diff options
245 files changed, 0 insertions, 58504 deletions
diff --git a/keyexchange/isakmpd-20041012/.depend b/keyexchange/isakmpd-20041012/.depend deleted file mode 100644 index 37903ff..0000000 --- a/keyexchange/isakmpd-20041012/.depend +++ /dev/null @@ -1,328 +0,0 @@ -app.o: app.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - app.h log.h -attribute.o: attribute.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - attribute.h conf.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h \ - log.h isakmp.h isakmp_fld.h field.h isakmp_num.h constants.h util.h -cert.o: cert.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - isakmp_num.h constants.h log.h cert.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h \ - x509.h libcrypto.h policy.h -connection.o: connection.c \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h \ - sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - conf.h connection.h doi.h ipsec.h ipsec_doi.h ipsec_fld.h field.h \ - ipsec_num.h constants.h isakmp_cfg.h isakmp.h isakmp_fld.h isakmp_num.h \ - log.h timer.h util.h -constants.o: constants.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - constants.h -conf.o: conf.c \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h \ - sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - app.h conf.h log.h monitor.h util.h -cookie.o: cookie.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - cookie.h exchange.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h \ - exchange_num.h constants.h isakmp.h isakmp_fld.h field.h isakmp_num.h \ - hash.h transport.h message.h util.h -crypto.o: crypto.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - crypto.h /usr/include/openssl/des.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/common/blf.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/common/cast.h \ - log.h -dh.o: dh.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - math_group.h dh.h log.h -doi.o: doi.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - doi.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h -exchange.o: exchange.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - cert.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h \ - conf.h connection.h constants.h cookie.h crypto.h \ - /usr/include/openssl/des.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/common/blf.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/common/cast.h \ - doi.h exchange.h exchange_num.h isakmp.h isakmp_fld.h field.h \ - isakmp_num.h ipsec_num.h isakmp_cfg.h libcrypto.h log.h message.h \ - timer.h transport.h ipsec.h ipsec_doi.h ipsec_fld.h sa.h util.h key.h -exchange_num.o: exchange_num.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - constants.h exchange_num.h -field.o: field.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - constants.h field.h log.h util.h -gmp_util.o: gmp_util.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - gmp_util.h math_mp.h -hash.o: hash.c \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/common/md5.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/common/sha1.h \ - sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - hash.h log.h -if.o: if.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - log.h monitor.h if.h -ike_auth.o: ike_auth.c \ - /home/otti/anytun/keyexchange/isakmpd-20041012/policy.h sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - cert.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h \ - conf.h constants.h exchange.h exchange_num.h isakmp.h isakmp_fld.h \ - field.h isakmp_num.h gmp_util.h math_mp.h hash.h ike_auth.h ipsec.h \ - ipsec_doi.h ipsec_fld.h ipsec_num.h isakmp_cfg.h libcrypto.h log.h \ - message.h monitor.h prf.h transport.h util.h key.h x509.h -ike_main_mode.o: ike_main_mode.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - attribute.h conf.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h \ - constants.h crypto.h /usr/include/openssl/des.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/common/blf.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/common/cast.h \ - dh.h doi.h exchange.h exchange_num.h isakmp.h isakmp_fld.h field.h \ - isakmp_num.h hash.h ike_auth.h ike_main_mode.h ike_phase_1.h ipsec.h \ - ipsec_doi.h ipsec_fld.h ipsec_num.h isakmp_cfg.h log.h math_group.h \ - message.h prf.h sa.h transport.h util.h -ike_phase_1.o: ike_phase_1.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - attribute.h conf.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h \ - constants.h crypto.h /usr/include/openssl/des.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/common/blf.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/common/cast.h \ - dh.h doi.h dpd.h exchange.h exchange_num.h isakmp.h isakmp_fld.h \ - field.h isakmp_num.h hash.h ike_auth.h ike_phase_1.h ipsec.h \ - ipsec_doi.h ipsec_fld.h ipsec_num.h isakmp_cfg.h log.h math_group.h \ - message.h nat_traversal.h prf.h sa.h transport.h util.h -ike_quick_mode.o: ike_quick_mode.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - attribute.h conf.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h \ - connection.h dh.h doi.h exchange.h exchange_num.h constants.h isakmp.h \ - isakmp_fld.h field.h isakmp_num.h hash.h ike_quick_mode.h ipsec.h \ - ipsec_doi.h ipsec_fld.h ipsec_num.h isakmp_cfg.h log.h math_group.h \ - message.h policy.h prf.h sa.h transport.h util.h key.h x509.h \ - libcrypto.h -init.o: init.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - app.h cert.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h \ - conf.h connection.h doi.h exchange.h exchange_num.h constants.h \ - isakmp.h isakmp_fld.h field.h isakmp_num.h init.h ipsec.h ipsec_doi.h \ - ipsec_fld.h ipsec_num.h isakmp_cfg.h isakmp_doi.h libcrypto.h log.h \ - math_group.h monitor.h sa.h timer.h transport.h message.h virtual.h \ - udp.h ui.h util.h policy.h nat_traversal.h udp_encap.h -ipsec.o: ipsec.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - attribute.h conf.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h \ - constants.h crypto.h /usr/include/openssl/des.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/common/blf.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/common/cast.h \ - dh.h doi.h dpd.h exchange.h exchange_num.h isakmp.h isakmp_fld.h \ - field.h isakmp_num.h hash.h ike_aggressive.h ike_auth.h ike_main_mode.h \ - ike_quick_mode.h ipsec.h ipsec_doi.h ipsec_fld.h ipsec_num.h \ - isakmp_cfg.h log.h math_group.h message.h nat_traversal.h prf.h sa.h \ - timer.h transport.h util.h x509.h libcrypto.h -ipsec_fld.o: ipsec_fld.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - constants.h field.h ipsec_fld.h isakmp_num.h ipsec_num.h -ipsec_num.o: ipsec_num.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - constants.h ipsec_num.h -isakmpd.o: isakmpd.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - app.h conf.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h \ - connection.h init.h libcrypto.h log.h monitor.h sa.h isakmp.h \ - isakmp_fld.h field.h isakmp_num.h constants.h timer.h transport.h \ - message.h udp.h ui.h util.h cert.h policy.h -isakmp_doi.o: isakmp_doi.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - doi.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h \ - exchange.h exchange_num.h constants.h isakmp.h isakmp_fld.h field.h \ - isakmp_num.h isakmp_doi.h ipsec.h ipsec_doi.h ipsec_fld.h ipsec_num.h \ - isakmp_cfg.h log.h message.h sa.h util.h -isakmp_fld.o: isakmp_fld.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - constants.h field.h isakmp_fld.h isakmp_num.h ipsec_num.h -isakmp_num.o: isakmp_num.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - constants.h isakmp_num.h -key.o: key.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - key.h libcrypto.h log.h util.h x509.h -libcrypto.o: libcrypto.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - libcrypto.h -log.o: log.c \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/common/pcap.h \ - conf.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h \ - isakmp_num.h sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - constants.h log.h monitor.h util.h -message.o: message.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - attribute.h cert.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h \ - constants.h crypto.h /usr/include/openssl/des.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/common/blf.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/common/cast.h \ - doi.h dpd.h exchange.h exchange_num.h isakmp.h isakmp_fld.h field.h \ - isakmp_num.h hash.h ipsec.h ipsec_doi.h ipsec_fld.h ipsec_num.h \ - isakmp_cfg.h log.h message.h nat_traversal.h prf.h sa.h timer.h \ - transport.h util.h virtual.h -math_2n.o: math_2n.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - math_2n.h util.h -math_group.o: math_group.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - gmp_util.h math_mp.h log.h math_2n.h math_ec2n.h math_group.h -prf.o: prf.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - hash.h log.h prf.h -sa.o: sa.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - attribute.h conf.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h \ - connection.h cookie.h doi.h exchange.h exchange_num.h constants.h \ - isakmp.h isakmp_fld.h field.h isakmp_num.h log.h message.h monitor.h \ - sa.h timer.h transport.h util.h cert.h policy.h key.h ipsec.h \ - ipsec_doi.h ipsec_fld.h ipsec_num.h isakmp_cfg.h -sysdep.o: \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep.c \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/util.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/app.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/conf.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/ipsec.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/ipsec_doi.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/ipsec_fld.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/field.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/ipsec_num.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/constants.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/isakmp_cfg.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/pf_key_v2.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/log.h -timer.o: timer.c \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h \ - sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - log.h timer.h -transport.o: transport.c \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h \ - sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - conf.h exchange.h exchange_num.h constants.h isakmp.h isakmp_fld.h \ - field.h isakmp_num.h log.h message.h sa.h timer.h transport.h virtual.h -udp.o: udp.c /usr/include/openssl/err.h sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - conf.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h \ - if.h isakmp.h isakmp_fld.h field.h isakmp_num.h constants.h log.h \ - message.h monitor.h transport.h udp.h util.h virtual.h -ui.o: ui.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - conf.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h \ - connection.h doi.h exchange.h exchange_num.h constants.h isakmp.h \ - isakmp_fld.h field.h isakmp_num.h init.h log.h monitor.h sa.h timer.h \ - transport.h message.h ui.h util.h -util.o: util.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - log.h message.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h \ - isakmp.h isakmp_fld.h field.h isakmp_num.h constants.h monitor.h \ - transport.h util.h -virtual.o: virtual.c /usr/include/openssl/err.h conf.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h \ - if.h exchange.h exchange_num.h sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - constants.h isakmp.h isakmp_fld.h field.h isakmp_num.h log.h \ - transport.h message.h virtual.h udp.h util.h udp_encap.h -pf_key_v2.o: pf_key_v2.c \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h \ - sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/bitstring.h \ - cert.h conf.h exchange.h exchange_num.h constants.h isakmp.h \ - isakmp_fld.h field.h isakmp_num.h ipsec.h ipsec_doi.h ipsec_fld.h \ - ipsec_num.h isakmp_cfg.h key.h log.h pf_key_v2.h sa.h timer.h \ - transport.h message.h util.h policy.h udp_encap.h -x509.o: x509.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - cert.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h \ - conf.h exchange.h exchange_num.h constants.h isakmp.h isakmp_fld.h \ - field.h isakmp_num.h hash.h ike_auth.h ipsec.h ipsec_doi.h ipsec_fld.h \ - ipsec_num.h isakmp_cfg.h log.h math_mp.h monitor.h policy.h sa.h util.h \ - x509.h libcrypto.h -policy.o: policy.c \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h \ - sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - conf.h exchange.h exchange_num.h constants.h isakmp.h isakmp_fld.h \ - field.h isakmp_num.h ipsec.h ipsec_doi.h ipsec_fld.h ipsec_num.h \ - isakmp_cfg.h isakmp_doi.h sa.h transport.h message.h log.h monitor.h \ - util.h policy.h x509.h libcrypto.h -math_ec2n.o: math_ec2n.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - math_2n.h math_ec2n.h -ike_aggressive.o: ike_aggressive.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - attribute.h conf.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h \ - constants.h crypto.h /usr/include/openssl/des.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/common/blf.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/common/cast.h \ - dh.h doi.h exchange.h exchange_num.h isakmp.h isakmp_fld.h field.h \ - isakmp_num.h hash.h ike_auth.h ike_aggressive.h ike_phase_1.h ipsec.h \ - ipsec_doi.h ipsec_fld.h ipsec_num.h isakmp_cfg.h log.h math_group.h \ - message.h nat_traversal.h prf.h sa.h transport.h util.h -isakmp_cfg.o: isakmp_cfg.c \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/bitstring.h \ - sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - attribute.h conf.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h \ - exchange.h exchange_num.h constants.h isakmp.h isakmp_fld.h field.h \ - isakmp_num.h hash.h ipsec.h ipsec_doi.h ipsec_fld.h ipsec_num.h \ - isakmp_cfg.h log.h message.h prf.h sa.h transport.h util.h -dpd.o: dpd.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - conf.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h \ - dpd.h exchange.h exchange_num.h constants.h isakmp.h isakmp_fld.h \ - field.h isakmp_num.h hash.h ipsec.h ipsec_doi.h ipsec_fld.h ipsec_num.h \ - isakmp_cfg.h log.h message.h sa.h timer.h transport.h util.h -nat_traversal.o: nat_traversal.c sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - conf.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h \ - exchange.h exchange_num.h constants.h isakmp.h isakmp_fld.h field.h \ - isakmp_num.h hash.h ipsec.h ipsec_doi.h ipsec_fld.h ipsec_num.h \ - isakmp_cfg.h log.h message.h nat_traversal.h prf.h sa.h timer.h \ - transport.h util.h virtual.h -udp_encap.o: udp_encap.c /usr/include/openssl/err.h sysdep.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h \ - conf.h \ - /home/otti/anytun/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h \ - if.h ipsec_doi.h ipsec_fld.h field.h ipsec_num.h constants.h isakmp.h \ - isakmp_fld.h isakmp_num.h log.h message.h monitor.h transport.h udp.h \ - udp_encap.h util.h virtual.h diff --git a/keyexchange/isakmpd-20041012/BUGS b/keyexchange/isakmpd-20041012/BUGS deleted file mode 100644 index 170282c..0000000 --- a/keyexchange/isakmpd-20041012/BUGS +++ /dev/null @@ -1,100 +0,0 @@ -$OpenBSD: BUGS,v 1.14 2002/06/09 08:13:06 todd Exp $ -$EOM: BUGS,v 1.38 2000/02/18 08:47:35 niklas Exp $ - -Until we have a bug-tracking system setup, we might just add bugs to this -file: ------------------------------------------------------------------------------- -* message_drop frees the message, this is sometimes wrong and can cause - duplicate frees, for example when a proposal does not get chosen. [fixed] - -* Notifications should be their own exchanges, otherwise the IV gets - disturbed. [fixed] - -* We need a death timeout on half-ready SAs just like exchanges. At the - moment we leak SAs. - -* When we establish a phase 2 exchange we seem to get the wrong IV set, - according to SSH's logs. [fixed] - -* If a phase 1 SA negotiation terminates with a cause that is to be sent in - a NOTIFY to the peer, we get multiple free calls on the cleanup of the - informational exchange. [fixed] - -* IKE mandates that a HASH should be added to informational exchanges in - phase 2. [fixed] - -* Message_send requires an exchange to exist, and potentially it tries to - encrypt a message multiple times when retransmitting. [fixed] - -* Multiple protocol proposals seems to fail. [fixed] - -* The initiator fails to match the responders choice of protocol suite with - the correct one of its own when several are offered. [fixed] - -* Duplicate specified sections is not detected. [fixed] - -* Quick mode establishments via UI using -P bind-addr gets "Address already in - use". - -* Not chosen proposals should be deleted from the protos list in the sa - structure. [fixed] - -* Setting SPIs generates "Invalid argument" errors due to one tunnel endpoint - being INADDR_ANY. [fixed] - -* ipsec_proto structs are never allocated. [fixed] - -* Remove SPIs of unused proposals. [fixed] - -* If the first proposal is turned down, the initiator gets confused. - -* Renegotiation after a failed phase 1 fails. - -* Phase 1 rekey event removal seems to be done twice. [fixed] - -* PF_ENCAP expirations does not find the proper phase 2 SA to remove. [fixed] - -* ISAKMP SA expirations should have a soft/hard timeout just like IPsec ones. - The soft one should put a watchdog on the SA, and start a renegotiation as - soon as something used the SA. Hard ones should just clean it up, no - renegotiation at all. [fixed] - -* ISAKMP SAs does not get removed after rekeying. [fixed] - -* On-demand PF_ENCAP SAs does not get reestablished. [fixed] - -* Rekeying is now done automatically on expirations, it should not. The - SAs should be brought up on-demand just like the first time. - -* Notifications regarding exchange errors seems to not have the right SPI, - at least not in phase 1, in NO_PROPOSAL_CHOSEN. - -* Outgoing informational exchanges when we use INVALID_PAYLOAD_TYPE - cause a DOI error. - -* In Linux select(2) of named pipes seems broken as they will return as - readable even when nothing is there after one read has succeeded. - -* I have seen INITIAL-CONTACT sent on the second Main Mode. - -* When ID mismatches occur, coredumps may follow, investigate! - -* ESP+AH does not work properly - -* Looping QM seen (due to lost sendpackets from other participant?) - -* Teardown from UI does not remove exchanges. - -* Wrong error message when policy check fails. - -* Restransmit of QM (packet 1) after INFO/PAYLOAD_MALFORMED was received. - -* SIGSEGV after sa_enter: sa added to sa list, trigged by DELETE notify (Linux) - -* Passive connections, undefined local&remote IDs will cause IKE peer IDs - to be used. - -* host route support in KLIPS does not work properly - -* When not having compiled in support for a certain crypto algorithm and - the config file still tells us to propose it, we segfault. diff --git a/keyexchange/isakmpd-20041012/DESIGN-NOTES b/keyexchange/isakmpd-20041012/DESIGN-NOTES deleted file mode 100644 index b47e80b..0000000 --- a/keyexchange/isakmpd-20041012/DESIGN-NOTES +++ /dev/null @@ -1,414 +0,0 @@ -$OpenBSD: DESIGN-NOTES,v 1.22 2003/06/04 07:27:31 ho Exp $ -$EOM: DESIGN-NOTES,v 1.48 1999/08/12 22:34:25 niklas Exp $ - -General coding conventions --------------------------- -GNU indentation, Max 80 characters per line, KNF comments, mem* instead of b*, -BSD copyright, one header per module specifying the API. -Multiple inclusion protection like this: - -#ifndef _HEADERNAME_H_ -#define _HEADERNAME_H_ - -... Here comes the bulk of the header ... - -#endif /* _HEADERNAME_H_ */ - -Start all files with RCS ID tags. - -GCC -Wall clean, ANSI prototypes. System dependent facilities should be -named sysdep_* and be placed in sysdep.c. Every C file should include -sysdep.h as the first isakmpd include file. Primary target systems are OpenBSD -and Linux, but porting to Microsoft Windows variants should not be made -overly difficult. - -Note places which need reconsiderations with comments starting with the -string "XXX", e.g. - -/* XXX Not implemented yet. */ - -TOC ---- -app.c Application support. -attribute.c Attribute handling. -cert.c Dispatching certificate related functions to the according - module based on the encoding. -conf.c Interface to isakmpd configuration. -connection.c Handle the high-level connection concept. -constants.c Value to name map of constants. -cookie.c Cookie generation. -crypto.c Generic cryptography. -dh.c Diffie-Hellman exchange logic. -dnssec.c IKE authentication using signed DNS KEY RRs. -doi.c Generic handling of different DOIs. -exchange.c Exchange state machinery. -exchange_num.cst - Some constants used for exhange scripts. -field.c Generic handling of fields. -genconstants.sh - Generate constant files from .cst source. -genfields.sh Generate field description files from .fld source. -gmp_util.c Utilities to ease interfaceing to GMP. -hash.c Generic hash handling. -if.c Network interface details. -ike_aggressive.c - IKE's aggressive mode exchange logic. -ike_auth.c IKE authentication method abstraction. -ike_main_mode.c IKE's main mode exchange logic. -ike_phase_1.c Common parts IKE's main & aggressive modes' exchange logic. -ike_quick_mode.c - IKE's quick mode logic. -init.c Initialization of all modules (might be autogenned in the - future). -ipsec.c The IPsec DOI. -ipsec_fld.fld Description of IPsec DOI-specific packet layouts. -ipsec_num.cst Constants defined by the IPsec DOI. -isakmp_doi.c The ISAKMP pseudo-DOI. -isakmp_fld.fld Generic packet layout. -isakmp_num.cst ISAKMP constants. -isakmpd.c Main loop. -key.c Generic key handling. -libcrypto.c Initialize crypto (OpenSSL). -log.c Logging of exceptional or informational messages. -math_2n.c Polynomial math. -math_ec2n.c Elliptic curve math. -math_group.c Group math. -message.c Generic message handling. -pf_key_v2.c Interface with PF_KEY sockets (for use with IPsec). -policy.c Keynote glue. -prf.c Pseudo random functions. -sa.c Handling of Security Associations (SAs). -sysdep/*/sysdep.c - System dependent stuff. -timer.c Timed events. -transport.c Generic transport handling. -udp.c The UDP transport. -ui.c The "User Interface", i.e. the FIFO command handler. -util.c Miscellaneous utility functions. -x509.c Encoding/Decoding X509 Certificates and related structures. - -Central datatypes ------------------ - -struct connection Persistent connections. -struct constant_map A map from constants to their ASCII names. -struct crypto_xf A crypto class -struct doi The DOI function switch -struct event An event that is to happen at some point in time. -struct exchange A description of an exchange while it is performed. -struct field A description of an ISAKMP field. -struct group A class abstracting out Oakley group operations -struct hash A hashing class -struct ipsec_exch IPsec-specific exchange fields. -struct ipsec_proto IPsec-specific protocol attributes. -struct ipsec_sa IPsec-specific SA stuff. -struct message A generic ISAKMP message. -struct payload A "fat" payload reference pointing into message buffers -struct prf A pseudo random function class -struct proto Per-protocol attributes. -struct post_send Post-send function chain node. -struct sa A security association. -struct transport An ISAKMP transport, i.e. a channel where ISAKMP - messages are passed (not necessarily connection- - oriented). This is an abstract class, serving as - a superclass to the different specific transports. - -SAs & exchanges ---------------- - -struct exchange Have all fields belonging to a simple exchange - + a list of all the SAs being negotiated. - Short-lived. -struct sa Only hold SA-specific stuff. Lives longer. - -In order to recognize exchanges and SAs it is good to know what constitutes -their identities: - -Phase 1 exchange Cookie pair (apart from the first message of course, - where the responder cookie is zero. - -ISAKMP SA Cookie pair. I.e. there exists a one-to-one - mapping to the negotiation in this case. - -Phase 2 exchange Cookie pair + message ID. - -Generic SA Cookie pair + message ID + SPI. - -However it would be really nice to have a name of any SA that is natural -to use for human beings, for things like deleting SAs manually. The simplest -ID would be the struct sa address. Another idea would be some kind of sequence -number, either global or per-destination. Right now I have introduced a name -for SAs, non-unique, that binds together SAs and their configuration -parameters. This means both manual exchange runs and rekeying are simpler. -Both struct exchange and struct sa does hold a reference count, but this is -not entirely like a reference count in the traditional meaning where -every reference gets counted. Perhaps it will be in the future, but for now -we increment the count at allocation time and at times we schedule events -tha might happen sometime in the future where we will need the structure. -These events then realeases its reference when done. This way intermediate -deallocation of these structures are OK. - -The basic idea of control flow ------------------------------- - -The main loop just waits for events of any kind. Supposedly a message -comes in, then the daemon looks to see if the cookies describes an -existing ISAKMP SA, if they don't and the rcookie is zero, it triggers a -setup of a new ISAKMP SA. An exhaustive validation phase of the message -is gone through at this stage. If anything goes wrong, we drop the packet -and probably send some notification back. After the SA is found we try to -locate the exchange object and advance its state, else we try to create a -new exchange. - -Need exchanges be an abstraction visible in the code? If so an exchange is -roughly a very simple FSM (only timeouts and retransmissions are events that -does not just advance the state through a sequential single path). The -informational exchange is such a special case, I am not sure it's interesting -to treat as an exchange in the logic of the implementation. The only reason -to do so would be to keep the implementation tightly coupled to the -specification for ease of understanding. As the code looks now, exchanges -*are* an abstraction in the code, and it has proven to be a rather nice -way of having things. - -When the exchange has been found the exchange engine "runs" a script which -steps forward for each incoming message, and on each reply to them. - -Payload parsing details ------------------------ - -After the generic header has been validated, we do a generic payload -parsing pass over the message and sort out the payloads into buckets indexed -by the payload type. Note that proposals and transforms are part of the SA -payloads. We then pass over them once more validating each payload -in numeric payload type order. This makes SA payloads come naturally first. - -Messages --------- - -I am not sure there is any use in sharing the message structure for both -incoming and outgoing messages but I do it anyhow. Specifically there are -certain fields which only makes sense in one direction. Incoming messages -only use one segment in the iovec vector, while outgoing has one segment per -payload as well as one for the ISAKMP header. The iovec vector is -reallocated for each payload added, maybe we should do it in chunks of a -number of payloads instead, like 10 or so. - -Design "errors" ---------------- - -Currently there are two "errors" in our design. The first one is that the -coupling between the IPsec DOI and IKE is tight. It should be separated by -a clean interface letting other key exchange models fit in instead of IKE. -The second problem is that we need a protocol-specific opaque SA part -in the DOI specific one. Now both IPsec ESP attributes takes place even -in ISAKMP SA structures. - -User control ------------- - -In order to control the daemon you send commands through a FIFO called -isakmpd.fifo. The commands are one-letter codes followed by arguments. -For now, eleven such commands are implemented: - -c connect Establish a connection with a peer -C configure Add or remove configuration entries -d delete Delete an SA given cookies and message-IDs -D debug Change logging level for a debug class -p packet capture Enable/disable packet capture feature -r report Report status information of the daemon -t teardown Teardown a connection -Q quit Quit the isakmpd process -R reinitialize Reinitialize isakmpd (re-read configuration file) -S report SA Report SA information to file /var/run/isakmp_sa -T teardown all Teardown all Phase 2 connections - -For example you can do: - -c ISAKMP-peer - -In order to delete an SA you use the 'd' command. However this is not yet -supported. - -To alter the level of debugging in the "LOG_MISC" logging class to 99 you do: - -D 0 99 - -The report command is just an "r", and results in a list of active exchanges -and security associations. - -The "C" command takes 3 subcommands: set, rm and rms, for adding and removing -entries + remove complete sections respectively. Examples: - -C set [Net-A]:Address=192.168.0.0 -C rm [Net-A]:Address -C rms [Net-A] - -All these commands are atomic, i.e. they are not collected into larger -transactions, which there should be a way to do, but currently isn't. - -The FIFO UI is also described in the isakmpd(8) man page. - -In addition to giving commands over the FIFO, you may send signals to the -daemon. Currently two such signals are implemented: - -SIGHUP Re-initialize isakmpd (not fully implemented yet) -SIGUSR1 Generate a report, much as the "r" FIFO command. - -For example, to generate a report, you do: - -unix# kill -USR1 <PID of isakmpd process> - -The constant descriptions -------------------------- - -We have invented a simple constant description language, for the sake -of easily getting textual representations of manifest constants. -The syntax is best described by an example: - -GROUP - CONSTANT_A 1 - CONSTANT_B 2 -. - -This defines a constant map "group" with the following two defines: - -#define GROUP_CONSTANT_A 1 -#define GROUP_CONSTANT_B 2 - -We can now get the textual representation by: - - cp = constant_name (group, foo); - -Here foo is an integer with either of the two constants as a value. - -The field descriptions ----------------------- - -There is language for describing header and payload layouts too, -similar to the constant descriptions. Here too I just show an example: - -RECORD_A - FIELD_A raw 4 - FIELD_B num 2 - FIELD_C mask 1 group_c_cst - FIELD_D ign 1 - FIELD_E cst 2 group_e1_cst,group_e2_cst -. - -RECORD_B : RECORD_A - FIELD_F raw -. - -This creates some utility constants like RECORD_A_SZ, RECORD_A_FIELD_A_LEN, -RECORD_A_FIELD_A_OFF, RECORD_A_FIELD_B_LEN etc. The *_OFF contains the -octet offset into the record and the *_LEN constants are the lengths. -The type fields can be: raw, num, mask, ign & cst. Raw are used for -octet buffers, num for (unsigned) numbers of 1, 2 or 4 octet's length -in network byteorder, mask is a bitmask where the bit values have symbols -coupled to them via the constant maps given after the length in octets -(also 1, 2 or 4). Ign is just a filler type, ot padding and lastly cst -denotes constants whose values can be found in the given constant map(s). -The last field in a record can be a raw, without a length, then just an -_OFF symbol will be generated. You can offset the first symbol to the -size of another record, like is done above for RECORD_B, i.e. in that -case RECORD_A_SZ == RECORD_B_FIELD_F_OFF. All this data are collected -in struct field arrays which makes it possible to symbolically print out -entire payloads in readable form via field_dump_payload. - -Configuration -------------- - -Internally isakmpd uses a section-tag-value triplet database for -configuration. Currently this happen to map really well to the -configuration file format, which on the other hand does not map -equally well to humans. It is envisioned that the configuration -database should be dynamically modifiable, and through a lot of -differnet mechanisms. Therefore we have designed an API for this -purpose. - -int conf_begin (); -int conf_set (int transaction, char *section, char *tag, char *value, - int override); -int conf_remove (int transaction, char *section, char *tag); -int conf_remove_section (int transaction, char *section); -int conf_end (int transaction, int commit); - -The caller will always be responsible for the memory management of the -passed strings, conf_set will copy the values, and not use the original -strings after it has returned. Return value will be zero on success and -non-zero otherwise. Note that the conf_remove* functions consider not -finding anything to remove as failure. - -Identification --------------- - -ISAKMP supports a lot of identity types, and we should too of course. - -* Phase 1, Main mode or Aggressive mode - -Today when we connect we do it based on the peer's IP address. That does not -automatically mean we should do policy decision based on IPs, rather we should -look at the ID the peer provide and get policy info keyed on that. - -Perhaps we get an ID saying the peer is FQDN niklas.hallqvist.se, then our -policy rules might look like: - -[IQ_FQDN] -# If commented, internal verification is used -#Verificator= verify_fqdn -Accept= no - -[ID_FQDN niklas.hallqvist.se] -Policy= MY_POLICY_001 - -[MY_POLICY_001] -# Whatever policy rules we might have. -Accept= yes - -Which means niklas.hallqvist.se is allowed to negotiate SAs with us, but -noone else. - -* Phase 2, Quick mode - -In quick mode the identities are implicitly the IP addresses of the peers, -which must mean the IP addresses actually used for the ISAKMP tunnel. -Otherwise we today support IPV4_ADDR & IPV4_ADDR_SUBNET as ID types. - -X509-Certificates ------------------ -To use RSA Signature mode you are required to generate certificates. -This can be done with ssleay, see man ssl. But the X509 certificates -require a subjectAltname extension that can either be an IPV4 address, -a User-FQDN or just FQDN. ssleay can not create those extension, -insead use the x509test program in regress/x509 to modify an existing -certificate. It will insert the subjectAltname extension and sign it -with the provided private Key. The resulting certificate then needs -to be stored in the directory pointed to by "Certs-directory" in -section "X509-certificates". - -License to use --------------- -/* - * Copyright (c) 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - diff --git a/keyexchange/isakmpd-20041012/GNUmakefile b/keyexchange/isakmpd-20041012/GNUmakefile deleted file mode 100644 index 838194c..0000000 --- a/keyexchange/isakmpd-20041012/GNUmakefile +++ /dev/null @@ -1,244 +0,0 @@ -# $OpenBSD: GNUmakefile,v 1.9 2004/08/08 19:11:06 deraadt Exp $ - -# -# Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved. -# Copyright (c) 2000 Håkan Olsson. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Ericsson Radio Systems. -# - -# -# This makefile is a GNU makefile, which is generally available on most -# systems, either as "make" or (often) "gmake". It has been converted from -# a 'pmake' makefile (OpenBSDs 'make'), and some care has been taken to -# produce similar behaviour. -# - -# openbsd means 2.5 or newer, freeswan is the name for Linux with FreeS/WAN -# integrated, freebsd/netbsd means FreeBSD/NetBSD with KAME IPsec. -# darwin means MacOS X 10.2 and later with KAME IPsec. linux means Linux-2.5 -# and later with native IPSec support. -#OS= openbsd -#OS= netbsd -#OS= freebsd -#OS= freeswan -#OS= darwin -OS= linux - -.CURDIR:= $(shell pwd) -VPATH= ${.CURDIR}/sysdep/${OS} - -PROG= isakmpd - -ifndef BINDIR -BINDIR= /sbin -endif - -#ifndef LDSTATIC -#LDSTATIC= -static -#endif - -SRCS= app.c attribute.c cert.c connection.c \ - constants.c conf.c cookie.c crypto.c dh.c doi.c exchange.c \ - exchange_num.c field.c gmp_util.c hash.c if.c ike_auth.c \ - ike_main_mode.c ike_phase_1.c ike_quick_mode.c init.c \ - ipsec.c ipsec_fld.c ipsec_num.c isakmpd.c isakmp_doi.c \ - isakmp_fld.c isakmp_num.c key.c libcrypto.c log.c message.c \ - math_2n.c math_group.c prf.c sa.c sysdep.c timer.c \ - transport.c udp.c ui.c util.c virtual.c - -GENERATED= exchange_num.h ipsec_fld.h ipsec_num.h isakmp_fld.h \ - isakmp_num.h -CLEANFILES= exchange_num.c exchange_num.h ipsec_num.c ipsec_num.h \ - isakmp_num.c isakmp_num.h ipsec_fld.c ipsec_fld.h \ - isakmp_fld.c isakmp_fld.h -MAN= isakmpd.8 isakmpd.conf.5 isakmpd.policy.5 - -CFLAGS+= -O2 ${DEBUG} -Wall -DNEED_SYSDEP_APP \ - -I${.CURDIR} -I${.CURDIR}/sysdep/${OS} -I. \ - -# Different debugging & profiling suggestions - -# Include symbolic debugging info -DEBUG= -g - -# Do execution time profiles -#CFLAGS+= -pg - -# If you have ElectricFence available, you can spot abuses of the heap. -# (/usr/ports/devel/ElectricFence) -#LDADD+= -L/usr/local/lib -lefence -#DPADD+= /usr/local/lib/libefence.a - -# If you like to use Boehm's garbage collector (/usr/ports/devel/boehm-gc). -#LDADD+= -L/usr/local/lib -lgc -#DPADD+= /usr/local/lib/libgc.a - -# You can also use Boehm's garbage collector as a means to find leaks. -# XXX The defines below are GCC-specific. I think it is OK to require -# XXX GCC if you are debugging isakmpd in this way. -#LDADD+= -L/usr/local/lib -lleak -#DPADD+= /usr/local/lib/libleak.a -#CFLAGS+= -D'malloc(x)=({ \ -# void *GC_debug_malloc (size_t, char *, int); \ -# GC_debug_malloc ((x), __FILE__, __LINE__); \ -# })' \ -# -D'realloc(x,y)=({ \ -# void *GC_debug_realloc (void *, size_t, char *, int); \ -# GC_debug_realloc ((x), (y), __FILE__, __LINE__); \ -# })' \ -# -D'free(x)=({ \ -# void GC_debug_free (void *); \ -# GC_debug_free (x); \ -# })' \ -# -D'calloc(x,y)=malloc((x) * (y))' \ -# -D'strdup(x)=({ \ -# char *strcpy (char *, const char *); \ -# const char *_x_ = (x); \ -# char *_y_ = malloc (strlen (_x_) + 1); \ -# strcpy (_y_, _x_); \ -# })' - -# Ignore any files with these names... -.PHONY: mksubdirs all clean cleandir cleandepend beforedepend \ - afterdepend realclean realcleandepend - -# Default target, it needs to be the first target in makefile... :( - -all: ${PROG} mksubdirs - -ifneq ($(findstring install,$(MAKECMDGOALS)),install) -# Skip 'regress' until the regress/ structure has gmake makefiles for it. -#SUBDIR:= regress -SUBDIR:= apps/certpatch -mksubdirs: - $(foreach DIR, ${SUBDIR}, \ - cd ${.CURDIR}/${DIR}; ${MAKE} ${MAKECMDGOALS};) - -# $(foreach DIR, ${SUBDIR}, \ -# cd ${DIR}; ${MAKE} CFLAGS="${CFLAGS}" \ -# MKDEP="${MKDEP}" ${MAKECMDGOALS}) -else -mksubdirs: -endif - -# DEPSRCS handling is *ugly*, I know... -# What is does; keep orig SRCS in ORIGSRCS; potentially add stuff to -# SRCS (include); let DEPSRCS be ORIGSRCS (sysdep.c -> sysdep/<os>/sysdep.c) -# _plus_ any new sources, located either in cwd or sysdep/<os>. Phew. - -ORIGSRCS:= ${SRCS} --include sysdep/${OS}/GNUmakefile.sysdep - -FEATURES_UC= $(shell echo ${FEATURES} | tr '[:lower:]' '[:upper:]') -CFLAGS+= $(foreach F, ${FEATURES_UC}, -DUSE_${F}) --include $(foreach F, ${FEATURES}, features/${F}) - -ifdef USE_KEYNOTE -USE_LIBCRYPTO= yes -LDADD+= -lkeynote -lm -DPADD+= ${LIBKEYNOTE} ${LIBM} -POLICY= policy.c -CFLAGS+= -DUSE_KEYNOTE -endif - -ifdef USE_LIBCRYPTO -X509= x509.c -CFLAGS+= -DUSE_LIBCRYPTO -LDADD+= -lcrypto -DPADD+= ${LIBCRYPTO} -endif - -ifdef USE_RAWKEY -USE_LIBCRYPTO= yes -CFLAGS+= -DUSE_RAWKEY -endif - -SRCS+= ${IPSEC_SRCS} ${X509} ${POLICY} ${EC} ${AGGRESSIVE} ${DNSSEC} \ - $(ISAKMP_CFG) ${DPD} ${NAT_TRAVERSAL} -CFLAGS+= ${IPSEC_CFLAGS} -LDADD+= ${DESLIB} -DPADD+= ${DESLIBDEP} - -DEPSRCS:= $(subst sysdep.c,${VPATH}/sysdep.c,${ORIGSRCS}) \ - $(foreach FILE, $(filter-out ${ORIGSRCS},${SRCS}), \ - $(wildcard ./${FILE} ${VPATH}/${FILE})) -OBJS:= $(SRCS:%.c=%.o) - -# Generated targets -exchange_num.c exchange_num.h: genconstants.sh exchange_num.cst - /bin/sh ${.CURDIR}/genconstants.sh ${.CURDIR}/exchange_num - -ipsec_fld.c ipsec_fld.h: genfields.sh ipsec_fld.fld - /bin/sh ${.CURDIR}/genfields.sh ${.CURDIR}/ipsec_fld - -ipsec_num.c ipsec_num.h: genconstants.sh ipsec_num.cst - /bin/sh ${.CURDIR}/genconstants.sh ${.CURDIR}/ipsec_num - -isakmp_fld.c isakmp_fld.h: genfields.sh isakmp_fld.fld - /bin/sh ${.CURDIR}/genfields.sh ${.CURDIR}/isakmp_fld - -isakmp_num.c isakmp_num.h: genconstants.sh isakmp_num.cst - /bin/sh ${.CURDIR}/genconstants.sh ${.CURDIR}/isakmp_num - -# Program rules -${PROG} beforedepend: ${GENERATED} - -${PROG}: ${OBJS} ${DPADD} - ${CC} ${DEBUG} ${LDFLAGS} ${LDSTATIC} -o $@ ${OBJS} ${LDADD} - -# Depend rules -depend: beforedepend .depend mksubdirs afterdepend - @true - -# Since 'mkdep' et al maybe doesn't exist... -MKDEP:= ${CC} -MM - -.depend: ${SRCS} - @rm -f .depend - ${MKDEP} ${CFLAGS} ${DEPSRCS} > .depend - -afterdepend: - -ifneq ($(findstring clean, $(MAKECMDGOALS)), clean) -# This will initially fail (when .depend does not exist), continue -# to create .depend, then make will automatically restart to include -# the generated .depend correctly. The '-' inhibits the warning msg. --include .depend -endif - -# Clean rules - -cleandir: realclean realcleandepend mksubdirs - -clean: realclean mksubdirs - -cleandepend: realcleandepend mksubdirs - -realclean: - rm -f a.out core *.core ${PROG} ${OBJS} ${CLEANFILES} - -realcleandepend: - rm -f .depend tags diff --git a/keyexchange/isakmpd-20041012/Makefile b/keyexchange/isakmpd-20041012/Makefile deleted file mode 100644 index 2c04d8b..0000000 --- a/keyexchange/isakmpd-20041012/Makefile +++ /dev/null @@ -1,187 +0,0 @@ -# $OpenBSD: Makefile,v 1.57 2004/08/23 11:16:49 ho Exp $ -# $EOM: Makefile,v 1.78 2000/10/15 21:33:42 niklas Exp $ - -# -# Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. -# Copyright (c) 2000, 2001 Håkan Olsson. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Ericsson Radio Systems. -# - -# -# This makefile is a "pmake" one, i.e. the make variant commonly found in -# BSD derived systems, where it is indeed named "make". Other systems -# may provide this make variant as "pmake" or maybe "bsdmake". -# - -# openbsd means OpenBSD 2.5 or newer. freeswan is the name for Linux with -# FreeS/WAN integrated, freebsd/netbsd means FreeBSD/NetBSD with KAME IPsec. -OS= openbsd -#OS= netbsd -#OS= freebsd -#OS= freeswan -#OS= bsdi - -# Compile-time configuration of otherwise optional features -#FEATURES= tripledes des blowfish cast aes -#FEATURES+= policy x509 ec aggressive debug gmp -#FEATURES+= rawkey isakmp_cfg dnssec privsep nat_traversal dpd -FEATURES= tripledes des blowfish cast aes -FEATURES+= policy x509 ec aggressive debug -FEATURES+= rawkey isakmp_cfg privsep nat_traversal dpd - -.PATH: ${.CURDIR}/sysdep/${OS} - -PROG= isakmpd -BINDIR?= /sbin -LDSTATIC?= -static -SRCS= app.c attribute.c cert.c connection.c constants.c conf.c \ - cookie.c crypto.c dh.c doi.c exchange.c exchange_num.c \ - field.c gmp_util.c hash.c if.c ike_auth.c ike_main_mode.c \ - ike_phase_1.c ike_quick_mode.c init.c ipsec.c ipsec_fld.c \ - ipsec_num.c isakmpd.c isakmp_doi.c isakmp_fld.c isakmp_num.c \ - key.c libcrypto.c log.c message.c math_2n.c math_group.c \ - prf.c sa.c sysdep.c timer.c transport.c virtual.c udp.c \ - ui.c util.c - -GENERATED= exchange_num.h ipsec_fld.h ipsec_num.h isakmp_fld.h \ - isakmp_num.h -CLEANFILES= exchange_num.c exchange_num.h ipsec_num.c ipsec_num.h \ - isakmp_num.c isakmp_num.h ipsec_fld.c ipsec_fld.h \ - isakmp_fld.c isakmp_fld.h -MAN= isakmpd.8 isakmpd.conf.5 isakmpd.policy.5 -CFLAGS+= -Wall -Wstrict-prototypes -Wmissing-prototypes \ - -Wmissing-declarations -DNEED_SYSDEP_APP \ - -I${.CURDIR} -I${.CURDIR}/sysdep/${OS} -I. -#CFLAGS+= -Wsign-compare -Werror - -# Different debugging & profiling suggestions - -# Include symbolic debugging info -#DEBUG= -g # OpenBSD -#DEBUG_FLAGS= -g # FreeBSD -#CFLAGS+= -g # NetBSD and others -#STRIPFLAG= # NETBSD - -# Do execution time profiles -#CFLAGS+= -pg - -# If you have ElectricFence available, you can spot abuses of the heap. -# (/usr/ports/devel/ElectricFence) -#LDADD+= -L/usr/local/lib -lefence -#DPADD+= /usr/local/lib/libefence.a - -# If you like to use Boehm's garbage collector (/usr/ports/devel/boehm-gc). -#LDADD+= -L/usr/local/lib -lgc -#DPADD+= /usr/local/lib/libgc.a -#CFLAGS+= -DUSE_BOEHM_GC -DGC_DEBUG -# You can also use Boehm's garbage collector as a means to find leaks. -# # setenv GC_FIND_LEAK - -SUBDIR= apps - -.include "sysdep/${OS}/Makefile.sysdep" - -.if ${FEATURES} != "" -FEATURES_UC!= echo ${FEATURES} | tr '[:lower:]' '[:upper:]' -CFLAGS+= ${FEATURES_UC:S/^/-DUSE_/g} -.endif - -.if make(install) -SUBDIR+= samples -.endif - -.if !make(install) && !defined(NO_REGRESS) -SUBDIR+= regress -.endif - -.for FEATURE in ${FEATURES} -.if exists(features/${FEATURE}) -.include "features/${FEATURE}" -.endif -.endfor - -.if ${FEATURES:Mgmp} == "gmp" -CFLAGS+= -DMP_FLAVOUR=MP_FLAVOUR_GMP -LDADD+= -lgmp -DPADD+= ${LIBGMP} -.else -CFLAGS+= -DMP_FLAVOUR=MP_FLAVOUR_OPENSSL -.endif - -.ifdef USE_KEYNOTE -USE_LIBCRYPTO= yes -USE_LIBDES= yes -LDADD+= -lkeynote -lm -DPADD+= ${LIBKEYNOTE} ${LIBM} -CFLAGS+= -DUSE_KEYNOTE -.endif - -.ifdef USE_RAWKEY -USE_LIBCRYPTO= yes -CFLAGS+= -DUSE_RAWKEY -.endif - -.ifdef USE_LIBCRYPTO -CFLAGS+= -DUSE_LIBCRYPTO -LDADD+= -lcrypto -DPADD+= ${LIBCRYPTO} -.endif - -.ifdef USE_LIBDES -CFLAGS+= -DUSE_LIBDES -LDADD+= -ldes -DPADD+= ${LIBDES} -.endif - -SRCS+= ${IPSEC_SRCS} ${X509} ${POLICY} ${EC} ${AGGRESSIVE} ${DNSSEC} \ - ${ISAKMP_CFG} ${PRIVSEP} ${DPD} ${NAT_TRAVERSAL} -CFLAGS+= ${IPSEC_CFLAGS} ${DNSSEC_CFLAGS} - -LDADD+= ${DESLIB} ${LWRESLIB} -DPADD+= ${DESLIBDEP} ${LWRESLIB} - -exchange_num.c exchange_num.h: genconstants.sh exchange_num.cst - /bin/sh ${.CURDIR}/genconstants.sh ${.CURDIR}/exchange_num - -ipsec_fld.c ipsec_fld.h: genfields.sh ipsec_fld.fld - /bin/sh ${.CURDIR}/genfields.sh ${.CURDIR}/ipsec_fld - -ipsec_num.c ipsec_num.h: genconstants.sh ipsec_num.cst - /bin/sh ${.CURDIR}/genconstants.sh ${.CURDIR}/ipsec_num - -isakmp_fld.c isakmp_fld.h: genfields.sh isakmp_fld.fld - /bin/sh ${.CURDIR}/genfields.sh ${.CURDIR}/isakmp_fld - -isakmp_num.c isakmp_num.h: genconstants.sh isakmp_num.cst - /bin/sh ${.CURDIR}/genconstants.sh ${.CURDIR}/isakmp_num - -${PROG} beforedepend: ${GENERATED} - -.include <bsd.prog.mk> -.include <bsd.subdir.mk> - -debug: - (cd ${.CURDIR}; ${MAKE} DEBUG="-g -Werror") diff --git a/keyexchange/isakmpd-20041012/QUESTIONS b/keyexchange/isakmpd-20041012/QUESTIONS deleted file mode 100644 index 91225cc..0000000 --- a/keyexchange/isakmpd-20041012/QUESTIONS +++ /dev/null @@ -1,34 +0,0 @@ -$OpenBSD: QUESTIONS,v 1.5 2003/11/05 12:31:21 jmc Exp $ -$EOM: QUESTIONS,v 1.12 1998/10/11 17:11:06 niklas Exp $ - -Does the spec limit the count of SA payloads in a message? Where if so? -[ Only the specific IKE main mode does. In the IKE spec.] - -The message ID field of the header, can it be considered a SA identifier -if used together with the cookiepair? [Yes, it is meant to be that] - -DOI 0, what protocols are defined for it? Where? - -Isn't this a potential DOS attack: -Hostile user listens for ISAKMP traffic, and then extracts cookiepairs -and message IDs which he uses to flood any of the peers with spoofed -packets pretending to be the other one. Most probably these packets will -result in error notifications which potentially result in SA tear-down? -Maybe should notifications never be issued for erroneous packets which -cannot be authenticated? Or should we not tear down SAs as results of -notifications? - -Certicom claims to hold licenses for Elliptic Curve Cryptography? Does this -concern us? See: http://grouper.ieee.org/groups/1363/P1363/patents.html - -Main mode when using public key encryption authentication does not look -like an identity protection exchange to me. Must I really get rid of -the generic ISAKMP payload presense tests? - -IV generation is not described precisely in Appendix B of -oakley-08.txt: -'Subsequent messages MUST use the last CBC encryption block from the previous -message as their IV'. This probably means that we take the new IV from the -last encrypted block of the last message we sent. The SSH testing site uses -the last block from the last message they received. This is probably not -what was meant and should be clarified on ipsec@tis.com. -[ From what we have gathered this is what is meant. ] diff --git a/keyexchange/isakmpd-20041012/README b/keyexchange/isakmpd-20041012/README deleted file mode 100644 index 13df6a1..0000000 --- a/keyexchange/isakmpd-20041012/README +++ /dev/null @@ -1,68 +0,0 @@ -$OpenBSD: README,v 1.19 2003/02/22 06:57:07 kjell Exp $ -$EOM: README,v 1.28 1999/10/10 22:53:24 angelos Exp $ - -This is isakmpd, a BSD-licensed ISAKMP/Oakley (a.k.a. IKE) -implementation. It's written by Niklas Hallqvist and Niels Provos, -funded by Ericsson Radio Systems AB. Isakmpd's home is in the -OpenBSD main source tree under src/sbin/isakmpd. Look at -http://www.openbsd.org/ for details on how to get OpenBSD source. - -Isakmpd is being developed under OpenBSD, with OpenBSD as its primary -target, however, it is ported to Linux with FreeS/WAN IPsec. The -makefile support assumes a BSD environment nonetheless as it is not too -hard to get such an environment to work under other operating systems. -For example, Red Hat 5.2 shipped with pmake installed. Read sysdep/README -for further details about this issue. Other systems isakmpd has been -ported to, but no code has been made available for, includes Solaris -and Win32s. I mention this just because it shows that the code is -fairly portable. - -First edit the Makefile in a manner you see fit. Specifically the OS -define is important to get right of course. -Assuming you have an OpenBSD /usr/share/mk and use the OpenBSD (or -similar) make(1), you build isakmpd this way: - -make obj && make depend && make - -Then obj/isakmpd will be the daemon. I suggest you try it by running -under gdb with args similar to: - -d -n -p5000 -DA=99 -f/tmp/isakmpd.fifo -csamples/VPN-east.conf - -That will run isakmpd in the foreground, not connected to any application -(like an IPsec implementation) logging to stderr with full debugging output, -listening on UDP port 5000, accepting control commands via the named pipe -called /tmp/isakmpd.fifo and reading its configuration from the -VPN-east.conf file (found in the isakmpd/samples directory). - -If you are root you can try to run without -n -p5000 thus getting it to -talk to your IPsec stack and use the standard port 500 instead. - -The logging classes are Miscellaneous = 0, Transports = 1, Messages = 2, -Crypto = 3, Timers = 4, System Dependencies = 5, Security Associations = 6, -and Exchanges = 7. The debug levels increase in verbosity from 0 (off) to -99 (max). Read log.[ch] and ui.c to see how to alter the debugging levels. - -Now you have setup your daemon and can watch incoming negotiations. -But how do you get such? Either use http://isakmp-test.ssh.fi/, -there's an excellent service, just waiting for you. Or you can try to -start another isakmpd on another port (say -p5001 or so, instead) -and another fifo (let's say /tmp/other.fifo). Then edit the config -file to have some peer descriptions that fit your need and issue a -command like this: - -$ echo "c IPsec-east-west" >/tmp/other.fifo - -and watch. You can turn on debugging on that isakmpd too of course, for -greater fun. This rudimentary user interface is slightly described in -DESIGN-NOTES. If you are going to look at the config file, don't be scared, -the man page isakmpd.conf(5) covers every detail, and the flexibility will -be hidden under a userfriendlier layer in a later release. I did this -first config-file syntax just because it should be easy to parse. The man -page isakmpd.policy(5) describes the policy model used in conjunction with -KeyNote. - -Happy IKEing! - -Niklas Hallqvist <niklas@openbsd.org> -Niels Provos <provos@openbsd.org> -Håkan Olsson <ho@openbsd.org> diff --git a/keyexchange/isakmpd-20041012/README.PKI b/keyexchange/isakmpd-20041012/README.PKI deleted file mode 100644 index 4b7d9f1..0000000 --- a/keyexchange/isakmpd-20041012/README.PKI +++ /dev/null @@ -1,60 +0,0 @@ -$OpenBSD: README.PKI,v 1.7 1999/10/01 14:10:45 niklas Exp $ -$EOM: README.PKI,v 1.7 1999/09/30 13:40:38 niklas Exp $ - -1 Make sure you have an RSA-enabled isakmpd. An easy way to do this - is to install a dynamically linkable version of libcrypto from - OpenSSL and install it where the run-time linker can find it. - -2 Create your own CA as root. - - openssl genrsa -out /etc/ssl/private/ca.key 1024 - openssl req -new -key /etc/ssl/private/ca.key \ - -out /etc/ssl/private/ca.csr - - You are now being asked to enter information that will be incorporated - into your certificate request. What you are about to enter is what is - called a Distinguished Name or a DN. There are quite a few fields but - you can leave some blank. For some fields there will be a default - value, if you enter '.', the field will be left blank. - - openssl x509 -req -days 365 -in /etc/ssl/private/ca.csr \ - -signkey /etc/ssl/private/ca.key \ - -out /etc/ssl/ca.crt - -3 Create keys and certificates for your isakmpd peers. This step as well - as the next one, needs to be done for every peer. Furthermore the - last step will need to be done once for each ID you want the peer - to have. The 10.0.0.1 below symbolizes that ID, and should be - changed for each invocation. You will be asked for a DN for each - run too. See to encode the ID in the common name too, so it gets - unique. - - openssl genrsa -out /etc/isakmpd/private/local.key 1024 - openssl req -new -key /etc/isakmpd/private/local.key \ - -out /etc/isakmpd/private/10.0.0.1.csr - - Now take these certificate signing requests to your CA and process - them like below. You have to add some extensions to the certificate - in order to make it usable for isakmpd, which is why you will need - to run certpatch. Replace 10.0.0.1 with the IP-address which isakmpd - will be using for identity. - - openssl x509 -req -days 365 -in 10.0.0.1.csr -CA /etc/ssl/ca.crt \ - -CAkey /etc/ssl/private/ca.key -CAcreateserial \ - -out 10.0.0.1.crt - certpatch -i 10.0.0.1 -k /etc/ssl/private/ca.key \ - 10.0.0.1.crt 10.0.0.1.crt - - Put the certificate (the file ending in .crt) in /etc/isakmpd/certs/ - on your local system. Also carry over the CA cert /etc/ssl/ca.crt - and put it in /etc/isakmpd/ca/. - -4 See to that your config files will point out the directories where - you keep certificates. I.e. add something like this to - /etc/isakmpd/isakmpd.conf: - - # Certificates stored in PEM format - [X509-certificates] - CA-directory= /etc/isakmpd/ca/ - Cert-directory= /etc/isakmpd/certs/ - Private-key= /etc/isakmpd/private/local.key diff --git a/keyexchange/isakmpd-20041012/TO-DO b/keyexchange/isakmpd-20041012/TO-DO deleted file mode 100644 index 7e397e4..0000000 --- a/keyexchange/isakmpd-20041012/TO-DO +++ /dev/null @@ -1,145 +0,0 @@ -$OpenBSD: TO-DO,v 1.26 2003/08/28 14:43:35 markus Exp $ -$EOM: TO-DO,v 1.45 2000/04/07 22:47:38 niklas Exp $ - -This file mixes small nitpicks with large projects to be done. - -* Add debugging messages, maybe possible to control asynchronously. [done] - -* Implement the local policy governing logging and notification of exceptional - conditions. - -* A field description mechanism used for things like making packet dumps - readable etc. Both Photurisd and Pluto does this. [done] - -* Fix the cookies. <Niels> [done] - -* Garbage collect transports (ref-counting?). [done] - -* Retransmission/dup packet handling. [done] - -* Generic payload checks. [mostly done] - -* For math, speed up multiplication and division functions. - -* Cleanup of SAs when dropping messages. [done] - -* Look over message resource tracking. [done] - -* Retransmission timing & count adaptivity and configurability. - [configurability done] - -* Quick mode exchanges [done] - -* Aggressive mode exchange. [done] - -* Finish main mode exchange [done] - -* Separation of key exchange from the IPsec DOI, i.e. factor out IKE details. - -* Setup the IPsec situation field in the main mode. [done] - -* Kernel interface for IPsec parameter passing. [done] - -* Notify of unsupported situations. - -* Set/get field macros generated from the field descriptions. [done] - -* SIGHUP handler with reparsing of config file. [done] - -* RSA signature authentication. <Niels> [done] - -* DSS signature authentication. - -* RSA encryption authentication. - -* New group mode. - -* DELETE payload handling, and generation from ui. [generation done] - -* Deal well with incoming informational exchanges. [done] - -* Generate all possible SA attributes in quick mode. [done] - -* Validate incoming attribute according to policy, main mode. [done] - -* Validate incoming attribute according to policy, quick mode. [done] - -* Cleanup reserved SPIs on cleanup of associated SAs. [done] - -* Validate attribute types (i.e. that what the specs tells should be - basic). - -* Cleanup reserved SPIs in proposals never chosen. [done] - -* Add time measuring and reporting to the exchange code for catching of - bottlenecks. - -* Rescan interfaces on SIGHUP and on reception of messages on the INADDR_ANY - listener socket. [done] - -* Validate the configuration file. - -* Do a soft-limit on ISAKMP SA lifetime. [done] - -* Let the hard-limit on ISAKMP SA lifetime destroy the SA ASAP. [done] - -* IPsec rekeying. [done] - -* Store tunnels into SPD, and handle acquire SA events. [done] - -* If an exchange is on-going when a rekey event happens, drop the request. - [done] - -* INITIAL CONTACT notification sending when appropriate. [done] - -* INITIAL CONTACT notification handling. [done] - -* IPsec SAs could also do with timers protecting its lifetime, if say, - someone changed the lifetime of the IPsec SA in stack under us. [done] - -* Handle notifications showing the peer did not want to continue this exchange. - -* Flexible identification. - -* Remove referring flows when a SPI is removed. [done] - -* IPCOMP. - -* Acknowledged notification exchange. - -* Tiger hash. - -* El-Gamal public key encryption. - -* Check of attributes not being changed by the responder in phase 2. - -* See to the commit bit will never be used in phase 1. Give INVALID-FLAGS - if seeing it. - -* Base mode. - -* IKECFG [protocol done, configuration controls remain] - -* XAUTH framework. - -* PKCS#11 - -* XAUTH hybrid frame work. - -* Specify extra certificates to send somehow. - -* Handle CERTs anywhere in an exchange. - -* Add a way to do multiple configuration commands via ui. - -* Replace ui's fifo with a slightly more versatile interface. - -* Report current configuration. [done] - -* IPv6 [done] - -* AES in phase 1 [done] - -* x509_certreq_validate needs implementing. - -* Smartcard support. diff --git a/keyexchange/isakmpd-20041012/app.c b/keyexchange/isakmpd-20041012/app.c deleted file mode 100644 index a04aa14..0000000 --- a/keyexchange/isakmpd-20041012/app.c +++ /dev/null @@ -1,63 +0,0 @@ -/* $OpenBSD: app.c,v 1.9 2004/04/15 18:39:25 deraadt Exp $ */ -/* $EOM: app.c,v 1.6 1999/05/01 20:21:06 niklas Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -/* - * XXX This is just a wrapper module for now. Later we might handle many - * applications simultaneously but right now, we assume one system-dependent - * one only. - */ - -#include "sysdep.h" - -#include "app.h" -#include "log.h" - -int app_socket; - -/* Set this to not get any applications setup. */ -int app_none = 0; - -/* Initialize applications. */ -void -app_init(void) -{ - if (app_none) - return; - app_socket = sysdep_app_open(); - if (app_socket == -1) - log_fatal("app_init: cannot open connection to application"); -} - -void -app_handler(void) -{ - sysdep_app_handler(app_socket); -} diff --git a/keyexchange/isakmpd-20041012/app.h b/keyexchange/isakmpd-20041012/app.h deleted file mode 100644 index 96a2864..0000000 --- a/keyexchange/isakmpd-20041012/app.h +++ /dev/null @@ -1,42 +0,0 @@ -/* $OpenBSD: app.h,v 1.7 2004/04/15 18:39:25 deraadt Exp $ */ -/* $EOM: app.h,v 1.4 1999/04/02 00:58:16 niklas Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _APP_H_ -#define _APP_H_ - -extern int app_socket; -extern int app_none; - -extern void app_conf_init_hook(void); -extern void app_handler(void); -extern void app_init(void); - -#endif /* _APP_H_ */ diff --git a/keyexchange/isakmpd-20041012/apps/Makefile b/keyexchange/isakmpd-20041012/apps/Makefile deleted file mode 100644 index 7d1bbe9..0000000 --- a/keyexchange/isakmpd-20041012/apps/Makefile +++ /dev/null @@ -1,34 +0,0 @@ -# $OpenBSD: Makefile,v 1.2 2003/06/03 14:35:00 ho Exp $ -# $EOM: Makefile,v 1.2 1999/07/17 20:44:12 niklas Exp $ - -# -# Copyright (c) 1999 Niels Provos. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Ericsson Radio Systems. -# - -SUBDIR= certpatch - -#.include <bsd.subdir.mk> diff --git a/keyexchange/isakmpd-20041012/apps/certpatch/.cvsignore b/keyexchange/isakmpd-20041012/apps/certpatch/.cvsignore deleted file mode 100644 index 6203864..0000000 --- a/keyexchange/isakmpd-20041012/apps/certpatch/.cvsignore +++ /dev/null @@ -1,3 +0,0 @@ -certpatch -certpatch.cat8 -obj diff --git a/keyexchange/isakmpd-20041012/apps/certpatch/GNUmakefile b/keyexchange/isakmpd-20041012/apps/certpatch/GNUmakefile deleted file mode 100644 index 3cd8e3a..0000000 --- a/keyexchange/isakmpd-20041012/apps/certpatch/GNUmakefile +++ /dev/null @@ -1,55 +0,0 @@ -# $OpenBSD: Makefile,v 1.7 2003/06/03 14:35:00 ho Exp $ -# $EOM: Makefile,v 1.6 2000/03/28 21:22:06 ho Exp $ - -# -# Copyright (c) 1999 Niels Provos. All rights reserved. -# Copyright (c) 2001 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Ericsson Radio Systems. -# - -PROG= certpatch -SRCS= certpatch.c -BINDIR?= /usr/sbin -TOPSRC= ${.CURDIR}../.. -TOPOBJ!= cd ${TOPSRC}; printf "all:\n\t@pwd\n" |${MAKE} -f- -OS= linux -FEATURES!= awk '/^FEATURES=/ { print $$0 }' ${.CURDIR}/../../Makefile | sed 's/FEATURES=.//' -.PATH: ${TOPSRC} ${TOPSRC}/sysdep/${OS} ${TOPOBJ} -CFLAGS+= -I${TOPSRC} -I${TOPSRC}/sysdep/${OS} -I${TOPOBJ} -Wall -LDFLAGS+= -lcrypto -lssl -lgmp -MAN= certpatch.8 - -CFLAGS+= -DMP_FLAVOUR=MP_FLAVOUR_GMP -LDADD+= -lgmp -DPADD+= ${LIBGMP} - -# Override LIBSYSDEPDIR definition from Makefile.sysdep -LIBSYSDEPDIR= ${TOPSRC}/sysdep/common/libsysdep - -all: ${PROG} - -clean: - rm -f ${PROG} diff --git a/keyexchange/isakmpd-20041012/apps/certpatch/Makefile b/keyexchange/isakmpd-20041012/apps/certpatch/Makefile deleted file mode 100644 index c422938..0000000 --- a/keyexchange/isakmpd-20041012/apps/certpatch/Makefile +++ /dev/null @@ -1,58 +0,0 @@ -# $OpenBSD: Makefile,v 1.7 2003/06/03 14:35:00 ho Exp $ -# $EOM: Makefile,v 1.6 2000/03/28 21:22:06 ho Exp $ - -# -# Copyright (c) 1999 Niels Provos. All rights reserved. -# Copyright (c) 2001 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Ericsson Radio Systems. -# - -PROG= certpatch -SRCS= certpatch.c -BINDIR?= /usr/sbin -TOPSRC= ${.CURDIR}/../.. -TOPOBJ!= cd ${TOPSRC}; printf "all:\n\t@pwd\n" |${MAKE} -f- -OS!= awk '/^OS=/ { print $$2 }' ${.CURDIR}/../../Makefile -FEATURES!= awk '/^FEATURES=/ { print $$0 }' ${.CURDIR}/../../Makefile | sed 's/FEATURES=.//' -.PATH: ${TOPSRC} ${TOPSRC}/sysdep/${OS} ${TOPOBJ} -CFLAGS+= -I${TOPSRC} -I${TOPSRC}/sysdep/${OS} -I${TOPOBJ} -Wall -LDADD+= -lcrypto -DPADD+= ${LIBCRYPTO} -MAN= certpatch.8 - -.if ${FEATURES:Mgmp} == "gmp" -CFLAGS+= -DMP_FLAVOUR=MP_FLAVOUR_GMP -LDADD+= -lgmp -DPADD+= ${LIBGMP} -.else -CFLAGS+= -DMP_FLAVOUR=MP_FLAVOUR_OPENSSL -.endif - -.include "${TOPSRC}/sysdep/${OS}/Makefile.sysdep" -# Override LIBSYSDEPDIR definition from Makefile.sysdep -LIBSYSDEPDIR= ${TOPSRC}/sysdep/common/libsysdep - -.include <bsd.prog.mk> diff --git a/keyexchange/isakmpd-20041012/apps/certpatch/certpatch.8 b/keyexchange/isakmpd-20041012/apps/certpatch/certpatch.8 deleted file mode 100644 index 1c1b629..0000000 --- a/keyexchange/isakmpd-20041012/apps/certpatch/certpatch.8 +++ /dev/null @@ -1,85 +0,0 @@ -.\" $OpenBSD: certpatch.8,v 1.8 2003/06/04 07:31:17 ho Exp $ -.\" $EOM: certpatch.8,v 1.5 2000/04/07 22:17:11 niklas Exp $ -.\" -.\" Copyright (c) 1999 Niklas Hallqvist. All rights reserved. -.\" Copyright (c) 1999 Angelos D. Keromytis. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.\" This code was written under funding by Ericsson Radio Systems. -.\" -.\" Manual page, using -mandoc macros -.\" -.Dd July 18, 1999 -.Dt CERTPATCH 8 -.Os -.Sh NAME -.Nm certpatch -.Nd add subjectAltName identities to X.509 certificates -.Sh SYNOPSIS -.Nm certpatch -.Op Fl t Ar identity-type -.Fl i -.Ar identity -.Fl k -.Ar signing-key -.Ar input-certificate output-certificate -.Sh DESCRIPTION -.Nm -alters PEM-encoded X.509 certificates by adding a subjectAltName extension -containing an identity used by the signature-based authentication schemes -of the ISAKMP protocol. -After the addition the certificate will be signed -once again with the supplied CA signing key. -.Pp -The options are as follows: -.Bl -tag -width Ds -.It Fl t Ar identity-type -If given, the -.Fl t -option specifies the type of the given identity. -Currently -.Li ip , -.Li fqdn , -and -.Li ufqdn -are recognized. -The default is -.Li ip . -.It Fl i Ar identity -The -.Fl i -option takes an argument which is the identity to put into the -subjectAltName field of the certificate. -If the identity-type is -.Li ip , -this argument should be an IPv4 address in dotted decimal notation. -.It Fl k Ar signing-key -The -.Fl k -option specifies the key used for signing the certificate once the -subjectAltName extension has been added. -The key is specified by -the filename where it is stored in PEM format. -.El -.Sh SEE ALSO -.Xr isakmpd 8 , -.Xr ssl 8 diff --git a/keyexchange/isakmpd-20041012/apps/certpatch/certpatch.c b/keyexchange/isakmpd-20041012/apps/certpatch/certpatch.c deleted file mode 100644 index 0a0125a..0000000 --- a/keyexchange/isakmpd-20041012/apps/certpatch/certpatch.c +++ /dev/null @@ -1,317 +0,0 @@ -/* $OpenBSD: certpatch.c,v 1.21 2003/06/04 07:31:17 ho Exp $ */ -/* $EOM: certpatch.c,v 1.11 2000/12/21 14:50:09 ho Exp $ */ - -/* - * Copyright (c) 1999 Niels Provos. All rights reserved. - * Copyright (c) 1999, 2000 Angelos D. Keromytis. All rights reserved. - * Copyright (c) 2000, 2001 Niklas Hallqvist. All rights reserved. - * Copyright (c) 2001 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -/* - * This program takes a certificate generated by ssleay and a - * private key. It encodes a new id as subject alt name - * extension into the certifcate. The result gets written as - * new certificate that can be used by isakmpd. - */ - -#include <sys/param.h> -#include <sys/types.h> -#include <sys/mman.h> -#include <sys/stat.h> -#include <ctype.h> -#include <fcntl.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <unistd.h> - -#include <sys/socket.h> -#include <netinet/in.h> -#include <arpa/inet.h> - -#include "sysdep.h" - -#ifdef KAME -# ifdef CRYPTO -# include <openssl/rsa.h> -# endif -#else -# include <openssl/rsa.h> -#endif - -#include <openssl/x509.h> -#include <openssl/pem.h> - -#include "conf.h" -#include "ipsec_num.h" -#include "log.h" -#include "math_mp.h" -#include "x509.h" - -#define IDTYPE_IP "ip" -#define IDTYPE_FQDN "fqdn" -#define IDTYPE_UFQDN "ufqdn" - -int -main (int argc, char **argv) -{ - char *usage = "%s [-t idtype] -i id -k keyfile certin certout\n\n" - "This programs takes a certificate and adds a subjectAltName extension\n" - "with the identication given as command line argument. Be sure that \n" - "the signing key matches the issuer.\n"; - EVP_PKEY *pkey_priv; - X509 *cert; - BIO *file; - const EVP_MD *digest; - X509_EXTENSION *ex = NULL; - ASN1_OCTET_STRING *data = NULL; - struct in_addr saddr; - unsigned char ipaddr[6], *new_id; - char *type = IDTYPE_IP, *keyfile = NULL, *id = NULL; - char *certin, *certout; - int ch, err; - -#if SSLEAY_VERSION_NUMBER >= 0x00904100L - unsigned char *p; - ASN1_STRING str; - int i; -#endif - - - /* read command line arguments */ - while ((ch = getopt (argc, argv, "t:k:i:")) != -1) - switch (ch) { - case 't': - type = optarg; - break; - case 'k': - keyfile = optarg; - break; - case 'i': - id = optarg; - break; - default: - fprintf (stderr, usage, argv[0]); - return (1); - } - - argc -= optind; - - if (argc != 2) { - fprintf (stderr, usage, argv[0]); - return (1); - } - - argv += optind; - - certin = argv[0]; - certout = argv[1]; - - /* Check ID */ - - if ((strcasecmp (IDTYPE_IP, type) != 0 && - strcasecmp (IDTYPE_FQDN, type) != 0 && - strcasecmp (IDTYPE_UFQDN, type) != 0) || id == NULL) - { - printf ("wrong id type or missing id\n"); - return (1); - } - - /* - * X509_verify will fail, as will all other functions that call - * EVP_get_digest_byname. - */ - - SSLeay_add_all_algorithms (); - - /* Use a certificate created by ssleay and add the appr. extension */ - printf ("Reading ssleay created certificate %s and modify it\n", - certin); - file = BIO_new (BIO_s_file ()); - if (BIO_read_filename (file, certin) == -1) - { - perror ("read"); - return (1); - } -#if SSLEAY_VERSION_NUMBER >= 0x00904100L - cert = PEM_read_bio_X509 (file, NULL, NULL, NULL); -#else - cert = PEM_read_bio_X509 (file, NULL, NULL); -#endif - BIO_free (file); - if (cert == NULL) - { - printf ("PEM_read_bio_X509 () failed\n"); - return (1); - } - - /* Get the digest for the actual signing */ - digest = EVP_get_digestbyname (OBJ_nid2sn (OBJ_obj2nid (cert->sig_alg->algorithm))); - - if (!X509_set_version (cert, 2)) - { - printf ("X509 failed to set version number\n"); - return (1); - } - - if (!strcasecmp (IDTYPE_IP, type)) - { - if (inet_aton (id, &saddr) == 0) - { - printf ("inet_aton () failed\n"); - return (1); - } - - saddr.s_addr = htonl (saddr.s_addr); - ipaddr[0] = 0x87; - ipaddr[1] = 0x04; - ipaddr[2] = saddr.s_addr >> 24; - ipaddr[3] = (saddr.s_addr >> 16) & 0xff; - ipaddr[4] = (saddr.s_addr >> 8) & 0xff; - ipaddr[5] = saddr.s_addr & 0xff; - -#if SSLEAY_VERSION_NUMBER >= 0x00904100L - str.length = 6; - str.type = V_ASN1_OCTET_STRING; - str.data = ipaddr; - data = ASN1_OCTET_STRING_new (); - if (!data) - { - perror ("ASN1_OCTET_STRING_new() failed"); - return (1); - } - - i = i2d_ASN1_OCTET_STRING ((ASN1_OCTET_STRING *)&str, NULL); - if (!ASN1_STRING_set ((ASN1_STRING *)data,NULL,i)) - { - perror ("ASN1_STRING_set() failed"); - return (1); - } - p = (unsigned char *)data->data; - i2d_ASN1_OCTET_STRING ((ASN1_OCTET_STRING *)&str, &p); - data->length = i; -#else - data = X509v3_pack_string (NULL, V_ASN1_OCTET_STRING, ipaddr, 6); -#endif - } - else if (!strcasecmp (IDTYPE_FQDN, type) || !strcasecmp (IDTYPE_UFQDN, type)) - { - new_id = malloc (strlen (id) + 2); - if (new_id == NULL) - { - printf ("malloc () failed\n"); - return (1); - } - - if (!strcasecmp (IDTYPE_FQDN, type)) - new_id[0] = 0x82; - else - new_id[0] = 0x81; /* IDTYPE_UFQDN */ - - memcpy (new_id + 2, id, strlen(id)); - new_id[1] = strlen (id); -#if SSLEAY_VERSION_NUMBER >= 0x00904100L - str.length = strlen (id) + 2; - str.type = V_ASN1_OCTET_STRING; - str.data = new_id; - data = ASN1_OCTET_STRING_new (); - if (!data) - { - perror ("ASN1_OCTET_STRING_new() failed"); - return (1); - } - - i = i2d_ASN1_OCTET_STRING ((ASN1_OCTET_STRING *)&str, NULL); - if (!ASN1_STRING_set ((ASN1_STRING *)data,NULL,i)) - { - perror ("ASN1_STRING_set() failed"); - return (1); - } - p = (unsigned char *)data->data; - i2d_ASN1_OCTET_STRING ((ASN1_OCTET_STRING *)&str, &p); - data->length = i; -#else - data = X509v3_pack_string (NULL, V_ASN1_OCTET_STRING, new_id, - strlen (id) + 2); -#endif - free (new_id); - } - - /* XXX This is a hack, how to do better? */ - data->type = 0x30; - data->data[0] = 0x30; - ex = X509_EXTENSION_create_by_NID (NULL, NID_subject_alt_name, 1, data); - - if (ex == NULL) - { - printf ("X509_EXTENSION_create ()\n"); - return (1); - } - - X509_add_ext (cert, ex, -1); - - file = BIO_new (BIO_s_file ()); - if (BIO_read_filename (file, keyfile) == -1) - { - perror ("open"); - return (1); - } -#if SSLEAY_VERSION_NUMBER >= 0x00904100L - if ((pkey_priv = PEM_read_bio_PrivateKey (file, NULL, NULL, NULL)) == NULL) -#else - if ((pkey_priv = PEM_read_bio_PrivateKey (file, NULL, NULL)) == NULL) -#endif - { - printf ("Can not read private key %s\n", keyfile); - return (1); - } - BIO_free (file); - - printf ("Creating Signature: PKEY_TYPE = %s: ", - pkey_priv->type == EVP_PKEY_RSA ? "RSA" : "unknown"); - err = X509_sign (cert, pkey_priv, digest); - printf ("X509_sign: %d ", err); - if (!err) - printf ("FAILED "); - else - printf ("OKAY "); - printf ("\n"); - - file = BIO_new (BIO_s_file ()); - if (BIO_write_filename (file, certout) == -1) - { - perror ("open"); - return (1); - } - - printf ("Writing new certificate to %s\n", certout); - PEM_write_bio_X509 (file, cert); - BIO_free (file); - - return (0); -} diff --git a/keyexchange/isakmpd-20041012/attribute.c b/keyexchange/isakmpd-20041012/attribute.c deleted file mode 100644 index 362805b..0000000 --- a/keyexchange/isakmpd-20041012/attribute.c +++ /dev/null @@ -1,112 +0,0 @@ -/* $OpenBSD: attribute.c,v 1.11 2004/05/14 08:42:56 hshoexer Exp $ */ -/* $EOM: attribute.c,v 1.10 2000/02/20 19:58:36 niklas Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/types.h> -#include <string.h> - -#include "sysdep.h" - -#include "attribute.h" -#include "conf.h" -#include "log.h" -#include "isakmp.h" -#include "util.h" - -u_int8_t * -attribute_set_basic(u_int8_t *buf, u_int16_t type, u_int16_t value) -{ - SET_ISAKMP_ATTR_TYPE(buf, ISAKMP_ATTR_MAKE(1, type)); - SET_ISAKMP_ATTR_LENGTH_VALUE(buf, value); - return buf + ISAKMP_ATTR_VALUE_OFF; -} - -u_int8_t * -attribute_set_var(u_int8_t *buf, u_int16_t type, u_int8_t *value, - u_int16_t len) -{ - SET_ISAKMP_ATTR_TYPE(buf, ISAKMP_ATTR_MAKE(0, type)); - SET_ISAKMP_ATTR_LENGTH_VALUE(buf, len); - memcpy(buf + ISAKMP_ATTR_VALUE_OFF, value, len); - return buf + ISAKMP_ATTR_VALUE_OFF + len; -} - -/* - * Execute a function FUNC taking an attribute type, value, length and ARG - * as arguments for each attribute in the area of ISAKMP attributes located - * at BUF, sized SZ. If any invocation fails, the processing aborts with a - * -1 return value. If all goes well return zero. - */ -int -attribute_map(u_int8_t *buf, size_t sz, int (*func)(u_int16_t, u_int8_t *, - u_int16_t, void *), void *arg) -{ - u_int8_t *attr; - int fmt; - u_int16_t type; - u_int8_t *value; - u_int16_t len; - - for (attr = buf; attr < buf + sz; attr = value + len) { - if (attr + ISAKMP_ATTR_VALUE_OFF > buf + sz) - return -1; - type = GET_ISAKMP_ATTR_TYPE(attr); - fmt = ISAKMP_ATTR_FORMAT(type); - type = ISAKMP_ATTR_TYPE(type); - value = attr + (fmt ? ISAKMP_ATTR_LENGTH_VALUE_OFF - : ISAKMP_ATTR_VALUE_OFF); - len = (fmt ? ISAKMP_ATTR_LENGTH_VALUE_LEN - : GET_ISAKMP_ATTR_LENGTH_VALUE(attr)); - if (value + len > buf + sz) - return -1; - if (func(type, value, len, arg)) - return -1; - } - return 0; -} - -int -attribute_set_constant(char *section, char *tag, struct constant_map *map, - int attr_class, u_int8_t **attr) -{ - char *name; - int value; - - name = conf_get_str(section, tag); - if (!name) { - LOG_DBG((LOG_MISC, 70, - "attribute_set_constant: no %s in the %s section", tag, - section)); - return -1; - } - value = constant_value(map, name); - *attr = attribute_set_basic(*attr, attr_class, value); - return 0; -} diff --git a/keyexchange/isakmpd-20041012/attribute.h b/keyexchange/isakmpd-20041012/attribute.h deleted file mode 100644 index aa835cf..0000000 --- a/keyexchange/isakmpd-20041012/attribute.h +++ /dev/null @@ -1,47 +0,0 @@ -/* $OpenBSD: attribute.h,v 1.6 2004/05/14 08:42:56 hshoexer Exp $ */ -/* $EOM: attribute.h,v 1.2 1998/09/29 21:51:07 niklas Exp $ */ - -/* - * Copyright (c) 1998 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _ATTRIBUTE_H_ -#define _ATTRIBUTE_H_ - -#include <sys/types.h> - -struct constant_map; - -extern int attribute_map(u_int8_t *, size_t, int (*)(u_int16_t, - u_int8_t *, u_int16_t, void *), void *); -extern u_int8_t *attribute_set_basic(u_int8_t *, u_int16_t, u_int16_t); -extern int attribute_set_constant(char *, char *, struct constant_map *, - int, u_int8_t **); -extern u_int8_t *attribute_set_var(u_int8_t *, u_int16_t, u_int8_t *, - u_int16_t); - -#endif /* _ATTRIBUTE_H_ */ diff --git a/keyexchange/isakmpd-20041012/cert.c b/keyexchange/isakmpd-20041012/cert.c deleted file mode 100644 index d04b964..0000000 --- a/keyexchange/isakmpd-20041012/cert.c +++ /dev/null @@ -1,160 +0,0 @@ -/* $OpenBSD: cert.c,v 1.28 2004/06/14 09:55:41 ho Exp $ */ -/* $EOM: cert.c,v 1.18 2000/09/28 12:53:27 niklas Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niels Provos. All rights reserved. - * Copyright (c) 1999, 2000 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/param.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -#include "sysdep.h" - -#include "isakmp_num.h" -#include "log.h" -#include "cert.h" - -#ifdef USE_X509 -#include "x509.h" -#endif - -#ifdef USE_KEYNOTE -#include "policy.h" -#endif - -struct cert_handler cert_handler[] = { -#ifdef USE_X509 - { - ISAKMP_CERTENC_X509_SIG, - x509_cert_init, x509_crl_init, x509_cert_get, x509_cert_validate, - x509_cert_insert, x509_cert_free, - x509_certreq_validate, x509_certreq_decode, x509_free_aca, - x509_cert_obtain, x509_cert_get_key, x509_cert_get_subjects, - x509_cert_dup, x509_serialize, x509_printable, x509_from_printable - }, -#endif -#ifdef USE_KEYNOTE - { - ISAKMP_CERTENC_KEYNOTE, - keynote_cert_init, NULL, keynote_cert_get, keynote_cert_validate, - keynote_cert_insert, keynote_cert_free, - keynote_certreq_validate, keynote_certreq_decode, keynote_free_aca, - keynote_cert_obtain, keynote_cert_get_key, keynote_cert_get_subjects, - keynote_cert_dup, keynote_serialize, keynote_printable, - keynote_from_printable - }, -#endif -}; - -/* Initialize all certificate handlers */ -int -cert_init(void) -{ - size_t i; - int err = 1; - - for (i = 0; i < sizeof cert_handler / sizeof cert_handler[0]; i++) - if (cert_handler[i].cert_init && - !(*cert_handler[i].cert_init)()) - err = 0; - - return err; -} - -int -crl_init(void) -{ - size_t i; - int err = 1; - - for (i = 0; i < sizeof cert_handler / sizeof cert_handler[0]; i++) - if (cert_handler[i].crl_init && !(*cert_handler[i].crl_init)()) - err = 0; - - return err; -} - -struct cert_handler * -cert_get(u_int16_t id) -{ - size_t i; - - for (i = 0; i < sizeof cert_handler / sizeof cert_handler[0]; i++) - if (id == cert_handler[i].id) - return &cert_handler[i]; - return 0; -} - -/* - * Decode the certificate request of type TYPE contained in DATA extending - * DATALEN bytes. Return a certreq_aca structure which the caller is - * responsible for deallocating. - */ -struct certreq_aca * -certreq_decode(u_int16_t type, u_int8_t *data, u_int32_t datalen) -{ - struct cert_handler *handler; - struct certreq_aca aca, *ret; - - handler = cert_get(type); - if (!handler) - return 0; - - aca.id = type; - aca.handler = handler; - - if (datalen > 0) { - aca.data = handler->certreq_decode(data, datalen); - if (!aca.data) - return 0; - } else - aca.data = 0; - - ret = malloc(sizeof aca); - if (!ret) { - log_error("certreq_decode: malloc (%lu) failed", - (unsigned long)sizeof aca); - handler->free_aca(aca.data); - return 0; - } - memcpy(ret, &aca, sizeof aca); - return ret; -} - -void -cert_free_subjects(int n, u_int8_t **id, u_int32_t *len) -{ - int i; - - for (i = 0; i < n; i++) - free(id[i]); - free(id); - free(len); -} diff --git a/keyexchange/isakmpd-20041012/cert.h b/keyexchange/isakmpd-20041012/cert.h deleted file mode 100644 index 151b2f9..0000000 --- a/keyexchange/isakmpd-20041012/cert.h +++ /dev/null @@ -1,96 +0,0 @@ -/* $OpenBSD: cert.h,v 1.14 2004/05/14 08:42:56 hshoexer Exp $ */ -/* $EOM: cert.h,v 1.8 2000/09/28 12:53:27 niklas Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niels Provos. All rights reserved. - * Copyright (c) 2000, 2001 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _CERT_H_ -#define _CERT_H_ - -#include <sys/param.h> -#include <sys/types.h> -#include <sys/queue.h> - -/* - * CERT handler for each kind of certificate: - * - * cert_init - initialize CERT handler. - * crl_init - initialize CRLs, if applicable. - * cert_get - get a certificate in internal representation from raw data. - * cert_validate - validated a certificate, if it returns != 0 we can use it. - * cert_insert - inserts cert into memory storage, we can retrieve with - * cert_obtain. - * cert_dup - duplicate a certificate - * cert_serialize - convert to a "serialized" form; KeyNote stays the same, - * X509 is converted to the ASN1 notation. - * cert_printable - for X509, the hex representation of the serialized form; - * for KeyNote, itself. - * cert_from_printable - the reverse of cert_printable - */ - -struct cert_handler { - u_int16_t id; /* ISAKMP Cert Encoding ID */ - int (*cert_init)(void); - int (*crl_init)(void); - void *(*cert_get)(u_int8_t *, u_int32_t); - int (*cert_validate)(void *); - int (*cert_insert)(int, void *); - void (*cert_free)(void *); - int (*certreq_validate)(u_int8_t *, u_int32_t); - void *(*certreq_decode)(u_int8_t *, u_int32_t); - void (*free_aca)(void *); - int (*cert_obtain)(u_int8_t *, size_t, void *, u_int8_t **, - u_int32_t *); - int (*cert_get_key) (void *, void *); - int (*cert_get_subjects) (void *, int *, u_int8_t ***, - u_int32_t **); - void *(*cert_dup) (void *); - void (*cert_serialize) (void *, u_int8_t **, u_int32_t *); - char *(*cert_printable) (void *); - void *(*cert_from_printable) (char *); -}; - -/* The acceptable authority of cert request. */ -struct certreq_aca { - TAILQ_ENTRY(certreq_aca) link; - - u_int16_t id; - struct cert_handler *handler; - - /* If data is a null pointer, everything is acceptable. */ - void *data; -}; - -struct certreq_aca *certreq_decode(u_int16_t, u_int8_t *, u_int32_t); -void cert_free_subjects(int, u_int8_t **, u_int32_t *); -struct cert_handler *cert_get(u_int16_t); -int cert_init(void); -int crl_init(void); - -#endif /* _CERT_H_ */ diff --git a/keyexchange/isakmpd-20041012/conf.c b/keyexchange/isakmpd-20041012/conf.c deleted file mode 100644 index 0eaa1e9..0000000 --- a/keyexchange/isakmpd-20041012/conf.c +++ /dev/null @@ -1,1123 +0,0 @@ -/* $OpenBSD: conf.c,v 1.73 2004/08/08 19:11:06 deraadt Exp $ */ -/* $EOM: conf.c,v 1.48 2000/12/04 02:04:29 angelos Exp $ */ - -/* - * Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. - * Copyright (c) 2000, 2001, 2002 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/param.h> -#include <sys/mman.h> -#include <sys/queue.h> -#include <sys/socket.h> -#include <sys/stat.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <ctype.h> -#include <fcntl.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <unistd.h> -#include <errno.h> - -#include "sysdep.h" - -#include "app.h" -#include "conf.h" -#include "log.h" -#include "monitor.h" -#include "util.h" - -static char *conf_get_trans_str(int, char *, char *); -static void conf_load_defaults(int); -#if 0 -static int conf_find_trans_xf(int, char *); -#endif - -struct conf_trans { - TAILQ_ENTRY(conf_trans) link; - int trans; - enum conf_op { - CONF_SET, CONF_REMOVE, CONF_REMOVE_SECTION - } op; - char *section; - char *tag; - char *value; - int override; - int is_default; -}; - -#define CONF_SECT_MAX 256 - -TAILQ_HEAD(conf_trans_head, conf_trans) conf_trans_queue; - -/* - * Radix-64 Encoding. - */ -const u_int8_t bin2asc[] = - "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; - -const u_int8_t asc2bin[] = -{ - 255, 255, 255, 255, 255, 255, 255, 255, - 255, 255, 255, 255, 255, 255, 255, 255, - 255, 255, 255, 255, 255, 255, 255, 255, - 255, 255, 255, 255, 255, 255, 255, 255, - 255, 255, 255, 255, 255, 255, 255, 255, - 255, 255, 255, 62, 255, 255, 255, 63, - 52, 53, 54, 55, 56, 57, 58, 59, - 60, 61, 255, 255, 255, 255, 255, 255, - 255, 0, 1, 2, 3, 4, 5, 6, - 7, 8, 9, 10, 11, 12, 13, 14, - 15, 16, 17, 18, 19, 20, 21, 22, - 23, 24, 25, 255, 255, 255, 255, 255, - 255, 26, 27, 28, 29, 30, 31, 32, - 33, 34, 35, 36, 37, 38, 39, 40, - 41, 42, 43, 44, 45, 46, 47, 48, - 49, 50, 51, 255, 255, 255, 255, 255 -}; - -struct conf_binding { - LIST_ENTRY(conf_binding) link; - char *section; - char *tag; - char *value; - int is_default; -}; - -char *conf_path = CONFIG_FILE; -LIST_HEAD(conf_bindings, conf_binding) conf_bindings[256]; - -static char *conf_addr; -static __inline__ u_int8_t -conf_hash(char *s) -{ - u_int8_t hash = 0; - - while (*s) { - hash = ((hash << 1) | (hash >> 7)) ^ tolower(*s); - s++; - } - return hash; -} - -/* - * Insert a tag-value combination from LINE (the equal sign is at POS) - */ -static int -conf_remove_now(char *section, char *tag) -{ - struct conf_binding *cb, *next; - - for (cb = LIST_FIRST(&conf_bindings[conf_hash(section)]); cb; - cb = next) { - next = LIST_NEXT(cb, link); - if (strcasecmp(cb->section, section) == 0 - && strcasecmp(cb->tag, tag) == 0) { - LIST_REMOVE(cb, link); - LOG_DBG((LOG_MISC, 95, "[%s]:%s->%s removed", section, - tag, cb->value)); - free(cb->section); - free(cb->tag); - free(cb->value); - free(cb); - return 0; - } - } - return 1; -} - -static int -conf_remove_section_now(char *section) -{ - struct conf_binding *cb, *next; - int unseen = 1; - - for (cb = LIST_FIRST(&conf_bindings[conf_hash(section)]); cb; - cb = next) { - next = LIST_NEXT(cb, link); - if (strcasecmp(cb->section, section) == 0) { - unseen = 0; - LIST_REMOVE(cb, link); - LOG_DBG((LOG_MISC, 95, "[%s]:%s->%s removed", section, - cb->tag, cb->value)); - free(cb->section); - free(cb->tag); - free(cb->value); - free(cb); - } - } - return unseen; -} - -/* - * Insert a tag-value combination from LINE (the equal sign is at POS) - * into SECTION of our configuration database. - */ -static int -conf_set_now(char *section, char *tag, char *value, int override, - int is_default) -{ - struct conf_binding *node = 0; - - if (override) - conf_remove_now(section, tag); - else if (conf_get_str(section, tag)) { - if (!is_default) - log_print("conf_set_now: duplicate tag [%s]:%s, " - "ignoring...\n", section, tag); - return 1; - } - node = calloc(1, sizeof *node); - if (!node) { - log_error("conf_set_now: calloc (1, %lu) failed", - (unsigned long)sizeof *node); - return 1; - } - node->section = strdup(section); - node->tag = strdup(tag); - node->value = strdup(value); - node->is_default = is_default; - - LIST_INSERT_HEAD(&conf_bindings[conf_hash(section)], node, link); - LOG_DBG((LOG_MISC, 95, "conf_set_now: [%s]:%s->%s", node->section, - node->tag, node->value)); - return 0; -} - -/* - * Parse the line LINE of SZ bytes. Skip Comments, recognize section - * headers and feed tag-value pairs into our configuration database. - */ -static void -conf_parse_line(int trans, char *line, size_t sz) -{ - char *val; - size_t i; - int j; - static char *section = 0; - static int ln = 0; - - ln++; - - /* Lines starting with '#' or ';' are comments. */ - if (*line == '#' || *line == ';') - return; - - /* '[section]' parsing... */ - if (*line == '[') { - for (i = 1; i < sz; i++) - if (line[i] == ']') - break; - if (section) - free(section); - if (i == sz) { - log_print("conf_parse_line: %d:" - "unmatched ']', ignoring until next section", ln); - section = 0; - return; - } - section = malloc(i); - if (!section) { - log_print("conf_parse_line: %d: malloc (%lu) failed", - ln, (unsigned long)i); - return; - } - strlcpy(section, line + 1, i); - return; - } - /* Deal with assignments. */ - for (i = 0; i < sz; i++) - if (line[i] == '=') { - /* If no section, we are ignoring the lines. */ - if (!section) { - log_print("conf_parse_line: %d: ignoring line " - "due to no section", ln); - return; - } - line[strcspn(line, " \t=")] = '\0'; - val = line + i + 1 + strspn(line + i + 1, " \t"); - /* Skip trailing whitespace, if any */ - for (j = sz - (val - line) - 1; j > 0 && - isspace(val[j]); j--) - val[j] = '\0'; - /* XXX Perhaps should we not ignore errors? */ - conf_set(trans, section, line, val, 0, 0); - return; - } - /* Other non-empty lines are weird. */ - i = strspn(line, " \t"); - if (line[i]) - log_print("conf_parse_line: %d: syntax error", ln); -} - -/* Parse the mapped configuration file. */ -static void -conf_parse(int trans, char *buf, size_t sz) -{ - char *cp = buf; - char *bufend = buf + sz; - char *line; - - line = cp; - while (cp < bufend) { - if (*cp == '\n') { - /* Check for escaped newlines. */ - if (cp > buf && *(cp - 1) == '\\') - *(cp - 1) = *cp = ' '; - else { - *cp = '\0'; - conf_parse_line(trans, line, cp - line); - line = cp + 1; - } - } - cp++; - } - if (cp != line) - log_print("conf_parse: last line unterminated, ignored."); -} - -/* - * Auto-generate default configuration values for the transforms and - * suites the user wants. - * - * Resulting section names can be: - * For main mode: - * {DES,BLF,3DES,CAST,AES}-{MD5,SHA}[-GRP{1,2,5,14}][-{DSS,RSA_SIG}] - * For quick mode: - * QM-{proto}[-TRP]-{cipher}[-{hash}][-PFS[-{group}]]-SUITE - * where - * {proto} = ESP, AH - * {cipher} = DES, 3DES, CAST, BLF, AES - * {hash} = MD5, SHA, RIPEMD, SHA2-{-256,384,512} - * {group} = GRP1, GRP2, GRP5, GRP14 - * - * DH group defaults to MODP_1024. - * - * XXX We may want to support USE_BLOWFISH, USE_TRIPLEDES, etc... - * XXX No EC2N DH support here yet. - */ - -/* Find the value for a section+tag in the transaction list. */ -static char * -conf_get_trans_str(int trans, char *section, char *tag) -{ - struct conf_trans *node, *nf = 0; - - for (node = TAILQ_FIRST(&conf_trans_queue); node; - node = TAILQ_NEXT(node, link)) - if (node->trans == trans && strcasecmp(section, node->section) - == 0 && strcasecmp(tag, node->tag) == 0) { - if (!nf) - nf = node; - else if (node->override) - nf = node; - } - return nf ? nf->value : 0; -} - -#if 0 -/* XXX Currently unused. */ -static int -conf_find_trans_xf(int phase, char *xf) -{ - struct conf_trans *node; - char *p; - - /* Find the relevant transforms and suites, if any. */ - for (node = TAILQ_FIRST(&conf_trans_queue); node; - node = TAILQ_NEXT(node, link)) - if ((phase == 1 && strcmp("Transforms", node->tag) == 0) || - (phase == 2 && strcmp("Suites", node->tag) == 0)) { - p = node->value; - while ((p = strstr(p, xf)) != NULL) - if (*(p + strlen(p)) && - *(p + strlen(p)) != ',') - p += strlen(p); - else - return 1; - } - return 0; -} -#endif - -static void -conf_load_defaults_mm(int tr, char *mme, char *mmh, char *mma, char *dhg, - char *mme_p, char *mma_p, char *dhg_p) -{ - char sect[CONF_SECT_MAX]; - - snprintf(sect, sizeof sect, "%s-%s%s%s", mme_p, mmh, dhg_p, mma_p); - - LOG_DBG((LOG_MISC, 95, "conf_load_defaults_mm: main mode %s", sect)); - - conf_set(tr, sect, "ENCRYPTION_ALGORITHM", mme, 0, 1); - if (strcmp(mme, "BLOWFISH_CBC") == 0) - conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_BLF_KEYLEN, 0, - 1); - else if (strcmp(mme, "AES_CBC") == 0) - conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_AES_KEYLEN, 0, - 1); - - conf_set(tr, sect, "HASH_ALGORITHM", mmh, 0, 1); - conf_set(tr, sect, "AUTHENTICATION_METHOD", mma, 0, 1); - conf_set(tr, sect, "GROUP_DESCRIPTION", dhg, 0, 1); - conf_set(tr, sect, "Life", CONF_DFLT_TAG_LIFE_MAIN_MODE, 0, 1); -} - -static void -conf_load_defaults_qm(int tr, char *qme, char *qmh, char *dhg, char *qme_p, - char *qmh_p, char *dhg_p, int proto, int mode, int pfs) -{ - char sect[CONF_SECT_MAX], tmp[CONF_SECT_MAX]; - - /* Helper #defines, incl abbreviations. */ -#define PROTO(x) ((x) ? "AH" : "ESP") -#define PFS(x) ((x) ? "-PFS" : "") -#define MODE(x) ((x) ? "TRANSPORT" : "TUNNEL") -#define MODE_p(x) ((x) ? "-TRP" : "") - - if (proto == 1 && strcmp(qmh, "NONE") == 0) /* AH */ - return; - - snprintf(tmp, sizeof tmp, "QM-%s%s%s%s%s%s", PROTO(proto), - MODE_p(mode), qme_p, qmh_p, PFS(pfs), dhg_p); - - strlcpy(sect, tmp, CONF_SECT_MAX); - strlcat(sect, "-SUITE", CONF_SECT_MAX); - - LOG_DBG((LOG_MISC, 95, "conf_load_defaults_qm: quick mode %s", sect)); - - conf_set(tr, sect, "Protocols", tmp, 0, 1); - snprintf(sect, sizeof sect, "IPSEC_%s", PROTO(proto)); - conf_set(tr, tmp, "PROTOCOL_ID", sect, 0, 1); - strlcpy(sect, tmp, CONF_SECT_MAX); - strlcat(sect, "-XF", CONF_SECT_MAX); - conf_set(tr, tmp, "Transforms", sect, 0, 1); - - /* - * XXX For now, defaults - * contain one xf per protocol. - */ - conf_set(tr, sect, "TRANSFORM_ID", qme, 0, 1); - if (strcmp(qme ,"BLOWFISH") == 0) - conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_BLF_KEYLEN, 0, - 1); - else if (strcmp(qme ,"AES") == 0) - conf_set(tr, sect, "KEY_LENGTH", CONF_DFLT_VAL_AES_KEYLEN, 0, - 1); - conf_set(tr, sect, "ENCAPSULATION_MODE", MODE(mode), 0, 1); - if (strcmp(qmh, "NONE")) { - conf_set(tr, sect, "AUTHENTICATION_ALGORITHM", qmh, 0, 1); - - /* XXX Another shortcut to keep length down */ - if (pfs) - conf_set(tr, sect, "GROUP_DESCRIPTION", dhg, 0, 1); - } - - /* XXX Lifetimes depending on enc/auth strength? */ - conf_set(tr, sect, "Life", CONF_DFLT_TAG_LIFE_QUICK_MODE, 0, 1); -} - -static void -conf_load_defaults(int tr) -{ - int enc, auth, hash, group, proto, mode, pfs; - char *dflt; - - char *mm_auth[] = {"PRE_SHARED", "DSS", "RSA_SIG", 0}; - char *mm_auth_p[] = {"", "-DSS", "-RSA_SIG", 0}; - char *mm_hash[] = {"MD5", "SHA", 0}; - char *mm_enc[] = {"DES_CBC", "BLOWFISH_CBC", "3DES_CBC", "CAST_CBC", - "AES_CBC", 0}; - char *mm_enc_p[] = {"DES", "BLF", "3DES", "CAST", "AES", 0}; - char *dhgroup[] = {"MODP_1024", "MODP_768", "MODP_1024", - "MODP_1536", "MODP_2048", 0}; - char *dhgroup_p[] = {"", "-GRP1", "-GRP2", "-GRP5", "-GRP14", 0}; - char *qm_enc[] = {"DES", "3DES", "CAST", "BLOWFISH", "AES", 0}; - char *qm_enc_p[] = {"-DES", "-3DES", "-CAST", "-BLF", "-AES", 0}; - char *qm_hash[] = {"HMAC_MD5", "HMAC_SHA", "HMAC_RIPEMD", - "HMAC_SHA2_256", "HMAC_SHA2_384", "HMAC_SHA2_512", "NONE", - 0}; - char *qm_hash_p[] = {"-MD5", "-SHA", "-RIPEMD", "-SHA2-256", - "-SHA2-384", "-SHA2-512", "", 0}; - - /* General and X509 defaults */ - conf_set(tr, "General", "Retransmits", CONF_DFLT_RETRANSMITS, 0, 1); - conf_set(tr, "General", "Exchange-max-time", CONF_DFLT_EXCH_MAX_TIME, - 0, 1); - conf_set(tr, "General", "Use-Keynote", CONF_DFLT_USE_KEYNOTE, 0, 1); - conf_set(tr, "General", "Policy-file", CONF_DFLT_POLICY_FILE, 0, 1); - conf_set(tr, "General", "Pubkey-directory", CONF_DFLT_PUBKEY_DIR, 0, - 1); - -#ifdef USE_X509 - conf_set(tr, "X509-certificates", "CA-directory", - CONF_DFLT_X509_CA_DIR, 0, 1); - conf_set(tr, "X509-certificates", "Cert-directory", - CONF_DFLT_X509_CERT_DIR, 0, 1); - conf_set(tr, "X509-certificates", "Private-key", - CONF_DFLT_X509_PRIVATE_KEY, 0, 1); - conf_set(tr, "X509-certificates", "CRL-directory", - CONF_DFLT_X509_CRL_DIR, 0, 1); -#endif - -#ifdef USE_KEYNOTE - conf_set(tr, "KeyNote", "Credential-directory", - CONF_DFLT_KEYNOTE_CRED_DIR, 0, 1); -#endif - - /* Lifetimes. XXX p1/p2 vs main/quick mode may be unclear. */ - dflt = conf_get_trans_str(tr, "General", "Default-phase-1-lifetime"); - conf_set(tr, CONF_DFLT_TAG_LIFE_MAIN_MODE, "LIFE_TYPE", - CONF_DFLT_TYPE_LIFE_MAIN_MODE, 0, 1); - conf_set(tr, CONF_DFLT_TAG_LIFE_MAIN_MODE, "LIFE_DURATION", - (dflt ? dflt : CONF_DFLT_VAL_LIFE_MAIN_MODE), 0, 1); - - dflt = conf_get_trans_str(tr, "General", "Default-phase-2-lifetime"); - conf_set(tr, CONF_DFLT_TAG_LIFE_QUICK_MODE, "LIFE_TYPE", - CONF_DFLT_TYPE_LIFE_QUICK_MODE, 0, 1); - conf_set(tr, CONF_DFLT_TAG_LIFE_QUICK_MODE, "LIFE_DURATION", - (dflt ? dflt : CONF_DFLT_VAL_LIFE_QUICK_MODE), 0, 1); - - /* Default Phase-1 Configuration section */ - conf_set(tr, CONF_DFLT_TAG_PHASE1_CONFIG, "EXCHANGE_TYPE", - CONF_DFLT_PHASE1_EXCH_TYPE, 0, 1); - conf_set(tr, CONF_DFLT_TAG_PHASE1_CONFIG, "Transforms", - CONF_DFLT_PHASE1_TRANSFORMS, 0, 1); - - /* Main modes */ - for (enc = 0; mm_enc[enc]; enc++) - for (hash = 0; mm_hash[hash]; hash++) - for (auth = 0; mm_auth[auth]; auth++) - for (group = 0; dhgroup_p[group]; group++) - conf_load_defaults_mm (tr, mm_enc[enc], - mm_hash[hash], mm_auth[auth], - dhgroup[group], mm_enc_p[enc], - mm_auth_p[auth], dhgroup_p[group]); - - /* Setup a default Phase 1 entry */ - conf_set(tr, "Phase 1", "Default", "Default-phase-1", 0, 1); - conf_set(tr, "Default-phase-1", "Phase", "1", 0, 1); - conf_set(tr, "Default-phase-1", "Configuration", - "Default-phase-1-configuration", 0, 1); - dflt = conf_get_trans_str(tr, "General", "Default-phase-1-ID"); - if (dflt) - conf_set(tr, "Default-phase-1", "ID", dflt, 0, 1); - - /* Quick modes */ - for (enc = 0; qm_enc[enc]; enc++) - for (proto = 0; proto < 2; proto++) - for (mode = 0; mode < 2; mode++) - for (pfs = 0; pfs < 2; pfs++) - for (hash = 0; qm_hash[hash]; hash++) - for (group = 0; - dhgroup_p[group]; group++) - conf_load_defaults_qm( - tr, qm_enc[enc], - qm_hash[hash], - dhgroup[group], - qm_enc_p[enc], - qm_hash_p[hash], - dhgroup_p[group], - proto, mode, pfs); -} - -void -conf_init(void) -{ - unsigned int i; - - for (i = 0; i < sizeof conf_bindings / sizeof conf_bindings[0]; i++) - LIST_INIT(&conf_bindings[i]); - TAILQ_INIT(&conf_trans_queue); - conf_reinit(); -} - -/* Open the config file and map it into our address space, then parse it. */ -void -conf_reinit(void) -{ - struct conf_binding *cb = 0; - int fd, trans; - unsigned int i; - size_t sz; - char *new_conf_addr = 0; - - if ((fd = monitor_open(conf_path, O_RDONLY, 0)) != -1) { - if (check_file_secrecy_fd(fd, conf_path, &sz)) - goto fail; - - new_conf_addr = malloc(sz); - if (!new_conf_addr) { - log_error("conf_reinit: malloc (%lu) failed", - (unsigned long)sz); - goto fail; - } - /* XXX I assume short reads won't happen here. */ - if (read(fd, new_conf_addr, sz) != (int)sz) { - log_error("conf_reinit: read (%d, %p, %lu) failed", - fd, new_conf_addr, (unsigned long)sz); - goto fail; - } - close(fd); - - trans = conf_begin(); - - /* XXX Should we not care about errors and rollback? */ - conf_parse(trans, new_conf_addr, sz); - } else { - if (errno != ENOENT) - log_error("conf_reinit: open(\"%s\", O_RDONLY, 0) " - "failed", conf_path); - - trans = conf_begin(); - } - - /* Load default configuration values. */ - conf_load_defaults(trans); - - /* Free potential existing configuration. */ - if (conf_addr) { - for (i = 0; i < sizeof conf_bindings / sizeof conf_bindings[0]; - i++) - for (cb = LIST_FIRST(&conf_bindings[i]); cb; - cb = LIST_FIRST(&conf_bindings[i])) - conf_remove_now(cb->section, cb->tag); - free(conf_addr); - } - conf_end(trans, 1); - conf_addr = new_conf_addr; - return; - -fail: - if (new_conf_addr) - free(new_conf_addr); - close(fd); -} - -/* - * Return the numeric value denoted by TAG in section SECTION or DEF - * if that tag does not exist. - */ -int -conf_get_num(char *section, char *tag, int def) -{ - char *value = conf_get_str(section, tag); - - if (value) - return atoi(value); - return def; -} - -/* - * Return the socket endpoint address denoted by TAG in SECTION as a - * struct sockaddr. It is the callers responsibility to deallocate - * this structure when it is finished with it. - */ -struct sockaddr * -conf_get_address(char *section, char *tag) -{ - char *value = conf_get_str(section, tag); - struct sockaddr *sa; - - if (!value) - return 0; - if (text2sockaddr(value, 0, &sa) == -1) - return 0; - return sa; -} - -/* Validate X according to the range denoted by TAG in section SECTION. */ -int -conf_match_num(char *section, char *tag, int x) -{ - char *value = conf_get_str(section, tag); - int val, min, max, n; - - if (!value) - return 0; - n = sscanf(value, "%d,%d:%d", &val, &min, &max); - switch (n) { - case 1: - LOG_DBG((LOG_MISC, 95, "conf_match_num: %s:%s %d==%d?", - section, tag, val, x)); - return x == val; - case 3: - LOG_DBG((LOG_MISC, 95, "conf_match_num: %s:%s %d<=%d<=%d?", - section, tag, min, x, max)); - return min <= x && max >= x; - default: - log_error("conf_match_num: section %s tag %s: invalid number " - "spec %s", section, tag, value); - } - return 0; -} - -/* Return the string value denoted by TAG in section SECTION. */ -char * -conf_get_str(char *section, char *tag) -{ - struct conf_binding *cb; - - for (cb = LIST_FIRST(&conf_bindings[conf_hash(section)]); cb; - cb = LIST_NEXT(cb, link)) - if (strcasecmp(section, cb->section) == 0 && - strcasecmp(tag, cb->tag) == 0) { - LOG_DBG((LOG_MISC, 95, "conf_get_str: [%s]:%s->%s", - section, tag, cb->value)); - return cb->value; - } - LOG_DBG((LOG_MISC, 95, - "conf_get_str: configuration value not found [%s]:%s", section, - tag)); - return 0; -} - -/* - * Build a list of string values out of the comma separated value denoted by - * TAG in SECTION. - */ -struct conf_list * -conf_get_list(char *section, char *tag) -{ - char *liststr = 0, *p, *field, *t; - struct conf_list *list = 0; - struct conf_list_node *node; - - list = malloc(sizeof *list); - if (!list) - goto cleanup; - TAILQ_INIT(&list->fields); - list->cnt = 0; - liststr = conf_get_str(section, tag); - if (!liststr) - goto cleanup; - liststr = strdup(liststr); - if (!liststr) - goto cleanup; - p = liststr; - while ((field = strsep(&p, ",")) != NULL) { - /* Skip leading whitespace */ - while (isspace(*field)) - field++; - /* Skip trailing whitespace */ - if (p) - for (t = p - 1; t > field && isspace(*t); t--) - *t = '\0'; - if (*field == '\0') { - log_print("conf_get_list: empty field, ignoring..."); - continue; - } - list->cnt++; - node = calloc(1, sizeof *node); - if (!node) - goto cleanup; - node->field = strdup(field); - if (!node->field) - goto cleanup; - TAILQ_INSERT_TAIL(&list->fields, node, link); - } - free(liststr); - return list; - -cleanup: - if (list) - conf_free_list(list); - if (liststr) - free(liststr); - return 0; -} - -struct conf_list * -conf_get_tag_list(char *section) -{ - struct conf_list *list = 0; - struct conf_list_node *node; - struct conf_binding *cb; - - list = malloc(sizeof *list); - if (!list) - goto cleanup; - TAILQ_INIT(&list->fields); - list->cnt = 0; - for (cb = LIST_FIRST(&conf_bindings[conf_hash(section)]); cb; - cb = LIST_NEXT(cb, link)) - if (strcasecmp(section, cb->section) == 0) { - list->cnt++; - node = calloc(1, sizeof *node); - if (!node) - goto cleanup; - node->field = strdup(cb->tag); - if (!node->field) - goto cleanup; - TAILQ_INSERT_TAIL(&list->fields, node, link); - } - return list; - -cleanup: - if (list) - conf_free_list(list); - return 0; -} - -/* Decode a PEM encoded buffer. */ -int -conf_decode_base64(u_int8_t *out, u_int32_t *len, u_char *buf) -{ - u_int32_t c = 0; - u_int8_t c1, c2, c3, c4; - - while (*buf) { - if (*buf > 127 || (c1 = asc2bin[*buf]) == 255) - return 0; - buf++; - - if (*buf > 127 || (c2 = asc2bin[*buf]) == 255) - return 0; - buf++; - - if (*buf == '=') { - c3 = c4 = 0; - c++; - - /* Check last four bit */ - if (c2 & 0xF) - return 0; - - if (strcmp((char *)buf, "==") == 0) - buf++; - else - return 0; - } else if (*buf > 127 || (c3 = asc2bin[*buf]) == 255) - return 0; - else { - if (*++buf == '=') { - c4 = 0; - c += 2; - - /* Check last two bit */ - if (c3 & 3) - return 0; - - if (strcmp((char *)buf, "=")) - return 0; - - } else if (*buf > 127 || (c4 = asc2bin[*buf]) == 255) - return 0; - else - c += 3; - } - - buf++; - *out++ = (c1 << 2) | (c2 >> 4); - *out++ = (c2 << 4) | (c3 >> 2); - *out++ = (c3 << 6) | c4; - } - - *len = c; - return 1; - -} - -void -conf_free_list(struct conf_list *list) -{ - struct conf_list_node *node = TAILQ_FIRST(&list->fields); - - while (node) { - TAILQ_REMOVE(&list->fields, node, link); - if (node->field) - free(node->field); - free(node); - node = TAILQ_FIRST(&list->fields); - } - free(list); -} - -int -conf_begin(void) -{ - static int seq = 0; - - return ++seq; -} - -static struct conf_trans * -conf_trans_node(int transaction, enum conf_op op) -{ - struct conf_trans *node; - - node = calloc(1, sizeof *node); - if (!node) { - log_error("conf_trans_node: calloc (1, %lu) failed", - (unsigned long)sizeof *node); - return 0; - } - node->trans = transaction; - node->op = op; - TAILQ_INSERT_TAIL(&conf_trans_queue, node, link); - return node; -} - -/* Queue a set operation. */ -int -conf_set(int transaction, char *section, char *tag, char *value, int override, - int is_default) -{ - struct conf_trans *node; - - node = conf_trans_node(transaction, CONF_SET); - if (!node) - return 1; - node->section = strdup(section); - if (!node->section) { - log_error("conf_set: strdup (\"%s\") failed", section); - goto fail; - } - node->tag = strdup(tag); - if (!node->tag) { - log_error("conf_set: strdup (\"%s\") failed", tag); - goto fail; - } - node->value = strdup(value); - if (!node->value) { - log_error("conf_set: strdup (\"%s\") failed", value); - goto fail; - } - node->override = override; - node->is_default = is_default; - return 0; - -fail: - if (node->tag) - free(node->tag); - if (node->section) - free(node->section); - if (node) - free(node); - return 1; -} - -/* Queue a remove operation. */ -int -conf_remove(int transaction, char *section, char *tag) -{ - struct conf_trans *node; - - node = conf_trans_node(transaction, CONF_REMOVE); - if (!node) - goto fail; - node->section = strdup(section); - if (!node->section) { - log_error("conf_remove: strdup (\"%s\") failed", section); - goto fail; - } - node->tag = strdup(tag); - if (!node->tag) { - log_error("conf_remove: strdup (\"%s\") failed", tag); - goto fail; - } - return 0; - -fail: - if (node->section) - free(node->section); - if (node) - free(node); - return 1; -} - -/* Queue a remove section operation. */ -int -conf_remove_section(int transaction, char *section) -{ - struct conf_trans *node; - - node = conf_trans_node(transaction, CONF_REMOVE_SECTION); - if (!node) - goto fail; - node->section = strdup(section); - if (!node->section) { - log_error("conf_remove_section: strdup (\"%s\") failed", - section); - goto fail; - } - return 0; - -fail: - if (node) - free(node); - return 1; -} - -/* Execute all queued operations for this transaction. Cleanup. */ -int -conf_end(int transaction, int commit) -{ - struct conf_trans *node, *next; - - for (node = TAILQ_FIRST(&conf_trans_queue); node; node = next) { - next = TAILQ_NEXT(node, link); - if (node->trans == transaction) { - if (commit) - switch (node->op) { - case CONF_SET: - conf_set_now(node->section, node->tag, - node->value, node->override, - node->is_default); - break; - case CONF_REMOVE: - conf_remove_now(node->section, - node->tag); - break; - case CONF_REMOVE_SECTION: - conf_remove_section_now(node->section); - break; - default: - log_print("conf_end: unknown " - "operation: %d", node->op); - } - TAILQ_REMOVE(&conf_trans_queue, node, link); - if (node->section) - free(node->section); - if (node->tag) - free(node->tag); - if (node->value) - free(node->value); - free(node); - } - } - return 0; -} - -/* - * Dump running configuration upon SIGUSR1. - * Configuration is "stored in reverse order", so reverse it again. - */ -struct dumper { - char *s, *v; - struct dumper *next; -}; - -static void -conf_report_dump(struct dumper *node) -{ - /* Recursive, cleanup when we're done. */ - - if (node->next) - conf_report_dump(node->next); - - if (node->v) - LOG_DBG((LOG_REPORT, 0, "%s=\t%s", node->s, node->v)); - else if (node->s) { - LOG_DBG((LOG_REPORT, 0, "%s", node->s)); - if (strlen(node->s) > 0) - free(node->s); - } - free(node); -} - -void -conf_report(void) -{ - struct conf_binding *cb, *last = 0; - unsigned int i, len; - char *current_section = (char *)0; - struct dumper *dumper, *dnode; - - dumper = dnode = (struct dumper *)calloc(1, sizeof *dumper); - if (!dumper) - goto mem_fail; - - LOG_DBG((LOG_REPORT, 0, "conf_report: dumping running configuration")); - - for (i = 0; i < sizeof conf_bindings / sizeof conf_bindings[0]; i++) - for (cb = LIST_FIRST(&conf_bindings[i]); cb; - cb = LIST_NEXT(cb, link)) { - if (!cb->is_default) { - /* Dump this entry. */ - if (!current_section || strcmp(cb->section, - current_section)) { - if (current_section) { - len = strlen(current_section) - + 3; - dnode->s = malloc(len); - if (!dnode->s) - goto mem_fail; - - snprintf(dnode->s, len, "[%s]", - current_section); - dnode->next = (struct dumper *) - calloc(1, - sizeof(struct dumper)); - dnode = dnode->next; - if (!dnode) - goto mem_fail; - - dnode->s = ""; - dnode->next = (struct dumper *) - calloc(1, - sizeof(struct dumper)); - dnode = dnode->next; - if (!dnode) - goto mem_fail; - } - current_section = cb->section; - } - dnode->s = cb->tag; - dnode->v = cb->value; - dnode->next = (struct dumper *) - calloc(1, sizeof(struct dumper)); - dnode = dnode->next; - if (!dnode) - goto mem_fail; - last = cb; - } - } - - if (last) { - len = strlen(last->section) + 3; - dnode->s = malloc(len); - if (!dnode->s) - goto mem_fail; - snprintf(dnode->s, len, "[%s]", last->section); - } - conf_report_dump(dumper); - - return; - -mem_fail: - log_error("conf_report: malloc/calloc failed"); - while ((dnode = dumper) != 0) { - dumper = dumper->next; - if (dnode->s) - free(dnode->s); - free(dnode); - } -} diff --git a/keyexchange/isakmpd-20041012/conf.h b/keyexchange/isakmpd-20041012/conf.h deleted file mode 100644 index 7c66620..0000000 --- a/keyexchange/isakmpd-20041012/conf.h +++ /dev/null @@ -1,103 +0,0 @@ -/* $OpenBSD: conf.h,v 1.30 2004/06/25 20:25:34 hshoexer Exp $ */ -/* $EOM: conf.h,v 1.13 2000/09/18 00:01:47 ho Exp $ */ - -/* - * Copyright (c) 1998, 1999, 2001 Niklas Hallqvist. All rights reserved. - * Copyright (c) 2000, 2003 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _CONF_H_ -#define _CONF_H_ - -#include <sys/types.h> -#include <sys/queue.h> -#include <sys/socket.h> -#include <stdio.h> - -#define ISAKMPD_ROOT "/etc/isakmpd/" - -#define CONFIG_FILE ISAKMPD_ROOT "isakmpd.conf" - -/* Default values for autogenerated part of our configuration. */ -#define CONF_DFLT_TAG_LIFE_MAIN_MODE "LIFE_MAIN_MODE" -#define CONF_DFLT_TYPE_LIFE_MAIN_MODE "SECONDS" -#define CONF_DFLT_VAL_LIFE_MAIN_MODE "3600,60:86400" - -#define CONF_DFLT_TAG_LIFE_QUICK_MODE "LIFE_QUICK_MODE" -#define CONF_DFLT_TYPE_LIFE_QUICK_MODE "SECONDS" -#define CONF_DFLT_VAL_LIFE_QUICK_MODE "1200,60:86400" - -#define CONF_DFLT_VAL_BLF_KEYLEN "128,96:192" -#define CONF_DFLT_VAL_AES_KEYLEN "128,128:256" - -#define CONF_DFLT_RETRANSMITS "3" -#define CONF_DFLT_EXCH_MAX_TIME "120" - -#define CONF_DFLT_USE_KEYNOTE "yes" -#define CONF_DFLT_POLICY_FILE ISAKMPD_ROOT "isakmpd.policy" - -#define CONF_DFLT_X509_CA_DIR ISAKMPD_ROOT "ca/" -#define CONF_DFLT_X509_CERT_DIR ISAKMPD_ROOT "certs/" -#define CONF_DFLT_X509_PRIVATE_KEY ISAKMPD_ROOT "private/local.key" -#define CONF_DFLT_X509_CRL_DIR ISAKMPD_ROOT "crls/" -#define CONF_DFLT_PUBKEY_DIR ISAKMPD_ROOT "pubkeys/" -#define CONF_DFLT_KEYNOTE_CRED_DIR ISAKMPD_ROOT "keynote/" - -#define CONF_DFLT_TAG_PHASE1_CONFIG "Default-phase-1-configuration" -#define CONF_DFLT_PHASE1_EXCH_TYPE "ID_PROT" -#define CONF_DFLT_PHASE1_TRANSFORMS "3DES-SHA-RSA_SIG" - -struct conf_list_node { - TAILQ_ENTRY(conf_list_node) link; - char *field; -}; - -struct conf_list { - size_t cnt; - TAILQ_HEAD(conf_list_fields_head, conf_list_node) fields; -}; - -extern char *conf_path; - -extern int conf_begin(void); -extern int conf_decode_base64(u_int8_t *, u_int32_t *, u_char *); -extern int conf_end(int, int); -extern void conf_free_list(struct conf_list *); -extern struct sockaddr *conf_get_address(char *, char *); -extern struct conf_list *conf_get_list(char *, char *); -extern struct conf_list *conf_get_tag_list(char *); -extern int conf_get_num(char *, char *, int); -extern char *conf_get_str(char *, char *); -extern void conf_init(void); -extern int conf_match_num(char *, char *, int); -extern void conf_reinit(void); -extern int conf_remove(int, char *, char *); -extern int conf_remove_section(int, char *); -extern int conf_set(int, char *, char *, char *, int, int); -extern void conf_report(void); - -#endif /* _CONF_H_ */ diff --git a/keyexchange/isakmpd-20041012/connection.c b/keyexchange/isakmpd-20041012/connection.c deleted file mode 100644 index 94373ad..0000000 --- a/keyexchange/isakmpd-20041012/connection.c +++ /dev/null @@ -1,449 +0,0 @@ -/* $OpenBSD: connection.c,v 1.29 2004/06/14 09:55:41 ho Exp $ */ -/* $EOM: connection.c,v 1.28 2000/11/23 12:21:18 niklas Exp $ */ - -/* - * Copyright (c) 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. - * Copyright (c) 1999 Hakan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/queue.h> -#include <sys/time.h> -#include <sys/socket.h> -#include <stdlib.h> -#include <string.h> - -#include "sysdep.h" - -#include "conf.h" -#include "connection.h" -#include "doi.h" -#include "ipsec.h" - -/* XXX isakmp.h only required for compare_ids(). */ -#include "isakmp.h" - -#include "log.h" -#include "timer.h" -#include "util.h" - -/* How often should we check that connections we require to be up, are up? */ -#define CHECK_INTERVAL 60 - -static void connection_passive_teardown(char *); - -struct connection { - TAILQ_ENTRY(connection) link; - char *name; - struct event *ev; -}; - -struct connection_passive { - TAILQ_ENTRY(connection_passive) link; - char *name; - u_int8_t *local_id, *remote_id; - size_t local_sz, remote_sz; - -#if 0 - /* XXX Potential additions to 'connection_passive'. */ - char *isakmp_peer; - struct sa *sa; /* XXX "Soft" ref to active sa? */ - struct timeval sa_expiration; /* XXX *sa may expire. */ -#endif -}; - -TAILQ_HEAD(connection_head, connection) connections; -TAILQ_HEAD(passive_head, connection_passive) connections_passive; - -/* - * This is where we setup all the connections we want there right from the - * start. - */ -void -connection_init(void) -{ - struct conf_list *conns, *attrs; - struct conf_list_node *conn, *attr = NULL; - - /* - * Passive connections normally include: all "active" connections that - * are not flagged "Active-Only", plus all connections listed in - * the 'Passive-Connections' list. - */ - TAILQ_INIT(&connections); - TAILQ_INIT(&connections_passive); - - conns = conf_get_list("Phase 2", "Connections"); - if (conns) { - for (conn = TAILQ_FIRST(&conns->fields); conn; - conn = TAILQ_NEXT(conn, link)) { - if (connection_setup(conn->field)) - log_print("connection_init: could not setup " - "\"%s\"", conn->field); - - /* XXX Break/abort here if connection_setup failed? */ - - /* - * XXX This code (i.e. the attribute lookup) seems - * like a likely candidate for factoring out into a - * function of its own. - */ - attrs = conf_get_list(conn->field, "Flags"); - if (attrs) - for (attr = TAILQ_FIRST(&attrs->fields); attr; - attr = TAILQ_NEXT(attr, link)) - if (strcasecmp("active-only", - attr->field) == 0) - break; - if (!attrs || (attrs && !attr)) - if (connection_record_passive(conn->field)) - log_print("connection_init: could not " - "record connection \"%s\"", - conn->field); - if (attrs) - conf_free_list(attrs); - - } - conf_free_list(conns); - } - conns = conf_get_list("Phase 2", "Passive-Connections"); - if (conns) { - for (conn = TAILQ_FIRST(&conns->fields); conn; - conn = TAILQ_NEXT(conn, link)) - if (connection_record_passive(conn->field)) - log_print("connection_init: could not record " - "passive connection \"%s\"", conn->field); - conf_free_list(conns); - } -} - -/* Check the connection in VCONN and schedule another check later. */ -static void -connection_checker(void *vconn) -{ - struct timeval now; - struct connection *conn = vconn; - - gettimeofday(&now, 0); - now.tv_sec += conf_get_num("General", "check-interval", - CHECK_INTERVAL); - conn->ev = timer_add_event("connection_checker", - connection_checker, conn, &now); - if (!conn->ev) - log_print("connection_checker: could not add timer event"); - sysdep_connection_check(conn->name); -} - -/* Find the connection named NAME. */ -static struct connection * -connection_lookup(char *name) -{ - struct connection *conn; - - for (conn = TAILQ_FIRST(&connections); conn; - conn = TAILQ_NEXT(conn, link)) - if (strcasecmp(conn->name, name) == 0) - return conn; - return 0; -} - -/* Does the connection named NAME exist? */ -int -connection_exist(char *name) -{ - return (connection_lookup(name) != 0); -} - -/* Find the passive connection named NAME. */ -static struct connection_passive * -connection_passive_lookup_by_name(char *name) -{ - struct connection_passive *conn; - - for (conn = TAILQ_FIRST(&connections_passive); conn; - conn = TAILQ_NEXT(conn, link)) - if (strcasecmp(conn->name, name) == 0) - return conn; - return 0; -} - -/* - * IDs of different types cannot be the same. - * XXX Rename to ipsec_compare_id, and move to ipsec.c ? - */ -static int -compare_ids(u_int8_t *id1, u_int8_t *id2, size_t idlen) -{ - int id1_type, id2_type; - - id1_type = GET_ISAKMP_ID_TYPE(id1); - id2_type = GET_ISAKMP_ID_TYPE(id2); - - return id1_type == id2_type ? memcmp(id1 + ISAKMP_ID_DATA_OFF, - id2 + ISAKMP_ID_DATA_OFF, idlen - ISAKMP_ID_DATA_OFF) : -1; -} - -/* Find the connection named with matching IDs. */ -char * -connection_passive_lookup_by_ids(u_int8_t *id1, u_int8_t *id2) -{ - struct connection_passive *conn; - - for (conn = TAILQ_FIRST(&connections_passive); conn; - conn = TAILQ_NEXT(conn, link)) { - if (!conn->remote_id) - continue; - - /* - * If both IDs match what we have saved, return the name. - * Don't bother in which order they are. - */ - if ((compare_ids(id1, conn->local_id, conn->local_sz) == 0 && - compare_ids(id2, conn->remote_id, conn->remote_sz) == 0) || - (compare_ids(id1, conn->remote_id, conn->remote_sz) == 0 && - compare_ids(id2, conn->local_id, conn->local_sz) == 0)) { - LOG_DBG((LOG_MISC, 60, - "connection_passive_lookup_by_ids: " - "returned \"%s\"", conn->name)); - return conn->name; - } - } - - /* - * In the road warrior case, we do not know the remote ID. In that - * case we will just match against the local ID. - */ - for (conn = TAILQ_FIRST(&connections_passive); conn; - conn = TAILQ_NEXT(conn, link)) { - if (!conn->remote_id) - continue; - - if (compare_ids(id1, conn->local_id, conn->local_sz) == 0 || - compare_ids(id2, conn->local_id, conn->local_sz) == 0) { - LOG_DBG((LOG_MISC, 60, - "connection passive_lookup_by_ids: returned \"%s\"" - " only matched local id", conn->name)); - return conn->name; - } - } - LOG_DBG((LOG_MISC, 60, - "connection_passive_lookup_by_ids: no match")); - return 0; -} - -/* - * Setup NAME to be a connection that should be up "always", i.e. if it dies, - * for whatever reason, it should be tried to be brought up, over and over - * again. - */ -int -connection_setup(char *name) -{ - struct connection *conn = 0; - struct timeval now; - - /* Check for trials to add duplicate connections. */ - if (connection_lookup(name)) { - LOG_DBG((LOG_MISC, 10, - "connection_setup: cannot add \"%s\" twice", name)); - return 0; - } - conn = calloc(1, sizeof *conn); - if (!conn) { - log_error("connection_setup: calloc (1, %lu) failed", - (unsigned long)sizeof *conn); - goto fail; - } - conn->name = strdup(name); - if (!conn->name) { - log_error("connection_setup: strdup (\"%s\") failed", name); - goto fail; - } - gettimeofday(&now, 0); - conn->ev = timer_add_event("connection_checker", connection_checker, - conn, &now); - if (!conn->ev) { - log_print("connection_setup: could not add timer event"); - goto fail; - } - TAILQ_INSERT_TAIL(&connections, conn, link); - return 0; - -fail: - if (conn) { - if (conn->name) - free(conn->name); - free(conn); - } - return -1; -} - -int -connection_record_passive(char *name) -{ - struct connection_passive *conn; - char *local_id, *remote_id; - - if (connection_passive_lookup_by_name(name)) { - LOG_DBG((LOG_MISC, 10, - "connection_record_passive: cannot add \"%s\" twice", - name)); - return 0; - } - local_id = conf_get_str(name, "Local-ID"); - if (!local_id) { - log_print("connection_record_passive: " - "\"Local-ID\" is missing from section [%s]", name); - return -1; - } - /* If the remote id lookup fails we defer it to later */ - remote_id = conf_get_str(name, "Remote-ID"); - - conn = calloc(1, sizeof *conn); - if (!conn) { - log_error("connection_record_passive: calloc (1, %lu) failed", - (unsigned long)sizeof *conn); - return -1; - } - conn->name = strdup(name); - if (!conn->name) { - log_error("connection_record_passive: strdup (\"%s\") failed", - name); - goto fail; - } - /* XXX IPsec DOI-specific. */ - conn->local_id = ipsec_build_id(local_id, &conn->local_sz); - if (!conn->local_id) - goto fail; - - if (remote_id) { - conn->remote_id = ipsec_build_id(remote_id, &conn->remote_sz); - if (!conn->remote_id) - goto fail; - } else - conn->remote_id = 0; - - TAILQ_INSERT_TAIL(&connections_passive, conn, link); - - LOG_DBG((LOG_MISC, 60, - "connection_record_passive: passive connection \"%s\" added", - conn->name)); - return 0; - -fail: - if (conn->local_id) - free(conn->local_id); - if (conn->name) - free(conn->name); - free(conn); - return -1; -} - -/* Remove the connection named NAME. */ -void -connection_teardown(char *name) -{ - struct connection *conn; - - conn = connection_lookup(name); - if (!conn) - return; - - TAILQ_REMOVE(&connections, conn, link); - timer_remove_event(conn->ev); - free(conn->name); - free(conn); -} - -/* Remove the passive connection named NAME. */ -static void -connection_passive_teardown(char *name) -{ - struct connection_passive *conn; - - conn = connection_passive_lookup_by_name(name); - if (!conn) - return; - - TAILQ_REMOVE(&connections_passive, conn, link); - free(conn->name); - free(conn->local_id); - free(conn->remote_id); - free(conn); -} - -void -connection_report(void) -{ - struct connection *conn; - struct timeval now; -#ifdef USE_DEBUG - struct connection_passive *pconn; - struct doi *doi = doi_lookup(ISAKMP_DOI_ISAKMP); -#endif - - gettimeofday(&now, 0); - for (conn = TAILQ_FIRST(&connections); conn; - conn = TAILQ_NEXT(conn, link)) - LOG_DBG((LOG_REPORT, 0, - "connection_report: connection %s next check %ld seconds", - (conn->name ? conn->name : "<unnamed>"), - conn->ev->expiration.tv_sec - now.tv_sec)); -#ifdef USE_DEBUG - for (pconn = TAILQ_FIRST(&connections_passive); pconn; - pconn = TAILQ_NEXT(pconn, link)) - LOG_DBG((LOG_REPORT, 0, - "connection_report: passive connection %s %s", pconn->name, - doi->decode_ids("local_id: %s, remote_id: %s", - pconn->local_id, pconn->local_sz, - pconn->remote_id, pconn->remote_sz, 1))); -#endif -} - -/* Reinitialize all connections (SIGHUP handling). */ -void -connection_reinit(void) -{ - struct connection *conn, *next; - struct connection_passive *pconn, *pnext; - - LOG_DBG((LOG_MISC, 30, - "connection_reinit: reinitializing connection list")); - - /* Remove all present connections. */ - for (conn = TAILQ_FIRST(&connections); conn; conn = next) { - next = TAILQ_NEXT(conn, link); - connection_teardown(conn->name); - } - - for (pconn = TAILQ_FIRST(&connections_passive); pconn; pconn = pnext) { - pnext = TAILQ_NEXT(pconn, link); - connection_passive_teardown(pconn->name); - } - - /* Setup new connections, as the (new) config directs. */ - connection_init(); -} diff --git a/keyexchange/isakmpd-20041012/connection.h b/keyexchange/isakmpd-20041012/connection.h deleted file mode 100644 index 41ee533..0000000 --- a/keyexchange/isakmpd-20041012/connection.h +++ /dev/null @@ -1,51 +0,0 @@ -/* $OpenBSD: connection.h,v 1.5 2004/04/15 18:39:25 deraadt Exp $ */ -/* $EOM: connection.h,v 1.6 1999/06/07 00:10:48 ho Exp $ */ - -/* - * Copyright (c) 1999 Niklas Hallqvist. All rights reserved. - * Copyright (c) 1999 Hakan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -/* - * The connection module deals with connections that should always be up. - */ - -#ifndef _CONNECTION_H_ -#define _CONNECTION_H_ - -#include <sys/types.h> - -extern int connection_exist(char *); -extern void connection_init(void); -extern char *connection_passive_lookup_by_ids(u_int8_t *, u_int8_t *); -extern void connection_reinit(void); -extern void connection_report(void); -extern int connection_setup(char *); -extern int connection_record_passive(char *); -extern void connection_teardown(char *); - -#endif /* _CONNECTION_H_ */ diff --git a/keyexchange/isakmpd-20041012/constants.c b/keyexchange/isakmpd-20041012/constants.c deleted file mode 100644 index ec0d0f4..0000000 --- a/keyexchange/isakmpd-20041012/constants.c +++ /dev/null @@ -1,99 +0,0 @@ -/* $OpenBSD: constants.c,v 1.9 2004/04/15 18:39:25 deraadt Exp $ */ -/* $EOM: constants.c,v 1.7 1999/04/02 00:57:31 niklas Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <stdio.h> -#include <string.h> - -#include "sysdep.h" - -#include "constants.h" - -int -constant_value(struct constant_map *map, char *name) -{ - struct constant_map *entry = map; - - for (entry = map; entry->name; entry++) - if (strcasecmp(entry->name, name) == 0) - return entry->value; - return 0; -} - -char * -constant_lookup(struct constant_map *map, int value) -{ - struct constant_map *entry = map; - - for (entry = map; entry->name; entry++) - if (entry->value == value) - return entry->name; - return 0; -} - -struct constant_map * -constant_link_lookup(struct constant_map *map, int value) -{ - struct constant_map *entry = map; - - for (entry = map; entry->name; entry++) - if (entry->value == value) - return entry->link; - return 0; -} - -char * -constant_name(struct constant_map *map, int value) -{ - static char tmp[32];/* XXX Ugly, I know. */ - char *retval = constant_lookup(map, value); - - if (!retval) { - snprintf(tmp, sizeof tmp, "<Unknown %d>", value); - return tmp; - } - return retval; -} - -char * -constant_name_maps(struct constant_map **maps, int value) -{ - static char tmp[32];/* XXX Ugly, I know. */ - char *retval; - struct constant_map **map; - - for (map = maps; *map; map++) { - retval = constant_lookup(*map, value); - if (retval) - return retval; - } - snprintf(tmp, sizeof tmp, "<Unknown %d>", value); - return tmp; -} diff --git a/keyexchange/isakmpd-20041012/constants.h b/keyexchange/isakmpd-20041012/constants.h deleted file mode 100644 index e3dd439..0000000 --- a/keyexchange/isakmpd-20041012/constants.h +++ /dev/null @@ -1,47 +0,0 @@ -/* $OpenBSD: constants.h,v 1.6 2004/04/15 18:39:25 deraadt Exp $ */ -/* $EOM: constants.h,v 1.5 1998/11/20 07:17:01 niklas Exp $ */ - -/* - * Copyright (c) 1998 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _CONSTANTS_H_ -#define _CONSTANTS_H_ - -struct constant_map { - int value; - char *name; - struct constant_map *link; -}; - -struct constant_map *constant_link_lookup(struct constant_map *, int); -extern char *constant_lookup(struct constant_map *, int); -extern char *constant_name(struct constant_map *, int); -extern char *constant_name_maps(struct constant_map **, int); -extern int constant_value(struct constant_map *, char *); - -#endif /* _CONSTANTS_H_ */ diff --git a/keyexchange/isakmpd-20041012/cookie.c b/keyexchange/isakmpd-20041012/cookie.c deleted file mode 100644 index ec8f826..0000000 --- a/keyexchange/isakmpd-20041012/cookie.c +++ /dev/null @@ -1,74 +0,0 @@ -/* $OpenBSD: cookie.c,v 1.14 2004/05/14 08:42:56 hshoexer Exp $ */ -/* $EOM: cookie.c,v 1.21 1999/08/05 15:00:04 niklas Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/types.h> -#include <sys/socket.h> -#include <stdlib.h> -#include <string.h> - -#include "sysdep.h" - -#include "cookie.h" -#include "exchange.h" -#include "hash.h" -#include "transport.h" -#include "util.h" - -#define COOKIE_SECRET_SIZE 16 - -/* - * Generate an anti-clogging token (a protection against an attacker forcing - * us to keep state for a flood of connection requests) a.k.a. a cookie - * at BUF, LEN bytes long. The cookie will be generated by hashing of - * information found, among otherplaces, in transport T and exchange - * EXCHANGE. - */ -void -cookie_gen(struct transport *t, struct exchange *exchange, u_int8_t *buf, - size_t len) -{ - struct hash *hash = hash_get(HASH_SHA1); - u_int8_t tmpsecret[COOKIE_SECRET_SIZE]; - struct sockaddr *name; - - hash->Init(hash->ctx); - (*t->vtbl->get_dst)(t, &name); - hash->Update(hash->ctx, (u_int8_t *)name, sysdep_sa_len(name)); - (*t->vtbl->get_src)(t, &name); - hash->Update(hash->ctx, (u_int8_t *)name, sysdep_sa_len(name)); - if (exchange->initiator == 0) - hash->Update(hash->ctx, exchange->cookies + - ISAKMP_HDR_ICOOKIE_OFF, ISAKMP_HDR_ICOOKIE_LEN); - getrandom(tmpsecret, COOKIE_SECRET_SIZE); - hash->Update(hash->ctx, tmpsecret, COOKIE_SECRET_SIZE); - hash->Final(hash->digest, hash->ctx); - memcpy(buf, hash->digest, len); -} diff --git a/keyexchange/isakmpd-20041012/cookie.h b/keyexchange/isakmpd-20041012/cookie.h deleted file mode 100644 index bfbcc01..0000000 --- a/keyexchange/isakmpd-20041012/cookie.h +++ /dev/null @@ -1,44 +0,0 @@ -/* $OpenBSD: cookie.h,v 1.7 2004/05/14 08:42:56 hshoexer Exp $ */ -/* $EOM: cookie.h,v 1.5 1998/08/05 09:21:43 niklas Exp $ */ - -/* - * Copyright (c) 1998 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _COOKIE_H_ -#define _COOKIE_H_ - -#include <sys/types.h> -#include <sys/socket.h> - -struct exchange; -struct transport; - -extern void cookie_gen(struct transport *, struct exchange *, u_int8_t *, - size_t); - -#endif /* _COOKIE_H_ */ diff --git a/keyexchange/isakmpd-20041012/crypto.c b/keyexchange/isakmpd-20041012/crypto.c deleted file mode 100644 index d74191e..0000000 --- a/keyexchange/isakmpd-20041012/crypto.c +++ /dev/null @@ -1,413 +0,0 @@ -/* $OpenBSD: crypto.c,v 1.22 2004/06/14 09:55:41 ho Exp $ */ -/* $EOM: crypto.c,v 1.32 2000/03/07 20:08:51 niklas Exp $ */ - -/* - * Copyright (c) 1998 Niels Provos. All rights reserved. - * Copyright (c) 1999, 2000 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/param.h> -#include <stdlib.h> -#include <string.h> - -#include "sysdep.h" - -#include "crypto.h" -#include "log.h" - -enum cryptoerr des1_init(struct keystate *, u_int8_t *, u_int16_t); -enum cryptoerr des3_init(struct keystate *, u_int8_t *, u_int16_t); -enum cryptoerr blf_init(struct keystate *, u_int8_t *, u_int16_t); -enum cryptoerr cast_init(struct keystate *, u_int8_t *, u_int16_t); -enum cryptoerr aes_init(struct keystate *, u_int8_t *, u_int16_t); -void des1_encrypt(struct keystate *, u_int8_t *, u_int16_t); -void des1_decrypt(struct keystate *, u_int8_t *, u_int16_t); -void des3_encrypt(struct keystate *, u_int8_t *, u_int16_t); -void des3_decrypt(struct keystate *, u_int8_t *, u_int16_t); -void blf_encrypt(struct keystate *, u_int8_t *, u_int16_t); -void blf_decrypt(struct keystate *, u_int8_t *, u_int16_t); -void cast1_encrypt(struct keystate *, u_int8_t *, u_int16_t); -void cast1_decrypt(struct keystate *, u_int8_t *, u_int16_t); -void aes_encrypt(struct keystate *, u_int8_t *, u_int16_t); -void aes_decrypt(struct keystate *, u_int8_t *, u_int16_t); - -struct crypto_xf transforms[] = { -#ifdef USE_DES - { - DES_CBC, "Data Encryption Standard (CBC-Mode)", 8, 8, - BLOCKSIZE, 0, - des1_init, - des1_encrypt, des1_decrypt - }, -#endif -#ifdef USE_TRIPLEDES - { - TRIPLEDES_CBC, "Triple-DES (CBC-Mode)", 24, 24, - BLOCKSIZE, 0, - des3_init, - des3_encrypt, des3_decrypt - }, -#endif -#ifdef USE_BLOWFISH - { - BLOWFISH_CBC, "Blowfish (CBC-Mode)", 12, 56, - BLOCKSIZE, 0, - blf_init, - blf_encrypt, blf_decrypt - }, -#endif -#ifdef USE_CAST - { - CAST_CBC, "CAST (CBC-Mode)", 12, 16, - BLOCKSIZE, 0, - cast_init, - cast1_encrypt, cast1_decrypt - }, -#endif -#ifdef USE_AES - { - AES_CBC, "AES (CBC-Mode)", 16, 32, - AES_BLOCK_SIZE, 0, - aes_init, - aes_encrypt, aes_decrypt - }, -#endif -}; - -/* Hmm, the function prototypes for des are really dumb */ -#ifdef __OpenBSD__ -#define DC (des_cblock *) -#else -#define DC (void *) -#endif - -enum cryptoerr -des1_init(struct keystate *ks, u_int8_t *key, u_int16_t len) -{ - /* des_set_key returns -1 for parity problems, and -2 for weak keys */ - des_set_odd_parity(DC key); - switch (des_set_key(DC key, ks->ks_des[0])) { - case -2: - return EWEAKKEY; - default: - return EOKAY; - } -} - -void -des1_encrypt(struct keystate *ks, u_int8_t *d, u_int16_t len) -{ - des_cbc_encrypt(DC d, DC d, len, ks->ks_des[0], DC ks->riv, - DES_ENCRYPT); -} - -void -des1_decrypt(struct keystate *ks, u_int8_t *d, u_int16_t len) -{ - des_cbc_encrypt(DC d, DC d, len, ks->ks_des[0], DC ks->riv, - DES_DECRYPT); -} - -#ifdef USE_TRIPLEDES -enum cryptoerr -des3_init(struct keystate *ks, u_int8_t *key, u_int16_t len) -{ - des_set_odd_parity(DC key); - des_set_odd_parity(DC(key + 8)); - des_set_odd_parity(DC(key + 16)); - - /* As of the draft Tripe-DES does not check for weak keys */ - des_set_key(DC key, ks->ks_des[0]); - des_set_key(DC(key + 8), ks->ks_des[1]); - des_set_key(DC(key + 16), ks->ks_des[2]); - - return EOKAY; -} - -void -des3_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) -{ - u_int8_t iv[MAXBLK]; - - memcpy(iv, ks->riv, ks->xf->blocksize); - des_ede3_cbc_encrypt(DC data, DC data, len, ks->ks_des[0], - ks->ks_des[1], ks->ks_des[2], DC iv, DES_ENCRYPT); -} - -void -des3_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) -{ - u_int8_t iv[MAXBLK]; - - memcpy(iv, ks->riv, ks->xf->blocksize); - des_ede3_cbc_encrypt(DC data, DC data, len, ks->ks_des[0], - ks->ks_des[1], ks->ks_des[2], DC iv, DES_DECRYPT); -} -#undef DC -#endif /* USE_TRIPLEDES */ - -#ifdef USE_BLOWFISH -enum cryptoerr -blf_init(struct keystate *ks, u_int8_t *key, u_int16_t len) -{ - blf_key(&ks->ks_blf, key, len); - - return EOKAY; -} - -void -blf_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) -{ - u_int16_t i, blocksize = ks->xf->blocksize; - u_int8_t *iv = ks->liv; - u_int32_t xl, xr; - - memcpy(iv, ks->riv, blocksize); - - for (i = 0; i < len; data += blocksize, i += blocksize) { - XOR64(data, iv); - xl = GET_32BIT_BIG(data); - xr = GET_32BIT_BIG(data + 4); - Blowfish_encipher(&ks->ks_blf, &xl, &xr); - SET_32BIT_BIG(data, xl); - SET_32BIT_BIG(data + 4, xr); - SET64(iv, data); - } -} - -void -blf_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) -{ - u_int16_t i, blocksize = ks->xf->blocksize; - u_int32_t xl, xr; - - data += len - blocksize; - for (i = len - blocksize; i >= blocksize; data -= blocksize, - i -= blocksize) { - xl = GET_32BIT_BIG(data); - xr = GET_32BIT_BIG(data + 4); - Blowfish_decipher(&ks->ks_blf, &xl, &xr); - SET_32BIT_BIG(data, xl); - SET_32BIT_BIG(data + 4, xr); - XOR64(data, data - blocksize); - - } - xl = GET_32BIT_BIG(data); - xr = GET_32BIT_BIG(data + 4); - Blowfish_decipher(&ks->ks_blf, &xl, &xr); - SET_32BIT_BIG(data, xl); - SET_32BIT_BIG(data + 4, xr); - XOR64(data, ks->riv); -} -#endif /* USE_BLOWFISH */ - -#ifdef USE_CAST -enum cryptoerr -cast_init(struct keystate *ks, u_int8_t *key, u_int16_t len) -{ - cast_setkey(&ks->ks_cast, key, len); - return EOKAY; -} - -void -cast1_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) -{ - u_int16_t i, blocksize = ks->xf->blocksize; - u_int8_t *iv = ks->liv; - - memcpy(iv, ks->riv, blocksize); - - for (i = 0; i < len; data += blocksize, i += blocksize) { - XOR64(data, iv); - cast_encrypt(&ks->ks_cast, data, data); - SET64(iv, data); - } -} - -void -cast1_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) -{ - u_int16_t i, blocksize = ks->xf->blocksize; - - data += len - blocksize; - for (i = len - blocksize; i >= blocksize; data -= blocksize, - i -= blocksize) { - cast_decrypt(&ks->ks_cast, data, data); - XOR64(data, data - blocksize); - } - cast_decrypt(&ks->ks_cast, data, data); - XOR64(data, ks->riv); -} -#endif /* USE_CAST */ - -#ifdef USE_AES -enum cryptoerr -aes_init(struct keystate *ks, u_int8_t *key, u_int16_t len) -{ - AES_set_encrypt_key(key, len << 3, &ks->ks_aes[0]); - AES_set_decrypt_key(key, len << 3, &ks->ks_aes[1]); - return EOKAY; -} - -void -aes_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) -{ - u_int8_t iv[MAXBLK]; - - memcpy(iv, ks->riv, ks->xf->blocksize); - AES_cbc_encrypt(data, data, len, &ks->ks_aes[0], iv, AES_ENCRYPT); -} - -void -aes_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len) -{ - u_int8_t iv[MAXBLK]; - - memcpy(iv, ks->riv, ks->xf->blocksize); - AES_cbc_encrypt(data, data, len, &ks->ks_aes[1], iv, AES_DECRYPT); -} -#endif /* USE_AES */ - -struct crypto_xf * -crypto_get(enum transform id) -{ - size_t i; - - for (i = 0; i < sizeof transforms / sizeof transforms[0]; i++) - if (id == transforms[i].id) - return &transforms[i]; - - return 0; -} - -struct keystate * -crypto_init(struct crypto_xf *xf, u_int8_t *key, u_int16_t len, - enum cryptoerr *err) -{ - struct keystate *ks; - - if (len < xf->keymin || len > xf->keymax) { - LOG_DBG((LOG_CRYPTO, 10, "crypto_init: invalid key length %d", - len)); - *err = EKEYLEN; - return 0; - } - ks = calloc(1, sizeof *ks); - if (!ks) { - log_error("crypto_init: calloc (1, %lu) failed", - (unsigned long)sizeof *ks); - *err = ENOCRYPTO; - return 0; - } - ks->xf = xf; - - /* Setup the IV. */ - ks->riv = ks->iv; - ks->liv = ks->iv2; - - LOG_DBG_BUF((LOG_CRYPTO, 40, "crypto_init: key", key, len)); - - *err = xf->init(ks, key, len); - if (*err != EOKAY) { - LOG_DBG((LOG_CRYPTO, 30, "crypto_init: weak key found for %s", - xf->name)); - free(ks); - return 0; - } - return ks; -} - -void -crypto_update_iv(struct keystate *ks) -{ - u_int8_t *tmp; - - tmp = ks->riv; - ks->riv = ks->liv; - ks->liv = tmp; - - LOG_DBG_BUF((LOG_CRYPTO, 50, "crypto_update_iv: updated IV", ks->riv, - ks->xf->blocksize)); -} - -void -crypto_init_iv(struct keystate *ks, u_int8_t *buf, size_t len) -{ - memcpy(ks->riv, buf, len); - - LOG_DBG_BUF((LOG_CRYPTO, 50, "crypto_init_iv: initialized IV", ks->riv, - len)); -} - -void -crypto_encrypt(struct keystate *ks, u_int8_t *buf, u_int16_t len) -{ - LOG_DBG_BUF((LOG_CRYPTO, 10, "crypto_encrypt: before encryption", buf, - len)); - ks->xf->encrypt(ks, buf, len); - memcpy(ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize); - LOG_DBG_BUF((LOG_CRYPTO, 30, "crypto_encrypt: after encryption", buf, - len)); -} - -void -crypto_decrypt(struct keystate *ks, u_int8_t *buf, u_int16_t len) -{ - LOG_DBG_BUF((LOG_CRYPTO, 10, "crypto_decrypt: before decryption", buf, - len)); - /* - * XXX There is controversy about the correctness of updating the IV - * like this. - */ - memcpy(ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize); - ks->xf->decrypt(ks, buf, len); - LOG_DBG_BUF((LOG_CRYPTO, 30, "crypto_decrypt: after decryption", buf, - len)); -} - -/* Make a copy of the keystate pointed to by OKS. */ -struct keystate * -crypto_clone_keystate(struct keystate *oks) -{ - struct keystate *ks; - - ks = malloc(sizeof *ks); - if (!ks) { - log_error("crypto_clone_keystate: malloc (%lu) failed", - (unsigned long)sizeof *ks); - return 0; - } - memcpy(ks, oks, sizeof *ks); - if (oks->riv == oks->iv) { - ks->riv = ks->iv; - ks->liv = ks->iv2; - } else { - ks->riv = ks->iv2; - ks->liv = ks->iv; - } - return ks; -} diff --git a/keyexchange/isakmpd-20041012/crypto.h b/keyexchange/isakmpd-20041012/crypto.h deleted file mode 100644 index 1095c7e..0000000 --- a/keyexchange/isakmpd-20041012/crypto.h +++ /dev/null @@ -1,175 +0,0 @@ -/* $OpenBSD: crypto.h,v 1.14 2004/05/14 08:42:56 hshoexer Exp $ */ -/* $EOM: crypto.h,v 1.12 2000/10/15 21:56:41 niklas Exp $ */ - -/* - * Copyright (c) 1998 Niels Provos. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _CRYPTO_H_ -#define _CRYPTO_H_ - -#if defined (__APPLE__) - -#include <openssl/des.h> -#ifdef USE_BLOWFISH -#include <openssl/blowfish.h> -#endif -#ifdef USE_CAST -#include <openssl/cast.h> -#endif - -#else - -#include <des.h> -#ifdef USE_BLOWFISH -#include <blf.h> -#endif -#ifdef USE_CAST -#include <cast.h> -#endif - -#endif /* __APPLE__ */ - -#ifdef USE_AES -#include <openssl/aes.h> -#endif - -#define USE_32BIT -#if defined (USE_64BIT) - -#define XOR64(x,y) *(u_int64_t *)(x) ^= *(u_int64_t *)(y); -#define SET64(x,y) *(u_int64_t *)(x) = *(u_int64_t *)(y); - -#elif defined (USE_32BIT) - -#define XOR64(x,y) *(u_int32_t *)(x) ^= *(u_int32_t *)(y); \ - *(u_int32_t *)((u_int8_t *)(x) + 4) ^= *(u_int32_t *)((u_int8_t *)(y) + 4); -#define SET64(x,y) *(u_int32_t *)(x) = *(u_int32_t *)(y); \ - *(u_int32_t *)((u_int8_t *)(x) + 4) = *(u_int32_t *)((u_int8_t *)(y) + 4); - -#else - -#define XOR8(x,y,i) (x)[i] ^= (y)[i]; -#define XOR64(x,y) XOR8(x,y,0); XOR8(x,y,1); XOR8(x,y,2); XOR8(x,y,3); \ - XOR8(x,y,4); XOR8(x,y,5); XOR8(x,y,6); XOR8(x,y,7); -#define SET8(x,y,i) (x)[i] = (y)[i]; -#define SET64(x,y) SET8(x,y,0); SET8(x,y,1); SET8(x,y,2); SET8(x,y,3); \ - SET8(x,y,4); SET8(x,y,5); SET8(x,y,6); SET8(x,y,7); - -#endif /* USE_64BIT */ - -#define SET_32BIT_BIG(x,y) (x)[3]= (y); (x)[2]= (y) >> 8; \ - (x)[1] = (y) >> 16; (x)[0]= (y) >> 24; -#define GET_32BIT_BIG(x) (u_int32_t)(x)[3] | ((u_int32_t)(x)[2] << 8) | \ - ((u_int32_t)(x)[1] << 16)| ((u_int32_t)(x)[0] << 24); - -/* - * This is standard for all block ciphers we use at the moment. - * Keep MAXBLK uptodate. - */ -#define BLOCKSIZE 8 - -#ifdef USE_AES -#define MAXBLK AES_BLOCK_SIZE -#else -#define MAXBLK BLOCKSIZE -#endif - -struct keystate { - struct crypto_xf *xf; /* Back pointer */ - u_int16_t ebytes; /* Number of encrypted bytes */ - u_int16_t dbytes; /* Number of decrypted bytes */ - time_t life; /* Creation time */ - u_int8_t iv[MAXBLK]; /* Next IV to use */ - u_int8_t iv2[MAXBLK]; - u_int8_t *riv, *liv; - union { - des_key_schedule desks[3]; -#ifdef USE_BLOWFISH - blf_ctx blfks; -#endif -#ifdef USE_CAST - cast_key castks; -#endif -#ifdef USE_AES - AES_KEY aesks[2]; -#endif - } keydata; -}; - -#define ks_des keydata.desks -#define ks_blf keydata.blfks -#define ks_cast keydata.castks -#define ks_aes keydata.aesks - -/* - * Information about the cryptotransform. - * - * XXX - In regards to the IV (Initialization Vector) the drafts are - * completly fucked up and specify a MUST as how it is derived, so - * we also have to provide for that. I just don't know where. - * Furthermore is this enum needed at all? It seems to be Oakley IDs - * only anyhow, and we already have defines for that in ipsec_doi.h. - */ -enum transform { - DES_CBC = 1, /* This is a MUST */ - IDEA_CBC = 2, /* Licensed, DONT use */ - BLOWFISH_CBC = 3, - RC5_R16_B64_CBC = 4, /* Licensed, DONT use */ - TRIPLEDES_CBC = 5, /* This is a SHOULD */ - CAST_CBC = 6, - AES_CBC = 7 -}; - -enum cryptoerr { - EOKAY, /* No error */ - ENOCRYPTO, /* A none crypto related error, see errno */ - EWEAKKEY, /* A weak key was found in key setup */ - EKEYLEN /* The key length was invalid for the cipher */ -}; - -struct crypto_xf { - enum transform id; /* Oakley ID */ - char *name; /* Transform Name */ - u_int16_t keymin, keymax; /* Possible Keying Bytes */ - u_int16_t blocksize; /* Need to keep IV in the state */ - struct keystate *state; /* Key information, can also be passed sep. */ - enum cryptoerr (*init)(struct keystate *, u_int8_t *, u_int16_t); - void (*encrypt)(struct keystate *, u_int8_t *, u_int16_t); - void (*decrypt)(struct keystate *, u_int8_t *, u_int16_t); -}; - -extern struct keystate *crypto_clone_keystate(struct keystate *); -extern void crypto_decrypt(struct keystate *, u_int8_t *, u_int16_t); -extern void crypto_encrypt(struct keystate *, u_int8_t *, u_int16_t); -extern struct crypto_xf *crypto_get(enum transform); -extern struct keystate *crypto_init(struct crypto_xf *, u_int8_t *, u_int16_t, - enum cryptoerr *); -extern void crypto_init_iv(struct keystate *, u_int8_t *, size_t); -extern void crypto_update_iv(struct keystate *); - -#endif /* _CRYPTO_H_ */ diff --git a/keyexchange/isakmpd-20041012/debian/ChangeLog b/keyexchange/isakmpd-20041012/debian/ChangeLog deleted file mode 100644 index bae602d..0000000 --- a/keyexchange/isakmpd-20041012/debian/ChangeLog +++ /dev/null @@ -1,1668 +0,0 @@ -End of changelog debian package isakmpd.20041012-1 --------------------------------------------------- - -2004-10-08 17:18 hshoexer - - * sysdep/common/libsysdep/arc4random.c: pull in some changes from - libc arc4random (only relevant for non-OpenBSD systems): ansify, - discard first 256 output bytes, make key schedule more arc4 - stream ciper like. - - ok djm ho - -2004-10-01 06:08 jsg - - * monitor_fdpass.c: add some missing $, ok djm@ 'That looks fine to - me' millert@ - -2004-09-24 15:31 ho - - * udp_encap.c: Don't process NAT-T keepalives. Noted by Kamel - Messaoudi. hshoexer@ ok - -2004-09-20 23:36 hshoexer - - * virtual.c: compile cleanly with -Wsign-compare ok ho - -2004-09-20 23:35 hshoexer - - * monitor_fdpass.c: Remove __func__ ok ho deraadt - -2004-09-17 16:54 hshoexer - - * isakmpd.c: avoid signal race. - - ok ho@ otto@ - -2004-09-17 15:53 ho - - * exchange.c, ike_quick_mode.c, ipsec.c, key.c, pf_key_v2.c: - Missing #ifdefs. - -2004-09-17 15:46 ho - - * init.c: #include <stdlib.h> for srandom(). - -2004-09-17 15:45 ho - - * message.c: Permit next payload type NAT-OA. Noted by Kamel - Messaoudi. - -2004-08-23 13:53 ho - - * exchange.c: We need to set sa->initiator before checking if the - newly created SA replaces an old one, or the id_i/id_r check will - mismatch. Previous behaviour was mostly harmless, but wasted some - resources (until normal SA expiration). hshoexer@ "haven't tried, - but think it's ok" - -2004-08-23 13:16 ho - - * Makefile: Default enable DPD (Dead Peer Detection) support. - hshoexer@ ok - -2004-08-23 13:13 ho - - * exchange.h: Indent nit. - -2004-08-17 16:48 hshoexer - - * message.c: check for msg->isakmpg_sa being NULL before - referencing ok ho@ - -2004-08-14 15:29 hshoexer - - * ike_quick_mode.c: When using -K (keynote disabled), check peers' - proposal against isakmpd.conf. - - ok ho@ henning@ - -2004-08-13 04:51 djm - - * monitor_fdpass.c: extra check for no message case; ok markus, - deraadt, hshoexer, henning - -2004-08-12 13:21 hshoexer - - * monitor.c: Fix compiler warning on alpha. Noted by and ok ho@ - -2004-08-12 13:08 ho - - * pf_key_v2.c: Avoid memleak on error (Linux/KAME). Found by - Benjamin Pineau. - -2004-08-10 21:21 deraadt - - * virtual.c, x509.c: spacing - -2004-08-10 17:59 ho - - * dpd.c, dpd.h, exchange.c, ipsec.c, isakmp_num.cst, - isakmpd.conf.5, message.c, message.h, pf_key_v2.c, pf_key_v2.h, - sa.c, sa.h, sysdep.h, udp_encap.c, sysdep/bsdi/sysdep.c, - sysdep/darwin/sysdep.c, sysdep/freebsd/sysdep.c, - sysdep/freeswan/sysdep.c, sysdep/linux/sysdep.c, - sysdep/netbsd/sysdep.c, sysdep/openbsd/sysdep.c: Better - implementation of the Dead Peer Detection protocol, RFC 3706. - hshoexer@ ok. - -2004-08-10 11:49 ho - - * sysdep/linux/GNUmakefile.sysdep: Linux has AES (and DES). From - Benjamin Pineau. - -2004-08-10 11:47 ho - - * sysdep/common/libsysdep/arc4random.c: If opening /dev/arandom - fails, try /dev/random. Suggested by Benjamin Pineau. - -2004-08-08 21:11 deraadt - - * GNUmakefile, conf.c, dpd.c, exchange.c, ike_auth.c, - ike_phase_1.c, ike_quick_mode.c, ipsec.c, isakmp_cfg.c, log.c, - message.c, monitor.c, nat_traversal.c, pf_key_v2.c, policy.c, - sa.c, sysdep.h, transport.c, udp.c, udp_encap.c, ui.c, util.c, - virtual.c, x509.c: spacing - -2004-08-03 12:54 ho - - * nat_traversal.c, transport.c, udp.c, udp.h, udp_encap.c, - virtual.c: Rewrite the transport reference count code to avoid - leaks. hshoexer@ ok. - -2004-08-02 17:48 hshoexer - - * sa.c: Do not expire unestablished phase 2 SAs on SIGHUP. - - ok ho@ - -2004-08-02 17:30 ho - - * GNUmakefile: Missed to add virtual.c here. Noted by Benjamin - Pineau. - -2004-07-30 12:45 ho - - * Makefile, sysdep.h, util.c: Style. - -2004-07-29 22:02 ho - - * conf.c: Less noise while debugging. - -2004-07-29 10:54 ho - - * ike_aggressive.c, ike_phase_1.c, nat_traversal.c: Repair NAT-T - using Aggressive mode, NAT-D checks were in the wrong place. - Noted by Yvan VANHULLEBUS. - -2004-07-09 18:06 deraadt - - * doi.c, exchange.c: ansi - -2004-07-08 21:53 hshoexer - - * virtual.c: free() and close() in error path. - - ok ho@ - -2004-07-08 12:37 jmc - - * isakmpd.8, isakmpd.conf.5: typo, and line adjustment; - -2004-07-08 00:25 hshoexer - - * isakmpd.8, isakmpd.conf.5: document -a/-K and - "Acquire-Only"/"Use-Keynote". - - ok markus@ henning@ ho@ english polish and mdoc help and ok jmc@ - -2004-07-07 11:16 hshoexer - - * message.c: plug memleak when receiving an - INVALID_HASH_INFORMATION notify. Found by Patrick Latifi, - thanks! - - ok ho@ - -2004-07-07 11:13 hshoexer - - * udp_encap.c: compile cleanly with -Wsign-compare; while around, - kill a space - - ok ho@ - -2004-07-05 19:33 pvalchev - - * ike_phase_1.c: %lu and cast to unsigned long to print a size_t; - ok ho - -2004-06-30 12:07 hshoexer - - * nat_traversal.c: Compile cleanly with gcc3.3.2. - - ok ho@ - -2004-06-26 13:32 jmc - - * isakmpd.conf.5: new sentence, new line; - -2004-06-26 08:07 hshoexer - - * monitor.c, monitor.h, pf_key_v2.c, pf_key_v2.h, - sysdep/openbsd/sysdep.c: Narrow down privsep interface. Move - pf_key_v2_open() to monitor. - - Work in progress. - - ok ho@ - -2004-06-26 05:40 mcbride - - * sysdep/: bsdi/Makefile.sysdep, darwin/GNUmakefile.sysdep, - darwin/Makefile.sysdep, freebsd/GNUmakefile.sysdep, - freebsd/Makefile.sysdep, linux/GNUmakefile.sysdep, - netbsd/GNUmakefile.sysdep, netbsd/Makefile.sysdep, - openbsd/GNUmakefile.sysdep, openbsd/Makefile.sysdep: Remove - -DHAVE_GETNAMEINFO frome makefiles. - - Pointed out by ho@ - -2004-06-25 22:25 hshoexer - - * conf.c, conf.h, ike_quick_mode.c, isakmpd.c, policy.c, policy.h: - Keynote policy checking can now be disabled by "-K" switch and - config tag "Use-Keynote". Default is to use keynote. - - ok henning@ ho@ - -2004-06-25 21:42 mcbride - - * udp.c, util.c: Remove HAVE_GETNAMEINFO alternate code. Compiled - binary is unchanged. - - ok msf@ hshoexer@ itojun@ ho@ - -2004-06-25 02:58 hshoexer - - * init.c, log.c, monitor.c, monitor.h, ui.c: Narrow down privsep - interface. Remove ui_init to monitor. So we can get rid of - monitor_mkfifo. - - Work in progress. - - ok ho@ - -2004-06-24 19:02 hshoexer - - * monitor.c: Remove some unused code. Fix handling of sigchild. - Now it's possible to sigstop/sigcont isakmpd correclty. - - ok ho@ - -2004-06-24 17:58 hshoexer - - * policy.c: Also handle keys from x509-certificates embedded in - keynote credentials. - - with msf@ ok ho@ - -2004-06-24 01:36 ho - - * pf_key_v2.c: Print corrent prefix. Found and tested by alex at - vbone.net. - -2004-06-23 05:01 hshoexer - - * ike_auth.c, util.c, util.h: Avoid stat before open. Do open and - fstat instead. Remove check_file_secrecy() as it is obsoleted be - check_file_secrecy_fd(). - - ok ho@ - -2004-06-23 03:17 ho - - * Makefile, sysdep.h, util.c: Make compiling with Boehm's gc - possible again. - -2004-06-23 02:56 ho - - * ike_phase_1.c: Support IPV{4,6}_ADDR_SUBNET IDs in Phase 1, just - like the man page says we do. Noted and tested by alex at - vbone.net. Also avoid a potential SEGV here. hshoexer@ok - -2004-06-23 02:55 hshoexer - - * ipsec.c, isakmpd.c: Add commandline switch -a / config tag - "Acquire-Only" to tell isakmpd to not touch flows. - - initial work by markus ok markus@ ho@ henning@ - -2004-06-22 20:22 hshoexer - - * ike_auth.c: kn_get_string() may return NULL on failure. Handle - this corrctly. - - with msf@, ok ho@ markus@ - -2004-06-22 05:44 ho - - * virtual.c: The NAT-T drafts suggest we should drop incoming - messages arriving on the old port (500) after we've switched to - the new one. - -2004-06-22 01:42 ho - - * isakmpd.conf.5: Describe the [Default]:NAT-T-Keepalive - configuration parameter. - -2004-06-22 01:28 ho - - * Makefile: Enable NAT-T support. - -2004-06-22 01:27 ho - - * ipsec.c, nat_traversal.c, nat_traversal.h, sa.c, sa.h, - udp_encap.c: Implement NAT-T keepalive messages. - -2004-06-21 20:41 ho - - * pf_key_v2.c: udpencap_port should be taken from dst transport - -2004-06-21 20:40 ho - - * virtual.c: When switching from main to encap transport, copy dst - port if translated (NAT). - -2004-06-21 20:34 ho - - * monitor.c: Strip away umask bits in monitor_fopen(). hshoexer@ - ok. - -2004-06-21 20:29 ho - - * ipsec.c: style nit - -2004-06-21 19:02 markus - - * features/nat_traversal: undo double-patch; Dries Schellekens - -2004-06-21 18:37 ho - - * log.c: Don't write too much IKE data in packet capture - -2004-06-21 18:01 ho - - * log.c, message.c: Packet capture should add the ESP-marker when - NAT-T is active. - -2004-06-21 17:15 ho - - * pf_key_v2.c: Tell the kernel to enable ESP-in-UDP encapsulation - when we have SAs negotiated with NAT-T. - -2004-06-21 15:09 ho - - * exchange.c, sa.h, transport.c, udp.c, udp_encap.c, virtual.c: - Port floating (500->4500) for p1 and p2 exchanges. - -2004-06-20 19:44 ho - - * message.c: message_parse_payloads should accept payloads in the - private range. While here, also cleanup some messages. - -2004-06-20 19:17 ho - - * dpd.c, exchange.c, ike_auth.c, ike_phase_1.c, ike_quick_mode.c, - init.c, ipsec.c, isakmp_cfg.c, isakmp_doi.c, message.c, - message.h, nat_traversal.c: Make the payload array in struct - message dynamic, since we need to handle payloads in the private - range, such as the pre-RFC NAT-D/NAT-OA. Replace - TAILQ_FIRST(&msg->payload[i]) instances with function calls. - -2004-06-20 17:24 ho - - * Makefile, exchange.h, ike_phase_1.c, init.c, ipsec.c, isakmp.h, - isakmp_fld.fld, message.c, nat_traversal.c, nat_traversal.h, - policy.c, transport.c, transport.h, udp.c, udp.h, udp_encap.c, - udp_encap.h, util.c, util.h, virtual.c, virtual.h, - features/nat_traversal: NAT-Traversal for isakmpd. Work in - progress... hshoexer@ ok. - -2004-06-20 17:20 ho - - * dpd.c, dpd.h, exchange.c, isakmp_num.cst, sa.h, features/dpd: A - start towards Dead Peer Detection (DPD) support, as specified in - RFC 3706 - -2004-06-20 17:11 ho - - * message.c: Some vendors send the last Aggressive Mode message - unencrypted, which we should accept. Problem noted by alex at - vbone.net. hshoexer@ ok. - -2004-06-20 17:03 ho - - * isakmpd.c, monitor.c, monitor.h: To make debugging the - unprivileged child process easier, make 'isakmpd -dd' pause just - after privsep; print the PIDs and wait for SIGCONT. hshoexer@ ok - -2004-06-17 21:39 hshoexer - - * ipsec.c: Yet another bunch of memleask found and fixed by Patrick - Latifi. Thanks! - - ok ho@ - -2004-06-17 21:36 hshoexer - - * udp.c: Plug a memleak. Found and fixed (and some cleanup) by - Patrick Latifi. Thanks! - - ok ho@ - -2004-06-17 21:32 hshoexer - - * x509.c: Evaluate result of X509_verify_cert() more carefully. - - ok cloder@ - -2004-06-16 17:08 hshoexer - - * util.c: Fix wrong pointer dereference and plug memleak. Found - and patch by Patrick Latifi. Thanks! - - ok ho@ - -2004-06-16 17:05 hshoexer - - * ipsec.c: fix ipv6-address and ipv6-address-mask mixup. Found by - Patrick Latifi. Thanks! - - ok ho@ - -2004-06-15 17:53 hshoexer - - * ike_quick_mode.c, isakmp_cfg.c: also use MSG_AUTHENTICATED flag. - - ok ho@ - -2004-06-14 15:53 hshoexer - - * conf.c, ike_auth.c, x509.c: avoid stat before open - - ok ho@ - -2004-06-14 12:04 hshoexer - - * message.c: added a missing message_free(). - - ok ho@ - -2004-06-14 11:55 ho - - * cert.c, conf.c, connection.c, crypto.c, dnssec.c, exchange.c, - field.c, hash.c, if.c, ike_auth.c, ike_main_mode.c, - ike_phase_1.c, ike_quick_mode.c, ipsec.c, isakmp_cfg.c, - isakmp_doi.c, isakmpd.c, key.c, log.c, math_2n.c, math_group.c, - message.c, monitor.c, pf_key_v2.c, policy.c, timer.c, - transport.c, udp.c, util.c, x509.c: KNF, style, 80c, etc. - hshoexer@ ok - -2004-06-11 12:17 brad - - * message.c: typo in comment - -2004-06-11 05:08 brad - - * ike_phase_1.c, ike_quick_mode.c, ipsec.c, message.c, message.h: - MFC: Fix by hshoexer@ - - Mark authenticated messages explicitly. Better check for - authentication before deleteing SAs. - - This fix is needed to solve the problems reported by Thomas - Walpuski, previous diff was not sufficient. Pointed out by - Thomas. Thanks! - -2004-06-11 04:34 brad - - * ike_phase_1.c, ike_quick_mode.c, ipsec.c, message.c, message.h: - MFC: Fix by hshoexer@ - - Mark authenticated messages explicitly. Better check for - authentication before deleteing SAs. - - This fix is needed to solve the problems reported by Thomas - Walpuski, previous diff was not sufficient. Pointed out by - Thomas. Thanks! - -2004-06-10 14:54 hshoexer - - * ike_phase_1.c, ike_quick_mode.c, ipsec.c, message.c, message.h: - Mark authenticated messages explicitly. Better check for - authentication before deleteing SAs. - - This fix is needed to solve the problems reported by Thomas - Walpuski, previous diff was not sufficient. Pointed out by - Thomas. Thanks! - - ok ho@ niklas@, testing and spellcheck by todd@ msf@ - -2004-06-09 23:15 brad - - * message.c: MFC: Fix by hshoexer@ - - only accept DELETEs during an authenticated INFORMATIONAL - exchange. Fix for recent problem disclosed by Thomas Walpuski. - -2004-06-09 22:48 brad - - * message.c: MFC: Fix by hshoexer@ - - only accept DELETEs during an authenticated INFORMATIONAL - exchange. Fix for recent problem disclosed by Thomas Walpuski. - -2004-06-09 16:02 ho - - * conf.c, exchange.c, ike_phase_1.c, ike_quick_mode.c, ipsec.c, - isakmp_cfg.c, message.c, pf_key_v2.c, transport.c, udp.c: Style - nits. hshoexer@ ok - -2004-06-09 14:59 hshoexer - - * message.c: only accept DELETEs during an authenticated - INFORMATIONAL exchange. Fix for recent problem disclosed by - Thomas Walpuski. - - ok ho@ - -2004-06-06 15:05 ho - - * ike_phase_1.c: Style (KNF, 80c). No binary change. - -2004-06-02 18:19 hshoexer - - * ike_auth.c, x509.c: remove unused BIO-functions. - - ok markus@ ho@ - -2004-05-27 00:17 hshoexer - - * ike_auth.c: do not leak fd on error path. - - ok ho@ - -2004-05-24 16:54 hshoexer - - * util.c: Use correct function names in log messages. Kill some - spaces. - - ok deraadt@ ho@ - -2004-05-23 20:17 hshoexer - - * field.c, field.h, hash.c, if.c, ike_aggressive.c, - ike_aggressive.h, ike_auth.c, ike_main_mode.c, ike_main_mode.h, - ipsec.c, ipsec.h, isakmp_cfg.c, isakmp_cfg.h, isakmp_doi.c, - isakmpd.c, key.c, log.c, log.h, math_2n.c, math_ec2n.c, - math_ec2n.h, math_group.c, message.c, message.h, monitor.c, - monitor_fdpass.c, pf_key_v2.h, policy.c, prf.c, sa.c, sa.h, - timer.c, timer.h, udp.c, ui.c, util.c, x509.c, x509.h: More KNF. - Mainly spaces and line-wraps, no binary change. - - ok ho@ - -2004-05-23 18:14 deraadt - - * if.c, udp.c: remove excessive monitor_ prefixes - -2004-05-23 18:14 deraadt - - * policy.c, util.c, util.h: stat before open is flawed - -2004-05-23 18:13 deraadt - - * key.c: greater care with arguments - -2004-05-19 16:30 ho - - * ipsec.c, isakmpd.c: Permit symbolic protocol and service names, - such as "Protocol= tcp", in the <IPsec-ID> sections. hshoexer@ ok - -2004-05-14 10:42 hshoexer - - * attribute.c, attribute.h, cert.c, cert.h, conf.c, conf.h, - connection.c, cookie.c, cookie.h, crypto.c, crypto.h, dh.h, - dnssec.c, dnssec.h, doi.c, doi.h: Some more KNF, no binary - change. - - ok ho@ - -2004-05-13 08:56 ho - - * connection.c, isakmpd.8, sa.c, sa.h, ui.c, ui.h: Extensions to - the FIFO interface: "C get [section]:tag" fetches a configuration - value. "C add [section]:tag=value" adds 'value' to a list, - typically for the [Phase 2]:Connections tag. FIFO "S" command - destination file changed. Various KNF cleanups. hshoexer@ ok. - -2004-05-10 20:34 deraadt - - * monitor.c: 64bit gcc saw missing cast - -2004-05-06 12:40 ho - - * exchange.c: KNF cleanup. hshoexer@ ok - -2004-05-03 23:23 hshoexer - - * exchange.c, exchange.h: KNF. ok ho@ - -2004-04-30 00:36 hshoexer - - * message.c: Better checking of minimum payload lengths. Drop out - safely when an unknown payload type is encountered. While - around, do some KNF. - - ok ho@ - -2004-04-28 22:20 hshoexer - - * ike_quick_mode.c, policy.c, policy.h: remove unused variable and - shorten names of two other. Removed some spaces while around. - - ok ho@ markus@ - -2004-04-28 16:40 ho - - * ipsec_num.cst, isakmp_num.cst: Reserve some payload numbers for - RFC 3547 and the earlier NAT-T drafts. hshoexer@ ok. - -2004-04-23 16:15 ho - - * conf.c, conf.h: Make sure KEY_LENGTH attribute is present when - checking AES proposals, required when acting as responder to - SafeNet peers. Also make conf_load_defaults() readable again - (KNF). hshoexer@ ok. - -2004-04-15 22:20 deraadt - - * conf.c: more knf; ok hshoexer - -2004-04-15 20:53 deraadt - - * conf.c: knf - -2004-04-15 20:39 deraadt - - * app.c, app.h, attribute.c, attribute.h, cert.c, cert.h, conf.c, - conf.h, connection.c, connection.h, constants.c, constants.h, - cookie.c, cookie.h, crypto.c, crypto.h, dh.c, dh.h, dnssec.c, - dnssec.h, doi.c, doi.h, exchange.h, field.c, field.h, - genconstants.sh, genfields.sh, gmp_util.c, gmp_util.h, hash.c, - hash.h, if.c, if.h, ike_aggressive.c, ike_aggressive.h, - ike_auth.c, ike_auth.h, ike_main_mode.c, ike_main_mode.h, - ike_phase_1.c, ike_phase_1.h, ike_quick_mode.c, ike_quick_mode.h, - init.c, init.h, ipsec.c, ipsec.h, ipsec_doi.h, isakmp.h, - isakmp_cfg.c, isakmp_cfg.h, isakmp_doi.c, isakmp_doi.h, - isakmpd.c, key.c, key.h, libcrypto.c, libcrypto.h, log.c, log.h, - math_2n.c, math_2n.h, math_ec2n.c, math_ec2n.h, math_group.c, - math_group.h, math_mp.h, message.c, message.h, monitor.c, - monitor.h, monitor_fdpass.c, pf_key_v2.c, pf_key_v2.h, policy.c, - policy.h, prf.c, prf.h, sa.c, sa.h, sysdep.h, timer.c, timer.h, - transport.c, transport.h, udp.c, udp.h, ui.c, ui.h, util.c, - util.h, x509.c, x509.h, sysdep/openbsd/keynote_compat.c, - sysdep/openbsd/sysdep.c: partial move to KNF. More to come. - This has happened because there are a raft of source code - auditors who are willing to help improve this code only if this - is done, and hey, isakmpd does need our standard auditing - process. ok ho hshoexer - -2004-04-15 02:27 deraadt - - * isakmpd.8: spaces - -2004-04-13 23:48 hshoexer - - * if.c: Add missing #include. Found by Stefan Paletta. - - ok henning@ ho@ - -2004-04-08 18:08 henning - - * sysdep/linux/sys/queue.h: swap the last two parameters to - TAILQ_FOREACH_REVERSE. matches what FreeBSD and NetBSD do. ok - millert@ mcbride@ markus@ ho@, checked to not affect ports by - naddy@ - -2004-04-08 12:05 hshoexer - - * init.c, isakmpd.c: Set timezone before privsep, child uses now - correct timezone. Noticed by david@ - - ok ho@ david@ - -2004-04-08 00:45 ho - - * conf.h, exchange.h, ike_auth.c, ike_phase_1.c, ike_quick_mode.c, - ipsec.c, log.c, math_2n.c, math_group.c, math_group.h, message.c, - monitor.c, pf_key_v2.c, policy.c, sa.c, udp.c, ui.c, util.c, - x509.c, regress/crypto/cryptotest.c: -Wsign-compare nits. - hshoexer@ ok. - -2004-04-08 00:45 ho - - * key.c: Reset *data in case of unknown key types - -2004-04-08 00:43 ho - - * Makefile: -Wmissing-declarations - -2004-04-07 22:04 ho - - * sa.c: More careful when walking LIST queues. hshoexer@, david@ - ok. - -2004-03-31 12:54 ho - - * cert.c, crypto.c, exchange.c, hash.c, ike_auth.c: -Wsign-compare - nits. hshoexer@ ok. - -2004-03-31 12:53 ho - - * monitor.c: Use sysdep_sa_len() instead of sa->sa_len, also - correct a log_fatal() message. hshoexer@ ok. - -2004-03-31 12:47 ho - - * isakmpd.c, sysdep/openbsd/Makefile.sysdep: Don't assume - closefrom(2) exists everywhere. hshoexer@, markus@ ok. - -2004-03-29 19:07 deraadt - - * monitor.c: use malloc (oops) - -2004-03-29 18:32 deraadt - - * monitor.c: wrong FD_ZERO(); from ho, hshoexer, markus - -2004-03-29 18:32 deraadt - - * udp.c: memory mishandling; from ho - -2004-03-24 17:44 hshoexer - - * isakmpd.8: Add some notes about privsep to manpage. - - ok ho@ jmc@ deraadt@ - -2004-03-23 19:20 hshoexer - - * monitor.c: Remove erroneous null termination. - - ok ho@ deraadt@ - -2004-03-19 15:04 hshoexer - - * Makefile, conf.c, conf.h, if.c, ike_auth.c, isakmpd.c, log.c, - monitor.c, monitor.h, policy.c, sa.c, udp.c, ui.c, x509.c: Add - missing bits to make already present privsep code work. Enable - privsep. - - ok ho@ deraadt@ markus@ - -2004-03-17 16:05 brad - - * doi.h, ike_quick_mode.c, ipsec.c, isakmp_cfg.c, isakmp_doi.c, - message.c, util.h: MFC: Fix by hshoexer@ - - Fix payload handling flaws found by cloder@. Based on initial - patch by cloder@. - - ok deraadt@ hshoexer@ - -2004-03-17 15:59 brad - - * doi.h, ike_quick_mode.c, ipsec.c, isakmp_cfg.c, isakmp_doi.c, - message.c, util.h: MFC: Fix by hshoexer@ - - Fix payload handling flaws found by cloder@. Based on initial - patch by cloder@. - - ok deraadt@ hshoexer@ - -2004-03-17 12:10 ho - - * ike_auth.c: For consistency and to avoid a rare memory leak, the - result from ike_auth_get_key() should always be released after - use. Found and ok hshoexer@. - -2004-03-15 17:34 hshoexer - - * monitor.c: Properly check succes of chroot(). - - ok ho@ - -2004-03-15 17:29 hshoexer - - * monitor.c, monitor.h: Remove unused code. - - ok ho@ - -2004-03-11 17:56 hshoexer - - * isakmp_cfg.c: Fix a memleak. - - ok ho@ - -2004-03-11 00:08 hshoexer - - * doi.h, ipsec.c, isakmp_doi.c, message.c, util.h: Fix payload - handling flaws found by cloder@. Based on initial patch by - cloder@. Testing by markus@ cloder@ hshoexer@. - - ok ho@ - -2004-03-10 17:10 hshoexer - - * message.c: Plug up memory leak. - - ok ho@ - -2004-03-10 12:17 hshoexer - - * message.c: Reduce some noise on receipt of an invalid spi. - - ok ho@ - -2004-03-10 10:28 ho - - * pf_key_v2.c: Fix for PR2429, from Clemens Wittinger. - -2004-03-09 22:42 hshoexer - - * message.c: Plug memleaks, found by cloder@. - - ok ho@ - -2004-02-27 20:14 hshoexer - - * ipsec.c: Remove dead code. - - ok ho@ - -2004-02-27 20:07 hshoexer - - * conf.c, isakmpd.conf.5: Add group 14 (modp2048) to predefined - suites. Manpage also updated. ok ho@ - -2004-02-27 11:16 ho - - * ike_phase_1.c, ike_quick_mode.c, sa.c, sa.h: (C)-2004 - -2004-02-27 10:01 ho - - * ike_phase_1.c, ike_quick_mode.c, sa.c, sa.h: Follow RFC 2408 more - closely regarding how to better check the proposal returned by - the other peer (the responder). Some implementations (notably the - Cisco PIX) does not follow a SHOULD in section 4.2 of the RFC. - With certain proposal combinations this caused us to setup the - wrong SA resulting in us being unable to process incoming IPsec - traffic (over this tunnel). - - Tested against a number of different IKE implementations. - hshoexer@ ok. - -2004-02-26 16:27 hshoexer - - * regress/rsakeygen/rsakeygen.c: remove unused code. noticed by - ho@ ok ho@ - -2004-02-26 06:52 jmc - - * isakmpd.conf.5: tweak; ok hshoexer@ - -2004-02-25 17:01 hshoexer - - * init.c, isakmpd.conf.5, log.c, log.h, regress/b2n/Makefile, - regress/crypto/Makefile, regress/crypto/cryptotest.c, - regress/dh/Makefile, regress/ec2n/Makefile, - regress/group/Makefile, regress/prf/Makefile, - regress/rsakeygen/Makefile, regress/rsakeygen/rsakeygen.c, - regress/util/Makefile: Add and document configuration options - Logverbose and Loglevel. As log.c now depends on conf.c and some - regression tests use log.c, add conf.c to Makefiles where - necessary. - - ok ho@ - -2004-02-20 12:31 hshoexer - - * ike_quick_mode.c: More small adjustments of log messages. - -2004-02-20 10:46 hshoexer - - * ike_quick_mode.c: Fix some double free errors. While around, - adjust a log message. ok ho@ - -2004-02-19 16:35 hshoexer - - * isakmpd.c: small cleanup of log messages. ok ho@ - -2004-02-19 10:54 ho - - * isakmpd.c, log.c, log.h: With -d, SIGINT should do a clean - shutdown. Without -d, logs should be sent to syslog, level - LOG_INFO. - -2004-02-19 10:46 ho - - * isakmpd.c: Cleanup. - -2004-02-16 21:40 markus - - * exchange.c: check for isakmp_sa->transport != NULL; noticed by - bluhm at genua.de ok hshoexer@ - -2004-02-11 09:55 jmc - - * samples/VPN-3way-template.conf: typo; from Olivier Cherrier; - -2004-02-05 12:01 hshoexer - - * exchange.c: small logging cleanup and improvement requested by - markus ok ho@ markus@ - -2004-01-26 15:56 niklas - - * regress/exchange/run.pl: Added 2-clause license - -2004-01-24 00:08 jmc - - * isakmpd.8: `Ns' implies `No', so `Ns No' -> `Ns'; (even simpler - in adduser(8)) discussed with todd@ - -2004-01-16 11:51 hshoexer - - * exchange.c, ike_quick_mode.c, isakmpd.8, isakmpd.c, log.c, log.h: - Added -v option. Enables logging of successful exchange - completion. ok ho@ - -2004-01-16 01:00 brad - - * exchange.c, ipsec.c, message.c: Fixes a few message handling - flaws in isakmpd as reported by Thomas Walpuski. - - ok deraadt@ hshoexer@ - -2004-01-13 23:50 brad - - * crypto.c, crypto.h, exchange.c, ipsec.c, message.c: Fixes a few - message handling flaws in isakmpd as reported by Thomas Walpuski. - - ok deraadt@ hshoexer@ - -2004-01-09 11:03 hshoexer - - * regress/exchange/run.sh: call nc correctly (nc has changed a - while ago). ok markus@ - -2004-01-06 01:22 hshoexer - - * conf.c, sa.c: small typos fixed. - - ok markus@ - -2004-01-06 01:09 hshoexer - - * x509.c: Remove redundant test for file types. Noted by Stefan - Paletta. While around, fix typos in log messages. - - Both ok markus@ - -2004-01-03 17:38 ho - - * ipsec.c: Be more careful with INITIAL-CONTACT and do not delete - SPIs when getting an INVALID-SPI notification. Issues noted by - Thomas Walpuski. markus@ ok. - -2003-12-22 19:13 markus - - * crypto.h: use AES_BLOCK_SIZE only for USE_AES; report - martti.kuparinen@iki.fi; ok ho@ - -2003-12-18 03:03 ho - - * transport.c: Mention the exchange name when giving up on a - message. Suggested by Michael Coulter. - -2003-12-15 11:06 hshoexer - - * ipsec.c, ipsec_num.cst, math_group.c, math_group.h: Support for - groups modp2048, modp3072, modp4096, modp6144 and modp8192 (IDs - 14 to 18). - - ok ho@ - -2003-12-14 15:50 ho - - * log.c, util.c, util.h: Log the actual port for src and dst, don't - assume it's always 500. - -2003-12-14 15:34 ho - - * sysdep/linux/sysdep.c: Make isakmpd work on big endian linux - machines. From Sebastian Klemke. Also, a few style nits and a - better error message text. - -2003-12-05 14:17 ho - - * message.c: Style nits - -2003-12-04 23:44 hshoexer - - * message.c: Validate SPIs presented in DELETE messages of the - informational exchange. ok markus@ - -2003-12-04 22:13 miod - - * ike_phase_1.c, isakmp_cfg.c: Typos - -2003-11-20 12:23 jmc - - * isakmpd.8: use .Dv for AF_INET and AF_INET6 (kills ugly line - break); spotted by Alexey E. Suslikov; - - also kill some .Pp's before displays/lists for better PostScript - output; - -2003-11-08 20:17 jmc - - * init.c: typos from Jonathon Gray; - -2003-11-07 11:16 jmc - - * x509.c, samples/VPN-3way-template.conf: adress -> address, and a - few more; all from Jonathon Gray; - - (mvme68k/mvme88k) vs.c and (vax) if_le.c ok miod@ isakmpd ones ok - ho@ -End of changelog debian package isakmpd.20031107-1 --------------------------------------------------- - -2003-11-06 17:12 ho - - * dnssec.c, exchange.c, field.c, if.c, ike_auth.c, ipsec.c, key.c, - log.c, message.c, message.h, monitor_fdpass.c, pf_key_v2.c, - policy.c, ui.c, x509.c, x509.h: Style nits. - -2003-11-06 16:55 ho - - * exchange.c, message.c: Require encrypted messages are soon as we - have the keystate for it. Require DELETE payloads to be - accompanied by HASHes, and add validation for HASH payloads - without active exchanges. From Hans-Joerg Hoexer with various - modifications and suggestions from me and markus@. Ok markus@. - -2003-11-06 16:50 ho - - * ipsec.c: spis[] type tweak. From Hans-Joerg Hoexer. - -2003-11-05 13:55 jmc - - * isakmpd.conf.5: PFS: Perfect Forward Secrecy (RFC 2409); from - misc@ and ok markus@ - -2003-11-05 13:31 jmc - - * QUESTIONS: updated URL from Jared Yanovich; - -2003-10-25 22:47 mcbride - - * isakmpd.policy.5: OpenSSL generates DNs with emailAddress, not - Email. - -2003-10-25 09:47 jmc - - * isakmpd.8: receiveing -> receiving; from Jared Yanovich; - -2003-10-14 16:29 ho - - * exchange.c, ike_auth.c, ike_phase_1.c, ipsec.c, isakmp_doi.c: - constant_lookup() to constant_name() cleanup. markus@ ok. - -2003-10-13 15:57 ho - - * isakmpd.8, log.h, ui.c: Add a UI FIFO debug class. ok markus@ - plus I think henning@ - -2003-10-04 19:29 cloder - - * ike_phase_1.c: Avoid crash on invalid config file (missing value - for LIFE_DURATION). OK ho@ - -2003-09-26 17:59 aaron - - * sysdep/freeswan/klips.c: Fix off-by-ones in format string for 's' - specifier; millert@, deraadt@ ok - -2003-09-26 13:29 cedric - - * udp.c: don't listen to INADDR_ANY if Listen-on is specified. - patch from markus@, ok ho@ - -2003-09-26 00:28 aaron - - * monitor.c: Fix off-by-one out-of-bounds write; millert@ ok - -2003-09-25 16:15 cloder - - * exchange.c, if.c: Fix one case of set length before realloc. Fix - another case of foo = realloc(foo...) and avoid possible memory - leaks. Avoid leaving things pointing to freed memory on failure. - -2003-09-24 13:12 markus - - * crypto.c, crypto.h, regress/crypto/cryptotest.c: re-add AES, but - without using EVP; patch from Hans-Joerg.Hoexer at - yerbouti.franken.de; ok ho@ (interops with isakmpd+AES in OpenBSD - 3.4) - -2003-09-24 12:13 markus - - * crypto.c, crypto.h, regress/crypto/cryptotest.c: back out EVP - change; causes fd leaks; ok cedric@ - -End of changelog debian package isakmpd.20030907-1 --------------------------------------------------- - -2003-09-05 09:50 tedu - - * monitor.c: socket leak on error paths. from Patrick Latifi. ok - deraadt@ ho@ - -2003-09-02 20:15 ho - - * conf.c, ipsec.c: A couple of nits. deraadt@ ok. - -2003-09-02 20:14 ho - - * message.c: Require ISAKMP_FLAGS_ENC on phase 2 messages. ok - markus@, deraadt@. - -2003-09-02 20:11 ho - - * sysdep/linux/: bitstring.h, sys/queue.h: For easier compilation - on linux systems. Requested by Thomas Walpuski. - -2003-08-28 16:43 markus - - * Makefile, TO-DO, conf.c, crypto.c, crypto.h, isakmpd.conf.5, - regress/crypto/Makefile, regress/crypto/cryptotest.c: support AES - in phase 1, too. switch to OpenSSL EVP interface; with - Hans-Joerg.Hoexer at yerbouti.franken.de; ok ho@ - -2003-08-20 16:43 ho - - * samples/singlehost-west.conf: Zap an old "Identification" tag in - this sample config. I have no idea what it was supposed to do and - in any case there is no reference to this tag in current code. - Pointed out by Fridtjof Busse. - -2003-08-20 14:25 ho - - * isakmpd.8: certpatch(8) can be used to create FQDN X509v3 - extensions too. From Fridtjof Busse, via henning@. Thanks. - - -End of changelog debian package isakmpd.20030820-1 --------------------------------------------------- - -2003-07-09 10:16 jmc - - * isakmpd.conf.5, isakmpd.policy.5: - remove some .Ss's that worked - around the old blank line bug - remove some unnecessary .Pp's - - mdoc a list - - ok ho@ - -2003-06-20 11:14 ho - - * transport.c: Be a bit more verbose when we give up on ever seeing - a response to the last message we sent out. In case we initiated - the exchange, one possible and common reason is a network level - problem (pf, routing, whatnot), if we're the responder, there is - also the possibility we were scanned by something like ike-scan. - markus@ ok. - -2003-06-17 23:56 millert - - * sysdep/common/libsysdep/: strlcat.c, strlcpy.c: Sync with - share/misc/license.template and add missing DARPA credit where - applicable. - -2003-06-15 12:32 ho - - * exchange.c: ID copying should happen earlier in exchange_finalize - so that we won't lose data during rekeying. From Jean-Francois - Dive. - -2003-06-14 13:47 ho - - * message.c: allocate payload_node with calloc instead of malloc - -2003-06-13 05:50 brad - - * ipsec.c: MFC: Fix from ho@ - - Do not crash on unsupported IPSec ID types, as noted by Eric - Boudrand. - - deraadt@ millert@ ok - -2003-06-13 05:34 brad - - * ipsec.c: MFC: Fix from ho@ - - Do not crash on unsupported IPSec ID types, as noted by Eric - Boudrand. - - deraadt@ millert@ ok - -2003-06-10 18:41 deraadt - - * conf.c, exchange.c, ike_auth.c, ike_phase_1.c, ike_quick_mode.c, - isakmp_cfg.c, log.c, monitor.c, monitor.h, pf_key_v2.c, policy.c, - transport.c, udp.c, x509.c: boring cleanups - -2003-06-10 14:21 ho - - * ipsec.c: Do not crash on unsupported IPSec ID types, as noted by - Eric Boudrand. - -2003-06-04 09:31 ho - - * exchange.c, ike_aggressive.c, ike_auth.c, ike_phase_1.c, - ike_quick_mode.c, init.c, ipsec.c, ipsec.h, isakmpd.8, isakmpd.c, - isakmpd.policy.5, libcrypto.c, libcrypto.h, message.c, message.h, - pf_key_v2.c, policy.c, policy.h, sa.c, sa.h, udp.c, x509.c, - x509.h, apps/certpatch/certpatch.8, apps/certpatch/certpatch.c, - regress/ec2n/ec2ntest.c, regress/hmac/hmactest.c: Remove the rest - of clauses 3 and 4. Approved by Niklas Hallqvist, Angelos D. - Keromytis and Niels Provos. - -2003-06-04 09:27 ho - - * DESIGN-NOTES: Remove 3 and 4 from the "license to use" - -2003-06-03 17:20 ho - - * sysdep/linux/: GNUmakefile.sysdep, sysdep-os.h, sysdep.c: Remove - clause 3. Approved by niklas@ and Thomas Walpuski. - -2003-06-03 17:02 ho - - * sysdep/linux/README: Obsolete. - -2003-06-03 16:53 ho - - * sysdep/: bsdi/GNUmakefile.sysdep, bsdi/Makefile.sysdep, - bsdi/sysdep-os.h, bsdi/sysdep.c, darwin/GNUmakefile.sysdep, - darwin/Makefile.sysdep, darwin/sysdep-os.h, darwin/sysdep.c, - freebsd/GNUmakefile.sysdep, freebsd/Makefile.sysdep, - freebsd/sysdep-os.h, freebsd/sysdep.c, - freeswan/GNUmakefile.sysdep, freeswan/Makefile.sysdep, - freeswan/klips.c, freeswan/klips.h, freeswan/sysdep-os.h, - freeswan/sysdep.c, netbsd/GNUmakefile.sysdep, - netbsd/Makefile.sysdep, netbsd/sysdep-os.h, netbsd/sysdep.c, - openbsd/GNUmakefile.sysdep, openbsd/Makefile.sysdep, - openbsd/keynote_compat.c, openbsd/sysdep-os.h, openbsd/sysdep.c: - Remove clauses 3 and 4. Approved by markus@ and niklas@. - -2003-06-03 16:52 ho - - * sysdep/common/: blf.h, libsysdep/GNUmakefile, libsysdep/Makefile, - libsysdep/blowfish.c: Remove clauses 3 and 4. Approved by Niklas - Hallqvist and Niels Provos. - -2003-06-03 16:39 ho - - * regress/Makefile, regress/check.sh, regress/b2n/b2ntest.c, - regress/crypto/cryptotest.c, regress/dh/dhtest.c, - regress/exchange/Makefile, regress/exchange/run.sh, - samples/Makefile, regress/group/grouptest.c, - regress/prf/prftest.c, regress/rsakeygen/Makefile, - regress/rsakeygen/rsakeygen.c, regress/util/utiltest.c, - regress/x509/Makefile, regress/x509/x509test.c: Remove clauses 3 - and 4. Approved by Niklas Hallqvist and Niels Provos. - -2003-06-03 16:35 ho - - * apps/: Makefile, certpatch/Makefile: Remove clauses 3 and 4. - Approved by Niklas Hallqvist and Niels Provos. - -2003-06-03 16:34 ho - - * apps/keyconv/: Makefile, keyconv.8, keyconv.c, keyvalues.h: - Remove clause 3. - -2003-06-03 16:29 ho - - * features/: aggressive, dnssec, ec, isakmp_cfg, policy, privsep, - x509: Remove clause 3. Approved by niklas@ - -2003-06-03 16:28 ho - - * GNUmakefile, Makefile, app.c, app.h, attribute.c, attribute.h, - cert.c, cert.h, conf.c, conf.h, connection.c, connection.h, - constants.c, constants.h, cookie.c, cookie.h, crypto.c, crypto.h, - dh.c, dh.h, dnssec.c, dnssec.h, doi.c, doi.h, exchange.h, - exchange_num.cst, field.c, field.h, genconstants.sh, - genfields.sh, gmp_util.c, gmp_util.h, hash.c, hash.h, if.c, if.h, - ike_aggressive.h, ike_auth.c, ike_auth.h, ike_main_mode.c, - ike_main_mode.h, ike_phase_1.h, ike_quick_mode.h, init.c, init.h, - ipsec_doi.h, ipsec_fld.fld, ipsec_num.cst, isakmp.h, - isakmp_cfg.c, isakmp_cfg.h, isakmp_doi.c, isakmp_doi.h, - isakmp_fld.fld, isakmp_num.cst, isakmpd.conf.5, log.c, log.h, - math_2n.c, math_2n.h, math_ec2n.c, math_ec2n.h, math_group.c, - math_group.h, math_mp.h, monitor.c, monitor.h, pf_key_v2.h, - prf.c, prf.h, sysdep.h, timer.c, timer.h, transport.c, - transport.h, udp.h, ui.c, ui.h, util.c, util.h: Remove clauses 3 - and 4. With approval from Niklas Hallqvist and Niels Provos. - -2003-06-03 15:16 jmc - - * isakmpd.8, isakmpd.conf.5, isakmpd.policy.5: - section reorder - - some mdoc fixes - -2003-06-03 14:51 ho - - * conf.c, constants.c, dnssec.c, exchange.c, ike_auth.c, - ike_phase_1.c, ike_quick_mode.c, ipsec.c, log.c, message.c, - policy.c, sa.c, udp.c, x509.c: Cleanup. Use 'sizeof variable' - instead of magic constants. - -2003-06-03 03:52 millert - - * sysdep/common/libsysdep/: strlcat.c, strlcpy.c: Use an ISC-tyle - license for all my code; it is simpler and more permissive. - -2003-06-02 22:06 millert - - * sysdep/freeswan/sys/queue.h: Remove the advertising clause in the - UCB license which Berkeley rescinded 22 July 1999. Proofed by - myself and Theo. - -2003-05-18 23:26 ho - - * monitor.c: Add some path sanitation; only permit write operations - to /tmp, /var/tmp and /var/run. Opens in /etc/isakmpd/ are - read-only. Any other path is invalid. markus@ ok. - -2003-05-18 22:46 ho - - * init.c: Style tweak. - -2003-05-18 22:39 ho - - * sa.c: Add a debug message to sa_reinit() to indicate when we - renegotiate active connections. - -2003-05-18 22:09 ho - - * monitor_fdpass.c: Forgot to remove a couple of debug messages - -2003-05-18 22:06 ho - - * udp.c: struct sockaddr is not large enough in itself to contain - the address value. Switching to sockaddr_storage makes interface - rescanning work properly. niklas@ ok. - -2003-05-18 21:37 ho - - * conf.c, ike_auth.c, isakmpd.c, log.c, monitor.c, monitor.h, - monitor_fdpass.c, pf_key_v2.c, policy.c: More isakmpd privsep - work. X509 private keys are now kept in the privileged process - only. Various cleanup and bugfixes. markus@ ok - -2003-05-18 20:16 ho - - * GNUmakefile, pf_key_v2.c, udp.c, sysdep/linux/GNUmakefile.sysdep, - sysdep/linux/sysdep-os.h, sysdep/linux/sysdep.c: Sysdep for - native Linux IPSec, 2.5 and later. From Thomas Walpuski, with - various tweaks by me. niklas@ ok. - -2003-05-17 19:39 ho - - * monitor.h, monitor_fdpass.c: Better return codes from mm_send_fd - and mm_receive_fd - -2003-05-17 19:32 ho - - * monitor_fdpass.c: Use log_error(), not log_fatal(). Style. - -2003-05-17 19:26 jmc - - * isakmpd.conf.5: tweak; ok ho@ - -2003-05-16 22:31 ho - - * init.c, isakmpd.conf.5, sa.c, sa.h: If the "Renegotiate-on-HUP" - tag is defined in the [General] section, a HUP signal (or "R" to - the FIFO) will also renegotiate all Phase 2 SAs, i.e all - connections. ok niklas@, tested and ok kjell@. - -2003-05-15 05:20 ho - - * ike_auth.c: Correct a two year old typo, which might actually - make setsockopt(..., IP_IPSEC_LOCAL_AUTH, ...) start working. - -2003-05-15 04:28 ho - - * exchange.c, ike_auth.c, sa.c, sa.h: Cleanup. Do not store the - private key in either the exchange or sa structs. - -2003-05-15 04:08 ho - - * ike_auth.c: Work around some OpenSSL BIO "features" to read the - key correctly. - -2003-05-15 04:04 ho - - * monitor.c: Proper exit of the monitor process. - -2003-05-15 03:51 ho - - * monitor.c: wait() for the child process - -2003-05-15 02:28 ho - - * Makefile, conf.c, conf.h, ike_auth.c, init.c, isakmpd.c, log.c, - monitor.c, monitor.h, monitor_fdpass.c, pf_key_v2.c, policy.c, - udp.c, ui.c, util.c, features/privsep, sysdep/openbsd/sysdep.c: - Start of privilege separation for isakmpd. There are some kinks - left, so keep it default disabled for now. markus@ says ok to - commit. - -2003-05-15 02:24 ho - - * log.h: (c) - -2003-05-15 01:44 kjell - - * pf_key_v2.c: properly terminate debug string (levels >=40) Use - "%.*s" as suggested by Niklas. ok ho@. Lost by kjell. oked ho@. - lost by kjell again. oked ho@ - -2003-05-15 01:29 ho - - * features/policy: Remove the .if/.endif stuff that gmake does not - understand. Replace with a comment about needing keynote for - policy. - -2003-05-14 22:49 ho - - * GNUmakefile, Makefile, sysdep/freeswan/GNUmakefile.sysdep, - sysdep/freeswan/Makefile.sysdep, sysdep/freeswan/README, - sysdep/freeswan/klips.c, sysdep/freeswan/klips.h, - sysdep/freeswan/sysdep-os.h, sysdep/freeswan/sysdep.c, - sysdep/freeswan/sys/queue.h, sysdep/linux/GNUmakefile.sysdep, - sysdep/linux/Makefile.sysdep, sysdep/linux/README, - sysdep/linux/klips.c, sysdep/linux/klips.h, - sysdep/linux/sysdep-os.h, sysdep/linux/sysdep.c: Call the - FreeS/WAN sysdep 'freeswan'. The 'linux' sysdep will be native - Linux IPSec. - -2003-05-14 20:11 ho - - * conf.c, conf.h, ike_auth.c: Default public key directory - definition sanity. - -2003-05-14 20:10 ho - - * policy.c, policy.h: Policy file default defined twice, kill the - local copy. - -2003-05-14 20:08 ho - - * isakmpd.c: Fix a typo (in unused code). - -2003-05-14 19:37 ho - - * ipsec.c, ipsec_num.cst, pf_key_v2.c, policy.c, sa.c: I did not - test this enough. Unbreak. - -2003-05-12 23:48 ho - - * isakmp_num.cst: Update with some data for NAT-T specific payload - types, IKEv2 notifications, ISAKMP EAP code and types, plus fix - an old typo. - -2003-05-12 23:43 ho - - * ipsec.c, pf_key_v2.c, policy.c, sa.c: AES -> AES_128_CBC - -2003-05-12 23:42 ho - - * ipsec_num.cst: Add two more encapsulation types (UDP encap, - potential future NAT-T) Add BLOCK_SIZE attribute Rename - IPSEC_ESP_AES -> IPSEC_ESP_AES_128_CBC. - -2003-05-12 01:17 ho - - * genconstants.sh: Slight style fix for .cst files. Permit comments - also after a definition. - -2003-05-11 04:16 markus - - * pf_key_v2.c: fix ID-type for ipv6; ok niklas; report fries - -2003-05-10 23:13 jmc - - * isakmpd.8, isakmpd.conf.5: typos; - -2003-04-30 17:15 jason - - * conf.c: cast size_t to unsigned long and use %lu;ok ho - -2003-04-27 13:17 ho - - * isakmpd.8: Describe the 'C set' FIFO command better. (PR#3148, - also) - -2003-04-27 13:16 ho - - * ui.c: Make the 'C set' FIFO command work as expected. PR#3148. - -2003-04-14 15:08 ho - - * isakmpd.c: Unlink FIFO and pid files on clean shutdown. PR#3199 - -2003-04-14 12:22 ho - - * pf_key_v2.c: More snprintf style - -2003-04-14 12:14 ho - - * pf_key_v2.c: A "%d" is 12 chars, not 10. Use sizeof num instead - of '10' in snprintf. From Theo. - -2003-04-09 17:46 ho - - * x509.c: Less noise for missing crl dir, demoted to debug message. - -2003-03-21 16:13 markus - - * isakmpd.conf.5: document [initiator-id] section; - richb@timestone.com.au; ok ho@, jmc@ - -2003-03-20 20:39 margarida - - * isakmp_cfg.c: Pull patch from current: Fix by ho@. Proper - id_string for SET/ACK responder, plus attr payload fixes. - - ok millert@ markus@ ho@ - -2003-03-16 09:13 matthieu - - * samples/: VPN-east.conf, VPN-west.conf: secrity -> security. Ok - ho@ - -2003-03-14 15:49 ho - - * math_group.c, transport.c, sysdep/common/blf.h, - sysdep/common/libsysdep/blowfish.c: Spelling fixes from david@. - jmc@ ok. - -2003-03-13 14:24 ho - - * ike_auth.c: Might as well do blinding here too. - -2003-03-13 11:31 ho - - * util.c: Avoid "j += snprintf()". niklas@ ok. - -2003-03-06 21:29 jmc - - * isakmpd.conf.5, isakmpd.policy.5: .Xr typos; - - ok deraadt@ - -2003-03-06 15:22 cedric - - * util.c: fix text2sockaddr() when HAVE_GETNAMEINFO is false and - port is NULL. ok ho@ - -2003-03-06 14:48 cedric - - * field.c: "len" is decremented too early, so the second argument - of the snprintf call is too small on last run of the loop. ok - ho@ - -2003-03-06 14:32 ho - - * exchange.c: Bad cut'n'paste msg plus style fixes. - -2003-03-06 10:56 ho - - * util.c: Less ambiguous l-value usage. Noted by cedric@ - -2003-03-06 05:07 david - - * apps/keyconv/keyconv.8: date should be written formally: .Dd - Month day, year ok henning@ jmc@ - -2003-03-03 17:51 ho - - * isakmpd.conf.5: Re-add the BUGS section; the RFCs still do not - permit differing DH groups in the same proposal. This time, - mention that this also applies to mixing PFS and non-PFS suites. - -2003-02-26 23:55 ho - - * samples/VPN-west.conf: Typo/pasto. Spotted by Tim Donahue. - -2003-02-26 09:17 david - - * exchange.c: IPsec is written ``IPsec'', not ``IPSec''. ok ho@ - -2003-02-24 13:01 markus - - * pf_key_v2.c: pf_key_v2_flow: typo in debug msg (KAME) - -2003-02-22 07:57 kjell - - * README: typo: noneheless->nontheless - -2003-02-22 07:56 kjell - - * isakmpd.8, isakmpd.conf.5: Clarify some language, grammar. ho@ - okayed this many moons ago, and I forgot all about it. - -2003-02-12 16:11 markus - - * if.c, if.h, udp.c: better error checking on bind(); from - Alexander_Bluhm at genua.de; ok ho@ - -2003-02-05 11:29 jmc - - * isakmpd.8: typos; isakmpd(8) ok niklas@, mailwrapper(8) help - kjell@ - -2003-02-04 21:02 markus - - * conf.c: don't set the Transform for Default-phase-1-configuration - twice, ok ho@ - -2003-02-04 21:02 markus - - * conf.h: default to 3DES-SHA-RSA_SIG (same as in OpenBSD 3.2); ok - ho@ - -2003-01-22 16:13 ho - - * ike_auth.c: Typo. - -2003-01-20 20:52 deraadt - - * isakmpd.policy.5: typos; alan@alanday.com diff --git a/keyexchange/isakmpd-20041012/debian/README.Debian b/keyexchange/isakmpd-20041012/debian/README.Debian deleted file mode 100644 index 5ed5128..0000000 --- a/keyexchange/isakmpd-20041012/debian/README.Debian +++ /dev/null @@ -1,17 +0,0 @@ -State of the package / isakmpd port to linux --------------------------------------------- -The port is operational and is included in upstream, from various sources. - - -Where to start --------------- -- isakmpd.conf man pages. -- configuration examples. -- openbsd isakmpd documentation. - -caution note ------------- -- keynote is used to check for all policy components. For exemple, if acting - as initiator, isakmpd will send the isakmpd.conf configured proposals but - will only check the received proposal with the rules enforced in isakmpd.policy. - diff --git a/keyexchange/isakmpd-20041012/debian/changelog b/keyexchange/isakmpd-20041012/debian/changelog deleted file mode 100644 index 1883efc..0000000 --- a/keyexchange/isakmpd-20041012/debian/changelog +++ /dev/null @@ -1,153 +0,0 @@ -isakmpd (20041012-4) unstable; urgency=high - - * Fix replay protection (CVE-2006-4436) - Thanks to Stefan Fritsch <sf@fritsch.de> (Closes: #385894) - - -- Jochen Friedrich <jochen@scram.de> Mon, 4 Sep 2006 18:41:00 +0200 - -isakmpd (20041012-3) unstable; urgency=low - - * Fix NAT-T RFC support. - * Remove superfluos header from packet dump so tcpdump and ethereal - can read the dump. - - -- Jochen Friedrich <jochen@scram.de> Mon, 28 Aug 2006 17:14:47 +0200 - -sakmpd (20041012-2) unstable; urgency=low - - * New maintainer (Closes: #358800) - * Replace SADB_X_SPDADD by SADB_X_SPDUPDATE (Closes: #346214) - * Fix NAT-T (Closes: #324753) - * Fix openssl incompatibility with version 0.9.8b (Closes: #334624) - * Fix dependencies (Closes: #320393, #325849) - * gcc compiler fixes (Closes: #318241) - * Update standards version to 3.7.2 - - -- Jochen Friedrich <jochen@scram.de> Tue, 21 Feb 2006 14:26:40 +0100 - -isakmpd (20041012-1) unstable; urgency=high - - * new upstream cvs merge. - * add setsockopt to properly configure udp encap socket. - * add proper source port in nat-t sadb set (thanks to Thomas Walpuski). - * DPD now works (closes: #258479). - * NAT-T now works (closes: #269851). - * remove double dependency on libkeynote0 (closes: #272377). - - -- Jean-Francois Dive <jef@debian.org> Tue, 7 Sep 2004 11:28:18 +0200 - -isakmpd (20040628-1) unstable; urgency=high - - * New upstream cvs merge. - * Enabled DPD. - * Enabled NAT-T + added support for linux nat-t pfkey msgs. - * Fix payload handling denial-of-service vuln (closes: #239739); - * Add spd cleartext entry (thanks to Vincent Bernat). (closes: #243990). - * Add dependency on linux-kernel-headers (closes: #238793). - * Add man page for isakmpd.policy. - * No issue with Renegotiate-on-HUP (closes: #255507). - * x509v3.cnf provided (closes: #238542). - * Added certpatch utility (closes: #231743). - * Fixed pcap support (closes: #238543). - - -- Jean-Francois Dive <jef@debian.org> Mon, 5 Jul 2004 23:32:47 +0200 - -isakmpd (20040204-1) unstable; urgency=low - - * Provide ike-server (closes: #223784). - * Fixes for big indian systems (thanks to Sebastian Klemke). - (closes: #223845). - * Fix for certificates file access on non ext2 enabled kernel - systems, thanks to jochen. (closes: #225474). - * Update kernel version informations. (closes: #229795). - * New upstream cvs merge. - * Added missing man page isakmpd.policy(5) (thanks to Toni Mueller). - (closes: #231123). - - -- Jean-Francois Dive <jef@debian.org> Sun, 8 Feb 2004 20:55:34 +0100 - -isakmpd (20031107-2) unstable; urgency=high - - * SECURITY fix for INITIAL_CONTACT handeling. (previous - release actually did fixed INVALID_SPI informational exchange - security issue). The problem is the exact same nature for both - type of informational messages: because the end result is SA - deletation, the HASH payload should be in the message and checked. - - -- Jean-Francois Dive <jef@debian.org> Thu, 13 Nov 2003 14:54:01 +0100 - -isakmpd (20031107-1) unstable; urgency=high - - * new upstream cvs merge. - * SECURITY fix for HASH payload handeling (closes: #219864). - * SECURITY fix handeling of quick mode exchange encryption (it now - does require quick mode to be encrypted both Rx/Tx). - * SECURITY fix for INITIAL_CONTACT handeling (did not check for - mandatory HASH payload). - * Updated linux kernel header for interop with debian x86 kernels. - * Fix issues with policy handeling in keynote. - - -- Jean-Francois Dive <jef@debian.org> Thu, 13 Nov 2003 11:05:09 +0100 - -isakmpd (20030907-1) unstable; urgency=high - - * new upstream cvs merge. - * Fixed kernel interface due to ABI changes in linux IPSec. - * Fixed keynote issue. - - -- Jean-Francois Dive <jef@debian.org> Wed, 10 Sep 2003 22:47:17 +0200 - -isakmpd (20030718-1) unstable; urgency=high - - * New upstream version. - * Merged new upstream linux native build support. - * Added fine grained selector support to upstream linux native sysdep. - * Removed useless libc and kernel headers. - * Removed libdes. - * Added generated upstream changelog (generated by cvs2cl.pl). - - -- Jean-Francois Dive <jef@debian.org> Tue, 22 Jul 2003 12:15:30 +0200 - -isakmpd (20030119-2) unstable; urgency=low - - * Fixed init script (closes: #188086). - * Added support for Protocol and Port text definition in ID handeling. - (expl: Protocol = icmp instead of Protocol = 1). - - -- Jean-Francois Dive <jef@debian.org> Mon, 9 Jun 2003 14:11:02 +0200 - -isakmpd (20030119-1) unstable; urgency=low - - * Changed version number to a sane format. - - -- Jean-Francois Dive <jef@debian.org> Thu, 20 Mar 2003 18:46:56 +0100 - -isakmpd (19012003-4) unstable; urgency=low - - * Fixed source tree clean issues (libdes, libsysdep) (closes: #184295). - * Added diff to package upload. - - -- Jean-Francois Dive <jef@debian.org> Tue, 18 Mar 2003 17:30:57 +0100 - -isakmpd (19012003-3) unstable; urgency=low - - * switched libdes copyright from copyright.libdes to - copyright file. - - -- Jean-Francois Dive <jef@debian.org> Thu, 20 Feb 2003 13:10:54 +1100 - -isakmpd (19012003-2) unstable; urgency=low - - * Added reference to BSD license and libdes license. - * Renmoved double dependency on libssl. - * Removed /usr/doc link. - * Added lintian overrides. - - -- Jean-Francois Dive <jef@debian.org> Sun, 26 Jan 2003 00:36:40 +1100 - -isakmpd (19012003-1) unstable; urgency=low - - * Inital debianization (Closes: #163904). - - -- Jean-Francois Dive <jef@debian.org> Sun, 26 Jan 2003 00:36:40 +1100 - diff --git a/keyexchange/isakmpd-20041012/debian/control b/keyexchange/isakmpd-20041012/debian/control deleted file mode 100644 index ba34296..0000000 --- a/keyexchange/isakmpd-20041012/debian/control +++ /dev/null @@ -1,17 +0,0 @@ -Source: isakmpd -Maintainer: Jochen Friedrich <jochen@scram.de> -Priority: optional -Section: net -Standards-Version: 3.7.2 -Build-Depends: debhelper (>= 5), libkeynote-dev, libssl-dev, libgmp3-dev, libpcap-dev, linux-kernel-headers - -Package: isakmpd -Priority: optional -Section: net -Architecture: any -Provides: ike-server -Depends: ${shlibs:Depends}, ${misc:Depends} -Description: The Internet Key Exchange protocol openbsd implementation - IKE is a protocol which allow to exchange security information between - to peers. This implementation requires the native linux ipsec support. - diff --git a/keyexchange/isakmpd-20041012/debian/copyright b/keyexchange/isakmpd-20041012/debian/copyright deleted file mode 100644 index f418b06..0000000 --- a/keyexchange/isakmpd-20041012/debian/copyright +++ /dev/null @@ -1,21 +0,0 @@ -This package have been packaged by Jean-Francois Dive <jef@debian.org> as -isakmpd. The upstream source of isakmpd can be found at www.openbsd.org - -This package is now maintained by Jochen Friedrich <jochen@scram.de> - -- This package links against openssl. -- This package include linux kernel include files for interface definition - purposes. This should mean that GPL does not apply for this distribution. -- This package include libdes from the openbsd tree which have the same - license as openssl, please refer to the following license statement for details. - -This is isakmpd, a BSD-licensed ISAKMP/Oakley (a.k.a. IKE) -implementation. It's written by Niklas Hallqvist and Niels Provos, -funded by Ericsson Radio Systems AB. Isakmpd's home is in the -OpenBSD main source tree under src/sbin/isakmpd. Look at -http://www.openbsd.org/ for details on how to get OpenBSD source. - -The isakmpd license is the BSD license, please refer to -/usr/share/common-license/BSD for details. The few code modification in isakmpd -(linux support) are authored by Jean-Francois Dive and Jochen Friedrich -and are release on the same license as isakmpd itself. diff --git a/keyexchange/isakmpd-20041012/debian/isakmpd.dirs b/keyexchange/isakmpd-20041012/debian/isakmpd.dirs deleted file mode 100644 index de7adf9..0000000 --- a/keyexchange/isakmpd-20041012/debian/isakmpd.dirs +++ /dev/null @@ -1,13 +0,0 @@ -usr/sbin -usr/bin -etc/isakmpd -etc/isakmpd/certs -etc/isakmpd/crls -etc/isakmpd/ca -etc/isakmpd/pubkeys/ipv4 -etc/isakmpd/pubkeys/ipv6 -etc/isakmpd/pubkeys/fqdn -etc/isakmpd/pubkeys/ufqdn -etc/isakmpd/private -usr/share/doc/isakmpd/samples -usr/share/lintian/overrides diff --git a/keyexchange/isakmpd-20041012/debian/isakmpd.init b/keyexchange/isakmpd-20041012/debian/isakmpd.init deleted file mode 100644 index 57de3d4..0000000 --- a/keyexchange/isakmpd-20041012/debian/isakmpd.init +++ /dev/null @@ -1,32 +0,0 @@ -#!/bin/sh -# -PATH=/bin:/usr/bin:/sbin:/usr/sbin -DAEMON=/usr/sbin/isakmpd -PIDFILE=/var/run/isakmpd.pid - -test -f $DAEMON || exit 0 - -case "$1" in - start) - echo -n "Starting OpenBSD isakmpd: " - start-stop-daemon --start --verbose --pidfile $PIDFILE --exec $DAEMON > /dev/null 2>&1 - echo "done" - ;; - stop) - echo -n "Stopping OpenBSD isakmpd: " - start-stop-daemon --stop --verbose --pidfile $PIDFILE --exec $DAEMON > /dev/null 2>&1 - echo "done" - ;; - restart|force-reload) - echo -n "Restarting OpenBSD isakmpd: " - start-stop-daemon --stop --verbose --pidfile $PIDFILE --exec $DAEMON > /dev/null 2>&1 - start-stop-daemon --start --verbose --pidfile $PIDFILE --exec $DAEMON > /dev/null 2>&1 - echo "done" - ;; - *) - echo "Usage: /etc/init.d/isakmpd {start|stop|restart|force-reload}" - exit 1 - ;; -esac - -exit 0 diff --git a/keyexchange/isakmpd-20041012/debian/isakmpd.lintian b/keyexchange/isakmpd-20041012/debian/isakmpd.lintian deleted file mode 100644 index 7d9b585..0000000 --- a/keyexchange/isakmpd-20041012/debian/isakmpd.lintian +++ /dev/null @@ -1,3 +0,0 @@ -isakmpd: copyright-should-refer-to-common-license-file-for-gpl -isakmpd: non-standard-dir-perm -isakmpd: non-standard-file-perm diff --git a/keyexchange/isakmpd-20041012/debian/rules b/keyexchange/isakmpd-20041012/debian/rules deleted file mode 100755 index d15e56a..0000000 --- a/keyexchange/isakmpd-20041012/debian/rules +++ /dev/null @@ -1,73 +0,0 @@ -#!/usr/bin/make -f - -export DH_COMPAT := 5 - -b := $(CURDIR)/debian/isakmpd - -arrange: arrange-stamp -arrange-stamp: install - dh_testdir - touch arrange-stamp - -binary: binary-stamp -binary-stamp: binary-indep binary-arch - dh_testdir - touch binary-stamp - -binary-arch: binary-arch-stamp -binary-arch-stamp: arrange - dh_testdir - dh_testroot - dh_installdocs -n DESIGN-NOTES QUESTIONS README README.PKI TO-DO $(CURDIR)/debian/README.Debian x509v3.cnf - cp $(CURDIR)/samples/*.conf $(b)/usr/share/doc/isakmpd/samples/ - cp $(CURDIR)/samples/VPN-east.conf $(b)/etc/isakmpd/isakmpd.conf - cp $(CURDIR)/samples/policy $(b)/etc/isakmpd/isakmpd.policy - cp $(CURDIR)/isakmpd $(b)/usr/sbin/ - cp $(CURDIR)/apps/certpatch/certpatch $(b)/usr/bin - cp $(CURDIR)/debian/isakmpd.lintian $(b)/usr/share/lintian/overrides/isakmpd - dh_installman isakmpd.8 isakmpd.conf.5 isakmpd.policy.5 apps/certpatch/certpatch.8 - dh_installinit - dh_installchangelogs $(CURDIR)/debian/ChangeLog upstream - dh_compress - dh_fixperms - find $(b)/etc/isakmpd -type d | xargs chmod 0700 - find $(b)/etc/isakmpd -type f | xargs chmod 0600 - dh_strip - dh_installdeb - dh_perl - dh_shlibdeps - dh_gencontrol - dh_md5sums - dh_builddeb - touch binary-arch-stamp - -binary-indep: binary-indep-stamp -binary-indep-stamp: arrange - dh_testdir - touch binary-indep-stamp - -build: build-stamp -build-stamp: config - dh_testdir - $(MAKE) - touch build-stamp - -clean: - dh_testdir - dh_testroot - $(MAKE) clean - dh_clean arrange-stamp binary-stamp binary-arch-stamp binary-indep-stamp build-stamp config-stamp install-stamp - find $(CURDIR) -type f -name ".depend" | xargs rm -f - -config: config-stamp -config-stamp: - dh_testdir - touch config-stamp - -install: install-stamp -install-stamp: build - dh_testdir - dh_installdirs - touch install-stamp - -.PHONY: arrange binary binary-arch binary-indep build clean config install diff --git a/keyexchange/isakmpd-20041012/dh.c b/keyexchange/isakmpd-20041012/dh.c deleted file mode 100644 index afb41ba..0000000 --- a/keyexchange/isakmpd-20041012/dh.c +++ /dev/null @@ -1,82 +0,0 @@ -/* $OpenBSD: dh.c,v 1.9 2004/04/15 18:39:25 deraadt Exp $ */ -/* $EOM: dh.c,v 1.5 1999/04/17 23:20:22 niklas Exp $ */ - -/* - * Copyright (c) 1998 Niels Provos. All rights reserved. - * Copyright (c) 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/param.h> - -#include "sysdep.h" - -#include "math_group.h" -#include "dh.h" -#include "log.h" - -/* - * Returns the length of our exchange value. - */ - -int -dh_getlen(struct group *group) -{ - return group->getlen(group); -} - -/* - * Creates the exchange value we are offering to the other party. - * Each time this function is called a new value is created, that - * means the application has to save the exchange value itself, - * dh_create_exchange should only be called once. - */ -int -dh_create_exchange(struct group *group, u_int8_t *buf) -{ - if (group->setrandom(group, group->c)) - return -1; - if (group->operation(group, group->a, group->gen, group->c)) - return -1; - group->getraw(group, group->a, buf); - return 0; -} - -/* - * Creates the Diffie-Hellman shared secret in 'secret', where 'exchange' - * is the exchange value offered by the other party. No length verification - * is done for the value, the application has to do that. - */ -int -dh_create_shared(struct group *group, u_int8_t *secret, u_int8_t *exchange) -{ - if (group->setraw(group, group->b, exchange, group->getlen(group))) - return -1; - if (group->operation(group, group->a, group->b, group->c)) - return -1; - group->getraw(group, group->a, secret); - return 0; -} diff --git a/keyexchange/isakmpd-20041012/dh.h b/keyexchange/isakmpd-20041012/dh.h deleted file mode 100644 index afd00ad..0000000 --- a/keyexchange/isakmpd-20041012/dh.h +++ /dev/null @@ -1,43 +0,0 @@ -/* $OpenBSD: dh.h,v 1.7 2004/05/14 08:42:56 hshoexer Exp $ */ -/* $EOM: dh.h,v 1.4 1999/04/17 23:20:24 niklas Exp $ */ - -/* - * Copyright (c) 1998 Niels Provos. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _DH_H_ -#define _DH_H_ - -#include <sys/types.h> - -struct group; - -int dh_getlen(struct group *); -int dh_create_exchange(struct group *, u_int8_t *); -int dh_create_shared(struct group *, u_int8_t *, u_int8_t *); - -#endif /* _DH_H_ */ diff --git a/keyexchange/isakmpd-20041012/dnssec.c b/keyexchange/isakmpd-20041012/dnssec.c deleted file mode 100644 index b7ee75f..0000000 --- a/keyexchange/isakmpd-20041012/dnssec.c +++ /dev/null @@ -1,293 +0,0 @@ -/* $OpenBSD: dnssec.c,v 1.20 2004/06/14 09:55:41 ho Exp $ */ - -/* - * Copyright (c) 2001 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include <sys/types.h> -#include <netinet/in.h> -#include <arpa/nameser.h> -#include <arpa/inet.h> -#include <stdlib.h> - -#include <openssl/rsa.h> - -#ifdef LWRES -#include <lwres/netdb.h> -#include <dns/keyvalues.h> -#else -#include <netdb.h> -#endif - -#include "sysdep.h" - -#include "dnssec.h" -#include "exchange.h" -#include "ipsec_num.h" -#include "libcrypto.h" -#include "log.h" -#include "message.h" -#include "transport.h" -#include "util.h" - -#ifndef DNS_UFQDN_SEPARATOR -#define DNS_UFQDN_SEPARATOR "._ipsec." -#endif - -/* adapted from <dns/rdatastruct.h> / RFC 2535 */ -struct dns_rdata_key { - u_int16_t flags; - u_int8_t protocol; - u_int8_t algorithm; - u_int16_t datalen; - unsigned char *data; -}; - -void * -dns_get_key(int type, struct message *msg, int *keylen) -{ - struct exchange *exchange = msg->exchange; - struct rrsetinfo *rr; - struct dns_rdata_key key_rr; - char name[MAXHOSTNAMELEN]; - in_addr_t ip4; - u_int8_t algorithm, *id, *umark; - size_t id_len; - int ret, i; - - switch (type) { - case IKE_AUTH_RSA_SIG: - algorithm = DNS_KEYALG_RSA; - break; - - case IKE_AUTH_RSA_ENC: - case IKE_AUTH_RSA_ENC_REV: - /* XXX Not yet. */ - /* algorithm = DNS_KEYALG_RSA; */ - return 0; - - case IKE_AUTH_DSS: - /* XXX Not yet. */ - /* algorithm = DNS_KEYALG_DSS; */ - return 0; - - case IKE_AUTH_PRE_SHARED: - default: - return 0; - } - - id = exchange->initiator ? exchange->id_r : exchange->id_i; - id_len = exchange->initiator ? exchange->id_r_len : exchange->id_i_len; - memset(name, 0, sizeof name); - - if (!id || id_len == 0) { - log_print("dns_get_key: ID is missing"); - return 0; - } - /* Exchanges (and SAs) don't carry the ID in ISAKMP form */ - id -= ISAKMP_GEN_SZ; - id_len += ISAKMP_GEN_SZ - ISAKMP_ID_DATA_OFF; - - switch (GET_ISAKMP_ID_TYPE(id)) { - case IPSEC_ID_IPV4_ADDR: - /* We want to lookup a KEY RR in the reverse zone. */ - if (id_len < sizeof ip4) - return 0; - memcpy(&ip4, id + ISAKMP_ID_DATA_OFF, sizeof ip4); - snprintf(name, sizeof name, "%d.%d.%d.%d.in-addr.arpa.", ip4 - >> 24, (ip4 >> 16) & 0xFF, (ip4 >> 8) & 0xFF, ip4 & 0xFF); - break; - - case IPSEC_ID_IPV6_ADDR: - /* XXX Not yet. */ - return 0; - break; - - case IPSEC_ID_FQDN: - if ((id_len + 1) >= sizeof name) - return 0; - /* ID is not NULL-terminated. Add trailing dot and NULL. */ - memcpy(name, id + ISAKMP_ID_DATA_OFF, id_len); - *(name + id_len) = '.'; - *(name + id_len + 1) = '\0'; - break; - - case IPSEC_ID_USER_FQDN: - /* - * Some special handling here. We want to convert the ID - * 'user@host.domain' string into 'user._ipsec.host.domain.'. - */ - if ((id_len + sizeof(DNS_UFQDN_SEPARATOR)) >= sizeof name) - return 0; - /* Look for the '@' separator. */ - for (umark = id + ISAKMP_ID_DATA_OFF; (umark - id) < id_len; - umark++) - if (*umark == '@') - break; - if (*umark != '@') { - LOG_DBG((LOG_MISC, 50, "dns_get_key: bad UFQDN ID")); - return 0; - } - *umark++ = '\0'; - /* id is now terminated. 'umark', however, is not. */ - snprintf(name, sizeof name, "%s%s", id + ISAKMP_ID_DATA_OFF, - DNS_UFQDN_SEPARATOR); - memcpy(name + strlen(name), umark, id_len - strlen(id) - 1); - *(name + id_len + sizeof(DNS_UFQDN_SEPARATOR) - 2) = '.'; - *(name + id_len + sizeof(DNS_UFQDN_SEPARATOR) - 1) = '\0'; - break; - - default: - return 0; - } - - LOG_DBG((LOG_MISC, 50, "dns_get_key: trying KEY RR for %s", name)); - ret = getrrsetbyname(name, C_IN, T_KEY, 0, &rr); - - if (ret) { - LOG_DBG((LOG_MISC, 30, "dns_get_key: no DNS responses " - "(error %d)", ret)); - return 0; - } - LOG_DBG((LOG_MISC, 80, - "dns_get_key: rrset class %d type %d ttl %d nrdatas %d nrsigs %d", - rr->rri_rdclass, rr->rri_rdtype, rr->rri_ttl, rr->rri_nrdatas, - rr->rri_nsigs)); - - /* We don't accept unvalidated data. */ - if (!(rr->rri_flags & RRSET_VALIDATED)) { - LOG_DBG((LOG_MISC, 10, "dns_get_key: " - "got unvalidated response")); - freerrset(rr); - return 0; - } - /* Sanity. */ - if (rr->rri_nrdatas == 0 || rr->rri_rdtype != T_KEY) { - LOG_DBG((LOG_MISC, 30, "dns_get_key: no KEY RRs received")); - freerrset(rr); - return 0; - } - memset(&key_rr, 0, sizeof key_rr); - - /* - * Find a key with the wanted algorithm, if any. - * XXX If there are several keys present, we currently only find the - * first. - */ - for (i = 0; i < rr->rri_nrdatas && key_rr.datalen == 0; i++) { - key_rr.flags = ntohs((u_int16_t) * rr->rri_rdatas[i].rdi_data); - key_rr.protocol = *(rr->rri_rdatas[i].rdi_data + 2); - key_rr.algorithm = *(rr->rri_rdatas[i].rdi_data + 3); - - if (key_rr.protocol != DNS_KEYPROTO_IPSEC) { - LOG_DBG((LOG_MISC, 50, "dns_get_key: ignored " - "non-IPsec key")); - continue; - } - if (key_rr.algorithm != algorithm) { - LOG_DBG((LOG_MISC, 50, "dns_get_key: ignored " - "key with other alg")); - continue; - } - key_rr.datalen = rr->rri_rdatas[i].rdi_length - 4; - if (key_rr.datalen <= 0) { - LOG_DBG((LOG_MISC, 50, "dns_get_key: " - "ignored bad key")); - key_rr.datalen = 0; - continue; - } - /* This key seems to fit our requirements... */ - key_rr.data = (char *)malloc(key_rr.datalen); - if (!key_rr.data) { - log_error("dns_get_key: malloc (%d) failed", - key_rr.datalen); - freerrset(rr); - return 0; - } - memcpy(key_rr.data, rr->rri_rdatas[i].rdi_data + 4, - key_rr.datalen); - *keylen = key_rr.datalen; - } - - freerrset(rr); - - if (key_rr.datalen) - return key_rr.data; - return 0; -} - -int -dns_RSA_dns_to_x509(u_int8_t *key, int keylen, RSA **rsa_key) -{ - RSA *rsa; - int key_offset; - u_int8_t e_len; - - if (!key || keylen <= 0) { - log_print("dns_RSA_dns_to_x509: invalid public key"); - return -1; - } - rsa = RSA_new(); - if (rsa == NULL) { - log_error("dns_RSA_dns_to_x509: " - "failed to allocate new RSA struct"); - return -1; - } - e_len = *key; - key_offset = 1; - - if (e_len == 0) { - if (keylen < 3) { - log_print("dns_RSA_dns_to_x509: invalid public key"); - RSA_free(rsa); - return -1; - } - e_len = *(key + key_offset++) << 8; - e_len += *(key + key_offset++); - } - if (e_len > (keylen - key_offset)) { - log_print("dns_RSA_dns_to_x509: invalid public key"); - RSA_free(rsa); - return -1; - } - rsa->e = BN_bin2bn(key + key_offset, e_len, NULL); - key_offset += e_len; - - /* XXX if (keylen <= key_offset) -> "invalid public key" ? */ - - rsa->n = BN_bin2bn(key + key_offset, keylen - key_offset, NULL); - - *rsa_key = rsa; - - LOG_DBG((LOG_MISC, 30, "dns_RSA_dns_to_x509: got %d bits RSA key", - BN_num_bits(rsa->n))); - return 0; -} - -#if notyet -int -dns_RSA_x509_to_dns(RSA *rsa_key, u_int8_t *key, int *keylen) -{ - return 0; -} -#endif diff --git a/keyexchange/isakmpd-20041012/dnssec.h b/keyexchange/isakmpd-20041012/dnssec.h deleted file mode 100644 index 90a78df..0000000 --- a/keyexchange/isakmpd-20041012/dnssec.h +++ /dev/null @@ -1,46 +0,0 @@ -/* $OpenBSD: dnssec.h,v 1.7 2004/05/14 08:42:56 hshoexer Exp $ */ - -/* - * Copyright (c) 2001 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include "libcrypto.h" -#include "message.h" - -void *dns_get_key(int, struct message *, int *); -int dns_RSA_dns_to_x509(u_int8_t *, int, RSA **); - -#ifndef DNS_KEYALG_RSA -#define DNS_KEYALG_RSA 1 -#endif - -#ifndef DNS_KEYPROTO_IPSEC -#define DNS_KEYPROTO_IPSEC 4 -#endif -#ifndef DNS_KEYALG_RSA -#define DNS_KEYALG_RSA 1 -#endif - -#ifndef DNS_KEYPROTO_IPSEC -#define DNS_KEYPROTO_IPSEC 4 -#endif diff --git a/keyexchange/isakmpd-20041012/doi.c b/keyexchange/isakmpd-20041012/doi.c deleted file mode 100644 index e9a5030..0000000 --- a/keyexchange/isakmpd-20041012/doi.c +++ /dev/null @@ -1,61 +0,0 @@ -/* $OpenBSD: doi.c,v 1.9 2004/07/09 16:06:48 deraadt Exp $ */ -/* $EOM: doi.c,v 1.4 1999/04/02 00:57:36 niklas Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/param.h> - -#include "sysdep.h" - -#include "doi.h" - -static -LIST_HEAD(doi_list, doi) doi_tab; - -void -doi_init(void) -{ - LIST_INIT(&doi_tab); -} - -struct doi * -doi_lookup(u_int8_t doi_id) -{ - struct doi *doi; - - for (doi = LIST_FIRST(&doi_tab); doi && doi->id != doi_id; - doi = LIST_NEXT(doi, link)); - return doi; -} - -void -doi_register(struct doi *doi) -{ - LIST_INSERT_HEAD(&doi_tab, doi, link); -} diff --git a/keyexchange/isakmpd-20041012/doi.h b/keyexchange/isakmpd-20041012/doi.h deleted file mode 100644 index f2bcc68..0000000 --- a/keyexchange/isakmpd-20041012/doi.h +++ /dev/null @@ -1,101 +0,0 @@ -/* $OpenBSD: doi.h,v 1.14 2004/05/14 08:42:56 hshoexer Exp $ */ -/* $EOM: doi.h,v 1.29 2000/07/02 18:47:15 provos Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _DOI_H_ -#define _DOI_H_ - -#include <sys/types.h> -#include <sys/queue.h> - -struct exchange; -struct keystate; -struct message; -struct payload; -struct proto; -struct sa; - -/* XXX This structure needs per-field commenting. */ -struct doi { - LIST_ENTRY(doi) link; - u_int8_t id; - - /* Size of DOI-specific exchange data. */ - size_t exchange_size; - - /* Size of DOI-specific security association data. */ - size_t sa_size; - - /* Size of DOI-specific protocol data. */ - size_t proto_size; - -#ifdef USE_DEBUG - int (*debug_attribute)(u_int16_t, u_int8_t *, u_int16_t, - void *); -#endif - void (*delete_spi)(struct sa *, struct proto *, int); - int16_t *(*exchange_script)(u_int8_t); - void (*finalize_exchange)(struct message *); - void (*free_exchange_data)(void *); - void (*free_proto_data)(void *); - void (*free_sa_data)(void *); - struct keystate *(*get_keystate)(struct message *); - u_int8_t *(*get_spi)(size_t *, u_int8_t, struct message *); - int (*handle_leftover_payload)(struct message *, u_int8_t, - struct payload *); - int (*informational_post_hook)(struct message *); - int (*informational_pre_hook)(struct message *); - int (*is_attribute_incompatible)(u_int16_t, u_int8_t *, - u_int16_t, void *); - void (*proto_init)(struct proto *, char *); - void (*setup_situation)(u_int8_t *); - size_t (*situation_size)(void); - u_int8_t (*spi_size)(u_int8_t); - int (*validate_attribute)(u_int16_t, u_int8_t *, - u_int16_t, void *); - int (*validate_exchange)(u_int8_t); - int (*validate_id_information)(u_int8_t, u_int8_t *, - u_int8_t *, size_t, struct exchange *); - int (*validate_key_information)(u_int8_t *, size_t); - int (*validate_notification)(u_int16_t); - int (*validate_proto)(u_int8_t); - int (*validate_situation)(u_int8_t *, size_t *, size_t); - int (*validate_transform_id)(u_int8_t, u_int8_t); - int (*initiator)(struct message * msg); - int (*responder)(struct message * msg); - char *(*decode_ids)(char *, u_int8_t *, size_t, u_int8_t *, - size_t, int); -}; - -extern void doi_init(void); -extern struct doi *doi_lookup(u_int8_t); -extern void doi_register(struct doi *); - -#endif /* _DOI_H_ */ diff --git a/keyexchange/isakmpd-20041012/dpd.c b/keyexchange/isakmpd-20041012/dpd.c deleted file mode 100644 index 4351637..0000000 --- a/keyexchange/isakmpd-20041012/dpd.c +++ /dev/null @@ -1,374 +0,0 @@ -/* $OpenBSD: dpd.c,v 1.4 2004/08/10 15:59:10 ho Exp $ */ - -/* - * Copyright (c) 2004 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include <sys/types.h> -#include <stdlib.h> -#include <memory.h> - -#include "sysdep.h" - -#include "conf.h" -#include "dpd.h" -#include "exchange.h" -#include "hash.h" -#include "ipsec.h" -#include "isakmp_fld.h" -#include "log.h" -#include "message.h" -#include "sa.h" -#include "timer.h" -#include "transport.h" -#include "util.h" - -/* From RFC 3706. */ -#define DPD_MAJOR 0x01 -#define DPD_MINOR 0x00 -#define DPD_SEQNO_SZ 4 - -static const char dpd_vendor_id[] = { - 0xAF, 0xCA, 0xD7, 0x13, 0x68, 0xA1, 0xF1, /* RFC 3706 */ - 0xC9, 0x6B, 0x86, 0x96, 0xFC, 0x77, 0x57, - DPD_MAJOR, - DPD_MINOR -}; - -#define DPD_RETRANS_MAX 5 /* max number of retries. */ -#define DPD_RETRANS_WAIT 5 /* seconds between retries. */ - -/* DPD Timer State */ -enum dpd_tstate { DPD_TIMER_NORMAL, DPD_TIMER_CHECK }; - -static void dpd_check_event(void *); -static void dpd_event(void *); -static u_int32_t dpd_timer_interval(u_int32_t); -static void dpd_timer_reset(struct sa *, u_int32_t, enum dpd_tstate); - -/* Add the DPD VENDOR ID payload. */ -int -dpd_add_vendor_payload(struct message *msg) -{ - u_int8_t *buf; - size_t buflen = sizeof dpd_vendor_id + ISAKMP_GEN_SZ; - - buf = malloc(buflen); - if (!buf) { - log_error("dpd_add_vendor_payload: malloc(%lu) failed", - (unsigned long)buflen); - return -1; - } - - SET_ISAKMP_GEN_LENGTH(buf, buflen); - memcpy(buf + ISAKMP_VENDOR_ID_OFF, dpd_vendor_id, - sizeof dpd_vendor_id); - if (message_add_payload(msg, ISAKMP_PAYLOAD_VENDOR, buf, buflen, 1)) { - free(buf); - return -1; - } - - return 0; -} - -/* - * Check an incoming message for DPD capability markers. - */ -void -dpd_check_vendor_payload(struct message *msg, struct payload *p) -{ - u_int8_t *pbuf = p->p; - size_t vlen; - - /* Already checked? */ - if (msg->exchange->flags & EXCHANGE_FLAG_DPD_CAP_PEER) { - /* Just mark it as handled and return. */ - p->flags |= PL_MARK; - return; - } - - vlen = GET_ISAKMP_GEN_LENGTH(pbuf) - ISAKMP_GEN_SZ; - if (vlen != sizeof dpd_vendor_id) { - LOG_DBG((LOG_EXCHANGE, 90, - "dpd_check_vendor_payload: bad size %d != %d", vlen, - sizeof dpd_vendor_id)); - return; - } - - if (memcmp(dpd_vendor_id, pbuf + ISAKMP_GEN_SZ, vlen) == 0) { - /* This peer is DPD capable. */ - if (msg->isakmp_sa) { - msg->exchange->flags |= EXCHANGE_FLAG_DPD_CAP_PEER; - LOG_DBG((LOG_EXCHANGE, 10, "dpd_check_vendor_payload: " - "DPD capable peer detected")); - if (dpd_timer_interval(0) != 0) { - LOG_DBG((LOG_EXCHANGE, 10, - "dpd_check_vendor_payload: enabling")); - msg->isakmp_sa->flags |= SA_FLAG_DPD; - dpd_timer_reset(msg->isakmp_sa, 0, - DPD_TIMER_NORMAL); - } - } - p->flags |= PL_MARK; - } - return; -} - -/* - * All incoming DPD Notify messages enter here. Message has been validated. - */ -void -dpd_handle_notify(struct message *msg, struct payload *p) -{ - struct sa *isakmp_sa = msg->isakmp_sa; - u_int16_t notify = GET_ISAKMP_NOTIFY_MSG_TYPE(p->p); - u_int32_t p_seq; - - /* Extract the sequence number. */ - memcpy(&p_seq, p->p + ISAKMP_NOTIFY_SPI_OFF + ISAKMP_HDR_COOKIES_LEN, - sizeof p_seq); - p_seq = ntohl(p_seq); - - LOG_DBG((LOG_MESSAGE, 40, "dpd_handle_notify: got %s seq %u", - constant_name(isakmp_notify_cst, notify), p_seq)); - - switch (notify) { - case ISAKMP_NOTIFY_STATUS_DPD_R_U_THERE: - /* The other peer wants to know we're alive. */ - if (p_seq <= isakmp_sa->dpd_rseq) { - log_print("dpd_handle_notify: bad R_U_THERE seqno " - "%u <= %u", p_seq, isakmp_sa->dpd_rseq); - return; - } - isakmp_sa->dpd_rseq = p_seq; - message_send_dpd_notify(isakmp_sa, - ISAKMP_NOTIFY_STATUS_DPD_R_U_THERE_ACK, p_seq); - break; - - case ISAKMP_NOTIFY_STATUS_DPD_R_U_THERE_ACK: - /* This should be a response to a R_U_THERE we've sent. */ - if (isakmp_sa->dpd_seq != p_seq) { - log_print("dpd_handle_notify: got bad ACK seqno %u, " - "expected %u", p_seq, isakmp_sa->dpd_seq); - /* XXX Give up? Retry? */ - return; - } - break; - default: - ; - } - - /* Mark handled. */ - p->flags |= PL_MARK; - - /* The other peer is alive, so we can safely wait a while longer. */ - if (isakmp_sa->flags & SA_FLAG_DPD) - dpd_timer_reset(isakmp_sa, 0, DPD_TIMER_NORMAL); -} - -/* Calculate the time until next DPD exchange. */ -static u_int32_t -dpd_timer_interval(u_int32_t offset) -{ - int32_t v = 0; - -#ifdef notyet - v = ...; /* XXX Per-peer specified DPD intervals? */ -#endif - if (!v) - v = conf_get_num("General", "DPD-check-interval", 0); - if (v < 1) - return 0; /* DPD-Check-Interval < 1 means disable DPD */ - - v -= offset; - return v < 1 ? 1 : v; -} - -static void -dpd_timer_reset(struct sa *sa, u_int32_t time_passed, enum dpd_tstate mode) -{ - struct timeval tv; - - if (sa->dpd_event) - timer_remove_event(sa->dpd_event); - - gettimeofday(&tv, 0); - switch (mode) { - case DPD_TIMER_NORMAL: - tv.tv_sec += dpd_timer_interval(time_passed); - sa->dpd_event = timer_add_event("dpd_event", dpd_event, sa, - &tv); - break; - case DPD_TIMER_CHECK: - tv.tv_sec += DPD_RETRANS_WAIT; - sa->dpd_event = timer_add_event("dpd_check_event", - dpd_check_event, sa, &tv); - break; - default: - ; - } - if (!sa->dpd_event) - log_print("dpd_timer_reset: timer_add_event failed"); -} - -/* Helper function for dpd_exchange_finalization(). */ -static int -dpd_find_sa(struct sa *sa, void *v_sa) -{ - struct sa *isakmp_sa = v_sa; - - return (sa->phase == 2 && - memcmp(sa->id_i, isakmp_sa->id_i, sa->id_i_len) == 0 && - memcmp(sa->id_r, isakmp_sa->id_r, sa->id_r_len) == 0); -} - -struct dpd_args { - struct sa *isakmp_sa; - u_int32_t interval; -}; - -/* Helper function for dpd_event(). */ -static int -dpd_check_time(struct sa *sa, void *v_arg) -{ - struct dpd_args *args = v_arg; - struct sockaddr *dst; - struct proto *proto; - struct sa_kinfo *ksa; - struct timeval tv; - - if (sa->phase == 1 || (args->isakmp_sa->flags & SA_FLAG_DPD) == 0 || - dpd_find_sa(sa, args->isakmp_sa) == 0) - return 0; - - proto = TAILQ_FIRST(&sa->protos); - if (!proto || !proto->data) - return 0; - sa->transport->vtbl->get_src(sa->transport, &dst); - - gettimeofday(&tv, 0); - ksa = sysdep_ipsec_get_kernel_sa(proto->spi[1], proto->spi_sz[1], - proto->proto, dst); - - if (!ksa || !ksa->last_used) - return 0; - - LOG_DBG((LOG_MESSAGE, 80, "dpd_check_time: " - "SA %p last use %u second(s) ago", sa, - (u_int32_t)(tv.tv_sec - ksa->last_used))); - - if ((u_int32_t)(tv.tv_sec - ksa->last_used) < args->interval) { - args->interval = (u_int32_t)(tv.tv_sec - ksa->last_used); - return 1; - } - - return 0; -} - -/* Called by the timer. */ -static void -dpd_event(void *v_sa) -{ - struct sa *isakmp_sa = v_sa; - struct dpd_args args; -#if defined (USE_DEBUG) - struct sockaddr *dst; - char *addr; -#endif - - isakmp_sa->dpd_event = 0; - - /* Check if there's been any incoming SA activity since last time. */ - args.isakmp_sa = isakmp_sa; - args.interval = dpd_timer_interval(0); - if (sa_find(dpd_check_time, &args)) { - if (args.interval > dpd_timer_interval(0)) - args.interval = 0; - dpd_timer_reset(isakmp_sa, args.interval, DPD_TIMER_NORMAL); - return; - } - - /* No activity seen, do a DPD exchange. */ - if (isakmp_sa->dpd_seq == 0) { - /* - * RFC 3706: first seq# should be random, with MSB zero, - * otherwise we just increment it. - */ - getrandom((u_int8_t *)&isakmp_sa->dpd_seq, - sizeof isakmp_sa->dpd_seq); - isakmp_sa->dpd_seq &= 0x7FFF; - } else - isakmp_sa->dpd_seq++; - -#if defined (USE_DEBUG) - isakmp_sa->transport->vtbl->get_dst(isakmp_sa->transport, &dst); - if (sockaddr2text(dst, &addr, 0) == -1) - addr = 0; - LOG_DBG((LOG_MESSAGE, 30, "dpd_event: sending R_U_THERE to %s seq %u", - addr ? addr : "<unknown>", isakmp_sa->dpd_seq)); - if (addr) - free(addr); -#endif - message_send_dpd_notify(isakmp_sa, ISAKMP_NOTIFY_STATUS_DPD_R_U_THERE, - isakmp_sa->dpd_seq); - - /* And set the short timer. */ - dpd_timer_reset(isakmp_sa, 0, DPD_TIMER_CHECK); -} - -/* - * Called by the timer. If this function is called, it means we did not - * recieve any R_U_THERE_ACK confirmation from the other peer. - */ -static void -dpd_check_event(void *v_sa) -{ - struct sa *isakmp_sa = v_sa; - struct sa *sa; - - isakmp_sa->dpd_event = 0; - - if (++isakmp_sa->dpd_failcount < DPD_RETRANS_MAX) { - LOG_DBG((LOG_MESSAGE, 10, "dpd_check_event: " - "peer not responding, retry %u of %u", - isakmp_sa->dpd_failcount, DPD_RETRANS_MAX)); - message_send_dpd_notify(isakmp_sa, - ISAKMP_NOTIFY_STATUS_DPD_R_U_THERE, isakmp_sa->dpd_seq); - dpd_timer_reset(isakmp_sa, 0, DPD_TIMER_CHECK); - return; - } - - /* - * Peer is considered dead. Delete all SAs created under isakmp_sa. - */ - LOG_DBG((LOG_MESSAGE, 10, "dpd_check_event: peer is dead, " - "deleting all SAs connected to SA %p", isakmp_sa)); - while ((sa = sa_find(dpd_find_sa, isakmp_sa)) != 0) { - LOG_DBG((LOG_MESSAGE, 30, "dpd_check_event: deleting SA %p", - sa)); - sa_delete(sa, 0); - } - LOG_DBG((LOG_MESSAGE, 30, "dpd_check_event: deleting ISAKMP SA %p", - isakmp_sa)); - sa_delete(isakmp_sa, 0); -} diff --git a/keyexchange/isakmpd-20041012/dpd.h b/keyexchange/isakmpd-20041012/dpd.h deleted file mode 100644 index fa62c5b..0000000 --- a/keyexchange/isakmpd-20041012/dpd.h +++ /dev/null @@ -1,38 +0,0 @@ -/* $OpenBSD: dpd.h,v 1.2 2004/08/10 15:59:10 ho Exp $ */ - -/* - * Copyright (c) 2004 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#ifndef _DPD_H_ -#define _DPD_H_ - -struct message; -struct payload; -struct sa; - -int dpd_add_vendor_payload(struct message *); -void dpd_check_vendor_payload(struct message *, struct payload *); -void dpd_handle_notify(struct message *, struct payload *); - -#endif /* _DPD_H_ */ diff --git a/keyexchange/isakmpd-20041012/exchange.c b/keyexchange/isakmpd-20041012/exchange.c deleted file mode 100644 index 1c4ef1f..0000000 --- a/keyexchange/isakmpd-20041012/exchange.c +++ /dev/null @@ -1,1799 +0,0 @@ -/* $OpenBSD: exchange.c,v 1.104 2004/09/17 13:53:08 ho Exp $ */ -/* $EOM: exchange.c,v 1.143 2000/12/04 00:02:25 angelos Exp $ */ - -/* - * Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. - * Copyright (c) 1999, 2001 Angelos D. Keromytis. All rights reserved. - * Copyright (c) 1999, 2000, 2002 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/types.h> -#include <sys/socket.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <stdlib.h> -#include <string.h> - -#include "sysdep.h" - -#include "cert.h" -#include "conf.h" -#include "connection.h" -#include "constants.h" -#include "cookie.h" -#include "crypto.h" -#include "doi.h" -#include "exchange.h" -#include "ipsec_num.h" -#include "isakmp.h" -#ifdef USE_ISAKMP_CFG -#include "isakmp_cfg.h" -#endif -#include "libcrypto.h" -#include "log.h" -#include "message.h" -#include "timer.h" -#include "transport.h" -#include "ipsec.h" -#include "sa.h" -#include "util.h" -#include "key.h" - -/* Initial number of bits from the cookies used as hash. */ -#define INITIAL_BUCKET_BITS 6 - -/* - * Don't try to use more bits than this as a hash. - * We only XOR 16 bits so going above that means changing the code below - * too. - */ -#define MAX_BUCKET_BITS 16 - -#ifdef USE_DEBUG -static void exchange_dump(char *, struct exchange *); -#endif -static void exchange_free_aux(void *); -#if 0 -static void exchange_resize(void); -#endif -static struct exchange *exchange_lookup_active(char *, int); - -static -LIST_HEAD(exchange_list, exchange) *exchange_tab; - -/* Works both as a maximum index and a mask. */ -static int bucket_mask; - -/* - * Validation scripts used to test messages for correct content of - * payloads depending on the exchange type. - */ -int16_t script_base[] = { - ISAKMP_PAYLOAD_SA, /* Initiator -> responder. */ - ISAKMP_PAYLOAD_NONCE, - EXCHANGE_SCRIPT_SWITCH, - ISAKMP_PAYLOAD_SA, /* Responder -> initiator. */ - ISAKMP_PAYLOAD_NONCE, - EXCHANGE_SCRIPT_SWITCH, - ISAKMP_PAYLOAD_KEY_EXCH, /* Initiator -> responder. */ - ISAKMP_PAYLOAD_ID, - EXCHANGE_SCRIPT_AUTH, - EXCHANGE_SCRIPT_SWITCH, - ISAKMP_PAYLOAD_KEY_EXCH, /* Responder -> initiator. */ - ISAKMP_PAYLOAD_ID, - EXCHANGE_SCRIPT_AUTH, - EXCHANGE_SCRIPT_END -}; - -int16_t script_identity_protection[] = { - ISAKMP_PAYLOAD_SA, /* Initiator -> responder. */ - EXCHANGE_SCRIPT_SWITCH, - ISAKMP_PAYLOAD_SA, /* Responder -> initiator. */ - EXCHANGE_SCRIPT_SWITCH, - ISAKMP_PAYLOAD_KEY_EXCH, /* Initiator -> responder. */ - ISAKMP_PAYLOAD_NONCE, - EXCHANGE_SCRIPT_SWITCH, - ISAKMP_PAYLOAD_KEY_EXCH, /* Responder -> initiator. */ - ISAKMP_PAYLOAD_NONCE, - EXCHANGE_SCRIPT_SWITCH, - ISAKMP_PAYLOAD_ID, /* Initiator -> responder. */ - EXCHANGE_SCRIPT_AUTH, - EXCHANGE_SCRIPT_SWITCH, - ISAKMP_PAYLOAD_ID, /* Responder -> initiator. */ - EXCHANGE_SCRIPT_AUTH, - EXCHANGE_SCRIPT_END -}; - -int16_t script_authentication_only[] = { - ISAKMP_PAYLOAD_SA, /* Initiator -> responder. */ - ISAKMP_PAYLOAD_NONCE, - EXCHANGE_SCRIPT_SWITCH, - ISAKMP_PAYLOAD_SA, /* Responder -> initiator. */ - ISAKMP_PAYLOAD_NONCE, - ISAKMP_PAYLOAD_ID, - EXCHANGE_SCRIPT_AUTH, - EXCHANGE_SCRIPT_SWITCH, - ISAKMP_PAYLOAD_ID, /* Initiator -> responder. */ - EXCHANGE_SCRIPT_AUTH, - EXCHANGE_SCRIPT_END -}; - -#ifdef USE_AGGRESSIVE -int16_t script_aggressive[] = { - ISAKMP_PAYLOAD_SA, /* Initiator -> responder. */ - ISAKMP_PAYLOAD_KEY_EXCH, - ISAKMP_PAYLOAD_NONCE, - ISAKMP_PAYLOAD_ID, - EXCHANGE_SCRIPT_SWITCH, - ISAKMP_PAYLOAD_SA, /* Responder -> initiator. */ - ISAKMP_PAYLOAD_KEY_EXCH, - ISAKMP_PAYLOAD_NONCE, - ISAKMP_PAYLOAD_ID, - EXCHANGE_SCRIPT_AUTH, - EXCHANGE_SCRIPT_SWITCH, - EXCHANGE_SCRIPT_AUTH, /* Initiator -> responder. */ - EXCHANGE_SCRIPT_END -}; -#endif /* USE_AGGRESSIVE */ - -int16_t script_informational[] = { - EXCHANGE_SCRIPT_INFO, /* Initiator -> responder. */ - EXCHANGE_SCRIPT_END -}; - -/* - * Check what exchange SA is negotiated with and return a suitable validation - * script. - */ -int16_t * -exchange_script(struct exchange *exchange) -{ - switch (exchange->type) { - case ISAKMP_EXCH_BASE: - return script_base; - case ISAKMP_EXCH_ID_PROT: - return script_identity_protection; - case ISAKMP_EXCH_AUTH_ONLY: - return script_authentication_only; -#ifdef USE_AGGRESSIVE - case ISAKMP_EXCH_AGGRESSIVE: - return script_aggressive; -#endif - case ISAKMP_EXCH_INFO: - return script_informational; -#ifdef USE_ISAKMP_CFG - case ISAKMP_EXCH_TRANSACTION: - return script_transaction; -#endif - default: - if (exchange->type >= ISAKMP_EXCH_DOI_MIN && - exchange->type <= ISAKMP_EXCH_DOI_MAX) - return exchange->doi->exchange_script(exchange->type); - } - return 0; -} - -/* - * Validate the message MSG's contents wrt what payloads the exchange type - * requires at this point in the dialogoue. Return -1 if the validation fails, - * 0 if it succeeds and the script is not finished and 1 if it's ready. - */ -static int -exchange_validate(struct message *msg) -{ - struct exchange *exchange = msg->exchange; - int16_t *pc = exchange->exch_pc; - - while (*pc != EXCHANGE_SCRIPT_END && *pc != EXCHANGE_SCRIPT_SWITCH) { - LOG_DBG((LOG_EXCHANGE, 90, - "exchange_validate: checking for required %s", - *pc >= ISAKMP_PAYLOAD_NONE - ? constant_name(isakmp_payload_cst, *pc) - : constant_name(exchange_script_cst, *pc))); - - /* Check for existence of the required payloads. */ - if ((*pc > 0 && !payload_first(msg, *pc)) - || (*pc == EXCHANGE_SCRIPT_AUTH - && !payload_first(msg, ISAKMP_PAYLOAD_HASH) - && !payload_first(msg, ISAKMP_PAYLOAD_SIG)) - || (*pc == EXCHANGE_SCRIPT_INFO - && ((!payload_first(msg, ISAKMP_PAYLOAD_NOTIFY) - && !payload_first(msg, ISAKMP_PAYLOAD_DELETE)) - || (payload_first(msg, ISAKMP_PAYLOAD_DELETE) - && !payload_first(msg, ISAKMP_PAYLOAD_HASH))))) { - /* Missing payload. */ - LOG_DBG((LOG_MESSAGE, 70, - "exchange_validate: msg %p requires missing %s", - msg, *pc >= ISAKMP_PAYLOAD_NONE - ? constant_name(isakmp_payload_cst, *pc) - : constant_name(exchange_script_cst, *pc))); - return -1; - } - pc++; - } - if (*pc == EXCHANGE_SCRIPT_END) - /* Cleanup. */ - return 1; - - return 0; -} - -/* Feed unhandled payloads to the DOI for handling. Help for exchange_run(). */ -static void -exchange_handle_leftover_payloads(struct message *msg) -{ - struct exchange *exchange = msg->exchange; - struct doi *doi = exchange->doi; - struct payload *p; - int i; - - for (i = ISAKMP_PAYLOAD_SA; i < payload_index_max; i++) { - if (i == ISAKMP_PAYLOAD_PROPOSAL || - i == ISAKMP_PAYLOAD_TRANSFORM) - continue; - for (p = payload_first(msg, i); p; - p = TAILQ_NEXT(p, link)) { - if (p->flags & PL_MARK) - continue; - if (!doi->handle_leftover_payload || - doi->handle_leftover_payload(msg, i, p)) - LOG_DBG((LOG_EXCHANGE, 10, - "exchange_run: unexpected payload %s", - constant_name(isakmp_payload_cst, i))); - } - } -} - -/* - * Run the exchange script from a point given by the "program counter" - * upto either the script's end or a transmittal of a message. If we are - * at the point of a reception of a message, that message should be handed - * in here in the MSG argument. Otherwise we are the initiator and should - * expect MSG to be a half-cooked message without payloads. - */ -void -exchange_run(struct message *msg) -{ - struct exchange *exchange = msg->exchange; - struct doi *doi = exchange->doi; - int (*handler)(struct message *) = exchange->initiator ? - doi->initiator : doi->responder; - int done = 0; - - while (!done) { - /* - * It's our turn if we're either the initiator on an even step, - * or the responder on an odd step of the dialogue. - */ - if (exchange->initiator ^ (exchange->step % 2)) { - done = 1; - if (exchange->step) - msg = message_alloc_reply(msg); - message_setup_header(msg, exchange->type, 0, - exchange->message_id); - if (handler(msg)) { - /* - * This can happen when transient starvation - * of memory occurs. - * XXX The peer's retransmit ought to - * kick-start this exchange again. If he's - * stopped retransmitting he's likely dropped - * the SA at his side so we need to do that - * too, i.e. implement automatic SA teardown - * after a certain amount of inactivity. - */ - log_print("exchange_run: doi->%s (%p) failed", - exchange->initiator ? "initiator" : - "responder", msg); - message_free(msg); - return; - } - switch (exchange_validate(msg)) { - case 1: - /* - * The last message of a multi-message - * exchange should not be retransmitted other - * than "on-demand", i.e. if we see - * retransmits of the last message of the peer - * later. - */ - msg->flags |= MSG_LAST; - if (exchange->step > 0) { - if (exchange->last_sent) - message_free(exchange->last_sent); - exchange->last_sent = msg; - } - /* - * After we physically have sent our last - * message we need to do SA-specific - * finalization, like telling our application - * the SA is ready to be used, or issuing a - * CONNECTED notify if we set the COMMIT bit. - */ - message_register_post_send(msg, - exchange_finalize); - - /* Fallthrough. */ - - case 0: - /* XXX error handling. */ - message_send(msg); - break; - - default: - log_print("exchange_run: exchange_validate " - "failed, DOI error"); - exchange_free(exchange); - message_free(msg); - return; - } - } else { - done = exchange_validate(msg); - switch (done) { - case 0: - case 1: - /* Feed the message to the DOI. */ - if (handler(msg)) { - /* - * Trust the peer to retransmit. - * XXX We have to implement SA aging - * with automatic teardown. - */ - message_free(msg); - return; - } - /* - * Go over the yet unhandled payloads and feed - * them to DOI for handling. - */ - exchange_handle_leftover_payloads(msg); - - /* - * We have advanced the state. If we have - * been processing an incoming message, record - * that message as the one to do duplication - * tests against. - */ - if (exchange->last_received) - message_free(exchange->last_received); - exchange->last_received = msg; - if (exchange->flags & EXCHANGE_FLAG_ENCRYPT) - crypto_update_iv(exchange->keystate); - - if (done) { - exchange_finalize(msg); - return; - } - break; - - case -1: - log_print("exchange_run: exchange_validate " - "failed"); - /* - * XXX Is this the best error notification - * type? - */ - message_drop(msg, - ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1); - return; - } - } - - LOG_DBG((LOG_EXCHANGE, 40, - "exchange_run: exchange %p finished step %d, advancing...", - exchange, exchange->step)); - exchange->step++; - while (*exchange->exch_pc != EXCHANGE_SCRIPT_SWITCH - && *exchange->exch_pc != EXCHANGE_SCRIPT_END) - exchange->exch_pc++; - exchange->exch_pc++; - } -} - -void -exchange_init(void) -{ - int i; - - bucket_mask = (1 << INITIAL_BUCKET_BITS) - 1; - exchange_tab = malloc((bucket_mask + 1) * - sizeof(struct exchange_list)); - if (!exchange_tab) - log_fatal("exchange_init: out of memory"); - for (i = 0; i <= bucket_mask; i++) - LIST_INIT(&exchange_tab[i]); -} - -#if 0 -/* XXX Currently unused. */ -static void -exchange_resize(void) -{ - struct exchange_list *new_tab; - int new_mask = (bucket_mask + 1) * 2 - 1; - int i; - - new_tab = realloc(exchange_tab, - (new_mask + 1) * sizeof(struct exchange_list)); - if (!new_tab) - return; - for (i = bucket_mask + 1; i <= new_mask; i++) - LIST_INIT(&new_tab[i]); - bucket_mask = new_mask; - /* XXX Rehash existing entries. */ -} -#endif - -/* Lookup a phase 1 exchange out of just the initiator cookie. */ -struct exchange * -exchange_lookup_from_icookie(u_int8_t * cookie) -{ - struct exchange *exchange; - int i; - - for (i = 0; i <= bucket_mask; i++) - for (exchange = LIST_FIRST(&exchange_tab[i]); exchange; - exchange = LIST_NEXT(exchange, link)) - if (memcmp(exchange->cookies, cookie, - ISAKMP_HDR_ICOOKIE_LEN) == 0 && - exchange->phase == 1) - return exchange; - return 0; -} - -/* Lookup an exchange out of the name and phase. */ -struct exchange * -exchange_lookup_by_name(char *name, int phase) -{ - struct exchange *exchange; - int i; - - /* If we search for nothing, we will find nothing. */ - if (!name) - return 0; - - for (i = 0; i <= bucket_mask; i++) - for (exchange = LIST_FIRST(&exchange_tab[i]); exchange; - exchange = LIST_NEXT(exchange, link)) { - LOG_DBG((LOG_EXCHANGE, 90, - "exchange_lookup_by_name: %s == %s && %d == %d?", - name, exchange->name ? exchange->name : - "<unnamed>", phase, exchange->phase)); - - /* - * Match by name, but don't select finished exchanges, - * i.e where MSG_LAST are set in last_sent msg. - */ - if (exchange->name && - strcasecmp(exchange->name, name) == 0 && - exchange->phase == phase && - (!exchange->last_sent || - (exchange->last_sent->flags & MSG_LAST) == 0)) - return exchange; - } - return 0; -} - -/* Lookup an exchange out of the name, phase and step > 1. */ -static struct exchange * -exchange_lookup_active(char *name, int phase) -{ - struct exchange *exchange; - int i; - - /* XXX Almost identical to exchange_lookup_by_name. */ - - if (!name) - return 0; - - for (i = 0; i <= bucket_mask; i++) - for (exchange = LIST_FIRST(&exchange_tab[i]); exchange; - exchange = LIST_NEXT(exchange, link)) { - LOG_DBG((LOG_EXCHANGE, 90, - "exchange_lookup_active: %s == %s && %d == %d?", - name, exchange->name ? exchange->name : - "<unnamed>", phase, exchange->phase)); - if (exchange->name && - strcasecmp(exchange->name, name) == 0 && - exchange->phase == phase) { - if (exchange->step > 1) - return exchange; - else - LOG_DBG((LOG_EXCHANGE, 80, - "exchange_lookup_active: avoided " - "early (pre-step 1) exchange %p", - exchange)); - } - } - return 0; -} - -static void -exchange_enter(struct exchange *exchange) -{ - u_int16_t bucket = 0; - u_int8_t *cp; - int i; - - /* XXX We might resize if we are crossing a certain threshold */ - - for (i = 0; i < ISAKMP_HDR_COOKIES_LEN; i += 2) { - cp = exchange->cookies + i; - /* Doing it this way avoids alignment problems. */ - bucket ^= cp[0] | cp[1] << 8; - } - for (i = 0; i < ISAKMP_HDR_MESSAGE_ID_LEN; i += 2) { - cp = exchange->message_id + i; - /* Doing it this way avoids alignment problems. */ - bucket ^= cp[0] | cp[1] << 8; - } - bucket &= bucket_mask; - LIST_INSERT_HEAD(&exchange_tab[bucket], exchange, link); -} - -/* - * Lookup the exchange given by the header fields MSG. PHASE2 is false when - * looking for phase 1 exchanges and true otherwise. - */ -struct exchange * -exchange_lookup(u_int8_t *msg, int phase2) -{ - struct exchange *exchange; - u_int16_t bucket = 0; - u_int8_t *cp; - int i; - - /* - * We use the cookies to get bits to use as an index into exchange_tab, - * as at least one (our cookie) is a good hash, xoring all the bits, - * 16 at a time, and then masking, should do. Doing it this way means - * we can validate cookies very fast thus delimiting the effects of - * "Denial of service"-attacks using packet flooding. - */ - for (i = 0; i < ISAKMP_HDR_COOKIES_LEN; i += 2) { - cp = msg + ISAKMP_HDR_COOKIES_OFF + i; - /* Doing it this way avoids alignment problems. */ - bucket ^= cp[0] | cp[1] << 8; - } - if (phase2) - for (i = 0; i < ISAKMP_HDR_MESSAGE_ID_LEN; i += 2) { - cp = msg + ISAKMP_HDR_MESSAGE_ID_OFF + i; - /* Doing it this way avoids alignment problems. */ - bucket ^= cp[0] | cp[1] << 8; - } - bucket &= bucket_mask; - for (exchange = LIST_FIRST(&exchange_tab[bucket]); - exchange && (memcmp(msg + ISAKMP_HDR_COOKIES_OFF, - exchange->cookies, ISAKMP_HDR_COOKIES_LEN) != 0 || - (phase2 && memcmp(msg + ISAKMP_HDR_MESSAGE_ID_OFF, - exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN) != 0) || - (!phase2 && !zero_test(msg + ISAKMP_HDR_MESSAGE_ID_OFF, - ISAKMP_HDR_MESSAGE_ID_LEN))); - exchange = LIST_NEXT(exchange, link)) - ; - - return exchange; -} - -/* - * Create a phase PHASE exchange where INITIATOR denotes our role. DOI - * is the domain of interpretation identifier and TYPE tells what exchange - * type to use per either the DOI document or the ISAKMP spec proper. - * NSA tells how many SAs we should pre-allocate, and should be zero - * when we have the responder role. - */ -static struct exchange * -exchange_create(int phase, int initiator, int doi, int type) -{ - struct exchange *exchange; - struct timeval expiration; - int delta; - - /* - * We want the exchange zeroed for exchange_free to be able to find - * out what fields have been filled-in. - */ - exchange = calloc(1, sizeof *exchange); - if (!exchange) { - log_error("exchange_create: calloc (1, %lu) failed", - (unsigned long)sizeof *exchange); - return 0; - } - exchange->phase = phase; - exchange->step = 0; - exchange->initiator = initiator; - memset(exchange->cookies, 0, ISAKMP_HDR_COOKIES_LEN); - memset(exchange->message_id, 0, ISAKMP_HDR_MESSAGE_ID_LEN); - exchange->doi = doi_lookup(doi); - exchange->type = type; - exchange->policy_id = -1; - exchange->exch_pc = exchange_script(exchange); - exchange->last_sent = exchange->last_received = 0; - TAILQ_INIT(&exchange->sa_list); - TAILQ_INIT(&exchange->aca_list); - - /* Allocate the DOI-specific structure and initialize it to zeroes. */ - if (exchange->doi->exchange_size) { - exchange->data = calloc(1, exchange->doi->exchange_size); - if (!exchange->data) { - log_error("exchange_create: calloc (1, %lu) failed", - (unsigned long)exchange->doi->exchange_size); - exchange_free(exchange); - return 0; - } - } - gettimeofday(&expiration, 0); - delta = conf_get_num("General", "Exchange-max-time", - EXCHANGE_MAX_TIME); - expiration.tv_sec += delta; - exchange->death = timer_add_event("exchange_free_aux", - exchange_free_aux, exchange, &expiration); - if (!exchange->death) { - /* If we don't give up we might start leaking... */ - exchange_free_aux(exchange); - return 0; - } - return exchange; -} - -struct exchange_finalization_node { - void (*first)(struct exchange *, void *, int); - void *first_arg; - void (*second)(struct exchange *, void *, int); - void *second_arg; -}; - -/* Run the finalization functions of ARG. */ -static void -exchange_run_finalizations(struct exchange *exchange, void *arg, int fail) -{ - struct exchange_finalization_node *node = arg; - - node->first(exchange, node->first_arg, fail); - node->second(exchange, node->second_arg, fail); - free(node); -} - -/* - * Add a finalization function FINALIZE with argument ARG to the tail - * of the finalization function list of EXCHANGE. - */ -static void -exchange_add_finalization(struct exchange *exchange, - void (*finalize)(struct exchange *, void *, int), void *arg) -{ - struct exchange_finalization_node *node; - - if (!finalize) - return; - - if (!exchange->finalize) { - exchange->finalize = finalize; - exchange->finalize_arg = arg; - return; - } - node = malloc(sizeof *node); - if (!node) { - log_error("exchange_add_finalization: malloc (%lu) failed", - (unsigned long)sizeof *node); - free(arg); - return; - } - node->first = exchange->finalize; - node->first_arg = exchange->finalize_arg; - node->second = finalize; - node->second_arg = arg; - exchange->finalize = exchange_run_finalizations; - exchange->finalize_arg = node; -} - -#ifdef USE_ISAKMP_CFG -static void -exchange_establish_transaction(struct exchange *exchange, void *arg, int fail) -{ - /* Establish a TRANSACTION exchange. */ - struct exchange_finalization_node *node = - (struct exchange_finalization_node *)arg; - struct sa *isakmp_sa = sa_lookup_by_name((char *) node->second_arg, 1); - - if (isakmp_sa && !fail) - exchange_establish_p2(isakmp_sa, ISAKMP_EXCH_TRANSACTION, 0, 0, - node->first, node->first_arg); - - free(node); -} -#endif /* USE_ISAKMP_CFG */ - -/* Establish a phase 1 exchange. */ -void -exchange_establish_p1(struct transport *t, u_int8_t type, u_int32_t doi, - char *name, void *args, void (*finalize)(struct exchange *, void *, int), - void *arg) -{ - struct exchange *exchange; - struct message *msg; -#ifdef USE_ISAKMP_CFG - struct conf_list *flags; - struct conf_list_node *flag; -#endif - char *tag = 0; - char *str; - - if (name) { - /* If no exchange type given, fetch from the configuration. */ - if (type == 0) { - /* - * XXX Similar code can be found in - * exchange_setup_p1. Share? - */ - - /* Find out our phase 1 mode. */ - tag = conf_get_str(name, "Configuration"); - if (!tag) { - /* Use default setting. */ - tag = CONF_DFLT_TAG_PHASE1_CONFIG; - } - /* Figure out the DOI. XXX Factor out? */ - str = conf_get_str(tag, "DOI"); - if (!str || strcasecmp(str, "IPSEC") == 0) - doi = IPSEC_DOI_IPSEC; - else if (strcasecmp(str, "ISAKMP") == 0) - doi = ISAKMP_DOI_ISAKMP; - else { - log_print("exchange_establish_p1: " - "DOI \"%s\" unsupported", str); - return; - } - - /* What exchange type do we want? */ - str = conf_get_str(tag, "EXCHANGE_TYPE"); - if (!str) { - log_print("exchange_establish_p1: " - "no \"EXCHANGE_TYPE\" tag in [%s] section", - tag); - return; - } - type = constant_value(isakmp_exch_cst, str); - if (!type) { - log_print("exchange_setup_p1: " - "unknown exchange type %s", str); - return; - } - } - } - exchange = exchange_create(1, 1, doi, type); - if (!exchange) { - /* XXX Do something here? */ - return; - } - if (name) { - exchange->name = strdup(name); - if (!exchange->name) { - log_error("exchange_establish_p1: " - "strdup (\"%s\") failed", name); - exchange_free(exchange); - return; - } - } - exchange->policy = name ? conf_get_str(name, "Configuration") : 0; - if (!exchange->policy && name) - exchange->policy = CONF_DFLT_TAG_PHASE1_CONFIG; - -#ifdef USE_ISAKMP_CFG - if (name && (flags = conf_get_list(name, "Flags")) != NULL) { - for (flag = TAILQ_FIRST(&flags->fields); flag; - flag = TAILQ_NEXT(flag, link)) - if (strcasecmp(flag->field, "ikecfg") == 0) { - struct exchange_finalization_node *node; - - node = calloc(1, (unsigned long)sizeof *node); - if (!node) { - log_print("exchange_establish_p1: " - "calloc (1, %lu) failed", - (unsigned long)sizeof(*node)); - exchange_free(exchange); - return; - } - /* - * Insert this finalization inbetween - * the original. - */ - node->first = finalize; - node->first_arg = arg; - node->second_arg = name; - exchange_add_finalization(exchange, - exchange_establish_transaction, - node); - finalize = 0; - } - conf_free_list(flags); - } -#endif /* USE_ISAKMP_CFG */ - - exchange_add_finalization(exchange, finalize, arg); - cookie_gen(t, exchange, exchange->cookies, ISAKMP_HDR_ICOOKIE_LEN); - exchange_enter(exchange); -#ifdef USE_DEBUG - exchange_dump("exchange_establish_p1", exchange); -#endif - - msg = message_alloc(t, 0, ISAKMP_HDR_SZ); - if (!msg) { - log_print("exchange_establish_p1: message_alloc () failed"); - exchange_free(exchange); - return; - } - msg->exchange = exchange; - - /* Do not create SA for an information or transaction exchange. */ - if (exchange->type != ISAKMP_EXCH_INFO - && exchange->type != ISAKMP_EXCH_TRANSACTION) { - /* - * Don't install a transport into this SA as it will be an - * INADDR_ANY address in the local end, which is not good at - * all. Let the reply packet install the transport instead. - */ - sa_create(exchange, 0); - msg->isakmp_sa = TAILQ_FIRST(&exchange->sa_list); - if (!msg->isakmp_sa) { - /* XXX Do something more here? */ - message_free(msg); - exchange_free(exchange); - return; - } - sa_reference(msg->isakmp_sa); - } - msg->extra = args; - - exchange_run(msg); -} - -/* Establish a phase 2 exchange. XXX With just one SA for now. */ -void -exchange_establish_p2(struct sa *isakmp_sa, u_int8_t type, char *name, - void *args, void (*finalize)(struct exchange *, void *, int), void *arg) -{ - struct exchange *exchange; - struct message *msg; - u_int32_t doi = ISAKMP_DOI_ISAKMP; - u_int32_t seq = 0; - int i; - char *tag, *str; - - if (isakmp_sa) - doi = isakmp_sa->doi->id; - - if (name) { - /* Find out our phase 2 modes. */ - tag = conf_get_str(name, "Configuration"); - if (!tag) { - log_print("exchange_establish_p2: " - "no configuration for peer \"%s\"", name); - return; - } - seq = (u_int32_t)conf_get_num(name, "Acquire-ID", 0); - - /* Figure out the DOI. */ - str = conf_get_str(tag, "DOI"); - if (!str || strcasecmp(str, "IPSEC") == 0) - doi = IPSEC_DOI_IPSEC; - else if (strcasecmp(str, "ISAKMP") == 0) - doi = ISAKMP_DOI_ISAKMP; - else { - log_print("exchange_establish_p2: " - "DOI \"%s\" unsupported", str); - return; - } - - /* What exchange type do we want? */ - if (!type) { - str = conf_get_str(tag, "EXCHANGE_TYPE"); - if (!str) { - log_print("exchange_establish_p2: " - "no \"EXCHANGE_TYPE\" tag in [%s] section", - tag); - return; - } - /* XXX IKE dependent. */ - type = constant_value(ike_exch_cst, str); - if (!type) { - log_print("exchange_establish_p2: unknown " - "exchange type %s", str); - return; - } - } - } - exchange = exchange_create(2, 1, doi, type); - if (!exchange) { - /* XXX Do something here? */ - return; - } - if (name) { - exchange->name = strdup(name); - if (!exchange->name) { - log_error("exchange_establish_p2: " - "strdup (\"%s\") failed", name); - exchange_free(exchange); - return; - } - } - exchange->policy = name ? conf_get_str(name, "Configuration") : 0; - exchange->finalize = finalize; - exchange->finalize_arg = arg; - exchange->seq = seq; - memcpy(exchange->cookies, isakmp_sa->cookies, ISAKMP_HDR_COOKIES_LEN); - getrandom(exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN); - exchange->flags |= EXCHANGE_FLAG_ENCRYPT; -#if defined (USE_NAT_TRAVERSAL) - if (isakmp_sa->flags & SA_FLAG_NAT_T_ENABLE) - exchange->flags |= EXCHANGE_FLAG_NAT_T_ENABLE; - if (isakmp_sa->flags & SA_FLAG_NAT_T_KEEPALIVE) - exchange->flags |= EXCHANGE_FLAG_NAT_T_KEEPALIVE; -#endif - exchange_enter(exchange); -#ifdef USE_DEBUG - exchange_dump("exchange_establish_p2", exchange); -#endif - - /* - * Do not create SA's for informational exchanges. - * XXX How to handle new group mode? - */ - if (exchange->type != ISAKMP_EXCH_INFO && - exchange->type != ISAKMP_EXCH_TRANSACTION) { - /* XXX Number of SAs should come from the args structure. */ - for (i = 0; i < 1; i++) - if (sa_create(exchange, isakmp_sa->transport)) { - exchange_free(exchange); - return; - } - } - msg = message_alloc(isakmp_sa->transport, 0, ISAKMP_HDR_SZ); - msg->isakmp_sa = isakmp_sa; - sa_reference(isakmp_sa); - - msg->extra = args; - - /* This needs to be done late or else get_keystate won't work right. */ - msg->exchange = exchange; - - exchange_run(msg); -} - -/* Out of an incoming phase 1 message, setup an exchange. */ -struct exchange * -exchange_setup_p1(struct message *msg, u_int32_t doi) -{ - struct transport *t = msg->transport; - struct exchange *exchange; - struct sockaddr *dst; -#ifdef USE_ISAKMP_CFG - struct conf_list *flags; - struct conf_list_node *flag; -#endif - char *name = 0, *policy = 0, *str; - u_int32_t want_doi; - u_int8_t type; - - /* XXX Similar code can be found in exchange_establish_p1. Share? */ - - /* - * Unless this is an informational exchange, look up our policy for - * this peer. - */ - type = GET_ISAKMP_HDR_EXCH_TYPE(msg->iov[0].iov_base); - if (type != ISAKMP_EXCH_INFO) { - /* - * Find out our inbound phase 1 mode. - */ - t->vtbl->get_dst(t, &dst); - if (sockaddr2text(dst, &str, 0) == -1) - return 0; - name = conf_get_str("Phase 1", str); - free(str); - if (name) { - /* - * If another phase 1 exchange is ongoing don't bother - * returning the call. However, we will need to - * continue responding if our phase 1 exchange is - * still waiting for step 1 (i.e still half-open). - */ - if (exchange_lookup_active(name, 1)) - return 0; - } else { - name = conf_get_str("Phase 1", "Default"); - if (!name) { - log_print("exchange_setup_p1: no \"Default\" " - "tag in [Phase 1] section"); - return 0; - } - } - - policy = conf_get_str(name, "Configuration"); - if (!policy) - policy = CONF_DFLT_TAG_PHASE1_CONFIG; - - /* Figure out the DOI. */ - str = conf_get_str(policy, "DOI"); - if (!str || strcasecmp(str, "IPSEC") == 0) - want_doi = IPSEC_DOI_IPSEC; - else if (strcasecmp(str, "ISAKMP") == 0) - want_doi = ISAKMP_DOI_ISAKMP; - else { - log_print("exchange_setup_p1: " - "DOI \"%s\" unsupported", str); - return 0; - } - if (want_doi != doi) { - /* XXX Should I tell what DOI I got? */ - log_print("exchange_setup_p1: expected %s DOI", str); - return 0; - } - /* What exchange type do we want? */ - str = conf_get_str(policy, "EXCHANGE_TYPE"); - if (!str) { - log_print("exchange_setup_p1: no \"EXCHANGE_TYPE\" " - "tag in [%s] section", policy); - return 0; - } - type = constant_value(isakmp_exch_cst, str); - if (!type) { - log_print("exchange_setup_p1: " - "unknown exchange type %s", str); - return 0; - } - if (type != GET_ISAKMP_HDR_EXCH_TYPE(msg->iov[0].iov_base)) { - log_print("exchange_setup_p1: " - "expected exchange type %s got %s", str, - constant_name(isakmp_exch_cst, - GET_ISAKMP_HDR_EXCH_TYPE(msg->iov[0].iov_base))); - return 0; - } - } - exchange = exchange_create(1, 0, doi, type); - if (!exchange) - return 0; - - exchange->name = name ? strdup(name) : 0; - if (name && !exchange->name) { - log_error("exchange_setup_p1: strdup (\"%s\") failed", name); - exchange_free(exchange); - return 0; - } - exchange->policy = policy; - -#ifdef USE_ISAKMP_CFG - if (name && (flags = conf_get_list(name, "Flags")) != NULL) { - for (flag = TAILQ_FIRST(&flags->fields); flag; - flag = TAILQ_NEXT(flag, link)) - if (strcasecmp(flag->field, "ikecfg") == 0) { - struct exchange_finalization_node *node; - - node = calloc(1, (unsigned long)sizeof *node); - if (!node) { - log_print("exchange_establish_p1: " - "calloc (1, %lu) failed", - (unsigned long)sizeof(*node)); - exchange_free(exchange); - return 0; - } - /* - * Insert this finalization inbetween - * the original. - */ - node->first = 0; - node->first_arg = 0; - node->second_arg = name; - exchange_add_finalization(exchange, - exchange_establish_transaction, - node); - } - conf_free_list(flags); - } -#endif - - cookie_gen(msg->transport, exchange, exchange->cookies + - ISAKMP_HDR_ICOOKIE_LEN, ISAKMP_HDR_RCOOKIE_LEN); - GET_ISAKMP_HDR_ICOOKIE(msg->iov[0].iov_base, exchange->cookies); - exchange_enter(exchange); -#ifdef USE_DEBUG - exchange_dump("exchange_setup_p1", exchange); -#endif - return exchange; -} - -/* Out of an incoming phase 2 message, setup an exchange. */ -struct exchange * -exchange_setup_p2(struct message *msg, u_int8_t doi) -{ - struct exchange *exchange; - u_int8_t *buf = msg->iov[0].iov_base; - - exchange = exchange_create(2, 0, doi, GET_ISAKMP_HDR_EXCH_TYPE(buf)); - if (!exchange) - return 0; - GET_ISAKMP_HDR_ICOOKIE(buf, exchange->cookies); - GET_ISAKMP_HDR_RCOOKIE(buf, - exchange->cookies + ISAKMP_HDR_ICOOKIE_LEN); - GET_ISAKMP_HDR_MESSAGE_ID(buf, exchange->message_id); -#if defined (USE_NAT_TRAVERSAL) - if (msg->isakmp_sa->flags & SA_FLAG_NAT_T_ENABLE) - exchange->flags |= EXCHANGE_FLAG_NAT_T_ENABLE; - if (msg->isakmp_sa->flags & SA_FLAG_NAT_T_KEEPALIVE) - exchange->flags |= EXCHANGE_FLAG_NAT_T_KEEPALIVE; -#endif - exchange_enter(exchange); -#ifdef USE_DEBUG - exchange_dump("exchange_setup_p2", exchange); -#endif - return exchange; -} - -/* Dump interesting data about an exchange. */ -static void -exchange_dump_real(char *header, struct exchange *exchange, int class, - int level) -{ - struct sa *sa; - char buf[LOG_SIZE]; - /* Don't risk overflowing the final log buffer. */ - size_t bufsize_max = LOG_SIZE - strlen(header) - 32; - - LOG_DBG((class, level, - "%s: %p %s %s policy %s phase %d doi %d exchange %d step %d", - header, exchange, exchange->name ? exchange->name : "<unnamed>", - exchange->policy ? exchange->policy : "<no policy>", - exchange->initiator ? "initiator" : "responder", exchange->phase, - exchange->doi->id, exchange->type, exchange->step)); - LOG_DBG((class, level, "%s: icookie %08x%08x rcookie %08x%08x", header, - decode_32(exchange->cookies), decode_32(exchange->cookies + 4), - decode_32(exchange->cookies + 8), - decode_32(exchange->cookies + 12))); - - /* Include phase 2 SA list for this exchange */ - if (exchange->phase == 2) { - snprintf(buf, bufsize_max, "sa_list "); - for (sa = TAILQ_FIRST(&exchange->sa_list); - sa && strlen(buf) < bufsize_max; sa = TAILQ_NEXT(sa, next)) - snprintf(buf + strlen(buf), bufsize_max - strlen(buf), - "%p ", sa); - if (sa) - strlcat(buf, "...", bufsize_max); - } else - buf[0] = '\0'; - - LOG_DBG((class, level, "%s: msgid %08x %s", header, - decode_32(exchange->message_id), buf)); -} - -#ifdef USE_DEBUG -static void -exchange_dump(char *header, struct exchange *exchange) -{ - exchange_dump_real(header, exchange, LOG_EXCHANGE, 10); -} -#endif - -void -exchange_report(void) -{ - struct exchange *exchange; - int i; - - for (i = 0; i <= bucket_mask; i++) - for (exchange = LIST_FIRST(&exchange_tab[i]); exchange; - exchange = LIST_NEXT(exchange, link)) - exchange_dump_real("exchange_report", exchange, - LOG_REPORT, 0); -} - -/* - * Release all resources this exchange is using *except* for the "death" - * event. When removing an exchange from the expiration handler that event - * will be dealt with therein instead. - */ -static void -exchange_free_aux(void *v_exch) -{ - struct exchange *exchange = v_exch; - struct sa *sa, *next_sa; - struct cert_handler *handler; - - LOG_DBG((LOG_EXCHANGE, 80, "exchange_free_aux: freeing exchange %p", - exchange)); - - if (exchange->last_received) - message_free(exchange->last_received); - if (exchange->last_sent) - message_free(exchange->last_sent); - if (exchange->in_transit && - exchange->in_transit != exchange->last_sent) - message_free(exchange->in_transit); - if (exchange->nonce_i) - free(exchange->nonce_i); - if (exchange->nonce_r) - free(exchange->nonce_r); - if (exchange->id_i) - free(exchange->id_i); - if (exchange->id_r) - free(exchange->id_r); - if (exchange->keystate) - free(exchange->keystate); - if (exchange->doi && exchange->doi->free_exchange_data) - exchange->doi->free_exchange_data(exchange->data); - if (exchange->data) - free(exchange->data); - if (exchange->name) - free(exchange->name); - if (exchange->recv_cert) { - handler = cert_get(exchange->recv_certtype); - if (handler) - handler->cert_free(exchange->recv_cert); - } - if (exchange->sent_cert) { - handler = cert_get(exchange->sent_certtype); - if (handler) - handler->cert_free(exchange->sent_cert); - } - if (exchange->recv_key) - key_free(exchange->recv_keytype, ISAKMP_KEYTYPE_PUBLIC, - exchange->recv_key); - if (exchange->keynote_key) - free(exchange->keynote_key); /* This is just a string */ - -#if defined (POLICY) || defined (KEYNOTE) - if (exchange->policy_id != -1) - kn_close(exchange->policy_id); -#endif - - exchange_free_aca_list(exchange); - LIST_REMOVE(exchange, link); - - /* Tell potential finalize routine we never got there. */ - if (exchange->finalize) - exchange->finalize(exchange, exchange->finalize_arg, 1); - - /* Remove any SAs that have not been disassociated from us. */ - for (sa = TAILQ_FIRST(&exchange->sa_list); sa; sa = next_sa) { - next_sa = TAILQ_NEXT(sa, next); - /* One for the reference in exchange->sa_list. */ - sa_release(sa); - /* And two more for the expiration and SA linked list. */ - sa_free(sa); - } - - free(exchange); -} - -/* Release all resources this exchange is using. */ -void -exchange_free(struct exchange *exchange) -{ - if (exchange->death) - timer_remove_event(exchange->death); - exchange_free_aux(exchange); -} - -/* - * Upgrade the phase 1 exchange and its ISAKMP SA with the rcookie of our - * peer (found in his recently sent message MSG). - */ -void -exchange_upgrade_p1(struct message *msg) -{ - struct exchange *exchange = msg->exchange; - - LIST_REMOVE(exchange, link); - GET_ISAKMP_HDR_RCOOKIE(msg->iov[0].iov_base, exchange->cookies + - ISAKMP_HDR_ICOOKIE_LEN); - exchange_enter(exchange); - sa_isakmp_upgrade(msg); -} - -static int -exchange_check_old_sa(struct sa *sa, void *v_arg) -{ - struct sa *new_sa = v_arg; - char res1[1024]; - - if (sa == new_sa || !sa->name || !(sa->flags & SA_FLAG_READY) || - (sa->flags & SA_FLAG_REPLACED)) - return 0; - - if (sa->phase != new_sa->phase || new_sa->name == 0 || - strcasecmp(sa->name, new_sa->name)) - return 0; - - if (sa->initiator) - strlcpy(res1, ipsec_decode_ids("%s %s", sa->id_i, sa->id_i_len, - sa->id_r, sa->id_r_len, 0), sizeof res1); - else - strlcpy(res1, ipsec_decode_ids("%s %s", sa->id_r, sa->id_r_len, - sa->id_i, sa->id_i_len, 0), sizeof res1); - - LOG_DBG((LOG_EXCHANGE, 30, - "checking whether new SA replaces existing SA with IDs %s", res1)); - - if (new_sa->initiator) - return strcasecmp(res1, ipsec_decode_ids("%s %s", new_sa->id_i, - new_sa->id_i_len, new_sa->id_r, new_sa->id_r_len, 0)) == 0; - else - return strcasecmp(res1, ipsec_decode_ids("%s %s", new_sa->id_r, - new_sa->id_r_len, new_sa->id_i, new_sa->id_i_len, 0)) == 0; -} - -void -exchange_finalize(struct message *msg) -{ - struct exchange *exchange = msg->exchange; - struct sa *sa, *old_sa; - struct proto *proto; - struct conf_list *attrs; - struct conf_list_node *attr; - struct cert_handler *handler; - int i; - char *id_doi, *id_trp; - -#ifdef USE_DEBUG - exchange_dump("exchange_finalize", exchange); -#endif - - /* Copy the ID from phase 1 to exchange or phase 2 SA. */ - if (msg->isakmp_sa) { - if (exchange->id_i && exchange->id_r) { - ipsec_clone_id(&msg->isakmp_sa->id_i, - &msg->isakmp_sa->id_i_len, exchange->id_i, - exchange->id_i_len); - ipsec_clone_id(&msg->isakmp_sa->id_r, - &msg->isakmp_sa->id_r_len, exchange->id_r, - exchange->id_r_len); - } else if (msg->isakmp_sa->id_i && msg->isakmp_sa->id_r) { - ipsec_clone_id(&exchange->id_i, &exchange->id_i_len, - msg->isakmp_sa->id_i, msg->isakmp_sa->id_i_len); - ipsec_clone_id(&exchange->id_r, &exchange->id_r_len, - msg->isakmp_sa->id_r, msg->isakmp_sa->id_r_len); - } - } - /* - * Walk over all the SAs and noting them as ready. If we set the - * COMMIT bit, tell the peer each SA is connected. - * - * XXX The decision should really be based on if a SA was installed - * successfully. - */ - for (sa = TAILQ_FIRST(&exchange->sa_list); sa; - sa = TAILQ_NEXT(sa, next)) { - /* Move over the name to the SA. */ - sa->name = exchange->name ? strdup(exchange->name) : 0; - - if (exchange->flags & EXCHANGE_FLAG_I_COMMITTED) { - for (proto = TAILQ_FIRST(&sa->protos); proto; - proto = TAILQ_NEXT(proto, link)) - for (i = 0; i < 2; i++) - message_send_notification(exchange->last_received, - msg->isakmp_sa, - ISAKMP_NOTIFY_STATUS_CONNECTED, - proto, i); - } - /* - * Locate any old SAs and mark them replaced - * (SA_FLAG_REPLACED). - */ - sa->initiator = exchange->initiator; - while ((old_sa = sa_find(exchange_check_old_sa, sa)) != 0) - sa_mark_replaced(old_sa); - - /* Setup the SA flags. */ - sa->flags |= SA_FLAG_READY; - if (exchange->name) { - attrs = conf_get_list(exchange->name, "Flags"); - if (attrs) { - for (attr = TAILQ_FIRST(&attrs->fields); attr; - attr = TAILQ_NEXT(attr, link)) - sa->flags |= sa_flag(attr->field); - conf_free_list(attrs); - } - /* 'Connections' should stay alive. */ - if (connection_exist(exchange->name)) { - sa->flags |= SA_FLAG_STAYALIVE; - - /* - * ISAKMP SA of this connection should also - * stay alive. - */ - if (exchange->phase == 2 && msg->isakmp_sa) - msg->isakmp_sa->flags |= - SA_FLAG_STAYALIVE; - } - } - sa->seq = exchange->seq; - sa->exch_type = exchange->type; - } - - /* - * If this was an phase 1 SA negotiation, save the keystate in the - * ISAKMP SA structure for future initialization of phase 2 exchanges' - * keystates. Also save the Phase 1 ID and authentication - * information. - */ - if (exchange->phase == 1 && msg->isakmp_sa) { - msg->isakmp_sa->keystate = exchange->keystate; - exchange->keystate = 0; - - msg->isakmp_sa->recv_certtype = exchange->recv_certtype; - msg->isakmp_sa->sent_certtype = exchange->sent_certtype; - msg->isakmp_sa->recv_keytype = exchange->recv_keytype; - msg->isakmp_sa->recv_key = exchange->recv_key; - msg->isakmp_sa->keynote_key = exchange->keynote_key; - /* Reset. */ - exchange->recv_key = 0; - exchange->keynote_key = 0; - msg->isakmp_sa->policy_id = exchange->policy_id; - exchange->policy_id = -1; - msg->isakmp_sa->initiator = exchange->initiator; - - if (exchange->recv_certtype && exchange->recv_cert) { - handler = cert_get(exchange->recv_certtype); - if (handler) - msg->isakmp_sa->recv_cert = - handler->cert_dup(exchange->recv_cert); - } - if (exchange->sent_certtype) { - handler = cert_get(exchange->sent_certtype); - if (handler) - msg->isakmp_sa->sent_cert = - handler->cert_dup(exchange->sent_cert); - } - if (exchange->doi) - id_doi = exchange->doi->decode_ids( - "initiator id %s, responder id %s", - exchange->id_i, exchange->id_i_len, - exchange->id_r, exchange->id_r_len, 0); - else - id_doi = "<no doi>"; - - if (msg->isakmp_sa->transport) - id_trp = - msg->isakmp_sa->transport->vtbl->decode_ids(msg->isakmp_sa->transport); - else - id_trp = "<no transport>"; - -#if defined (USE_NAT_TRAVERSAL) - if (exchange->flags & EXCHANGE_FLAG_NAT_T_ENABLE) - msg->isakmp_sa->flags |= SA_FLAG_NAT_T_ENABLE; - if (exchange->flags & EXCHANGE_FLAG_NAT_T_KEEPALIVE) - msg->isakmp_sa->flags |= SA_FLAG_NAT_T_KEEPALIVE; -#endif - - LOG_DBG((LOG_EXCHANGE, 10, - "exchange_finalize: phase 1 done: %s, %s", id_doi, - id_trp)); - - log_verbose("isakmpd: phase 1 done: %s, %s", id_doi, id_trp); - } - exchange->doi->finalize_exchange(msg); - if (exchange->finalize) - exchange->finalize(exchange, exchange->finalize_arg, 0); - exchange->finalize = 0; - - /* - * There is no reason to keep the SAs connected to us anymore, in fact - * it can hurt us if we have short lifetimes on the SAs and we try - * to call exchange_report, where the SA list will be walked and - * references to freed SAs can occur. - */ - while (TAILQ_FIRST(&exchange->sa_list)) { - sa = TAILQ_FIRST(&exchange->sa_list); - - if (exchange->id_i && exchange->id_r) { - ipsec_clone_id(&sa->id_i, &sa->id_i_len, - exchange->id_i, exchange->id_i_len); - ipsec_clone_id(&sa->id_r, &sa->id_r_len, - exchange->id_r, exchange->id_r_len); - } - TAILQ_REMOVE(&exchange->sa_list, sa, next); - sa_release(sa); - } - - /* If we have nothing to retransmit we can safely remove ourselves. */ - if (!exchange->last_sent) - exchange_free(exchange); -} - -/* Stash a nonce into the exchange data. */ -static int -exchange_nonce(struct exchange *exchange, int peer, size_t nonce_sz, - u_int8_t *buf) -{ - u_int8_t **nonce; - size_t *nonce_len; - int initiator = exchange->initiator ^ peer; - char header[32]; - - nonce = initiator ? &exchange->nonce_i : &exchange->nonce_r; - nonce_len = - initiator ? &exchange->nonce_i_len : &exchange->nonce_r_len; - *nonce_len = nonce_sz; - *nonce = malloc(nonce_sz); - if (!*nonce) { - log_error("exchange_nonce: malloc (%lu) failed", - (unsigned long)nonce_sz); - return -1; - } - memcpy(*nonce, buf, nonce_sz); - snprintf(header, sizeof header, "exchange_nonce: NONCE_%c", - initiator ? 'i' : 'r'); - LOG_DBG_BUF((LOG_EXCHANGE, 80, header, *nonce, nonce_sz)); - return 0; -} - -/* Generate our NONCE. */ -int -exchange_gen_nonce(struct message *msg, size_t nonce_sz) -{ - struct exchange *exchange = msg->exchange; - u_int8_t *buf; - - buf = malloc(ISAKMP_NONCE_SZ + nonce_sz); - if (!buf) { - log_error("exchange_gen_nonce: malloc (%lu) failed", - ISAKMP_NONCE_SZ + (unsigned long)nonce_sz); - return -1; - } - getrandom(buf + ISAKMP_NONCE_DATA_OFF, nonce_sz); - if (message_add_payload(msg, ISAKMP_PAYLOAD_NONCE, buf, - ISAKMP_NONCE_SZ + nonce_sz, 1)) { - free(buf); - return -1; - } - return exchange_nonce(exchange, 0, nonce_sz, - buf + ISAKMP_NONCE_DATA_OFF); -} - -/* Save the peer's NONCE. */ -int -exchange_save_nonce(struct message *msg) -{ - struct payload *noncep; - struct exchange *exchange = msg->exchange; - - noncep = payload_first(msg, ISAKMP_PAYLOAD_NONCE); - noncep->flags |= PL_MARK; - return exchange_nonce(exchange, 1, GET_ISAKMP_GEN_LENGTH(noncep->p) - - ISAKMP_NONCE_DATA_OFF, noncep->p + ISAKMP_NONCE_DATA_OFF); -} - -/* Save the peer's CERT REQuests. */ -int -exchange_save_certreq(struct message *msg) -{ - struct payload *cp = payload_first(msg, ISAKMP_PAYLOAD_CERT_REQ); - struct exchange *exchange = msg->exchange; - struct certreq_aca *aca; - - for (; cp; cp = TAILQ_NEXT(cp, link)) { - cp->flags |= PL_MARK; - aca = certreq_decode(GET_ISAKMP_CERTREQ_TYPE(cp->p), cp->p + - ISAKMP_CERTREQ_AUTHORITY_OFF, GET_ISAKMP_GEN_LENGTH(cp->p) - - ISAKMP_CERTREQ_AUTHORITY_OFF); - if (aca) - TAILQ_INSERT_TAIL(&exchange->aca_list, aca, link); - } - - return 0; -} - -/* Free the list of pending CERTREQs. */ -void -exchange_free_aca_list(struct exchange *exchange) -{ - struct certreq_aca *aca; - - for (aca = TAILQ_FIRST(&exchange->aca_list); aca; - aca = TAILQ_FIRST(&exchange->aca_list)) { - if (aca->data) { - if (aca->handler) - aca->handler->free_aca(aca->data); - free(aca->data); - } - TAILQ_REMOVE(&exchange->aca_list, aca, link); - free(aca); - } -} - -/* Obtain certificates from acceptable certification authority. */ -int -exchange_add_certs(struct message *msg) -{ - struct exchange *exchange = msg->exchange; - struct certreq_aca *aca; - u_int8_t *cert = 0, *new_cert = 0; - u_int32_t certlen; - u_int8_t *id; - size_t id_len; - - id = exchange->initiator ? exchange->id_r : exchange->id_i; - id_len = exchange->initiator ? exchange->id_r_len : exchange->id_i_len; - - /* - * Without IDs we cannot handle this yet. Keep the aca_list around for - * a later step/retry to see if we got the ID by then. - * Note: A 'return -1' breaks X509-auth interop in the responder case - * with some IPsec clients that send CERTREQs early (such as - * the SSH Sentinel). - */ - if (!id) - return 0; - - for (aca = TAILQ_FIRST(&exchange->aca_list); aca; - aca = TAILQ_NEXT(aca, link)) { - /* XXX? If we can not satisfy a CERTREQ we drop the message. */ - if (!aca->handler->cert_obtain(id, id_len, aca->data, &cert, - &certlen)) { - log_print("exchange_add_certs: could not obtain cert " - "for a type %d cert request", aca->id); - if (cert) - free(cert); - return -1; - } - new_cert = realloc(cert, ISAKMP_CERT_SZ + certlen); - if (!new_cert) { - log_error("exchange_add_certs: realloc (%p, %d) " - "failed", cert, ISAKMP_CERT_SZ + certlen); - if (cert) - free(cert); - return -1; - } - cert = new_cert; - memmove(cert + ISAKMP_CERT_DATA_OFF, cert, certlen); - SET_ISAKMP_CERT_ENCODING(cert, aca->id); - if (message_add_payload(msg, ISAKMP_PAYLOAD_CERT, cert, - ISAKMP_CERT_SZ + certlen, 1)) { - free(cert); - return -1; - } - } - - /* We dont need the CERT REQs any more, they are answered. */ - exchange_free_aca_list(exchange); - - return 0; -} - -static void -exchange_establish_finalize(struct exchange *exchange, void *arg, int fail) -{ - char *name = arg; - - LOG_DBG((LOG_EXCHANGE, 20, "exchange_establish_finalize: " - "finalizing exchange %p with arg %p (%s) & fail = %d", - exchange, arg, name ? name : "<unnamed>", fail)); - - if (!fail) - exchange_establish(name, 0, 0); - free(name); -} - -/* - * Establish an exchange named NAME, and record the FINALIZE function - * taking ARG as an argument to be run after the exchange is ready. - */ -void -exchange_establish(char *name, void (*finalize)(struct exchange *, void *, - int), void *arg) -{ - struct transport *transport; - struct sa *isakmp_sa; - struct exchange *exchange; - int phase; - char *trpt, *peer; - - phase = conf_get_num(name, "Phase", 0); - - /* - * First of all, never try to establish anything if another exchange - * of the same kind is running. - */ - exchange = exchange_lookup_by_name(name, phase); - if (exchange) { - LOG_DBG((LOG_EXCHANGE, 40, - "exchange_establish: %s exchange already exists as %p", - name, exchange)); - exchange_add_finalization(exchange, finalize, arg); - return; - } - switch (phase) { - case 1: - trpt = conf_get_str(name, "Transport"); - if (!trpt) { - /* Phase 1 transport defaults to "udp". */ - trpt = ISAKMP_DEFAULT_TRANSPORT; - } - transport = transport_create(trpt, name); - if (!transport) { - log_print("exchange_establish: transport \"%s\" for " - "peer \"%s\" could not be created", trpt, name); - return; - } - exchange_establish_p1(transport, 0, 0, name, 0, finalize, arg); - break; - - case 2: - peer = conf_get_str(name, "ISAKMP-peer"); - if (!peer) { - log_print("exchange_establish: No ISAKMP-peer given " - "for \"%s\"", name); - return; - } - isakmp_sa = sa_lookup_by_name(peer, 1); - if (!isakmp_sa) { - name = strdup(name); - if (!name) { - log_error("exchange_establish: " - "strdup (\"%s\") failed", name); - return; - } - if (conf_get_num(peer, "Phase", 0) != 1) { - log_print("exchange_establish: " - "[%s]:ISAKMP-peer's (%s) phase is not 1", - name, peer); - return; - } - /* - * XXX We're losing information here (what the - * original finalize routine was. As a result, if an - * exchange does not manage to get through, there may - * be application-specific information that won't get - * cleaned up, since no error signalling will be done. - * This is the case with dynamic SAs and PFKEY. - */ - exchange_establish(peer, exchange_establish_finalize, - name); - exchange = exchange_lookup_by_name(peer, 1); - /* - * If the exchange was correctly initialized, add the - * original finalization routine; otherwise, call it - * directly. - */ - if (exchange) - exchange_add_finalization(exchange, finalize, - arg); - else - finalize(0, arg, 1); /* Indicate failure */ - return; - } else - exchange_establish_p2(isakmp_sa, 0, name, 0, finalize, - arg); - break; - - default: - log_print("exchange_establish: " - "peer \"%s\" does not have a correct phase (%d)", - name, phase); - break; - } -} diff --git a/keyexchange/isakmpd-20041012/exchange.h b/keyexchange/isakmpd-20041012/exchange.h deleted file mode 100644 index 67061c0..0000000 --- a/keyexchange/isakmpd-20041012/exchange.h +++ /dev/null @@ -1,252 +0,0 @@ -/* $OpenBSD: exchange.h,v 1.28 2004/08/23 11:13:14 ho Exp $ */ -/* $EOM: exchange.h,v 1.28 2000/09/28 12:54:28 niklas Exp $ */ - -/* - * Copyright (c) 1998, 1999, 2001 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _EXCHANGE_H_ -#define _EXCHANGE_H_ - -#include <sys/param.h> -#include <sys/types.h> -#include <sys/queue.h> - -#include "exchange_num.h" -#include "isakmp.h" - -/* Remove an exchange if it has not been fully negotiated in this time. */ -#define EXCHANGE_MAX_TIME 120 - -struct crypto_xf; -struct certreq_aca; -struct doi; -struct event; -struct keystate; -struct message; -struct payload; -struct transport; -struct sa; - -struct exchange { - /* Link to exchanges with the same hash value. */ - LIST_ENTRY(exchange) link; - - /* A name of the SAs this exchange will result in. XXX non unique? */ - char *name; - - /* - * A name of the major policy deciding offers and acceptable - * proposals. - */ - char *policy; - - /* - * A function with a polymorphic argument called after the exchange - * has been run to its end, successfully. The 2nd argument is true - * if the finalization hook is called due to the exchange not running - * to its end normally. - */ - void (*finalize)(struct exchange *, void *, int); - void *finalize_arg; - - /* When several SA's are being negotiated we keep them here. */ - TAILQ_HEAD(sa_head, sa) sa_list; - - /* - * The event that will occur when it has taken too long time to try to - * run the exchange and which will trigger auto-destruction. - */ - struct event *death; - - /* - * Both initiator and responder cookies. - * XXX For code clarity we might split this into two fields. - */ - u_int8_t cookies[ISAKMP_HDR_COOKIES_LEN]; - - /* The message ID signifying phase 2 exchanges. */ - u_int8_t message_id[ISAKMP_HDR_MESSAGE_ID_LEN]; - - /* The exchange type we are using. */ - u_int8_t type; - - /* Phase is 1 for ISAKMP SA exchanges, and 2 for application ones. */ - u_int8_t phase; - - /* The "step counter" of the exchange, starting from zero. */ - u_int8_t step; - - /* 1 if we are the initiator, 0 if we are the responder. */ - u_int8_t initiator; - - /* Various flags, look below for descriptions. */ - u_int32_t flags; - - /* The DOI that is to handle DOI-specific issues for this exchange. */ - struct doi *doi; - - /* - * A "program counter" into the script that validate message contents - * for this exchange. - */ - int16_t *exch_pc; - - /* The last message received, used for checking for duplicates. */ - struct message *last_received; - - /* The last message sent, to be acked when something new is received. */ - struct message *last_sent; - - /* - * If some message is queued up for sending, we want to be able to - * remove it from the queue, when the exchange is deleted. - */ - struct message *in_transit; - - /* - * Initiator's & responder's nonces respectively, with lengths. - * XXX Should this be in the DOI-specific parts instead? - */ - u_int8_t *nonce_i; - size_t nonce_i_len; - u_int8_t *nonce_r; - size_t nonce_r_len; - - /* - * The ID payload contents for the initiator & responder, - * respectively. - */ - u_int8_t *id_i; - size_t id_i_len; - u_int8_t *id_r; - size_t id_r_len; - - /* Policy session identifier, where applicable. */ - int policy_id; - - /* Crypto info needed to encrypt/decrypt packets in this exchange. */ - struct crypto_xf *crypto; - size_t key_length; - struct keystate *keystate; - - /* - * Used only by KeyNote, to cache the key used to authenticate Phase - * 1 - */ - char *keynote_key; /* printable format */ - - /* - * Received certificate - used to verify signatures on packet, - * stored here for later policy processing. - * - * The rules for the recv_* and sent_* fields are: - * - recv_cert stores the credential (if any) received from the peer; - * the kernel may pass us one, but we ignore it. We pass it to the - * kernel so processes can peek at it. When doing passphrase - * authentication in Phase 1, this is empty. - * - recv_key stores the key (public or private) used by the peer - * to authenticate. Otherwise, same properties as recv_cert except - * that we don't tell the kernel about passphrases (so we don't - * reveal system-wide passphrases). Processes that used passphrase - * authentication already know the passphrase! We ignore it if/when - * received from the kernel (meaningless). - * - sent_cert stores the credential, if any, we used to authenticate - * with the peer. It may be passed to us by the kernel, or we may - * have found it in our certificate storage. In either case, there's - * no point passing it to the kernel, so we don't. - * - sent key stores the private key we used for authentication with - * the peer (private key or passphrase). This may have been received - * from the kernel, or may be a system-wide setting. In either case, - * we don't pass it to the kernel, to avoid revealing such information - * to processes (processes either already know it, or have no business - * knowing it). - */ - int recv_certtype, recv_keytype; - void *recv_cert; /* Certificate received from peer, - * native format */ - void *recv_key; /* Key peer used to authenticate, - * native format */ - - /* Likewise, for certificates/keys we use. */ - int sent_certtype, sent_keytype; - void *sent_cert; /* Certificate (to be) sent to peer, - * native format */ - void *sent_key; /* Key we'll use to authenticate to - * peer, native format */ - - /* ACQUIRE sequence number. */ - u_int32_t seq; - - /* XXX This is no longer necessary, it is covered by policy. */ - - /* Acceptable authorities for cert requests. */ - TAILQ_HEAD(aca_head, certreq_aca) aca_list; - - /* DOI-specific opaque data. */ - void *data; -}; - -/* The flag bits. */ -#define EXCHANGE_FLAG_I_COMMITTED 0x01 -#define EXCHANGE_FLAG_HE_COMMITTED 0x02 -#define EXCHANGE_FLAG_COMMITTED (EXCHANGE_FLAG_I_COMMITTED \ - | EXCHANGE_FLAG_HE_COMMITTED) -#define EXCHANGE_FLAG_ENCRYPT 0x04 -#define EXCHANGE_FLAG_NAT_T_CAP_PEER 0x08 /* Peer is NAT capable. */ -#define EXCHANGE_FLAG_NAT_T_ENABLE 0x10 /* We are doing NAT-T. */ -#define EXCHANGE_FLAG_NAT_T_KEEPALIVE 0x20 /* We are the NAT:ed peer. */ -#define EXCHANGE_FLAG_DPD_CAP_PEER 0x40 /* Peer is DPD capable. */ -#define EXCHANGE_FLAG_NAT_T_RFC 0x0080 /* Peer does RFC NAT-T. */ -#define EXCHANGE_FLAG_NAT_T_DRAFT 0x0100 /* Peer does draft NAT-T.*/ - -extern int exchange_add_certs(struct message *); -extern void exchange_finalize(struct message *); -extern void exchange_free(struct exchange *); -extern void exchange_free_aca_list(struct exchange *); -extern void exchange_establish(char *name, void (*)(struct exchange *, - void *, int), void *); -extern void exchange_establish_p1(struct transport *, u_int8_t, u_int32_t, - char *, void *, void (*)(struct exchange *, void *, int), - void *); -extern void exchange_establish_p2(struct sa *, u_int8_t, char *, void *, - void (*)(struct exchange *, void *, int), void *); -extern int exchange_gen_nonce(struct message *, size_t); -extern void exchange_init(void); -extern struct exchange *exchange_lookup(u_int8_t *, int); -extern struct exchange *exchange_lookup_by_name(char *, int); -extern struct exchange *exchange_lookup_from_icookie(u_int8_t *); -extern void exchange_report(void); -extern void exchange_run(struct message *); -extern int exchange_save_nonce(struct message *); -extern int exchange_save_certreq(struct message *); -extern int16_t *exchange_script(struct exchange *); -extern struct exchange *exchange_setup_p1(struct message *, u_int32_t); -extern struct exchange *exchange_setup_p2(struct message *, u_int8_t); -extern void exchange_upgrade_p1(struct message *); - -#endif /* _EXCHANGE_H_ */ diff --git a/keyexchange/isakmpd-20041012/exchange_num.cst b/keyexchange/isakmpd-20041012/exchange_num.cst deleted file mode 100644 index 7f61568..0000000 --- a/keyexchange/isakmpd-20041012/exchange_num.cst +++ /dev/null @@ -1,42 +0,0 @@ -# $OpenBSD: exchange_num.cst,v 1.4 2003/06/03 14:28:16 ho Exp $ -# $EOM: exchange_num.cst,v 1.1 1998/08/05 09:23:32 niklas Exp $ - -# -# Copyright (c) 1998 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Ericsson Radio Systems. -# - -# Special exchange script symbols. -EXCHANGE_SCRIPT -# Special type signifying PAYLOAD_HASH or PALOAD_SIG must be present. - AUTH -1 -# Special type signifying PAYLOAD_NOTIFY or PALOAD_DELETE must be present. - INFO -2 -# Switch roles at this point in the exchange. - SWITCH -3 -# End of script - END -4 -. diff --git a/keyexchange/isakmpd-20041012/features/aggressive b/keyexchange/isakmpd-20041012/features/aggressive deleted file mode 100644 index 945678c..0000000 --- a/keyexchange/isakmpd-20041012/features/aggressive +++ /dev/null @@ -1,32 +0,0 @@ -# $OpenBSD: aggressive,v 1.4 2003/06/03 14:29:41 ho Exp $ -# $EOM: aggressive,v 1.3 2000/02/20 16:38:15 niklas Exp $ - -# -# Copyright (c) 2000 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Wireless Networks Inc. -# - -AGGRESSIVE= ike_aggressive.c diff --git a/keyexchange/isakmpd-20041012/features/dnssec b/keyexchange/isakmpd-20041012/features/dnssec deleted file mode 100644 index aab768d..0000000 --- a/keyexchange/isakmpd-20041012/features/dnssec +++ /dev/null @@ -1,30 +0,0 @@ -# $OpenBSD: dnssec,v 1.3 2003/06/03 14:29:41 ho Exp $ - -# -# Copyright (c) 2001 Håkan Olsson. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -DNSSEC= dnssec.c - -#LWRESLIB= /usr/local/lib/liblwres.a -#DNSSEC_CFLAGS= -I/usr/local/include -DLWRES diff --git a/keyexchange/isakmpd-20041012/features/dpd b/keyexchange/isakmpd-20041012/features/dpd deleted file mode 100644 index 155ce68..0000000 --- a/keyexchange/isakmpd-20041012/features/dpd +++ /dev/null @@ -1,27 +0,0 @@ -# $OpenBSD: dpd,v 1.1 2004/06/20 15:20:07 ho Exp $ - -# -# Copyright (c) 2004 Håkan Olsson. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -DPD= dpd.c diff --git a/keyexchange/isakmpd-20041012/features/ec b/keyexchange/isakmpd-20041012/features/ec deleted file mode 100644 index 6452a8e..0000000 --- a/keyexchange/isakmpd-20041012/features/ec +++ /dev/null @@ -1,32 +0,0 @@ -# $OpenBSD: ec,v 1.4 2003/06/03 14:29:41 ho Exp $ -# $EOM: ec,v 1.3 2000/02/20 16:38:15 niklas Exp $ - -# -# Copyright (c) 2000 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Wireless Networks Inc. -# - -EC= math_ec2n.c diff --git a/keyexchange/isakmpd-20041012/features/isakmp_cfg b/keyexchange/isakmpd-20041012/features/isakmp_cfg deleted file mode 100644 index 55710fc..0000000 --- a/keyexchange/isakmpd-20041012/features/isakmp_cfg +++ /dev/null @@ -1,31 +0,0 @@ -# $OpenBSD: isakmp_cfg,v 1.2 2003/06/03 14:29:41 ho Exp $ - -# -# Copyright (c) 2001 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Gatespace (http://www.gatespace.com/). -# - -ISAKMP_CFG= isakmp_cfg.c diff --git a/keyexchange/isakmpd-20041012/features/nat_traversal b/keyexchange/isakmpd-20041012/features/nat_traversal deleted file mode 100644 index 590b4bf..0000000 --- a/keyexchange/isakmpd-20041012/features/nat_traversal +++ /dev/null @@ -1,27 +0,0 @@ -# $OpenBSD: nat_traversal,v 1.2 2004/06/21 17:02:53 markus Exp $ - -# -# Copyright (c) 2004 Håkan Olsson. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -NAT_TRAVERSAL= nat_traversal.c udp_encap.c diff --git a/keyexchange/isakmpd-20041012/features/policy b/keyexchange/isakmpd-20041012/features/policy deleted file mode 100644 index 680cc37..0000000 --- a/keyexchange/isakmpd-20041012/features/policy +++ /dev/null @@ -1,33 +0,0 @@ -# $OpenBSD: policy,v 1.6 2003/06/03 14:29:41 ho Exp $ -# $EOM: policy,v 1.4 2000/02/20 16:38:15 niklas Exp $ - -# -# Copyright (c) 2000 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Wireless Networks Inc. -# - -# NOTE: KeyNote policy support requires the keynote library -POLICY= policy.c diff --git a/keyexchange/isakmpd-20041012/features/privsep b/keyexchange/isakmpd-20041012/features/privsep deleted file mode 100644 index 20690a0..0000000 --- a/keyexchange/isakmpd-20041012/features/privsep +++ /dev/null @@ -1,27 +0,0 @@ -# $OpenBSD: privsep,v 1.2 2003/06/03 14:29:41 ho Exp $ - -# -# Copyright (c) 2003 Håkan Olsson. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -PRIVSEP= monitor.c monitor_fdpass.c diff --git a/keyexchange/isakmpd-20041012/features/x509 b/keyexchange/isakmpd-20041012/features/x509 deleted file mode 100644 index be1b2aa..0000000 --- a/keyexchange/isakmpd-20041012/features/x509 +++ /dev/null @@ -1,32 +0,0 @@ -# $OpenBSD: x509,v 1.5 2003/06/03 14:29:41 ho Exp $ -# $EOM: x509,v 1.4 2000/02/20 16:38:15 niklas Exp $ - -# -# Copyright (c) 2000 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Wireless Networks Inc. -# - -X509= x509.c diff --git a/keyexchange/isakmpd-20041012/field.c b/keyexchange/isakmpd-20041012/field.c deleted file mode 100644 index 0cc96d2..0000000 --- a/keyexchange/isakmpd-20041012/field.c +++ /dev/null @@ -1,252 +0,0 @@ -/* $OpenBSD: field.c,v 1.16 2004/06/14 09:55:41 ho Exp $ */ -/* $EOM: field.c,v 1.11 2000/02/20 19:58:37 niklas Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -#include "sysdep.h" - -#include "constants.h" -#include "field.h" -#include "log.h" -#include "util.h" - -static char *field_debug_raw(u_int8_t *, size_t, struct constant_map **); -static char *field_debug_num(u_int8_t *, size_t, struct constant_map **); -static char *field_debug_mask(u_int8_t *, size_t, struct constant_map **); -static char *field_debug_ign(u_int8_t *, size_t, struct constant_map **); -static char *field_debug_cst(u_int8_t *, size_t, struct constant_map **); - -/* Contents must match the enum in struct field. */ -static char *(*decode_field[]) (u_int8_t *, size_t, - struct constant_map **) = { - field_debug_raw, - field_debug_num, - field_debug_mask, - field_debug_ign, - field_debug_cst -}; - -/* - * Return a string showing the hexadecimal contents of the LEN-sized buffer - * BUF. MAPS should be zero and is only here because the API requires it. - */ -static char * -field_debug_raw(u_int8_t *buf, size_t len, struct constant_map **maps) -{ - char *retval, *p; - - if (len == 0) - return 0; - retval = malloc(3 + len * 2); - if (!retval) - return 0; - strlcpy(retval, "0x", 3 + len * 2); - p = retval + 2; - for (; len > 0; len--) { - snprintf(p, 1 + len * 2, "%02x", *buf++); - p += 2; - } - return retval; -} - -/* - * Convert the unsigned LEN-sized number at BUF of network byteorder to a - * 32-bit unsigned integer of host byteorder pointed to by VAL. - */ -static int -extract_val(u_int8_t *buf, size_t len, u_int32_t *val) -{ - switch (len) { - case 1: - *val = *buf; - break; - case 2: - *val = decode_16(buf); - break; - case 4: - *val = decode_32(buf); - break; - default: - return -1; - } - return 0; -} - -/* - * Return a textual representation of the unsigned number pointed to by BUF - * which is LEN octets long. MAPS should be zero and is only here because - * the API requires it. - */ -static char * -field_debug_num(u_int8_t *buf, size_t len, struct constant_map **maps) -{ - char *retval; - u_int32_t val; - - if (extract_val(buf, len, &val)) - return 0; - /* 3 decimal digits are enough to represent each byte. */ - retval = malloc(3 * len); - snprintf(retval, 3 * len, "%u", val); - return retval; -} - -/* - * Return the symbolic names of the flags pointed to by BUF which is LEN - * octets long, using the constant maps MAPS. - */ -static char * -field_debug_mask(u_int8_t *buf, size_t len, struct constant_map **maps) -{ - u_int32_t val; - u_int32_t bit; - char *retval, *new_buf, *name; - size_t buf_sz; - - if (extract_val(buf, len, &val)) - return 0; - - /* Size for brackets, two spaces and a NUL terminator. */ - buf_sz = 4; - retval = malloc(buf_sz); - if (!retval) - return 0; - - strlcpy(retval, "[ ", buf_sz); - for (bit = 1; bit; bit <<= 1) { - if (val & bit) { - name = constant_name_maps(maps, bit); - buf_sz += strlen(name) + 1; - new_buf = realloc(retval, buf_sz); - if (!new_buf) { - free(retval); - return 0; - } - retval = new_buf; - strlcat(retval, name, buf_sz); - strlcat(retval, " ", buf_sz); - } - } - strlcat(retval, "]", buf_sz); - return retval; -} - -/* - * Just a dummy needed to skip the unused LEN sized space at BUF. MAPS - * should be zero and is only here because the API requires it. - */ -static char * -field_debug_ign(u_int8_t *buf, size_t len, struct constant_map **maps) -{ - return 0; -} - -/* - * Return the symbolic name of a constant pointed to by BUF which is LEN - * octets long, using the constant maps MAPS. - */ -static char * -field_debug_cst(u_int8_t *buf, size_t len, struct constant_map **maps) -{ - u_int32_t val; - - if (extract_val(buf, len, &val)) - return 0; - - return strdup(constant_name_maps(maps, val)); -} - -/* Pretty-print a field from BUF as described by F. */ -void -field_dump_field(struct field *f, u_int8_t *buf) -{ - char *value; - - value = decode_field[(int) f->type] (buf + f->offset, f->len, f->maps); - if (value) { - LOG_DBG((LOG_MESSAGE, 70, "%s: %s", f->name, value)); - free(value); - } -} - -/* Pretty-print all the fields of BUF as described in FIELDS. */ -void -field_dump_payload(struct field *fields, u_int8_t *buf) -{ - struct field *field; - - for (field = fields; field->name; field++) - field_dump_field(field, buf); -} - -/* Return the numeric value of the field F of BUF. */ -u_int32_t -field_get_num(struct field *f, u_int8_t *buf) -{ - u_int32_t val; - - if (extract_val(buf + f->offset, f->len, &val)) - return 0; - return val; -} - -/* Stash the number VAL into BUF's field F. */ -void -field_set_num(struct field *f, u_int8_t *buf, u_int32_t val) -{ - switch (f->len) { - case 1: - buf[f->offset] = val; - break; - case 2: - encode_16(buf + f->offset, val); - break; - case 4: - encode_32(buf + f->offset, val); - break; - } -} - -/* Stash BUF's raw field F into VAL. */ -void -field_get_raw(struct field *f, u_int8_t *buf, u_int8_t *val) -{ - memcpy(val, buf + f->offset, f->len); -} - -/* Stash the buffer VAL into BUF's field F. */ -void -field_set_raw(struct field *f, u_int8_t *buf, u_int8_t *val) -{ - memcpy(buf + f->offset, val, f->len); -} diff --git a/keyexchange/isakmpd-20041012/field.h b/keyexchange/isakmpd-20041012/field.h deleted file mode 100644 index 428d417..0000000 --- a/keyexchange/isakmpd-20041012/field.h +++ /dev/null @@ -1,54 +0,0 @@ -/* $OpenBSD: field.h,v 1.6 2004/05/23 18:17:55 hshoexer Exp $ */ -/* $EOM: field.h,v 1.3 1998/08/02 20:25:01 niklas Exp $ */ - -/* - * Copyright (c) 1998 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _FIELD_H_ -#define _FIELD_H_ - -#include <sys/types.h> - -struct field { - char *name; - int offset; - size_t len; - enum { - raw, num, mask, ign, cst - } type; - struct constant_map **maps; -}; - -extern void field_dump_field(struct field *, u_int8_t *); -extern void field_dump_payload(struct field *, u_int8_t *); -extern u_int32_t field_get_num(struct field *, u_int8_t *); -extern void field_get_raw(struct field *, u_int8_t *, u_int8_t *); -extern void field_set_num(struct field *, u_int8_t *, u_int32_t); -extern void field_set_raw(struct field *, u_int8_t *, u_int8_t *); - -#endif /* _FIELD_H_ */ diff --git a/keyexchange/isakmpd-20041012/genconstants.sh b/keyexchange/isakmpd-20041012/genconstants.sh deleted file mode 100644 index 8332209..0000000 --- a/keyexchange/isakmpd-20041012/genconstants.sh +++ /dev/null @@ -1,114 +0,0 @@ -# $OpenBSD: genconstants.sh,v 1.12 2004/04/15 18:39:25 deraadt Exp $ -# $EOM: genconstants.sh,v 1.6 1999/04/02 01:15:53 niklas Exp $ - -# -# Copyright (c) 1998, 1999, 2001 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Ericsson Radio Systems. -# - -base=`basename $1` -upcased_name=`echo $base |tr a-z A-Z` - -awk=${AWK:-awk} - -locase_function='function locase (str) { - cmd = "echo " str " |tr A-Z a-z" - cmd | getline retval; - close (cmd); - return retval; -}' - -$awk " -$locase_function -"' -BEGIN { - print "/* DO NOT EDIT-- this file is automatically generated. */\n" - print "#ifndef _'$upcased_name'_H_" - print "#define _'$upcased_name'_H_\n" - print "#include \"sysdep.h\"\n" - print "#include \"constants.h\"\n" -} - -/^[#.]/ { - next -} - -/^[^ ]/ { - prefix = $1 - printf ("extern struct constant_map %s_cst[];\n\n", locase(prefix)); - next -} - -/^[ ]/ && $1 { - printf ("#define %s_%s %s\n", prefix, $1, $2) - next -} - -{ - print -} - -END { - printf ("\n") - print "#endif /* _'$upcased_name'_H_ */" -} -' <$1.cst >$base.h - -$awk " -$locase_function -"' -BEGIN { - print "/* DO NOT EDIT-- this file is automatically generated. */\n" - print "#include \"sysdep.h\"\n" - print "#include \"constants.h\"" - print "#include \"'$base'.h\"\n" -} - -/^#/ { - next -} - -/^\./ { - print " { 0, 0 }\n};\n" - next -} - -/^[^ ]/ { - prefix = $1 - printf ("struct constant_map %s_cst[] = {\n", locase(prefix)) - next -} - -/^[ ]/ && $1 { - printf (" { %s_%s, \"%s\", %s },\n", prefix, $1, $1, - ($3 && substr($3,1,1) != "#") ? $3 : 0) - next -} - -{ - print -} -' <$1.cst >$base.c diff --git a/keyexchange/isakmpd-20041012/genfields.sh b/keyexchange/isakmpd-20041012/genfields.sh deleted file mode 100644 index 74909e1..0000000 --- a/keyexchange/isakmpd-20041012/genfields.sh +++ /dev/null @@ -1,185 +0,0 @@ -# $OpenBSD: genfields.sh,v 1.9 2004/04/15 18:39:25 deraadt Exp $ -# $EOM: genfields.sh,v 1.5 1999/04/02 01:15:55 niklas Exp $ - -# -# Copyright (c) 1998, 1999, 2001 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Ericsson Radio Systems. -# - -base=`basename $1` -upcased_name=`echo $base |tr a-z A-Z` - -awk=${AWK:-awk} - -locase_function='function locase (str) { - cmd = "echo " str " |tr A-Z a-z" - cmd | getline retval; - close (cmd); - return retval; -}' - -$awk " -$locase_function -"' -BEGIN { - print "/* DO NOT EDIT-- this file is automatically generated. */\n" - print "#ifndef _'$upcased_name'_H_" - print "#define _'$upcased_name'_H_\n" - - print "#include \"sysdep.h\"\n" - print "#include \"field.h\"\n" - - print "struct constant_map;\n" -} - -/^#/ { - next -} - -/^\./ { - printf ("#define %s_SZ %d\n", prefix, off) - size[prefix] = off - next -} - -/^[^ ]/ { - prefix = $1 - printf ("extern struct field %s_fld[];\n\n", locase(prefix)); - if ($3) - { - off = size[$3] - } - else - { - off = 0 - } - i = 0 - next -} - -/^[ ]/ && $1 { - printf ("#define %s_%s_OFF %d\n", prefix, $1, off) - if ($3) - { - printf ("#define %s_%s_LEN %d\n", prefix, $1, $3) - } - if ($4) - { - printf ("extern struct constant_map *%s_%s_maps[];\n", locase(prefix), - locase($1)) - } - if ($2 == "raw") - { - printf ("#define GET_%s_%s(buf, val) ", prefix, $1) - printf ("field_get_raw (%s_fld + %d, buf, val)\n", locase(prefix), i) - printf ("#define SET_%s_%s(buf, val) ", prefix, $1) - printf ("field_set_raw (%s_fld + %d, buf, val)\n", locase(prefix), i) - } - else - { - printf ("#define GET_%s_%s(buf) field_get_num (%s_fld + %d, buf)\n", - prefix, $1, locase(prefix), i) - printf ("#define SET_%s_%s(buf, val) ", prefix, $1) - printf ("field_set_num (%s_fld + %d, buf, val)\n", locase(prefix), i) - } - off += $3 - i++ - next -} - -{ - print -} - -END { - printf ("\n") - print "#endif /* _'$upcased_name'_H_ */" -} -' <$1.fld >$base.h - -$awk " -$locase_function -"' -BEGIN { - print "/* DO NOT EDIT-- this file is automatically generated. */\n" - print "#include \"sysdep.h\"\n" - print "#include \"constants.h\"" - print "#include \"field.h\"" - print "#include \"'$base'.h\"" - print "#include \"isakmp_num.h\"" - print "#include \"ipsec_num.h\"\n" -} - -/^#/ { - next -} - -/^\./ { - print " { 0, 0, 0, 0, 0 }\n};\n" - size[prefix] = off - for (map in maps) - { - printf ("struct constant_map *%s_%s_maps[] = {\n", locase(prefix), - locase(map)) - printf (" %s, 0\n};\n", maps[map]) - } - next -} - -/^[^ ]/ { - prefix = $1 - printf ("struct field %s_fld[] = {\n", locase(prefix)) - if ($3) - { - off = size[$3] - } - else - { - off = 0 - } - delete maps - next -} - -/^[ ]/ && $1 { - if ($4) - { - maps_name = locase(prefix)"_"locase($1)"_maps" - maps[$1] = $4 - } - else - { - maps_name = "0" - } - printf (" { \"%s\", %d, %d, %s, %s },\n", $1, off, $3, $2, maps_name) - off += $3 - next -} - -{ - print -} -' <$1.fld >$base.c diff --git a/keyexchange/isakmpd-20041012/gmp_util.c b/keyexchange/isakmpd-20041012/gmp_util.c deleted file mode 100644 index 2a338d2..0000000 --- a/keyexchange/isakmpd-20041012/gmp_util.c +++ /dev/null @@ -1,105 +0,0 @@ -/* $OpenBSD: gmp_util.c,v 1.11 2004/04/15 18:39:25 deraadt Exp $ */ -/* $EOM: gmp_util.c,v 1.7 2000/09/18 00:01:47 ho Exp $ */ - -/* - * Copyright (c) 1998 Niels Provos. All rights reserved. - * Copyright (c) 1999, 2000 Niklas Hallqvist. All rights reserved. - * Copyright (c) 2000 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/param.h> - -#include "sysdep.h" - -#include "gmp_util.h" -#include "math_mp.h" - -/* Various utility functions for gmp, used in more than one module */ - -u_int32_t -mpz_sizeinoctets(math_mp_t a) -{ -#if MP_FLAVOUR == MP_FLAVOUR_GMP - return (7 + mpz_sizeinbase(a, 2)) >> 3; -#elif MP_FLAVOUR == MP_FLAVOUR_OPENSSL - return BN_num_bytes(a); -#endif -} - -void -mpz_getraw(u_int8_t *raw, math_mp_t v, u_int32_t len) -{ - math_mp_t a; - -#if MP_FLAVOUR == MP_FLAVOUR_GMP - math_mp_t tmp; - - /* XXX mpz_get_str (raw, BASE, v); ? */ - mpz_init_set(a, v); - mpz_init(tmp); -#elif MP_FLAVOUR == MP_FLAVOUR_OPENSSL - /* XXX bn2bin? */ - a = BN_dup(v); -#endif - - while (len-- > 0) -#if MP_FLAVOUR == MP_FLAVOUR_GMP - raw[len] = mpz_fdiv_qr_ui(a, tmp, a, 256); -#elif MP_FLAVOUR == MP_FLAVOUR_OPENSSL - raw[len] = BN_div_word(a, 256); -#endif - -#if MP_FLAVOUR == MP_FLAVOUR_GMP - mpz_clear(a); - mpz_clear(tmp); -#elif MP_FLAVOUR == MP_FLAVOUR_OPENSSL - BN_clear_free(a); -#endif -} - -void -mpz_setraw(math_mp_t d, u_int8_t *s, u_int32_t l) -{ - u_int32_t i; - -#if MP_FLAVOUR == MP_FLAVOUR_GMP - /* XXX mpz_set_str (d, s, 0); */ - mpz_set_si(d, 0); -#elif MP_FLAVOUR == MP_FLAVOUR_OPENSSL - /* XXX bin2bn? */ - BN_set_word(d, 0); -#endif - for (i = 0; i < l; i++) { -#if MP_FLAVOUR == MP_FLAVOUR_GMP - mpz_mul_ui(d, d, 256); - mpz_add_ui(d, d, s[i]); -#elif MP_FLAVOUR == MP_FLAVOUR_OPENSSL - BN_mul_word(d, 256); - BN_add_word(d, s[i]); -#endif - } -} diff --git a/keyexchange/isakmpd-20041012/gmp_util.h b/keyexchange/isakmpd-20041012/gmp_util.h deleted file mode 100644 index 826c6ca..0000000 --- a/keyexchange/isakmpd-20041012/gmp_util.h +++ /dev/null @@ -1,42 +0,0 @@ -/* $OpenBSD: gmp_util.h,v 1.8 2004/04/15 18:39:25 deraadt Exp $ */ -/* $EOM: gmp_util.h,v 1.4 2000/05/08 13:42:11 ho Exp $ */ - -/* - * Copyright (c) 1998 Niels Provos. All rights reserved. - * Copyright (c) 2000 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _GMP_UTIL_H_ -#define _GMP_UTIL_H_ - -#include "math_mp.h" - -u_int32_t mpz_sizeinoctets(math_mp_t); -void mpz_getraw(u_int8_t *, math_mp_t, u_int32_t); -void mpz_setraw(math_mp_t, u_int8_t *, u_int32_t); - -#endif /* _GMP_UTIL_H_ */ diff --git a/keyexchange/isakmpd-20041012/hash.c b/keyexchange/isakmpd-20041012/hash.c deleted file mode 100644 index 84773f8..0000000 --- a/keyexchange/isakmpd-20041012/hash.c +++ /dev/null @@ -1,145 +0,0 @@ -/* $OpenBSD: hash.c,v 1.17 2004/06/14 09:55:41 ho Exp $ */ -/* $EOM: hash.c,v 1.10 1999/04/17 23:20:34 niklas Exp $ */ - -/* - * Copyright (c) 1998 Niels Provos. All rights reserved. - * Copyright (c) 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/param.h> -#include <string.h> -#if defined (__APPLE__) -#include <openssl/md5.h> -#include <openssl/sha.h> -#else -#include <md5.h> -#include <sha1.h> -#endif /* __APPLE__ */ - -#include "sysdep.h" - -#include "hash.h" -#include "log.h" - -void hmac_init(struct hash *, unsigned char *, unsigned int); -void hmac_final(unsigned char *, struct hash *); - -/* Temporary hash contexts. */ -static union { - MD5_CTX md5ctx; - SHA1_CTX sha1ctx; -} Ctx, Ctx2; - -/* Temporary hash digest. */ -static unsigned char digest[HASH_MAX]; - -/* Encapsulation of hash functions. */ - -static struct hash hashes[] = { - { - HASH_MD5, 5, MD5_SIZE, (void *)&Ctx.md5ctx, digest, - sizeof(MD5_CTX), (void *)&Ctx2.md5ctx, - (void (*)(void *))MD5Init, - (void (*)(void *, unsigned char *, unsigned int))MD5Update, - (void (*)(unsigned char *, void *))MD5Final, - hmac_init, - hmac_final - }, { - HASH_SHA1, 6, SHA1_SIZE, (void *)&Ctx.sha1ctx, digest, - sizeof(SHA1_CTX), (void *)&Ctx2.sha1ctx, - (void (*)(void *))SHA1Init, - (void (*)(void *, unsigned char *, unsigned int))SHA1Update, - (void (*)(unsigned char *, void *))SHA1Final, - hmac_init, - hmac_final - }, -}; - -struct hash * -hash_get(enum hashes hashtype) -{ - size_t i; - - LOG_DBG((LOG_CRYPTO, 60, "hash_get: requested algorithm %d", - hashtype)); - - for (i = 0; i < sizeof hashes / sizeof hashes[0]; i++) - if (hashtype == hashes[i].type) - return &hashes[i]; - - return 0; -} - -/* - * Initial a hash for HMAC usage this requires a special init function. - * ctx, ctx2 hold the contexts, if you want to use the hash object for - * something else in the meantime, be sure to store the contexts somewhere. - */ - -void -hmac_init(struct hash *hash, unsigned char *okey, unsigned int len) -{ - unsigned int i, blocklen = HMAC_BLOCKLEN; - unsigned char key[HMAC_BLOCKLEN]; - - memset(key, 0, blocklen); - if (len > blocklen) { - /* Truncate key down to blocklen */ - hash->Init(hash->ctx); - hash->Update(hash->ctx, okey, len); - hash->Final(key, hash->ctx); - } else { - memcpy(key, okey, len); - } - - /* HMAC I and O pad computation */ - for (i = 0; i < blocklen; i++) - key[i] ^= HMAC_IPAD_VAL; - - hash->Init(hash->ctx); - hash->Update(hash->ctx, key, blocklen); - - for (i = 0; i < blocklen; i++) - key[i] ^= (HMAC_IPAD_VAL ^ HMAC_OPAD_VAL); - - hash->Init(hash->ctx2); - hash->Update(hash->ctx2, key, blocklen); - - memset(key, 0, blocklen); -} - -/* - * HMAC Final function - */ - -void -hmac_final(unsigned char *dgst, struct hash *hash) -{ - hash->Final(dgst, hash->ctx); - hash->Update(hash->ctx2, dgst, hash->hashsize); - hash->Final(dgst, hash->ctx2); -} diff --git a/keyexchange/isakmpd-20041012/hash.h b/keyexchange/isakmpd-20041012/hash.h deleted file mode 100644 index 3af2350..0000000 --- a/keyexchange/isakmpd-20041012/hash.h +++ /dev/null @@ -1,70 +0,0 @@ -/* $OpenBSD: hash.h,v 1.7 2004/04/15 18:39:25 deraadt Exp $ */ -/* $EOM: hash.h,v 1.6 1998/07/25 22:04:36 niklas Exp $ */ - -/* - * Copyright (c) 1998 Niels Provos. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _HASH_H_ -#define _HASH_H_ - -/* Normal mode hash encapsulation */ - -#define MD5_SIZE 16 -#define SHA1_SIZE 20 -#define HASH_MAX SHA1_SIZE - -enum hashes { - HASH_MD5 = 0, - HASH_SHA1 -}; - -struct hash { - enum hashes type; - int id; /* ISAKMP/Oakley ID */ - u_int8_t hashsize; /* Size of the hash */ - void *ctx; /* Pointer to a context, for HMAC ictx */ - unsigned char *digest; /* Pointer to a digest */ - int ctxsize; - void *ctx2; /* Pointer to a 2nd context, for HMAC octx */ - void (*Init) (void *); - void (*Update) (void *, unsigned char *, unsigned int); - void (*Final) (unsigned char *, void *); - void (*HMACInit) (struct hash *, unsigned char *, unsigned int); - void (*HMACFinal) (unsigned char *, struct hash *); -}; - -/* HMAC Hash Encapsulation */ - -#define HMAC_IPAD_VAL 0x36 -#define HMAC_OPAD_VAL 0x5C -#define HMAC_BLOCKLEN 64 - -extern struct hash *hash_get(enum hashes); -extern void hmac_init(struct hash *, unsigned char *, unsigned int); - -#endif /* _HASH_H_ */ diff --git a/keyexchange/isakmpd-20041012/if.c b/keyexchange/isakmpd-20041012/if.c deleted file mode 100644 index b9cf927..0000000 --- a/keyexchange/isakmpd-20041012/if.c +++ /dev/null @@ -1,152 +0,0 @@ -/* $OpenBSD: if.c,v 1.22 2004/06/14 09:55:41 ho Exp $ */ -/* $EOM: if.c,v 1.12 1999/10/01 13:45:20 niklas Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/ioctl.h> -#include <sys/types.h> -#include <sys/socket.h> -#include <net/if.h> -#include <stdlib.h> -#include <unistd.h> -#ifdef HAVE_GETIFADDRS -#include <ifaddrs.h> -#endif - -#include "sysdep.h" - -#include "log.h" -#include "monitor.h" -#include "if.h" - -#ifndef HAVE_GETIFADDRS -/* XXX Unsafe if either x or y has side-effects. */ -#ifndef MAX -#define MAX(x, y) ((x) > (y) ? (x) : (y)) -#endif - -/* Most boxes has less than 16 interfaces, so this might be a good guess. */ -#define INITIAL_IFREQ_COUNT 16 - -/* - * Get all network interface configurations. - * Return 0 if successful, -1 otherwise. - */ -int -siocgifconf(struct ifconf *ifcp) -{ - caddr_t buf, new_buf; - int s, len; - - /* Get a socket to ask for the network interface configurations. */ - s = socket(AF_INET, SOCK_DGRAM, 0); - if (s == -1) { - log_error("siocgifconf: " - "socket (AF_INET, SOCK_DGRAM, 0) failed"); - return -1; - } - len = sizeof(struct ifreq) * INITIAL_IFREQ_COUNT; - buf = 0; - while (1) { - /* - * Allocate a larger buffer each time around the loop and get - * the network interfaces configurations into it. - */ - new_buf = realloc(buf, len); - if (!new_buf) { - log_error("siocgifconf: realloc (%p, %d) failed", buf, - len); - goto err; - } - ifcp->ifc_len = len; - ifcp->ifc_buf = buf = new_buf; - if (ioctl(s, SIOCGIFCONF, ifcp) == -1) { - log_error("siocgifconf: ioctl (%d, SIOCGIFCONF, ...) " - "failed", s); - goto err; - } - - /* - * If there is place for another ifreq we can be sure that the - * buffer was big enough, otherwise double the size and try - * again. - */ - if (len - ifcp->ifc_len >= sizeof(struct ifreq)) - break; - len *= 2; - } - close(s); - return 0; - -err: - if (buf) - free(buf); - ifcp->ifc_len = 0; - ifcp->ifc_buf = 0; - close(s); - return -1; -} -#endif - -int -if_map(int (*func)(char *, struct sockaddr *, void *), void *arg) -{ - int err = 0; - -#ifdef HAVE_GETIFADDRS - struct ifaddrs *ifap, *ifa; - - if (getifaddrs(&ifap) < 0) - return -1; - - for (ifa = ifap; ifa; ifa = ifa->ifa_next) - if ((*func)(ifa->ifa_name, ifa->ifa_addr, arg) == -1) - err = -1; - freeifaddrs(ifap); -#else - struct ifconf ifc; - struct ifreq *ifrp; - caddr_t limit, p; - size_t len; - - if (siocgifconf(&ifc)) - return -1; - - limit = ifc.ifc_buf + ifc.ifc_len; - for (p = ifc.ifc_buf; p < limit; p += len) { - ifrp = (struct ifreq *)p; - if ((*func)(ifrp->ifr_name, &ifrp->ifr_addr, arg) == -1) - err = -1; - len = sizeof ifrp->ifr_name + - MAX(sysdep_sa_len(&ifrp->ifr_addr), sizeof ifrp->ifr_addr); - } - free(ifc.ifc_buf); -#endif - return err; -} diff --git a/keyexchange/isakmpd-20041012/if.h b/keyexchange/isakmpd-20041012/if.h deleted file mode 100644 index 82d574d..0000000 --- a/keyexchange/isakmpd-20041012/if.h +++ /dev/null @@ -1,43 +0,0 @@ -/* $OpenBSD: if.h,v 1.7 2004/04/15 18:39:25 deraadt Exp $ */ -/* $EOM: if.h,v 1.2 1998/07/07 23:35:58 niklas Exp $ */ - -/* - * Copyright (c) 1998 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _IF_H_ -#define _IF_H_ - -#include <sys/types.h> - -struct ifreq; -struct ifconf; - -extern int if_map(int (*) (char *, struct sockaddr *, void *), void *); -extern int siocgifconf(struct ifconf *); - -#endif /* _IF_H_ */ diff --git a/keyexchange/isakmpd-20041012/ike_aggressive.c b/keyexchange/isakmpd-20041012/ike_aggressive.c deleted file mode 100644 index 48ec10f..0000000 --- a/keyexchange/isakmpd-20041012/ike_aggressive.c +++ /dev/null @@ -1,184 +0,0 @@ -/* $OpenBSD: ike_aggressive.c,v 1.8 2004/07/29 08:54:08 ho Exp $ */ -/* $EOM: ike_aggressive.c,v 1.4 2000/01/31 22:33:45 niklas Exp $ */ - -/* - * Copyright (c) 1999 Niklas Hallqvist. All rights reserved. - * Copyright (c) 1999 Angelos D. Keromytis. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/types.h> -#include <netinet/in.h> -#include <stdlib.h> -#include <string.h> - -#include "sysdep.h" - -#include "attribute.h" -#include "conf.h" -#include "constants.h" -#include "crypto.h" -#include "dh.h" -#include "doi.h" -#include "exchange.h" -#include "hash.h" -#include "ike_auth.h" -#include "ike_aggressive.h" -#include "ike_phase_1.h" -#include "ipsec.h" -#include "ipsec_doi.h" -#include "isakmp.h" -#include "log.h" -#include "math_group.h" -#include "message.h" -#if defined (USE_NAT_TRAVERSAL) -#include "nat_traversal.h" -#endif -#include "prf.h" -#include "sa.h" -#include "transport.h" -#include "util.h" - -static int initiator_recv_SA_KE_NONCE_ID_AUTH(struct message *); -static int initiator_send_SA_KE_NONCE_ID(struct message *); -static int initiator_send_AUTH(struct message *); -static int responder_recv_SA_KE_NONCE_ID(struct message *); -static int responder_send_SA_KE_NONCE_ID_AUTH(struct message *); -static int responder_recv_AUTH(struct message *); - -int (*ike_aggressive_initiator[])(struct message *) = { - initiator_send_SA_KE_NONCE_ID, - initiator_recv_SA_KE_NONCE_ID_AUTH, - initiator_send_AUTH -}; - -int (*ike_aggressive_responder[])(struct message *) = { - responder_recv_SA_KE_NONCE_ID, - responder_send_SA_KE_NONCE_ID_AUTH, - responder_recv_AUTH -}; - -/* Offer a set of transforms to the responder in the MSG message. */ -static int -initiator_send_SA_KE_NONCE_ID(struct message *msg) -{ - if (ike_phase_1_initiator_send_SA(msg)) - return -1; - - if (ike_phase_1_initiator_send_KE_NONCE(msg)) - return -1; - - return ike_phase_1_send_ID(msg); -} - -/* Figure out what transform the responder chose. */ -static int -initiator_recv_SA_KE_NONCE_ID_AUTH(struct message *msg) -{ - if (ike_phase_1_initiator_recv_SA(msg)) - return -1; - - if (ike_phase_1_initiator_recv_KE_NONCE(msg)) - return -1; - - return ike_phase_1_recv_ID_AUTH(msg); -} - -static int -initiator_send_AUTH(struct message *msg) -{ - msg->exchange->flags |= EXCHANGE_FLAG_ENCRYPT; - - if (ike_phase_1_send_AUTH(msg)) - return -1; - - /* - * RFC 2407 4.6.3 says that, among others, INITIAL-CONTACT MUST NOT - * be sent in Aggressive Mode. This leaves us with the choice of - * doing it in an informational exchange of its own with no delivery - * guarantee or in the first Quick Mode, or not at all. - * draft-jenkins-ipsec-rekeying-01.txt has some text that requires - * INITIAL-CONTACT in phase 1, thus contradicting what we learned - * above. I will bring this up in the IPsec list. For now we don't - * do INITIAL-CONTACT at all when using aggressive mode. - */ - return 0; -} - -/* - * Accept a set of transforms offered by the initiator and chose one we can - * handle. Also accept initiator's public DH value, nonce and ID. - */ -static int -responder_recv_SA_KE_NONCE_ID(struct message *msg) -{ - if (ike_phase_1_responder_recv_SA(msg)) - return -1; - - if (ike_phase_1_recv_ID(msg)) - return -1; - - return ike_phase_1_recv_KE_NONCE(msg); -} - -/* - * Reply with the transform we chose. Send our public DH value and a nonce - * to the initiator. - */ -static int -responder_send_SA_KE_NONCE_ID_AUTH(struct message *msg) -{ - /* Add the SA payload with the transform that was chosen. */ - if (ike_phase_1_responder_send_SA(msg)) - return -1; - - /* XXX Should we really just use the initiator's nonce size? */ - if (ike_phase_1_send_KE_NONCE(msg, msg->exchange->nonce_i_len)) - return -1; - - if (ike_phase_1_post_exchange_KE_NONCE(msg)) - return -1; - - return ike_phase_1_responder_send_ID_AUTH(msg); -} - -/* - * Reply with the transform we chose. Send our public DH value and a nonce - * to the initiator. - */ -static int -responder_recv_AUTH(struct message *msg) -{ - if (ike_phase_1_recv_AUTH(msg)) - return -1; - -#if defined (USE_NAT_TRAVERSAL) - /* Aggressive: Check for NAT-D payloads and contents. */ - if (msg->exchange->flags & EXCHANGE_FLAG_NAT_T_CAP_PEER) - (void)nat_t_exchange_check_nat_d(msg); -#endif - return 0; -} diff --git a/keyexchange/isakmpd-20041012/ike_aggressive.h b/keyexchange/isakmpd-20041012/ike_aggressive.h deleted file mode 100644 index f2af524..0000000 --- a/keyexchange/isakmpd-20041012/ike_aggressive.h +++ /dev/null @@ -1,40 +0,0 @@ -/* $OpenBSD: ike_aggressive.h,v 1.5 2004/05/23 18:17:55 hshoexer Exp $ */ -/* $EOM: ike_aggressive.h,v 1.1 1999/04/16 21:24:43 niklas Exp $ */ - -/* - * Copyright (c) 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _IKE_AGGRESSIVE_H_ -#define _IKE_AGGRESSIVE_H_ - -struct message; - -extern int (*ike_aggressive_initiator[])(struct message *msg); -extern int (*ike_aggressive_responder[])(struct message *msg); - -#endif /* _IKE_AGGRESSIVE_H_ */ diff --git a/keyexchange/isakmpd-20041012/ike_auth.c b/keyexchange/isakmpd-20041012/ike_auth.c deleted file mode 100644 index dcacb0e..0000000 --- a/keyexchange/isakmpd-20041012/ike_auth.c +++ /dev/null @@ -1,1167 +0,0 @@ -/* $OpenBSD: ike_auth.c,v 1.95 2004/08/08 19:11:06 deraadt Exp $ */ -/* $EOM: ike_auth.c,v 1.59 2000/11/21 00:21:31 angelos Exp $ */ - -/* - * Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. - * Copyright (c) 1999 Niels Provos. All rights reserved. - * Copyright (c) 1999 Angelos D. Keromytis. All rights reserved. - * Copyright (c) 2000, 2001, 2003 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/types.h> -#include <sys/stat.h> -#include <netinet/in.h> -#include <arpa/inet.h> - -#include <errno.h> -#include <fcntl.h> -#include <stdlib.h> -#include <string.h> -#include <unistd.h> -#include <regex.h> -#if defined (USE_KEYNOTE) -#include <keynote.h> -#endif -#include <policy.h> - -#include "sysdep.h" - -#include "cert.h" -#include "conf.h" -#include "constants.h" -#if defined (USE_DNSSEC) -#include "dnssec.h" -#endif -#include "exchange.h" -#include "gmp_util.h" -#include "hash.h" -#include "ike_auth.h" -#include "ipsec.h" -#include "ipsec_doi.h" -#include "libcrypto.h" -#include "log.h" -#include "message.h" -#include "monitor.h" -#include "prf.h" -#include "transport.h" -#include "util.h" -#include "key.h" -#if defined (USE_X509) -#include "x509.h" -#endif - -#ifdef notyet -static u_int8_t *enc_gen_skeyid(struct exchange *, size_t *); -#endif -static u_int8_t *pre_shared_gen_skeyid(struct exchange *, size_t *); - -static int pre_shared_decode_hash(struct message *); -static int pre_shared_encode_hash(struct message *); - -#if defined (USE_X509) || defined (USE_KEYNOTE) -static u_int8_t *sig_gen_skeyid(struct exchange *, size_t *); -static int rsa_sig_decode_hash(struct message *); -static int rsa_sig_encode_hash(struct message *); -#endif - -#if defined (USE_RAWKEY) -static int get_raw_key_from_file(int, u_int8_t *, size_t, RSA **); -#endif - -static int ike_auth_hash(struct exchange *, u_int8_t *); - -static struct ike_auth ike_auth[] = { - { - IKE_AUTH_PRE_SHARED, pre_shared_gen_skeyid, - pre_shared_decode_hash, - pre_shared_encode_hash - }, -#ifdef notdef - { - IKE_AUTH_DSS, sig_gen_skeyid, - pre_shared_decode_hash, - pre_shared_encode_hash - }, -#endif -#if defined (USE_X509) || defined (USE_KEYNOTE) - { - IKE_AUTH_RSA_SIG, sig_gen_skeyid, - rsa_sig_decode_hash, - rsa_sig_encode_hash - }, -#endif -#ifdef notdef - { - IKE_AUTH_RSA_ENC, enc_gen_skeyid, - pre_shared_decode_hash, - pre_shared_encode_hash - }, - { - IKE_AUTH_RSA_ENC_REV, enc_gen_skeyid, - pre_shared_decode_hash, - pre_shared_encode_hash - }, -#endif -}; - -struct ike_auth * -ike_auth_get(u_int16_t id) -{ - size_t i; - - for (i = 0; i < sizeof ike_auth / sizeof ike_auth[0]; i++) - if (id == ike_auth[i].id) - return &ike_auth[i]; - return 0; -} - -/* - * Find and decode the configured key (pre-shared or public) for the - * peer denoted by ID. Stash the len in KEYLEN. - */ -static void * -ike_auth_get_key(int type, char *id, char *local_id, size_t *keylen) -{ - char *key, *buf; -#if defined (USE_X509) || defined (USE_KEYNOTE) - int fd; - char *keyfile; -#if defined (USE_X509) - FILE *keyfp; - RSA *rsakey; - size_t fsize; -#endif -#endif - - switch (type) { - case IKE_AUTH_PRE_SHARED: - /* Get the pre-shared key for our peer. */ - key = conf_get_str(id, "Authentication"); - if (!key && local_id) - key = conf_get_str(local_id, "Authentication"); - - if (!key) { - log_print("ike_auth_get_key: " - "no key found for peer \"%s\" or local ID \"%s\"", - id, local_id); - return 0; - } - /* If the key starts with 0x it is in hex format. */ - if (strncasecmp(key, "0x", 2) == 0) { - *keylen = (strlen(key) - 1) / 2; - buf = malloc(*keylen); - if (!buf) { - log_error("ike_auth_get_key: malloc (%lu) " - "failed", (unsigned long)*keylen); - return 0; - } - if (hex2raw(key + 2, (unsigned char *)buf, *keylen)) { - free(buf); - log_print("ike_auth_get_key: invalid hex key " - "%s", key); - return 0; - } - key = buf; - } else { - buf = key; - key = strdup(buf); - if (!key) { - log_error("ike_auth_get_key: strdup() failed"); - return 0; - } - *keylen = strlen(key); - } - break; - - case IKE_AUTH_RSA_SIG: -#if defined (USE_X509) || defined (USE_KEYNOTE) -#if defined (USE_KEYNOTE) - if (local_id && (keyfile = conf_get_str("KeyNote", - "Credential-directory")) != 0) { - struct stat sb; - struct keynote_deckey dc; - char *privkeyfile, *buf2; - int pkflen; - size_t size; - - pkflen = strlen(keyfile) + strlen(local_id) + - sizeof PRIVATE_KEY_FILE + sizeof "//" - 1; - privkeyfile = calloc(pkflen, sizeof(char)); - if (!privkeyfile) { - log_print("ike_auth_get_key: failed to " - "allocate %d bytes", pkflen); - return 0; - } - snprintf(privkeyfile, pkflen, "%s/%s/%s", keyfile, - local_id, PRIVATE_KEY_FILE); - keyfile = privkeyfile; - - fd = monitor_open(keyfile, O_RDONLY, 0); - if (fd < 0) { - free(keyfile); - goto ignorekeynote; - } - - if (fstat(fd, &sb) < 0) { - log_print("ike_auth_get_key: fstat failed"); - free(keyfile); - close(fd); - return 0; - } - size = (size_t)sb.st_size; - - buf = calloc(size + 1, sizeof(char)); - if (!buf) { - log_print("ike_auth_get_key: failed allocating" - " %lu bytes", (unsigned long)size + 1); - free(keyfile); - close(fd); - return 0; - } - if (read(fd, buf, size) != (ssize_t)size) { - free(buf); - log_print("ike_auth_get_key: " - "failed reading %lu bytes from \"%s\"", - (unsigned long)size, keyfile); - free(keyfile); - close(fd); - return 0; - } - close(fd); - - /* Parse private key string */ - buf2 = kn_get_string(buf); - free(buf); - - if (!buf2 || kn_decode_key(&dc, buf2, - KEYNOTE_PRIVATE_KEY) == -1) { - if (buf2) - free(buf2); - log_print("ike_auth_get_key: failed decoding " - "key in \"%s\"", keyfile); - free(keyfile); - return 0; - } - free(buf2); - - if (dc.dec_algorithm != KEYNOTE_ALGORITHM_RSA) { - log_print("ike_auth_get_key: wrong algorithm " - "type %d in \"%s\"", dc.dec_algorithm, - keyfile); - free(keyfile); - kn_free_key(&dc); - return 0; - } - free(keyfile); - return dc.dec_key; - } -ignorekeynote: -#endif /* USE_KEYNOTE */ -#ifdef USE_X509 - /* Otherwise, try X.509 */ - keyfile = conf_get_str("X509-certificates", "Private-key"); - - fd = monitor_open(keyfile, O_RDONLY, 0); - if (fd < 0) { - log_print("ike_auth_get_key: failed opening \"%s\"", - keyfile); - return 0; - } - - if (check_file_secrecy_fd(fd, keyfile, &fsize) < 0) { - close(fd); - return 0; - } - - if ((keyfp = fdopen(fd, "r")) == NULL) { - log_print("ike_auth_get_key: fdopen failed"); - close(fd); - return 0; - } -#if SSLEAY_VERSION_NUMBER >= 0x00904100L - rsakey = PEM_read_RSAPrivateKey(keyfp, NULL, NULL, NULL); -#else - rsakey = PEM_read_RSAPrivateKey(keyfp, NULL, NULL); -#endif - fclose(keyfp); - - if (!rsakey) { - log_print("ike_auth_get_key: " - "PEM_read_bio_RSAPrivateKey failed"); - return 0; - } - return rsakey; -#endif /* USE_X509 */ -#endif /* USE_X509 || USE_KEYNOTE */ - - default: - log_print("ike_auth_get_key: unknown key type %d", type); - return 0; - } - - return key; -} - -static u_int8_t * -pre_shared_gen_skeyid(struct exchange *exchange, size_t *sz) -{ - struct prf *prf; - struct ipsec_exch *ie = exchange->data; - u_int8_t *skeyid, *buf = 0; - unsigned char *key; - size_t keylen; - - /* - * If we're the responder and have the initiator's ID (which is the - * case in Aggressive mode), try to find the preshared key in the - * section of the initiator's Phase 1 ID. This allows us to do - * mobile user support with preshared keys. - */ - if (!exchange->initiator && exchange->id_i) { - switch (exchange->id_i[0]) { - case IPSEC_ID_IPV4_ADDR: - case IPSEC_ID_IPV6_ADDR: - util_ntoa((char **) &buf, - exchange->id_i[0] == IPSEC_ID_IPV4_ADDR ? AF_INET : - AF_INET6, exchange->id_i + ISAKMP_ID_DATA_OFF - - ISAKMP_GEN_SZ); - if (!buf) - return 0; - break; - - case IPSEC_ID_FQDN: - case IPSEC_ID_USER_FQDN: - buf = calloc(exchange->id_i_len - ISAKMP_ID_DATA_OFF + - ISAKMP_GEN_SZ + 1, sizeof(char)); - if (!buf) { - log_print("pre_shared_gen_skeyid: malloc (%lu" - ") failed", - (unsigned long)exchange->id_i_len - - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1); - return 0; - } - memcpy(buf, - exchange->id_i + ISAKMP_ID_DATA_OFF - - ISAKMP_GEN_SZ, - exchange->id_i_len - ISAKMP_ID_DATA_OFF + - ISAKMP_GEN_SZ); - break; - - /* XXX Support more ID types ? */ - default: - break; - } - } - /* - * Get the pre-shared key for our peer. This will work even if the key - * has been passed to us through a mechanism like PFKEYv2. - */ - key = ike_auth_get_key(IKE_AUTH_PRE_SHARED, exchange->name, - (char *) buf, &keylen); - if (buf) - free(buf); - - /* Fail if no key could be found. */ - if (!key) - return 0; - - /* Store the secret key for later policy processing. */ - exchange->recv_key = calloc(keylen + 1, sizeof(char)); - exchange->recv_keytype = ISAKMP_KEY_PASSPHRASE; - if (!exchange->recv_key) { - log_error("pre_shared_gen_skeyid: malloc (%lu) failed", - (unsigned long)keylen); - free(key); - return 0; - } - memcpy(exchange->recv_key, key, keylen); - exchange->recv_certtype = ISAKMP_CERTENC_NONE; - free(key); - - prf = prf_alloc(ie->prf_type, ie->hash->type, exchange->recv_key, - keylen); - if (!prf) - return 0; - - *sz = prf->blocksize; - skeyid = malloc(*sz); - if (!skeyid) { - log_error("pre_shared_gen_skeyid: malloc (%lu) failed", - (unsigned long)*sz); - prf_free(prf); - return 0; - } - prf->Init(prf->prfctx); - prf->Update(prf->prfctx, exchange->nonce_i, exchange->nonce_i_len); - prf->Update(prf->prfctx, exchange->nonce_r, exchange->nonce_r_len); - prf->Final(skeyid, prf->prfctx); - prf_free(prf); - return skeyid; -} - -#if defined (USE_X509) || defined (USE_KEYNOTE) -/* Both DSS & RSA signature authentication use this algorithm. */ -static u_int8_t * -sig_gen_skeyid(struct exchange *exchange, size_t *sz) -{ - struct prf *prf; - struct ipsec_exch *ie = exchange->data; - u_int8_t *skeyid; - unsigned char *key; - - key = malloc(exchange->nonce_i_len + exchange->nonce_r_len); - if (!key) - return 0; - memcpy(key, exchange->nonce_i, exchange->nonce_i_len); - memcpy(key + exchange->nonce_i_len, exchange->nonce_r, - exchange->nonce_r_len); - - LOG_DBG((LOG_NEGOTIATION, 80, "sig_gen_skeyid: PRF type %d, hash %d", - ie->prf_type, ie->hash->type)); - LOG_DBG_BUF((LOG_NEGOTIATION, 80, - "sig_gen_skeyid: SKEYID initialized with", - (u_int8_t *)key, exchange->nonce_i_len + exchange->nonce_r_len)); - - prf = prf_alloc(ie->prf_type, ie->hash->type, key, - exchange->nonce_i_len + exchange->nonce_r_len); - free(key); - if (!prf) - return 0; - - *sz = prf->blocksize; - skeyid = malloc(*sz); - if (!skeyid) { - log_error("sig_gen_skeyid: malloc (%lu) failed", - (unsigned long)*sz); - prf_free(prf); - return 0; - } - LOG_DBG((LOG_NEGOTIATION, 80, "sig_gen_skeyid: g^xy length %lu", - (unsigned long) ie->g_x_len)); - LOG_DBG_BUF((LOG_NEGOTIATION, 80, - "sig_gen_skeyid: SKEYID fed with g^xy", ie->g_xy, ie->g_x_len)); - - prf->Init(prf->prfctx); - prf->Update(prf->prfctx, ie->g_xy, ie->g_x_len); - prf->Final(skeyid, prf->prfctx); - prf_free(prf); - return skeyid; -} -#endif /* USE_X509 || USE_KEYNOTE */ - -#ifdef notdef -/* - * Both standard and revised RSA encryption authentication use this SKEYID - * computation. - */ -static u_int8_t * -enc_gen_skeyid(struct exchange *exchange, size_t *sz) -{ - struct prf *prf; - struct ipsec_exch *ie = exchange->data; - struct hash *hash = ie->hash; - u_int8_t *skeyid; - - hash->Init(hash->ctx); - hash->Update(hash->ctx, exchange->nonce_i, exchange->nonce_i_len); - hash->Update(hash->ctx, exchange->nonce_r, exchange->nonce_r_len); - hash->Final(hash->digest, hash->ctx); - prf = prf_alloc(ie->prf_type, hash->type, hash->digest, *sz); - if (!prf) - return 0; - - *sz = prf->blocksize; - skeyid = malloc(*sz); - if (!skeyid) { - log_error("enc_gen_skeyid: malloc (%d) failed", *sz); - prf_free(prf); - return 0; - } - prf->Init(prf->prfctx); - prf->Update(prf->prfctx, exchange->cookies, ISAKMP_HDR_COOKIES_LEN); - prf->Final(skeyid, prf->prfctx); - prf_free(prf); - return skeyid; -} -#endif /* notdef */ - -static int -pre_shared_decode_hash(struct message *msg) -{ - struct exchange *exchange = msg->exchange; - struct ipsec_exch *ie = exchange->data; - struct payload *payload; - size_t hashsize = ie->hash->hashsize; - char header[80]; - int initiator = exchange->initiator; - u_int8_t **hash_p; - - /* Choose the right fields to fill-in. */ - hash_p = initiator ? &ie->hash_r : &ie->hash_i; - - payload = payload_first(msg, ISAKMP_PAYLOAD_HASH); - if (!payload) { - log_print("pre_shared_decode_hash: no HASH payload found"); - return -1; - } - /* Check that the hash is of the correct size. */ - if (GET_ISAKMP_GEN_LENGTH(payload->p) - ISAKMP_GEN_SZ != hashsize) - return -1; - - /* XXX Need this hash be in the SA? */ - *hash_p = malloc(hashsize); - if (!*hash_p) { - log_error("pre_shared_decode_hash: malloc (%lu) failed", - (unsigned long)hashsize); - return -1; - } - memcpy(*hash_p, payload->p + ISAKMP_HASH_DATA_OFF, hashsize); - snprintf(header, sizeof header, "pre_shared_decode_hash: HASH_%c", - initiator ? 'R' : 'I'); - LOG_DBG_BUF((LOG_MISC, 80, header, *hash_p, hashsize)); - - payload->flags |= PL_MARK; - return 0; -} - -#if defined (USE_X509) || defined (USE_KEYNOTE) -/* Decrypt the HASH in SIG, we already need a parsed ID payload. */ -static int -rsa_sig_decode_hash(struct message *msg) -{ - struct cert_handler *handler; - struct exchange *exchange = msg->exchange; - struct ipsec_exch *ie = exchange->data; - struct payload *p; - void *cert = 0; - u_int8_t *rawcert = 0, **hash_p, **id_cert, *id; - u_int32_t rawcertlen, *id_cert_len; - RSA *key = 0; - size_t hashsize = ie->hash->hashsize, id_len; - char header[80]; - int len, initiator = exchange->initiator; - int found = 0, n, i, id_found; -#if defined (USE_DNSSEC) - u_int8_t *rawkey = 0; - u_int32_t rawkeylen; -#endif - - /* Choose the right fields to fill-in. */ - hash_p = initiator ? &ie->hash_r : &ie->hash_i; - id = initiator ? exchange->id_r : exchange->id_i; - id_len = initiator ? exchange->id_r_len : exchange->id_i_len; - - if (!id || id_len == 0) { - log_print("rsa_sig_decode_hash: ID is missing"); - return -1; - } - /* - * XXX Assume we should use the same kind of certification as the - * remote... moreover, just use the first CERT payload to decide what - * to use. - */ - p = payload_first(msg, ISAKMP_PAYLOAD_CERT); - if (!p) - handler = cert_get(ISAKMP_CERTENC_KEYNOTE); - else - handler = cert_get(GET_ISAKMP_CERT_ENCODING(p->p)); - if (!handler) { - log_print("rsa_sig_decode_hash: cert_get (%d) failed", - p ? GET_ISAKMP_CERT_ENCODING(p->p) : -1); - return -1; - } -#if defined (USE_POLICY) || defined (USE_KEYNOTE) - /* - * We need the policy session initialized now, so we can add - * credentials etc. - */ - exchange->policy_id = kn_init(); - if (exchange->policy_id == -1) { - log_print("rsa_sig_decode_hash: failed to initialize policy " - "session"); - return -1; - } -#endif /* USE_POLICY || USE_KEYNOTE */ - - /* Obtain a certificate from our certificate storage. */ - if (handler->cert_obtain(id, id_len, 0, &rawcert, &rawcertlen)) { - if (handler->id == ISAKMP_CERTENC_X509_SIG) { - cert = handler->cert_get(rawcert, rawcertlen); - if (!cert) - LOG_DBG((LOG_CRYPTO, 50, "rsa_sig_decode_hash:" - " certificate malformed")); - else { - if (!handler->cert_get_key(cert, &key)) { - log_print("rsa_sig_decode_hash: " - "decoding certificate failed"); - handler->cert_free(cert); - } else { - found++; - LOG_DBG((LOG_CRYPTO, 40, - "rsa_sig_decode_hash: using cert " - "of type %d", handler->id)); - exchange->recv_cert = cert; - exchange->recv_certtype = handler->id; -#if defined (USE_POLICY) - x509_generate_kn(exchange->policy_id, - cert); -#endif /* USE_POLICY */ - } - } - } else if (handler->id == ISAKMP_CERTENC_KEYNOTE) - handler->cert_insert(exchange->policy_id, rawcert); - free(rawcert); - } - /* - * Walk over potential CERT payloads in this message. - * XXX I believe this is the wrong spot for this. CERTs can appear - * anytime. - */ - for (p = payload_first(msg, ISAKMP_PAYLOAD_CERT); p; - p = TAILQ_NEXT(p, link)) { - p->flags |= PL_MARK; - - /* - * When we have found a key, just walk over the rest, marking - * them. - */ - if (found) - continue; - - handler = cert_get(GET_ISAKMP_CERT_ENCODING(p->p)); - if (!handler) { - LOG_DBG((LOG_MISC, 30, "rsa_sig_decode_hash: " - "no handler for %s CERT encoding", - constant_name(isakmp_certenc_cst, - GET_ISAKMP_CERT_ENCODING(p->p)))); - continue; - } - cert = handler->cert_get(p->p + ISAKMP_CERT_DATA_OFF, - GET_ISAKMP_GEN_LENGTH(p->p) - ISAKMP_CERT_DATA_OFF); - if (!cert) { - log_print("rsa_sig_decode_hash: " - "can not get data from CERT"); - continue; - } - if (!handler->cert_validate(cert)) { - handler->cert_free(cert); - log_print("rsa_sig_decode_hash: received CERT can't " - "be validated"); - continue; - } - if (GET_ISAKMP_CERT_ENCODING(p->p) == - ISAKMP_CERTENC_X509_SIG) { - if (!handler->cert_get_subjects(cert, &n, &id_cert, - &id_cert_len)) { - handler->cert_free(cert); - log_print("rsa_sig_decode_hash: can not get " - "subject from CERT"); - continue; - } - id_found = 0; - for (i = 0; i < n; i++) - if (id_cert_len[i] == id_len && - id[0] == id_cert[i][0] && - memcmp(id + 4, id_cert[i] + 4, id_len - 4) - == 0) { - id_found++; - break; - } - if (!id_found) { - handler->cert_free(cert); - log_print("rsa_sig_decode_hash: no CERT " - "subject match the ID"); - free(id_cert); - continue; - } - cert_free_subjects(n, id_cert, id_cert_len); - } - if (!handler->cert_get_key(cert, &key)) { - handler->cert_free(cert); - log_print("rsa_sig_decode_hash: decoding payload CERT " - "failed"); - continue; - } - /* We validated the cert, cache it for later use. */ - handler->cert_insert(exchange->policy_id, cert); - - exchange->recv_cert = cert; - exchange->recv_certtype = GET_ISAKMP_CERT_ENCODING(p->p); - -#if defined (USE_POLICY) || defined (USE_KEYNOTE) - if (exchange->recv_certtype == ISAKMP_CERTENC_KEYNOTE) { - struct keynote_deckey dc; - char *pp; - int dclen; - - dc.dec_algorithm = KEYNOTE_ALGORITHM_RSA; - dc.dec_key = key; - - pp = kn_encode_key(&dc, INTERNAL_ENC_PKCS1, - ENCODING_HEX, KEYNOTE_PUBLIC_KEY); - if (pp == NULL) { - kn_free_key(&dc); - log_print("rsa_sig_decode_hash: failed to " - "ASCII-encode key"); - return -1; - } - dclen = strlen(pp) + sizeof "rsa-hex:"; - exchange->keynote_key = calloc(dclen, sizeof(char)); - if (!exchange->keynote_key) { - free(pp); - kn_free_key(&dc); - log_print("rsa_sig_decode_hash: failed to " - "allocate %d bytes", dclen); - return -1; - } - snprintf(exchange->keynote_key, dclen, "rsa-hex:%s", - pp); - free(pp); - } -#endif - - found++; - } - -#if defined (USE_DNSSEC) - /* - * If no certificate provided a key, try to find a validated DNSSEC - * KEY. - */ - if (!found) { - rawkey = dns_get_key(IKE_AUTH_RSA_SIG, msg, &rawkeylen); - - /* We need to convert 'void *rawkey' into 'RSA *key'. */ - if (dns_RSA_dns_to_x509(rawkey, rawkeylen, &key) == 0) - found++; - else - log_print("rsa_sig_decode_hash: KEY to RSA key " - "conversion failed"); - - if (rawkey) - free(rawkey); - } -#endif /* USE_DNSSEC */ - -#if defined (USE_RAWKEY) - /* If we still have not found a key, try to read it from a file. */ - if (!found) - if (get_raw_key_from_file(IKE_AUTH_RSA_SIG, id, id_len, &key) - != -1) - found++; -#endif - - if (!found) { - log_print("rsa_sig_decode_hash: no public key found"); - return -1; - } - p = payload_first(msg, ISAKMP_PAYLOAD_SIG); - if (!p) { - log_print("rsa_sig_decode_hash: missing signature payload"); - RSA_free(key); - return -1; - } - /* Check that the sig is of the correct size. */ - len = GET_ISAKMP_GEN_LENGTH(p->p) - ISAKMP_SIG_SZ; - if (len != RSA_size(key)) { - RSA_free(key); - log_print("rsa_sig_decode_hash: " - "SIG payload length does not match public key"); - return -1; - } - *hash_p = malloc(len); - if (!*hash_p) { - RSA_free(key); - log_error("rsa_sig_decode_hash: malloc (%d) failed", len); - return -1; - } - len = RSA_public_decrypt(len, p->p + ISAKMP_SIG_DATA_OFF, *hash_p, key, - RSA_PKCS1_PADDING); - if (len == -1) { - RSA_free(key); - log_print("rsa_sig_decode_hash: RSA_public_decrypt () failed"); - return -1; - } - /* Store key for later use */ - exchange->recv_key = key; - exchange->recv_keytype = ISAKMP_KEY_RSA; - - if (len != (int) hashsize) { - free(*hash_p); - *hash_p = 0; - log_print("rsa_sig_decode_hash: len %lu != hashsize %lu", - (unsigned long)len, (unsigned long)hashsize); - return -1; - } - snprintf(header, sizeof header, "rsa_sig_decode_hash: HASH_%c", - initiator ? 'R' : 'I'); - LOG_DBG_BUF((LOG_MISC, 80, header, *hash_p, hashsize)); - - p->flags |= PL_MARK; - return 0; -} -#endif /* USE_X509 || USE_KEYNOTE */ - -static int -pre_shared_encode_hash(struct message *msg) -{ - struct exchange *exchange = msg->exchange; - struct ipsec_exch *ie = exchange->data; - size_t hashsize = ie->hash->hashsize; - char header[80]; - int initiator = exchange->initiator; - u_int8_t *buf; - - buf = ipsec_add_hash_payload(msg, hashsize); - if (!buf) - return -1; - - if (ike_auth_hash(exchange, buf + ISAKMP_HASH_DATA_OFF) == -1) - return -1; - - snprintf(header, sizeof header, "pre_shared_encode_hash: HASH_%c", - initiator ? 'I' : 'R'); - LOG_DBG_BUF((LOG_MISC, 80, header, buf + ISAKMP_HASH_DATA_OFF, - hashsize)); - return 0; -} - -#if defined (USE_X509) || defined (USE_KEYNOTE) -/* Encrypt the HASH into a SIG type. */ -static int -rsa_sig_encode_hash(struct message *msg) -{ - struct exchange *exchange = msg->exchange; - struct ipsec_exch *ie = exchange->data; - size_t hashsize = ie->hash->hashsize, id_len; - struct cert_handler *handler; - char header[80]; - int initiator = exchange->initiator, idtype; - u_int8_t *buf, *data, *buf2, *id; - u_int32_t datalen; - int32_t sigsize; - void *sent_key; - - id = initiator ? exchange->id_i : exchange->id_r; - id_len = initiator ? exchange->id_i_len : exchange->id_r_len; - - /* We may have been provided these by the kernel */ - buf = (u_int8_t *) conf_get_str(exchange->name, "Credentials"); - if (buf && (idtype = conf_get_num(exchange->name, "Credential_Type", - -1) != -1)) { - exchange->sent_certtype = idtype; - handler = cert_get(idtype); - if (!handler) { - log_print("rsa_sig_encode_hash: cert_get (%d) failed", - idtype); - return -1; - } - exchange->sent_cert = - handler->cert_from_printable((char *)buf); - if (!exchange->sent_cert) { - log_print("rsa_sig_encode_hash: failed to retrieve " - "certificate"); - return -1; - } - handler->cert_serialize(exchange->sent_cert, &data, &datalen); - if (!data) { - log_print("rsa_sig_encode_hash: cert serialization " - "failed"); - return -1; - } - goto aftercert; /* Skip all the certificate discovery */ - } - /* XXX This needs to be configurable. */ - idtype = ISAKMP_CERTENC_KEYNOTE; - - /* Find a certificate with subjectAltName = id. */ - handler = cert_get(idtype); - if (!handler) { - idtype = ISAKMP_CERTENC_X509_SIG; - handler = cert_get(idtype); - if (!handler) { - log_print("rsa_sig_encode_hash: cert_get(%d) failed", - idtype); - return -1; - } - } - if (handler->cert_obtain(id, id_len, 0, &data, &datalen) == 0) { - if (idtype == ISAKMP_CERTENC_KEYNOTE) { - idtype = ISAKMP_CERTENC_X509_SIG; - handler = cert_get(idtype); - if (!handler) { - log_print("rsa_sig_encode_hash: cert_get(%d) " - "failed", idtype); - return -1; - } - if (handler->cert_obtain(id, id_len, 0, &data, - &datalen) == 0) { - LOG_DBG((LOG_MISC, 10, "rsa_sig_encode_hash: " - "no certificate to send")); - goto skipcert; - } - } else { - LOG_DBG((LOG_MISC, 10, - "rsa_sig_encode_hash: no certificate to send")); - goto skipcert; - } - } - /* Let's store the certificate we are going to use */ - exchange->sent_certtype = idtype; - exchange->sent_cert = handler->cert_get(data, datalen); - if (!exchange->sent_cert) { - free(data); - log_print("rsa_sig_encode_hash: failed to get certificate " - "from wire encoding"); - return -1; - } -aftercert: - - buf = realloc(data, ISAKMP_CERT_SZ + datalen); - if (!buf) { - log_error("rsa_sig_encode_hash: realloc (%p, %d) failed", data, - ISAKMP_CERT_SZ + datalen); - free(data); - return -1; - } - memmove(buf + ISAKMP_CERT_SZ, buf, datalen); - SET_ISAKMP_CERT_ENCODING(buf, idtype); - if (message_add_payload(msg, ISAKMP_PAYLOAD_CERT, buf, - ISAKMP_CERT_SZ + datalen, 1)) { - free(buf); - return -1; - } -skipcert: - - /* Again, we may have these from the kernel */ - buf = (u_int8_t *) conf_get_str(exchange->name, "PKAuthentication"); - if (buf) { - key_from_printable(ISAKMP_KEY_RSA, ISAKMP_KEYTYPE_PRIVATE, - (char *)buf, &data, &datalen); - if (!data) { - log_print("rsa_sig_encode_hash: badly formatted RSA " - "private key"); - return 0; - } - sent_key = key_internalize(ISAKMP_KEY_RSA, - ISAKMP_KEYTYPE_PRIVATE, data, datalen); - if (!sent_key) { - log_print("rsa_sig_encode_hash: bad RSA private key " - "from dynamic SA acquisition subsystem"); - return 0; - } - } else { - /* Try through the regular means. */ - switch (id[ISAKMP_ID_TYPE_OFF - ISAKMP_GEN_SZ]) { - case IPSEC_ID_IPV4_ADDR: - case IPSEC_ID_IPV6_ADDR: - util_ntoa((char **)&buf2, - id[ISAKMP_ID_TYPE_OFF - ISAKMP_GEN_SZ] == - IPSEC_ID_IPV4_ADDR ? AF_INET : AF_INET6, - id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ); - if (!buf2) - return 0; - break; - - case IPSEC_ID_FQDN: - case IPSEC_ID_USER_FQDN: - buf2 = calloc(id_len - ISAKMP_ID_DATA_OFF + - ISAKMP_GEN_SZ + 1, sizeof(char)); - if (!buf2) { - log_print("rsa_sig_encode_hash: malloc (%lu) " - "failed", (unsigned long)id_len - - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ + 1); - return 0; - } - memcpy(buf2, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, - id_len - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); - break; - - /* XXX Support more ID types? */ - default: - buf2 = 0; - return 0; - } - - sent_key = ike_auth_get_key(IKE_AUTH_RSA_SIG, exchange->name, - (char *)buf2, 0); - free(buf2); - - /* Did we find a key? */ - if (!sent_key) { - log_print("rsa_sig_encode_hash: " - "could not get private key"); - return -1; - } - } - - /* Enable RSA blinding. */ - if (RSA_blinding_on(sent_key, NULL) != 1) { - log_error("rsa_sig_encode_hash: RSA_blinding_on () failed."); - return -1; - } - /* XXX hashsize is not necessarily prf->blocksize. */ - buf = malloc(hashsize); - if (!buf) { - log_error("rsa_sig_encode_hash: malloc (%lu) failed", - (unsigned long)hashsize); - return -1; - } - if (ike_auth_hash(exchange, buf) == -1) { - free(buf); - return -1; - } - snprintf(header, sizeof header, "rsa_sig_encode_hash: HASH_%c", - initiator ? 'I' : 'R'); - LOG_DBG_BUF((LOG_MISC, 80, header, buf, hashsize)); - - data = malloc(RSA_size(sent_key)); - if (!data) { - log_error("rsa_sig_encode_hash: malloc (%d) failed", - RSA_size(sent_key)); - return -1; - } - sigsize = RSA_private_encrypt(hashsize, buf, data, sent_key, - RSA_PKCS1_PADDING); - if (sigsize == -1) { - log_print("rsa_sig_encode_hash: " - "RSA_private_encrypt () failed"); - if (data) - free(data); - free(buf); - RSA_free(sent_key); - return -1; - } - datalen = (u_int32_t) sigsize; - - free(buf); - - buf = realloc(data, ISAKMP_SIG_SZ + datalen); - if (!buf) { - log_error("rsa_sig_encode_hash: realloc (%p, %d) failed", data, - ISAKMP_SIG_SZ + datalen); - free(data); - return -1; - } - memmove(buf + ISAKMP_SIG_SZ, buf, datalen); - - snprintf(header, sizeof header, "rsa_sig_encode_hash: SIG_%c", - initiator ? 'I' : 'R'); - LOG_DBG_BUF((LOG_MISC, 80, header, buf + ISAKMP_SIG_DATA_OFF, - datalen)); - if (message_add_payload(msg, ISAKMP_PAYLOAD_SIG, buf, - ISAKMP_SIG_SZ + datalen, 1)) { - free(buf); - return -1; - } - return 0; -} -#endif /* USE_X509 || USE_KEYNOTE */ - -int -ike_auth_hash(struct exchange *exchange, u_int8_t *buf) -{ - struct ipsec_exch *ie = exchange->data; - struct prf *prf; - struct hash *hash = ie->hash; - int initiator = exchange->initiator; - u_int8_t *id; - size_t id_len; - - /* Choose the right fields to fill-in. */ - id = initiator ? exchange->id_i : exchange->id_r; - id_len = initiator ? exchange->id_i_len : exchange->id_r_len; - - /* Allocate the prf and start calculating our HASH. */ - prf = prf_alloc(ie->prf_type, hash->type, ie->skeyid, ie->skeyid_len); - if (!prf) - return -1; - - prf->Init(prf->prfctx); - prf->Update(prf->prfctx, initiator ? ie->g_xi : ie->g_xr, ie->g_x_len); - prf->Update(prf->prfctx, initiator ? ie->g_xr : ie->g_xi, ie->g_x_len); - prf->Update(prf->prfctx, exchange->cookies + - (initiator ? ISAKMP_HDR_ICOOKIE_OFF : ISAKMP_HDR_RCOOKIE_OFF), - ISAKMP_HDR_ICOOKIE_LEN); - prf->Update(prf->prfctx, exchange->cookies + - (initiator ? ISAKMP_HDR_RCOOKIE_OFF : ISAKMP_HDR_ICOOKIE_OFF), - ISAKMP_HDR_ICOOKIE_LEN); - prf->Update(prf->prfctx, ie->sa_i_b, ie->sa_i_b_len); - prf->Update(prf->prfctx, id, id_len); - prf->Final(buf, prf->prfctx); - prf_free(prf); - return 0; -} - -#if defined (USE_RAWKEY) -static int -get_raw_key_from_file(int type, u_int8_t *id, size_t id_len, RSA **rsa) -{ - char filename[FILENAME_MAX]; - char *fstr; - FILE *keyfp; - - if (type != IKE_AUTH_RSA_SIG) { /* XXX More types? */ - LOG_DBG((LOG_NEGOTIATION, 20, "get_raw_key_from_file: " - "invalid auth type %d\n", type)); - return -1; - } - *rsa = 0; - - fstr = conf_get_str("General", "Pubkey-directory"); - if (!fstr) - fstr = CONF_DFLT_PUBKEY_DIR; - - if (snprintf(filename, sizeof filename, "%s/", fstr) > - (int)sizeof filename - 1) - return -1; - - fstr = ipsec_id_string(id, id_len); - if (!fstr) { - LOG_DBG((LOG_NEGOTIATION, 50, "get_raw_key_from_file: " - "ipsec_id_string failed")); - return -1; - } - strlcat(filename, fstr, sizeof filename - strlen(filename)); - free(fstr); - - /* If the file does not exist, fail silently. */ - keyfp = monitor_fopen(filename, "r"); - if (keyfp) { - *rsa = PEM_read_RSA_PUBKEY(keyfp, NULL, NULL, NULL); - fclose(keyfp); - } else if (errno != ENOENT) { - log_error("get_raw_key_from_file: monitor_fopen " - "(\"%s\", \"r\") failed", filename); - return -1; - } else - LOG_DBG((LOG_NEGOTIATION, 50, - "get_raw_key_from_file: file %s not found", filename)); - - return (*rsa ? 0 : -1); -} -#endif /* USE_RAWKEY */ diff --git a/keyexchange/isakmpd-20041012/ike_auth.h b/keyexchange/isakmpd-20041012/ike_auth.h deleted file mode 100644 index 39b0923..0000000 --- a/keyexchange/isakmpd-20041012/ike_auth.h +++ /dev/null @@ -1,48 +0,0 @@ -/* $OpenBSD: ike_auth.h,v 1.5 2004/04/15 18:39:25 deraadt Exp $ */ -/* $EOM: ike_auth.h,v 1.5 1998/08/16 19:55:24 provos Exp $ */ - -/* - * Copyright (c) 1998 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _IKE_AUTH_H_ -#define _IKE_AUTH_H_ - -#include <sys/types.h> - -struct exchange; - -struct ike_auth { - u_int16_t id; - u_int8_t *(*gen_skeyid) (struct exchange *, size_t *); - int (*decode_hash) (struct message *); - int (*encode_hash) (struct message *); -}; - -extern struct ike_auth *ike_auth_get(u_int16_t); - -#endif /* _IKE_AUTH_H_ */ diff --git a/keyexchange/isakmpd-20041012/ike_main_mode.c b/keyexchange/isakmpd-20041012/ike_main_mode.c deleted file mode 100644 index 1308564..0000000 --- a/keyexchange/isakmpd-20041012/ike_main_mode.c +++ /dev/null @@ -1,124 +0,0 @@ -/* $OpenBSD: ike_main_mode.c,v 1.15 2004/06/14 09:55:41 ho Exp $ */ -/* $EOM: ike_main_mode.c,v 1.77 1999/04/25 22:12:34 niklas Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/types.h> -#include <netinet/in.h> -#include <stdlib.h> -#include <string.h> - -#include "sysdep.h" - -#include "attribute.h" -#include "conf.h" -#include "constants.h" -#include "crypto.h" -#include "dh.h" -#include "doi.h" -#include "exchange.h" -#include "hash.h" -#include "ike_auth.h" -#include "ike_main_mode.h" -#include "ike_phase_1.h" -#include "ipsec.h" -#include "ipsec_doi.h" -#include "isakmp.h" -#include "log.h" -#include "math_group.h" -#include "message.h" -#include "prf.h" -#include "sa.h" -#include "transport.h" -#include "util.h" - -static int initiator_send_ID_AUTH(struct message *); -static int responder_send_ID_AUTH(struct message *); -static int responder_send_KE_NONCE(struct message *); - -int (*ike_main_mode_initiator[]) (struct message *) = { - ike_phase_1_initiator_send_SA, - ike_phase_1_initiator_recv_SA, - ike_phase_1_initiator_send_KE_NONCE, - ike_phase_1_initiator_recv_KE_NONCE, - initiator_send_ID_AUTH, - ike_phase_1_recv_ID_AUTH -}; - -int (*ike_main_mode_responder[]) (struct message *) = { - ike_phase_1_responder_recv_SA, - ike_phase_1_responder_send_SA, - ike_phase_1_recv_KE_NONCE, - responder_send_KE_NONCE, - ike_phase_1_recv_ID_AUTH, - responder_send_ID_AUTH -}; - -static int -initiator_send_ID_AUTH(struct message *msg) -{ - msg->exchange->flags |= EXCHANGE_FLAG_ENCRYPT; - - if (ike_phase_1_send_ID(msg)) - return -1; - - if (ike_phase_1_send_AUTH(msg)) - return -1; - - return ipsec_initial_contact(msg); -} - -/* Send our public DH value and a nonce to the initiator. */ -int -responder_send_KE_NONCE(struct message *msg) -{ - /* XXX Should we really just use the initiator's nonce size? */ - if (ike_phase_1_send_KE_NONCE(msg, msg->exchange->nonce_i_len)) - return -1; - - /* - * Calculate DH values & key material in parallel with the message - * going on a roundtrip over the wire. - */ - message_register_post_send(msg, - (void (*)(struct message *))ike_phase_1_post_exchange_KE_NONCE); - - return 0; -} - -static int -responder_send_ID_AUTH(struct message *msg) -{ - msg->exchange->flags |= EXCHANGE_FLAG_ENCRYPT; - - if (ike_phase_1_responder_send_ID_AUTH(msg)) - return -1; - - return ipsec_initial_contact(msg); -} diff --git a/keyexchange/isakmpd-20041012/ike_main_mode.h b/keyexchange/isakmpd-20041012/ike_main_mode.h deleted file mode 100644 index 3e0d173..0000000 --- a/keyexchange/isakmpd-20041012/ike_main_mode.h +++ /dev/null @@ -1,40 +0,0 @@ -/* $OpenBSD: ike_main_mode.h,v 1.6 2004/05/23 18:17:56 hshoexer Exp $ */ -/* $EOM: ike_main_mode.h,v 1.1 1998/07/25 11:22:07 niklas Exp $ */ - -/* - * Copyright (c) 1998 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _IKE_MAIN_MODE_H_ -#define _IKE_MAIN_MODE_H_ - -struct message; - -extern int (*ike_main_mode_initiator[]) (struct message *msg); -extern int (*ike_main_mode_responder[]) (struct message *msg); - -#endif /* _IKE_MAIN_MODE_H_ */ diff --git a/keyexchange/isakmpd-20041012/ike_phase_1.c b/keyexchange/isakmpd-20041012/ike_phase_1.c deleted file mode 100644 index 7f72a25..0000000 --- a/keyexchange/isakmpd-20041012/ike_phase_1.c +++ /dev/null @@ -1,1396 +0,0 @@ -/* $OpenBSD: ike_phase_1.c,v 1.56 2004/08/08 19:11:06 deraadt Exp $ */ -/* $EOM: ike_phase_1.c,v 1.31 2000/12/11 23:47:56 niklas Exp $ */ - -/* - * Copyright (c) 1999, 2000 Niklas Hallqvist. All rights reserved. - * Copyright (c) 1999, 2000 Angelos D. Keromytis. All rights reserved. - * Copyright (c) 2001, 2004 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/types.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <stdlib.h> -#include <string.h> - -#include "sysdep.h" - -#include "attribute.h" -#include "conf.h" -#include "constants.h" -#include "crypto.h" -#include "dh.h" -#include "doi.h" -#ifdef USE_DPD -#include "dpd.h" -#endif -#include "exchange.h" -#include "hash.h" -#include "ike_auth.h" -#include "ike_phase_1.h" -#include "ipsec.h" -#include "ipsec_doi.h" -#include "isakmp.h" -#include "log.h" -#include "math_group.h" -#include "message.h" -#if defined (USE_NAT_TRAVERSAL) -#include "nat_traversal.h" -#endif -#include "prf.h" -#include "sa.h" -#include "transport.h" -#include "util.h" - -static int attribute_unacceptable(u_int16_t, u_int8_t *, u_int16_t, - void *); -static int ike_phase_1_validate_prop(struct exchange *, struct sa *, - struct sa *); - -/* Offer a set of transforms to the responder in the MSG message. */ -int -ike_phase_1_initiator_send_SA(struct message *msg) -{ - struct exchange *exchange = msg->exchange; - struct ipsec_exch *ie = exchange->data; - u_int8_t *proposal = 0, *sa_buf = 0, *saved_nextp, *attr; - u_int8_t **transform = 0; - size_t transforms_len = 0, proposal_len, sa_len; - size_t *transform_len = 0; - struct conf_list *conf, *life_conf; - struct conf_list_node *xf, *life; - int value, update_nextp; - size_t i; - struct payload *p; - struct proto *proto; - struct proto_attr *pa; - int group_desc = -1, new_group_desc; - - /* Get the list of transforms. */ - conf = conf_get_list(exchange->policy, "Transforms"); - if (!conf) - return -1; - - transform = calloc(conf->cnt, sizeof *transform); - if (!transform) { - log_error("ike_phase_1_initiator_send_SA: calloc (%lu, %lu) " - "failed", (u_long)conf->cnt, (u_long) sizeof *transform); - goto bail_out; - } - transform_len = calloc(conf->cnt, sizeof *transform_len); - if (!transform_len) { - log_error("ike_phase_1_initiator_send_SA: calloc (%lu, %lu) " - "failed", (u_long)conf->cnt, - (u_long) sizeof *transform_len); - goto bail_out; - } - for (xf = TAILQ_FIRST(&conf->fields), i = 0; i < conf->cnt; - i++, xf = TAILQ_NEXT(xf, link)) { - /* XXX The sizing needs to be dynamic. */ - transform[i] = malloc(ISAKMP_TRANSFORM_SA_ATTRS_OFF + - 16 * ISAKMP_ATTR_VALUE_OFF); - if (!transform[i]) { - log_error("ike_phase_1_initiator_send_SA: malloc (%d) " - "failed", ISAKMP_TRANSFORM_SA_ATTRS_OFF + - 16 * ISAKMP_ATTR_VALUE_OFF); - goto bail_out; - } - SET_ISAKMP_TRANSFORM_NO(transform[i], i); - SET_ISAKMP_TRANSFORM_ID(transform[i], IPSEC_TRANSFORM_KEY_IKE); - SET_ISAKMP_TRANSFORM_RESERVED(transform[i], 0); - - attr = transform[i] + ISAKMP_TRANSFORM_SA_ATTRS_OFF; - - if (attribute_set_constant(xf->field, "ENCRYPTION_ALGORITHM", - ike_encrypt_cst, IKE_ATTR_ENCRYPTION_ALGORITHM, &attr)) - goto bail_out; - - if (attribute_set_constant(xf->field, "HASH_ALGORITHM", - ike_hash_cst, IKE_ATTR_HASH_ALGORITHM, &attr)) - goto bail_out; - - if (attribute_set_constant(xf->field, "AUTHENTICATION_METHOD", - ike_auth_cst, IKE_ATTR_AUTHENTICATION_METHOD, &attr)) - goto bail_out; - - if (attribute_set_constant(xf->field, "GROUP_DESCRIPTION", - ike_group_desc_cst, IKE_ATTR_GROUP_DESCRIPTION, &attr)) { - /* - * If no group description exists, try looking for - * a user-defined one. - */ - if (attribute_set_constant(xf->field, "GROUP_TYPE", - ike_group_cst, IKE_ATTR_GROUP_TYPE, &attr)) - goto bail_out; - -#if 0 - if (attribute_set_bignum(xf->field, "GROUP_PRIME", - IKE_ATTR_GROUP_PRIME, &attr)) - goto bail_out; - - if (attribute_set_bignum(xf->field, - "GROUP_GENERATOR_2", IKE_ATTR_GROUP_GENERATOR_2, - &attr)) - goto bail_out; - - if (attribute_set_bignum(xf->field, - "GROUP_GENERATOR_2", IKE_ATTR_GROUP_GENERATOR_2, - &attr)) - goto bail_out; - - if (attribute_set_bignum(xf->field, "GROUP_CURVE_A", - IKE_ATTR_GROUP_CURVE_A, &attr)) - goto bail_out; - - if (attribute_set_bignum(xf->field, "GROUP_CURVE_B", - IKE_ATTR_GROUP_CURVE_B, &attr)) - goto bail_out; -#endif - } - /* - * Life durations are special, we should be able to specify - * several, one per type. - */ - life_conf = conf_get_list(xf->field, "Life"); - if (life_conf) { - for (life = TAILQ_FIRST(&life_conf->fields); life; - life = TAILQ_NEXT(life, link)) { - attribute_set_constant(life->field, - "LIFE_TYPE", ike_duration_cst, - IKE_ATTR_LIFE_TYPE, &attr); - - /* - * XXX Deals with 16 and 32 bit lifetimes - * only - */ - value = conf_get_num(life->field, - "LIFE_DURATION", 0); - if (value) { - if (value <= 0xffff) - attr = attribute_set_basic( - attr, - IKE_ATTR_LIFE_DURATION, - value); - else { - value = htonl(value); - attr = attribute_set_var(attr, - IKE_ATTR_LIFE_DURATION, - (u_int8_t *)&value, - sizeof value); - } - } - } - conf_free_list(life_conf); - } - attribute_set_constant(xf->field, "PRF", ike_prf_cst, - IKE_ATTR_PRF, &attr); - - value = conf_get_num(xf->field, "KEY_LENGTH", 0); - if (value) - attr = attribute_set_basic(attr, IKE_ATTR_KEY_LENGTH, - value); - - value = conf_get_num(xf->field, "FIELD_SIZE", 0); - if (value) - attr = attribute_set_basic(attr, IKE_ATTR_FIELD_SIZE, - value); - - value = conf_get_num(xf->field, "GROUP_ORDER", 0); - if (value) - attr = attribute_set_basic(attr, IKE_ATTR_GROUP_ORDER, - value); - - /* Record the real transform size. */ - transforms_len += transform_len[i] = attr - transform[i]; - - /* XXX I don't like exchange-specific stuff in here. */ - if (exchange->type == ISAKMP_EXCH_AGGRESSIVE) { - /* - * Make sure that if a group description is specified, - * it is specified for all transforms equally. - */ - attr = (u_int8_t *) conf_get_str(xf->field, - "GROUP_DESCRIPTION"); - new_group_desc = - attr ? constant_value(ike_group_desc_cst, - (char *) attr) : 0; - if (group_desc == -1) - group_desc = new_group_desc; - else if (group_desc != new_group_desc) { - log_print("ike_phase_1_initiator_send_SA: " - "differing group descriptions in a " - "proposal"); - goto bail_out; - } - } - /* - * We need to check that we actually support our - * configuration. - */ - if (attribute_map(transform[i] + ISAKMP_TRANSFORM_SA_ATTRS_OFF, - transform_len[i] - ISAKMP_TRANSFORM_SA_ATTRS_OFF, - exchange->doi->is_attribute_incompatible, msg)) { - log_print("ike_phase_1_initiator_send_SA: " - "section [%s] has unsupported attribute(s)", - xf->field); - goto bail_out; - } - } - - /* XXX I don't like exchange-specific stuff in here. */ - if (exchange->type == ISAKMP_EXCH_AGGRESSIVE) - ie->group = group_get(group_desc); - - proposal_len = ISAKMP_PROP_SPI_OFF; - proposal = malloc(proposal_len); - if (!proposal) { - log_error("ike_phase_1_initiator_send_SA: malloc (%lu) failed", - (unsigned long) proposal_len); - goto bail_out; - } - SET_ISAKMP_PROP_NO(proposal, 1); - SET_ISAKMP_PROP_PROTO(proposal, ISAKMP_PROTO_ISAKMP); - SET_ISAKMP_PROP_SPI_SZ(proposal, 0); - SET_ISAKMP_PROP_NTRANSFORMS(proposal, conf->cnt); - - /* XXX I would like to see this factored out. */ - proto = calloc(1, sizeof *proto); - if (!proto) { - log_error("ike_phase_1_initiator_send_SA: " - "calloc (1, %lu) failed", (unsigned long) sizeof *proto); - goto bail_out; - } - proto->no = 1; - proto->proto = ISAKMP_PROTO_ISAKMP; - proto->sa = TAILQ_FIRST(&exchange->sa_list); - proto->xf_cnt = conf->cnt; - TAILQ_INIT(&proto->xfs); - for (i = 0; i < proto->xf_cnt; i++) { - pa = (struct proto_attr *) calloc(1, sizeof *pa); - if (!pa) - goto bail_out; - pa->len = transform_len[i]; - pa->attrs = (u_int8_t *) malloc(pa->len); - if (!pa->attrs) { - free(pa); - goto bail_out; - } - memcpy(pa->attrs, transform[i], pa->len); - TAILQ_INSERT_TAIL(&proto->xfs, pa, next); - } - TAILQ_INSERT_TAIL(&TAILQ_FIRST(&exchange->sa_list)->protos, proto, - link); - - sa_len = ISAKMP_SA_SIT_OFF + IPSEC_SIT_SIT_LEN; - sa_buf = malloc(sa_len); - if (!sa_buf) { - log_error("ike_phase_1_initiator_send_SA: malloc (%lu) failed", - (unsigned long) sa_len); - goto bail_out; - } - SET_ISAKMP_SA_DOI(sa_buf, IPSEC_DOI_IPSEC); - SET_IPSEC_SIT_SIT(sa_buf + ISAKMP_SA_SIT_OFF, IPSEC_SIT_IDENTITY_ONLY); - - /* - * Add the payloads. As this is a SA, we need to recompute the - * lengths of the payloads containing others. - */ - if (message_add_payload(msg, ISAKMP_PAYLOAD_SA, sa_buf, sa_len, 1)) - goto bail_out; - SET_ISAKMP_GEN_LENGTH(sa_buf, - sa_len + proposal_len + transforms_len); - sa_buf = 0; - - saved_nextp = msg->nextp; - if (message_add_payload(msg, ISAKMP_PAYLOAD_PROPOSAL, proposal, - proposal_len, 0)) - goto bail_out; - SET_ISAKMP_GEN_LENGTH(proposal, proposal_len + transforms_len); - proposal = 0; - - update_nextp = 0; - for (i = 0; i < conf->cnt; i++) { - if (message_add_payload(msg, ISAKMP_PAYLOAD_TRANSFORM, - transform[i], transform_len[i], update_nextp)) - goto bail_out; - update_nextp = 1; - transform[i] = 0; - } - msg->nextp = saved_nextp; - - /* Save SA payload body in ie->sa_i_b, length ie->sa_i_b_len. */ - ie->sa_i_b_len = sa_len + proposal_len + transforms_len - - ISAKMP_GEN_SZ; - ie->sa_i_b = malloc(ie->sa_i_b_len); - if (!ie->sa_i_b) { - log_error("ike_phase_1_initiator_send_SA: malloc (%lu) failed", - (unsigned long) ie->sa_i_b_len); - goto bail_out; - } - memcpy(ie->sa_i_b, - payload_first(msg, ISAKMP_PAYLOAD_SA)->p + ISAKMP_GEN_SZ, - sa_len - ISAKMP_GEN_SZ); - memcpy(ie->sa_i_b + sa_len - ISAKMP_GEN_SZ, - payload_first(msg, ISAKMP_PAYLOAD_PROPOSAL)->p, proposal_len); - transforms_len = 0; - for (i = 0, p = payload_first(msg, ISAKMP_PAYLOAD_TRANSFORM); - i < conf->cnt; i++, p = TAILQ_NEXT(p, link)) { - memcpy(ie->sa_i_b + sa_len + proposal_len + transforms_len - - ISAKMP_GEN_SZ, p->p, transform_len[i]); - transforms_len += transform_len[i]; - } - -#if defined (USE_NAT_TRAVERSAL) - /* Advertise NAT-T capability. */ - if (nat_t_add_vendor_payloads(msg)) - goto bail_out; -#endif - -#if defined (USE_DPD) - /* Advertise DPD capability. */ - if (dpd_add_vendor_payload(msg)) - goto bail_out; -#endif - - conf_free_list(conf); - free(transform); - free(transform_len); - return 0; - -bail_out: - if (sa_buf) - free(sa_buf); - if (proposal) - free(proposal); - if (transform) { - for (i = 0; i < conf->cnt; i++) - if (transform[i]) - free(transform[i]); - free(transform); - } - if (transform_len) - free(transform_len); - conf_free_list(conf); - return -1; -} - -/* Figure out what transform the responder chose. */ -int -ike_phase_1_initiator_recv_SA(struct message *msg) -{ - struct exchange *exchange = msg->exchange; - struct sa *sa = TAILQ_FIRST(&exchange->sa_list); - struct ipsec_exch *ie = exchange->data; - struct ipsec_sa *isa = sa->data; - struct payload *sa_p = payload_first(msg, ISAKMP_PAYLOAD_SA); - struct payload *prop = payload_first(msg, ISAKMP_PAYLOAD_PROPOSAL); - struct payload *xf = payload_first(msg, ISAKMP_PAYLOAD_TRANSFORM); - - /* - * IKE requires that only one SA with only one proposal exists and - * since we are getting an answer on our transform offer, only one - * transform. - */ - if (TAILQ_NEXT(sa_p, link) || TAILQ_NEXT(prop, link) || - TAILQ_NEXT(xf, link)) { - log_print("ike_phase_1_initiator_recv_SA: " - "multiple SA, proposal or transform payloads in phase 1"); - /* XXX Is there a better notification type? */ - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0); - return -1; - } - /* Check that the chosen transform matches an offer. */ - if (message_negotiate_sa(msg, ike_phase_1_validate_prop) || - !TAILQ_FIRST(&sa->protos)) - return -1; - - ipsec_decode_transform(msg, sa, TAILQ_FIRST(&sa->protos), xf->p); - - /* XXX I don't like exchange-specific stuff in here. */ - if (exchange->type != ISAKMP_EXCH_AGGRESSIVE) - ie->group = group_get(isa->group_desc); - - /* Mark the SA as handled. */ - sa_p->flags |= PL_MARK; - - return 0; -} - -/* Send our public DH value and a nonce to the responder. */ -int -ike_phase_1_initiator_send_KE_NONCE(struct message *msg) -{ - struct ipsec_exch *ie = msg->exchange->data; - - ie->g_x_len = dh_getlen(ie->group); - - /* XXX I want a better way to specify the nonce's size. */ - return ike_phase_1_send_KE_NONCE(msg, 16); -} - -/* Accept responder's public DH value and nonce. */ -int -ike_phase_1_initiator_recv_KE_NONCE(struct message *msg) -{ - if (ike_phase_1_recv_KE_NONCE(msg)) - return -1; - - return ike_phase_1_post_exchange_KE_NONCE(msg); -} - -/* - * Accept a set of transforms offered by the initiator and chose one we can - * handle. - */ -int -ike_phase_1_responder_recv_SA(struct message *msg) -{ - struct exchange *exchange = msg->exchange; - struct sa *sa = TAILQ_FIRST(&exchange->sa_list); - struct ipsec_sa *isa = sa->data; - struct payload *sa_p = payload_first(msg, ISAKMP_PAYLOAD_SA); - struct payload *prop = payload_first(msg, ISAKMP_PAYLOAD_PROPOSAL); - struct ipsec_exch *ie = exchange->data; - - /* Mark the SA as handled. */ - sa_p->flags |= PL_MARK; - - /* IKE requires that only one SA with only one proposal exists. */ - if (TAILQ_NEXT(sa_p, link) || TAILQ_NEXT(prop, link)) { - log_print("ike_phase_1_responder_recv_SA: " - "multiple SA or proposal payloads in phase 1"); - /* XXX Is there a better notification type? */ - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0); - return -1; - } - /* Chose a transform from the SA. */ - if (message_negotiate_sa(msg, ike_phase_1_validate_prop) || - !TAILQ_FIRST(&sa->protos)) - return -1; - - /* XXX Move into message_negotiate_sa? */ - ipsec_decode_transform(msg, sa, TAILQ_FIRST(&sa->protos), - TAILQ_FIRST(&sa->protos)->chosen->p); - - ie->group = group_get(isa->group_desc); - - /* - * Check that the mandatory attributes: encryption, hash, - * authentication method and Diffie-Hellman group description, has - * been supplied. - */ - if (!exchange->crypto || !ie->hash || !ie->ike_auth || !ie->group) { - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0); - return -1; - } - /* Save the body for later hash computation. */ - ie->sa_i_b_len = GET_ISAKMP_GEN_LENGTH(sa_p->p) - ISAKMP_GEN_SZ; - ie->sa_i_b = malloc(ie->sa_i_b_len); - if (!ie->sa_i_b) { - /* XXX How to notify peer? */ - log_error("ike_phase_1_responder_recv_SA: malloc (%lu) failed", - (unsigned long) ie->sa_i_b_len); - return -1; - } - memcpy(ie->sa_i_b, sa_p->p + ISAKMP_GEN_SZ, ie->sa_i_b_len); - return 0; -} - -/* Reply with the transform we chose. */ -int -ike_phase_1_responder_send_SA(struct message *msg) -{ - /* Add the SA payload with the transform that was chosen. */ - if (message_add_sa_payload(msg)) - return -1; - -#if defined (USE_NAT_TRAVERSAL) - /* Advertise NAT-T capability. */ - if (nat_t_add_vendor_payloads(msg)) - return -1; -#endif - -#if defined (USE_DPD) - /* Advertise DPD capability. */ - if (dpd_add_vendor_payload(msg)) - return -1; -#endif - return 0; -} - -/* Send our public DH value and a nonce to the peer. */ -int -ike_phase_1_send_KE_NONCE(struct message *msg, size_t nonce_sz) -{ - /* Public DH key. */ - if (ipsec_gen_g_x(msg)) { - /* XXX How to log and notify peer? */ - return -1; - } - /* Generate a nonce, and add it to the message. */ - if (exchange_gen_nonce(msg, nonce_sz)) { - /* XXX Log? */ - return -1; - } - /* Try to add certificates which are acceptable for the CERTREQs */ - if (exchange_add_certs(msg)) { - /* XXX Log? */ - return -1; - } -#if defined (USE_NAT_TRAVERSAL) - /* If this exchange uses NAT-Traversal, add NAT-D payloads now. */ - if (msg->exchange->flags & EXCHANGE_FLAG_NAT_T_CAP_PEER) - if (nat_t_exchange_add_nat_d(msg)) { - /* XXX Log? */ - return -1; - } -#endif - return 0; -} - -/* Receive our peer's public DH value and nonce. */ -int -ike_phase_1_recv_KE_NONCE(struct message *msg) -{ - /* Copy out the initiator's DH public value. */ - if (ipsec_save_g_x(msg)) { - /* XXX How to log and notify peer? */ - return -1; - } - /* Copy out the initiator's nonce. */ - if (exchange_save_nonce(msg)) { - /* XXX How to log and notify peer? */ - return -1; - } - /* Copy out the initiator's cert requests. */ - if (exchange_save_certreq(msg)) { - /* XXX How to log and notify peer? */ - return -1; - } -#if defined (USE_NAT_TRAVERSAL) - /* MainMode: Check for NAT-D payloads and contents. */ - if (msg->exchange->type == ISAKMP_EXCH_ID_PROT && - msg->exchange->flags & EXCHANGE_FLAG_NAT_T_CAP_PEER) - (void)nat_t_exchange_check_nat_d(msg); -#endif - return 0; -} - -/* - * Compute DH values and key material. This is done in a post-send function - * as that means we can do parallel work in both the initiator and responder - * thus speeding up exchanges. - */ -int -ike_phase_1_post_exchange_KE_NONCE(struct message *msg) -{ - struct exchange *exchange = msg->exchange; - struct ipsec_exch *ie = exchange->data; - struct prf *prf; - struct hash *hash = ie->hash; - enum cryptoerr err; - - /* Compute Diffie-Hellman shared value. */ - ie->g_xy = malloc(ie->g_x_len); - if (!ie->g_xy) { - /* XXX How to notify peer? */ - log_error("ike_phase_1_post_exchange_KE_NONCE: " - "malloc (%lu) failed", (unsigned long) ie->g_x_len); - return -1; - } - if (dh_create_shared(ie->group, ie->g_xy, - exchange->initiator ? ie->g_xr : ie->g_xi)) { - log_print("ike_phase_1_post_exchange_KE_NONCE: " - "dh_create_shared failed"); - return -1; - } - LOG_DBG_BUF((LOG_NEGOTIATION, 80, - "ike_phase_1_post_exchange_KE_NONCE: g^xy", ie->g_xy, - ie->g_x_len)); - - /* Compute the SKEYID depending on the authentication method. */ - ie->skeyid = ie->ike_auth->gen_skeyid(exchange, &ie->skeyid_len); - if (!ie->skeyid) { - /* XXX Log and teardown? */ - return -1; - } - LOG_DBG_BUF((LOG_NEGOTIATION, 80, - "ike_phase_1_post_exchange_KE_NONCE: SKEYID", ie->skeyid, - ie->skeyid_len)); - - /* SKEYID_d. */ - ie->skeyid_d = malloc(ie->skeyid_len); - if (!ie->skeyid_d) { - /* XXX How to notify peer? */ - log_error("ike_phase_1_post_exchange_KE_NONCE: " - "malloc (%lu) failed", (unsigned long) ie->skeyid_len); - return -1; - } - prf = prf_alloc(ie->prf_type, hash->type, ie->skeyid, ie->skeyid_len); - if (!prf) { - /* XXX Log and teardown? */ - return -1; - } - prf->Init(prf->prfctx); - prf->Update(prf->prfctx, ie->g_xy, ie->g_x_len); - prf->Update(prf->prfctx, exchange->cookies, ISAKMP_HDR_COOKIES_LEN); - prf->Update(prf->prfctx, (unsigned char *) "\0", 1); - prf->Final(ie->skeyid_d, prf->prfctx); - LOG_DBG_BUF((LOG_NEGOTIATION, 80, - "ike_phase_1_post_exchange_KE_NONCE: SKEYID_d", ie->skeyid_d, - ie->skeyid_len)); - - /* SKEYID_a. */ - ie->skeyid_a = malloc(ie->skeyid_len); - if (!ie->skeyid_a) { - log_error("ike_phase_1_post_exchange_KE_NONCE: " - "malloc (%lu) failed", (unsigned long) ie->skeyid_len); - prf_free(prf); - return -1; - } - prf->Init(prf->prfctx); - prf->Update(prf->prfctx, ie->skeyid_d, ie->skeyid_len); - prf->Update(prf->prfctx, ie->g_xy, ie->g_x_len); - prf->Update(prf->prfctx, exchange->cookies, ISAKMP_HDR_COOKIES_LEN); - prf->Update(prf->prfctx, (unsigned char *) "\1", 1); - prf->Final(ie->skeyid_a, prf->prfctx); - LOG_DBG_BUF((LOG_NEGOTIATION, 80, - "ike_phase_1_post_exchange_KE_NONCE: SKEYID_a", ie->skeyid_a, - ie->skeyid_len)); - - /* SKEYID_e. */ - ie->skeyid_e = malloc(ie->skeyid_len); - if (!ie->skeyid_e) { - /* XXX How to notify peer? */ - log_error("ike_phase_1_post_exchange_KE_NONCE: " - "malloc (%lu) failed", (unsigned long) ie->skeyid_len); - prf_free(prf); - return -1; - } - prf->Init(prf->prfctx); - prf->Update(prf->prfctx, ie->skeyid_a, ie->skeyid_len); - prf->Update(prf->prfctx, ie->g_xy, ie->g_x_len); - prf->Update(prf->prfctx, exchange->cookies, ISAKMP_HDR_COOKIES_LEN); - prf->Update(prf->prfctx, (unsigned char *) "\2", 1); - prf->Final(ie->skeyid_e, prf->prfctx); - prf_free(prf); - LOG_DBG_BUF((LOG_NEGOTIATION, 80, - "ike_phase_1_post_exchange_KE_NONCE: SKEYID_e", ie->skeyid_e, - ie->skeyid_len)); - - /* Key length determination. */ - if (!exchange->key_length) - exchange->key_length = exchange->crypto->keymax; - - /* Derive a longer key from skeyid_e */ - if (ie->skeyid_len < exchange->key_length) { - u_int16_t len, keylen; - u_int8_t *key, *p; - - prf = prf_alloc(ie->prf_type, hash->type, ie->skeyid_e, - ie->skeyid_len); - if (!prf) { - /* XXX - notify peer */ - return -1; - } - /* Make keylen a multiple of prf->blocksize */ - keylen = exchange->key_length; - if (keylen % prf->blocksize) - keylen += prf->blocksize - (keylen % prf->blocksize); - - key = malloc(keylen); - if (!key) { - /* XXX - Notify peer. */ - log_error("ike_phase_1_post_exchange_KE_NONCE: " - "malloc (%d) failed", keylen); - return -1; - } - prf->Init(prf->prfctx); - prf->Update(prf->prfctx, (unsigned char *) "\0", 1); - prf->Final(key, prf->prfctx); - - for (len = prf->blocksize, p = key; len < exchange->key_length; - len += prf->blocksize, p += prf->blocksize) { - prf->Init(prf->prfctx); - prf->Update(prf->prfctx, p, prf->blocksize); - prf->Final(p + prf->blocksize, prf->prfctx); - } - prf_free(prf); - - /* Setup our keystate using the derived encryption key. */ - exchange->keystate = crypto_init(exchange->crypto, key, - exchange->key_length, &err); - - free(key); - } else - /* Setup our keystate using the raw skeyid_e. */ - exchange->keystate = crypto_init(exchange->crypto, - ie->skeyid_e, exchange->key_length, &err); - - /* Special handling for DES weak keys. */ - if (!exchange->keystate && err == EWEAKKEY && - (exchange->key_length << 1) <= ie->skeyid_len) { - log_print("ike_phase_1_post_exchange_KE_NONCE: " - "weak key, trying subseq. skeyid_e"); - exchange->keystate = crypto_init(exchange->crypto, - ie->skeyid_e + exchange->key_length, - exchange->key_length, &err); - } - if (!exchange->keystate) { - log_print("ike_phase_1_post_exchange_KE_NONCE: " - "exchange->crypto->init () failed: %d", err); - - /* - * XXX We really need to know if problems are of transient - * nature or fatal (like failed assertions etc.) - */ - return -1; - } - /* Setup IV. XXX Only for CBC transforms, no? */ - hash->Init(hash->ctx); - hash->Update(hash->ctx, ie->g_xi, ie->g_x_len); - hash->Update(hash->ctx, ie->g_xr, ie->g_x_len); - hash->Final(hash->digest, hash->ctx); - crypto_init_iv(exchange->keystate, hash->digest, - exchange->crypto->blocksize); - return 0; -} - -int -ike_phase_1_responder_send_ID_AUTH(struct message *msg) -{ - if (ike_phase_1_send_ID(msg)) - return -1; - - return ike_phase_1_send_AUTH(msg); -} - -int -ike_phase_1_send_ID(struct message *msg) -{ - struct exchange *exchange = msg->exchange; - u_int8_t *buf; - char header[80]; - ssize_t sz; - struct sockaddr *src; - int initiator = exchange->initiator; - u_int8_t **id; - size_t *id_len; - char *my_id = 0, *data; - u_int8_t id_type; - - /* Choose the right fields to fill-in. */ - id = initiator ? &exchange->id_i : &exchange->id_r; - id_len = initiator ? &exchange->id_i_len : &exchange->id_r_len; - - if (exchange->name) - my_id = conf_get_str(exchange->name, "ID"); - - if (!my_id) - my_id = conf_get_str("General", "Default-phase-1-ID"); - - msg->transport->vtbl->get_src(msg->transport, &src); - sz = my_id ? ipsec_id_size(my_id, &id_type) : sockaddr_addrlen(src); - if (sz == -1) - return -1; - - sz += ISAKMP_ID_DATA_OFF; - buf = malloc(sz); - if (!buf) { - log_error("ike_phase_1_send_ID: malloc (%lu) failed", - (unsigned long) sz); - return -1; - } - SET_IPSEC_ID_PROTO(buf + ISAKMP_ID_DOI_DATA_OFF, 0); - SET_IPSEC_ID_PORT(buf + ISAKMP_ID_DOI_DATA_OFF, 0); - if (my_id) { - SET_ISAKMP_ID_TYPE(buf, id_type); - switch (id_type) { - case IPSEC_ID_IPV4_ADDR: - case IPSEC_ID_IPV6_ADDR: - /* Already in network byteorder. */ - memcpy(buf + ISAKMP_ID_DATA_OFF, - sockaddr_addrdata(src), sockaddr_addrlen(src)); - break; - - case IPSEC_ID_IPV4_ADDR_SUBNET: - case IPSEC_ID_IPV6_ADDR_SUBNET: - /* Network */ - data = conf_get_str(my_id, "Network"); - if (!data) { - log_print("ike_phase_1_send_ID: section %s " - "has no \"Network\" tag", my_id); - return -1; - } - if (text2sockaddr(data, NULL, &src)) { - log_error("ike_phase_1_send_ID: " - "text2sockaddr() failed"); - return -1; - } - memcpy(buf + ISAKMP_ID_DATA_OFF, - sockaddr_addrdata(src), sockaddr_addrlen(src)); - free(src); - /* Netmask */ - data = conf_get_str(my_id, "Netmask"); - if (!data) { - log_print("ike_phase_1_send_ID: section %s " - "has no \"Netmask\" tag", my_id); - return -1; - } - if (text2sockaddr(data, NULL, &src)) { - log_error("ike_phase_1_send_ID: " - "text2sockaddr() failed"); - return -1; - } - memcpy(buf + ISAKMP_ID_DATA_OFF + - sockaddr_addrlen(src), sockaddr_addrdata(src), - sockaddr_addrlen(src)); - free(src); - break; - - case IPSEC_ID_FQDN: - case IPSEC_ID_USER_FQDN: - case IPSEC_ID_KEY_ID: - data = conf_get_str(my_id, "Name"); - if (!data) { - log_print("ike_phase_1_send_ID: section %s " - "has no \"Name\" tag", my_id); - return -1; - } - memcpy(buf + ISAKMP_ID_DATA_OFF, data, - sz - ISAKMP_ID_DATA_OFF); - break; - - default: - log_print("ike_phase_1_send_ID: " - "unsupported ID type %d", id_type); - free(buf); - return -1; - } - } else { - switch (src->sa_family) { - case AF_INET: - SET_ISAKMP_ID_TYPE(buf, IPSEC_ID_IPV4_ADDR); - break; - case AF_INET6: - SET_ISAKMP_ID_TYPE(buf, IPSEC_ID_IPV6_ADDR); - break; - } - /* Already in network byteorder. */ - memcpy(buf + ISAKMP_ID_DATA_OFF, sockaddr_addrdata(src), - sockaddr_addrlen(src)); - } - - if (message_add_payload(msg, ISAKMP_PAYLOAD_ID, buf, sz, 1)) { - free(buf); - return -1; - } - *id_len = sz - ISAKMP_GEN_SZ; - *id = malloc(*id_len); - if (!*id) { - log_error("ike_phase_1_send_ID: malloc (%lu) failed", - (unsigned long) *id_len); - return -1; - } - memcpy(*id, buf + ISAKMP_GEN_SZ, *id_len); - snprintf(header, sizeof header, "ike_phase_1_send_ID: %s", - constant_name(ipsec_id_cst, GET_ISAKMP_ID_TYPE(buf))); - LOG_DBG_BUF((LOG_NEGOTIATION, 40, header, buf + ISAKMP_ID_DATA_OFF, - sz - ISAKMP_ID_DATA_OFF)); - return 0; -} - -int -ike_phase_1_send_AUTH(struct message *msg) -{ - struct exchange *exchange = msg->exchange; - struct ipsec_exch *ie = exchange->data; - - if (ie->ike_auth->encode_hash(msg)) { - /* XXX Log? */ - return -1; - } - /* - * XXX Many people say the COMMIT flag is just junk, especially in - * Phase 1. - */ -#ifdef notyet - if ((exchange->flags & EXCHANGE_FLAG_COMMITTED) == 0) - exchange->flags |= EXCHANGE_FLAG_I_COMMITTED; -#endif - - return 0; -} - -/* Receive ID and HASH and check that the exchange has been consistent. */ -int -ike_phase_1_recv_ID_AUTH(struct message *msg) -{ - if (ike_phase_1_recv_ID(msg)) - return -1; - - return ike_phase_1_recv_AUTH(msg); -} - -/* Receive ID. */ -int -ike_phase_1_recv_ID(struct message *msg) -{ - struct exchange *exchange = msg->exchange; - struct payload *payload; - char header[80], *rs = 0, *rid = 0, *p; - int initiator = exchange->initiator; - u_int8_t **id, id_type; - size_t *id_len; - ssize_t sz; - struct sockaddr *sa; - - payload = payload_first(msg, ISAKMP_PAYLOAD_ID); - - if (exchange->name) - rs = conf_get_str(exchange->name, "Remote-ID"); - - if (rs) { - sz = ipsec_id_size(rs, &id_type); - if (sz == -1) { - log_print("ike_phase_1_recv_ID: could not handle " - "specified Remote-ID [%s]", rs); - return -1; - } - rid = malloc(sz); - if (!rid) { - log_error("ike_phase_1_recv_ID: malloc (%lu) failed", - (unsigned long) sz); - return -1; - } - switch (id_type) { - case IPSEC_ID_IPV4_ADDR: - case IPSEC_ID_IPV6_ADDR: - p = conf_get_str(rs, "Address"); - if (!p) { - log_print("ike_phase_1_recv_ID: failed to get " - "Address in Remote-ID section [%s]", rs); - free(rid); - return -1; - } - if (text2sockaddr(p, 0, &sa) == -1) { - log_print("ike_phase_1_recv_ID: " - "failed to parse address %s", p); - free(rid); - return -1; - } - if ((id_type == IPSEC_ID_IPV4_ADDR && - sa->sa_family != AF_INET) || - (id_type == IPSEC_ID_IPV6_ADDR && - sa->sa_family != AF_INET6)) { - log_print("ike_phase_1_recv_ID: " - "address %s not of expected family", p); - free(rid); - free(sa); - return -1; - } - memcpy(rid, sockaddr_addrdata(sa), - sockaddr_addrlen(sa)); - free(sa); - break; - - case IPSEC_ID_FQDN: - case IPSEC_ID_USER_FQDN: - case IPSEC_ID_KEY_ID: - p = conf_get_str(rs, "Name"); - if (!p) { - log_print("ike_phase_1_recv_ID: failed to " - "get Name in Remote-ID section [%s]", rs); - free(rid); - return -1; - } - memcpy(rid, p, sz); - break; - - default: - log_print("ike_phase_1_recv_ID: " - "unsupported ID type %d", id_type); - free(rid); - return -1; - } - - /* Compare expected/desired and received remote ID */ - if (bcmp(rid, payload->p + ISAKMP_ID_DATA_OFF, sz)) { - log_print("ike_phase_1_recv_ID: " - "received remote ID other than expected %s - %s", p, payload->p); - free(rid); - return -1; - } - free(rid); - } - /* Choose the right fields to fill in */ - id = initiator ? &exchange->id_r : &exchange->id_i; - id_len = initiator ? &exchange->id_r_len : &exchange->id_i_len; - - *id_len = GET_ISAKMP_GEN_LENGTH(payload->p) - ISAKMP_GEN_SZ; - *id = malloc(*id_len); - if (!*id) { - log_error("ike_phase_1_recv_ID: malloc (%lu) failed", - (unsigned long) *id_len); - return -1; - } - memcpy(*id, payload->p + ISAKMP_GEN_SZ, *id_len); - snprintf(header, sizeof header, "ike_phase_1_recv_ID: %s", - constant_name(ipsec_id_cst, GET_ISAKMP_ID_TYPE(payload->p))); - LOG_DBG_BUF((LOG_NEGOTIATION, 40, header, - payload->p + ISAKMP_ID_DATA_OFF, - *id_len + ISAKMP_GEN_SZ - ISAKMP_ID_DATA_OFF)); - payload->flags |= PL_MARK; - return 0; -} - -/* Receive HASH and check that the exchange has been consistent. */ -int -ike_phase_1_recv_AUTH(struct message *msg) -{ - struct exchange *exchange = msg->exchange; - struct ipsec_exch *ie = exchange->data; - struct prf *prf; - struct hash *hash = ie->hash; - char header[80]; - size_t hashsize = hash->hashsize; - int initiator = exchange->initiator; - u_int8_t **hash_p, *id; - size_t id_len; - - /* Choose the right fields to fill in */ - hash_p = initiator ? &ie->hash_r : &ie->hash_i; - id = initiator ? exchange->id_r : exchange->id_i; - id_len = initiator ? exchange->id_r_len : exchange->id_i_len; - - /* The decoded hash will be in ie->hash_r or ie->hash_i */ - if (ie->ike_auth->decode_hash(msg)) { - message_drop(msg, ISAKMP_NOTIFY_INVALID_ID_INFORMATION, 0, 1, - 0); - return -1; - } - /* Allocate the prf and start calculating his HASH. */ - prf = prf_alloc(ie->prf_type, hash->type, ie->skeyid, ie->skeyid_len); - if (!prf) { - /* XXX Log? */ - return -1; - } - prf->Init(prf->prfctx); - prf->Update(prf->prfctx, initiator ? ie->g_xr : ie->g_xi, ie->g_x_len); - prf->Update(prf->prfctx, initiator ? ie->g_xi : ie->g_xr, ie->g_x_len); - prf->Update(prf->prfctx, exchange->cookies + - (initiator ? ISAKMP_HDR_RCOOKIE_OFF : ISAKMP_HDR_ICOOKIE_OFF), - ISAKMP_HDR_ICOOKIE_LEN); - prf->Update(prf->prfctx, exchange->cookies + - (initiator ? ISAKMP_HDR_ICOOKIE_OFF : ISAKMP_HDR_RCOOKIE_OFF), - ISAKMP_HDR_ICOOKIE_LEN); - prf->Update(prf->prfctx, ie->sa_i_b, ie->sa_i_b_len); - prf->Update(prf->prfctx, id, id_len); - prf->Final(hash->digest, prf->prfctx); - prf_free(prf); - snprintf(header, sizeof header, "ike_phase_1_recv_AUTH: " - "computed HASH_%c", initiator ? 'R' : 'I'); - LOG_DBG_BUF((LOG_NEGOTIATION, 80, header, hash->digest, hashsize)); - - /* Check that the hash we got matches the one we computed. */ - if (memcmp(*hash_p, hash->digest, hashsize) != 0) { - /* XXX Log? */ - return -1; - } - - /* Mark message as authenticated. */ - msg->flags |= MSG_AUTHENTICATED; - - return 0; -} - -struct attr_node { - LIST_ENTRY(attr_node) link; - u_int16_t type; -}; - -struct validation_state { - struct conf_list_node *xf; - LIST_HEAD(attr_head, attr_node) attrs; - char *life; -}; - -/* Validate a proposal inside SA according to EXCHANGE's policy. */ -static int -ike_phase_1_validate_prop(struct exchange *exchange, struct sa *sa, - struct sa *isakmp_sa) -{ - struct conf_list *conf, *tags; - struct conf_list_node *xf, *tag; - struct proto *proto; - struct validation_state vs; - struct attr_node *node, *next_node; - - /* Get the list of transforms. */ - conf = conf_get_list(exchange->policy, "Transforms"); - if (!conf) - return 0; - - for (xf = TAILQ_FIRST(&conf->fields); xf; xf = TAILQ_NEXT(xf, link)) { - for (proto = TAILQ_FIRST(&sa->protos); proto; - proto = TAILQ_NEXT(proto, link)) { - /* Mark all attributes in our policy as unseen. */ - LIST_INIT(&vs.attrs); - vs.xf = xf; - vs.life = 0; - if (attribute_map(proto->chosen->p + - ISAKMP_TRANSFORM_SA_ATTRS_OFF, - GET_ISAKMP_GEN_LENGTH(proto->chosen->p) - - ISAKMP_TRANSFORM_SA_ATTRS_OFF, - attribute_unacceptable, &vs)) - goto try_next; - - /* Sweep over unseen tags in this section. */ - tags = conf_get_tag_list(xf->field); - if (tags) { - for (tag = TAILQ_FIRST(&tags->fields); tag; - tag = TAILQ_NEXT(tag, link)) - /* - * XXX Should we care about attributes - * we have, they do not provide? - */ - for (node = LIST_FIRST(&vs.attrs); - node; node = next_node) { - next_node = - LIST_NEXT(node, link); - if (node->type == - constant_value(ike_attr_cst, - tag->field)) { - LIST_REMOVE(node, link); - free(node); - } - } - conf_free_list(tags); - } - /* Are there leftover tags in this section? */ - node = LIST_FIRST(&vs.attrs); - if (node) - goto try_next; - } - - /* All protocols were OK, we succeeded. */ - LOG_DBG((LOG_NEGOTIATION, 20, "ike_phase_1_validate_prop: " - "success")); - conf_free_list(conf); - if (vs.life) - free(vs.life); - return 1; - -try_next: - /* Are there leftover tags in this section? */ - node = LIST_FIRST(&vs.attrs); - while (node) { - LIST_REMOVE(node, link); - free(node); - node = LIST_FIRST(&vs.attrs); - } - if (vs.life) - free(vs.life); - } - - LOG_DBG((LOG_NEGOTIATION, 20, "ike_phase_1_validate_prop: failure")); - conf_free_list(conf); - return 0; -} - -/* - * Look at the attribute of type TYPE, located at VALUE for LEN bytes forward. - * The VVS argument holds a validation state kept across invocations. - * If the attribute is unacceptable to use, return non-zero, otherwise zero. - */ -static int -attribute_unacceptable(u_int16_t type, u_int8_t *value, u_int16_t len, - void *vvs) -{ - struct validation_state *vs = vvs; - struct conf_list *life_conf; - struct conf_list_node *xf = vs->xf, *life; - char *tag = constant_lookup(ike_attr_cst, type); - char *str; - struct constant_map *map; - struct attr_node *node; - int rv; - - if (!tag) { - LOG_DBG((LOG_NEGOTIATION, 60, "attribute_unacceptable: " - "attribute type %d not known", type)); - return 1; - } - switch (type) { - case IKE_ATTR_ENCRYPTION_ALGORITHM: - case IKE_ATTR_HASH_ALGORITHM: - case IKE_ATTR_AUTHENTICATION_METHOD: - case IKE_ATTR_GROUP_DESCRIPTION: - case IKE_ATTR_GROUP_TYPE: - case IKE_ATTR_PRF: - str = conf_get_str(xf->field, tag); - if (!str) { - /* This attribute does not exist in this policy. */ - LOG_DBG((LOG_NEGOTIATION, 70, - "attribute_unacceptable: attr %s does not exist " - "in %s", tag, xf->field)); - return 1; - } - map = constant_link_lookup(ike_attr_cst, type); - if (!map) - return 1; - - if ((constant_value(map, str) == decode_16(value)) || - (!strcmp(str, "ANY"))) { - /* Mark this attribute as seen. */ - node = malloc(sizeof *node); - if (!node) { - log_error("attribute_unacceptable: " - "malloc (%lu) failed", - (unsigned long) sizeof *node); - return 1; - } - node->type = type; - LIST_INSERT_HEAD(&vs->attrs, node, link); - return 0; - } - LOG_DBG((LOG_NEGOTIATION, 70, - "attribute_unacceptable: %s: got %s, expected %s", tag, - constant_name(map, decode_16(value)), str)); - return 1; - - case IKE_ATTR_GROUP_PRIME: - case IKE_ATTR_GROUP_GENERATOR_1: - case IKE_ATTR_GROUP_GENERATOR_2: - case IKE_ATTR_GROUP_CURVE_A: - case IKE_ATTR_GROUP_CURVE_B: - /* XXX Bignums not handled yet. */ - return 1; - - case IKE_ATTR_LIFE_TYPE: - case IKE_ATTR_LIFE_DURATION: - life_conf = conf_get_list(xf->field, "Life"); - if (life_conf && - !strcmp(conf_get_str(xf->field, "Life"), "ANY")) - return 0; - - rv = 1; - if (!life_conf) { - /* Life attributes given, but not in our policy. */ - LOG_DBG((LOG_NEGOTIATION, 70, - "attribute_unacceptable: received unexpected life " - "attribute")); - return 1; - } - /* - * Each lifetime type must match, otherwise we turn the - * proposal down. In order to do this we need to find the - * specific section of our policy's "Life" list and match - * its duration. - */ - switch (type) { - case IKE_ATTR_LIFE_TYPE: - for (life = TAILQ_FIRST(&life_conf->fields); life; - life = TAILQ_NEXT(life, link)) { - str = conf_get_str(life->field, "LIFE_TYPE"); - if (!str) { - LOG_DBG((LOG_NEGOTIATION, 70, - "attribute_unacceptable: " - "section [%s] has no LIFE_TYPE", - life->field)); - continue; - } - - /* - * If this is the type we are looking at, - * to save a pointer this section in vs->life. - */ - if (constant_value(ike_duration_cst, str) == - decode_16(value)) { - vs->life = strdup(life->field); - rv = 0; - goto bail_out; - } - } - LOG_DBG((LOG_NEGOTIATION, 70, "attribute_unacceptable:" - " unrecognized LIFE_TYPE %d", decode_16(value))); - vs->life = 0; - break; - - case IKE_ATTR_LIFE_DURATION: - if (!vs->life) { - LOG_DBG((LOG_NEGOTIATION, 70, - "attribute_unacceptable: " - "LIFE_DURATION without LIFE_TYPE")); - rv = 1; - goto bail_out; - } - str = conf_get_str(vs->life, "LIFE_DURATION"); - if (str) { - if (!strcmp(str, "ANY")) - rv = 0; - else - rv = !conf_match_num(vs->life, - "LIFE_DURATION", - len == 4 ? decode_32(value) : - decode_16(value)); - } else { - LOG_DBG((LOG_NEGOTIATION, 70, - "attribute_unacceptable: section [%s] has " - "no LIFE_DURATION", vs->life)); - rv = 1; - } - - free(vs->life); - vs->life = 0; - break; - } - -bail_out: - conf_free_list(life_conf); - return rv; - - case IKE_ATTR_KEY_LENGTH: - case IKE_ATTR_FIELD_SIZE: - case IKE_ATTR_GROUP_ORDER: - if (conf_match_num(xf->field, tag, decode_16(value))) { - /* Mark this attribute as seen. */ - node = malloc(sizeof *node); - if (!node) { - log_error("attribute_unacceptable: " - "malloc (%lu) failed", - (unsigned long) sizeof *node); - return 1; - } - node->type = type; - LIST_INSERT_HEAD(&vs->attrs, node, link); - return 0; - } - return 1; - } - return 1; -} diff --git a/keyexchange/isakmpd-20041012/ike_phase_1.h b/keyexchange/isakmpd-20041012/ike_phase_1.h deleted file mode 100644 index 1252664..0000000 --- a/keyexchange/isakmpd-20041012/ike_phase_1.h +++ /dev/null @@ -1,53 +0,0 @@ -/* $OpenBSD: ike_phase_1.h,v 1.4 2004/04/15 18:39:25 deraadt Exp $ */ - -/* - * Copyright (c) 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _IKE_PHASE_1_H_ -#define _IKE_PHASE_1_H_ - -struct message; - -extern int ike_phase_1_initiator_recv_KE_NONCE(struct message *); -extern int ike_phase_1_initiator_recv_SA(struct message *); -extern int ike_phase_1_initiator_send_KE_NONCE(struct message *); -extern int ike_phase_1_initiator_send_SA(struct message *); -extern int ike_phase_1_post_exchange_KE_NONCE(struct message *); -extern int ike_phase_1_recv_AUTH(struct message *); -extern int ike_phase_1_recv_ID(struct message *); -extern int ike_phase_1_recv_ID_AUTH(struct message *); -extern int ike_phase_1_recv_KE_NONCE(struct message *); -extern int ike_phase_1_responder_recv_SA(struct message *); -extern int ike_phase_1_responder_send_SA(struct message *); -extern int ike_phase_1_responder_send_ID_AUTH(struct message *); -extern int ike_phase_1_send_AUTH(struct message *); -extern int ike_phase_1_send_ID(struct message *); -extern int ike_phase_1_send_ID_AUTH(struct message *); -extern int ike_phase_1_send_KE_NONCE(struct message *, size_t); - -#endif /* _IKE_PHASE_1_H_ */ diff --git a/keyexchange/isakmpd-20041012/ike_quick_mode.c b/keyexchange/isakmpd-20041012/ike_quick_mode.c deleted file mode 100644 index 75bec87..0000000 --- a/keyexchange/isakmpd-20041012/ike_quick_mode.c +++ /dev/null @@ -1,1989 +0,0 @@ -/* $OpenBSD: ike_quick_mode.c,v 1.87 2004/09/17 13:53:08 ho Exp $ */ -/* $EOM: ike_quick_mode.c,v 1.139 2001/01/26 10:43:17 niklas Exp $ */ - -/* - * Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. - * Copyright (c) 1999, 2000, 2001 Angelos D. Keromytis. All rights reserved. - * Copyright (c) 2000, 2001, 2004 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <stdlib.h> -#include <string.h> - -#if defined (USE_POLICY) || defined (USE_KEYNOTE) -#include <sys/types.h> -#include <regex.h> -#include <keynote.h> -#endif - -#include "sysdep.h" - -#include "attribute.h" -#include "conf.h" -#include "connection.h" -#include "dh.h" -#include "doi.h" -#include "exchange.h" -#include "hash.h" -#include "ike_quick_mode.h" -#include "ipsec.h" -#include "log.h" -#include "math_group.h" -#include "message.h" -#include "policy.h" -#include "prf.h" -#include "sa.h" -#include "transport.h" -#include "util.h" -#include "key.h" - -#ifdef USE_X509 -#include "x509.h" -#endif - -static void gen_g_xy(struct message *); -static int initiator_send_HASH_SA_NONCE(struct message *); -static int initiator_recv_HASH_SA_NONCE(struct message *); -static int initiator_send_HASH(struct message *); -static void post_quick_mode(struct message *); -static int responder_recv_HASH_SA_NONCE(struct message *); -static int responder_send_HASH_SA_NONCE(struct message *); -static int responder_recv_HASH(struct message *); - -#ifdef USE_POLICY -static int check_policy(struct exchange *, struct sa *, struct sa *); -#endif - -int (*ike_quick_mode_initiator[])(struct message *) = { - initiator_send_HASH_SA_NONCE, - initiator_recv_HASH_SA_NONCE, - initiator_send_HASH -}; - -int (*ike_quick_mode_responder[])(struct message *) = { - responder_recv_HASH_SA_NONCE, - responder_send_HASH_SA_NONCE, - responder_recv_HASH -}; - -#ifdef USE_POLICY - -/* How many return values will policy handle -- true/false for now */ -#define RETVALUES_NUM 2 - -/* - * Given an exchange and our policy, check whether the SA and IDs are - * acceptable. - */ -static int -check_policy(struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa) -{ - char *return_values[RETVALUES_NUM]; - char **principal = 0; - int i, len, result = 0, nprinc = 0; - int *x509_ids = 0, *keynote_ids = 0; - unsigned char hashbuf[20]; /* Set to the largest digest result */ -#ifdef USE_X509 - struct keynote_deckey dc; - X509_NAME *subject; -#endif - - /* Do we want to use keynote policies? */ - if (ignore_policy || - strncmp("yes", conf_get_str("General", "Use-Keynote"), 3)) - return 1; - - /* Initialize if necessary -- e.g., if pre-shared key auth was used */ - if (isakmp_sa->policy_id < 0) { - if ((isakmp_sa->policy_id = kn_init()) == -1) { - log_print("check_policy: " - "failed to initialize policy session"); - return 0; - } - } - /* Add the callback that will handle attributes. */ - if (kn_add_action(isakmp_sa->policy_id, ".*", (char *)policy_callback, - ENVIRONMENT_FLAG_FUNC | ENVIRONMENT_FLAG_REGEX) == -1) { - log_print("check_policy: " - "kn_add_action (%d, \".*\", %p, FUNC | REGEX) failed", - isakmp_sa->policy_id, policy_callback); - kn_close(isakmp_sa->policy_id); - isakmp_sa->policy_id = -1; - return 0; - } - if (policy_asserts_num) { - keynote_ids = calloc(policy_asserts_num, sizeof *keynote_ids); - if (!keynote_ids) { - log_error("check_policy: calloc (%d, %lu) failed", - policy_asserts_num, - (unsigned long)sizeof *keynote_ids); - return 0; - } - } - /* Add the policy assertions */ - for (i = 0; i < policy_asserts_num; i++) - keynote_ids[i] = kn_add_assertion(isakmp_sa->policy_id, - policy_asserts[i], - strlen(policy_asserts[i]), ASSERT_FLAG_LOCAL); - - /* Initialize -- we'll let the callback do all the work. */ - policy_exchange = exchange; - policy_sa = sa; - policy_isakmp_sa = isakmp_sa; - - /* Set the return values; true/false for now at least. */ - return_values[0] = "false"; /* Order of values in array is - * important. */ - return_values[1] = "true"; - - /* Create a principal (authorizer) for the SA/ID request. */ - switch (isakmp_sa->recv_certtype) { - case ISAKMP_CERTENC_NONE: - /* - * For shared keys, just duplicate the passphrase with the - * appropriate prefix tag. - */ - nprinc = 3; - principal = calloc(nprinc, sizeof *principal); - if (!principal) { - log_error("check_policy: calloc (%d, %lu) failed", - nprinc, (unsigned long)sizeof *principal); - goto policydone; - } - len = strlen(isakmp_sa->recv_key) + sizeof "passphrase:"; - principal[0] = calloc(len, sizeof(char)); - if (!principal[0]) { - log_error("check_policy: calloc (%d, %lu) failed", len, - (unsigned long)sizeof(char)); - goto policydone; - } - /* - * XXX Consider changing the magic hash lengths with - * constants. - */ - strlcpy(principal[0], "passphrase:", len); - memcpy(principal[0] + sizeof "passphrase:" - 1, - isakmp_sa->recv_key, strlen(isakmp_sa->recv_key)); - - len = sizeof "passphrase-md5-hex:" + 2 * 16; - principal[1] = calloc(len, sizeof(char)); - if (!principal[1]) { - log_error("check_policy: calloc (%d, %lu) failed", len, - (unsigned long)sizeof(char)); - goto policydone; - } - strlcpy(principal[1], "passphrase-md5-hex:", len); - MD5(isakmp_sa->recv_key, strlen(isakmp_sa->recv_key), hashbuf); - for (i = 0; i < 16; i++) - snprintf(principal[1] + 2 * i + - sizeof "passphrase-md5-hex:" - 1, 3, "%02x", - hashbuf[i]); - - len = sizeof "passphrase-sha1-hex:" + 2 * 20; - principal[2] = calloc(len, sizeof(char)); - if (!principal[2]) { - log_error("check_policy: calloc (%d, %lu) failed", len, - (unsigned long)sizeof(char)); - goto policydone; - } - strlcpy(principal[2], "passphrase-sha1-hex:", len); - SHA1(isakmp_sa->recv_key, strlen(isakmp_sa->recv_key), - hashbuf); - for (i = 0; i < 20; i++) - snprintf(principal[2] + 2 * i + - sizeof "passphrase-sha1-hex:" - 1, 3, "%02x", - hashbuf[i]); - break; - - case ISAKMP_CERTENC_KEYNOTE: -#ifdef USE_KEYNOTE - nprinc = 1; - - principal = calloc(nprinc, sizeof *principal); - if (!principal) { - log_error("check_policy: calloc (%d, %lu) failed", - nprinc, (unsigned long)sizeof *principal); - goto policydone; - } - /* Dup the keys */ - principal[0] = strdup(isakmp_sa->keynote_key); - if (!principal[0]) { - log_error("check_policy: calloc (%lu, %lu) failed", - (unsigned long)strlen(isakmp_sa->keynote_key), - (unsigned long)sizeof(char)); - goto policydone; - } -#endif - break; - - case ISAKMP_CERTENC_X509_SIG: -#ifdef USE_X509 - principal = calloc(2, sizeof *principal); - if (!principal) { - log_error("check_policy: calloc (2, %lu) failed", - (unsigned long)sizeof *principal); - goto policydone; - } - if (isakmp_sa->recv_keytype == ISAKMP_KEY_RSA) - dc.dec_algorithm = KEYNOTE_ALGORITHM_RSA; - else { - log_error("check_policy: " - "unknown/unsupported public key algorithm %d", - isakmp_sa->recv_keytype); - goto policydone; - } - - dc.dec_key = isakmp_sa->recv_key; - principal[0] = kn_encode_key(&dc, INTERNAL_ENC_PKCS1, - ENCODING_HEX, KEYNOTE_PUBLIC_KEY); - if (keynote_errno == ERROR_MEMORY) { - log_print("check_policy: " - "failed to get memory for public key"); - goto policydone; - } - if (!principal[0]) { - log_print("check_policy: " - "failed to allocate memory for principal"); - goto policydone; - } - len = strlen(principal[0]) + sizeof "rsa-hex:"; - principal[1] = calloc(len, sizeof(char)); - if (!principal[1]) { - log_error("check_policy: calloc (%d, %lu) failed", len, - (unsigned long)sizeof(char)); - goto policydone; - } - snprintf(principal[1], len, "rsa-hex:%s", principal[0]); - free(principal[0]); - principal[0] = principal[1]; - principal[1] = 0; - - /* Generate a "DN:" principal. */ - subject = X509_get_subject_name(isakmp_sa->recv_cert); - if (subject) { - principal[1] = calloc(259, sizeof(char)); - if (!principal[1]) { - log_error("check_policy: " - "calloc (259, %lu) failed", - (unsigned long)sizeof(char)); - goto policydone; - } - strlcpy(principal[1], "DN:", 259); - X509_NAME_oneline(subject, principal[1] + 3, 256); - nprinc = 2; - } else { - nprinc = 1; - } - break; -#endif - - /* XXX Eventually handle these. */ - case ISAKMP_CERTENC_PKCS: - case ISAKMP_CERTENC_PGP: - case ISAKMP_CERTENC_DNS: - case ISAKMP_CERTENC_X509_KE: - case ISAKMP_CERTENC_KERBEROS: - case ISAKMP_CERTENC_CRL: - case ISAKMP_CERTENC_ARL: - case ISAKMP_CERTENC_SPKI: - case ISAKMP_CERTENC_X509_ATTR: - default: - log_print("check_policy: " - "unknown/unsupported certificate/authentication method %d", - isakmp_sa->recv_certtype); - goto policydone; - } - - /* - * Add the authorizer (who is requesting the SA/ID); - * this may be a public or a secret key, depending on - * what mode of authentication we used in Phase 1. - */ - for (i = 0; i < nprinc; i++) { - LOG_DBG((LOG_POLICY, 40, "check_policy: " - "adding authorizer [%s]", principal[i])); - - if (kn_add_authorizer(isakmp_sa->policy_id, principal[i]) - == -1) { - int j; - - for (j = 0; j < i; j++) - kn_remove_authorizer(isakmp_sa->policy_id, - principal[j]); - log_print("check_policy: kn_add_authorizer failed"); - goto policydone; - } - } - - /* Ask policy */ - result = kn_do_query(isakmp_sa->policy_id, return_values, - RETVALUES_NUM); - LOG_DBG((LOG_POLICY, 40, "check_policy: kn_do_query returned %d", - result)); - - /* Cleanup environment */ - kn_cleanup_action_environment(isakmp_sa->policy_id); - - /* Remove authorizers from the session */ - for (i = 0; i < nprinc; i++) { - kn_remove_authorizer(isakmp_sa->policy_id, principal[i]); - free(principal[i]); - } - - free(principal); - principal = 0; - nprinc = 0; - - /* Check what policy said. */ - if (result < 0) { - LOG_DBG((LOG_POLICY, 40, "check_policy: proposal refused")); - result = 0; - goto policydone; - } -policydone: - for (i = 0; i < nprinc; i++) - if (principal && principal[i]) - free(principal[i]); - - if (principal) - free(principal); - - /* Remove the policies */ - for (i = 0; i < policy_asserts_num; i++) { - if (keynote_ids[i] != -1) - kn_remove_assertion(isakmp_sa->policy_id, - keynote_ids[i]); - } - - if (keynote_ids) - free(keynote_ids); - - if (x509_ids) - free(x509_ids); - - /* - * XXX Currently, check_policy() is only called from - * message_negotiate_sa(), and so this log message reflects this. - * Change to something better? - */ - if (result == 0) - log_print("check_policy: negotiated SA failed policy check"); - - /* - * Given that we have only 2 return values from policy (true/false) - * we can just return the query result directly (no pre-processing - * needed). - */ - return result; -} -#endif /* USE_POLICY */ - -/* - * Offer several sets of transforms to the responder. - * XXX Split this huge function up and look for common code with main mode. - */ -static int -initiator_send_HASH_SA_NONCE(struct message *msg) -{ - struct exchange *exchange = msg->exchange; - struct doi *doi = exchange->doi; - struct ipsec_exch *ie = exchange->data; - u_int8_t ***transform = 0, ***new_transform; - u_int8_t **proposal = 0, **new_proposal; - u_int8_t *sa_buf = 0, *attr, *saved_nextp_sa, *saved_nextp_prop, - *id, *spi; - size_t spi_sz, sz; - size_t proposal_len = 0, proposals_len = 0, sa_len; - size_t **transform_len = 0, **new_transform_len; - size_t *transforms_len = 0, *new_transforms_len; - u_int32_t *transform_cnt = 0, *new_transform_cnt; - u_int32_t suite_no, prop_no, prot_no, xf_no, prop_cnt = 0; - u_int32_t i; - int value, update_nextp, protocol_num, proto_id; - struct proto *proto; - struct conf_list *suite_conf, *prot_conf = 0, *xf_conf = 0, *life_conf; - struct conf_list_node *suite, *prot, *xf, *life; - struct constant_map *id_map; - char *protocol_id, *transform_id; - char *local_id, *remote_id; - int group_desc = -1, new_group_desc; - struct ipsec_sa *isa = msg->isakmp_sa->data; - struct hash *hash = hash_get(isa->hash); - struct sockaddr *src; - struct proto_attr *pa; - - if (!ipsec_add_hash_payload(msg, hash->hashsize)) - return -1; - - /* Get the list of protocol suites. */ - suite_conf = conf_get_list(exchange->policy, "Suites"); - if (!suite_conf) - return -1; - - for (suite = TAILQ_FIRST(&suite_conf->fields), suite_no = prop_no = 0; - suite_no < suite_conf->cnt; - suite_no++, suite = TAILQ_NEXT(suite, link)) { - /* Now get each protocol in this specific protocol suite. */ - prot_conf = conf_get_list(suite->field, "Protocols"); - if (!prot_conf) - goto bail_out; - - for (prot = TAILQ_FIRST(&prot_conf->fields), prot_no = 0; - prot_no < prot_conf->cnt; - prot_no++, prot = TAILQ_NEXT(prot, link)) { - /* Make sure we have a proposal/transform vectors. */ - if (prop_no >= prop_cnt) { - /* - * This resize algorithm is completely - * arbitrary. - */ - prop_cnt = 2 * prop_cnt + 10; - new_proposal = realloc(proposal, - prop_cnt * sizeof *proposal); - if (!new_proposal) { - log_error( - "initiator_send_HASH_SA_NONCE: " - "realloc (%p, %lu) failed", - proposal, - prop_cnt * (unsigned long)sizeof *proposal); - goto bail_out; - } - proposal = new_proposal; - - new_transforms_len = realloc(transforms_len, - prop_cnt * sizeof *transforms_len); - if (!new_transforms_len) { - log_error( - "initiator_send_HASH_SA_NONCE: " - "realloc (%p, %lu) failed", - transforms_len, - prop_cnt * (unsigned long)sizeof *transforms_len); - goto bail_out; - } - transforms_len = new_transforms_len; - - new_transform = realloc(transform, - prop_cnt * sizeof *transform); - if (!new_transform) { - log_error( - "initiator_send_HASH_SA_NONCE: " - "realloc (%p, %lu) failed", - transform, - prop_cnt * (unsigned long)sizeof *transform); - goto bail_out; - } - transform = new_transform; - - new_transform_cnt = realloc(transform_cnt, - prop_cnt * sizeof *transform_cnt); - if (!new_transform_cnt) { - log_error( - "initiator_send_HASH_SA_NONCE: " - "realloc (%p, %lu) failed", - transform_cnt, - prop_cnt * (unsigned long)sizeof *transform_cnt); - goto bail_out; - } - transform_cnt = new_transform_cnt; - - new_transform_len = realloc(transform_len, - prop_cnt * sizeof *transform_len); - if (!new_transform_len) { - log_error( - "initiator_send_HASH_SA_NONCE: " - "realloc (%p, %lu) failed", - transform_len, - prop_cnt * (unsigned long)sizeof *transform_len); - goto bail_out; - } - transform_len = new_transform_len; - } - protocol_id = conf_get_str(prot->field, "PROTOCOL_ID"); - if (!protocol_id) - goto bail_out; - - proto_id = constant_value(ipsec_proto_cst, - protocol_id); - switch (proto_id) { - case IPSEC_PROTO_IPSEC_AH: - id_map = ipsec_ah_cst; - break; - - case IPSEC_PROTO_IPSEC_ESP: - id_map = ipsec_esp_cst; - break; - - case IPSEC_PROTO_IPCOMP: - id_map = ipsec_ipcomp_cst; - break; - - default: - { - log_print("initiator_send_HASH_SA_NONCE: " - "invalid PROTCOL_ID: %s", protocol_id); - goto bail_out; - } - } - - /* Now get each transform we offer for this protocol.*/ - xf_conf = conf_get_list(prot->field, "Transforms"); - if (!xf_conf) - goto bail_out; - transform_cnt[prop_no] = xf_conf->cnt; - - transform[prop_no] = calloc(transform_cnt[prop_no], - sizeof **transform); - if (!transform[prop_no]) { - log_error("initiator_send_HASH_SA_NONCE: " - "calloc (%d, %lu) failed", - transform_cnt[prop_no], - (unsigned long)sizeof **transform); - goto bail_out; - } - transform_len[prop_no] = calloc(transform_cnt[prop_no], - sizeof **transform_len); - if (!transform_len[prop_no]) { - log_error("initiator_send_HASH_SA_NONCE: " - "calloc (%d, %lu) failed", - transform_cnt[prop_no], - (unsigned long)sizeof **transform_len); - goto bail_out; - } - transforms_len[prop_no] = 0; - for (xf = TAILQ_FIRST(&xf_conf->fields), xf_no = 0; - xf_no < transform_cnt[prop_no]; - xf_no++, xf = TAILQ_NEXT(xf, link)) { - - /* XXX The sizing needs to be dynamic. */ - transform[prop_no][xf_no] = - calloc(ISAKMP_TRANSFORM_SA_ATTRS_OFF + - 9 * ISAKMP_ATTR_VALUE_OFF, 1); - if (!transform[prop_no][xf_no]) { - log_error( - "initiator_send_HASH_SA_NONCE: " - "calloc (%d, 1) failed", - ISAKMP_TRANSFORM_SA_ATTRS_OFF + - 9 * ISAKMP_ATTR_VALUE_OFF); - goto bail_out; - } - SET_ISAKMP_TRANSFORM_NO(transform[prop_no][xf_no], - xf_no + 1); - - transform_id = conf_get_str(xf->field, - "TRANSFORM_ID"); - if (!transform_id) - goto bail_out; - SET_ISAKMP_TRANSFORM_ID(transform[prop_no][xf_no], - constant_value(id_map, transform_id)); - SET_ISAKMP_TRANSFORM_RESERVED(transform[prop_no][xf_no], 0); - - attr = transform[prop_no][xf_no] + - ISAKMP_TRANSFORM_SA_ATTRS_OFF; - - /* - * Life durations are special, we should be - * able to specify several, one per type. - */ - life_conf = conf_get_list(xf->field, "Life"); - if (life_conf) { - for (life = TAILQ_FIRST(&life_conf->fields); - life; - life = TAILQ_NEXT(life, link)) { - attribute_set_constant( - life->field, "LIFE_TYPE", - ipsec_duration_cst, - IPSEC_ATTR_SA_LIFE_TYPE, - &attr); - - /* - * XXX Deals with 16 and 32 - * bit lifetimes only - */ - value = - conf_get_num(life->field, - "LIFE_DURATION", 0); - if (value) { - if (value <= 0xffff) - attr = - attribute_set_basic( - attr, - IPSEC_ATTR_SA_LIFE_DURATION, - value); - else { - value = htonl(value); - attr = - attribute_set_var( - attr, - IPSEC_ATTR_SA_LIFE_DURATION, - (u_int8_t *)&value, - sizeof value); - } - } - } - conf_free_list(life_conf); - } - attribute_set_constant(xf->field, - "ENCAPSULATION_MODE", ipsec_encap_cst, - IPSEC_ATTR_ENCAPSULATION_MODE, &attr); - - if (proto_id != IPSEC_PROTO_IPCOMP) { - attribute_set_constant(xf->field, - "AUTHENTICATION_ALGORITHM", - ipsec_auth_cst, - IPSEC_ATTR_AUTHENTICATION_ALGORITHM, - &attr); - - attribute_set_constant(xf->field, - "GROUP_DESCRIPTION", - ike_group_desc_cst, - IPSEC_ATTR_GROUP_DESCRIPTION, &attr); - - value = conf_get_num(xf->field, - "KEY_LENGTH", 0); - if (value) - attr = attribute_set_basic( - attr, - IPSEC_ATTR_KEY_LENGTH, - value); - - value = conf_get_num(xf->field, - "KEY_ROUNDS", 0); - if (value) - attr = attribute_set_basic( - attr, - IPSEC_ATTR_KEY_ROUNDS, - value); - } else { - value = conf_get_num(xf->field, - "COMPRESS_DICTIONARY_SIZE", 0); - if (value) - attr = attribute_set_basic( - attr, - IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE, - value); - - value = conf_get_num(xf->field, - "COMPRESS_PRIVATE_ALGORITHM", 0); - if (value) - attr = attribute_set_basic( - attr, - IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM, - value); - } - - value = conf_get_num(xf->field, "ECN_TUNNEL", - 0); - if (value) - attr = attribute_set_basic(attr, - IPSEC_ATTR_ECN_TUNNEL, value); - - /* Record the real transform size. */ - transforms_len[prop_no] += - (transform_len[prop_no][xf_no] - = attr - transform[prop_no][xf_no]); - - if (proto_id != IPSEC_PROTO_IPCOMP) { - /* - * Make sure that if a group - * description is specified, it is - * specified for all transforms - * equally. - */ - attr = - (u_int8_t *)conf_get_str(xf->field, - "GROUP_DESCRIPTION"); - new_group_desc - = attr ? constant_value(ike_group_desc_cst, - (char *)attr) : 0; - if (group_desc == -1) - group_desc = new_group_desc; - else if (group_desc != new_group_desc) { - log_print("initiator_send_HASH_SA_NONCE: " - "differing group descriptions in a proposal"); - goto bail_out; - } - } - } - conf_free_list(xf_conf); - xf_conf = 0; - - /* - * Get SPI from application. - * XXX Should we care about unknown constants? - */ - protocol_num = constant_value(ipsec_proto_cst, - protocol_id); - spi = doi->get_spi(&spi_sz, protocol_num, msg); - if (spi_sz && !spi) { - log_print("initiator_send_HASH_SA_NONCE: " - "doi->get_spi failed"); - goto bail_out; - } - proposal_len = ISAKMP_PROP_SPI_OFF + spi_sz; - proposals_len += - proposal_len + transforms_len[prop_no]; - proposal[prop_no] = malloc(proposal_len); - if (!proposal[prop_no]) { - log_error("initiator_send_HASH_SA_NONCE: " - "malloc (%lu) failed", - (unsigned long)proposal_len); - goto bail_out; - } - SET_ISAKMP_PROP_NO(proposal[prop_no], suite_no + 1); - SET_ISAKMP_PROP_PROTO(proposal[prop_no], protocol_num); - - /* XXX I would like to see this factored out. */ - proto = calloc(1, sizeof *proto); - if (!proto) { - log_error("initiator_send_HASH_SA_NONCE: " - "calloc (1, %lu) failed", - (unsigned long)sizeof *proto); - goto bail_out; - } - if (doi->proto_size) { - proto->data = calloc(1, doi->proto_size); - if (!proto->data) { - log_error( - "initiator_send_HASH_SA_NONCE: " - "calloc (1, %lu) failed", - (unsigned long)doi->proto_size); - goto bail_out; - } - } - proto->no = suite_no + 1; - proto->proto = protocol_num; - proto->sa = TAILQ_FIRST(&exchange->sa_list); - proto->xf_cnt = transform_cnt[prop_no]; - TAILQ_INIT(&proto->xfs); - for (xf_no = 0; xf_no < proto->xf_cnt; xf_no++) { - pa = (struct proto_attr *)calloc(1, - sizeof *pa); - if (!pa) - goto bail_out; - pa->len = transform_len[prop_no][xf_no]; - pa->attrs = (u_int8_t *)malloc(pa->len); - if (!pa->attrs) { - free(pa); - goto bail_out; - } - memcpy(pa->attrs, transform[prop_no][xf_no], - pa->len); - TAILQ_INSERT_TAIL(&proto->xfs, pa, next); - } - TAILQ_INSERT_TAIL(&TAILQ_FIRST(&exchange->sa_list)->protos, - proto, link); - - /* Setup the incoming SPI. */ - SET_ISAKMP_PROP_SPI_SZ(proposal[prop_no], spi_sz); - memcpy(proposal[prop_no] + ISAKMP_PROP_SPI_OFF, spi, - spi_sz); - proto->spi_sz[1] = spi_sz; - proto->spi[1] = spi; - - /* - * Let the DOI get at proto for initializing its own - * data. - */ - if (doi->proto_init) - doi->proto_init(proto, prot->field); - - SET_ISAKMP_PROP_NTRANSFORMS(proposal[prop_no], - transform_cnt[prop_no]); - prop_no++; - } - conf_free_list(prot_conf); - prot_conf = 0; - } - - sa_len = ISAKMP_SA_SIT_OFF + IPSEC_SIT_SIT_LEN; - sa_buf = malloc(sa_len); - if (!sa_buf) { - log_error("initiator_send_HASH_SA_NONCE: malloc (%lu) failed", - (unsigned long)sa_len); - goto bail_out; - } - SET_ISAKMP_SA_DOI(sa_buf, IPSEC_DOI_IPSEC); - SET_IPSEC_SIT_SIT(sa_buf + ISAKMP_SA_SIT_OFF, IPSEC_SIT_IDENTITY_ONLY); - - /* - * Add the payloads. As this is a SA, we need to recompute the - * lengths of the payloads containing others. We also need to - * reset these payload's "next payload type" field. - */ - if (message_add_payload(msg, ISAKMP_PAYLOAD_SA, sa_buf, sa_len, 1)) - goto bail_out; - SET_ISAKMP_GEN_LENGTH(sa_buf, sa_len + proposals_len); - sa_buf = 0; - - update_nextp = 0; - saved_nextp_sa = msg->nextp; - for (i = 0; i < prop_no; i++) { - if (message_add_payload(msg, ISAKMP_PAYLOAD_PROPOSAL, - proposal[i], proposal_len, update_nextp)) - goto bail_out; - SET_ISAKMP_GEN_LENGTH(proposal[i], - proposal_len + transforms_len[i]); - proposal[i] = 0; - - update_nextp = 0; - saved_nextp_prop = msg->nextp; - for (xf_no = 0; xf_no < transform_cnt[i]; xf_no++) { - if (message_add_payload(msg, ISAKMP_PAYLOAD_TRANSFORM, - transform[i][xf_no], - transform_len[i][xf_no], update_nextp)) - goto bail_out; - update_nextp = 1; - transform[i][xf_no] = 0; - } - msg->nextp = saved_nextp_prop; - update_nextp = 1; - } - msg->nextp = saved_nextp_sa; - - /* - * Save SA payload body in ie->sa_i_b, length ie->sa_i_b_len. - */ - ie->sa_i_b = message_copy(msg, ISAKMP_GEN_SZ, &ie->sa_i_b_len); - if (!ie->sa_i_b) - goto bail_out; - - /* - * Generate a nonce, and add it to the message. - * XXX I want a better way to specify the nonce's size. - */ - if (exchange_gen_nonce(msg, 16)) - return -1; - - /* Generate optional KEY_EXCH payload. */ - if (group_desc > 0) { - ie->group = group_get(group_desc); - ie->g_x_len = dh_getlen(ie->group); - - if (ipsec_gen_g_x(msg)) { - group_free(ie->group); - ie->group = 0; - return -1; - } - } - /* Generate optional client ID payloads. XXX Share with responder. */ - local_id = conf_get_str(exchange->name, "Local-ID"); - remote_id = conf_get_str(exchange->name, "Remote-ID"); - if (local_id && remote_id) { - id = ipsec_build_id(local_id, &sz); - if (!id) - return -1; - LOG_DBG_BUF((LOG_NEGOTIATION, 90, - "initiator_send_HASH_SA_NONCE: IDic", id, sz)); - if (message_add_payload(msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) { - free(id); - return -1; - } - id = ipsec_build_id(remote_id, &sz); - if (!id) - return -1; - LOG_DBG_BUF((LOG_NEGOTIATION, 90, - "initiator_send_HASH_SA_NONCE: IDrc", id, sz)); - if (message_add_payload(msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) { - free(id); - return -1; - } - } - /* XXX I do not judge these as errors, are they? */ - else if (local_id) - log_print("initiator_send_HASH_SA_NONCE: " - "Local-ID given without Remote-ID for \"%s\"", - exchange->name); - else if (remote_id) - /* - * This code supports the "road warrior" case, where the - * initiator doesn't have a fixed IP address, but wants to - * specify a particular remote network to talk to. -- Adrian - * Close <adrian@esec.com.au> - */ - { - log_print("initiator_send_HASH_SA_NONCE: " - "Remote-ID given without Local-ID for \"%s\"", - exchange->name); - - /* - * If we're here, then we are the initiator, so use initiator - * address for local ID - */ - msg->transport->vtbl->get_src(msg->transport, &src); - sz = ISAKMP_ID_SZ + sockaddr_addrlen(src); - - id = calloc(sz, sizeof(char)); - if (!id) { - log_error("initiator_send_HASH_SA_NONCE: " - "calloc (%lu, %lu) failed", (unsigned long)sz, - (unsigned long)sizeof(char)); - return -1; - } - switch (src->sa_family) { - case AF_INET6: - SET_ISAKMP_ID_TYPE(id, IPSEC_ID_IPV6_ADDR); - break; - case AF_INET: - SET_ISAKMP_ID_TYPE(id, IPSEC_ID_IPV4_ADDR); - break; - default: - log_error("initiator_send_HASH_SA_NONCE: " - "unknown sa_family %d", src->sa_family); - free(id); - return -1; - } - memcpy(id + ISAKMP_ID_DATA_OFF, sockaddr_addrdata(src), - sockaddr_addrlen(src)); - - LOG_DBG_BUF((LOG_NEGOTIATION, 90, - "initiator_send_HASH_SA_NONCE: IDic", id, sz)); - if (message_add_payload(msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) { - free(id); - return -1; - } - /* Send supplied remote_id */ - id = ipsec_build_id(remote_id, &sz); - if (!id) - return -1; - LOG_DBG_BUF((LOG_NEGOTIATION, 90, - "initiator_send_HASH_SA_NONCE: IDrc", id, sz)); - if (message_add_payload(msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) { - free(id); - return -1; - } - } - if (ipsec_fill_in_hash(msg)) - goto bail_out; - - conf_free_list(suite_conf); - for (i = 0; i < prop_no; i++) { - free(transform[i]); - free(transform_len[i]); - } - free(proposal); - free(transform); - free(transforms_len); - free(transform_len); - free(transform_cnt); - return 0; - -bail_out: - if (sa_buf) - free(sa_buf); - if (proposal) { - for (i = 0; i < prop_no; i++) { - if (proposal[i]) - free(proposal[i]); - if (transform[i]) { - for (xf_no = 0; xf_no < transform_cnt[i]; - xf_no++) - if (transform[i][xf_no]) - free(transform[i][xf_no]); - free(transform[i]); - } - if (transform_len[i]) - free(transform_len[i]); - } - free(proposal); - free(transforms_len); - free(transform); - free(transform_len); - free(transform_cnt); - } - if (xf_conf) - conf_free_list(xf_conf); - if (prot_conf) - conf_free_list(prot_conf); - conf_free_list(suite_conf); - return -1; -} - -/* Figure out what transform the responder chose. */ -static int -initiator_recv_HASH_SA_NONCE(struct message *msg) -{ - struct exchange *exchange = msg->exchange; - struct ipsec_exch *ie = exchange->data; - struct sa *sa; - struct proto *proto, *next_proto; - struct payload *sa_p = payload_first(msg, ISAKMP_PAYLOAD_SA); - struct payload *xf, *idp; - struct payload *hashp = payload_first(msg, ISAKMP_PAYLOAD_HASH); - struct payload *kep = payload_first(msg, ISAKMP_PAYLOAD_KEY_EXCH); - struct prf *prf; - struct sa *isakmp_sa = msg->isakmp_sa; - struct ipsec_sa *isa = isakmp_sa->data; - struct hash *hash = hash_get(isa->hash); - size_t hashsize = hash->hashsize; - u_int8_t *rest; - size_t rest_len; - struct sockaddr *src, *dst; - - /* Allocate the prf and start calculating our HASH(1). XXX Share? */ - LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: " - "SKEYID_a", (u_int8_t *)isa->skeyid_a, isa->skeyid_len)); - prf = prf_alloc(isa->prf_type, hash->type, isa->skeyid_a, - isa->skeyid_len); - if (!prf) - return -1; - - prf->Init(prf->prfctx); - LOG_DBG_BUF((LOG_NEGOTIATION, 90, - "initiator_recv_HASH_SA_NONCE: message_id", - exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN)); - prf->Update(prf->prfctx, exchange->message_id, - ISAKMP_HDR_MESSAGE_ID_LEN); - LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_recv_HASH_SA_NONCE: " - "NONCE_I_b", exchange->nonce_i, exchange->nonce_i_len)); - prf->Update(prf->prfctx, exchange->nonce_i, exchange->nonce_i_len); - rest = hashp->p + GET_ISAKMP_GEN_LENGTH(hashp->p); - rest_len = (GET_ISAKMP_HDR_LENGTH(msg->iov[0].iov_base) - - (rest - (u_int8_t *)msg->iov[0].iov_base)); - LOG_DBG_BUF((LOG_NEGOTIATION, 90, - "initiator_recv_HASH_SA_NONCE: payloads after HASH(2)", rest, - rest_len)); - prf->Update(prf->prfctx, rest, rest_len); - prf->Final(hash->digest, prf->prfctx); - prf_free(prf); - LOG_DBG_BUF((LOG_NEGOTIATION, 80, - "initiator_recv_HASH_SA_NONCE: computed HASH(2)", hash->digest, - hashsize)); - if (memcmp(hashp->p + ISAKMP_HASH_DATA_OFF, hash->digest, hashsize) - != 0) { - message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, 1, - 0); - return -1; - } - /* Mark the HASH as handled. */ - hashp->flags |= PL_MARK; - - /* Mark message as authenticated. */ - msg->flags |= MSG_AUTHENTICATED; - - /* - * As we are getting an answer on our transform offer, only one - * transform should be given. - * - * XXX Currently we only support negotiating one SA per quick mode run. - */ - if (TAILQ_NEXT(sa_p, link)) { - log_print("initiator_recv_HASH_SA_NONCE: " - "multiple SA payloads in quick mode not supported yet"); - return -1; - } - sa = TAILQ_FIRST(&exchange->sa_list); - - /* This is here for the policy check */ - if (kep) - ie->pfs = 1; - - /* Handle optional client ID payloads. */ - idp = payload_first(msg, ISAKMP_PAYLOAD_ID); - if (idp) { - /* If IDci is there, IDcr must be too. */ - if (!TAILQ_NEXT(idp, link)) { - /* XXX Is this a good notify type? */ - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, - 1, 0); - return -1; - } - /* XXX We should really compare, not override. */ - ie->id_ci_sz = GET_ISAKMP_GEN_LENGTH(idp->p); - ie->id_ci = malloc(ie->id_ci_sz); - if (!ie->id_ci) { - log_error("initiator_recv_HASH_SA_NONCE: " - "malloc (%lu) failed", - (unsigned long)ie->id_ci_sz); - return -1; - } - memcpy(ie->id_ci, idp->p, ie->id_ci_sz); - idp->flags |= PL_MARK; - LOG_DBG_BUF((LOG_NEGOTIATION, 90, - "initiator_recv_HASH_SA_NONCE: IDci", - ie->id_ci + ISAKMP_GEN_SZ, ie->id_ci_sz - ISAKMP_GEN_SZ)); - - idp = TAILQ_NEXT(idp, link); - ie->id_cr_sz = GET_ISAKMP_GEN_LENGTH(idp->p); - ie->id_cr = malloc(ie->id_cr_sz); - if (!ie->id_cr) { - log_error("initiator_recv_HASH_SA_NONCE: " - "malloc (%lu) failed", - (unsigned long)ie->id_cr_sz); - return -1; - } - memcpy(ie->id_cr, idp->p, ie->id_cr_sz); - idp->flags |= PL_MARK; - LOG_DBG_BUF((LOG_NEGOTIATION, 90, - "initiator_recv_HASH_SA_NONCE: IDcr", - ie->id_cr + ISAKMP_GEN_SZ, ie->id_cr_sz - ISAKMP_GEN_SZ)); - } else { - /* - * If client identifiers are not present in the exchange, - * we fake them. RFC 2409 states: - * The identities of the SAs negotiated in Quick Mode are - * implicitly assumed to be the IP addresses of the ISAKMP - * peers, without any constraints on the protocol or port - * numbers allowed, unless client identifiers are specified - * in Quick Mode. - * - * -- Michael Paddon (mwp@aba.net.au) - */ - - ie->flags = IPSEC_EXCH_FLAG_NO_ID; - - /* Get initiator and responder addresses. */ - msg->transport->vtbl->get_src(msg->transport, &src); - msg->transport->vtbl->get_dst(msg->transport, &dst); - ie->id_ci_sz = ISAKMP_ID_DATA_OFF + sockaddr_addrlen(src); - ie->id_cr_sz = ISAKMP_ID_DATA_OFF + sockaddr_addrlen(dst); - ie->id_ci = calloc(ie->id_ci_sz, sizeof(char)); - ie->id_cr = calloc(ie->id_cr_sz, sizeof(char)); - - if (!ie->id_ci || !ie->id_cr) { - log_error("initiator_recv_HASH_SA_NONCE: " - "calloc (%lu, %lu) failed", - (unsigned long)ie->id_cr_sz, - (unsigned long)sizeof(char)); - if (ie->id_ci) { - free(ie->id_ci); - ie->id_ci = 0; - } - if (ie->id_cr) { - free(ie->id_cr); - ie->id_cr = 0; - } - return -1; - } - if (src->sa_family != dst->sa_family) { - log_error("initiator_recv_HASH_SA_NONCE: " - "sa_family mismatch"); - free(ie->id_ci); - ie->id_ci = 0; - free(ie->id_cr); - ie->id_cr = 0; - return -1; - } - switch (src->sa_family) { - case AF_INET: - SET_ISAKMP_ID_TYPE(ie->id_ci, IPSEC_ID_IPV4_ADDR); - SET_ISAKMP_ID_TYPE(ie->id_cr, IPSEC_ID_IPV4_ADDR); - break; - - case AF_INET6: - SET_ISAKMP_ID_TYPE(ie->id_ci, IPSEC_ID_IPV6_ADDR); - SET_ISAKMP_ID_TYPE(ie->id_cr, IPSEC_ID_IPV6_ADDR); - break; - - default: - log_error("initiator_recv_HASH_SA_NONCE: " - "unknown sa_family %d", src->sa_family); - free(ie->id_ci); - ie->id_ci = 0; - free(ie->id_cr); - ie->id_cr = 0; - return -1; - } - memcpy(ie->id_ci + ISAKMP_ID_DATA_OFF, sockaddr_addrdata(src), - sockaddr_addrlen(src)); - memcpy(ie->id_cr + ISAKMP_ID_DATA_OFF, sockaddr_addrdata(dst), - sockaddr_addrlen(dst)); - } - - /* Build the protection suite in our SA. */ - for (xf = payload_first(msg, ISAKMP_PAYLOAD_TRANSFORM); xf; - xf = TAILQ_NEXT(xf, link)) { - - /* - * XXX We could check that the proposal each transform - * belongs to is unique. - */ - - if (sa_add_transform(sa, xf, exchange->initiator, &proto)) - return -1; - - /* XXX Check that the chosen transform matches an offer. */ - - ipsec_decode_transform(msg, sa, proto, xf->p); - } - - /* Now remove offers that we don't need anymore. */ - for (proto = TAILQ_FIRST(&sa->protos); proto; proto = next_proto) { - next_proto = TAILQ_NEXT(proto, link); - if (!proto->chosen) - proto_free(proto); - } - -#ifdef USE_POLICY - if (!check_policy(exchange, sa, msg->isakmp_sa)) { - message_drop(msg, ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0); - log_print("initiator_recv_HASH_SA_NONCE: policy check failed"); - return -1; - } -#endif - - /* Mark the SA as handled. */ - sa_p->flags |= PL_MARK; - - isa = sa->data; - if ((isa->group_desc && - (!ie->group || ie->group->id != isa->group_desc)) || - (!isa->group_desc && ie->group)) { - log_print("initiator_recv_HASH_SA_NONCE: disagreement on PFS"); - return -1; - } - /* Copy out the initiator's nonce. */ - if (exchange_save_nonce(msg)) - return -1; - - /* Handle the optional KEY_EXCH payload. */ - if (kep && ipsec_save_g_x(msg)) - return -1; - - return 0; -} - -static int -initiator_send_HASH(struct message *msg) -{ - struct exchange *exchange = msg->exchange; - struct ipsec_exch *ie = exchange->data; - struct sa *isakmp_sa = msg->isakmp_sa; - struct ipsec_sa *isa = isakmp_sa->data; - struct prf *prf; - u_int8_t *buf; - struct hash *hash = hash_get(isa->hash); - size_t hashsize = hash->hashsize; - - /* - * We want a HASH payload to start with. XXX Share with - * ike_main_mode.c? - */ - buf = malloc(ISAKMP_HASH_SZ + hashsize); - if (!buf) { - log_error("initiator_send_HASH: malloc (%lu) failed", - ISAKMP_HASH_SZ + (unsigned long)hashsize); - return -1; - } - if (message_add_payload(msg, ISAKMP_PAYLOAD_HASH, buf, - ISAKMP_HASH_SZ + hashsize, 1)) { - free(buf); - return -1; - } - /* Allocate the prf and start calculating our HASH(3). XXX Share? */ - LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH: SKEYID_a", - isa->skeyid_a, isa->skeyid_len)); - prf = prf_alloc(isa->prf_type, isa->hash, isa->skeyid_a, - isa->skeyid_len); - if (!prf) - return -1; - prf->Init(prf->prfctx); - prf->Update(prf->prfctx, (unsigned char *)"\0", 1); - LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH: message_id", - exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN)); - prf->Update(prf->prfctx, exchange->message_id, - ISAKMP_HDR_MESSAGE_ID_LEN); - LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH: NONCE_I_b", - exchange->nonce_i, exchange->nonce_i_len)); - prf->Update(prf->prfctx, exchange->nonce_i, exchange->nonce_i_len); - LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH: NONCE_R_b", - exchange->nonce_r, exchange->nonce_r_len)); - prf->Update(prf->prfctx, exchange->nonce_r, exchange->nonce_r_len); - prf->Final(buf + ISAKMP_GEN_SZ, prf->prfctx); - prf_free(prf); - LOG_DBG_BUF((LOG_NEGOTIATION, 90, "initiator_send_HASH: HASH(3)", - buf + ISAKMP_GEN_SZ, hashsize)); - - if (ie->group) - message_register_post_send(msg, gen_g_xy); - - message_register_post_send(msg, post_quick_mode); - - return 0; -} - -static void -post_quick_mode(struct message *msg) -{ - struct sa *isakmp_sa = msg->isakmp_sa; - struct ipsec_sa *isa = isakmp_sa->data; - struct exchange *exchange = msg->exchange; - struct ipsec_exch *ie = exchange->data; - struct prf *prf; - struct sa *sa; - struct proto *proto; - struct ipsec_proto *iproto; - u_int8_t *keymat; - int i; - - /* - * Loop over all SA negotiations and do both an in- and an outgoing SA - * per protocol. - */ - for (sa = TAILQ_FIRST(&exchange->sa_list); sa; - sa = TAILQ_NEXT(sa, next)) { - for (proto = TAILQ_FIRST(&sa->protos); proto; - proto = TAILQ_NEXT(proto, link)) { - if (proto->proto == IPSEC_PROTO_IPCOMP) - continue; - - iproto = proto->data; - - /* - * There are two SAs for each SA negotiation, - * incoming and outcoing. - */ - for (i = 0; i < 2; i++) { - prf = prf_alloc(isa->prf_type, isa->hash, - isa->skeyid_d, isa->skeyid_len); - if (!prf) { - /* XXX What to do? */ - continue; - } - ie->keymat_len = ipsec_keymat_length(proto); - - /* - * We need to roundup the length of the key - * material buffer to a multiple of the PRF's - * blocksize as it is generated in chunks of - * that blocksize. - */ - iproto->keymat[i] - = malloc(((ie->keymat_len + prf->blocksize - 1) - / prf->blocksize) * prf->blocksize); - if (!iproto->keymat[i]) { - log_error("post_quick_mode: " - "malloc (%lu) failed", - (((unsigned long)ie->keymat_len + - prf->blocksize - 1) / prf->blocksize) * - prf->blocksize); - /* XXX What more to do? */ - free(prf); - continue; - } - for (keymat = iproto->keymat[i]; - keymat < iproto->keymat[i] + ie->keymat_len; - keymat += prf->blocksize) { - prf->Init(prf->prfctx); - - if (keymat != iproto->keymat[i]) { - /* - * Hash in last round's - * KEYMAT. - */ - LOG_DBG_BUF((LOG_NEGOTIATION, - 90, "post_quick_mode: " - "last KEYMAT", - keymat - prf->blocksize, - prf->blocksize)); - prf->Update(prf->prfctx, - keymat - prf->blocksize, - prf->blocksize); - } - /* If PFS is used hash in g^xy. */ - if (ie->g_xy) { - LOG_DBG_BUF((LOG_NEGOTIATION, - 90, "post_quick_mode: " - "g^xy", ie->g_xy, - ie->g_x_len)); - prf->Update(prf->prfctx, - ie->g_xy, ie->g_x_len); - } - LOG_DBG((LOG_NEGOTIATION, 90, - "post_quick_mode: " - "suite %d proto %d", proto->no, - proto->proto)); - prf->Update(prf->prfctx, &proto->proto, - 1); - LOG_DBG_BUF((LOG_NEGOTIATION, 90, - "post_quick_mode: SPI", - proto->spi[i], proto->spi_sz[i])); - prf->Update(prf->prfctx, - proto->spi[i], proto->spi_sz[i]); - LOG_DBG_BUF((LOG_NEGOTIATION, 90, - "post_quick_mode: Ni_b", - exchange->nonce_i, - exchange->nonce_i_len)); - prf->Update(prf->prfctx, - exchange->nonce_i, - exchange->nonce_i_len); - LOG_DBG_BUF((LOG_NEGOTIATION, 90, - "post_quick_mode: Nr_b", - exchange->nonce_r, - exchange->nonce_r_len)); - prf->Update(prf->prfctx, - exchange->nonce_r, - exchange->nonce_r_len); - prf->Final(keymat, prf->prfctx); - } - prf_free(prf); - LOG_DBG_BUF((LOG_NEGOTIATION, 90, - "post_quick_mode: KEYMAT", - iproto->keymat[i], ie->keymat_len)); - } - } - } - - log_verbose("isakmpd: quick mode done: %s", - !msg->isakmp_sa || !msg->isakmp_sa->transport ? "<no transport>" - : msg->isakmp_sa->transport->vtbl->decode_ids - (msg->isakmp_sa->transport)); -} - -/* - * Accept a set of transforms offered by the initiator and chose one we can - * handle. - * XXX Describe in more detail. - */ -static int -responder_recv_HASH_SA_NONCE(struct message *msg) -{ - struct payload *hashp, *kep, *idp; - struct sa *sa; - struct sa *isakmp_sa = msg->isakmp_sa; - struct ipsec_sa *isa = isakmp_sa->data; - struct exchange *exchange = msg->exchange; - struct ipsec_exch *ie = exchange->data; - struct prf *prf; - u_int8_t *hash, *my_hash = 0; - size_t hash_len; - u_int8_t *pkt = msg->iov[0].iov_base; - u_int8_t group_desc = 0; - int retval = -1; - struct proto *proto; - struct sockaddr *src, *dst; - char *name; - - hashp = payload_first(msg, ISAKMP_PAYLOAD_HASH); - hash = hashp->p; - hashp->flags |= PL_MARK; - - /* The HASH payload should be the first one. */ - if (hash != pkt + ISAKMP_HDR_SZ) { - /* XXX Is there a better notification type? */ - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0); - goto cleanup; - } - hash_len = GET_ISAKMP_GEN_LENGTH(hash); - my_hash = malloc(hash_len - ISAKMP_GEN_SZ); - if (!my_hash) { - log_error("responder_recv_HASH_SA_NONCE: malloc (%lu) failed", - (unsigned long)hash_len - ISAKMP_GEN_SZ); - goto cleanup; - } - /* - * Check the payload's integrity. - * XXX Share with ipsec_fill_in_hash? - */ - LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: " - "SKEYID_a", isa->skeyid_a, isa->skeyid_len)); - prf = prf_alloc(isa->prf_type, isa->hash, isa->skeyid_a, - isa->skeyid_len); - if (!prf) - goto cleanup; - prf->Init(prf->prfctx); - LOG_DBG_BUF((LOG_NEGOTIATION, 90, - "responder_recv_HASH_SA_NONCE: message_id", - exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN)); - prf->Update(prf->prfctx, exchange->message_id, - ISAKMP_HDR_MESSAGE_ID_LEN); - LOG_DBG_BUF((LOG_NEGOTIATION, 90, - "responder_recv_HASH_SA_NONCE: message after HASH", - hash + hash_len, - msg->iov[0].iov_len - ISAKMP_HDR_SZ - hash_len)); - prf->Update(prf->prfctx, hash + hash_len, - msg->iov[0].iov_len - ISAKMP_HDR_SZ - hash_len); - prf->Final(my_hash, prf->prfctx); - prf_free(prf); - LOG_DBG_BUF((LOG_NEGOTIATION, 90, - "responder_recv_HASH_SA_NONCE: computed HASH(1)", my_hash, - hash_len - ISAKMP_GEN_SZ)); - if (memcmp(hash + ISAKMP_GEN_SZ, my_hash, hash_len - ISAKMP_GEN_SZ) - != 0) { - message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, - 1, 0); - goto cleanup; - } - free(my_hash); - my_hash = 0; - - /* Mark message as authenticated. */ - msg->flags |= MSG_AUTHENTICATED; - - kep = payload_first(msg, ISAKMP_PAYLOAD_KEY_EXCH); - if (kep) - ie->pfs = 1; - - /* Handle optional client ID payloads. */ - idp = payload_first(msg, ISAKMP_PAYLOAD_ID); - if (idp) { - /* If IDci is there, IDcr must be too. */ - if (!TAILQ_NEXT(idp, link)) { - /* XXX Is this a good notify type? */ - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, - 1, 0); - goto cleanup; - } - ie->id_ci_sz = GET_ISAKMP_GEN_LENGTH(idp->p); - ie->id_ci = malloc(ie->id_ci_sz); - if (!ie->id_ci) { - log_error("responder_recv_HASH_SA_NONCE: " - "malloc (%lu) failed", - (unsigned long)ie->id_ci_sz); - goto cleanup; - } - memcpy(ie->id_ci, idp->p, ie->id_ci_sz); - idp->flags |= PL_MARK; - LOG_DBG_BUF((LOG_NEGOTIATION, 90, - "responder_recv_HASH_SA_NONCE: IDci", - ie->id_ci + ISAKMP_GEN_SZ, ie->id_ci_sz - ISAKMP_GEN_SZ)); - - idp = TAILQ_NEXT(idp, link); - ie->id_cr_sz = GET_ISAKMP_GEN_LENGTH(idp->p); - ie->id_cr = malloc(ie->id_cr_sz); - if (!ie->id_cr) { - log_error("responder_recv_HASH_SA_NONCE: " - "malloc (%lu) failed", - (unsigned long)ie->id_cr_sz); - goto cleanup; - } - memcpy(ie->id_cr, idp->p, ie->id_cr_sz); - idp->flags |= PL_MARK; - LOG_DBG_BUF((LOG_NEGOTIATION, 90, - "responder_recv_HASH_SA_NONCE: IDcr", - ie->id_cr + ISAKMP_GEN_SZ, ie->id_cr_sz - ISAKMP_GEN_SZ)); - } else { - /* - * If client identifiers are not present in the exchange, - * we fake them. RFC 2409 states: - * The identities of the SAs negotiated in Quick Mode are - * implicitly assumed to be the IP addresses of the ISAKMP - * peers, without any constraints on the protocol or port - * numbers allowed, unless client identifiers are specified - * in Quick Mode. - * - * -- Michael Paddon (mwp@aba.net.au) - */ - - ie->flags = IPSEC_EXCH_FLAG_NO_ID; - - /* Get initiator and responder addresses. */ - msg->transport->vtbl->get_src(msg->transport, &src); - msg->transport->vtbl->get_dst(msg->transport, &dst); - ie->id_ci_sz = ISAKMP_ID_DATA_OFF + sockaddr_addrlen(src); - ie->id_cr_sz = ISAKMP_ID_DATA_OFF + sockaddr_addrlen(dst); - ie->id_ci = calloc(ie->id_ci_sz, sizeof(char)); - ie->id_cr = calloc(ie->id_cr_sz, sizeof(char)); - - if (!ie->id_ci || !ie->id_cr) { - log_error("responder_recv_HASH_SA_NONCE: " - "calloc (%lu, %lu) failed", - (unsigned long)ie->id_ci_sz, - (unsigned long)sizeof(char)); - goto cleanup; - } - if (src->sa_family != dst->sa_family) { - log_error("initiator_recv_HASH_SA_NONCE: " - "sa_family mismatch"); - goto cleanup; - } - switch (src->sa_family) { - case AF_INET: - SET_ISAKMP_ID_TYPE(ie->id_ci, IPSEC_ID_IPV4_ADDR); - SET_ISAKMP_ID_TYPE(ie->id_cr, IPSEC_ID_IPV4_ADDR); - break; - - case AF_INET6: - SET_ISAKMP_ID_TYPE(ie->id_ci, IPSEC_ID_IPV6_ADDR); - SET_ISAKMP_ID_TYPE(ie->id_cr, IPSEC_ID_IPV6_ADDR); - break; - - default: - log_error("initiator_recv_HASH_SA_NONCE: " - "unknown sa_family %d", src->sa_family); - goto cleanup; - } - - memcpy(ie->id_cr + ISAKMP_ID_DATA_OFF, sockaddr_addrdata(src), - sockaddr_addrlen(src)); - memcpy(ie->id_ci + ISAKMP_ID_DATA_OFF, sockaddr_addrdata(dst), - sockaddr_addrlen(dst)); - } - -#ifdef USE_POLICY -#ifdef USE_KEYNOTE - if (message_negotiate_sa(msg, check_policy)) - goto cleanup; -#else - if (message_negotiate_sa(msg, 0)) - goto cleanup; -#endif -#else - if (message_negotiate_sa(msg, 0)) - goto cleanup; -#endif /* USE_POLICY */ - - for (sa = TAILQ_FIRST(&exchange->sa_list); sa; - sa = TAILQ_NEXT(sa, next)) { - for (proto = TAILQ_FIRST(&sa->protos); proto; - proto = TAILQ_NEXT(proto, link)) { - /* - * XXX we need to have some attributes per proto, not - * all per SA. - */ - ipsec_decode_transform(msg, sa, proto, - proto->chosen->p); - if (proto->proto == IPSEC_PROTO_IPSEC_AH - && !((struct ipsec_proto *)proto->data)->auth) { - log_print("responder_recv_HASH_SA_NONCE: " - "AH proposed without an algorithm " - "attribute"); - message_drop(msg, - ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0); - goto next_sa; - } - } - - isa = sa->data; - - /* - * The group description is mandatory if we got a KEY_EXCH - * payload. - */ - if (kep) { - if (!isa->group_desc) { - log_print("responder_recv_HASH_SA_NONCE: " - "KEY_EXCH payload without a group " - "desc. attribute"); - message_drop(msg, - ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0); - continue; - } - /* Also, all SAs must have equal groups. */ - if (!group_desc) - group_desc = isa->group_desc; - else if (group_desc != isa->group_desc) { - log_print("responder_recv_HASH_SA_NONCE: " - "differing group descriptions in one QM"); - message_drop(msg, - ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0); - continue; - } - } - /* At least one SA was accepted. */ - retval = 0; - -next_sa: - ; /* XXX gcc3 wants this. */ - } - - if (kep) { - ie->group = group_get(group_desc); - if (!ie->group) { - /* - * XXX If the error was due to an out-of-range group - * description we should notify our peer, but this - * should probably be done by the attribute - * validation. Is it? - */ - goto cleanup; - } - } - /* Copy out the initiator's nonce. */ - if (exchange_save_nonce(msg)) - goto cleanup; - - /* Handle the optional KEY_EXCH payload. */ - if (kep && ipsec_save_g_x(msg)) - goto cleanup; - - /* - * Try to find and set the connection name on the exchange. - */ - - /* - * Check for accepted identities as well as lookup the connection - * name and set it on the exchange. - * - * When not using policies make sure the peer proposes sane IDs. - * Otherwise this is done by KeyNote. - */ - name = connection_passive_lookup_by_ids(ie->id_ci, ie->id_cr); - if (name) { - exchange->name = strdup(name); - if (!exchange->name) { - log_error("responder_recv_HASH_SA_NONCE: " - "strdup (\"%s\") failed", name); - goto cleanup; - } - } else if ( -#ifdef USE_X509 - ignore_policy || -#endif - strncmp("yes", conf_get_str("General", "Use-Keynote"), 3)) { - log_print("responder_recv_HASH_SA_NONCE: peer proposed " - "invalid phase 2 IDs: %s", - (exchange->doi->decode_ids("initiator id %s, responder" - " id %s", ie->id_ci, ie->id_ci_sz, ie->id_cr, - ie->id_cr_sz, 1))); - message_drop(msg, ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0); - goto cleanup; - } - - return retval; - -cleanup: - /* Remove all potential protocols that have been added to the SAs. */ - for (sa = TAILQ_FIRST(&exchange->sa_list); sa; - sa = TAILQ_NEXT(sa, next)) - while ((proto = TAILQ_FIRST(&sa->protos)) != 0) - proto_free(proto); - if (my_hash) - free(my_hash); - if (ie->id_ci) { - free(ie->id_ci); - ie->id_ci = 0; - } - if (ie->id_cr) { - free(ie->id_cr); - ie->id_cr = 0; - } - return -1; -} - -/* Reply with the transform we chose. */ -static int -responder_send_HASH_SA_NONCE(struct message *msg) -{ - struct exchange *exchange = msg->exchange; - struct ipsec_exch *ie = exchange->data; - struct sa *isakmp_sa = msg->isakmp_sa; - struct ipsec_sa *isa = isakmp_sa->data; - struct prf *prf; - struct hash *hash = hash_get(isa->hash); - size_t hashsize = hash->hashsize; - size_t nonce_sz = exchange->nonce_i_len; - u_int8_t *buf; - int initiator = exchange->initiator; - char header[80]; - u_int32_t i; - u_int8_t *id; - size_t sz; - - /* - * We want a HASH payload to start with. XXX Share with - * ike_main_mode.c? - */ - buf = malloc(ISAKMP_HASH_SZ + hashsize); - if (!buf) { - log_error("responder_send_HASH_SA_NONCE: malloc (%lu) failed", - ISAKMP_HASH_SZ + (unsigned long)hashsize); - return -1; - } - if (message_add_payload(msg, ISAKMP_PAYLOAD_HASH, buf, - ISAKMP_HASH_SZ + hashsize, 1)) { - free(buf); - return -1; - } - /* Add the SA payload(s) with the transform(s) that was/were chosen. */ - if (message_add_sa_payload(msg)) - return -1; - - /* Generate a nonce, and add it to the message. */ - if (exchange_gen_nonce(msg, nonce_sz)) - return -1; - - /* Generate optional KEY_EXCH payload. This is known as PFS. */ - if (ie->group && ipsec_gen_g_x(msg)) - return -1; - - /* - * If the initiator client ID's were acceptable, just mirror them - * back. - */ - if (!(ie->flags & IPSEC_EXCH_FLAG_NO_ID)) { - sz = ie->id_ci_sz; - id = malloc(sz); - if (!id) { - log_error("responder_send_HASH_SA_NONCE: " - "malloc (%lu) failed", (unsigned long)sz); - return -1; - } - memcpy(id, ie->id_ci, sz); - LOG_DBG_BUF((LOG_NEGOTIATION, 90, - "responder_send_HASH_SA_NONCE: IDic", id, sz)); - if (message_add_payload(msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) { - free(id); - return -1; - } - sz = ie->id_cr_sz; - id = malloc(sz); - if (!id) { - log_error("responder_send_HASH_SA_NONCE: " - "malloc (%lu) failed", (unsigned long)sz); - return -1; - } - memcpy(id, ie->id_cr, sz); - LOG_DBG_BUF((LOG_NEGOTIATION, 90, - "responder_send_HASH_SA_NONCE: IDrc", id, sz)); - if (message_add_payload(msg, ISAKMP_PAYLOAD_ID, id, sz, 1)) { - free(id); - return -1; - } - } - /* Allocate the prf and start calculating our HASH(2). XXX Share? */ - LOG_DBG((LOG_NEGOTIATION, 90, "responder_recv_HASH: " - "isakmp_sa %p isa %p", isakmp_sa, isa)); - LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: " - "SKEYID_a", isa->skeyid_a, isa->skeyid_len)); - prf = prf_alloc(isa->prf_type, hash->type, isa->skeyid_a, - isa->skeyid_len); - if (!prf) - return -1; - prf->Init(prf->prfctx); - LOG_DBG_BUF((LOG_NEGOTIATION, 90, - "responder_send_HASH_SA_NONCE: message_id", - exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN)); - prf->Update(prf->prfctx, exchange->message_id, - ISAKMP_HDR_MESSAGE_ID_LEN); - LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_send_HASH_SA_NONCE: " - "NONCE_I_b", exchange->nonce_i, exchange->nonce_i_len)); - prf->Update(prf->prfctx, exchange->nonce_i, exchange->nonce_i_len); - - /* Loop over all payloads after HASH(2). */ - for (i = 2; i < msg->iovlen; i++) { - /* XXX Misleading payload type printouts. */ - snprintf(header, sizeof header, - "responder_send_HASH_SA_NONCE: payload %d after HASH(2)", - i - 1); - LOG_DBG_BUF((LOG_NEGOTIATION, 90, header, msg->iov[i].iov_base, - msg->iov[i].iov_len)); - prf->Update(prf->prfctx, msg->iov[i].iov_base, - msg->iov[i].iov_len); - } - prf->Final(buf + ISAKMP_HASH_DATA_OFF, prf->prfctx); - prf_free(prf); - snprintf(header, sizeof header, "responder_send_HASH_SA_NONCE: " - "HASH_%c", initiator ? 'I' : 'R'); - LOG_DBG_BUF((LOG_NEGOTIATION, 80, header, buf + ISAKMP_HASH_DATA_OFF, - hashsize)); - - if (ie->group) - message_register_post_send(msg, gen_g_xy); - - return 0; -} - -static void -gen_g_xy(struct message *msg) -{ - struct exchange *exchange = msg->exchange; - struct ipsec_exch *ie = exchange->data; - - /* Compute Diffie-Hellman shared value. */ - ie->g_xy = malloc(ie->g_x_len); - if (!ie->g_xy) { - log_error("gen_g_xy: malloc (%lu) failed", - (unsigned long)ie->g_x_len); - return; - } - if (dh_create_shared(ie->group, ie->g_xy, - exchange->initiator ? ie->g_xr : ie->g_xi)) { - log_print("gen_g_xy: dh_create_shared failed"); - return; - } - LOG_DBG_BUF((LOG_NEGOTIATION, 80, "gen_g_xy: g^xy", ie->g_xy, - ie->g_x_len)); -} - -static int -responder_recv_HASH(struct message *msg) -{ - struct exchange *exchange = msg->exchange; - struct sa *isakmp_sa = msg->isakmp_sa; - struct ipsec_sa *isa = isakmp_sa->data; - struct prf *prf; - u_int8_t *hash, *my_hash = 0; - size_t hash_len; - struct payload *hashp; - - /* Find HASH(3) and create our own hash, just as big. */ - hashp = payload_first(msg, ISAKMP_PAYLOAD_HASH); - hash = hashp->p; - hashp->flags |= PL_MARK; - hash_len = GET_ISAKMP_GEN_LENGTH(hash); - my_hash = malloc(hash_len - ISAKMP_GEN_SZ); - if (!my_hash) { - log_error("responder_recv_HASH: malloc (%lu) failed", - (unsigned long)hash_len - ISAKMP_GEN_SZ); - goto cleanup; - } - /* Allocate the prf and start calculating our HASH(3). XXX Share? */ - LOG_DBG((LOG_NEGOTIATION, 90, "responder_recv_HASH: " - "isakmp_sa %p isa %p", isakmp_sa, isa)); - LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_recv_HASH: SKEYID_a", - isa->skeyid_a, isa->skeyid_len)); - prf = prf_alloc(isa->prf_type, isa->hash, isa->skeyid_a, - isa->skeyid_len); - if (!prf) - goto cleanup; - prf->Init(prf->prfctx); - prf->Update(prf->prfctx, (unsigned char *)"\0", 1); - LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_recv_HASH: message_id", - exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN)); - prf->Update(prf->prfctx, exchange->message_id, - ISAKMP_HDR_MESSAGE_ID_LEN); - LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_recv_HASH: NONCE_I_b", - exchange->nonce_i, exchange->nonce_i_len)); - prf->Update(prf->prfctx, exchange->nonce_i, exchange->nonce_i_len); - LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_recv_HASH: NONCE_R_b", - exchange->nonce_r, exchange->nonce_r_len)); - prf->Update(prf->prfctx, exchange->nonce_r, exchange->nonce_r_len); - prf->Final(my_hash, prf->prfctx); - prf_free(prf); - LOG_DBG_BUF((LOG_NEGOTIATION, 90, - "responder_recv_HASH: computed HASH(3)", my_hash, - hash_len - ISAKMP_GEN_SZ)); - if (memcmp(hash + ISAKMP_GEN_SZ, my_hash, hash_len - ISAKMP_GEN_SZ) - != 0) { - message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, 0, - 1, 0); - goto cleanup; - } - free(my_hash); - - /* Mark message as authenticated. */ - msg->flags |= MSG_AUTHENTICATED; - - post_quick_mode(msg); - - return 0; - -cleanup: - if (my_hash) - free(my_hash); - return -1; -} diff --git a/keyexchange/isakmpd-20041012/ike_quick_mode.h b/keyexchange/isakmpd-20041012/ike_quick_mode.h deleted file mode 100644 index 32b1523..0000000 --- a/keyexchange/isakmpd-20041012/ike_quick_mode.h +++ /dev/null @@ -1,40 +0,0 @@ -/* $OpenBSD: ike_quick_mode.h,v 1.6 2004/04/15 18:39:25 deraadt Exp $ */ -/* $EOM: ike_quick_mode.h,v 1.1 1998/08/02 20:22:44 niklas Exp $ */ - -/* - * Copyright (c) 1998, 2001 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _IKE_QUICK_MODE_H_ -#define _IKE_QUICK_MODE_H_ - -struct message; - -extern int (*ike_quick_mode_initiator[]) (struct message *); -extern int (*ike_quick_mode_responder[]) (struct message *); - -#endif /* _IKE_QUICK_MODE_H_ */ diff --git a/keyexchange/isakmpd-20041012/init.c b/keyexchange/isakmpd-20041012/init.c deleted file mode 100644 index 5ee6682..0000000 --- a/keyexchange/isakmpd-20041012/init.c +++ /dev/null @@ -1,158 +0,0 @@ -/* $OpenBSD: init.c,v 1.33 2004/09/17 13:46:34 ho Exp $ */ -/* $EOM: init.c,v 1.25 2000/03/30 14:27:24 ho Exp $ */ - -/* - * Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved. - * Copyright (c) 2000 Angelos D. Keromytis. All rights reserved. - * Copyright (c) 2003, 2004 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -/* XXX This file could easily be built dynamically instead. */ - -#include <stdlib.h> - -#include "sysdep.h" - -#include "app.h" -#include "cert.h" -#include "conf.h" -#include "connection.h" -#include "doi.h" -#include "exchange.h" -#include "init.h" -#include "ipsec.h" -#include "isakmp_doi.h" -#include "libcrypto.h" -#include "log.h" -#include "math_group.h" -#include "monitor.h" -#include "sa.h" -#include "timer.h" -#include "transport.h" -#include "virtual.h" -#include "udp.h" -#include "ui.h" -#include "util.h" - -#if defined (USE_POLICY) -#include "policy.h" -#endif - -#if defined (USE_NAT_TRAVERSAL) -#include "nat_traversal.h" -#include "udp_encap.h" -#endif - -void -init(void) -{ - app_init(); - doi_init(); - exchange_init(); - group_init(); - ipsec_init(); - isakmp_doi_init(); - message_init(); - libcrypto_init(); - - timer_init(); - - /* The following group are depending on timer_init having run. */ - conf_init(); - connection_init(); - - /* This depends on conf_init, thus check as soon as possible. */ - log_reinit(); - -#if defined (USE_POLICY) - /* policy_init depends on conf_init having run. */ - policy_init(); -#endif - - /* Depends on conf_init and policy_init having run */ - cert_init(); - crl_init(); - - sa_init(); - transport_init(); - virtual_init(); - udp_init(); -#if defined (USE_NAT_TRAVERSAL) - nat_t_init(); - udp_encap_init(); -#endif - monitor_ui_init(); -} - -/* Reinitialize, either after a SIGHUP reception or by FIFO UI cmd. */ -void -reinit(void) -{ - log_print("isakmpd: reinitializing daemon"); - - /* - * XXX Remove all(/some?) pending exchange timers? - they may not be - * possible to complete after we've re-read the config file. - * User-initiated SIGHUP's maybe "authorizes" a wait until - * next connection-check. - * XXX This means we discard exchange->last_msg, is this really ok? - */ - - /* Reinitialize PRNG if we are in deterministic mode. */ - if (regrand) - srandom(seed); - - /* Reread config file. */ - conf_reinit(); - - log_reinit(); - -#if defined (USE_POLICY) - /* Reread the policies. */ - policy_init(); -#endif - - /* Reinitialize certificates */ - cert_init(); - crl_init(); - - /* Reinitialize our connection list. */ - connection_reinit(); - - /* - * Rescan interfaces (call reinit() in all transports). - */ - transport_reinit(); - - /* - * XXX "These" (non-existent) reinitializations should not be done. - * cookie_reinit (); - * ui_reinit (); - */ - - sa_reinit(); -} diff --git a/keyexchange/isakmpd-20041012/init.h b/keyexchange/isakmpd-20041012/init.h deleted file mode 100644 index cbcd46a..0000000 --- a/keyexchange/isakmpd-20041012/init.h +++ /dev/null @@ -1,38 +0,0 @@ -/* $OpenBSD: init.h,v 1.6 2004/04/15 18:39:25 deraadt Exp $ */ -/* $EOM: init.h,v 1.2 1998/07/07 23:36:00 niklas Exp $ */ - -/* - * Copyright (c) 1998 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _INIT_H_ -#define _INIT_H_ - -extern void init(void); -extern void reinit(void); - -#endif /* _INIT_H_ */ diff --git a/keyexchange/isakmpd-20041012/ipsec.c b/keyexchange/isakmpd-20041012/ipsec.c deleted file mode 100644 index 46cb8d9..0000000 --- a/keyexchange/isakmpd-20041012/ipsec.c +++ /dev/null @@ -1,2523 +0,0 @@ -/* $OpenBSD: ipsec.c,v 1.104 2004/09/17 13:53:08 ho Exp $ */ -/* $EOM: ipsec.c,v 1.143 2000/12/11 23:57:42 niklas Exp $ */ - -/* - * Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. - * Copyright (c) 2001 Angelos D. Keromytis. All rights reserved. - * Copyright (c) 2001 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/types.h> -#include <sys/socket.h> -#include <netdb.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <stdlib.h> -#include <string.h> - -#include "sysdep.h" - -#include "attribute.h" -#include "conf.h" -#include "constants.h" -#include "crypto.h" -#include "dh.h" -#include "doi.h" -#if defined (USE_DPD) -#include "dpd.h" -#endif -#include "exchange.h" -#include "hash.h" -#include "ike_aggressive.h" -#include "ike_auth.h" -#include "ike_main_mode.h" -#include "ike_quick_mode.h" -#include "ipsec.h" -#include "ipsec_doi.h" -#include "isakmp.h" -#include "isakmp_cfg.h" -#include "isakmp_fld.h" -#include "isakmp_num.h" -#include "log.h" -#include "math_group.h" -#include "message.h" -#if defined (USE_NAT_TRAVERSAL) -#include "nat_traversal.h" -#endif -#include "prf.h" -#include "sa.h" -#include "timer.h" -#include "transport.h" -#include "util.h" -#ifdef USE_X509 -#include "x509.h" -#endif - -extern int acquire_only; - -/* Backwards compatibility. */ -#ifndef NI_MAXHOST -#define NI_MAXHOST 1025 -#endif - -/* The replay window size used for all IPsec protocols if not overridden. */ -#define DEFAULT_REPLAY_WINDOW 16 - -struct ipsec_decode_arg { - struct message *msg; - struct sa *sa; - struct proto *proto; -}; - -/* These variables hold the contacted peers ADT state. */ -struct contact { - struct sockaddr *addr; - socklen_t len; -} *contacts = 0; -int contact_cnt = 0, contact_limit = 0; - -static int addr_cmp(const void *, const void *); -static int ipsec_add_contact(struct message *); -static int ipsec_contacted(struct message *); -#ifdef USE_DEBUG -static int ipsec_debug_attribute(u_int16_t, u_int8_t *, u_int16_t, - void *); -#endif -static void ipsec_delete_spi(struct sa *, struct proto *, int); -static int16_t *ipsec_exchange_script(u_int8_t); -static void ipsec_finalize_exchange(struct message *); -static void ipsec_free_exchange_data(void *); -static void ipsec_free_proto_data(void *); -static void ipsec_free_sa_data(void *); -static struct keystate *ipsec_get_keystate(struct message *); -static u_int8_t *ipsec_get_spi(size_t *, u_int8_t, struct message *); -static int ipsec_handle_leftover_payload(struct message *, u_int8_t, - struct payload *); -static int ipsec_informational_post_hook(struct message *); -static int ipsec_informational_pre_hook(struct message *); -static int ipsec_initiator(struct message *); -static void ipsec_proto_init(struct proto *, char *); -static int ipsec_responder(struct message *); -static void ipsec_setup_situation(u_int8_t *); -static int ipsec_set_network(u_int8_t *, u_int8_t *, struct ipsec_sa *); -static size_t ipsec_situation_size(void); -static u_int8_t ipsec_spi_size(u_int8_t); -static int ipsec_validate_attribute(u_int16_t, u_int8_t *, u_int16_t, - void *); -static int ipsec_validate_exchange(u_int8_t); -static int ipsec_validate_id_information(u_int8_t, u_int8_t *, u_int8_t *, - size_t, struct exchange *); -static int ipsec_validate_key_information(u_int8_t *, size_t); -static int ipsec_validate_notification(u_int16_t); -static int ipsec_validate_proto(u_int8_t); -static int ipsec_validate_situation(u_int8_t *, size_t *, size_t); -static int ipsec_validate_transform_id(u_int8_t, u_int8_t); - -static struct doi ipsec_doi = { - {0}, IPSEC_DOI_IPSEC, - sizeof(struct ipsec_exch), sizeof(struct ipsec_sa), - sizeof(struct ipsec_proto), -#ifdef USE_DEBUG - ipsec_debug_attribute, -#endif - ipsec_delete_spi, - ipsec_exchange_script, - ipsec_finalize_exchange, - ipsec_free_exchange_data, - ipsec_free_proto_data, - ipsec_free_sa_data, - ipsec_get_keystate, - ipsec_get_spi, - ipsec_handle_leftover_payload, - ipsec_informational_post_hook, - ipsec_informational_pre_hook, - ipsec_is_attribute_incompatible, - ipsec_proto_init, - ipsec_setup_situation, - ipsec_situation_size, - ipsec_spi_size, - ipsec_validate_attribute, - ipsec_validate_exchange, - ipsec_validate_id_information, - ipsec_validate_key_information, - ipsec_validate_notification, - ipsec_validate_proto, - ipsec_validate_situation, - ipsec_validate_transform_id, - ipsec_initiator, - ipsec_responder, - ipsec_decode_ids -}; - -int16_t script_quick_mode[] = { - ISAKMP_PAYLOAD_HASH, /* Initiator -> responder. */ - ISAKMP_PAYLOAD_SA, - ISAKMP_PAYLOAD_NONCE, - EXCHANGE_SCRIPT_SWITCH, - ISAKMP_PAYLOAD_HASH, /* Responder -> initiator. */ - ISAKMP_PAYLOAD_SA, - ISAKMP_PAYLOAD_NONCE, - EXCHANGE_SCRIPT_SWITCH, - ISAKMP_PAYLOAD_HASH, /* Initiator -> responder. */ - EXCHANGE_SCRIPT_END -}; - -int16_t script_new_group_mode[] = { - ISAKMP_PAYLOAD_HASH, /* Initiator -> responder. */ - ISAKMP_PAYLOAD_SA, - EXCHANGE_SCRIPT_SWITCH, - ISAKMP_PAYLOAD_HASH, /* Responder -> initiator. */ - ISAKMP_PAYLOAD_SA, - EXCHANGE_SCRIPT_END -}; - -struct dst_spi_proto_arg { - struct sockaddr *dst; - u_int32_t spi; - u_int8_t proto; -}; - -/* - * Check if SA matches what we are asking for through V_ARG. It has to - * be a finished phase 2 SA. - * if "proto" arg is 0, match any proto - */ -static int -ipsec_sa_check(struct sa *sa, void *v_arg) -{ - struct dst_spi_proto_arg *arg = v_arg; - struct proto *proto; - struct sockaddr *dst, *src; - int incoming; - - if (sa->phase != 2 || !(sa->flags & SA_FLAG_READY)) - return 0; - - sa->transport->vtbl->get_dst(sa->transport, &dst); - if (memcmp(sockaddr_addrdata(dst), sockaddr_addrdata(arg->dst), - sockaddr_addrlen(dst)) == 0) - incoming = 0; - else { - sa->transport->vtbl->get_src(sa->transport, &src); - if (memcmp(sockaddr_addrdata(src), sockaddr_addrdata(arg->dst), - sockaddr_addrlen(src)) == 0) - incoming = 1; - else - return 0; - } - - for (proto = TAILQ_FIRST(&sa->protos); proto; - proto = TAILQ_NEXT(proto, link)) - if ((arg->proto == 0 || proto->proto == arg->proto) && - memcmp(proto->spi[incoming], &arg->spi, sizeof arg->spi) - == 0) - return 1; - return 0; -} - -/* Find an SA with a "name" of DST, SPI & PROTO. */ -struct sa * -ipsec_sa_lookup(struct sockaddr *dst, u_int32_t spi, u_int8_t proto) -{ - struct dst_spi_proto_arg arg; - - arg.dst = dst; - arg.spi = spi; - arg.proto = proto; - return sa_find(ipsec_sa_check, &arg); -} - -/* - * Check if SA matches the flow of another SA in V_ARG. It has to - * be a finished non-replaced phase 2 SA. - * XXX At some point other selectors will matter here too. - */ -static int -ipsec_sa_check_flow(struct sa *sa, void *v_arg) -{ - struct sa *sa2 = v_arg; - struct ipsec_sa *isa = sa->data, *isa2 = sa2->data; - - if (sa == sa2 || sa->phase != 2 || - (sa->flags & (SA_FLAG_READY | SA_FLAG_REPLACED)) != SA_FLAG_READY) - return 0; - - if (isa->tproto != isa2->tproto || isa->sport != isa2->sport || - isa->dport != isa2->dport) - return 0; - - return isa->src_net->sa_family == isa2->src_net->sa_family && - memcmp(sockaddr_addrdata(isa->src_net), - sockaddr_addrdata(isa2->src_net), - sockaddr_addrlen(isa->src_net)) == 0 && - memcmp(sockaddr_addrdata(isa->src_mask), - sockaddr_addrdata(isa2->src_mask), - sockaddr_addrlen(isa->src_mask)) == 0 && - memcmp(sockaddr_addrdata(isa->dst_net), - sockaddr_addrdata(isa2->dst_net), - sockaddr_addrlen(isa->dst_net)) == 0 && - memcmp(sockaddr_addrdata(isa->dst_mask), - sockaddr_addrdata(isa2->dst_mask), - sockaddr_addrlen(isa->dst_mask)) == 0; -} - -/* - * Do IPsec DOI specific finalizations task for the exchange where MSG was - * the final message. - */ -static void -ipsec_finalize_exchange(struct message *msg) -{ - struct sa *isakmp_sa = msg->isakmp_sa; - struct ipsec_sa *isa; - struct exchange *exchange = msg->exchange; - struct ipsec_exch *ie = exchange->data; - struct sa *sa = 0, *old_sa; - struct proto *proto, *last_proto = 0; -#ifdef USE_DEBUG - char *addr1, *addr2, *mask1, *mask2; -#endif - - switch (exchange->phase) { - case 1: - switch (exchange->type) { - case ISAKMP_EXCH_ID_PROT: - case ISAKMP_EXCH_AGGRESSIVE: - isa = isakmp_sa->data; - isa->hash = ie->hash->type; - isa->prf_type = ie->prf_type; - isa->skeyid_len = ie->skeyid_len; - isa->skeyid_d = ie->skeyid_d; - isa->skeyid_a = ie->skeyid_a; - /* Prevents early free of SKEYID_*. */ - ie->skeyid_a = ie->skeyid_d = 0; - - /* - * If a lifetime was negotiated setup the expiration - * timers. - */ - if (isakmp_sa->seconds) - sa_setup_expirations(isakmp_sa); - -#if defined (USE_NAT_TRAVERSAL) - if (isakmp_sa->flags & SA_FLAG_NAT_T_KEEPALIVE) - nat_t_setup_keepalive(isakmp_sa); -#endif - break; - } - break; - - case 2: - switch (exchange->type) { - case IKE_EXCH_QUICK_MODE: - /* - * Tell the application(s) about the SPIs and key - * material. - */ - for (sa = TAILQ_FIRST(&exchange->sa_list); sa; - sa = TAILQ_NEXT(sa, next)) { - isa = sa->data; - - if (exchange->initiator) { - /* - * Initiator is source, responder is - * destination. - */ - if (ipsec_set_network(ie->id_ci, - ie->id_cr, isa)) { - log_print( - "ipsec_finalize_exchange: " - "ipsec_set_network " - "failed"); - return; - } - } else { - /* - * Responder is source, initiator is - * destination. - */ - if (ipsec_set_network(ie->id_cr, - ie->id_ci, isa)) { - log_print( - "ipsec_finalize_exchange: " - "ipsec_set_network " - "failed"); - return; - } - } - - for (proto = TAILQ_FIRST(&sa->protos), - last_proto = 0; proto; - proto = TAILQ_NEXT(proto, link)) { - if (sysdep_ipsec_set_spi(sa, proto, - 0, isakmp_sa) || - (last_proto && - sysdep_ipsec_group_spis(sa, - last_proto, proto, 0)) || - sysdep_ipsec_set_spi(sa, proto, - 1, isakmp_sa) || - (last_proto && - sysdep_ipsec_group_spis(sa, - last_proto, proto, 1))) - /* - * XXX Tear down this - * exchange. - */ - return; - last_proto = proto; - } - -#ifdef USE_DEBUG - if (sockaddr2text(isa->src_net, &addr1, 0)) - addr1 = 0; - if (sockaddr2text(isa->src_mask, &mask1, 0)) - mask1 = 0; - if (sockaddr2text(isa->dst_net, &addr2, 0)) - addr2 = 0; - if (sockaddr2text(isa->dst_mask, &mask2, 0)) - mask2 = 0; - - LOG_DBG((LOG_EXCHANGE, 50, - "ipsec_finalize_exchange: src %s %s " - "dst %s %s tproto %u sport %u dport %u", - addr1 ? addr1 : "<??\?>", - mask1 ? mask1 : "<??\?>", - addr2 ? addr2 : "<??\?>", - mask2 ? mask2 : "<??\?>", - isa->tproto, ntohs(isa->sport), - ntohs(isa->dport))); - - if (addr1) - free(addr1); - if (mask1) - free(mask1); - if (addr2) - free(addr2); - if (mask2) - free(mask2); - -#endif /* USE_DEBUG */ - - /* - * If this is not an SA acquired by the - * kernel, it needs to have a SPD entry - * (a.k.a. flow) set up. - */ - if (!(sa->flags & SA_FLAG_ONDEMAND || - conf_get_str("General", "Acquire-Only") - || acquire_only) - && sysdep_ipsec_enable_sa(sa, isakmp_sa)) - /* XXX Tear down this exchange. */ - return; - - /* - * Mark elder SAs with the same flow - * information as replaced. - */ - while ((old_sa = sa_find(ipsec_sa_check_flow, - sa)) != 0) - sa_mark_replaced(old_sa); - } - break; - } - } -} - -/* Set the client addresses in ISA from SRC_ID and DST_ID. */ -static int -ipsec_set_network(u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa) -{ - int id; - - /* Set source address/mask. */ - id = GET_ISAKMP_ID_TYPE(src_id); - switch (id) { - case IPSEC_ID_IPV4_ADDR: - case IPSEC_ID_IPV4_ADDR_SUBNET: - isa->src_net = (struct sockaddr *)calloc(1, - sizeof(struct sockaddr_in)); - if (!isa->src_net) - goto memfail; - isa->src_net->sa_family = AF_INET; -#ifndef USE_OLD_SOCKADDR - isa->src_net->sa_len = sizeof(struct sockaddr_in); -#endif - - isa->src_mask = (struct sockaddr *)calloc(1, - sizeof(struct sockaddr_in)); - if (!isa->src_mask) - goto memfail; - isa->src_mask->sa_family = AF_INET; -#ifndef USE_OLD_SOCKADDR - isa->src_mask->sa_len = sizeof(struct sockaddr_in); -#endif - break; - - case IPSEC_ID_IPV6_ADDR: - case IPSEC_ID_IPV6_ADDR_SUBNET: - isa->src_net = (struct sockaddr *)calloc(1, - sizeof(struct sockaddr_in6)); - if (!isa->src_net) - goto memfail; - isa->src_net->sa_family = AF_INET6; -#ifndef USE_OLD_SOCKADDR - isa->src_net->sa_len = sizeof(struct sockaddr_in6); -#endif - - isa->src_mask = (struct sockaddr *)calloc(1, - sizeof(struct sockaddr_in6)); - if (!isa->src_mask) - goto memfail; - isa->src_mask->sa_family = AF_INET6; -#ifndef USE_OLD_SOCKADDR - isa->src_mask->sa_len = sizeof(struct sockaddr_in6); -#endif - break; - - case IPSEC_ID_IPV4_RANGE: - case IPSEC_ID_IPV6_RANGE: - case IPSEC_ID_DER_ASN1_DN: - case IPSEC_ID_DER_ASN1_GN: - case IPSEC_ID_KEY_ID: - default: - log_print("ipsec_set_network: ID type %d (%s) not supported", - id, constant_name(ipsec_id_cst, id)); - return -1; - } - - /* Net */ - memcpy(sockaddr_addrdata(isa->src_net), src_id + ISAKMP_ID_DATA_OFF, - sockaddr_addrlen(isa->src_net)); - - /* Mask */ - switch (id) { - case IPSEC_ID_IPV4_ADDR: - case IPSEC_ID_IPV6_ADDR: - memset(sockaddr_addrdata(isa->src_mask), 0xff, - sockaddr_addrlen(isa->src_mask)); - break; - case IPSEC_ID_IPV4_ADDR_SUBNET: - case IPSEC_ID_IPV6_ADDR_SUBNET: - memcpy(sockaddr_addrdata(isa->src_mask), src_id + - ISAKMP_ID_DATA_OFF + sockaddr_addrlen(isa->src_net), - sockaddr_addrlen(isa->src_mask)); - break; - } - - memcpy(&isa->sport, - src_id + ISAKMP_ID_DOI_DATA_OFF + IPSEC_ID_PORT_OFF, - IPSEC_ID_PORT_LEN); - - /* Set destination address. */ - id = GET_ISAKMP_ID_TYPE(dst_id); - switch (id) { - case IPSEC_ID_IPV4_ADDR: - case IPSEC_ID_IPV4_ADDR_SUBNET: - isa->dst_net = (struct sockaddr *)calloc(1, - sizeof(struct sockaddr_in)); - if (!isa->dst_net) - goto memfail; - isa->dst_net->sa_family = AF_INET; -#ifndef USE_OLD_SOCKADDR - isa->dst_net->sa_len = sizeof(struct sockaddr_in); -#endif - - isa->dst_mask = (struct sockaddr *)calloc(1, - sizeof(struct sockaddr_in)); - if (!isa->dst_mask) - goto memfail; - isa->dst_mask->sa_family = AF_INET; -#ifndef USE_OLD_SOCKADDR - isa->dst_mask->sa_len = sizeof(struct sockaddr_in); -#endif - break; - - case IPSEC_ID_IPV6_ADDR: - case IPSEC_ID_IPV6_ADDR_SUBNET: - isa->dst_net = (struct sockaddr *)calloc(1, - sizeof(struct sockaddr_in6)); - if (!isa->dst_net) - goto memfail; - isa->dst_net->sa_family = AF_INET6; -#ifndef USE_OLD_SOCKADDR - isa->dst_net->sa_len = sizeof(struct sockaddr_in6); -#endif - - isa->dst_mask = (struct sockaddr *)calloc(1, - sizeof(struct sockaddr_in6)); - if (!isa->dst_mask) - goto memfail; - isa->dst_mask->sa_family = AF_INET6; -#ifndef USE_OLD_SOCKADDR - isa->dst_mask->sa_len = sizeof(struct sockaddr_in6); -#endif - break; - } - - /* Net */ - memcpy(sockaddr_addrdata(isa->dst_net), dst_id + ISAKMP_ID_DATA_OFF, - sockaddr_addrlen(isa->dst_net)); - - /* Mask */ - switch (id) { - case IPSEC_ID_IPV4_ADDR: - case IPSEC_ID_IPV6_ADDR: - memset(sockaddr_addrdata(isa->dst_mask), 0xff, - sockaddr_addrlen(isa->dst_mask)); - break; - case IPSEC_ID_IPV4_ADDR_SUBNET: - case IPSEC_ID_IPV6_ADDR_SUBNET: - memcpy(sockaddr_addrdata(isa->dst_mask), dst_id + - ISAKMP_ID_DATA_OFF + sockaddr_addrlen(isa->dst_net), - sockaddr_addrlen(isa->dst_mask)); - break; - } - - memcpy(&isa->tproto, dst_id + ISAKMP_ID_DOI_DATA_OFF + - IPSEC_ID_PROTO_OFF, IPSEC_ID_PROTO_LEN); - memcpy(&isa->dport, - dst_id + ISAKMP_ID_DOI_DATA_OFF + IPSEC_ID_PORT_OFF, - IPSEC_ID_PORT_LEN); - return 0; - -memfail: - log_error("ipsec_set_network: calloc () failed"); - return -1; -} - -/* Free the DOI-specific exchange data pointed to by VIE. */ -static void -ipsec_free_exchange_data(void *vie) -{ - struct ipsec_exch *ie = vie; -#ifdef USE_ISAKMP_CFG - struct isakmp_cfg_attr *attr; -#endif - - if (ie->sa_i_b) - free(ie->sa_i_b); - if (ie->id_ci) - free(ie->id_ci); - if (ie->id_cr) - free(ie->id_cr); - if (ie->g_xi) - free(ie->g_xi); - if (ie->g_xr) - free(ie->g_xr); - if (ie->g_xy) - free(ie->g_xy); - if (ie->skeyid) - free(ie->skeyid); - if (ie->skeyid_d) - free(ie->skeyid_d); - if (ie->skeyid_a) - free(ie->skeyid_a); - if (ie->skeyid_e) - free(ie->skeyid_e); - if (ie->hash_i) - free(ie->hash_i); - if (ie->hash_r) - free(ie->hash_r); - if (ie->group) - group_free(ie->group); -#ifdef USE_ISAKMP_CFG - for (attr = LIST_FIRST(&ie->attrs); attr; - attr = LIST_FIRST(&ie->attrs)) { - LIST_REMOVE(attr, link); - if (attr->length) - free(attr->value); - free(attr); - } -#endif -} - -/* Free the DOI-specific SA data pointed to by VISA. */ -static void -ipsec_free_sa_data(void *visa) -{ - struct ipsec_sa *isa = visa; - - if (isa->src_net) - free(isa->src_net); - if (isa->src_mask) - free(isa->src_mask); - if (isa->dst_net) - free(isa->dst_net); - if (isa->dst_mask) - free(isa->dst_mask); - if (isa->skeyid_a) - free(isa->skeyid_a); - if (isa->skeyid_d) - free(isa->skeyid_d); -} - -/* Free the DOI-specific protocol data of an SA pointed to by VIPROTO. */ -static void -ipsec_free_proto_data(void *viproto) -{ - struct ipsec_proto *iproto = viproto; - int i; - - for (i = 0; i < 2; i++) - if (iproto->keymat[i]) - free(iproto->keymat[i]); -} - -/* Return exchange script based on TYPE. */ -static int16_t * -ipsec_exchange_script(u_int8_t type) -{ - switch (type) { -#ifdef USE_ISAKMP_CFG - case ISAKMP_EXCH_TRANSACTION: - return script_transaction; -#endif - case IKE_EXCH_QUICK_MODE: - return script_quick_mode; - case IKE_EXCH_NEW_GROUP_MODE: - return script_new_group_mode; - } - return 0; -} - -/* Initialize this DOI, requires doi_init to already have been called. */ -void -ipsec_init(void) -{ - doi_register(&ipsec_doi); -} - -/* Given a message MSG, return a suitable IV (or rather keystate). */ -static struct keystate * -ipsec_get_keystate(struct message *msg) -{ - struct keystate *ks; - struct hash *hash; - - /* If we have already have an IV, use it. */ - if (msg->exchange && msg->exchange->keystate) { - ks = malloc(sizeof *ks); - if (!ks) { - log_error("ipsec_get_keystate: malloc (%lu) failed", - (unsigned long) sizeof *ks); - return 0; - } - memcpy(ks, msg->exchange->keystate, sizeof *ks); - return ks; - } - /* - * For phase 2 when no SA yet is setup we need to hash the IV used by - * the ISAKMP SA concatenated with the message ID, and use that as an - * IV for further cryptographic operations. - */ - if (!msg->isakmp_sa->keystate) { - log_print("ipsec_get_keystate: no keystate in ISAKMP SA %p", - msg->isakmp_sa); - return 0; - } - ks = crypto_clone_keystate(msg->isakmp_sa->keystate); - if (!ks) - return 0; - - hash = hash_get(((struct ipsec_sa *)msg->isakmp_sa->data)->hash); - hash->Init(hash->ctx); - LOG_DBG_BUF((LOG_CRYPTO, 80, "ipsec_get_keystate: final phase 1 IV", - ks->riv, ks->xf->blocksize)); - hash->Update(hash->ctx, ks->riv, ks->xf->blocksize); - LOG_DBG_BUF((LOG_CRYPTO, 80, "ipsec_get_keystate: message ID", - ((u_int8_t *) msg->iov[0].iov_base) + ISAKMP_HDR_MESSAGE_ID_OFF, - ISAKMP_HDR_MESSAGE_ID_LEN)); - hash->Update(hash->ctx, ((u_int8_t *) msg->iov[0].iov_base) + - ISAKMP_HDR_MESSAGE_ID_OFF, ISAKMP_HDR_MESSAGE_ID_LEN); - hash->Final(hash->digest, hash->ctx); - crypto_init_iv(ks, hash->digest, ks->xf->blocksize); - LOG_DBG_BUF((LOG_CRYPTO, 80, "ipsec_get_keystate: phase 2 IV", - hash->digest, ks->xf->blocksize)); - return ks; -} - -static void -ipsec_setup_situation(u_int8_t *buf) -{ - SET_IPSEC_SIT_SIT(buf + ISAKMP_SA_SIT_OFF, IPSEC_SIT_IDENTITY_ONLY); -} - -static size_t -ipsec_situation_size(void) -{ - return IPSEC_SIT_SIT_LEN; -} - -static u_int8_t -ipsec_spi_size(u_int8_t proto) -{ - return IPSEC_SPI_SIZE; -} - -static int -ipsec_validate_attribute(u_int16_t type, u_int8_t * value, u_int16_t len, - void *vmsg) -{ - struct message *msg = vmsg; - - if ((msg->exchange->phase == 1 - && (type < IKE_ATTR_ENCRYPTION_ALGORITHM - || type > IKE_ATTR_GROUP_ORDER)) - || (msg->exchange->phase == 2 - && (type < IPSEC_ATTR_SA_LIFE_TYPE - || type > IPSEC_ATTR_ECN_TUNNEL))) - return -1; - return 0; -} - -static int -ipsec_validate_exchange(u_int8_t exch) -{ - return exch != IKE_EXCH_QUICK_MODE && exch != IKE_EXCH_NEW_GROUP_MODE; -} - -static int -ipsec_validate_id_information(u_int8_t type, u_int8_t *extra, u_int8_t *buf, - size_t sz, struct exchange *exchange) -{ - u_int8_t proto = GET_IPSEC_ID_PROTO(extra); - u_int16_t port = GET_IPSEC_ID_PORT(extra); - - LOG_DBG((LOG_MESSAGE, 40, - "ipsec_validate_id_information: proto %d port %d type %d", - proto, port, type)); - if (type < IPSEC_ID_IPV4_ADDR || type > IPSEC_ID_KEY_ID) - return -1; - - switch (type) { - case IPSEC_ID_IPV4_ADDR: - LOG_DBG_BUF((LOG_MESSAGE, 40, - "ipsec_validate_id_information: IPv4", buf, - sizeof(struct in_addr))); - break; - - case IPSEC_ID_IPV6_ADDR: - LOG_DBG_BUF((LOG_MESSAGE, 40, - "ipsec_validate_id_information: IPv6", buf, - sizeof(struct in6_addr))); - break; - - case IPSEC_ID_IPV4_ADDR_SUBNET: - LOG_DBG_BUF((LOG_MESSAGE, 40, - "ipsec_validate_id_information: IPv4 network/netmask", - buf, 2 * sizeof(struct in_addr))); - break; - - case IPSEC_ID_IPV6_ADDR_SUBNET: - LOG_DBG_BUF((LOG_MESSAGE, 40, - "ipsec_validate_id_information: IPv6 network/netmask", - buf, 2 * sizeof(struct in6_addr))); - break; - - default: - break; - } - - if (exchange->phase == 1 - && (proto != IPPROTO_UDP || port != UDP_DEFAULT_PORT) - && (proto != 0 || port != 0)) { - /* - * XXX SSH's ISAKMP tester fails this test (proto 17 - port - * 0). - */ -#ifdef notyet - return -1; -#else - log_print("ipsec_validate_id_information: dubious ID " - "information accepted"); -#endif - } - /* XXX More checks? */ - - return 0; -} - -static int -ipsec_validate_key_information(u_int8_t *buf, size_t sz) -{ - /* XXX Not implemented yet. */ - return 0; -} - -static int -ipsec_validate_notification(u_int16_t type) -{ - return type < IPSEC_NOTIFY_RESPONDER_LIFETIME - || type > IPSEC_NOTIFY_INITIAL_CONTACT ? -1 : 0; -} - -static int -ipsec_validate_proto(u_int8_t proto) -{ - return proto < IPSEC_PROTO_IPSEC_AH - || proto > IPSEC_PROTO_IPCOMP ? -1 : 0; -} - -static int -ipsec_validate_situation(u_int8_t *buf, size_t *sz, size_t len) -{ - if (len < IPSEC_SIT_SIT_OFF + IPSEC_SIT_SIT_LEN) { - log_print("ipsec_validate_situation: payload too short: %u", - (unsigned int) len); - return -1; - } - /* Currently only "identity only" situations are supported. */ - if (GET_IPSEC_SIT_SIT(buf) != IPSEC_SIT_IDENTITY_ONLY) - return 1; - - *sz = IPSEC_SIT_SIT_LEN; - - return 0; -} - -static int -ipsec_validate_transform_id(u_int8_t proto, u_int8_t transform_id) -{ - switch (proto) { - /* - * As no unexpected protocols can occur, we just tie the - * default case to the first case, in orer to silence a GCC - * warning. - */ - default: - case ISAKMP_PROTO_ISAKMP: - return transform_id != IPSEC_TRANSFORM_KEY_IKE; - case IPSEC_PROTO_IPSEC_AH: - return transform_id < IPSEC_AH_MD5 - || transform_id > IPSEC_AH_DES ? -1 : 0; - case IPSEC_PROTO_IPSEC_ESP: - return transform_id < IPSEC_ESP_DES_IV64 - || (transform_id > IPSEC_ESP_AES_128_CTR - && transform_id < IPSEC_ESP_AES_MARS) - || transform_id > IPSEC_ESP_AES_TWOFISH ? -1 : 0; - case IPSEC_PROTO_IPCOMP: - return transform_id < IPSEC_IPCOMP_OUI - || transform_id > IPSEC_IPCOMP_V42BIS ? -1 : 0; - } -} - -static int -ipsec_initiator(struct message *msg) -{ - struct exchange *exchange = msg->exchange; - int (**script)(struct message *) = 0; - - /* Check that the SA is coherent with the IKE rules. */ - if (exchange->type != ISAKMP_EXCH_TRANSACTION - && ((exchange->phase == 1 && - exchange->type != ISAKMP_EXCH_ID_PROT && - exchange->type != ISAKMP_EXCH_AGGRESSIVE && - exchange->type != ISAKMP_EXCH_INFO) - || (exchange->phase == 2 && - exchange->type != IKE_EXCH_QUICK_MODE && - exchange->type != ISAKMP_EXCH_INFO))) { - log_print("ipsec_initiator: unsupported exchange type %d " - "in phase %d", exchange->type, exchange->phase); - return -1; - } - switch (exchange->type) { - case ISAKMP_EXCH_ID_PROT: - script = ike_main_mode_initiator; - break; -#ifdef USE_AGGRESSIVE - case ISAKMP_EXCH_AGGRESSIVE: - script = ike_aggressive_initiator; - break; -#endif -#ifdef USE_ISAKMP_CFG - case ISAKMP_EXCH_TRANSACTION: - script = isakmp_cfg_initiator; - break; -#endif - case ISAKMP_EXCH_INFO: - return message_send_info(msg); - case IKE_EXCH_QUICK_MODE: - script = ike_quick_mode_initiator; - break; - default: - log_print("ipsec_initiator: unsupported exchange type %d", - exchange->type); - return -1; - } - - /* Run the script code for this step. */ - if (script) - return script[exchange->step] (msg); - - return 0; -} - -/* - * delete all SA's from addr with the associated proto and SPI's - * - * spis[] is an array of SPIs of size 16-octet for proto ISAKMP - * or 4-octet otherwise. - */ -static void -ipsec_delete_spi_list(struct sockaddr *addr, u_int8_t proto, u_int8_t *spis, - int nspis, char *type) -{ - struct sa *sa; - int i; - - for (i = 0; i < nspis; i++) { - if (proto == ISAKMP_PROTO_ISAKMP) { - u_int8_t *spi = spis + i * ISAKMP_HDR_COOKIES_LEN; - - /* - * This really shouldn't happen in IPSEC DOI - * code, but Cisco VPN 3000 sends ISAKMP DELETE's - * this way. - */ - sa = sa_lookup_isakmp_sa(addr, spi); - } else { - u_int32_t spi = ((u_int32_t *)spis)[i]; - - sa = ipsec_sa_lookup(addr, spi, proto); - } - - if (sa == NULL) { - LOG_DBG((LOG_SA, 30, "ipsec_delete_spi_list: could " - "not locate SA (SPI %08x, proto %u)", - ((u_int32_t *)spis)[i], proto)); - continue; - } - /* Delete the SA and search for the next */ - LOG_DBG((LOG_SA, 30, "ipsec_delete_spi_list: " - "%s made us delete SA %p (%d references) for proto %d", - type, sa, sa->refcnt, proto)); - - sa_free(sa); - } -} - -/* - * deal with a NOTIFY of INVALID_SPI - */ -static void -ipsec_invalid_spi (struct message *msg, struct payload *p) -{ - struct sockaddr *dst; - int invspisz, off; - u_int32_t spi; - u_int16_t totsiz; - u_int8_t spisz; - - /* Any notification that make us do something should be protected */ - if(!TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_HASH])) - { - LOG_DBG ((LOG_SA, 40, - "ipsec_invalid_spi: missing HASH payload in INVALID_SPI" - " notification")); - return; - } - - /* - * get the invalid spi out of the variable sized notification data - * field, which is after the variable sized SPI field [which specifies - * the receiving entity's phase-1 SPI, not the invalid spi] - */ - totsiz = GET_ISAKMP_GEN_LENGTH (p->p); - spisz = GET_ISAKMP_NOTIFY_SPI_SZ (p->p); - off = ISAKMP_NOTIFY_SPI_OFF + spisz; - invspisz = totsiz - off; - - if (invspisz != sizeof spi) - { - LOG_DBG ((LOG_SA, 40, - "ipsec_invalid_spi: SPI size %d in INVALID_SPI " - "payload unsupported", spisz)); - return; - } - memcpy (&spi, p->p + off, sizeof spi); - - msg->transport->vtbl->get_dst (msg->transport, &dst); - - /* delete matching SPI's from this peer */ - ipsec_delete_spi_list (dst, 0, (u_int8_t *)&spi, 1, "INVALID_SPI"); -} - -static int -ipsec_responder(struct message *msg) -{ - struct exchange *exchange = msg->exchange; - int (**script)(struct message *) = 0; - struct payload *p; - u_int16_t type; - - /* Check that a new exchange is coherent with the IKE rules. */ - if (exchange->step == 0 && exchange->type != ISAKMP_EXCH_TRANSACTION - && ((exchange->phase == 1 && - exchange->type != ISAKMP_EXCH_ID_PROT && - exchange->type != ISAKMP_EXCH_AGGRESSIVE && - exchange->type != ISAKMP_EXCH_INFO) - || (exchange->phase == 2 && - exchange->type != IKE_EXCH_QUICK_MODE && - exchange->type != ISAKMP_EXCH_INFO))) { - message_drop(msg, ISAKMP_NOTIFY_UNSUPPORTED_EXCHANGE_TYPE, - 0, 1, 0); - return -1; - } - LOG_DBG((LOG_MISC, 30, "ipsec_responder: phase %d exchange %d step %d", - exchange->phase, exchange->type, exchange->step)); - switch (exchange->type) { - case ISAKMP_EXCH_ID_PROT: - script = ike_main_mode_responder; - break; -#ifdef USE_AGGRESSIVE - case ISAKMP_EXCH_AGGRESSIVE: - script = ike_aggressive_responder; - break; -#endif -#ifdef USE_ISAKMP_CFG - case ISAKMP_EXCH_TRANSACTION: - script = isakmp_cfg_responder; - break; -#endif - case ISAKMP_EXCH_INFO: - for (p = payload_first(msg, ISAKMP_PAYLOAD_NOTIFY); p; - p = TAILQ_NEXT(p, link)) { - type = GET_ISAKMP_NOTIFY_MSG_TYPE(p->p); - LOG_DBG((LOG_EXCHANGE, 10, - "ipsec_responder: got NOTIFY of type %s", - constant_name(isakmp_notify_cst, type))); - - switch (type) { - case IPSEC_NOTIFY_INITIAL_CONTACT: - /* Handled by leftover logic. */ - break; - -#if defined (USE_DPD) - case ISAKMP_NOTIFY_STATUS_DPD_R_U_THERE: - case ISAKMP_NOTIFY_STATUS_DPD_R_U_THERE_ACK: - dpd_handle_notify(msg, p); - break; -#endif - - default: - p->flags |= PL_MARK; - break; - } - } - - /* - * If any DELETEs are in here, let the logic of leftover - * payloads deal with them. - */ - return 0; - - case IKE_EXCH_QUICK_MODE: - script = ike_quick_mode_responder; - break; - - default: - message_drop(msg, ISAKMP_NOTIFY_UNSUPPORTED_EXCHANGE_TYPE, - 0, 1, 0); - return -1; - } - - /* Run the script code for this step. */ - if (script) - return script[exchange->step] (msg); - - /* - * XXX So far we don't accept any proposals for exchanges we don't - * support. - */ - if (payload_first(msg, ISAKMP_PAYLOAD_SA)) { - message_drop(msg, ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0); - return -1; - } - return 0; -} - -static enum hashes -from_ike_hash(u_int16_t hash) -{ - switch (hash) { - case IKE_HASH_MD5: - return HASH_MD5; - case IKE_HASH_SHA: - return HASH_SHA1; - } - return -1; -} - -static enum transform -from_ike_crypto(u_int16_t crypto) -{ - /* Coincidentally this is the null operation :-) */ - return crypto; -} - -/* - * Find out whether the attribute of type TYPE with a LEN length value - * pointed to by VALUE is incompatible with what we can handle. - * VMSG is a pointer to the current message. - */ -int -ipsec_is_attribute_incompatible(u_int16_t type, u_int8_t *value, u_int16_t len, - void *vmsg) -{ - struct message *msg = vmsg; - u_int16_t dv = decode_16(value); - - if (msg->exchange->phase == 1) { - switch (type) { - case IKE_ATTR_ENCRYPTION_ALGORITHM: - return !crypto_get(from_ike_crypto(dv)); - case IKE_ATTR_HASH_ALGORITHM: - return !hash_get(from_ike_hash(dv)); - case IKE_ATTR_AUTHENTICATION_METHOD: - return !ike_auth_get(dv); - case IKE_ATTR_GROUP_DESCRIPTION: - return (dv < IKE_GROUP_DESC_MODP_768 - || dv > IKE_GROUP_DESC_MODP_1536) - && (dv < IKE_GROUP_DESC_MODP_2048 - || dv > IKE_GROUP_DESC_MODP_8192); - case IKE_ATTR_GROUP_TYPE: - return 1; - case IKE_ATTR_GROUP_PRIME: - return 1; - case IKE_ATTR_GROUP_GENERATOR_1: - return 1; - case IKE_ATTR_GROUP_GENERATOR_2: - return 1; - case IKE_ATTR_GROUP_CURVE_A: - return 1; - case IKE_ATTR_GROUP_CURVE_B: - return 1; - case IKE_ATTR_LIFE_TYPE: - return dv < IKE_DURATION_SECONDS - || dv > IKE_DURATION_KILOBYTES; - case IKE_ATTR_LIFE_DURATION: - return len != 2 && len != 4; - case IKE_ATTR_PRF: - return 1; - case IKE_ATTR_KEY_LENGTH: - /* - * Our crypto routines only allows key-lengths which - * are multiples of an octet. - */ - return dv % 8 != 0; - case IKE_ATTR_FIELD_SIZE: - return 1; - case IKE_ATTR_GROUP_ORDER: - return 1; - } - } else { - switch (type) { - case IPSEC_ATTR_SA_LIFE_TYPE: - return dv < IPSEC_DURATION_SECONDS - || dv > IPSEC_DURATION_KILOBYTES; - case IPSEC_ATTR_SA_LIFE_DURATION: - return len != 2 && len != 4; - case IPSEC_ATTR_GROUP_DESCRIPTION: - return (dv < IKE_GROUP_DESC_MODP_768 - || dv > IKE_GROUP_DESC_MODP_1536) - && (dv < IKE_GROUP_DESC_MODP_2048 - || IKE_GROUP_DESC_MODP_8192 < dv); - case IPSEC_ATTR_ENCAPSULATION_MODE: -#if defined (USE_NAT_TRAVERSAL) - return dv != IPSEC_ENCAP_TUNNEL - && dv != IPSEC_ENCAP_TRANSPORT - && dv != IPSEC_ENCAP_UDP_ENCAP_TUNNEL - && dv != IPSEC_ENCAP_UDP_ENCAP_TRANSPORT - && dv != IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT - && dv != IPSEC_ENCAP_UDP_ENCAP_TRANSPORT_DRAFT; -#else - return dv < IPSEC_ENCAP_TUNNEL - || dv > IPSEC_ENCAP_TRANSPORT; -#endif /* USE_NAT_TRAVERSAL */ - case IPSEC_ATTR_AUTHENTICATION_ALGORITHM: - return dv < IPSEC_AUTH_HMAC_MD5 - || dv > IPSEC_AUTH_HMAC_RIPEMD; - case IPSEC_ATTR_KEY_LENGTH: - /* - * XXX Blowfish needs '0'. Others appear to disregard - * this attr? - */ - return 0; - case IPSEC_ATTR_KEY_ROUNDS: - return 1; - case IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE: - return 1; - case IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM: - return 1; - case IPSEC_ATTR_ECN_TUNNEL: - return 1; - } - } - /* XXX Silence gcc. */ - return 1; -} - -#ifdef USE_DEBUG -/* - * Log the attribute of TYPE with a LEN length value pointed to by VALUE - * in human-readable form. VMSG is a pointer to the current message. - */ -int -ipsec_debug_attribute(u_int16_t type, u_int8_t *value, u_int16_t len, - void *vmsg) -{ - struct message *msg = vmsg; - char val[20]; - - /* XXX Transient solution. */ - if (len == 2) - snprintf(val, sizeof val, "%d", decode_16(value)); - else if (len == 4) - snprintf(val, sizeof val, "%d", decode_32(value)); - else - snprintf(val, sizeof val, "unrepresentable"); - - LOG_DBG((LOG_MESSAGE, 50, "Attribute %s value %s", - constant_name(msg->exchange->phase == 1 ? ike_attr_cst : - ipsec_attr_cst, type), val)); - return 0; -} -#endif - -/* - * Decode the attribute of type TYPE with a LEN length value pointed to by - * VALUE. VIDA is a pointer to a context structure where we can find the - * current message, SA and protocol. - */ -int -ipsec_decode_attribute(u_int16_t type, u_int8_t *value, u_int16_t len, - void *vida) -{ - struct ipsec_decode_arg *ida = vida; - struct message *msg = ida->msg; - struct sa *sa = ida->sa; - struct ipsec_sa *isa = sa->data; - struct proto *proto = ida->proto; - struct ipsec_proto *iproto = proto->data; - struct exchange *exchange = msg->exchange; - struct ipsec_exch *ie = exchange->data; - static int lifetype = 0; - - if (exchange->phase == 1) { - switch (type) { - case IKE_ATTR_ENCRYPTION_ALGORITHM: - /* XXX Errors possible? */ - exchange->crypto = crypto_get(from_ike_crypto( - decode_16(value))); - break; - case IKE_ATTR_HASH_ALGORITHM: - /* XXX Errors possible? */ - ie->hash = hash_get(from_ike_hash(decode_16(value))); - break; - case IKE_ATTR_AUTHENTICATION_METHOD: - /* XXX Errors possible? */ - ie->ike_auth = ike_auth_get(decode_16(value)); - break; - case IKE_ATTR_GROUP_DESCRIPTION: - isa->group_desc = decode_16(value); - break; - case IKE_ATTR_GROUP_TYPE: - break; - case IKE_ATTR_GROUP_PRIME: - break; - case IKE_ATTR_GROUP_GENERATOR_1: - break; - case IKE_ATTR_GROUP_GENERATOR_2: - break; - case IKE_ATTR_GROUP_CURVE_A: - break; - case IKE_ATTR_GROUP_CURVE_B: - break; - case IKE_ATTR_LIFE_TYPE: - lifetype = decode_16(value); - return 0; - case IKE_ATTR_LIFE_DURATION: - switch (lifetype) { - case IKE_DURATION_SECONDS: - switch (len) { - case 2: - sa->seconds = decode_16(value); - break; - case 4: - sa->seconds = decode_32(value); - break; - default: - log_print("ipsec_decode_attribute: " - "unreasonable lifetime"); - } - break; - case IKE_DURATION_KILOBYTES: - switch (len) { - case 2: - sa->kilobytes = decode_16(value); - break; - case 4: - sa->kilobytes = decode_32(value); - break; - default: - log_print("ipsec_decode_attribute: " - "unreasonable lifetime"); - } - break; - default: - log_print("ipsec_decode_attribute: unknown " - "lifetime type"); - } - break; - case IKE_ATTR_PRF: - break; - case IKE_ATTR_KEY_LENGTH: - exchange->key_length = decode_16(value) / 8; - break; - case IKE_ATTR_FIELD_SIZE: - break; - case IKE_ATTR_GROUP_ORDER: - break; - } - } else { - switch (type) { - case IPSEC_ATTR_SA_LIFE_TYPE: - lifetype = decode_16(value); - return 0; - case IPSEC_ATTR_SA_LIFE_DURATION: - switch (lifetype) { - case IPSEC_DURATION_SECONDS: - switch (len) { - case 2: - sa->seconds = decode_16(value); - break; - case 4: - sa->seconds = decode_32(value); - break; - default: - log_print("ipsec_decode_attribute: " - "unreasonable lifetime"); - } - break; - case IPSEC_DURATION_KILOBYTES: - switch (len) { - case 2: - sa->kilobytes = decode_16(value); - break; - case 4: - sa->kilobytes = decode_32(value); - break; - default: - log_print("ipsec_decode_attribute: " - "unreasonable lifetime"); - } - break; - default: - log_print("ipsec_decode_attribute: unknown " - "lifetime type"); - } - break; - case IPSEC_ATTR_GROUP_DESCRIPTION: - isa->group_desc = decode_16(value); - break; - case IPSEC_ATTR_ENCAPSULATION_MODE: - /* - * XXX Multiple protocols must have same - * encapsulation mode, no? - */ - iproto->encap_mode = decode_16(value); - break; - case IPSEC_ATTR_AUTHENTICATION_ALGORITHM: - iproto->auth = decode_16(value); - break; - case IPSEC_ATTR_KEY_LENGTH: - iproto->keylen = decode_16(value); - break; - case IPSEC_ATTR_KEY_ROUNDS: - iproto->keyrounds = decode_16(value); - break; - case IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE: - break; - case IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM: - break; - case IPSEC_ATTR_ECN_TUNNEL: - break; - } - } - lifetype = 0; - return 0; -} - -/* - * Walk over the attributes of the transform payload found in BUF, and - * fill out the fields of the SA attached to MSG. Also mark the SA as - * processed. - */ -void -ipsec_decode_transform(struct message *msg, struct sa *sa, struct proto *proto, - u_int8_t *buf) -{ - struct ipsec_exch *ie = msg->exchange->data; - struct ipsec_decode_arg ida; - - LOG_DBG((LOG_MISC, 20, "ipsec_decode_transform: transform %d chosen", - GET_ISAKMP_TRANSFORM_NO(buf))); - - ida.msg = msg; - ida.sa = sa; - ida.proto = proto; - - /* The default IKE lifetime is 8 hours. */ - if (sa->phase == 1) - sa->seconds = 28800; - - /* Extract the attributes and stuff them into the SA. */ - attribute_map(buf + ISAKMP_TRANSFORM_SA_ATTRS_OFF, - GET_ISAKMP_GEN_LENGTH(buf) - ISAKMP_TRANSFORM_SA_ATTRS_OFF, - ipsec_decode_attribute, &ida); - - /* - * If no pseudo-random function was negotiated, it's HMAC. - * XXX As PRF_HMAC currently is zero, this is a no-op. - */ - if (!ie->prf_type) - ie->prf_type = PRF_HMAC; -} - -/* - * Delete the IPsec SA represented by the INCOMING direction in protocol PROTO - * of the IKE security association SA. - */ -static void -ipsec_delete_spi(struct sa *sa, struct proto *proto, int incoming) -{ - if (sa->phase == 1) - return; - /* XXX Error handling? Is it interesting? */ - sysdep_ipsec_delete_spi(sa, proto, incoming); -} - -/* - * Store BUF into the g^x entry of the exchange that message MSG belongs to. - * PEER is non-zero when the value is our peer's, and zero when it is ours. - */ -static int -ipsec_g_x(struct message *msg, int peer, u_int8_t *buf) -{ - struct exchange *exchange = msg->exchange; - struct ipsec_exch *ie = exchange->data; - u_int8_t **g_x; - int initiator = exchange->initiator ^ peer; - char header[32]; - - g_x = initiator ? &ie->g_xi : &ie->g_xr; - *g_x = malloc(ie->g_x_len); - if (!*g_x) { - log_error("ipsec_g_x: malloc (%lu) failed", - (unsigned long)ie->g_x_len); - return -1; - } - memcpy(*g_x, buf, ie->g_x_len); - snprintf(header, sizeof header, "ipsec_g_x: g^x%c", - initiator ? 'i' : 'r'); - LOG_DBG_BUF((LOG_MISC, 80, header, *g_x, ie->g_x_len)); - return 0; -} - -/* Generate our DH value. */ -int -ipsec_gen_g_x(struct message *msg) -{ - struct exchange *exchange = msg->exchange; - struct ipsec_exch *ie = exchange->data; - u_int8_t *buf; - - buf = malloc(ISAKMP_KE_SZ + ie->g_x_len); - if (!buf) { - log_error("ipsec_gen_g_x: malloc (%lu) failed", - ISAKMP_KE_SZ + (unsigned long)ie->g_x_len); - return -1; - } - if (message_add_payload(msg, ISAKMP_PAYLOAD_KEY_EXCH, buf, - ISAKMP_KE_SZ + ie->g_x_len, 1)) { - free(buf); - return -1; - } - if (dh_create_exchange(ie->group, buf + ISAKMP_KE_DATA_OFF)) { - log_print("ipsec_gen_g_x: dh_create_exchange failed"); - free(buf); - return -1; - } - return ipsec_g_x(msg, 0, buf + ISAKMP_KE_DATA_OFF); -} - -/* Save the peer's DH value. */ -int -ipsec_save_g_x(struct message *msg) -{ - struct exchange *exchange = msg->exchange; - struct ipsec_exch *ie = exchange->data; - struct payload *kep; - - kep = payload_first(msg, ISAKMP_PAYLOAD_KEY_EXCH); - kep->flags |= PL_MARK; - ie->g_x_len = GET_ISAKMP_GEN_LENGTH(kep->p) - ISAKMP_KE_DATA_OFF; - - /* Check that the given length matches the group's expectancy. */ - if (ie->g_x_len != (size_t) dh_getlen(ie->group)) { - /* XXX Is this a good notify type? */ - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0); - return -1; - } - return ipsec_g_x(msg, 1, kep->p + ISAKMP_KE_DATA_OFF); -} - -/* - * Get a SPI for PROTO and the transport MSG passed over. Store the - * size where SZ points. NB! A zero return is OK if *SZ is zero. - */ -static u_int8_t * -ipsec_get_spi(size_t *sz, u_int8_t proto, struct message *msg) -{ - struct sockaddr *dst, *src; - struct transport *transport = msg->transport; - - if (msg->exchange->phase == 1) { - *sz = 0; - return 0; - } else { - /* We are the destination in the SA we want a SPI for. */ - transport->vtbl->get_src(transport, &dst); - /* The peer is the source. */ - transport->vtbl->get_dst(transport, &src); - return sysdep_ipsec_get_spi(sz, proto, src, dst, - msg->exchange->seq); - } -} - -/* - * We have gotten a payload PAYLOAD of type TYPE, which did not get handled - * by the logic of the exchange MSG takes part in. Now is the time to deal - * with such a payload if we know how to, if we don't, return -1, otherwise - * 0. - */ -int -ipsec_handle_leftover_payload(struct message *msg, u_int8_t type, - struct payload *payload) -{ - u_int32_t spisz, nspis; - struct sockaddr *dst; - int reenter = 0; - u_int8_t *spis, proto; - struct sa *sa; - - switch (type) { - case ISAKMP_PAYLOAD_DELETE: - proto = GET_ISAKMP_DELETE_PROTO(payload->p); - nspis = GET_ISAKMP_DELETE_NSPIS(payload->p); - spisz = GET_ISAKMP_DELETE_SPI_SZ(payload->p); - - if (nspis == 0) { - LOG_DBG((LOG_SA, 60, "ipsec_handle_leftover_payload: " - "message specified zero SPIs, ignoring")); - return -1; - } - /* verify proper SPI size */ - if ((proto == ISAKMP_PROTO_ISAKMP && spisz != - ISAKMP_HDR_COOKIES_LEN) - || (proto != ISAKMP_PROTO_ISAKMP && spisz != - sizeof(u_int32_t))) { - log_print("ipsec_handle_leftover_payload: invalid SPI " - "size %d for proto %d in DELETE payload", - spisz, proto); - return -1; - } - spis = (u_int8_t *) malloc(nspis * spisz); - if (!spis) { - log_error("ipsec_handle_leftover_payload: malloc " - "(%d) failed", nspis * spisz); - return -1; - } - /* extract SPI and get dst address */ - memcpy(spis, payload->p + ISAKMP_DELETE_SPI_OFF, nspis * spisz); - msg->transport->vtbl->get_dst(msg->transport, &dst); - - ipsec_delete_spi_list(dst, proto, spis, nspis, "DELETE"); - - free(spis); - payload->flags |= PL_MARK; - return 0; - - case ISAKMP_PAYLOAD_NOTIFY: - switch (GET_ISAKMP_NOTIFY_MSG_TYPE(payload->p)) { - case IPSEC_NOTIFY_INITIAL_CONTACT: - /* - * Permit INITIAL-CONTACT if - * - this is not an AGGRESSIVE mode exchange - * - it is protected by an ISAKMP SA - * - * XXX Instead of the first condition above, we could - * XXX permit this only for phase 2. In the last - * XXX packet of main-mode, this payload, while - * XXX encrypted, is not part of the hash digest. As - * XXX we currently send our own INITIAL-CONTACTs at - * XXX this point, this too would need to be changed. - */ - if (msg->exchange->type == ISAKMP_EXCH_AGGRESSIVE) { - log_print("ipsec_handle_leftover_payload: got " - "INITIAL-CONTACT in AGGRESSIVE mode"); - return -1; - } - if ((msg->exchange->flags & EXCHANGE_FLAG_ENCRYPT) - == 0) { - log_print("ipsec_handle_leftover_payload: got " - "INITIAL-CONTACT without ISAKMP SA"); - return -1; - } - - if ((msg->flags & MSG_AUTHENTICATED) == 0) { - log_print("ipsec_handle_leftover_payload: " - "got unauthenticated INITIAL-CONTACT"); - return -1; - } - /* - * Find out who is sending this and then delete every - * SA that is ready. Exchanges will timeout - * themselves and then the non-ready SAs will - * disappear too. - */ - msg->transport->vtbl->get_dst(msg->transport, &dst); - while ((sa = sa_lookup_by_peer(dst, - sysdep_sa_len(dst))) != 0) { - /* - * Don't delete the current SA -- we received - * the notification over it, so it's obviously - * still active. We temporarily need to remove - * the SA from the list to avoid an endless - * loop, but keep a reference so it won't - * disappear meanwhile. - */ - if (sa == msg->isakmp_sa) { - sa_reference(sa); - sa_remove(sa); - reenter = 1; - continue; - } - LOG_DBG((LOG_SA, 30, - "ipsec_handle_leftover_payload: " - "INITIAL-CONTACT made us delete SA %p", - sa)); - sa_delete(sa, 0); - } - - if (reenter) { - sa_enter(msg->isakmp_sa); - sa_release(msg->isakmp_sa); - } - payload->flags |= PL_MARK; - return 0; - } - } - return -1; -} - -/* Return the encryption keylength in octets of the ESP protocol PROTO. */ -int -ipsec_esp_enckeylength(struct proto *proto) -{ - struct ipsec_proto *iproto = proto->data; - - /* Compute the keylength to use. */ - switch (proto->id) { - case IPSEC_ESP_DES: - case IPSEC_ESP_DES_IV32: - case IPSEC_ESP_DES_IV64: - return 8; - case IPSEC_ESP_3DES: - return 24; - case IPSEC_ESP_CAST: - if (!iproto->keylen) - return 16; - return iproto->keylen / 8; - case IPSEC_ESP_AES: - case IPSEC_ESP_AES_128_CTR: - if (!iproto->keylen) - return 16; - /* Fallthrough */ - default: - return iproto->keylen / 8; - } -} - -/* Return the authentication keylength in octets of the ESP protocol PROTO. */ -int -ipsec_esp_authkeylength(struct proto *proto) -{ - struct ipsec_proto *iproto = proto->data; - - switch (iproto->auth) { - case IPSEC_AUTH_HMAC_MD5: - return 16; - case IPSEC_AUTH_HMAC_SHA: - case IPSEC_AUTH_HMAC_RIPEMD: - return 20; - case IPSEC_AUTH_HMAC_SHA2_256: - return 32; - case IPSEC_AUTH_HMAC_SHA2_384: - return 48; - case IPSEC_AUTH_HMAC_SHA2_512: - return 64; - default: - return 0; - } -} - -/* Return the authentication keylength in octets of the AH protocol PROTO. */ -int -ipsec_ah_keylength(struct proto *proto) -{ - switch (proto->id) { - case IPSEC_AH_MD5: - return 16; - case IPSEC_AH_SHA: - case IPSEC_AH_RIPEMD: - return 20; - case IPSEC_AH_SHA2_256: - return 32; - case IPSEC_AH_SHA2_384: - return 48; - case IPSEC_AH_SHA2_512: - return 64; - default: - return -1; - } -} - -/* Return the total keymaterial length of the protocol PROTO. */ -int -ipsec_keymat_length(struct proto *proto) -{ - switch (proto->proto) { - case IPSEC_PROTO_IPSEC_ESP: - return ipsec_esp_enckeylength(proto) - + ipsec_esp_authkeylength(proto); - case IPSEC_PROTO_IPSEC_AH: - return ipsec_ah_keylength(proto); - default: - return -1; - } -} - -/* Helper function for ipsec_get_id(). */ -static int -ipsec_get_proto_port(char *section, u_int8_t *tproto, u_int16_t *port) -{ - struct protoent *pe = NULL; - struct servent *se; - char *pstr; - - pstr = conf_get_str(section, "Protocol"); - if (!pstr) { - *tproto = 0; - return 0; - } - *tproto = (u_int8_t)atoi(pstr); - if (!*tproto) { - pe = getprotobyname(pstr); - if (pe) - *tproto = pe->p_proto; - } - if (!*tproto) { - log_print("ipsec_get_proto_port: protocol \"%s\" unknown", - pstr); - return -1; - } - - pstr = conf_get_str(section, "Port"); - if (!pstr) - return 0; - *port = (u_int16_t)atoi(pstr); - if (!*port) { - se = getservbyname(pstr, - pe ? pe->p_name : (pstr ? pstr : NULL)); - if (se) - *port = se->s_port; - } - if (!*port) { - log_print("ipsec_get_proto_port: port \"%s\" unknown", - pstr); - return -1; - } - return 0; -} - -/* - * Out of a named section SECTION in the configuration file find out - * the network address and mask as well as the ID type. Put the info - * in the areas pointed to by ADDR, MASK, TPROTO, PORT, and ID respectively. - * Return 0 on success and -1 on failure. - */ -int -ipsec_get_id(char *section, int *id, struct sockaddr **addr, - struct sockaddr **mask, u_int8_t *tproto, u_int16_t *port) -{ - char *type, *address, *netmask; - - type = conf_get_str(section, "ID-type"); - if (!type) { - log_print("ipsec_get_id: section %s has no \"ID-type\" tag", - section); - return -1; - } - *id = constant_value(ipsec_id_cst, type); - switch (*id) { - case IPSEC_ID_IPV4_ADDR: - case IPSEC_ID_IPV6_ADDR: { - int ret; - - address = conf_get_str(section, "Address"); - if (!address) { - log_print("ipsec_get_id: section %s has no " - "\"Address\" tag", section); - return -1; - } - if (text2sockaddr(address, NULL, addr)) { - log_print("ipsec_get_id: invalid address %s in " - "section %s", address, section); - return -1; - } - ret = ipsec_get_proto_port(section, tproto, port); - if (ret < 0) - free(*addr); - - return ret; - } - -#ifdef notyet - case IPSEC_ID_FQDN: - return -1; - - case IPSEC_ID_USER_FQDN: - return -1; -#endif - - case IPSEC_ID_IPV4_ADDR_SUBNET: - case IPSEC_ID_IPV6_ADDR_SUBNET: { - int ret; - - address = conf_get_str(section, "Network"); - if (!address) { - log_print("ipsec_get_id: section %s has no " - "\"Network\" tag", section); - return -1; - } - if (text2sockaddr(address, NULL, addr)) { - log_print("ipsec_get_id: invalid section %s " - "network %s", section, address); - return -1; - } - netmask = conf_get_str(section, "Netmask"); - if (!netmask) { - log_print("ipsec_get_id: section %s has no " - "\"Netmask\" tag", section); - free(*addr); - return -1; - } - if (text2sockaddr(netmask, NULL, mask)) { - log_print("ipsec_id_build: invalid section %s " - "network %s", section, netmask); - free(*addr); - return -1; - } - ret = ipsec_get_proto_port(section, tproto, port); - if (ret < 0) { - free(*mask); - free(*addr); - } - return ret; - } - -#ifdef notyet - case IPSEC_ID_IPV4_RANGE: - return -1; - - case IPSEC_ID_IPV6_RANGE: - return -1; - - case IPSEC_ID_DER_ASN1_DN: - return -1; - - case IPSEC_ID_DER_ASN1_GN: - return -1; - - case IPSEC_ID_KEY_ID: - return -1; -#endif - - default: - log_print("ipsec_get_id: unknown ID type \"%s\" in " - "section %s", type, section); - return -1; - } - - return 0; -} - -/* - * XXX I rather want this function to return a status code, and fail if - * we cannot fit the information in the supplied buffer. - */ -static void -ipsec_decode_id(char *buf, size_t size, u_int8_t *id, size_t id_len, - int isakmpform) -{ - int id_type; - char *addr = 0, *mask = 0; - u_int32_t *idp; - - if (id) { - if (!isakmpform) { - /* - * Exchanges and SAs dont carry the IDs in ISAKMP - * form. - */ - id -= ISAKMP_GEN_SZ; - id_len += ISAKMP_GEN_SZ; - } - id_type = GET_ISAKMP_ID_TYPE(id); - idp = (u_int32_t *) (id + ISAKMP_ID_DATA_OFF); - switch (id_type) { - case IPSEC_ID_IPV4_ADDR: - util_ntoa(&addr, AF_INET, id + ISAKMP_ID_DATA_OFF); - snprintf(buf, size, "%08x: %s", - decode_32(id + ISAKMP_ID_DATA_OFF), addr); - break; - - case IPSEC_ID_IPV4_ADDR_SUBNET: - util_ntoa(&addr, AF_INET, id + ISAKMP_ID_DATA_OFF); - util_ntoa(&mask, AF_INET, id + ISAKMP_ID_DATA_OFF + 4); - snprintf(buf, size, "%08x/%08x: %s/%s", - decode_32(id + ISAKMP_ID_DATA_OFF), - decode_32(id + ISAKMP_ID_DATA_OFF + 4), addr, mask); - break; - - case IPSEC_ID_IPV6_ADDR: - util_ntoa(&addr, AF_INET6, id + ISAKMP_ID_DATA_OFF); - snprintf(buf, size, "%08x%08x%08x%08x: %s", *idp, - *(idp + 1), *(idp + 2), *(idp + 3), addr); - break; - - case IPSEC_ID_IPV6_ADDR_SUBNET: - util_ntoa(&addr, AF_INET6, id + ISAKMP_ID_DATA_OFF); - util_ntoa(&mask, AF_INET6, id + ISAKMP_ID_DATA_OFF + - sizeof(struct in6_addr)); - snprintf(buf, size, - "%08x%08x%08x%08x/%08x%08x%08x%08x: %s/%s", *idp, - *(idp + 1), *(idp + 2), *(idp + 3), *(idp + 4), - *(idp + 5), *(idp + 6), *(idp + 7), addr, mask); - break; - - case IPSEC_ID_FQDN: - case IPSEC_ID_USER_FQDN: - /* String is not NUL terminated, be careful */ - id_len -= ISAKMP_ID_DATA_OFF; - id_len = MIN(id_len, size - 1); - memcpy(buf, id + ISAKMP_ID_DATA_OFF, id_len); - buf[id_len] = '\0'; - break; - -#ifdef USE_X509 - case IPSEC_ID_DER_ASN1_DN: - addr = x509_DN_string(id + ISAKMP_ID_DATA_OFF, - id_len - ISAKMP_ID_DATA_OFF); - if (!addr) { - snprintf(buf, size, "unparsable ASN1 DN ID"); - return; - } - strlcpy(buf, addr, size); - break; -#endif - - default: - snprintf(buf, size, "<id type unknown: %x>", id_type); - break; - } - } else - snprintf(buf, size, "<no ipsec id>"); - if (addr) - free(addr); - if (mask) - free(mask); -} - -char * -ipsec_decode_ids(char *fmt, u_int8_t *id1, size_t id1_len, u_int8_t *id2, - size_t id2_len, int isakmpform) -{ - static char result[1024]; - char s_id1[256], s_id2[256]; - - ipsec_decode_id(s_id1, sizeof s_id1, id1, id1_len, isakmpform); - ipsec_decode_id(s_id2, sizeof s_id2, id2, id2_len, isakmpform); - - snprintf(result, sizeof result, fmt, s_id1, s_id2); - return result; -} - -/* - * Out of a named section SECTION in the configuration file build an - * ISAKMP ID payload. Ths payload size should be stashed in SZ. - * The caller is responsible for freeing the payload. - */ -u_int8_t * -ipsec_build_id(char *section, size_t *sz) -{ - struct sockaddr *addr, *mask; - u_int8_t *p; - int id, subnet = 0; - u_int8_t tproto = 0; - u_int16_t port = 0; - - if (ipsec_get_id(section, &id, &addr, &mask, &tproto, &port)) - return 0; - - if (id == IPSEC_ID_IPV4_ADDR_SUBNET || id == IPSEC_ID_IPV6_ADDR_SUBNET) - subnet = 1; - - *sz = ISAKMP_ID_SZ + sockaddr_addrlen(addr); - if (subnet) - *sz += sockaddr_addrlen(mask); - - p = malloc(*sz); - if (!p) { - log_print("ipsec_build_id: malloc(%lu) failed", - (unsigned long)*sz); - if (subnet) - free(mask); - free(addr); - return 0; - } - SET_ISAKMP_ID_TYPE(p, id); - SET_ISAKMP_ID_DOI_DATA(p, (unsigned char *)"\000\000\000"); - - memcpy(p + ISAKMP_ID_DATA_OFF, sockaddr_addrdata(addr), - sockaddr_addrlen(addr)); - if (subnet) - memcpy(p + ISAKMP_ID_DATA_OFF + sockaddr_addrlen(addr), - sockaddr_addrdata(mask), sockaddr_addrlen(mask)); - - SET_IPSEC_ID_PROTO(p + ISAKMP_ID_DOI_DATA_OFF, tproto); - SET_IPSEC_ID_PORT(p + ISAKMP_ID_DOI_DATA_OFF, port); - - if (subnet) - free(mask); - free(addr); - return p; -} - -/* - * copy an ISAKMPD id - */ -int -ipsec_clone_id(u_int8_t **did, size_t *did_len, u_int8_t *id, size_t id_len) -{ - if (*did) - free(*did); - - if (!id_len || !id) { - *did = 0; - *did_len = 0; - return 0; - } - *did = malloc(id_len); - if (!*did) { - *did_len = 0; - log_error("ipsec_clone_id: malloc(%lu) failed", - (unsigned long)id_len); - return -1; - } - *did_len = id_len; - memcpy(*did, id, id_len); - - return 0; -} - -/* - * IPsec-specific PROTO initializations. SECTION is only set if we are the - * initiator thus only usable there. - * XXX I want to fix this later. - */ -void -ipsec_proto_init(struct proto *proto, char *section) -{ - struct ipsec_proto *iproto = proto->data; - - if (proto->sa->phase == 2) - iproto->replay_window = section ? conf_get_num(section, - "ReplayWindow", DEFAULT_REPLAY_WINDOW) : - DEFAULT_REPLAY_WINDOW; -} - -/* - * Add a notification payload of type INITIAL CONTACT to MSG if this is - * the first contact we have made to our peer. - */ -int -ipsec_initial_contact(struct message *msg) -{ - u_int8_t *buf; - - if (ipsec_contacted(msg)) - return 0; - - buf = malloc(ISAKMP_NOTIFY_SZ + ISAKMP_HDR_COOKIES_LEN); - if (!buf) { - log_error("ike_phase_1_initial_contact: malloc (%d) failed", - ISAKMP_NOTIFY_SZ + ISAKMP_HDR_COOKIES_LEN); - return -1; - } - SET_ISAKMP_NOTIFY_DOI(buf, IPSEC_DOI_IPSEC); - SET_ISAKMP_NOTIFY_PROTO(buf, ISAKMP_PROTO_ISAKMP); - SET_ISAKMP_NOTIFY_SPI_SZ(buf, ISAKMP_HDR_COOKIES_LEN); - SET_ISAKMP_NOTIFY_MSG_TYPE(buf, IPSEC_NOTIFY_INITIAL_CONTACT); - memcpy(buf + ISAKMP_NOTIFY_SPI_OFF, msg->isakmp_sa->cookies, - ISAKMP_HDR_COOKIES_LEN); - if (message_add_payload(msg, ISAKMP_PAYLOAD_NOTIFY, buf, - ISAKMP_NOTIFY_SZ + ISAKMP_HDR_COOKIES_LEN, 1)) { - free(buf); - return -1; - } - return ipsec_add_contact(msg); -} - -/* - * Compare the two contacts pointed to by A and B. Return negative if - * *A < *B, 0 if they are equal, and positive if *A is the largest of them. - */ -static int -addr_cmp(const void *a, const void *b) -{ - const struct contact *x = a, *y = b; - int minlen = MIN(x->len, y->len); - int rv = memcmp(x->addr, y->addr, minlen); - - return rv ? rv : (x->len - y->len); -} - -/* - * Add the peer that MSG is bound to as an address we don't want to send - * INITIAL CONTACT too from now on. Do not call this function with a - * specific address duplicate times. We want fast lookup, speed of insertion - * is unimportant, if this is to scale. - */ -static int -ipsec_add_contact(struct message *msg) -{ - struct contact *new_contacts; - struct sockaddr *dst, *addr; - int cnt; - - if (contact_cnt == contact_limit) { - cnt = contact_limit ? 2 * contact_limit : 64; - new_contacts = realloc(contacts, cnt * sizeof contacts[0]); - if (!new_contacts) { - log_error("ipsec_add_contact: " - "realloc (%p, %lu) failed", contacts, - cnt * (unsigned long) sizeof contacts[0]); - return -1; - } - contact_limit = cnt; - contacts = new_contacts; - } - msg->transport->vtbl->get_dst(msg->transport, &dst); - addr = malloc(sysdep_sa_len(dst)); - if (!addr) { - log_error("ipsec_add_contact: malloc (%d) failed", - sysdep_sa_len(dst)); - return -1; - } - memcpy(addr, dst, sysdep_sa_len(dst)); - contacts[contact_cnt].addr = addr; - contacts[contact_cnt++].len = sysdep_sa_len(dst); - - /* - * XXX There are better algorithms for already mostly-sorted data like - * this, but only qsort is standard. I will someday do this inline. - */ - qsort(contacts, contact_cnt, sizeof *contacts, addr_cmp); - return 0; -} - -/* Return true if the recipient of MSG has already been contacted. */ -static int -ipsec_contacted(struct message *msg) -{ - struct contact contact; - - msg->transport->vtbl->get_dst(msg->transport, &contact.addr); - contact.len = sysdep_sa_len(contact.addr); - return contacts ? (bsearch(&contact, contacts, contact_cnt, - sizeof *contacts, addr_cmp) != 0) : 0; -} - -/* Add a HASH for to MSG. */ -u_int8_t * -ipsec_add_hash_payload(struct message *msg, size_t hashsize) -{ - u_int8_t *buf; - - buf = malloc(ISAKMP_HASH_SZ + hashsize); - if (!buf) { - log_error("ipsec_add_hash_payload: malloc (%lu) failed", - ISAKMP_HASH_SZ + (unsigned long) hashsize); - return 0; - } - if (message_add_payload(msg, ISAKMP_PAYLOAD_HASH, buf, - ISAKMP_HASH_SZ + hashsize, 1)) { - free(buf); - return 0; - } - return buf; -} - -/* Fill in the HASH payload of MSG. */ -int -ipsec_fill_in_hash(struct message *msg) -{ - struct exchange *exchange = msg->exchange; - struct sa *isakmp_sa = msg->isakmp_sa; - struct ipsec_sa *isa = isakmp_sa->data; - struct hash *hash = hash_get(isa->hash); - struct prf *prf; - struct payload *payload; - u_int8_t *buf; - u_int32_t i; - char header[80]; - - /* If no SKEYID_a, we need not do anything. */ - if (!isa->skeyid_a) - return 0; - - payload = payload_first(msg, ISAKMP_PAYLOAD_HASH); - if (!payload) { - log_print("ipsec_fill_in_hash: no HASH payload found"); - return -1; - } - buf = payload->p; - - /* Allocate the prf and start calculating our HASH(1). */ - LOG_DBG_BUF((LOG_MISC, 90, "ipsec_fill_in_hash: SKEYID_a", - isa->skeyid_a, isa->skeyid_len)); - prf = prf_alloc(isa->prf_type, hash->type, isa->skeyid_a, - isa->skeyid_len); - if (!prf) - return -1; - - prf->Init(prf->prfctx); - LOG_DBG_BUF((LOG_MISC, 90, "ipsec_fill_in_hash: message_id", - exchange->message_id, ISAKMP_HDR_MESSAGE_ID_LEN)); - prf->Update(prf->prfctx, exchange->message_id, - ISAKMP_HDR_MESSAGE_ID_LEN); - - /* Loop over all payloads after HASH(1). */ - for (i = 2; i < msg->iovlen; i++) { - /* XXX Misleading payload type printouts. */ - snprintf(header, sizeof header, - "ipsec_fill_in_hash: payload %d after HASH(1)", i - 1); - LOG_DBG_BUF((LOG_MISC, 90, header, msg->iov[i].iov_base, - msg->iov[i].iov_len)); - prf->Update(prf->prfctx, msg->iov[i].iov_base, - msg->iov[i].iov_len); - } - prf->Final(buf + ISAKMP_HASH_DATA_OFF, prf->prfctx); - prf_free(prf); - LOG_DBG_BUF((LOG_MISC, 80, "ipsec_fill_in_hash: HASH(1)", buf + - ISAKMP_HASH_DATA_OFF, hash->hashsize)); - - return 0; -} - -/* Add a HASH payload to MSG, if we have an ISAKMP SA we're protected by. */ -static int -ipsec_informational_pre_hook(struct message *msg) -{ - struct sa *isakmp_sa = msg->isakmp_sa; - struct ipsec_sa *isa; - struct hash *hash; - - if (!isakmp_sa) - return 0; - isa = isakmp_sa->data; - hash = hash_get(isa->hash); - return ipsec_add_hash_payload(msg, hash->hashsize) == 0; -} - -/* - * Fill in the HASH payload in MSG, if we have an ISAKMP SA we're protected by. - */ -static int -ipsec_informational_post_hook(struct message *msg) -{ - if (!msg->isakmp_sa) - return 0; - return ipsec_fill_in_hash(msg); -} - -ssize_t -ipsec_id_size(char *section, u_int8_t *id) -{ - char *type, *data; - - type = conf_get_str(section, "ID-type"); - if (!type) { - log_print("ipsec_id_size: section %s has no \"ID-type\" tag", - section); - return -1; - } - *id = constant_value(ipsec_id_cst, type); - switch (*id) { - case IPSEC_ID_IPV4_ADDR: - return sizeof(struct in_addr); - case IPSEC_ID_IPV4_ADDR_SUBNET: - return 2 * sizeof(struct in_addr); - case IPSEC_ID_IPV6_ADDR: - return sizeof(struct in6_addr); - case IPSEC_ID_IPV6_ADDR_SUBNET: - return 2 * sizeof(struct in6_addr); - case IPSEC_ID_FQDN: - case IPSEC_ID_USER_FQDN: - case IPSEC_ID_KEY_ID: - case IPSEC_ID_DER_ASN1_DN: - case IPSEC_ID_DER_ASN1_GN: - data = conf_get_str(section, "Name"); - if (!data) { - log_print("ipsec_id_size: " - "section %s has no \"Name\" tag", section); - return -1; - } - return strlen(data); - } - log_print("ipsec_id_size: unrecognized/unsupported ID-type %d (%s)", - *id, type); - return -1; -} - -/* - * Generate a string version of the ID. - */ -char * -ipsec_id_string(u_int8_t *id, size_t id_len) -{ - char *buf = 0; - char *addrstr = 0; - size_t len, size; - - /* - * XXX Real ugly way of making the offsets correct. Be aware that id - * now will point before the actual buffer and cannot be dereferenced - * without an offset larger than or equal to ISAKM_GEN_SZ. - */ - id -= ISAKMP_GEN_SZ; - - /* This is the actual length of the ID data field. */ - id_len += ISAKMP_GEN_SZ - ISAKMP_ID_DATA_OFF; - - /* - * Conservative allocation. - * XXX I think the ASN1 DN case can be thought through to give a better - * estimate. - */ - size = MAX(sizeof "ipv6/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff", - sizeof "asn1_dn/" + id_len - ISAKMP_ID_DATA_OFF); - buf = malloc(size); - if (!buf) - /* XXX Log? */ - goto fail; - - switch (GET_ISAKMP_ID_TYPE(id)) { - case IPSEC_ID_IPV4_ADDR: - if (id_len < sizeof(struct in_addr)) - goto fail; - util_ntoa(&addrstr, AF_INET, id + ISAKMP_ID_DATA_OFF); - if (!addrstr) - goto fail; - snprintf(buf, size, "ipv4/%s", addrstr); - break; - - case IPSEC_ID_IPV6_ADDR: - if (id_len < sizeof(struct in6_addr)) - goto fail; - util_ntoa(&addrstr, AF_INET6, id + ISAKMP_ID_DATA_OFF); - if (!addrstr) - goto fail; - snprintf(buf, size, "ipv6/%s", addrstr); - break; - - case IPSEC_ID_FQDN: - case IPSEC_ID_USER_FQDN: - strlcpy(buf, - GET_ISAKMP_ID_TYPE(id) == IPSEC_ID_FQDN ? "fqdn/" : "ufqdn/", - size); - len = strlen(buf); - - memcpy(buf + len, id + ISAKMP_ID_DATA_OFF, id_len); - *(buf + len + id_len) = '\0'; - break; - -#ifdef USE_X509 - case IPSEC_ID_DER_ASN1_DN: - strlcpy(buf, "asn1_dn/", size); - len = strlen(buf); - addrstr = x509_DN_string(id + ISAKMP_ID_DATA_OFF, - id_len - ISAKMP_ID_DATA_OFF); - if (!addrstr) - goto fail; - if (size < len + strlen(addrstr) + 1) - goto fail; - strlcpy(buf + len, addrstr, size - len); - break; -#endif - - default: - /* Unknown type. */ - LOG_DBG((LOG_MISC, 10, - "ipsec_id_string: unknown identity type %d\n", - GET_ISAKMP_ID_TYPE(id))); - goto fail; - } - - if (addrstr) - free(addrstr); - return buf; - -fail: - if (buf) - free(buf); - if (addrstr) - free(addrstr); - return 0; -} diff --git a/keyexchange/isakmpd-20041012/ipsec.h b/keyexchange/isakmpd-20041012/ipsec.h deleted file mode 100644 index 1b3c996..0000000 --- a/keyexchange/isakmpd-20041012/ipsec.h +++ /dev/null @@ -1,173 +0,0 @@ -/* $OpenBSD: ipsec.h,v 1.24 2004/05/23 18:17:56 hshoexer Exp $ */ -/* $EOM: ipsec.h,v 1.42 2000/12/03 07:58:20 angelos Exp $ */ - -/* - * Copyright (c) 1998, 1999, 2001 Niklas Hallqvist. All rights reserved. - * Copyright (c) 1999 Angelos D. Keromytis. All rights reserved. - * Copyright (c) 2001 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _IPSEC_H_ -#define _IPSEC_H_ - -#include <sys/queue.h> -#include <sys/types.h> -#include <netinet/in.h> - -#include "ipsec_doi.h" -#ifdef USE_ISAKMP_CFG -#include "isakmp_cfg.h" -#endif - -struct group; -struct hash; -struct ike_auth; -struct message; -struct proto; -struct sa; - -/* - * IPsec-specific data to be linked into the exchange struct. - * XXX Should probably be several different structs, one for each kind - * of exchange, i.e. phase 1, phase 2 and ISAKMP configuration parameters - * separated. - */ -struct ipsec_exch { - u_int flags; - struct hash *hash; - struct ike_auth *ike_auth; - struct group *group; - u_int16_t prf_type; - - /* 0 if no KEY_EXCH was proposed, 1 otherwise */ - u_int8_t pfs; - - /* - * A copy of the initiator SA payload body for later computation of - * hashes. Phase 1 only. - */ - size_t sa_i_b_len; - u_int8_t *sa_i_b; - - /* Diffie-Hellman values. */ - size_t g_x_len; - u_int8_t *g_xi; - u_int8_t *g_xr; - u_int8_t *g_xy; - - /* SKEYIDs. XXX Phase 1 only? */ - size_t skeyid_len; - u_int8_t *skeyid; - u_int8_t *skeyid_d; - u_int8_t *skeyid_a; - u_int8_t *skeyid_e; - - /* HASH_I & HASH_R. XXX Do these need to be saved here? */ - u_int8_t *hash_i; - u_int8_t *hash_r; - - /* KEYMAT */ - size_t keymat_len; - - /* Phase 2. */ - u_int8_t *id_ci; - size_t id_ci_sz; - u_int8_t *id_cr; - size_t id_cr_sz; - -#ifdef USE_ISAKMP_CFG - /* ISAKMP configuration mode parameters */ - u_int16_t cfg_id; - u_int16_t cfg_type; - LIST_HEAD(isakmp_cfg_attr_head, isakmp_cfg_attr) attrs; -#endif -}; - -#define IPSEC_EXCH_FLAG_NO_ID 1 - -struct ipsec_sa { - /* Phase 1. */ - u_int8_t hash; - size_t skeyid_len; - u_int8_t *skeyid_d; - u_int8_t *skeyid_a; - u_int16_t prf_type; - - /* Phase 2. */ - u_int16_t group_desc; - - /* Tunnel parameters. These are in network byte order. */ - struct sockaddr *src_net; - struct sockaddr *src_mask; - struct sockaddr *dst_net; - struct sockaddr *dst_mask; - u_int8_t tproto; - u_int16_t sport; - u_int16_t dport; -}; - -struct ipsec_proto { - /* Phase 2. */ - u_int16_t encap_mode; - u_int16_t auth; - u_int16_t keylen; - u_int16_t keyrounds; - - /* This is not negotiated, but rather configured. */ - int32_t replay_window; - - /* KEYMAT */ - u_int8_t *keymat[2]; -}; - -extern u_int8_t *ipsec_add_hash_payload(struct message *, size_t); -extern int ipsec_ah_keylength(struct proto *); -extern u_int8_t *ipsec_build_id(char *, size_t *); -extern int ipsec_decode_attribute(u_int16_t, u_int8_t *, u_int16_t, void *); -extern void ipsec_decode_transform(struct message *, struct sa *, - struct proto *, u_int8_t *); -extern int ipsec_esp_authkeylength(struct proto *); -extern int ipsec_esp_enckeylength(struct proto *); -extern int ipsec_fill_in_hash(struct message *); -extern int ipsec_gen_g_x(struct message *); -extern int ipsec_get_id(char *, int *, struct sockaddr **, - struct sockaddr **, u_int8_t *, u_int16_t *); -extern ssize_t ipsec_id_size(char *, u_int8_t *); -extern char *ipsec_id_string(u_int8_t *, size_t); -extern void ipsec_init(void); -extern int ipsec_initial_contact(struct message *); -extern int ipsec_is_attribute_incompatible(u_int16_t, u_int8_t *, - u_int16_t, void *); -extern int ipsec_keymat_length(struct proto *); -extern int ipsec_save_g_x(struct message *); -extern struct sa *ipsec_sa_lookup(struct sockaddr *, u_int32_t, u_int8_t); - -extern char *ipsec_decode_ids(char *, u_int8_t *, size_t, u_int8_t *, - size_t, int); -extern int ipsec_clone_id(u_int8_t **, size_t *, u_int8_t *, size_t); - -#endif /* _IPSEC_H_ */ diff --git a/keyexchange/isakmpd-20041012/ipsec_doi.h b/keyexchange/isakmpd-20041012/ipsec_doi.h deleted file mode 100644 index c7000c7..0000000 --- a/keyexchange/isakmpd-20041012/ipsec_doi.h +++ /dev/null @@ -1,44 +0,0 @@ -/* $OpenBSD: ipsec_doi.h,v 1.8 2004/04/15 18:39:25 deraadt Exp $ */ -/* $EOM: ipsec_doi.h,v 1.10 1999/04/02 00:57:51 niklas Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _IPSEC_DOI_H_ -#define _IPSEC_DOI_H_ - -#include "ipsec_fld.h" -#include "ipsec_num.h" - -/* The SPI size of all IPsec protocols. XXX Correct? */ -#define IPSEC_SPI_SIZE 4 - -/* The low limit if valid SPI values. */ -#define IPSEC_SPI_LOW 0x100 - -#endif /* _IPSEC_DOI_H_ */ diff --git a/keyexchange/isakmpd-20041012/ipsec_fld.fld b/keyexchange/isakmpd-20041012/ipsec_fld.fld deleted file mode 100644 index 8dfd0ef..0000000 --- a/keyexchange/isakmpd-20041012/ipsec_fld.fld +++ /dev/null @@ -1,60 +0,0 @@ -# $OpenBSD: ipsec_fld.fld,v 1.5 2003/06/03 14:28:16 ho Exp $ -# $EOM: ipsec_fld.fld,v 1.1 1998/08/02 20:12:02 niklas Exp $ - -# -# Copyright (c) 1998 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Ericsson Radio Systems. -# - -# XXX There are num-declared fields below that really are csts. - -# IPsec's situation field's subdivision. -IPSEC_SIT - SIT mask 4 ipsec_sit_cst - LABELED_DOMAIN_ID num 4 - SECRECY_LENGTH num 2 - RESERVED_1 ign 2 -# The following fields' offsets need the secrecy length added + 32bit -# alignment. - SECRECY_CAT_LENGTH num 2 - RESERVED_2 ign 2 -# The following fields' offsets need the secrecy cat length added + 32bit -# alignment on top of the aforementioned offset. - INTEGRITY_LENGTH num 2 - RESERVED_3 ign 2 -# The following fields' offsets need the integrity length added + 32bit -# alignment on top of the aforementioned offset. - INTEGRITY_CAT_LENGTH num 2 - RESERVED_4 ign 2 -# The IPSEC_SIT record's length need the integrity cat length added + 32bit -# alignment on top of the aforementioned offset. -. - -# IPsec's layout of the identification payload's DOI data field. -IPSEC_ID - PROTO num 1 - PORT num 2 -. diff --git a/keyexchange/isakmpd-20041012/ipsec_num.cst b/keyexchange/isakmpd-20041012/ipsec_num.cst deleted file mode 100644 index 9105550..0000000 --- a/keyexchange/isakmpd-20041012/ipsec_num.cst +++ /dev/null @@ -1,264 +0,0 @@ -# $OpenBSD: ipsec_num.cst,v 1.15 2004/04/28 14:40:00 ho Exp $ -# $EOM: ipsec_num.cst,v 1.5 2000/10/13 17:56:52 angelos Exp $ - -# -# Copyright (c) 1998 Niklas Hallqvist. All rights reserved. -# Copyright (c) 2003 Håkan Olsson. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Ericsson Radio Systems. -# - -# XXX Please fill in references to the drafts, chapter & verse for each -# constant group below. - -# IPSEC DOI Identifier. -IPSEC_DOI - IPSEC 1 -. - -# IPSEC SA attributes -IPSEC_ATTR - SA_LIFE_TYPE 1 - SA_LIFE_DURATION 2 - GROUP_DESCRIPTION 3 - ENCAPSULATION_MODE 4 - AUTHENTICATION_ALGORITHM 5 - KEY_LENGTH 6 - KEY_ROUNDS 7 - COMPRESS_DICTIONARY_SIZE 8 - COMPRESS_PRIVATE_ALGORITHM 9 - ECN_TUNNEL 10 -. - -# IPSEC SA duration. -IPSEC_DURATION - SECONDS 1 - KILOBYTES 2 -. - -# IPSEC encapsulation mode. -IPSEC_ENCAP - TUNNEL 1 - TRANSPORT 2 - UDP_ENCAP_TUNNEL 3 - UDP_ENCAP_TRANSPORT 4 - UDP_ENCAP_TUNNEL_DRAFT 61443 # draft-ietf-ipsec-nat-t-ike - UDP_ENCAP_TRANSPORT_DRAFT 61443 # draft-ietf-ipsec-nat-t-ike -. - -# IPSEC authentication algorithm. -IPSEC_AUTH - HMAC_MD5 1 - HMAC_SHA 2 - DES_MAC 3 - KPDK 4 - HMAC_SHA2_256 5 - HMAC_SHA2_384 6 - HMAC_SHA2_512 7 - HMAC_RIPEMD 8 -. - -# IPSEC ID types. -IPSEC_ID - IPV4_ADDR 1 - FQDN 2 - USER_FQDN 3 - IPV4_ADDR_SUBNET 4 - IPV6_ADDR 5 - IPV6_ADDR_SUBNET 6 - IPV4_RANGE 7 - IPV6_RANGE 8 - DER_ASN1_DN 9 - DER_ASN1_GN 10 - KEY_ID 11 -. - -# IKE SA attributes -IKE_ATTR - ENCRYPTION_ALGORITHM 1 ike_encrypt_cst - HASH_ALGORITHM 2 ike_hash_cst - AUTHENTICATION_METHOD 3 ike_auth_cst - GROUP_DESCRIPTION 4 ike_group_desc_cst - GROUP_TYPE 5 ike_group_cst - GROUP_PRIME 6 - GROUP_GENERATOR_1 7 - GROUP_GENERATOR_2 8 - GROUP_CURVE_A 9 - GROUP_CURVE_B 10 - LIFE_TYPE 11 ike_duration_cst - LIFE_DURATION 12 - PRF 13 ike_prf_cst - KEY_LENGTH 14 - FIELD_SIZE 15 - GROUP_ORDER 16 - BLOCK_SIZE 17 -. - -# XXX Fill in reserved ranges for the attributes below. - -# IKE encryption algorithm. -IKE_ENCRYPT - DES_CBC 1 - IDEA_CBC 2 - BLOWFISH_CBC 3 - RC5_R16_B64_CBC 4 - 3DES_CBC 5 - CAST_CBC 6 - AES_CBC 7 -. - -# IKE hash algorithm. -IKE_HASH - MD5 1 - SHA 2 - TIGER 3 - SHA2_256 4 - SHA2_384 5 - SHA2_512 6 -. - -# IKE authentication method. -IKE_AUTH - PRE_SHARED 1 - DSS 2 - RSA_SIG 3 - RSA_ENC 4 - RSA_ENC_REV 5 - EL_GAMAL_ENC 6 - EL_GAMAL_ENC_REV 7 - ECDSA_SIG 8 -. - -# IKE group description. -IKE_GROUP_DESC - MODP_768 1 - MODP_1024 2 - EC2N_155 3 - EC2N_185 4 - MODP_1536 5 - EC2N_163sect 6 - EC2N_163K 7 - EC2N_283sect 8 - EC2N_283K 9 - EC2N_409sect 10 - EC2N_409K 11 - EC2N_571sect 12 - EC2N_571K 13 - MODP_2048 14 - MODP_3072 15 - MODP_4096 16 - MODP_6144 17 - MODP_8192 18 -. - -# IKE Group type. -IKE_GROUP - MODP 1 - ECP 2 - EC2N 3 -. - -# IKE SA duration. -IKE_DURATION - SECONDS 1 - KILOBYTES 2 -. - -# IKE Pseudo random function. No defined so far. -IKE_PRF -. - -# IPSEC Situation bits. -IPSEC_SIT - IDENTITY_ONLY 1 - SECRECY 2 - INTEGRITY 4 -. - -# IPSEC security protocol IDs. -IPSEC_PROTO - IPSEC_AH 2 - IPSEC_ESP 3 - IPCOMP 4 -. - -# IPSEC ISAKMP transform IDs. -IPSEC_TRANSFORM - KEY_IKE 1 -. - -# IPSEC AH transform IDs. -IPSEC_AH - MD5 2 - SHA 3 - DES 4 - SHA2_256 5 - SHA2_384 6 - SHA2_512 7 - RIPEMD 8 -. - -# IPSEC ESP transform IDs. -IPSEC_ESP - DES_IV64 1 - DES 2 - 3DES 3 - RC5 4 - IDEA 5 - CAST 6 - BLOWFISH 7 - 3IDEA 8 - DES_IV32 9 - RC4 10 - NULL 11 - AES 12 - AES_128_CTR 13 - AES_MARS 249 - AES_RC6 250 - AES_RIJNDAEL 251 - AES_SERPENT 252 - AES_TWOFISH 253 -. - -# IPSEC IPCOMP transform IDs -IPSEC_IPCOMP - OUI 1 - DEFLATE 2 - LZS 3 - V42BIS 4 -. - -# IPSEC notify message types. -IPSEC_NOTIFY - RESPONDER_LIFETIME 24576 - REPLAY_STATUS 24577 - INITIAL_CONTACT 24578 -. - -# IKE exchange types. -IKE_EXCH - QUICK_MODE 32 - NEW_GROUP_MODE 33 -. diff --git a/keyexchange/isakmpd-20041012/isakmp.h b/keyexchange/isakmpd-20041012/isakmp.h deleted file mode 100644 index 4ab6869..0000000 --- a/keyexchange/isakmpd-20041012/isakmp.h +++ /dev/null @@ -1,64 +0,0 @@ -/* $OpenBSD: isakmp.h,v 1.7 2004/06/20 15:24:05 ho Exp $ */ -/* $EOM: isakmp.h,v 1.11 2000/07/05 10:48:43 ho Exp $ */ - -/* - * Copyright (c) 1998 Niklas Hallqvist. All rights reserved. - * Copyright (c) 2004 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _ISAKMP_H_ -#define _ISAKMP_H_ - -#include "isakmp_fld.h" -#include "isakmp_num.h" - -/* IANA assigned port */ -#define UDP_DEFAULT_PORT 500 -#define UDP_DEFAULT_PORT_STR "500" - -#define ISAKMP_DEFAULT_TRANSPORT "udp" - -/* draft-ietf-ipsec-nat-t-ike-07.txt */ -#define UDP_ENCAP_DEFAULT_PORT 4500 -#define UDP_ENCAP_DEFAULT_PORT_STR "4500" - -/* ISAKMP header extras defines */ -#define ISAKMP_HDR_COOKIES_OFF ISAKMP_HDR_ICOOKIE_OFF -#define ISAKMP_HDR_COOKIES_LEN (ISAKMP_HDR_ICOOKIE_LEN \ - + ISAKMP_HDR_ICOOKIE_LEN) - -/* ISAKMP attribute utilitiy macros. */ -#define ISAKMP_ATTR_FORMAT(x) ((x) >> 15) -#define ISAKMP_ATTR_TYPE(x) ((x) & 0x7fff) -#define ISAKMP_ATTR_MAKE(fmt, type) (((fmt) << 15) | (type)) - -/* Version number handling. */ -#define ISAKMP_VERSION_MAJOR(x) ((x) >> 4) -#define ISAKMP_VERSION_MINOR(x) ((x) & 0xf) -#define ISAKMP_VERSION_MAKE(maj, min) ((maj) << 4 | (min)) - -#endif /* _ISAKMP_H_ */ diff --git a/keyexchange/isakmpd-20041012/isakmp_cfg.c b/keyexchange/isakmpd-20041012/isakmp_cfg.c deleted file mode 100644 index 222d0c6..0000000 --- a/keyexchange/isakmpd-20041012/isakmp_cfg.c +++ /dev/null @@ -1,982 +0,0 @@ -/* $OpenBSD: isakmp_cfg.c,v 1.34 2004/08/08 19:11:06 deraadt Exp $ */ - -/* - * Copyright (c) 2001 Niklas Hallqvist. All rights reserved. - * Copyright (c) 2002 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Gatespace - * (http://www.gatespace.com/). - */ - -#include <sys/types.h> -#include <stdlib.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <string.h> -#include <bitstring.h> - -#include "sysdep.h" - -#include "attribute.h" -#include "conf.h" -#include "exchange.h" -#include "hash.h" -#include "ipsec.h" -#include "isakmp_fld.h" -#include "isakmp_num.h" -#include "log.h" -#include "message.h" -#include "prf.h" -#include "sa.h" -#include "transport.h" -#include "util.h" - -/* - * Validation script used to test messages for correct content of - * payloads depending on the exchange type. - */ -int16_t script_transaction[] = { - ISAKMP_PAYLOAD_ATTRIBUTE, /* Initiator -> responder. */ - EXCHANGE_SCRIPT_SWITCH, - ISAKMP_PAYLOAD_ATTRIBUTE, /* Responder -> initiator. */ - EXCHANGE_SCRIPT_END -}; - -static int cfg_decode_attribute(u_int16_t, u_int8_t *, u_int16_t, void *); -static int cfg_encode_attributes(struct isakmp_cfg_attr_head *, u_int32_t, - u_int32_t, char *, u_int8_t **, u_int16_t *); -static int cfg_initiator_send_ATTR(struct message *); -static int cfg_initiator_recv_ATTR(struct message *); -static int cfg_responder_recv_ATTR(struct message *); -static int cfg_responder_send_ATTR(struct message *); - -u_int8_t *cfg_add_hash(struct message *); -int cfg_finalize_hash(struct message *, u_int8_t *, u_int8_t *, - u_int16_t); -int cfg_verify_hash(struct message *); - -/* Server: SET/ACK Client; REQ/REPLY */ -int (*isakmp_cfg_initiator[]) (struct message *) = { - cfg_initiator_send_ATTR, - cfg_initiator_recv_ATTR -}; - -/* Server: REQ/REPLY Client: SET/ACK */ -int (*isakmp_cfg_responder[]) (struct message *) = { - cfg_responder_recv_ATTR, - cfg_responder_send_ATTR -}; - -/* - * When we are "the server", this starts SET/ACK mode - * When we are "the client", this starts REQ/REPLY mode - */ -static int -cfg_initiator_send_ATTR(struct message *msg) -{ - struct sa *isakmp_sa = msg->isakmp_sa; - struct ipsec_exch *ie = msg->exchange->data; - u_int8_t *hashp = 0, *attrp, *attr; - size_t attrlen, off; - char *id_string, *cfg_mode, *field; - struct sockaddr *sa; -#define CFG_ATTR_BIT_MAX ISAKMP_CFG_ATTR_FUTURE_MIN /* XXX */ - bitstr_t bit_decl(attrbits, CFG_ATTR_BIT_MAX); - u_int16_t bit, length; - u_int32_t life; - - if (msg->exchange->phase == 2) { - hashp = cfg_add_hash(msg); - if (!hashp) - return -1; - } - /* We initiated this exchange, check isakmp_sa for other side. */ - if (isakmp_sa->initiator) - id_string = ipsec_id_string(isakmp_sa->id_r, - isakmp_sa->id_r_len); - else - id_string = ipsec_id_string(isakmp_sa->id_i, - isakmp_sa->id_i_len); - if (!id_string) { - log_print("cfg_initiator_send_ATTR: cannot parse ID"); - goto fail; - } - /* Check for attribute list to send to the other side */ - attrlen = 0; - bit_nclear(attrbits, 0, CFG_ATTR_BIT_MAX - 1); - - cfg_mode = conf_get_str(id_string, "Mode"); - if (!cfg_mode || strcmp(cfg_mode, "SET") == 0) { - /* SET/ACK mode */ - ie->cfg_type = ISAKMP_CFG_SET; - - LOG_DBG((LOG_NEGOTIATION, 10, - "cfg_initiator_send_ATTR: SET/ACK mode")); - -#define ATTRFIND(STR,ATTR4,LEN4,ATTR6,LEN6) do \ - { \ - if ((sa = conf_get_address (id_string, STR)) != NULL) \ - switch (sa->sa_family) { \ - case AF_INET: \ - bit_set (attrbits, ATTR4); \ - attrlen += ISAKMP_ATTR_SZ + LEN4; \ - break; \ - case AF_INET6: \ - bit_set (attrbits, ATTR6); \ - attrlen += ISAKMP_ATTR_SZ + LEN6; \ - break; \ - default: \ - break; \ - } \ - free (sa); \ - } while (0) - - /* - * XXX We don't simultaneously support IPv4 and IPv6 - * addresses. - */ - ATTRFIND("Address", ISAKMP_CFG_ATTR_INTERNAL_IP4_ADDRESS, 4, - ISAKMP_CFG_ATTR_INTERNAL_IP6_ADDRESS, 16); - ATTRFIND("Netmask", ISAKMP_CFG_ATTR_INTERNAL_IP4_NETMASK, 4, - ISAKMP_CFG_ATTR_INTERNAL_IP6_NETMASK, 16); - ATTRFIND("Nameserver", ISAKMP_CFG_ATTR_INTERNAL_IP4_DNS, 4, - ISAKMP_CFG_ATTR_INTERNAL_IP6_DNS, 16); - ATTRFIND("WINS-server", ISAKMP_CFG_ATTR_INTERNAL_IP4_NBNS, 4, - ISAKMP_CFG_ATTR_INTERNAL_IP6_NBNS, 16); - ATTRFIND("DHCP-server", ISAKMP_CFG_ATTR_INTERNAL_IP4_DHCP, 4, - ISAKMP_CFG_ATTR_INTERNAL_IP6_DHCP, 16); -#ifdef notyet - ATTRFIND("Network", ISAKMP_CFG_ATTR_INTERNAL_IP4_SUBNET, 8, - ISAKMP_CFG_ATTR_INTERNAL_IP6_SUBNET, 17); -#endif -#undef ATTRFIND - - if (conf_get_str(id_string, "Lifetime")) { - bit_set(attrbits, - ISAKMP_CFG_ATTR_INTERNAL_ADDRESS_EXPIRY); - attrlen += ISAKMP_ATTR_SZ + 4; - } - } else { - struct conf_list *alist; - struct conf_list_node *anode; - - ie->cfg_type = ISAKMP_CFG_REQUEST; - - LOG_DBG((LOG_NEGOTIATION, 10, - "cfg_initiator_send_ATTR: REQ/REPLY mode")); - - alist = conf_get_list(id_string, "Attributes"); - if (alist) { - for (anode = TAILQ_FIRST(&alist->fields); anode; - anode = TAILQ_NEXT(anode, link)) { - if (strcasecmp(anode->field, "Address") == 0) { - bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP4_ADDRESS); - bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP6_ADDRESS); - attrlen += ISAKMP_ATTR_SZ * 2; - } else if (strcasecmp(anode->field, "Netmask") - == 0) { - bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP4_NETMASK); - bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP6_NETMASK); - attrlen += ISAKMP_ATTR_SZ * 2; - } else if (strcasecmp(anode->field, - "Nameserver") == 0) { - bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP4_DNS); - bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP6_DNS); - attrlen += ISAKMP_ATTR_SZ * 2; - } else if (strcasecmp(anode->field, - "WINS-server") == 0) { - bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP4_NBNS); - bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP6_NBNS); - attrlen += ISAKMP_ATTR_SZ * 2; - } else if (strcasecmp(anode->field, - "DHCP-server") == 0) { - bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP4_DHCP); - bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_IP6_DHCP); - attrlen += ISAKMP_ATTR_SZ * 2; - } else if (strcasecmp(anode->field, - "Lifetime") == 0) { - bit_set(attrbits, ISAKMP_CFG_ATTR_INTERNAL_ADDRESS_EXPIRY); - attrlen += ISAKMP_ATTR_SZ; - } else { - log_print("cfg_initiator_send_ATTR: " - "unknown attribute %.20s in " - "section [%s]", anode->field, - id_string); - } - } - - conf_free_list(alist); - } - } - - if (attrlen == 0) { - /* No data found. */ - log_print("cfg_initiator_send_ATTR: no IKECFG attributes " - "found for [%s]", id_string); - - /* - * We can continue, but this indicates a configuration error - * that the user probably will want to correct. - */ - free(id_string); - return 0; - } - attrlen += ISAKMP_ATTRIBUTE_SZ; - attrp = calloc(1, attrlen); - if (!attrp) { - log_error("cfg_initiator_send_ATTR: calloc (1, %lu) failed", - (unsigned long)attrlen); - goto fail; - } - if (message_add_payload(msg, ISAKMP_PAYLOAD_ATTRIBUTE, attrp, attrlen, - 1)) { - free(attrp); - goto fail; - } - SET_ISAKMP_ATTRIBUTE_TYPE(attrp, ie->cfg_type); - getrandom((u_int8_t *) & ie->cfg_id, sizeof ie->cfg_id); - SET_ISAKMP_ATTRIBUTE_ID(attrp, ie->cfg_id); - - off = ISAKMP_ATTRIBUTE_SZ; - - /* - * Use the bitstring built previously to collect the right - * parameters for attrp. - */ - for (bit = 0; bit < CFG_ATTR_BIT_MAX; bit++) - if (bit_test(attrbits, bit)) { - attr = attrp + off; - SET_ISAKMP_ATTR_TYPE(attr, bit); - - if (ie->cfg_type == ISAKMP_CFG_REQUEST) { - off += ISAKMP_ATTR_SZ; - continue; - } - /* All the other are similar, this is the odd one. */ - if (bit == ISAKMP_CFG_ATTR_INTERNAL_ADDRESS_EXPIRY) { - life = conf_get_num(id_string, "Lifetime", - 1200); - SET_ISAKMP_ATTR_LENGTH_VALUE(attr, 4); - encode_32(attr + ISAKMP_ATTR_VALUE_OFF, life); - off += ISAKMP_ATTR_SZ + 4; - continue; - } - switch (bit) { - case ISAKMP_CFG_ATTR_INTERNAL_IP4_ADDRESS: - case ISAKMP_CFG_ATTR_INTERNAL_IP4_NETMASK: - case ISAKMP_CFG_ATTR_INTERNAL_IP4_DNS: - case ISAKMP_CFG_ATTR_INTERNAL_IP4_DHCP: - case ISAKMP_CFG_ATTR_INTERNAL_IP4_NBNS: - length = 4; - break; - - case ISAKMP_CFG_ATTR_INTERNAL_IP6_ADDRESS: - case ISAKMP_CFG_ATTR_INTERNAL_IP6_NETMASK: - case ISAKMP_CFG_ATTR_INTERNAL_IP6_DNS: - case ISAKMP_CFG_ATTR_INTERNAL_IP6_DHCP: - case ISAKMP_CFG_ATTR_INTERNAL_IP6_NBNS: - length = 16; - break; - - default: - length = 0; /* Silence gcc. */ - } - - switch (bit) { - case ISAKMP_CFG_ATTR_INTERNAL_IP4_ADDRESS: - case ISAKMP_CFG_ATTR_INTERNAL_IP6_ADDRESS: - field = "Address"; - break; - case ISAKMP_CFG_ATTR_INTERNAL_IP4_NETMASK: - case ISAKMP_CFG_ATTR_INTERNAL_IP6_NETMASK: - field = "Netmask"; - break; - case ISAKMP_CFG_ATTR_INTERNAL_IP4_DNS: - case ISAKMP_CFG_ATTR_INTERNAL_IP6_DNS: - field = "Nameserver"; - break; - case ISAKMP_CFG_ATTR_INTERNAL_IP4_DHCP: - case ISAKMP_CFG_ATTR_INTERNAL_IP6_DHCP: - field = "DHCP-server"; - break; - case ISAKMP_CFG_ATTR_INTERNAL_IP4_NBNS: - case ISAKMP_CFG_ATTR_INTERNAL_IP6_NBNS: - field = "WINS-server"; - break; - default: - field = 0; /* Silence gcc. */ - } - - sa = conf_get_address(id_string, field); - - SET_ISAKMP_ATTR_LENGTH_VALUE(attr, length); - memcpy(attr + ISAKMP_ATTR_VALUE_OFF, - sockaddr_addrdata(sa), length); - - free(sa); - - off += ISAKMP_ATTR_SZ + length; - } - if (msg->exchange->phase == 2) - if (cfg_finalize_hash(msg, hashp, attrp, attrlen)) - goto fail; - - return 0; - -fail: - if (id_string) - free(id_string); - return -1; -} - -/* - * As "the server", this ends SET/ACK. - * As "the client", this ends REQ/REPLY. - */ -static int -cfg_initiator_recv_ATTR(struct message *msg) -{ - struct payload *attrp = payload_first(msg, ISAKMP_PAYLOAD_ATTRIBUTE); - struct ipsec_exch *ie = msg->exchange->data; - struct sa *isakmp_sa = msg->isakmp_sa; - struct isakmp_cfg_attr *attr; - struct sockaddr *sa; - const char *uk_addr = "<unknown>"; - char *addr; - - if (msg->exchange->phase == 2) - if (cfg_verify_hash(msg)) - return -1; - - /* Sanity. */ - if (ie->cfg_id != GET_ISAKMP_ATTRIBUTE_ID(attrp->p)) { - log_print("cfg_initiator_recv_ATTR: " - "cfg packet ID does not match!"); - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0); - return -1; - } - switch (attrp->p[ISAKMP_ATTRIBUTE_TYPE_OFF]) { - case ISAKMP_CFG_ACK: - if (ie->cfg_type != ISAKMP_CFG_SET) { - log_print("cfg_initiator_recv_ATTR: " - "bad packet type ACK"); - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, - 0, 1, 0); - return -1; - } - break; - case ISAKMP_CFG_REPLY: - if (ie->cfg_type != ISAKMP_CFG_REQUEST) { - log_print("cfg_initiator_recv_ATTR: " - "bad packet type REPLY"); - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, - 0, 1, 0); - return -1; - } - break; - - default: - log_print("cfg_initiator_recv_ATTR: unexpected configuration " - "message type %d", attrp->p[ISAKMP_ATTRIBUTE_TYPE_OFF]); - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0); - return -1; - } - - attribute_map(attrp->p + ISAKMP_ATTRIBUTE_ATTRS_OFF, - GET_ISAKMP_GEN_LENGTH(attrp->p) - ISAKMP_TRANSFORM_SA_ATTRS_OFF, - cfg_decode_attribute, ie); - - switch (ie->cfg_type) { - case ISAKMP_CFG_ACK: { - /* SET/ACK -- Server side (ACK from client) */ - msg->transport->vtbl->get_src(isakmp_sa->transport, - &sa); - if (sockaddr2text(sa, &addr, 0) < 0) - addr = (char *) uk_addr; - - for (attr = LIST_FIRST(&ie->attrs); attr; - attr = LIST_NEXT(attr, link)) - LOG_DBG((LOG_NEGOTIATION, 50, - "cfg_initiator_recv_ATTR: " - "client %s ACKs attribute %s", addr, - constant_name(isakmp_cfg_attr_cst, - attr->type))); - - if (addr != uk_addr) - free(addr); - } - break; - - case ISAKMP_CFG_REPLY: { - /* - * REQ/REPLY: effect attributes we've gotten - * responses on. - */ - msg->transport->vtbl->get_src(isakmp_sa->transport, - &sa); - if (sockaddr2text(sa, &addr, 0) < 0) - addr = (char *) uk_addr; - - for (attr = LIST_FIRST(&ie->attrs); attr; - attr = LIST_NEXT(attr, link)) - LOG_DBG((LOG_NEGOTIATION, 50, - "cfg_initiator_recv_ATTR: " - "server %s replied with attribute %s", - addr, constant_name(isakmp_cfg_attr_cst, - attr->type))); - - if (addr != uk_addr) - free(addr); - } - break; - - default: - break; - } - - attrp->flags |= PL_MARK; - return 0; -} - -/* - * As "the server", this starts REQ/REPLY (initiated by the client). - * As "the client", this starts SET/ACK (initiated by the server). - */ -static int -cfg_responder_recv_ATTR(struct message *msg) -{ - struct payload *attrp = payload_first(msg, ISAKMP_PAYLOAD_ATTRIBUTE); - struct ipsec_exch *ie = msg->exchange->data; - struct sa *isakmp_sa = msg->isakmp_sa; - struct isakmp_cfg_attr *attr; - struct sockaddr *sa; - char *addr; - - if (msg->exchange->phase == 2) - if (cfg_verify_hash(msg)) - return -1; - - ie->cfg_id = GET_ISAKMP_ATTRIBUTE_ID(attrp->p); - ie->cfg_type = attrp->p[ISAKMP_ATTRIBUTE_TYPE_OFF]; - - switch (ie->cfg_type) { - case ISAKMP_CFG_REQUEST: - case ISAKMP_CFG_SET: - break; - - default: - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0); - log_print("cfg_responder_recv_ATTR: " - "unexpected configuration message type %d", ie->cfg_type); - return -1; - } - - attribute_map(attrp->p + ISAKMP_ATTRIBUTE_ATTRS_OFF, - GET_ISAKMP_GEN_LENGTH(attrp->p) - ISAKMP_TRANSFORM_SA_ATTRS_OFF, - cfg_decode_attribute, ie); - - switch (ie->cfg_type) { - case ISAKMP_CFG_REQUEST: - /* We're done. */ - break; - - case ISAKMP_CFG_SET: { - /* SET/ACK -- Client side (SET from server) */ - const char *uk_addr = "<unknown>"; - - msg->transport->vtbl->get_dst(isakmp_sa->transport, - &sa); - if (sockaddr2text(sa, &addr, 0) < 0) - addr = (char *) uk_addr; - - for (attr = LIST_FIRST(&ie->attrs); attr; - attr = LIST_NEXT(attr, link)) - LOG_DBG((LOG_NEGOTIATION, 50, - "cfg_responder_recv_ATTR: " - "server %s asks us to SET attribute %s", - addr, constant_name(isakmp_cfg_attr_cst, - attr->type))); - - /* - * XXX Here's the place to add code to walk through - * XXX each attribute and send them along to dhclient - * XXX or whatever. Each attribute that we act upon - * XXX (such as setting a netmask), should be marked - * XXX like this for us to send the proper ACK - * XXX response: attr->attr_used++; - */ - - if (addr != uk_addr) - free(addr); - } - break; - - default: - break; - } - - attrp->flags |= PL_MARK; - return 0; -} - -/* - * As "the server", this ends REQ/REPLY mode. - * As "the client", this ends SET/ACK mode. - */ -static int -cfg_responder_send_ATTR(struct message *msg) -{ - struct ipsec_exch *ie = msg->exchange->data; - struct sa *isakmp_sa = msg->isakmp_sa; - u_int8_t *hashp = 0, *attrp; - u_int16_t attrlen; - char *id_string; - - if (msg->exchange->phase == 2) { - hashp = cfg_add_hash(msg); - if (!hashp) - return -1; - } - /* We are responder, check isakmp_sa for other side. */ - if (isakmp_sa->initiator ^ (ie->cfg_type == ISAKMP_CFG_REQUEST)) - id_string = ipsec_id_string(isakmp_sa->id_i, - isakmp_sa->id_i_len); - else - id_string = ipsec_id_string(isakmp_sa->id_r, - isakmp_sa->id_r_len); - if (!id_string) { - log_print("cfg_responder_send_ATTR: cannot parse client's ID"); - return -1; - } - if (cfg_encode_attributes(&ie->attrs, (ie->cfg_type == ISAKMP_CFG_SET ? - ISAKMP_CFG_ACK : ISAKMP_CFG_REPLY), ie->cfg_id, id_string, &attrp, - &attrlen)) { - free(id_string); - return -1; - } - free(id_string); - - if (message_add_payload(msg, ISAKMP_PAYLOAD_ATTRIBUTE, attrp, attrlen, - 1)) { - free(attrp); - return -1; - } - if (msg->exchange->phase == 2) - if (cfg_finalize_hash(msg, hashp, attrp, attrlen)) - return -1; - - return 0; -} - -u_int8_t * -cfg_add_hash(struct message *msg) -{ - struct ipsec_sa *isa = msg->isakmp_sa->data; - struct hash *hash = hash_get(isa->hash); - u_int8_t *hashp; - - hashp = malloc(ISAKMP_HASH_SZ + hash->hashsize); - if (!hashp) { - log_error("cfg_add_hash: malloc (%lu) failed", - ISAKMP_HASH_SZ + (unsigned long)hash->hashsize); - return 0; - } - if (message_add_payload(msg, ISAKMP_PAYLOAD_HASH, hashp, - ISAKMP_HASH_SZ + hash->hashsize, 1)) { - free(hashp); - return 0; - } - return hashp; -} - -int -cfg_finalize_hash(struct message *msg, u_int8_t *hashp, u_int8_t *data, - u_int16_t length) -{ - struct ipsec_sa *isa = msg->isakmp_sa->data; - struct prf *prf; - - prf = prf_alloc(isa->prf_type, isa->hash, isa->skeyid_a, - isa->skeyid_len); - if (!prf) - return -1; - - prf->Init(prf->prfctx); - prf->Update(prf->prfctx, msg->exchange->message_id, - ISAKMP_HDR_MESSAGE_ID_LEN); - prf->Update(prf->prfctx, data, length); - prf->Final(hashp + ISAKMP_GEN_SZ, prf->prfctx); - prf_free(prf); - return 0; -} - -int -cfg_verify_hash(struct message *msg) -{ - struct payload *hashp = payload_first(msg, ISAKMP_PAYLOAD_HASH); - struct ipsec_sa *isa = msg->isakmp_sa->data; - struct prf *prf; - u_int8_t *hash, *comp_hash; - size_t hash_len; - - if (!hashp) { - log_print("cfg_verify_hash: phase 2 message missing HASH"); - message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, - 0, 1, 0); - return -1; - } - hash = hashp->p; - hash_len = GET_ISAKMP_GEN_LENGTH(hash); - comp_hash = malloc(hash_len - ISAKMP_GEN_SZ); - if (!comp_hash) { - log_error("cfg_verify_hash: malloc (%lu) failed", - (unsigned long)hash_len - ISAKMP_GEN_SZ); - return -1; - } - /* Verify hash. */ - prf = prf_alloc(isa->prf_type, isa->hash, isa->skeyid_a, - isa->skeyid_len); - if (!prf) { - free(comp_hash); - return -1; - } - prf->Init(prf->prfctx); - prf->Update(prf->prfctx, msg->exchange->message_id, - ISAKMP_HDR_MESSAGE_ID_LEN); - prf->Update(prf->prfctx, hash + hash_len, - msg->iov[0].iov_len - ISAKMP_HDR_SZ - hash_len); - prf->Final(comp_hash, prf->prfctx); - prf_free(prf); - - if (memcmp(hash + ISAKMP_GEN_SZ, comp_hash, hash_len - ISAKMP_GEN_SZ) - != 0) { - message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, - 0, 1, 0); - free(comp_hash); - return -1; - } - free(comp_hash); - - /* Mark the HASH as handled. */ - hashp->flags |= PL_MARK; - - /* Mark message authenticated. */ - msg->flags |= MSG_AUTHENTICATED; - - return 0; -} - -/* - * Decode the attribute of type TYPE with a LEN length value pointed to by - * VALUE. VIE is a pointer to the IPsec exchange context holding the - * attributes indexed by type for easy retrieval. - */ -static int -cfg_decode_attribute(u_int16_t type, u_int8_t * value, u_int16_t len, - void *vie) -{ - struct ipsec_exch *ie = vie; - struct isakmp_cfg_attr *attr; - - if (type >= ISAKMP_CFG_ATTR_PRIVATE_MIN - && type <= ISAKMP_CFG_ATTR_PRIVATE_MAX) - return 0; - if (type == 0 || type >= ISAKMP_CFG_ATTR_FUTURE_MIN) { - LOG_DBG((LOG_NEGOTIATION, 30, - "cfg_decode_attribute: invalid attr type %u", type)); - return -1; - } - attr = calloc(1, sizeof *attr); - if (!attr) { - log_error("cfg_decode_attribute: calloc (1, %lu) failed", - (unsigned long)sizeof *attr); - return -1; - } - attr->type = type; - attr->length = len; - if (len) { - attr->value = malloc(len); - if (!attr->value) { - log_error("cfg_decode_attribute: malloc (%d) failed", - len); - free(attr); - /* Should we also deallocate all other values? */ - return -1; - } - memcpy(attr->value, value, len); - } - LIST_INSERT_HEAD(&ie->attrs, attr, link); - return 0; -} - -/* - * Encode list of attributes from ie->attrs into a attribute payload. - */ -static int -cfg_encode_attributes(struct isakmp_cfg_attr_head *attrs, u_int32_t type, - u_int32_t cfg_id, char *id_string, u_int8_t **attrp, u_int16_t *len) -{ - struct isakmp_cfg_attr *attr; - struct sockaddr *sa; - sa_family_t family; - u_int32_t value; - u_int16_t off; - char *field; - - /* Compute length */ - *len = ISAKMP_ATTRIBUTE_SZ; - for (attr = LIST_FIRST(attrs); attr; attr = LIST_NEXT(attr, link)) { - /* With ACK we only include the attrs we've actually used. */ - if (type == ISAKMP_CFG_ACK && attr->attr_used == 0) - continue; - - switch (attr->type) { - case ISAKMP_CFG_ATTR_INTERNAL_IP4_ADDRESS: - case ISAKMP_CFG_ATTR_INTERNAL_IP4_NETMASK: - case ISAKMP_CFG_ATTR_INTERNAL_IP4_DHCP: - case ISAKMP_CFG_ATTR_INTERNAL_IP4_DNS: - case ISAKMP_CFG_ATTR_INTERNAL_IP4_NBNS: - case ISAKMP_CFG_ATTR_INTERNAL_ADDRESS_EXPIRY: - attr->length = 4; - break; - - case ISAKMP_CFG_ATTR_INTERNAL_IP4_SUBNET: - attr->length = 8; - break; - - case ISAKMP_CFG_ATTR_APPLICATION_VERSION: - /* XXX So far no version identifier of isakmpd here. */ - attr->length = 0; - break; - - case ISAKMP_CFG_ATTR_SUPPORTED_ATTRIBUTES: - attr->length = 2 * 15; - break; - - case ISAKMP_CFG_ATTR_INTERNAL_IP6_ADDRESS: - case ISAKMP_CFG_ATTR_INTERNAL_IP6_NETMASK: - case ISAKMP_CFG_ATTR_INTERNAL_IP6_DHCP: - case ISAKMP_CFG_ATTR_INTERNAL_IP6_DNS: - case ISAKMP_CFG_ATTR_INTERNAL_IP6_NBNS: - attr->length = 16; - break; - - case ISAKMP_CFG_ATTR_INTERNAL_IP6_SUBNET: - attr->length = 17; - break; - - default: - attr->ignore++; - /* XXX Log! */ - } - *len += ISAKMP_ATTR_SZ + attr->length; - } - - /* Allocate enough space for the payload */ - *attrp = calloc(1, *len); - if (!*attrp) { - log_error("cfg_encode_attributes: calloc (1, %lu) failed", - (unsigned long)*len); - return -1; - } - SET_ISAKMP_ATTRIBUTE_TYPE(*attrp, type); - SET_ISAKMP_ATTRIBUTE_ID(*attrp, cfg_id); - - off = ISAKMP_ATTRIBUTE_SZ; - for (attr = LIST_FIRST(attrs); attr; attr = LIST_NEXT(attr, link)) { - /* With ACK we only include the attrs we've actually used. */ - if (type == ISAKMP_CFG_ACK && attr->attr_used == 0) - continue; - - switch (attr->type) { - case ISAKMP_CFG_ATTR_INTERNAL_IP4_ADDRESS: - case ISAKMP_CFG_ATTR_INTERNAL_IP4_NETMASK: - case ISAKMP_CFG_ATTR_INTERNAL_IP4_SUBNET: - case ISAKMP_CFG_ATTR_INTERNAL_IP4_DHCP: - case ISAKMP_CFG_ATTR_INTERNAL_IP4_DNS: - case ISAKMP_CFG_ATTR_INTERNAL_IP4_NBNS: - family = AF_INET; - break; - - case ISAKMP_CFG_ATTR_INTERNAL_IP6_ADDRESS: - case ISAKMP_CFG_ATTR_INTERNAL_IP6_NETMASK: - case ISAKMP_CFG_ATTR_INTERNAL_IP6_SUBNET: - case ISAKMP_CFG_ATTR_INTERNAL_IP6_DHCP: - case ISAKMP_CFG_ATTR_INTERNAL_IP6_DNS: - case ISAKMP_CFG_ATTR_INTERNAL_IP6_NBNS: - family = AF_INET6; - break; - - default: - family = 0; - break; - } - - switch (attr->type) { - case ISAKMP_CFG_ATTR_INTERNAL_IP4_ADDRESS: - case ISAKMP_CFG_ATTR_INTERNAL_IP6_ADDRESS: - field = "Address"; - break; - - case ISAKMP_CFG_ATTR_INTERNAL_IP4_SUBNET: - case ISAKMP_CFG_ATTR_INTERNAL_IP6_SUBNET: - field = "Network"; /* XXX or just "Address" */ - break; - - case ISAKMP_CFG_ATTR_INTERNAL_IP4_NETMASK: - case ISAKMP_CFG_ATTR_INTERNAL_IP6_NETMASK: - field = "Netmask"; - break; - - case ISAKMP_CFG_ATTR_INTERNAL_IP4_DHCP: - case ISAKMP_CFG_ATTR_INTERNAL_IP6_DHCP: - field = "DHCP-server"; - break; - - case ISAKMP_CFG_ATTR_INTERNAL_IP4_DNS: - case ISAKMP_CFG_ATTR_INTERNAL_IP6_DNS: - field = "Nameserver"; - break; - - case ISAKMP_CFG_ATTR_INTERNAL_IP4_NBNS: - case ISAKMP_CFG_ATTR_INTERNAL_IP6_NBNS: - field = "WINS-server"; - break; - - default: - field = 0; - } - - switch (attr->type) { - case ISAKMP_CFG_ATTR_INTERNAL_IP4_ADDRESS: - case ISAKMP_CFG_ATTR_INTERNAL_IP6_ADDRESS: - case ISAKMP_CFG_ATTR_INTERNAL_IP4_NETMASK: - case ISAKMP_CFG_ATTR_INTERNAL_IP6_NETMASK: - case ISAKMP_CFG_ATTR_INTERNAL_IP4_DHCP: - case ISAKMP_CFG_ATTR_INTERNAL_IP6_DHCP: - case ISAKMP_CFG_ATTR_INTERNAL_IP4_DNS: - case ISAKMP_CFG_ATTR_INTERNAL_IP6_DNS: - case ISAKMP_CFG_ATTR_INTERNAL_IP4_NBNS: - case ISAKMP_CFG_ATTR_INTERNAL_IP6_NBNS: - sa = conf_get_address(id_string, field); - if (!sa) { - LOG_DBG((LOG_NEGOTIATION, 10, - "cfg_responder_send_ATTR: " - "attribute not found: %s", field)); - attr->length = 0; - break; - } - if (sa->sa_family != family) { - log_print("cfg_responder_send_ATTR: " - "attribute %s - expected %s got %s data", - field, - (family == AF_INET ? "IPv4" : "IPv6"), - (sa->sa_family == - AF_INET ? "IPv4" : "IPv6")); - free(sa); - attr->length = 0; - break; - } - /* Temporary limit length for the _SUBNET types. */ - if (attr->type == ISAKMP_CFG_ATTR_INTERNAL_IP4_SUBNET) - attr->length = 4; - else if (attr->type == - ISAKMP_CFG_ATTR_INTERNAL_IP6_SUBNET) - attr->length = 16; - - memcpy(*attrp + off + ISAKMP_ATTR_VALUE_OFF, - sockaddr_addrdata(sa), attr->length); - free(sa); - - /* _SUBNET types need some extra work. */ - if (attr->type == - ISAKMP_CFG_ATTR_INTERNAL_IP4_SUBNET) { - sa = conf_get_address(id_string, "Netmask"); - if (!sa) { - LOG_DBG((LOG_NEGOTIATION, 10, - "cfg_responder_send_ATTR: " - "attribute not found: Netmask")); - attr->length = 0; - break; - } - if (sa->sa_family != AF_INET) { - log_print("cfg_responder_send_ATTR: " - "attribute Netmask - expected " - "IPv4 got IPv6 data"); - free(sa); - attr->length = 0; - break; - } - memcpy(*attrp + off + ISAKMP_ATTR_VALUE_OFF + - attr->length, sockaddr_addrdata(sa), - attr->length); - attr->length = 8; - free(sa); - } else if (attr->type == - ISAKMP_CFG_ATTR_INTERNAL_IP6_SUBNET) { - int prefix = conf_get_num(id_string, "Prefix", - -1); - - if (prefix == -1) { - log_print("cfg_responder_send_ATTR: " - "attribute not found: Prefix"); - attr->length = 0; - break; - } else if (prefix < -1 || prefix > 128) { - log_print("cfg_responder_send_ATTR: " - "attribute Prefix - invalid " - "value %d", prefix); - attr->length = 0; - break; - } - *(*attrp + off + ISAKMP_ATTR_VALUE_OFF + 16) = - (u_int8_t)prefix; - attr->length = 17; - } - break; - - case ISAKMP_CFG_ATTR_INTERNAL_ADDRESS_EXPIRY: - value = conf_get_num(id_string, "Lifetime", 1200); - encode_32(*attrp + off + ISAKMP_ATTR_VALUE_OFF, value); - break; - - case ISAKMP_CFG_ATTR_APPLICATION_VERSION: - /* XXX So far no version identifier of isakmpd here. */ - break; - - case ISAKMP_CFG_ATTR_SUPPORTED_ATTRIBUTES: - break; - - default: - break; - } - - SET_ISAKMP_ATTR_TYPE(*attrp + off, attr->type); - SET_ISAKMP_ATTR_LENGTH_VALUE(*attrp + off, attr->length); - off += ISAKMP_ATTR_VALUE_OFF + attr->length; - } - - return 0; -} diff --git a/keyexchange/isakmpd-20041012/isakmp_cfg.h b/keyexchange/isakmpd-20041012/isakmp_cfg.h deleted file mode 100644 index 169fa29..0000000 --- a/keyexchange/isakmpd-20041012/isakmp_cfg.h +++ /dev/null @@ -1,53 +0,0 @@ -/* $OpenBSD: isakmp_cfg.h,v 1.5 2004/05/23 18:17:56 hshoexer Exp $ */ - -/* - * Copyright (c) 2001 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Gatespace - * (http://www.gatespace.com/). - */ - -#ifndef _ISAKMP_CFG_H_ -#define _ISAKMP_CFG_H_ - -#include <sys/queue.h> - -struct isakmp_cfg_attr { - LIST_ENTRY(isakmp_cfg_attr) link; - u_int16_t type; - u_int8_t attr_used; - /* 8 bits just to be well-aligned. */ - u_int8_t ignore; - size_t length; - void *value; -}; - -struct message; - -extern int (*isakmp_cfg_initiator[])(struct message *); -extern int (*isakmp_cfg_responder[])(struct message *); -extern int16_t script_transaction[]; - -#endif /* _ISAKMP_CFG_H_ */ diff --git a/keyexchange/isakmpd-20041012/isakmp_doi.c b/keyexchange/isakmpd-20041012/isakmp_doi.c deleted file mode 100644 index 2fc8c1d..0000000 --- a/keyexchange/isakmpd-20041012/isakmp_doi.c +++ /dev/null @@ -1,264 +0,0 @@ -/* $OpenBSD: isakmp_doi.c,v 1.22 2004/06/20 17:17:35 ho Exp $ */ -/* $EOM: isakmp_doi.c,v 1.42 2000/09/12 16:29:41 ho Exp $ */ - -/* - * Copyright (c) 1998, 1999, 2001 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -/* - * XXX This DOI is very fuzzily defined, and should perhaps be short-circuited - * to the IPsec DOI instead. At the moment I will have it as its own DOI, - * as the ISAKMP architecture seems to imply it should be done like this. - */ - -#include <sys/types.h> - -#include "sysdep.h" - -#include "doi.h" -#include "exchange.h" -#include "isakmp.h" -#include "isakmp_doi.h" -#include "ipsec.h" -#include "log.h" -#include "message.h" -#include "sa.h" -#include "util.h" - -#ifdef USE_DEBUG -static int isakmp_debug_attribute(u_int16_t, u_int8_t *, u_int16_t, - void *); -#endif -static void isakmp_finalize_exchange(struct message *); -static struct keystate *isakmp_get_keystate(struct message *); -static int isakmp_initiator(struct message *); -static int isakmp_responder(struct message *); -static void isakmp_setup_situation(u_int8_t *); -static size_t isakmp_situation_size(void); -static u_int8_t isakmp_spi_size(u_int8_t); -static int isakmp_validate_attribute(u_int16_t, u_int8_t *, u_int16_t, - void *); -static int isakmp_validate_exchange(u_int8_t); -static int isakmp_validate_id_information(u_int8_t, u_int8_t *, - u_int8_t *, size_t, struct exchange *); -static int isakmp_validate_key_information(u_int8_t *, size_t); -static int isakmp_validate_notification(u_int16_t); -static int isakmp_validate_proto(u_int8_t); -static int isakmp_validate_situation(u_int8_t *, size_t *, size_t); -static int isakmp_validate_transform_id(u_int8_t, u_int8_t); - -static struct doi isakmp_doi = { - {0}, ISAKMP_DOI_ISAKMP, 0, 0, 0, -#ifdef USE_DEBUG - isakmp_debug_attribute, -#endif - 0, /* delete_spi not needed. */ - 0, /* exchange_script not needed. */ - isakmp_finalize_exchange, - 0, /* free_exchange_data not needed. */ - 0, /* free_proto_data not needed. */ - 0, /* free_sa_data not needed. */ - isakmp_get_keystate, - 0, /* get_spi not needed. */ - 0, /* handle_leftover_payload not needed. */ - 0, /* informational_post_hook not needed. */ - 0, /* informational_pre_hook not needed. */ - 0, /* XXX need maybe be filled-in. */ - 0, /* proto_init not needed. */ - isakmp_setup_situation, - isakmp_situation_size, - isakmp_spi_size, - isakmp_validate_attribute, - isakmp_validate_exchange, - isakmp_validate_id_information, - isakmp_validate_key_information, - isakmp_validate_notification, - isakmp_validate_proto, - isakmp_validate_situation, - isakmp_validate_transform_id, - isakmp_initiator, - isakmp_responder, -#ifdef USE_DEBUG - ipsec_decode_ids -#endif -}; - -/* Requires doi_init to already have been called. */ -void -isakmp_doi_init(void) -{ - doi_register(&isakmp_doi); -} - -#ifdef USE_DEBUG -int -isakmp_debug_attribute(u_int16_t type, u_int8_t *value, u_int16_t len, - void *vmsg) -{ - /* XXX Not implemented yet. */ - return 0; -} -#endif /* USE_DEBUG */ - -static void -isakmp_finalize_exchange(struct message *msg) -{ -} - -static struct keystate * -isakmp_get_keystate(struct message *msg) -{ - return 0; -} - -static void -isakmp_setup_situation(u_int8_t *buf) -{ - /* Nothing to do. */ -} - -static size_t -isakmp_situation_size(void) -{ - return 0; -} - -static u_int8_t -isakmp_spi_size(u_int8_t proto) -{ - /* One way to specify ISAKMP SPIs is to say they're zero-sized. */ - return 0; -} - -static int -isakmp_validate_attribute(u_int16_t type, u_int8_t *value, u_int16_t len, - void *vmsg) -{ - /* XXX Not implemented yet. */ - return -1; -} - -static int -isakmp_validate_exchange(u_int8_t exch) -{ - /* If we get here the exchange is invalid. */ - return -1; -} - -static int -isakmp_validate_id_information(u_int8_t type, u_int8_t *extra, u_int8_t *buf, - size_t sz, struct exchange *exchange) -{ - return zero_test(extra, ISAKMP_ID_DOI_DATA_LEN); -} - -static int -isakmp_validate_key_information(u_int8_t *buf, size_t sz) -{ - /* Nothing to do. */ - return 0; -} - -static int -isakmp_validate_notification(u_int16_t type) -{ - /* If we get here the message type is invalid. */ - return -1; -} - -static int -isakmp_validate_proto(u_int8_t proto) -{ - /* If we get here the protocol is invalid. */ - return -1; -} - -static int -isakmp_validate_situation(u_int8_t *buf, size_t *sz, size_t len) -{ - /* There are no situations in the ISAKMP DOI. */ - *sz = 0; - return 0; -} - -static int -isakmp_validate_transform_id(u_int8_t proto, u_int8_t transform_id) -{ - /* XXX Not yet implemented. */ - return -1; -} - -static int -isakmp_initiator(struct message *msg) -{ - if (msg->exchange->type != ISAKMP_EXCH_INFO) { - log_print("isakmp_initiator: unsupported exchange type %d " - "in phase %d", msg->exchange->type, msg->exchange->phase); - return -1; - } - return message_send_info(msg); -} - -static int -isakmp_responder(struct message *msg) -{ - struct payload *p; - - switch (msg->exchange->type) { - case ISAKMP_EXCH_INFO: - for (p = payload_first(msg, ISAKMP_PAYLOAD_NOTIFY); p; - p = TAILQ_NEXT(p, link)) { - LOG_DBG((LOG_EXCHANGE, 10, "isakmp_responder: " - "got NOTIFY of type %s, ignoring", - constant_name(isakmp_notify_cst, - GET_ISAKMP_NOTIFY_MSG_TYPE(p->p)))); - p->flags |= PL_MARK; - } - - for (p = payload_first(msg, ISAKMP_PAYLOAD_DELETE); p; - p = TAILQ_NEXT(p, link)) { - LOG_DBG((LOG_EXCHANGE, 10, - "isakmp_responder: got DELETE, ignoring")); - p->flags |= PL_MARK; - } - return 0; - -#ifdef USE_ISAKMP_CFG - case ISAKMP_EXCH_TRANSACTION: - /* return 0 isakmp_cfg_responder (msg); */ -#endif /* USE_ISAKMP_CFG */ - - default: - /* XXX So far we don't accept any proposals. */ - if (payload_first(msg, ISAKMP_PAYLOAD_SA)) { - message_drop(msg, ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, - 0, 1, 0); - return -1; - } - } - return 0; -} diff --git a/keyexchange/isakmpd-20041012/isakmp_doi.h b/keyexchange/isakmpd-20041012/isakmp_doi.h deleted file mode 100644 index 13a485b..0000000 --- a/keyexchange/isakmpd-20041012/isakmp_doi.h +++ /dev/null @@ -1,37 +0,0 @@ -/* $OpenBSD: isakmp_doi.h,v 1.5 2004/04/15 18:39:26 deraadt Exp $ */ -/* $EOM: isakmp_doi.h,v 1.1 1998/07/07 23:20:29 niklas Exp $ */ - -/* - * Copyright (c) 1998 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _ISAKMP_DOI_H_ -#define _ISAKMP_DOI_H_ - -extern void isakmp_doi_init(void); - -#endif /* _ISAKMP_DOI_H_ */ diff --git a/keyexchange/isakmpd-20041012/isakmp_fld.fld b/keyexchange/isakmpd-20041012/isakmp_fld.fld deleted file mode 100644 index 05eeda9..0000000 --- a/keyexchange/isakmpd-20041012/isakmp_fld.fld +++ /dev/null @@ -1,164 +0,0 @@ -# $OpenBSD: isakmp_fld.fld,v 1.8 2004/06/20 15:24:05 ho Exp $ -# $EOM: isakmp_fld.fld,v 1.5 1999/04/25 13:38:22 niklas Exp $ - -# -# Copyright (c) 1998, 2001 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Ericsson Radio Systems. -# - -# XXX There are num-declared fields below that really are csts. - -# The ISAKMP message header. -ISAKMP_HDR -# XXX I want a way to specify COOKIES as an overlay of ICOOKIE + RCOOKIE - ICOOKIE raw 8 - RCOOKIE raw 8 - NEXT_PAYLOAD cst 1 isakmp_payload_cst - VERSION num 1 - EXCH_TYPE cst 1 ike_exch_cst,isakmp_exch_cst - FLAGS mask 1 isakmp_flags_cst - MESSAGE_ID raw 4 - LENGTH num 4 -. - -# Generic payload header. -ISAKMP_GEN - NEXT_PAYLOAD cst 1 isakmp_payload_cst - RESERVED ign 1 - LENGTH num 2 -. - -# ISAKMP data attributes -ISAKMP_ATTR - TYPE num 2 ike_attr_cst,ipsec_attr_cst - LENGTH_VALUE num 2 - VALUE raw -. - -# Security association payload. -ISAKMP_SA : ISAKMP_GEN - DOI num 4 isakmp_doi_cst,ipsec_doi_cst - SIT raw -. - -# Proposal payload. -ISAKMP_PROP : ISAKMP_GEN - NO num 1 - PROTO cst 1 isakmp_proto_cst,ipsec_proto_cst - SPI_SZ num 1 - NTRANSFORMS num 1 - SPI raw -. - -# Transform payload. -ISAKMP_TRANSFORM : ISAKMP_GEN - NO num 1 - ID num 1 - RESERVED ign 2 - SA_ATTRS raw -. - -# Key exchange payload. -ISAKMP_KE : ISAKMP_GEN - DATA raw -. - -# Identification payload. -ISAKMP_ID : ISAKMP_GEN - TYPE num 1 - DOI_DATA raw 3 - DATA raw -. - -# Certificate payload. -ISAKMP_CERT : ISAKMP_GEN - ENCODING cst 1 isakmp_certenc_cst - DATA raw -. - -# Certificate request payload. -ISAKMP_CERTREQ : ISAKMP_GEN - TYPE cst 1 isakmp_certenc_cst - AUTHORITY raw -. - -# Hash payload. -ISAKMP_HASH : ISAKMP_GEN - DATA raw -. - -# Signature payload. -ISAKMP_SIG : ISAKMP_GEN - DATA raw -. - -# Nonce payload. -ISAKMP_NONCE : ISAKMP_GEN - DATA raw -. - -# Notify payload. -ISAKMP_NOTIFY : ISAKMP_GEN - DOI cst 4 isakmp_doi_cst,ipsec_doi_cst - PROTO cst 1 isakmp_proto_cst - SPI_SZ num 1 - MSG_TYPE cst 2 isakmp_notify_cst,ipsec_notify_cst - SPI raw -. - -# Delete payload. -ISAKMP_DELETE : ISAKMP_GEN - DOI cst 4 isakmp_doi_cst,ipsec_doi_cst - PROTO cst 1 isakmp_proto_cst - SPI_SZ num 1 - NSPIS num 2 - SPI raw -. - -# Vendor ID payload. -ISAKMP_VENDOR : ISAKMP_GEN - ID raw -. - -# Attribute payload. -ISAKMP_ATTRIBUTE : ISAKMP_GEN - TYPE num 1 isakmp_cfg_cst - RESERVED ign 1 - ID num 2 - ATTRS raw -. - -# NAT Discovery payload. -ISAKMP_NAT_D : ISAKMP_GEN - DATA raw -. - -# NAT Original Address payload. -ISAKMP_NAT_OA : ISAKMP_GEN - TYPE num 1 - RESERVED ign 3 - DATA raw -. diff --git a/keyexchange/isakmpd-20041012/isakmp_num.cst b/keyexchange/isakmpd-20041012/isakmp_num.cst deleted file mode 100644 index d96d923..0000000 --- a/keyexchange/isakmpd-20041012/isakmp_num.cst +++ /dev/null @@ -1,264 +0,0 @@ -# $OpenBSD: isakmp_num.cst,v 1.10 2004/08/10 15:59:10 ho Exp $ -# $EOM: isakmp_num.cst,v 1.3 2000/05/17 03:09:50 angelos Exp $ - -# -# Copyright (c) 1998, 2001 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Ericsson Radio Systems. -# - -# XXX Please fill in references to the drafts, chapter & verse for each -# constant group below. -# Also think about ranges, can they be specified differently? Can we use -# these constants for validity checks? - -# ISAKMP payload type. -ISAKMP_PAYLOAD - NONE 0 - SA 1 - PROPOSAL 2 - TRANSFORM 3 - KEY_EXCH 4 - ID 5 - CERT 6 - CERT_REQ 7 - HASH 8 - SIG 9 - NONCE 10 - NOTIFY 11 - DELETE 12 - VENDOR 13 -# XXX the following are not quite legitimate according to the IETF process - ATTRIBUTE 14 # IKE Mode-Config attribute - SAK 15 # RFC 3547, SA KEK Payload - SAT 16 # RFC 3547, SA TEK Payload - KD 17 # RFC 3547, Key Download - SEQ 18 # RFC 3547, Sequence Number - POP 19 # RFC 3547, Proof of possession - NAT_D 20 # RFC 3947, NAT Discovery payload - NAT_OA 21 # RFC 3947, NAT Original Address payload - RESERVED_MIN 22 - RESERVED_MAX 127 - PRIVATE_MIN 128 -# XXX values from draft-ietf-ipsec-nat-t-ike-01,02,03. Later drafts specify -# XXX NAT_D as payload 15 and NAT_OA as 16, but these are allocated by RFC -# XXX 3547 as seen above. - NAT_D_DRAFT 130 # NAT Discovery payload - NAT_OA_DRAFT 131 # NAT Original Address payload - PRIVATE_MAX 255 - MAX 255 -. - -# ISAKMP exchange types. -ISAKMP_EXCH - NONE 0 - BASE 1 - ID_PROT 2 - AUTH_ONLY 3 - AGGRESSIVE 4 - INFO 5 -# XXX the following are not quite legitimate according to the IETF process - TRANSACTION 6 - FUTURE_MIN 7 - FUTURE_MAX 31 - DOI_MIN 32 - DOI_MAX 255 -. - -# ISAKMP flags. -ISAKMP_FLAGS - ENC 1 - COMMIT 2 - AUTH_ONLY 4 -. - -# ISAKMP certificate encoding. -ISAKMP_CERTENC - NONE 0 - PKCS 1 - PGP 2 - DNS 3 - X509_SIG 4 - X509_KE 5 - KERBEROS 6 - CRL 7 - ARL 8 - SPKI 9 - X509_ATTR 10 - KEYNOTE 11 - HASH_URL_PKIX_CERT 12 - HASH_URL_PKIX_BUNDLE 13 - RESERVED_MIN 14 - RESERVED_MAX 255 -. - -# ISAKMP Notify message types. -ISAKMP_NOTIFY - INVALID_PAYLOAD_TYPE 1 - DOI_NOT_SUPPORTED 2 - SITUATION_NOT_SUPPORTED 3 - INVALID_COOKIE 4 - INVALID_MAJOR_VERSION 5 - INVALID_MINOR_VERSION 6 - INVALID_EXCHANGE_TYPE 7 - INVALID_FLAGS 8 - INVALID_MESSAGE_ID 9 - INVALID_PROTOCOL_ID 10 - INVALID_SPI 11 - INVALID_TRANSFORM_ID 12 - ATTRIBUTES_NOT_SUPPORTED 13 - NO_PROPOSAL_CHOSEN 14 - BAD_PROPOSAL_SYNTAX 15 - PAYLOAD_MALFORMED 16 - INVALID_KEY_INFORMATION 17 - INVALID_ID_INFORMATION 18 - INVALID_CERT_ENCODING 19 - INVALID_CERTIFICATE 20 - CERT_TYPE_UNSUPPORTED 21 - INVALID_CERT_AUTHORITY 22 - INVALID_HASH_INFORMATION 23 - AUTHENTICATION_FAILED 24 - INVALID_SIGNATURE 25 - ADDRESS_NOTIFICATION 26 - NOTIFY_SA_LIFETIME 27 - CERTIFICATE_UNAVAILABLE 28 - UNSUPPORTED_EXCHANGE_TYPE 29 - UNEQUAL_PAYLOAD_LENGTHS 30 - RESERVED_MIN 31 - RESERVED_MAX 8191 - PRIVATE_MIN 8192 - PRIVATE_MAX 16383 - STATUS_CONNECTED 16384 - STATUS_RESERVED1_MIN 16385 - STATUS_RESERVED1_MAX 24575 - STATUS_DOI_MIN 24576 - STATUS_DOI_MAX 32767 - STATUS_PRIVATE_MIN 32768 - STATUS_DPD_R_U_THERE 36136 - STATUS_DPD_R_U_THERE_ACK 36137 - STATUS_PRIVATE_MAX 40959 - STATUS_RESERVED2_MIN 40960 - STATUS_RESERVED2_MAX 65535 -. - -# ISAKMP V2 Notify payload types -ISAKMP_V2_NOTIFY - UNSUPPORTED_CRITICAL_PAYLOAD 1 - INVALID_IKE_SPI 4 - INVALID_MAJOR_VERSION 5 - INVALID_SYNTAX 7 - INVALID_MESSAGE_ID 9 - INVALID_SPI 11 - NO_PROPOSAL_CHOSEN 14 - AUTHENTICATION_FAILED 24 - SINGLE_PAIR_REQUIRED 34 - NO_ADDITIONAL_SAS 35 - INTERNAL_ADDRESS_FAILURE 36 - FAILED_CP_REQUIRED 37 - TS_UNACCEPTABLE 38 - RESERVED_MIN 39 - RESERVED_MAX 8191 - PRIVATE_MIN 8192 - PRIVATE_MAX 16383 - STATUS_RESERVED1_MIN 16384 - STATUS_RESERVED1_MAX 24577 - STATUS_INITIAL_CONTACT 24578 - STATUS_SET_WINDOW_SIZE 24579 - STATUS_ADDITIONAL_IS_POSSIBLE 24580 - STATUS_IPCOMP_SUPPORTED 24581 - STATUS_NAT_DETECTION_SOURCE_IP 24582 - STATUS_NAT_DETECTION_DESTINATION_IP 24583 - STATUS_COOKIE 24584 - STATUS_USE_TRANSPORT_MODE 24585 - STATUS_HTTP_CERT_LOOKUP_SUPPORTED 24586 - STATUS_RESERVED2_MIN 24587 - STATUS_RESERVED2_MAX 40959 - STATUS_PRIVATE_MIN 40960 - STATUS_PRIVATE_MAX 65535 -. - -# ISAKMP DOI Identifier. -ISAKMP_DOI - ISAKMP 0 -. - -# ISAKMP Protocol ID. -ISAKMP_PROTO - ISAKMP 1 -. - -# ISAKMP transaction message type. -ISAKMP_CFG - REQUEST 1 - REPLY 2 - SET 3 - ACK 4 - FUTURE_MIN 5 - FUTURE_MAX 127 - PRIVATE_MIN 128 - PRIVATE_MAX 255 -. - -# ISAKMP configuration attributes. -ISAKMP_CFG_ATTR - INTERNAL_IP4_ADDRESS 1 - INTERNAL_IP4_NETMASK 2 - INTERNAL_IP4_DNS 3 - INTERNAL_IP4_NBNS 4 - INTERNAL_ADDRESS_EXPIRY 5 - INTERNAL_IP4_DHCP 6 - APPLICATION_VERSION 7 - INTERNAL_IP6_ADDRESS 8 - INTERNAL_IP6_NETMASK 9 - INTERNAL_IP6_DNS 10 - INTERNAL_IP6_NBNS 11 - INTERNAL_IP6_DHCP 12 - INTERNAL_IP4_SUBNET 13 - SUPPORTED_ATTRIBUTES 14 - INTERNAL_IP6_SUBNET 15 - FUTURE_MIN 16 - FUTURE_MAX 16383 - PRIVATE_MIN 16384 - PRIVATE_MAX 32767 -. - -# ISAKMP EAP -ISAKMP_EAP_CODE - REQUEST 1 - RESPONSE 2 - SUCCESS 3 - FAILURE 4 -. - -# ISAKMP EAP Types (RFC2284) -ISAKMP_EAP_TYPE - IDENTITY 1 - NOTIFICATION 2 - NAK 3 # Response only - MD5_CHALLENGE 4 - OTP 5 - TOKEN 6 # Generic token card -. - diff --git a/keyexchange/isakmpd-20041012/isakmpd.8 b/keyexchange/isakmpd-20041012/isakmpd.8 deleted file mode 100644 index e7f6987..0000000 --- a/keyexchange/isakmpd-20041012/isakmpd.8 +++ /dev/null @@ -1,603 +0,0 @@ -.\" $OpenBSD: isakmpd.8,v 1.65 2004/07/08 10:37:12 jmc Exp $ -.\" $EOM: isakmpd.8,v 1.23 2000/05/02 00:30:23 niklas Exp $ -.\" -.\" Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. -.\" All rights reserved. -.\" Copyright (c) 1999 Angelos D. Keromytis. All rights reserved. -.\" Copyright (c) 2001, 2002 Håkan Olsson. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.\" This code was written under funding by Ericsson Radio Systems. -.\" -.\" Manual page, using -mandoc macros -.\" -.Dd August 07, 2002 -.Dt ISAKMPD 8 -.Os -.Sh NAME -.Nm isakmpd -.Nd ISAKMP/Oakley a.k.a. IKE key management daemon -.Sh SYNOPSIS -.Nm isakmpd -.Bk -words -.Op Fl 4 -.Op Fl 6 -.Op Fl c Ar config-file -.Op Fl a -.Op Fl d -.Op Fl D Ar class=level -.Op Fl f Ar fifo -.Op Fl i Ar pid-file -.Op Fl n -.Op Fl p Ar listen-port -.Op Fl P Ar local-port -.Op Fl K -.Op Fl L -.Op Fl l Ar packetlog-file -.Op Fl r Ar seed -.Op Fl R Ar report-file -.Op Fl v -.Ek -.Sh DESCRIPTION -The -.Nm -daemon establishes security associations for encrypted -and/or authenticated network traffic. -At this moment, and probably forever, this means -.Xr ipsec 4 -traffic. -.Pp -The way -.Nm -goes about its work is by maintaining an internal configuration -as well as a policy database which describes what kinds of SAs to negotiate, -and by listening for different events that trigger these negotiations. -The events that control -.Nm -consist of negotiation initiations from a remote party, user input via -a FIFO or by signals, upcalls from the kernel via a -.Dv PF_KEY -socket, and lastly by scheduled events triggered by timers running out. -.Pp -Most uses of -.Nm -will be to implement so called "virtual private -networks" or VPNs for short. -The -.Xr vpn 8 -manual page describes how to set up -.Nm -for a simple VPN. -For other uses, some more knowledge of IKE as a protocol is required. -One source of information are the RFCs mentioned below. -.Pp -On startup -.Nm -forks into two processes for privilege separation. -The unprivileged child jails itself with -.Xr chroot 8 -to -.Pa /var/empty . -The privileged process communicates with the child, reads configuration files -and PKI information and binds to privileged ports on its behalf. -See -.Sx CAVEATS -section below. -.Pp -The options are as follows: -.Bl -tag -width Ds -.It Fl 4 | Fl 6 -These options control what address family -.Pf ( Dv AF_INET -and/or -.Dv AF_INET6 ) -.Nm -will use. -The default is to use both IPv4 and IPv6. -.It Fl a -If given, -.Nm -does not set up flows automatically. -This is useful when flows are configured with -.Xr ipsecadm 4 -or by other programs like -.Xr bgpd 8 . -Thus -.Nm -only takes care of the SA establishment. -.It Fl c Ar config-file -If given, the -.Fl c -option specifies an alternate configuration file instead of -.Pa /etc/isakmpd/isakmpd.conf . -As this file may contain sensitive information, it must be readable -only by the user running the daemon. -.Nm -will reread the configuration file when sent a -.Dv SIGHUP -signal. -.It Fl d -The -.Fl d -option is used to make the daemon run in the foreground, logging to stderr. -.It Xo Fl D -.Ar class Ns = Ns Ar level -.Xc -Debugging class. -It's possible to specify this argument many times. -It takes a parameter of the form -.Ar class Ns = Ns Ar level , -where both -.Ar class -and -.Ar level -are numbers. -.Ar class -denotes a debugging class, and -.Ar level -the level you want that debugging class to -limit debug printouts at (i.e., all debug printouts above the level specified -will not output anything). -If -.Ar class -is set to -.Sq A , -then all debugging classes are set to the specified level. -.Pp -Valid values for -.Ar class -are as follows: -.Pp -.Bl -tag -width 2n -compact -offset indent -.It 0 -Misc -.It 1 -Transport -.It 2 -Message -.It 3 -Crypto -.It 4 -Timer -.It 5 -Sysdep -.It 6 -SA -.It 7 -Exchange -.It 8 -Negotiation -.It 9 -Policy -.It 10 -FIFO user interface -.It A -All -.El -.Pp -Currently used values for -.Ar level -are 0 to 99. -.It Fl f Ar fifo -The -.Fl f -option specifies the -.Tn FIFO -(a.k.a. named pipe) where the daemon listens for -user requests. -If the path given is a dash -.Pq Sq \&- , -.Nm -will listen to stdin instead. -.It Fl i Ar pid-file -By default the PID of the daemon process will be written to -.Pa /var/run/isakmpd.pid . -This path can be overridden by specifying another one as the argument to the -.Fl i -option. -.It Fl n -When the -.Fl n -option is given, the kernel will not take part in the negotiations. -This is a non-destructive mode, so to speak, in that it won't alter any -SAs in the IPsec stack. -.It Fl p Ar listen-port -The -.Fl p -option specifies the listen port the daemon will bind to. -.It Fl P Ar local-port -On the other hand, the port specified to capital -.Fl P -will be what the daemon binds its local end to when acting as -initiator. -.It Fl K -When this option is given, -.Nm -does not read the policy configuration file and no -.Xr keynote 4 -policy check is accomplished. -This option can be used when policies for flows and SA establishment are -arranged by other programs like -.Xr ipsecadm 8 -or -.Xr bgpd 8 . -.It Fl L -Enable IKE packet capture. -When this option is given, -.Nm -will capture to file an unencrypted copy of the negotiation packets it -is sending and receiving. -This file can later be read by -.Xr tcpdump 8 -and other utilities using -.Xr pcap 3 . -.It Fl l Ar packetlog-file -As option -.Fl L -above, but capture to a specified file. -.It Fl r Ar seed -If given, a deterministic random number sequence will be used internally. -This is useful for setting up regression tests. -.It Fl R Ar report-file -When you signal -.Nm -a -.Dv SIGUSR1 , -it will report its internal state to a report file, normally -.Pa /var/run/isakmpd.report , -but this can be changed by feeding -the file name as an argument to the -.Fl R -flag. -.It Fl v -Enables verbose logging. -Normally, -.Nm -is silent and outputs only messages when a warning or an error occurs. -With verbose logging -.Nm -reports successful completion of phase 1 (Main and Aggressive) and phase 2 -(Quick) exchanges (Information and Transaction exchanges do not generate any -additional status information). -.El -.Ss Setting up an IKE public key infrastructure (a.k.a. PKI) -In order to use public key based authentication, there has to be an -infrastructure managing the key signing. -Either there is an already existing PKI -.Nm -should take part in, or there will be a need to set one up. -In the former case, what is needed to be done varies depending on the -actual Certificate Authority used, and is therefore not covered here, -other than mentioning that -.Xr openssl 1 -needs to be used to create a certificate signing request that the -CA understands. -The latter case, however, is described here: -.Bl -enum -.It -Create your own CA as root. -.Bd -literal -# openssl genrsa -out /etc/ssl/private/ca.key 1024 -# openssl req -new -key /etc/ssl/private/ca.key \e - -out /etc/ssl/private/ca.csr -.Ed -.Pp -You are then asked to enter information that will be incorporated -into your certificate request. -What you are about to enter is what is called a Distinguished Name (DN). -There are quite a few fields but you can leave some blank. -For some fields there will be a default value; if you enter -.Sq \&. , -the field will be left blank. -.Bd -literal -# openssl x509 -req -days 365 -in /etc/ssl/private/ca.csr \e - -signkey /etc/ssl/private/ca.key \e - -extfile /etc/ssl/x509v3.cnf -extensions x509v3_CA \e - -out /etc/ssl/ca.crt -.Ed -.Pp -.It -Create keys and certificates for your IKE peers. -This step as well as the next one, needs to be done for every peer. -Furthermore the last step will need to be done once for each ID you -want the peer to have. -The 10.0.0.1 below symbolizes that ID, in this case an IPv4 ID, -and should be changed for each invocation. -You will be asked for a DN for each run. -Encoding the ID in the common name is recommended, as it should be unique. -.Bd -literal -# openssl genrsa -out /etc/isakmpd/private/local.key 1024 -# openssl req -new -key /etc/isakmpd/private/local.key \e - -out /etc/isakmpd/private/10.0.0.1.csr -.Ed -.Pp -Now take these certificate signing requests to your CA and process -them like below. -You have to add a subjectAltName extension field -to the certificate in order to make it usable by -.Nm isakmpd . -There are two possible ways to add the extensions to the certificate. -Either you have to run -.Xr certpatch 8 -or you have to make use of an OpenSSL configuration file, for example -.Pa /etc/ssl/x509v3.cnf . -Replace 10.0.0.1 with the IP-address which -.Nm -will use as the certificate identity. -.Pp -To use -.Xr certpatch 8 , -do the following -.Bd -literal -# openssl x509 -req -days 365 -in 10.0.0.1.csr -CA /etc/ssl/ca.crt \e - -CAkey /etc/ssl/private/ca.key -CAcreateserial \e - -out 10.0.0.1.crt -# certpatch -i 10.0.0.1 -k /etc/ssl/private/ca.key \e - 10.0.0.1.crt 10.0.0.1.crt -.Ed -.Pp -Otherwise do -.Bd -literal -# setenv CERTIP 10.0.0.1 -# openssl x509 -req -days 365 -in 10.0.0.1.csr -CA /etc/ssl/ca.crt \e - -CAkey /etc/ssl/private/ca.key -CAcreateserial \e - -extfile /etc/ssl/x509v3.cnf -extensions x509v3_IPAddr \e - -out 10.0.0.1.crt -.Ed -.Pp -For a FQDN certificate, do -.Bd -literal -# setenv CERTFQDN somehost.somedomain -# openssl x509 -req -days 365 -in somehost.somedomain.csr \e - -CA /etc/ssl/ca.crt -CAkey /etc/ssl/private/ca.key \e - -CAcreateserial \e - -extfile /etc/ssl/x509v3.cnf -extensions x509v3_FQDN \e - -out somehost.somedomain.crt -.Ed -.Pp -or with -.Xr certpatch 8 -.Bd -literal -# certpatch -t fqdn -i somehost.somedomain \e - -k /etc/ssl/private/ca.key \e - somehost.somedomain.crt somehost.somedomain.crt -.Ed -.Pp -(This assumes the previous steps were used to create a request for -somehost.somedomain instead of 10.0.0.1) -.Pp -Put the certificate (the file ending in .crt) in -.Pa /etc/isakmpd/certs/ -on your local system. -Also carry over the CA cert -.Pa /etc/ssl/ca.crt -and put it in -.Pa /etc/isakmpd/ca/ . -.El -.Pp -To revoke certificates, create a Certificate Revocation List (CRL) file -and install it in the -.Pa /etc/isakmpd/crls/ -directory. -See -.Xr openssl 1 -and the -.Sq crl -subcommand for more info. -.Pp -It is also possible to store trusted public keys to make them directly -usable by -.Nm isakmpd . -The keys should be saved in PEM format (see -.Xr openssl 1 ) -and named and stored after this easy formula: -.Bl -tag -width for_ufqdn_identities -.It For IPv4 identities -/etc/isakmpd/pubkeys/ipv4/A.B.C.D -.It For IPv6 identities -/etc/isakmpd/pubkeys/ipv6/abcd:abcd::ab:bc -.It For FQDN identities -/etc/isakmpd/pubkeys/fqdn/foo.bar.org -.It For UFQDN identities -/etc/isakmpd/pubkeys/ufqdn/user@foo.bar.org -.El -.Ss The FIFO user interface -When -.Nm -starts, it creates a FIFO (named pipe) where it listens for user -requests. -All commands start with a single letter, followed by command-specific options. -Available commands are: -.Bl -tag -width Ds -compact -.Pp -.It Ic "c <name>" -Start the named connection, if stopped or inactive. -.Pp -.It Ic "C set [section]:tag=value" -.It Ic "C set [section]:tag=value force" -.It Ic "C add [section]:tag=value" -.It Ic "C rm [section]:tag" -.It Ic "C rms [section]" -Update the running -.Nm -configuration atomically. -.Sq set -sets a configuration value consisting of a section, tag and value triplet. -.Sq set -will fail if the configuration already contains a section with the named tag; -use the -.Sq force -option to change this behaviour. -.Sq add -appends a configuration value to the named configuration list tag. -.Sq rm -removes a tag in a section. -.Sq rms -removes an entire section. -.Pp -NOTE: Sending isakmpd a SIGHUP or an "R" through the FIFO will -void any updates done to the configuration. -.Pp -.It Ic "C get [section]:tag" -Get the configuration value of the specified section and tag. -The result is stored in -.Pa /var/run/isakmpd.result . -.Pp -.It Ic "d <cookies> <msgid>" -Delete the specified SA from the system. -Specify <msgid> as "-" to match a Phase 1 SA. -.Pp -.It Ic "D <class> <level>" -.It Ic "D A <level>" -.It Ic "D T" -Set debug class <class> to level <level>. -If <class> is specified as "A", the level applies to all debug classes. -"D T" toggles all debug classes to level zero. -Another "D T" command will toggle them back to the earlier levels. -.Pp -.It Ic "p on[=<path>]" -.It Ic "p off" -Enable or disable cleartext IKE packet capture. -When enabling, optionally specify which file -.Nm -should capture the packets to. -.Pp -.It Ic "Q" -Cleanly shutdown the daemon, as when sent a -.Dv SIGTERM -signal. -.Pp -.It Ic "r" -Report -.Nm -internal state to a file. -See -.Fl R -option. -Same as when sent a -.Dv SIGUSR1 -signal. -.Pp -.It Ic "R" -Reinitialize -.Nm isakmpd , -as when sent a -.Dv SIGHUP -signal. -.Pp -.It Ic "S" -Report information on all known SAs to the -.Pa /var/run/isakmpd.result -file. -.Pp -.It Ic "t <name>" -Tear down the named connection, if active. -.Pp -.It Ic "T" -Tear down all active connections. -.El -.Sh FILES -.Bl -tag -width /etc/isakmpd/private/local. -.It Pa /etc/isakmpd/ca/ -The directory where CA certificates can be found. -.It Pa /etc/isakmpd/certs/ -The directory where IKE certificates can be found, both the local -certificate(s) and those of the peers, if a choice to have them kept -permanently has been made. -.It Pa /etc/isakmpd/crls/ -The directory where CRLs can be found. -.It Pa /etc/isakmpd/isakmpd.conf -The configuration file. -As this file can contain sensitive information -it must not be readable by anyone but the user running -.Nm isakmpd . -.It Pa /etc/isakmpd/isakmpd.policy -The keynote policy configuration file. -The same mode requirements as -.Nm isakmpd.conf . -.It Pa /etc/isakmpd/private/local.key -A local private key for certificate based authentication. -There has to be a certificate for this key in the certificate directory -mentioned above. -The same mode requirements as -.Nm isakmpd.conf . -.It Pa /etc/isakmpd/pubkeys/ -Directory in which trusted public keys can be kept. -The keys must be named in the fashion described above. -.It Pa /var/run/isakmpd.pid -The PID of the current daemon. -.It Pa /var/run/isakmpd.fifo -The FIFO used to manually control -.Nm isakmpd . -.It Pa /var/run/isakmpd.pcap -The default IKE packet capture file. -.It Pa /var/run/isakmpd.report -The report file written when -.Dv SIGUSR1 -is received. -.It Pa /var/run/isakmpd.result -The report file written when the -.Sq S -or -.Sq "C get" -command is issued in the command FIFO. -.It Pa /usr/share/ipsec/isakmpd/ -A directory containing some sample -.Nm -and keynote policy configuration files. -.El -.Sh SEE ALSO -.Xr openssl 1 , -.Xr getnameinfo 3 , -.Xr pcap 3 , -.Xr ipsec 4 , -.Xr isakmpd.conf 5 , -.Xr isakmpd.policy 5 , -.Xr ssl 8 , -.Xr tcpdump 8 , -.Xr vpn 8 -.Sh HISTORY -The ISAKMP/Oakley key management protocol is described in the RFCs -.%T RFC 2407 , -.%T RFC 2408 -and -.%T RFC 2409 . -This implementation was done 1998 by Niklas Hallqvist and Niels Provos, -sponsored by Ericsson Radio Systems. -.Sh CAVEATS -When storing a trusted public key for an IPv6 identity, the -.Em most efficient -form of address representation, i.e "::" instead of ":0:0:0:", -must be used or the matching will fail. -.Nm -uses the output from -.Xr getnameinfo 3 -for the address-to-name translation. -The privileged process only allows binding to the default port 500 or -unprivileged ports (>1024). -It is not possible to change the interfaces -.Nm -listens on without a restart. -.Sh BUGS -The -.Fl P -flag does not do what we document, rather it does nothing. diff --git a/keyexchange/isakmpd-20041012/isakmpd.c b/keyexchange/isakmpd-20041012/isakmpd.c deleted file mode 100644 index 8675201..0000000 --- a/keyexchange/isakmpd-20041012/isakmpd.c +++ /dev/null @@ -1,543 +0,0 @@ -/* $OpenBSD: isakmpd.c,v 1.68 2004/09/17 14:54:09 hshoexer Exp $ */ -/* $EOM: isakmpd.c,v 1.54 2000/10/05 09:28:22 niklas Exp $ */ - -/* - * Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. - * Copyright (c) 1999, 2000 Angelos D. Keromytis. All rights reserved. - * Copyright (c) 1999, 2000, 2001 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <errno.h> -#include <sys/param.h> -#include <sys/types.h> -#include <sys/stat.h> -#include <signal.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <time.h> -#include <netdb.h> -#include <unistd.h> -#include <fcntl.h> - -#include "sysdep.h" - -#include "app.h" -#include "conf.h" -#include "connection.h" -#include "init.h" -#include "libcrypto.h" -#include "log.h" -#include "monitor.h" -#include "sa.h" -#include "timer.h" -#include "transport.h" -#include "udp.h" -#include "ui.h" -#include "util.h" -#include "cert.h" - -#ifdef USE_POLICY -#include "policy.h" -#endif - -static void usage(void); - -/* - * Set if -d is given, currently just for running in the foreground and log - * to stderr instead of syslog. - */ -int debug = 0; - -/* Set when no policy file is found. */ -int acquire_only = 0; - -/* - * If we receive a SIGHUP signal, this flag gets set to show we need to - * reconfigure ASAP. - */ -volatile sig_atomic_t sighupped = 0; - -/* - * If we receive a USR1 signal, this flag gets set to show we need to dump - * a report over our internal state ASAP. The file to report to is settable - * via the -R parameter. - */ -volatile sig_atomic_t sigusr1ed = 0; -static char *report_file = "/var/run/isakmpd.report"; - -/* - * If we receive a USR2 signal, this flag gets set to show we need to - * rehash our SA soft expiration timers to a uniform distribution. - * XXX Perhaps this is a really bad idea? - */ -volatile sig_atomic_t sigusr2ed = 0; - -/* - * If we receive a TERM signal, perform a "clean shutdown" of the daemon. - * This includes to send DELETE notifications for all our active SAs. - * Also on recv of an INT signal (Ctrl-C out of an '-d' session, typically). - */ -volatile sig_atomic_t sigtermed = 0; -void daemon_shutdown_now(int); - -/* The default path of the PID file. */ -static char *pid_file = "/var/run/isakmpd.pid"; - -#ifdef USE_DEBUG -/* The path of the IKE packet capture log file. */ -static char *pcap_file = 0; -#endif - -static void -usage(void) -{ - fprintf(stderr, - "usage: %s [-4] [-6] [-a] [-c config-file] [-d] [-D class=level]\n" - " [-f fifo] [-i pid-file] [-K] [-n] [-p listen-port]\n" - " [-P local-port] [-L] [-l packetlog-file] [-r seed]\n" - " [-R report-file] [-v]\n", - sysdep_progname()); - exit(1); -} - -static void -parse_args(int argc, char *argv[]) -{ - int ch; - char *ep; -#ifdef USE_DEBUG - int cls, level; - int do_packetlog = 0; -#endif - - while ((ch = getopt(argc, argv, "46ac:dD:f:i:Knp:P:Ll:r:R:v")) != -1) { - switch (ch) { - case '4': - bind_family |= BIND_FAMILY_INET4; - break; - - case '6': - bind_family |= BIND_FAMILY_INET6; - break; - - case 'a': - acquire_only++; - break; - - case 'c': - conf_path = optarg; - break; - - case 'd': - debug++; - break; - -#ifdef USE_DEBUG - case 'D': - if (sscanf(optarg, "%d=%d", &cls, &level) != 2) { - if (sscanf(optarg, "A=%d", &level) == 1) { - for (cls = 0; cls < LOG_ENDCLASS; - cls++) - log_debug_cmd(cls, level); - } else - log_print("parse_args: -D argument " - "unparseable: %s", optarg); - } else - log_debug_cmd(cls, level); - break; -#endif /* USE_DEBUG */ - - case 'f': - ui_fifo = optarg; - break; - - case 'i': - pid_file = optarg; - break; - -#ifdef USE_POLICY - case 'K': - ignore_policy++; - break; -#endif - - case 'n': - app_none++; - break; - - case 'p': - udp_default_port = optarg; - break; - - case 'P': - udp_bind_port = optarg; - break; - -#ifdef USE_DEBUG - case 'l': - pcap_file = optarg; - /* Fallthrough intended. */ - - case 'L': - do_packetlog++; - break; -#endif /* USE_DEBUG */ - - case 'r': - seed = strtoul(optarg, &ep, 0); - srandom(seed); - if (*ep != '\0') - log_fatal("parse_args: invalid numeric arg " - "to -r (%s)", optarg); - regrand = 1; - break; - - case 'R': - report_file = optarg; - break; - - case 'v': - verbose_logging = 1; - break; - - case '?': - default: - usage(); - } - } - argc -= optind; - argv += optind; - -#ifdef USE_DEBUG - if (do_packetlog && !pcap_file) - pcap_file = PCAP_FILE_DEFAULT; -#endif -} - -static void -sighup(int sig) -{ - sighupped = 1; -} - -/* Report internal state on SIGUSR1. */ -static void -report(void) -{ - FILE *rfp, *old; - mode_t old_umask; - - old_umask = umask(S_IRWXG | S_IRWXO); - rfp = monitor_fopen(report_file, "w"); - umask(old_umask); - - if (!rfp) { - log_error("report: fopen (\"%s\", \"w\") failed", report_file); - return; - } - /* Divert the log channel to the report file during the report. */ - old = log_current(); - log_to(rfp); - ui_report("r"); - log_to(old); - fclose(rfp); -} - -static void -sigusr1(int sig) -{ - sigusr1ed = 1; -} - -/* Rehash soft expiration timers on SIGUSR2. */ -static void -rehash_timers(void) -{ -#if 0 - /* XXX - not yet */ - log_print("SIGUSR2 received, rehashing soft expiration timers."); - - timer_rehash_timers(); -#endif -} - -static void -sigusr2(int sig) -{ - sigusr2ed = 1; -} - -static int -phase2_sa_check(struct sa *sa, void *arg) -{ - return sa->phase == 2; -} - -static void -daemon_shutdown(void) -{ - /* Perform a (protocol-wise) clean shutdown of the daemon. */ - struct sa *sa; - - if (sigtermed == 1) { - log_print("isakmpd: shutting down..."); - - /* Delete all active phase 2 SAs. */ - while ((sa = sa_find(phase2_sa_check, NULL))) { - /* Each DELETE is another (outgoing) message. */ - sa_delete(sa, 1); - } - sigtermed++; - } - if (transport_prio_sendqs_empty()) { - /* - * When the prioritized transport sendq:s are empty, i.e all - * the DELETE notifications have been sent, we can shutdown. - */ - -#ifdef USE_DEBUG - log_packet_stop(); -#endif - /* Remove FIFO and pid files. */ - unlink(ui_fifo); - unlink(pid_file); - log_print("isakmpd: exit"); - exit(0); - } -} - -/* Called on SIGTERM, SIGINT or by ui_shutdown_daemon(). */ -void -daemon_shutdown_now(int sig) -{ - sigtermed = 1; -} - -/* Write pid file. */ -static void -write_pid_file(void) -{ - FILE *fp; - - /* Ignore errors. This will fail with USE_PRIVSEP. */ - unlink(pid_file); - - fp = monitor_fopen(pid_file, "w"); - if (fp != NULL) { - if (fprintf(fp, "%ld\n", (long) getpid()) < 0) - log_error("write_pid_file: failed to write PID to " - "\"%.100s\"", pid_file); - fclose(fp); - } else - log_fatal("write_pid_file: fopen (\"%.100s\", \"w\") failed", - pid_file); -} - -int -main(int argc, char *argv[]) -{ - fd_set *rfds, *wfds; - int n, m; - size_t mask_size; - struct timeval tv, *timeout; - -#if defined (HAVE_CLOSEFROM) && (!defined (OpenBSD) || (OpenBSD >= 200405)) - closefrom(STDERR_FILENO + 1); -#else - m = getdtablesize(); - for (n = STDERR_FILENO + 1; n < m; n++) - (void) close(n); -#endif - - /* - * Make sure init() won't alloc fd 0, 1 or 2, as daemon() will close - * them. - */ - for (n = 0; n <= 2; n++) - if (fcntl(n, F_GETFL, 0) == -1 && errno == EBADF) - (void) open("/dev/null", n ? O_WRONLY : O_RDONLY, 0); - - for (n = 1; n < _NSIG; n++) - signal(n, SIG_DFL); - - /* Log cmd line parsing and initialization errors to stderr. */ - log_to(stderr); - parse_args(argc, argv); - log_init(debug); - - /* Open protocols and services databases. */ - setprotoent(1); - setservent(1); - - /* - * Do a clean daemon shutdown on TERM/INT. These signals must be - * initialized before monitor_init(). INT is only used with '-d'. - */ - signal(SIGTERM, daemon_shutdown_now); - if (debug == 1) /* i.e '-dd' will skip this. */ - signal(SIGINT, daemon_shutdown_now); - - /* Daemonize before forking unpriv'ed child */ - if (!debug) - if (daemon(0, 0)) - log_fatal("main: daemon (0, 0) failed"); - - /* Set timezone before priv'separation */ - tzset(); - -#if defined (USE_PRIVSEP) - if (monitor_init(debug)) { - /* The parent, with privileges enters infinite monitor loop. */ - monitor_loop(debug); - exit(0); /* Never reached. */ - } - /* Child process only from this point on, no privileges left. */ -#endif - - init(); - - write_pid_file(); - - /* Reinitialize on HUP reception. */ - signal(SIGHUP, sighup); - - /* Report state on USR1 reception. */ - signal(SIGUSR1, sigusr1); - - /* Rehash soft expiration timers on USR2 reception. */ - signal(SIGUSR2, sigusr2); - -#if defined (USE_DEBUG) - /* If we wanted IKE packet capture to file, initialize it now. */ - if (pcap_file != 0) - log_packet_init(pcap_file); -#endif - - /* Allocate the file descriptor sets just big enough. */ - n = getdtablesize(); - mask_size = howmany(n, NFDBITS) * sizeof(fd_mask); - rfds = (fd_set *) malloc(mask_size); - if (!rfds) - log_fatal("main: malloc (%lu) failed", - (unsigned long)mask_size); - wfds = (fd_set *) malloc(mask_size); - if (!wfds) - log_fatal("main: malloc (%lu) failed", - (unsigned long)mask_size); - -#if defined (USE_PRIVSEP) - monitor_init_done(); -#endif - - while (1) { - /* If someone has sent SIGHUP to us, reconfigure. */ - if (sighupped) { - sighupped = 0; - log_print("SIGHUP received"); - reinit(); - } - /* and if someone sent SIGUSR1, do a state report. */ - if (sigusr1ed) { - sigusr1ed = 0; - log_print("SIGUSR1 received"); - report(); - } - /* and if someone sent SIGUSR2, do a timer rehash. */ - if (sigusr2ed) { - sigusr2ed = 0; - log_print("SIGUSR2 received"); - rehash_timers(); - } - /* - * and if someone set 'sigtermed' (SIGTERM, SIGINT or via the - * UI), this indicates we should start a controlled shutdown - * of the daemon. - * - * Note: Since _one_ message is sent per iteration of this - * enclosing while-loop, and we want to send a number of - * DELETE notifications, we must loop atleast this number of - * times. The daemon_shutdown() function starts by queueing - * the DELETEs, all other calls just increments the - * 'sigtermed' variable until it reaches a "safe" value, and - * the daemon exits. - */ - if (sigtermed) - daemon_shutdown(); - - /* Setup the descriptors to look for incoming messages at. */ - memset(rfds, 0, mask_size); - n = transport_fd_set(rfds); - FD_SET(ui_socket, rfds); - if (ui_socket + 1 > n) - n = ui_socket + 1; - - /* - * XXX Some day we might want to deal with an abstract - * application class instead, with many instantiations - * possible. - */ - if (!app_none && app_socket >= 0) { - FD_SET(app_socket, rfds); - if (app_socket + 1 > n) - n = app_socket + 1; - } - /* Setup the descriptors that have pending messages to send. */ - memset(wfds, 0, mask_size); - m = transport_pending_wfd_set(wfds); - if (m > n) - n = m; - - /* Find out when the next timed event is. */ - timeout = &tv; - timer_next_event(&timeout); - - n = select(n, rfds, wfds, 0, timeout); - if (n == -1) { - if (errno != EINTR) { - log_error("main: select"); - - /* - * In order to give the unexpected error - * condition time to resolve without letting - * this process eat up all available CPU - * we sleep for a short while. - */ - sleep(1); - } - } else if (n) { - transport_handle_messages(rfds); - transport_send_messages(wfds); - if (FD_ISSET(ui_socket, rfds)) - ui_handler(); - if (!app_none && app_socket >= 0 && - FD_ISSET(app_socket, rfds)) - app_handler(); - } - timer_handle_expirations(); - } -} diff --git a/keyexchange/isakmpd-20041012/isakmpd.conf.5 b/keyexchange/isakmpd-20041012/isakmpd.conf.5 deleted file mode 100644 index db3dd78..0000000 --- a/keyexchange/isakmpd-20041012/isakmpd.conf.5 +++ /dev/null @@ -1,1126 +0,0 @@ -.\" $OpenBSD: isakmpd.conf.5,v 1.94 2004/08/10 15:59:10 ho Exp $ -.\" $EOM: isakmpd.conf.5,v 1.57 2000/12/21 14:43:17 ho Exp $ -.\" -.\" Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved. -.\" Copyright (c) 2000, 2001, 2002 Håkan Olsson. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.\" This code was written under funding by Ericsson Radio Systems. -.\" -.\" Manual page, using -mandoc macros -.\" -.Dd August 07, 2002 -.Dt ISAKMPD.CONF 5 -.Os -.Sh NAME -.Nm isakmpd.conf -.Nd configuration file for isakmpd -.Sh DESCRIPTION -.Nm -is the configuration file for the -.Nm isakmpd -daemon managing security association and key management for the -IPsec layer of the kernel's networking stack. -.Pp -The file is of a well known type of format called .INI style, named after -the suffix used by an overrated windowing environment for its configuration -files. -This format consists of sections, each beginning with a line looking like: -.Bd -literal -[Section name] -.Ed -Between the brackets is the name of the section following this section header. -Inside a section many tag/value pairs can be stored, each one looking like: -.Bd -literal -Tag=Value -.Ed -If the value needs more space than fits on a single line it's possible to -continue it on the next by ending the first with a backslash character -immediately before the newline character. -This method can extend a value for an arbitrary number of lines. -.Pp -Comments can be put anywhere in the file by using a hash mark -.Pq Sq \&# . -The comment extends to the end of the current line. -.Pp -Often the right-hand side values consist of other section names. -This results in a tree structure. -Some values are treated as a list of several scalar values. -Such lists always use a comma character as the separator. -Some values are formatted like this: X,Y:Z, which -is an offer/accept syntax, where X is a value we offer and Y:Z is a range of -accepted values, inclusive. -.Pp -To activate changes to -.Nm -without restarting -.Nm isakmpd , -send a -.Dv SIGHUP -signal to the daemon process. -.Ss Auto-generated parts of the configuration -.Pp -Some predefined section names are recognized by the daemon, avoiding the need -to fully specify the Main Mode transforms and Quick Mode suites, protocols, -and transforms. -.Pp -For Main Mode: -.Bd -filled -compact -.Ar {DES,BLF,3DES,CAST,AES}-{MD5,SHA}[-GRP{1,2,5,14}][-{DSS,RSA_SIG}] -.Ed -.Pp -For Quick Mode: -.Bd -filled -compact -.Ar QM-{proto}[-TRP]-{cipher}[-{hash}][-PFS[-{group}]]-SUITE -.Ed -.Bd -literal - where - {proto} is either ESP or AH - {cipher} is either DES, 3DES, CAST, BLF or AES - {hash} is either MD5, SHA, RIPEMD, SHA2-{256,384,512} - {group} is either GRP1, GRP2, GRP5 or GRP14 -.Ed -.Pp -For example, 3DES-SHA means: 3DES encryption, SHA hash, and authorization by -pre-shared keys. -Similarly, QM-ESP-3DES-SHA-PFS-SUITE means: ESP protocol, 3DES encryption, -SHA hash, and use Perfect Forward Secrecy. -.Pp -Unless explicitly stated with -GRP1, 2, 5 or 14 transforms and PFS suites -use DH group 2. -There are currently no predefined ESP+AH Quick Mode suites. -.Pp -The predefinitions include some default values for the special -sections "General", "Keynote", "X509-certificates", and -"Default-phase-1-configuration". -These default values are presented in the example below. -.Pp -All autogenerated values can be overridden by manual entries by using the -same section and tag names in the configuration file. -In particular, the default phase 1 (Main or Aggressive Mode) and phase 2 -(Quick Mode) lifetimes can be overridden by these tags under the "General" -section; -.Bd -literal -[General] -Default-phase-1-lifetime= 3600,60:86400 -Default-phase-2-lifetime= 1200,60:86400 -.Ed -.Pp -The Main Mode lifetime currently defaults to one hour (minimum 60 -seconds, maximum 1 day). -The Quick Mode lifetime defaults to 20 minutes -(minimum 60 seconds, maximum 1 day). -.Pp -Also, the default phase 1 ID can be set by creating a <Phase1-ID> -section, as shown below, and adding this tag under the "General" -section; -.Bd -literal -[General] -Default-phase-1-ID= Phase1-ID-name - -[Phase1-ID-name] -ID-type= USER_FQDN -Name= foo@bar.com -.Ed -.Ss Roots -.Bl -hang -width 12n -.It Em General -Generic global configuration parameters -.Bl -tag -width 12n -.It Em Default-phase-1-ID -Optional default phase 1 ID name. -.It Em Default-phase-1-lifetime -The default lifetime for autogenerated transforms (phase 1). -If unspecified, the value 3600,60:86400 is used as the default. -.It Em Default-phase-2-lifetime -The default lifetime for autogenerated suites (phase 2). -If unspecified, the value 1200,60:86400 is used as the default. -.It Em Default-phase-2-suites -A list of phase 2 suites that will be used when establishing dynamic -SAs. -If left unspecified, QM-ESP-3DES-SHA-PFS-SUITE is used as the default. -.It Em Acquire-Only -If this tag is defined, -.Nm isakmpd -will not set up flows automatically. -This is useful when flows are configured with -.Xr ipsecadm 4 -or by other programs like -.Xr bgpd 8 . -Thus -.Nm isakmpd -only takes care of the SA establishment. -.It Em Check-interval -The interval between watchdog checks of connections we want up at all -times. -.It Em DPD-check-interval -The interval between RFC 3706 (Dead Peer Detection) messages. -The default value is 0 (zero), which means DPD is disabled. -.It Em Exchange-max-time -How many seconds should an exchange maximally take to set up before we -give up. -.It Em Listen-on -A list of IP-addresses OK to listen on. -This list is used as a filter for the set of addresses the interfaces -configured provides. -This means that we won't see if an address given here does not exist -on this host, and thus no error is given for that case. -.It Em Loglevel -A list of the form -.Ar class Ns = Ns Ar level , -where both -.Ar class -and -.Ar level -are numbers. -This is similar to the -.Fl D -command line switch of -.Em isakmpd . -See -.Xr isakmpd 8 -for details. -.It Em Logverbose -If this tag is defined, whatever the value is, verbose logging is enabled. -This is similar to the -.Fl v -command line switch of -.Em isakmpd . -See -.Xr isakmpd 8 -for details. -.It Em NAT-T-Keepalive -The number of seconds between NAT-T keepalive messages, sent by the -peer behind NAT to keep the mapping active. -Defaults to 20. -.It Em Policy-file -The name of the file that contains -.Xr keynote 4 -policies. -The default is "/etc/isakmpd/isakmpd.policy". -.It Em Pubkey-directory -The directory in which -.Nm -looks for explicitly trusted public keys. -The default is "/etc/isakmpd/pubkeys". -Read -.Xr isakmpd 8 -for the required naming convention of the files in here. -.It Em Renegotiate-on-HUP -If this tag is defined, whatever the value is, -.Nm isakmpd -will renegotiate all current phase 2 SAs when the daemon receives a -.Dv SIGHUP -signal, or an -.Sq R -is sent to the FIFO interface (see -.Xr isakmpd 8 ) . -.It Em Retransmits -How many times should a message be retransmitted before giving up. -.It Em Shared-SADB -If this tag is defined, whatever the value is, some semantics of -.Nm -are changed so that multiple instances can run on top of one SADB -and set up SAs with each other. -Specifically this means replay -protection will not be asked for, and errors that can occur when -updating an SA with its parameters a 2nd time will be ignored. -.It Em Use-Keynote -This tag controls the use of -.Xr keynote 4 -policy checking. -The default value is -.Qq yes , -which enables the policy checking. -When set to any other value, policies will not be checked. -This is useful when policies for flows and SA establishment are arranged by -other programs like -.Xr ipsecadm 8 -or -.Xr bgpd 8 . -.El -.It Em Phase 1 -ISAKMP SA negotiation parameter root -.Bl -tag -width 12n -.It Em <IP-address> -A name of the ISAKMP peer at the given IP-address. -.It Em Default -A name of the default ISAKMP peer. -Incoming phase 1 connections from other IP-addresses will use this peer name. -.It "" -This name is used as the section name for further information to be found. -Look at <ISAKMP-peer> below. -.El -.It Em Phase 2 -IPsec SA negotiation parameter root -.Bl -tag -width 12n -.It Em Connections -A list of directed IPsec "connection" names that should be brought up -automatically, either on first use if the system supports it, or at -startup of the daemon. -These names are section names where further information can be found. -Look at <IPsec-connection> below. -Normally any connections mentioned here are treated as part of the -"Passive-connection" list we present below, however there is a -flag: "Active-only" that disables this behaviour. -This too is mentioned in the <IPsec-connection> section, in the "Flags" tag. -.It Em Passive-connections -A list of IPsec "connection" names we recognize and accept initiations for. -These names are section names where further information can be found. -Look at <IPsec-connection> below. -Currently only the Local-ID and Remote-ID tags -are looked at in those sections, as they are matched against the IDs given -by the initiator. -.El -.It Em KeyNote -.Bl -tag -width 12n -.It Em Credential-directory -A directory containing directories named after IDs (IP -addresses, -.Dq user@domain , -or hostnames) that contain files named -.Dq credentials -and -.Dq private_key . -.Pp -The credentials file contains -.Xr keynote 4 -credentials that are sent to a remote IKE daemon when we use the -associated ID, or credentials that we may want to consider when doing -an exchange with a remote IKE daemon that uses that ID. -Note that, in the former case, the last credential in the file -MUST contain our public key in its Licensees field. -More than one credentials may exist in the file. -They are separated by whitelines (the format is essentially the same as -that of the policy file). -The credentials are of the same format as the policies described in -.Xr isakmpd.policy 5 . -The only difference is that the Authorizer field contains a public -key, and the assertion is signed. -Signed assertions can be generated using the -.Xr keynote 1 -utility. -.Pp -The private_key file contains the private RSA key we use for -authentication. -If the directory (and the files) exist, they take precedence over X509-based -authentication. -.El -.It Em X509-Certificates -.Bl -tag -width 12n -.It Em Accept-self-signed -If this tag is defined, whatever the value is, certificates that -do not originate from a trusted CA but are self-signed will be -accepted. -.It Em Ca-directory -A directory containing PEM certificates of certification authorities -that we trust to sign other certificates. -Note that for a CA to be really trusted, it needs to be somehow -referred to by policy, in -.Xr isakmpd.policy 5 . -The certificates in this directory are used for the actual X.509 -authentication and for cross-referencing policies that refer to -Distinguished Names (DNs). -Keeping a separate directory (as opposed to integrating policies -and X.509 CA certificates) allows for maintenance of a list of -"well known" CAs without actually having to trust all (or any) of them. -.It Em Cert-directory -A directory containing PEM certificates that we trust to be valid. -These certificates are used in preference to those passed in messages and -are required to have a subjectAltName extension containing the certificate -holder identity; usually IP address, FQDN, or User FQDN, as provided by -.Xr certpatch 8 . -.It Em Private-key -The private key matching the public key of our certificate (which should be -in the "Cert-directory", and have an appropriate subjectAltName field). -.El -.El -.Ss Referred-to sections -.Bl -hang -width 12n -.It Em <ISAKMP-peer> -Parameters for negotiation with an ISAKMP peer -.Bl -tag -width 12n -.It Em Phase -The constant -.Li 1 , -as ISAKMP-peers and IPsec-connections -really are handled by the same code inside isakmpd. -.It Em Transport -The name of the transport protocol, defaults to -.Li UDP . -.It Em Port -In case of -.Li UDP , -the -.Li UDP -port number to send to. -This is optional, the -default value is 500 which is the IANA-registered number for ISAKMP. -.It Em Local-address -The Local IP-address to use, if we are multi-homed, or have aliases. -.It Em Address -If existent, the IP-address of the peer. -.It Em Configuration -The name of the ISAKMP-configuration section to use. -Look at <ISAKMP-configuration> below. -If unspecified, defaults to "Default-phase-1-configuration". -.It Em Authentication -If existent, authentication data for this specific peer. -In the case of preshared key, this is the key value itself. -.It Em ID -If existent, the name of the section that describes the -local client ID that we should present to our peer. -If not present, it -defaults to the address of the local interface we are sending packets -over to the remote daemon. -Look at <Phase1-ID> below. -.It Em Remote-ID -If existent, the name of the section that describes the remote client -ID we expect the remote daemon to send us. -If not present, it defaults to the address of the remote daemon. -Look at <Phase1-ID> below. -.It Em Flags -A comma-separated list of flags controlling the further -handling of the ISAKMP SA. -Currently there are no specific ISAKMP SA flags defined. -.El -.It Em <Phase1-ID> -.Bl -tag -width 12n -.It Em ID-type -The ID type as given by the RFC specifications. -For phase 1 this is currently -.Li IPV4_ADDR , -.Li IPV4_ADDR_SUBNET , -.Li IPV6_ADDR , -.Li IPV6_ADDR_SUBNET , -.Li FQDN , -.Li USER_FQDN -or -.Li KEY_ID . -.It Em Address -If the ID-type is -.Li IPV4_ADDR -or -.Li IPV6_ADDR , -this tag should exist and be an IP-address. -.It Em Network -If the ID-type is -.Li IPV4_ADDR_SUBNET -or -.Li IPV6_ADDR_SUBNET -this tag should exist and -be a network address. -.It Em Netmask -If the ID-type is -.Li IPV4_ADDR_SUBNET -or -.Li IPV6_ADDR_SUBNET -this tag should exist and -be a network subnet mask. -.It Em Name -If the ID-type is -.Li FQDN , -.Li USER_FQDN -or -.Li KEY_ID , -this tag should exist and contain a domain name, user@domain, or -other identifying string respectively. -.Pp -In the case of -.Li KEY_ID , -note that the IKE protocol allows any octet sequence to be sent or -received under this payload, potentially including non-printable -ones. -.Xr isakmpd 8 -can only transmit printable -.Li KEY_ID -payloads, but can receive and process arbitrary -.Li KEY_ID -payloads. -This effectively means that non-printable -.Li KEY_ID -remote identities cannot be verified through this means, although it -is still possible to do so through -.Xr isakmpd.policy 5 . -.El -.It Em <ISAKMP-configuration> -.Bl -tag -width 12n -.It Em DOI -The domain of interpretation as given by the RFCs. -Normally -.Li IPSEC . -If unspecified, defaults to -.Li IPSEC . -.It Em EXCHANGE_TYPE -The exchange type as given by the RFCs. -For main mode this is -.Li ID_PROT -and for aggressive mode it is -.Li AGGRESSIVE . -.It Em Transforms -A list of proposed transforms to use for protecting the -ISAKMP traffic. -These are actually names for sections -further describing the transforms. -Look at <ISAKMP-transform> below. -.El -.It Em <ISAKMP-transform> -.Bl -tag -width 12n -.It Em ENCRYPTION_ALGORITHM -The encryption algorithm as the RFCs name it, or ANY to denote that any -encryption algorithm proposed will be accepted. -.It Em KEY_LENGTH -For encryption algorithms with variable key length, this is -where the offered/accepted keylengths are described. -The value is of the offer-accept kind described above. -.It Em HASH_ALGORITHM -The hash algorithm as the RFCs name it, or ANY. -.It Em AUTHENTICATION_METHOD -The authentication method as the RFCs name it, or ANY. -.It Em GROUP_DESCRIPTION -The group used for Diffie-Hellman exponentiations, or ANY. -The names are symbolic, like -.Li MODP_768 , MODP_1024 , EC_155 -and -.Li EC_185 . -.It Em PRF -The algorithm to use for the keyed pseudo-random function (used for key -derivation and authentication in phase 1), or ANY. -.It Em Life -A list of lifetime descriptions, or ANY. -In the former case, each -element is in itself a name of the section that defines the lifetime. -Look at <Lifetime> below. -If it is set to ANY, then any type of -proposed lifetime type and value will be accepted. -.El -.It Em <Lifetime> -.Bl -tag -width 12n -.It Em LIFE_TYPE -.Li SECONDS -or -.Li KILOBYTES -depending on the type of the duration. -Notice that this field may NOT be set to ANY. -.It Em LIFE_DURATION -An offer/accept kind of value, see above. -Can also be set to ANY. -.El -.It Em <IPsec-connection> -.Bl -tag -width 12n -.It Em Phase -The constant -.Li 2 , -as ISAKMP-peers and IPsec-connections -really are handled by the same code inside isakmpd. -.It Em ISAKMP-peer -The name of the ISAKMP-peer which to talk to in order to -set up this connection. -The value is the name of an <ISAKMP-peer> section. -See above. -.It Em Configuration -The name of the IPsec-configuration section to use. -Look at <IPsec-configuration> below. -.It Em Local-ID -If existent, the name of the section that describes the -optional local client ID that we should present to our peer. -It is also used when we act as responders to find out what -<IPsec-connection> we are dealing with. -Look at <IPsec-ID> below. -.It Em Remote-ID -If existent, the name of the section that describes the -optional remote client ID that we should present to our peer. -It is also used when we act as responders to find out what -<IPsec-connection> we are dealing with. -Look at <IPsec-ID> below. -.It Em Flags -A comma-separated list of flags controlling the further -handling of the IPsec SA. -Currently only one flag is defined: -.Bl -tag -width 12n -.It Em Active-only -If this flag is given and this <IPsec-connection> is part of the phase 2 -connections we automatically keep up, it will not automatically be used for -accepting connections from the peer. -.El -.El -.It Em <IPsec-configuration> -.Bl -tag -width 12n -.It Em DOI -The domain of interpretation as given by the RFCs. -Normally -.Li IPSEC . -If unspecified, defaults to -.Li IPSEC . -.It Em EXCHANGE_TYPE -The exchange type as given by the RFCs. -For quick mode this is -.Li QUICK_MODE . -.It Em Suites -A list of protection suites (bundles of protocols) usable for -protecting the IP traffic. -Each of the list elements is a name of an <IPsec-suite> section. -See below. -.El -.It Em <IPsec-suite> -.Bl -tag -width 12n -.It Em Protocols -A list of the protocols included in this protection suite. -Each of the list elements is a name of an <IPsec-protocol> -section. -See below. -.El -.It Em <IPsec-protocol> -.Bl -tag -width 12n -.It Em PROTOCOL_ID -The protocol as given by the RFCs. -Acceptable values today are -.Li IPSEC_AH -and -.Li IPSEC_ESP . -.It Em Transforms -A list of transforms usable for implementing the protocol. -Each of the list elements is a name of an <IPsec-transform> -section. -See below. -.It Em ReplayWindow -The size of the window used for replay protection. -This is normally left alone. -Look at the -.Nm ESP -and -.Nm AH -RFCs for a better description. -.El -.It Em <IPsec-transform> -.Bl -tag -width 12n -.It Em TRANSFORM_ID -The transform ID as given by the RFCs. -.It Em ENCAPSULATION_MODE -The encapsulation mode as given by the RFCs. -This means TRANSPORT or TUNNEL. -.It Em AUTHENTICATION_ALGORITHM -The optional authentication algorithm in the case of this -being an ESP transform. -.It Em GROUP_DESCRIPTION -An optional (provides PFS if present) Diffie-Hellman group -description. -The values are the same as GROUP_DESCRIPTION's -in <ISAKMP-transform> sections shown above. -.It Em Life -List of lifetimes, each element is a <Lifetime> section name. -.El -.It Em <IPsec-ID> -.Bl -tag -width 12n -.It Em ID-type -The ID type as given by the RFCs. -For IPsec this is currently -.Li IPV4_ADDR , -.Li IPV6_ADDR , -.Li IPV4_ADDR_SUBNET -or -.Li IPV6_ADDR_SUBNET . -.It Em Address -If the ID-type is -.Li IPV4_ADDR -or -.Li IPV6_ADDR -this tag should exist and be an IP-address. -.It Em Network -If the ID-type is -.Li IPV4_ADDR_SUBNET -or -.Li IPV6_ADDR_SUBNET -this tag should exist and -be a network address. -.It Em Netmask -If the ID-type is -.Li IPV4_ADDR_SUBNET -or -.Li IPV6_ADDR_SUBNET -this tag should exist and -be a network subnet mask. -.It Em Protocol -If the ID-type is -.Li IPV4_ADDR , -.Li IPV4_ADDR_SUBNET , -.Li IPV6_ADDR -or -.Li IPV6_ADDR_SUBNET -this tag indicates what transport protocol should be transmitted over -the SA. -If left unspecified, all transport protocols between the two address -(ranges) will be sent (or permitted) over that SA. -.It Em Port -If the ID-type is -.Li IPV4_ADDR , -.Li IPV4_ADDR_SUBNET , -.Li IPV6_ADDR -or -.Li IPV6_ADDR_SUBNET -this tag indicates what source or destination port is allowed to be -transported over the SA (depending on whether this is a local or -remote ID). -If left unspecified, all ports of the given transport protocol -will be transmitted (or permitted) over the SA. -The Protocol tag must be specified in conjunction with this tag. -.El -.El -.Ss Other sections -.Bl -hang -width 12n -.It Em <IKECFG-ID> -Parameters to use with IKE mode-config. -One ID per peer. -.Pp -An IKECFG-ID is written as [<ID-type>/<name>]. -The following ID types are supported: -.Bl -tag -width 12n -.It IPv4 -[ipv4/A.B.C.D] -.It IPv6 -[ipv6/abcd:abcd::ab:cd] -.It FQDN -[fqdn/foo.bar.org] -.It UFQDN -[ufqdn/user@foo.bar.org] -.It ASN1_DN -[asn1_dn//C=aa/O=cc/...] (Note the double slashes as the DN itself -starts with a -.Sq / . ) -.El -.Pp -Each section specifies what configuration values to return to the peer -requesting IKE mode-config. -Currently supported values are: -.Bl -tag -width 12n -.It Em Address -The peer's network address. -.It Em Netmask -The peer's netmask. -.It Em Nameserver -The IP address of a DNS nameserver. -.It Em WINS-server -The IP address of a WINS server. -.El -.It Em <Initiator-ID> -.Pp -During phase 1 negotiation -.Nm isakmpd -looks for a pre-shared key in the <ISAKMP-peer> section. -If no Authentication data is specified in that section, and -.Nm isakmpd -is not the initiator, it looks for Authentication data in a section named after -the initiator's phase 1 ID. -This allows mobile users with dynamic IP addresses -to have different shared secrets. -.Pp -This only works for aggressive mode because in main mode the remote -initiator ID would not yet be known. -.Pp -The name of the <Initiator-ID> section depends on the ID type sent by -the initiator. -Currently this can be: -.Bl -tag -width 12n -.It IPv4 -[A.B.C.D] -.It IPv6 -[abcd:abcd::ab:cd] -.It FQDN -[foo.bar.org] -.It UFQDN -[user@foo.bar.org] -.El -.El -.Sh FILES -.Bl -tag -width /etc/isakmpd/isakmpd.conf -.It Pa /etc/isakmpd/isakmpd.conf -The default -.Nm isakmpd -configuration file. -.It Pa /usr/share/ipsec/isakmpd/ -A directory containing some sample -.Nm isakmpd -configuration files. -.El -.Sh EXAMPLES -An example of a configuration file: -.Bd -literal -# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon. - -[General] -Listen-on= 10.1.0.2 - -# Incoming phase 1 negotiations are multiplexed on the source IP address -[Phase 1] -10.1.0.1= ISAKMP-peer-west - -# These connections are walked over after config file parsing and told -# to the application layer so that it will inform us when traffic wants to -# pass over them. -This means we can do on-demand keying. -[Phase 2] -Connections= IPsec-east-west - -# Default values are commented out. -[ISAKMP-peer-west] -Phase= 1 -#Transport= udp -Local-address= 10.1.0.2 -Address= 10.1.0.1 -#Port= isakmp -#Port= 500 -#Configuration= Default-phase-1-configuration -Authentication= mekmitasdigoat -#Flags= - -[IPsec-east-west] -Phase= 2 -ISAKMP-peer= ISAKMP-peer-west -Configuration= Default-quick-mode -Local-ID= Net-east -Remote-ID= Net-west -#Flags= - -[Net-west] -ID-type= IPV4_ADDR_SUBNET -Network= 192.168.1.0 -Netmask= 255.255.255.0 - -[Net-east] -ID-type= IPV4_ADDR_SUBNET -Network= 192.168.2.0 -Netmask= 255.255.255.0 - -# Quick mode descriptions - -[Default-quick-mode] -EXCHANGE_TYPE= QUICK_MODE -Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-AES-SHA-PFS-SUITE - -# Data for an IKE mode-config peer -[asn1_dn//C=SE/L=SomeCity/O=SomeCompany/CN=SomePeer.company.com] -Address= 192.168.1.123 -Netmask= 255.255.255.0 -Nameserver= 192.168.1.10 -WINS-server= 192.168.1.11 - -# pre-shared key based on initiator's phase 1 ID -[foo.bar.org] -Authentication= mekmitasdigoat - -# -# ##################################################################### -# All configuration data below this point is not required as the example -# uses the predefined Main Mode transform and Quick Mode suite names. -# It is included here for completeness. Note the default values for the -# [General] and [X509-certificates] sections just below. -# ##################################################################### -# - -[General] -Policy-file= /etc/isakmpd/isakmpd.policy -Retransmits= 3 -Exchange-max-time= 120 - -# KeyNote credential storage -[KeyNote] -Credential-directory= /etc/isakmpd/keynote/ - -# Certificates stored in PEM format -[X509-certificates] -CA-directory= /etc/isakmpd/ca/ -Cert-directory= /etc/isakmpd/certs/ -CRL-directory= /etc/isakmpd/crls/ -Private-key= /etc/isakmpd/private/local.key - -# Default phase 1 description (Main Mode) - -[Default-phase-1-configuration] -EXCHANGE_TYPE= ID_PROT -Transforms= 3DES-SHA - -# Main mode transforms -###################### - -# DES - -[DES-MD5] -ENCRYPTION_ALGORITHM= DES_CBC -HASH_ALGORITHM= MD5 -AUTHENTICATION_METHOD= PRE_SHARED -GROUP_DESCRIPTION= MODP_1024 -Life= Default-phase-1-lifetime - -[DES-SHA] -ENCRYPTION_ALGORITHM= DES_CBC -HASH_ALGORITHM= SHA -AUTHENTICATION_METHOD= PRE_SHARED -GROUP_DESCRIPTION= MODP_1024 -Life= Default-phase-1-lifetime - -# 3DES - -[3DES-SHA] -ENCRYPTION_ALGORITHM= 3DES_CBC -HASH_ALGORITHM= SHA -AUTHENTICATION_METHOD= PRE_SHARED -GROUP_DESCRIPTION= MODP_1024 -Life= Default-phase-1-lifetime - -# Blowfish - -[BLF-SHA] -ENCRYPTION_ALGORITHM= BLOWFISH_CBC -KEY_LENGTH= 128,96:192 -HASH_ALGORITHM= SHA -AUTHENTICATION_METHOD= PRE_SHARED -GROUP_DESCRIPTION= MODP_1024 -Life= Default-phase-1-lifetime - -# Blowfish, using DH group 4 (non-default) -[BLF-SHA-EC185] -ENCRYPTION_ALGORITHM= BLOWFISH_CBC -KEY_LENGTH= 128,96:192 -HASH_ALGORITHM= SHA -AUTHENTICATION_METHOD= PRE_SHARED -GROUP_DESCRIPTION= EC2N_185 -Life= Default-phase-1-lifetime - -# Quick mode protection suites -############################## - -# DES - -[QM-ESP-DES-SUITE] -Protocols= QM-ESP-DES - -[QM-ESP-DES-PFS-SUITE] -Protocols= QM-ESP-DES-PFS - -[QM-ESP-DES-MD5-SUITE] -Protocols= QM-ESP-DES-MD5 - -[QM-ESP-DES-MD5-PFS-SUITE] -Protocols= QM-ESP-DES-MD5-PFS - -[QM-ESP-DES-SHA-SUITE] -Protocols= QM-ESP-DES-SHA - -[QM-ESP-DES-SHA-PFS-SUITE] -Protocols= QM-ESP-DES-SHA-PFS - -# 3DES - -[QM-ESP-3DES-SHA-SUITE] -Protocols= QM-ESP-3DES-SHA - -[QM-ESP-3DES-SHA-PFS-SUITE] -Protocols= QM-ESP-3DES-SHA-PFS - -# AES - -[QM-ESP-AES-SHA-SUITE] -Protocols= QM-ESP-AES-SHA - -[QM-ESP-AES-SHA-PFS-SUITE] -Protocols= QM-ESP-AES-SHA-PFS - -# AH - -[QM-AH-MD5-SUITE] -Protocols= QM-AH-MD5 - -[QM-AH-MD5-PFS-SUITE] -Protocols= QM-AH-MD5-PFS - -# AH + ESP (non-default) - -[QM-AH-MD5-ESP-DES-SUITE] -Protocols= QM-AH-MD5,QM-ESP-DES - -[QM-AH-MD5-ESP-DES-MD5-SUITE] -Protocols= QM-AH-MD5,QM-ESP-DES-MD5 - -[QM-ESP-DES-MD5-AH-MD5-SUITE] -Protocols= QM-ESP-DES-MD5,QM-AH-MD5 - -# Quick mode protocols - -# DES - -[QM-ESP-DES] -PROTOCOL_ID= IPSEC_ESP -Transforms= QM-ESP-DES-XF - -[QM-ESP-DES-MD5] -PROTOCOL_ID= IPSEC_ESP -Transforms= QM-ESP-DES-MD5-XF - -[QM-ESP-DES-MD5-PFS] -PROTOCOL_ID= IPSEC_ESP -Transforms= QM-ESP-DES-MD5-PFS-XF - -[QM-ESP-DES-SHA] -PROTOCOL_ID= IPSEC_ESP -Transforms= QM-ESP-DES-SHA-XF - -# 3DES - -[QM-ESP-3DES-SHA] -PROTOCOL_ID= IPSEC_ESP -Transforms= QM-ESP-3DES-SHA-XF - -[QM-ESP-3DES-SHA-PFS] -PROTOCOL_ID= IPSEC_ESP -Transforms= QM-ESP-3DES-SHA-PFS-XF - -[QM-ESP-3DES-SHA-TRP] -PROTOCOL_ID= IPSEC_ESP -Transforms= QM-ESP-3DES-SHA-TRP-XF - -# AES - -[QM-ESP-AES-SHA] -PROTOCOL_ID= IPSEC_ESP -Transforms= QM-ESP-AES-SHA-XF - -[QM-ESP-AES-SHA-PFS] -PROTOCOL_ID= IPSEC_ESP -Transforms= QM-ESP-AES-SHA-PFS-XF - -[QM-ESP-AES-SHA-TRP] -PROTOCOL_ID= IPSEC_ESP -Transforms= QM-ESP-AES-SHA-TRP-XF - -# AH MD5 - -[QM-AH-MD5] -PROTOCOL_ID= IPSEC_AH -Transforms= QM-AH-MD5-XF - -[QM-AH-MD5-PFS] -PROTOCOL_ID= IPSEC_AH -Transforms= QM-AH-MD5-PFS-XF - -# Quick mode transforms - -# ESP DES+MD5 - -[QM-ESP-DES-XF] -TRANSFORM_ID= DES -ENCAPSULATION_MODE= TUNNEL -Life= Default-phase-2-lifetime - -[QM-ESP-DES-MD5-XF] -TRANSFORM_ID= DES -ENCAPSULATION_MODE= TUNNEL -AUTHENTICATION_ALGORITHM= HMAC_MD5 -Life= Default-phase-2-lifetime - -[QM-ESP-DES-MD5-PFS-XF] -TRANSFORM_ID= DES -ENCAPSULATION_MODE= TUNNEL -GROUP_DESCRIPTION= MODP_1024 -AUTHENTICATION_ALGORITHM= HMAC_MD5 -Life= Default-phase-2-lifetime - -[QM-ESP-DES-SHA-XF] -TRANSFORM_ID= DES -ENCAPSULATION_MODE= TUNNEL -AUTHENTICATION_ALGORITHM= HMAC_SHA -Life= Default-phase-2-lifetime - -# 3DES - -[QM-ESP-3DES-SHA-XF] -TRANSFORM_ID= 3DES -ENCAPSULATION_MODE= TUNNEL -AUTHENTICATION_ALGORITHM= HMAC_SHA -Life= Default-phase-2-lifetime - -[QM-ESP-3DES-SHA-PFS-XF] -TRANSFORM_ID= 3DES -ENCAPSULATION_MODE= TUNNEL -AUTHENTICATION_ALGORITHM= HMAC_SHA -GROUP_DESCRIPTION= MODP_1024 -Life= Default-phase-2-lifetime - -[QM-ESP-3DES-SHA-TRP-XF] -TRANSFORM_ID= 3DES -ENCAPSULATION_MODE= TRANSPORT -AUTHENTICATION_ALGORITHM= HMAC_SHA -Life= Default-phase-2-lifetime - -# AES - -[QM-ESP-AES-SHA-XF] -TRANSFORM_ID= AES -ENCAPSULATION_MODE= TUNNEL -AUTHENTICATION_ALGORITHM= HMAC_SHA -Life= Default-phase-2-lifetime - -[QM-ESP-AES-SHA-PFS-XF] -TRANSFORM_ID= AES -ENCAPSULATION_MODE= TUNNEL -AUTHENTICATION_ALGORITHM= HMAC_SHA -GROUP_DESCRIPTION= MODP_1024 -Life= Default-phase-2-lifetime - -[QM-ESP-AES-SHA-TRP-XF] -TRANSFORM_ID= AES -ENCAPSULATION_MODE= TRANSPORT -AUTHENTICATION_ALGORITHM= HMAC_SHA -Life= Default-phase-2-lifetime - -# AH - -[QM-AH-MD5-XF] -TRANSFORM_ID= MD5 -ENCAPSULATION_MODE= TUNNEL -AUTHENTICATION_ALGORITHM= HMAC_MD5 -Life= Default-phase-2-lifetime - -[QM-AH-MD5-PFS-XF] -TRANSFORM_ID= MD5 -ENCAPSULATION_MODE= TUNNEL -GROUP_DESCRIPTION= MODP_1024 -Life= Default-phase-2-lifetime - -[Sample-Life-Time] -LIFE_TYPE= SECONDS -LIFE_DURATION= 3600,1800:7200 - -[Sample-Life-Volume] -LIFE_TYPE= KILOBYTES -LIFE_DURATION= 1000,768:1536 -.Ed -.Sh SEE ALSO -.Xr keynote 1 , -.Xr ipsec 4 , -.Xr keynote 4 , -.Xr isakmpd.policy 5 , -.Xr isakmpd 8 -.Sh BUGS -The RFCs do not permit differing DH groups in the same proposal for -aggressive and quick mode exchanges. -Mixing both PFS and non-PFS suites in a quick mode proposal is not possible, -as PFS implies using a DH group. diff --git a/keyexchange/isakmpd-20041012/isakmpd.policy.5 b/keyexchange/isakmpd-20041012/isakmpd.policy.5 deleted file mode 100644 index 64800db..0000000 --- a/keyexchange/isakmpd-20041012/isakmpd.policy.5 +++ /dev/null @@ -1,638 +0,0 @@ -.\" $OpenBSD: isakmpd.policy.5,v 1.35 2003/10/25 20:47:47 mcbride Exp $ -.\" $EOM: isakmpd.policy.5,v 1.24 2000/11/23 12:55:25 niklas Exp $ -.\" -.\" Copyright (c) 1999-2001, Angelos D. Keromytis. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.\" -.\" Manual page, using -mandoc macros -.\" -.Dd June 15, 2002 -.Dt ISAKMPD.POLICY 5 -.Os -.Sh NAME -.Nm isakmpd.policy -.Nd policy configuration file for isakmpd -.Sh DESCRIPTION -.Nm -is the policy configuration file for the -.Nm isakmpd -daemon managing security association and key management for the -.Xr ipsec 4 -layer of the kernel's networking stack. -.Pp -The -.Xr isakmpd 8 -daemon (also known as IKE, for Internet Key Exchange) is used when two -systems need to automatically set up a pair of Security Associations -(SAs) for securely communicating using IPsec. -IKE operates in two stages: -.Pp -In the first stage (Main or Identity Protection Mode), the two IKE -daemons establish a secure link between themselves, fully -authenticating each other and establishing key material for -encrypting/authenticating future communications between them. -This step is typically only performed once for every pair of IKE daemons. -.Pp -In the second stage (also called Quick Mode), the two IKE daemons -create the pair of SAs for the parties that wish to communicate using -IPsec. -These parties may be the hosts the IKE daemons run on, a host -and a network behind a firewall, or two networks behind their -respective firewalls. -At this stage, the exact parameters of the SAs -(e.g., algorithms to use, encapsulation mode, lifetime) and the -identities of the communicating parties (hosts, networks, etc.) are -specified. -The reason for the existence of Quick Mode is to allow for fast -SA setup, once the more heavy-weight Main Mode has been completed. -Generally, Quick Mode uses the key material derived from Main Mode to -provide keys to the IPsec transforms to be used. -Alternatively, a new -Diffie-Hellman computation may be performed (significantly slowing -down the exchange, but at the same time providing Perfect Forward -Secrecy (PFS)). -Briefly, this means that even should an attacker -manage to break long-term keys used in other sessions (or, -specifically, if an attacker breaks the Diffie-Hellman exchange -performed during Main Mode), they will not be able to decrypt this -traffic. -Normally, no PFS is provided (the key material used by the -IPsec SAs established as a result of this exchange will be derived -from the key material of the Main Mode exchange), allowing for a -faster Quick Mode exchange (no public key computations). -.Pp -IKE proposals are "suggestions" by the initiator of an exchange to the -responder as to what protocols and attributes should be used on a -class of packets. -For example, a given exchange may ask for ESP with -3DES and MD5 and AH with SHA1 (applied successively on the same -packet), or just ESP with Blowfish and RIPEMD-160. -The responder -examines the proposals and determines which of them are acceptable, -according to policy and any credentials. -.Pp -The following paragraphs assume some knowledge of the contents of the -.Xr keynote 4 -and -.Xr keynote 5 -man pages. -.Pp -In the KeyNote policy model for IPsec, no distinction is currently -made based on the ordering of AH and ESP in the packet. -Should this -change in the future, an appropriate attribute (see below) will be -added. -.Pp -The goal of security policy for IKE is thus to determine, based on -local policy (provided in the -.Nm isakmpd.policy -file), credentials provided during the IKE exchanges (or obtained -through other means), the SA attributes proposed during the exchange, -and perhaps other (side-channel) information, whether a pair of SAs -should be installed in the system (in fact, whether both the IPsec SAs -and the flows should be installed). -For each proposal suggested by or -to the remote IKE daemon, the KeyNote system is consulted as to -whether the proposal is acceptable based on local policy (contained in -.Nm isakmpd.policy , -in the form of policy assertions) and remote credentials (e.g., -KeyNote credentials or X509 certificates provided by the remote IKE -daemon). -.Pp -.Nm isakmpd.policy -is simply a flat -.Xr ascii 7 -file containing KeyNote policy assertions, separated by blank lines -(note that KeyNote assertions may not contain blank lines). -.Nm isakmpd.policy -is read when -.Xr isakmpd 8 -is first started, and every time it receives a -.Dv SIGHUP -signal. -The new policies read will be used for all new Phase 2 (IPsec) -SAs established from that point on (even if the associated Phase 1 SA -was already established when the new policies were loaded). -The policy change will not affect already established Phase 2 SAs. -.Pp -For more details on KeyNote assertion format, please see -.Xr keynote 5 . -Briefly, KeyNote policy assertions used in IKE have the following -characteristics: -.Bl -bullet -.It -The Authorizer field is typically "POLICY" (but see the examples -below, for use of policy delegation). -.It -The Licensees field can be an expression of passphrases used for -authentication of the Main Mode exchanges, and/or public keys -(typically, X509 certificates), and/or X509 distinguished names. -.It -The Conditions field contains an expression of attributes from the -IPsec policy action set (see below as well as the keynote syntax man -page for more details). -.It -The ordered return-values set for IPsec policy is "false, true". -.El -.Pp -For an explanation of these fields and their semantics, see -.Xr keynote 5 . -.Pp -For example, the following policy assertion: -.Bd -literal - Authorizer: "POLICY" - Licensees: "passphrase:foobar" || "x509-base64:abcd==" || - "passphrase-md5-hex:3858f62230ac3c915f300c664312c63f" || - "passphrase-sha1-hex:8843d7f92416211de9ebb963ff4ce28125932878" - Conditions: app_domain == "IPsec policy" && esp_present == "yes" - && esp_enc_alg != "null" -> "true"; -.Ed -.Pp -says that any proposal from a remote host that authenticates using the -passphrase "foobar" or the public key contained in the X509 -certificate encoded as "abcd==" will be accepted, as long as it -contains ESP with a non-null algorithm (i.e., the packet will be -encrypted). -The last two authorizers are the MD5 and SHA1 hashes respectively of -the passphrase "foobar". -This form may be used instead of the "passphrase:..." one to protect -the passphrase as included in the policy file (or as distributed in a -signed credential). -.Pp -The following policy assertion: -.Bd -literal - Authorizer: "POLICY" - Licensees: "DN:/CN=CA Certificate" - Conditions: app_domain == "IPsec policy" && esp_present == "yes" - && esp_enc_alg != "null" -> "true"; -.Ed -.Pp -is similar to the previous one, but instead of including a complete -X509 credential in the Licensees field, only the X509 certificate's -Subject Canonical Name needs to be specified (note that the "DN:" -prefix is necessary). -.Pp -KeyNote credentials have the same format as policy assertions, with -one difference: the Authorizer field always contains a public key, and -the assertion is signed (and thus its integrity can be -cryptographically verified). -Credentials are used to build chains of delegation of authority. -They can be exchanged during an IKE exchange, -or can be retrieved through some out-of-band mechanism (no such -mechanism is currently supported in this implementation however). -See -.Xr isakmpd.conf 5 -on how to specify what credentials to send in an IKE exchange. -.Pp -Passphrases that appear in the Licensees field are encoded as the -string "passphrase:", followed by the passphrase itself -(case-sensitive). -Alternatively (and preferably), they may be encoded using the -"passphrase-md5-hex:" or "passphrase-sha1-hex:" prefixes, followed -by the -.Xr md5 1 -or -.Xr sha1 1 -hash of the passphrase itself, encoded as a hexadecimal string (using -lower-case letters only). -.Pp -When X509-based authentication is performed in Main Mode, any X509 -certificates received from the remote IKE daemon are converted to very -simple KeyNote credentials. -The conversion is straightforward: the -issuer of the X509 certificate becomes the Authorizer of the KeyNote -credential, the subject becomes the only Licensees entry, while the -Conditions field simply asserts that the credential is only valid for -"IPsec policy" use (see the app_domain action attribute below). -.Pp -Similarly, any X509 CA certificates present in the directory pointed -to by the appropriate -.Xr isakmpd.conf 5 -entry, are converted to such pseudo-credentials. -This allows one to -write KeyNote policies that delegate specific authority to CAs (and -the keys those CAs certify, recursively). -.Pp -For more details on KeyNote assertion format, see -.Xr keynote 5 . -.Pp -Information about the proposals, the identity of the remote IKE -daemon, the packet classes to be protected, etc. are encoded in what -is called an action set. -The action set is composed of name-value -attributes, similar in some ways to shell environment variables. -These values are initialized by -.Nm isakmpd -before each query to the KeyNote system, and can be tested against in -the Conditions field of assertions. -See -.Xr keynote 4 -and -.Xr keynote 5 -for more details on the format and semantics of the Conditions field. -.Pp -Note that assertions and credentials can make references to -non-existent attributes without catastrophic failures (access may be -denied, depending on the overall structure, but will not be -accidentally granted). -One reason for credentials referencing -non-existent attributes is that they were defined within a specific -implementation or network only. -.Pp -In the following attribute set, IPv4 addresses are encoded as ASCII -strings in the usual dotted-quad format. -However, all quads are three digits long. -For example, the IPv4 address -.Va 10.128.1.12 -would be encoded as -.Va 010.128.001.012 . -Similarly, IPv6 addresses are encoded in the standard x:x:x:x:x:x:x:x -format, where the 'x's are the hexadecimal values of the eight 16-bit -pieces of the address. -All 'x's are four digits long. -For example, the address -.Va 1080:0:12:0:8:800:200C:417A -would be encoded as -.Va 1080:0000:0012:0000:0008:0800:200C:417A . -.Pp -The following attributes are currently defined: -.Bl -tag -width -indent -.It app_domain -Always set to -.Va IPsec policy . -.It doi -Always set to -.Va ipsec . -.It initiator -Set to -.Va yes -if the local daemon is initiating the Phase 2 SA, -.Va no -otherwise. -.It phase_1 -Set to -.Va aggressive -if aggressive mode was used to establish the Phase 1 SA, or -.Va main -if main mode was used instead. -.It pfs -Set to -.Va yes -if a Diffie-Hellman exchange will be performed during this Quick Mode, -.Va no -otherwise. -.It ah_present, esp_present, comp_present -Set to -.Va yes -if an AH, ESP, or compression proposal was received respectively, -.Va no -otherwise. -.It ah_hash_alg -One of -.Va md5 , -.Va sha , -.Va ripemd , -.Va sha2-256 , -.Va sha2-385 , -.Va sha2-512 , -or -.Va des , -based on the hash algorithm specified in the AH proposal. -This attribute describes the generic transform to be used in the AH -authentication. -.It esp_enc_alg -One of -.Va des , -.Va des-iv64 , -.Va 3des , -.Va rc4 , -.Va idea , -.Va cast , -.Va blowfish , -.Va 3idea , -.Va des-iv32 , -.Va rc4 , -.Va null , -or -.Va aes , -based on the encryption algorithm specified in the ESP proposal. -.It comp_alg -One of -.Va oui , -.Va deflate , -.Va lzs , -or -.Va v42bis , -based on the compression algorithm specified in the compression -proposal. -.It ah_auth_alg -One of -.Va hmac-md5 , -.Va hmac-sha , -.Va des-mac , -.Va kpdk , -.Va hmac-sha2-256 , -.Va hmac-sha2-385 , -.Va hmac-sha2-512 , -or -.Va hmac-ripemd . -based on the authentication method specified in the AH proposal. -.It esp_auth_alg -One of -.Va hmac-md5 , -.Va hmac-sha , -.Va des-mac , -.Va kpdk , -.Va hmac-sha2-256 , -.Va hmac-sha2-385 , -.Va hmac-sha2-512 , -or -.Va hmac-ripemd -based on the authentication method specified in the ESP proposal. -.It ah_life_seconds, esp_life_seconds, comp_life_seconds -Set to the lifetime of the AH, ESP, and compression proposal, in -seconds. -If no lifetime was proposed for the corresponding protocol -(e.g., there was no proposal for AH), the corresponding attribute will -be set to zero. -.It ah_life_kbytes, esp_life_kbytes, comp_life_kbytes -Set to the lifetime of the AH, ESP, and compression proposal, in -kbytes of traffic. -If no lifetime was proposed for the corresponding -protocol (e.g., there was no proposal for AH), the corresponding -attribute will be set to zero. -.It ah_encapsulation, esp_encapsulation, comp_encapsulation -Set to -.Va tunnel -or -.Va transport , -based on the AH, ESP, and compression proposal. -.It ah_ecn, esp_ecn, comp_ecn -Set to -.Va yes -or -.Va no , -based on whether ECN was requested for the IPsec tunnel. -.It comp_dict_size -Specifies the log2 maximum size of the dictionary, according to the -compression proposal. -.It comp_private_alg -Set to an integer specifying the private algorithm in use, according -to the compression proposal. -.It ah_key_length, esp_key_length -The number of key bits to be used by the authentication and encryption -algorithms respectively (for variable key-size algorithms). -.It ah_key_rounds, esp_key length -The number of rounds of the authentication and encryption algorithms -respectively (for variable round algorithms). -.It ah_group_desc, esp_group_desc, comp_group_desc -The Diffie-Hellman group identifier from the AH, ESP, and compression -proposal, used for PFS during Quick Mode (see the pfs attribute -above). -If more than one of these attributes are set to a value other -than zero, they should have the same value (in valid IKE proposals). -Valid values are 1 (768-bit MODP), 2 (1024-bit MODP), 3 (155-bit EC), -4 (185-bit EC), and 5 (1536-bit MODP). -.It phase1_group_desc -The Diffie-Hellman group identifier used in IKE Phase 1. -Takes the same values as -.Va ah_group_desc . -.It remote_filter_type, local_filter_type, remote_id_type -Set to -.Va IPv4 address , -.Va IPv4 range , -.Va IPv4 subnet , -.Va IPv6 address , -.Va IPv6 range , -.Va IPv6 subnet , -.Va FQDN , -.Va User FQDN , -.Va ASN1 DN , -.Va ASN1 GN , -or -.Va Key ID , -based on the Quick Mode Initiator ID, Quick Mode Responder ID, and -Main Mode peer ID respectively. -.It remote_filter_addr_upper, local_filter_addr_upper, remote_id_addr_upper -When the corresponding filter_type is -.Va IPv4 address -or -.Va IPv6 address , -these contain the respective address. -For -.Va IPv4 range -or -.Va IPv6 range , -they contain the upper end of the address range. -For -.Va IPv4 subnet -or -.Va IPv6 subnet , -they contain the highest address in the specified subnet. -.It remote_filter_addr_lower, local_filter_addr_lower, remote_id_addr_lower -When the corresponding filter_type is -.Va IPv4 address -or -.Va IPv6 address , -these contain the respective address. -For -.Va IPv4 range -or -.Va IPv6 range , -these contain the lower end of the address range. -For -.Va IPv4 subnet -or -.Va IPv6 subnet , -these contain the lowest address in the specified subnet. -.It remote_filter, local_filter, remote_id -When the corresponding filter_type specifies an address range or -subnet, these are set to the upper and lower part of the address -space separated by a dash ('-') character (if the type specifies a -single address, they are set to that address). -.Pp -For FQDN and User FQDN types, these are set to the respective string. -For Key ID, these are set to the hexadecimal representation of the -associated byte string (lower-case letters used) if the Key ID payload -contains non-printable characters. -Otherwise, they are set to the respective string. -.Pp -For ASN1 DN, these are set to the text encoding of the Distinguished -Name in the payload sent or received. -The format is the same as that used in the Licensees field. -.It remote_filter_port, local_filter_port, remote_id_port -Set to the transport protocol port. -.It remote_filter_proto, local_filter_proto, remote_id_proto -Set to -.Va etherip , -.Va tcp , -.Va udp , -or the transport protocol number, depending on the transport protocol set -in the IDci, IDcr, and Main Mode peer ID respectively. -.It remote_negotiation_address -Set to the IPv4 or IPv6 address of the remote IKE daemon. -.It local_negotiation_address -Set to the IPv4 or IPv6 address of the local interface used by the local IKE -daemon for this exchange. -.It GMTTimeOfDay -Set to the UTC date/time, in YYYYMMDDHHmmSS format. -.It LocalTimeOfDay -Set to the local date/time, in YYYYMMDDHHmmSS format. -.El -.Sh FILES -.Bl -tag -width /etc/isakmpd/isakmpd.policy -.It Pa /etc/isakmpd/isakmpd.policy -The default -.Nm isakmpd -policy configuration file. -.It Pa /usr/share/ipsec/isakmpd/policy -A sample -.Nm isakmpd -policy configuration file. -.El -.Sh EXAMPLES -.Bd -literal - Authorizer: "POLICY" - Comment: This bare-bones assertion accepts everything - - - - Authorizer: "POLICY" - Licensees: "passphrase-md5-hex:10838982612aff543e2e62a67c786550" - Comment: This policy accepts anyone using shared-secret - authentication using the password mekmitasisgoat, - and does ESP with some form of encryption (not null). - Conditions: app_domain == "IPsec policy" && - esp_present == "yes" && - esp_enc_alg != "null" -> "true"; - - - - Authorizer: "POLICY" - Licensees: "subpolicy1" || "subpolicy2" - Comment: Delegate to two other sub-policies, so we - can manage our policy better. Since these subpolicies - are not "owned" by a key (and are thus unsigned), they - have to be in isakmpd.policy. - Conditions: app_domain == "IPsec policy"; - - - - KeyNote-Version: 2 - Licensees: "passphrase-md5-hex:9c42a1346e333a770904b2a2b37fa7d3" - Conditions: esp_present == "yes" -> "true"; - Authorizer: "subpolicy1" - - - - Conditions: ah_present == "yes" -> - { - ah_auth_alg == "md5" -> "true"; - ah_auth_alg == "sha" && - esp_present == "no" -> "true"; - }; - Licensees: "passphrase:otherpassword" || - "passphrase-sha1-hex:f5ed6e4abd30c36a89409b5da7ecb542c9fbf00f" - Authorizer: "subpolicy2" - - - - keynote-version: 2 - comment: this is an example of a policy delegating to a CN. - authorizer: "POLICY" - licensees: "DN:/CN=CA Certificate/emailAddress=ca@foo.bar.com" - - - - keynote-version: 2 - comment: This is an example of a policy delegating to a key. - authorizer: "POLICY" - licensees: "x509-base64:MIICGDCCAYGgAwIBAgIBADANBgkqhkiG9w0BAQQ\\ - FADBSMQswCQYDVQQGEwJHQjEOMAwGA1UEChMFQmVuQ28xETAPBg\\ - NVBAMTCEJlbkNvIENBMSAwHgYJKoZIhvcNAQkBFhFiZW5AYWxnc\\ - m91cC5jby51azAeFw05OTEwMTEyMjQ5MzhaFw05OTExMTAyMjQ5\\ - MzhaMFIxCzAJBgNVBAYTAkdCMQ4wDAYDVQQKEwVCZW5DbzERMA8\\ - GA1UEAxMIQmVuQ28gQ0ExIDAeBgkqhkiG9w0BCQEWEWJlbkBhbG\\ - dyb3VwLmNvLnVrMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBg\\ - QCxyAte2HEVouXg1Yu+vDihbnjDRn+6k00Rv6cZqbwA3BQ30mC/\\ - 3TFJ09VGXCaM0UKfpnxIpkBYLmOA3FWkKI0RvPU7E1AhKkhC1Ds\\ - PSBFjYHrB15T5lYzgfwKJCIxTDzZDx2iobUgPa0FRNGVUjpQ4/k\\ - MJ2BF4Wh7zY3X08rMzsQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBA\\ - DWJ5pbTcE7iKHWLQTMYiz8i9jGi5+Eo1yr1Bab90tgaGQV0zrRH\\ - jDHgAAy1h8WSXuyQrXfgbx2rnWFPhx9CfmuAXn7sZmQE3mnUqeP\\ - ZL2dW87jdBGqtoUdNcoz5zKBkC943yasNui/O01MiqgadTThTJH\\ - d1Pn17LbJC1ZVRNjR5" - conditions: app_domain == "IPsec policy" && doi == "ipsec" && - pfs == "yes" && esp_present == "yes" && ah_present == "no" && - (esp_enc_alg == "3des" || esp_enc_alg == "aes") -> "true"; - - - - keynote-version: 2 - comment: This is an example of a credential, the signature does - not really verify (although the keys are real). - licensees: "x509-base64:MIICGDCCAYGgAwIBAgIBADANBgkqhkiG9w0BAQQ\\ - FADBSMQswCQYDVQQGEwJHQjEOMAwGA1UEChMFQmVuQ28xETAPBg\\ - NVBAMTCEJlbkNvIENBMSAwHgYJKoZIhvcNAQkBFhFiZW5AYWxnc\\ - m91cC5jby51azAeFw05OTEwMTEyMzA2MjJaFw05OTExMTAyMzA2\\ - MjJaMFIxCzAJBgNVBAYTAkdCMQ4wDAYDVQQKEwVCZW5DbzERMA8\\ - GA1UEAxMIQmVuQ28gQ0ExIDAeBgkqhkiG9w0BCQEWEWJlbkBhbG\\ - dyb3VwLmNvLnVrMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBg\\ - QDaCs+JAB6YRKAVkoi1NkOpE1V3syApjBj0Ahjq5HqYAACo1JhM\\ - +QsPwuSWCNhBT51HX6G6UzfY3mOUz/vou6MJ/wor8EdeTX4nucx\\ - NSz/r6XI262aXezAp+GdBviuJZx3Q67ON/IWYrB4QtvihI4bMn5\\ - E55nF6TKtUMJTdATvs/wIDAQABMA0GCSqGSIb3DQEBBAUAA4GBA\\ - MaQOSkaiR8id0h6Zo0VSB4HpBnjpWqz1jNG8N4RPN0W8muRA2b9\\ - 85GNP1bkC3fK1ZPpFTB0A76lLn11CfhAf/gV1iz3ELlUHo5J8nx\\ - Pu6XfsGJm3HsXJOuvOog8Aean4ODo4KInuAsnbLzpGl0d+Jqa5u\\ - TZUxsyg4QOBwYEU92H" - authorizer: "x509-base64:MIICGDCCAYGgAwIBAgIBADANBgkqhkiG9w0BAQQ\\ - FADBSMQswCQYDVQQGEwJHQjEOMAwGA1UEChMFQmVuQ28xETAPBg\\ - NVBAMTCEJlbkNvIENBMSAwHgYJKoZIhvcNAQkBFhFiZW5AYWxnc\\ - m91cC5jby51azAeFw05OTEwMTEyMjQ5MzhaFw05OTExMTAyMjQ5\\ - MzhaMFIxCzAJBgNVBAYTAkdCMQ4wDAYDVQQKEwVCZW5DbzERMA8\\ - GA1UEAxMIQmVuQ28gQ0ExIDAeBgkqhkiG9w0BCQEWEWJlbkBhbG\\ - dyb3VwLmNvLnVrMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBg\\ - QCxyAte2HEVouXg1Yu+vDihbnjDRn+6k00Rv6cZqbwA3BQ30mC/\\ - 3TFJ09VGXCaM0UKfpnxIpkBYLmOA3FWkKI0RvPU7E1AhKkhC1Ds\\ - PSBFjYHrB15T5lYzgfwKJCIxTDzZDx2iobUgPa0FRNGVUjpQ4/k\\ - MJ2BF4Wh7zY3X08rMzsQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBA\\ - DWJ5pbTcE7iKHWLQTMYiz8i9jGi5+Eo1yr1Bab90tgaGQV0zrRH\\ - jDHgAAy1h8WSXuyQrXfgbx2rnWFPhx9CfmuAXn7sZmQE3mnUqeP\\ - ZL2dW87jdBGqtoUdNcoz5zKBkC943yasNui/O01MiqgadTThTJH\\ - d1Pn17LbJC1ZVRNjR5" -conditions: app_domain == "IPsec policy" && doi == "ipsec" && - pfs == "yes" && esp_present == "yes" && ah_present == "no" && - (esp_enc_alg == "3des" || esp_enc_alg == "aes") -> "true"; -Signature: "sig-x509-sha1-base64:ql+vrUxv14DcBOQHR2jsbXayq6T\\ - mmtMiUB745a8rjwSrQwh+KIVDlUrghPnqhSIkWSDi9oWWMbfg\\ - mkdudZ0wjgeTLMI2NI4GibMMsToakOKMex/0q4cpdpln3DKcQ\\ - IcjzRv4khDws69FT3QfELjcpShvbLrXmh1Z00OFmxjyqDw=" -.Ed -.Sh SEE ALSO -.Xr ipsec 4 , -.Xr keynote 4 , -.Xr keynote 5 , -.Xr isakmpd 8 -.Sh BUGS -A more sane way of expressing IPv6 address ranges is needed. diff --git a/keyexchange/isakmpd-20041012/key.c b/keyexchange/isakmpd-20041012/key.c deleted file mode 100644 index bc3c9fc..0000000 --- a/keyexchange/isakmpd-20041012/key.c +++ /dev/null @@ -1,213 +0,0 @@ -/* $OpenBSD: key.c,v 1.19 2004/09/17 13:53:08 ho Exp $ */ -/* - * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu) - * - * Copyright (c) 2000-2001 Angelos D. Keromytis. - * - * Permission to use, copy, and modify this software with or without fee - * is hereby granted, provided that this entire notice is included in - * all copies of any software which is or includes a copy or - * modification of this software. - * You may use this code under the GNU public license if you so wish. Please - * contribute changes back to the authors under this freer than GPL license - * so that we may further the use of strong encryption without limitations to - * all. - * - * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY - * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE - * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR - * PURPOSE. - */ - -#include <string.h> -#include <stdlib.h> - -#include "sysdep.h" - -#include "key.h" -#include "libcrypto.h" -#include "log.h" -#include "util.h" -#ifdef USE_X509 -#include "x509.h" -#endif - -void -key_free(int type, int private, void *key) -{ - switch (type) { - case ISAKMP_KEY_PASSPHRASE: - free(key); - break; - case ISAKMP_KEY_RSA: -#ifdef USE_X509 - RSA_free(key); - break; -#endif - case ISAKMP_KEY_NONE: - default: - log_error("key_free: unknown/unsupportedkey type %d", type); - break; - } -} - -/* Convert from internal form to serialized */ -void -key_serialize(int type, int private, void *key, u_int8_t **data, - size_t *datalenp) -{ -#ifdef USE_X509 - u_int8_t *p; - size_t datalen; -#endif - - switch (type) { - case ISAKMP_KEY_PASSPHRASE: - *datalenp = strlen((char *)key); - *data = (u_int8_t *)strdup((char *)key); - break; - case ISAKMP_KEY_RSA: -#ifdef USE_X509 - switch (private) { - case ISAKMP_KEYTYPE_PUBLIC: - datalen = i2d_RSAPublicKey((RSA *)key, NULL); - *data = p = malloc(datalen); - if (!p) { - log_error("key_serialize: malloc (%lu) failed", - (unsigned long)datalen); - return; - } - *datalenp = i2d_RSAPublicKey((RSA *) key, &p); - break; - - case ISAKMP_KEYTYPE_PRIVATE: - datalen = i2d_RSAPrivateKey((RSA *)key, NULL); - *data = p = malloc(datalen); - if (!p) { - log_error("key_serialize: malloc (%lu) failed", - (unsigned long)datalen); - return; - } - *datalenp = i2d_RSAPrivateKey((RSA *)key, &p); - break; - } -#endif - break; - default: - log_error("key_serialize: unknown/unsupported key type %d", - type); - break; - } -} - -/* Convert from serialized to printable */ -char * -key_printable(int type, int private, u_int8_t *data, int datalen) -{ -#ifdef USE_X509 - char *s; - int i; -#endif - - switch (type) { - case ISAKMP_KEY_PASSPHRASE: - return strdup((char *)data); - - case ISAKMP_KEY_RSA: -#ifdef USE_X509 - s = malloc(datalen * 2 + 1); - if (!s) { - log_error("key_printable: malloc (%d) failed", - datalen * 2 + 1); - return 0; - } - for (i = 0; i < datalen; i++) - snprintf(s + (2 * i), 2 * (datalen - i) + 1, "%02x", - data[i]); - return s; -#endif - - default: - log_error("key_printable: unknown/unsupported key type %d", - type); - return 0; - } -} - -/* Convert from serialized to internal. */ -void * -key_internalize(int type, int private, u_int8_t *data, int datalen) -{ - switch (type) { - case ISAKMP_KEY_PASSPHRASE: - return strdup((char *)data); - case ISAKMP_KEY_RSA: -#ifdef USE_X509 - switch (private) { -#if OPENSSL_VERSION_NUMBER >= 0x00907000L - case ISAKMP_KEYTYPE_PUBLIC: - return d2i_RSAPublicKey(NULL, - (const u_int8_t **)&data, datalen); - case ISAKMP_KEYTYPE_PRIVATE: - return d2i_RSAPrivateKey(NULL, - (const u_int8_t **)&data, datalen); -#else - case ISAKMP_KEYTYPE_PUBLIC: - return d2i_RSAPublicKey(NULL, &data, datalen); - case ISAKMP_KEYTYPE_PRIVATE: - return d2i_RSAPrivateKey(NULL, &data, datalen); -#endif - default: - log_error("key_internalize: not public or private " - "RSA key passed"); - return 0; - } - break; -#endif /* USE_X509 */ - default: - log_error("key_internalize: unknown/unsupported key type %d", - type); - break; - } - - return 0; -} - -/* Convert from printable to serialized */ -void -key_from_printable(int type, int private, char *key, u_int8_t **data, - u_int32_t *datalenp) -{ -#ifdef USE_X509 - u_int32_t datalen; -#endif - - switch (type) { - case ISAKMP_KEY_PASSPHRASE: - *datalenp = strlen(key); - *data = (u_int8_t *) strdup(key); - break; - - case ISAKMP_KEY_RSA: -#ifdef USE_X509 - datalen = (strlen(key) + 1) / 2; /* Round up, just in case */ - *data = malloc(datalen); - if (!*data) { - log_error("key_from_printable: malloc (%d) failed", - datalen); - *datalenp = 0; - return; - } - *datalenp = hex2raw(key, *data, datalen); - break; -#endif - - default: - log_error("key_from_printable: " - "unknown/unsupported key type %d", type); - *data = NULL; - *datalenp = 0; - break; - } -} diff --git a/keyexchange/isakmpd-20041012/key.h b/keyexchange/isakmpd-20041012/key.h deleted file mode 100644 index 81b1328..0000000 --- a/keyexchange/isakmpd-20041012/key.h +++ /dev/null @@ -1,39 +0,0 @@ -/* $OpenBSD: key.h,v 1.7 2004/04/15 18:39:26 deraadt Exp $ */ -/* - * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu) - * - * Copyright (c) 2000-2001 Angelos D. Keromytis. - * - * Permission to use, copy, and modify this software with or without fee - * is hereby granted, provided that this entire notice is included in - * all copies of any software which is or includes a copy or - * modification of this software. - * You may use this code under the GNU public license if you so wish. Please - * contribute changes back to the authors under this freer than GPL license - * so that we may further the use of strong encryption without limitations to - * all. - * - * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY - * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE - * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR - * PURPOSE. - */ - -#ifndef _KEY_H_ -#define _KEY_H_ - -#define ISAKMP_KEY_NONE 0 -#define ISAKMP_KEY_PASSPHRASE 1 -#define ISAKMP_KEY_RSA 2 -#define ISAKMP_KEY_DSA 3 - -#define ISAKMP_KEYTYPE_PUBLIC 0 -#define ISAKMP_KEYTYPE_PRIVATE 1 - -void key_free(int, int, void *); -void key_serialize(int, int, void *, u_int8_t **, size_t *); -char *key_printable(int, int, u_int8_t *, int); -void key_from_printable(int, int, char *, u_int8_t **, u_int32_t *); -void *key_internalize(int, int, u_int8_t *, int); -#endif /* _KEY_H_ */ diff --git a/keyexchange/isakmpd-20041012/libcrypto.c b/keyexchange/isakmpd-20041012/libcrypto.c deleted file mode 100644 index d66c58a..0000000 --- a/keyexchange/isakmpd-20041012/libcrypto.c +++ /dev/null @@ -1,49 +0,0 @@ -/* $OpenBSD: libcrypto.c,v 1.16 2004/04/15 18:39:26 deraadt Exp $ */ -/* $EOM: libcrypto.c,v 1.14 2000/09/28 12:53:27 niklas Exp $ */ - -/* - * Copyright (c) 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. - * Copyright (c) 1999, 2000 Angelos D. Keromytis. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include "sysdep.h" -#include "libcrypto.h" - -void -libcrypto_init(void) -{ -#if defined (USE_X509) && defined (USE_LIBCRYPTO) - - /* Add all algorithms known by SSL */ -#if OPENSSL_VERSION_NUMBER >= 0x00905100L - OpenSSL_add_all_algorithms(); -#else - SSLeay_add_all_algorithms(); -#endif - -#endif /* USE_X509 && USE_LIBCRYPTO */ -} diff --git a/keyexchange/isakmpd-20041012/libcrypto.h b/keyexchange/isakmpd-20041012/libcrypto.h deleted file mode 100644 index e9581bf..0000000 --- a/keyexchange/isakmpd-20041012/libcrypto.h +++ /dev/null @@ -1,52 +0,0 @@ -/* $OpenBSD: libcrypto.h,v 1.16 2004/04/15 18:39:26 deraadt Exp $ */ -/* $EOM: libcrypto.h,v 1.16 2000/09/28 12:53:27 niklas Exp $ */ - -/* - * Copyright (c) 1999, 2000 Niklas Hallqvist. All rights reserved. - * Copyright (c) 1999, 2000 Angelos D. Keromytis. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _LIBCRYPTO_H_ -#define _LIBCRYPTO_H_ - -#ifdef USE_X509 - -#include <stdio.h> - -/* XXX I want #include <ssl/cryptall.h> but we appear to not install meth.h */ -#include <openssl/ssl.h> -#include <openssl/bio.h> -#include <openssl/md5.h> -#include <openssl/pem.h> -#include <openssl/x509_vfy.h> -#include <openssl/x509.h> - -#endif /* USE_X509 */ - -extern void libcrypto_init(void); - -#endif /* _LIBCRYPTO_H_ */ diff --git a/keyexchange/isakmpd-20041012/log.c b/keyexchange/isakmpd-20041012/log.c deleted file mode 100644 index 5d8080c..0000000 --- a/keyexchange/isakmpd-20041012/log.c +++ /dev/null @@ -1,706 +0,0 @@ -/* $OpenBSD: log.c,v 1.49 2004/08/08 19:11:06 deraadt Exp $ */ -/* $EOM: log.c,v 1.30 2000/09/29 08:19:23 niklas Exp $ */ - -/* - * Copyright (c) 1998, 1999, 2001 Niklas Hallqvist. All rights reserved. - * Copyright (c) 1999, 2000, 2001, 2003 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/types.h> -#include <sys/time.h> - -#ifdef USE_DEBUG -#include <sys/socket.h> -#include <sys/stat.h> -#include <sys/uio.h> -#include <netinet/in.h> -#include <netinet/in_systm.h> -#include <netinet/ip.h> -#include <netinet/ip6.h> -#include <netinet/udp.h> -#include <arpa/inet.h> - -#ifdef HAVE_PCAP -#include <pcap.h> -#else -#include "sysdep/common/pcap.h" -#endif - -#endif /* USE_DEBUG */ - -#include <errno.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <syslog.h> -#include <stdarg.h> -#include <unistd.h> - -#include "conf.h" -#include "isakmp_num.h" -#include "log.h" -#include "monitor.h" -#include "util.h" - -static void _log_print(int, int, const char *, va_list, int, int); - -static FILE *log_output; - -int verbose_logging = 0; -#if defined (USE_DEBUG) -static int log_level[LOG_ENDCLASS]; - -#define TCPDUMP_MAGIC 0xa1b2c3d4 -#define SNAPLEN (64 * 1024) - -struct packhdr { - struct pcap_pkthdr pcap;/* pcap file packet header */ - union { - struct ip ip4; /* IPv4 header (w/o options) */ - struct ip6_hdr ip6; /* IPv6 header */ - } ip; -}; - -struct isakmp_hdr { - u_int8_t icookie[8], rcookie[8]; - u_int8_t next, ver, type, flags; - u_int32_t msgid, len; -}; - -static char *pcaplog_file = NULL; -static FILE *packet_log; -static u_int8_t *packet_buf = NULL; - -static int udp_cksum(struct packhdr *, const struct udphdr *, - u_int16_t *, int); -static u_int16_t in_cksum(const u_int16_t *, int); -#endif /* USE_DEBUG */ - -void -log_init(int debug) -{ - if (debug) - log_output = stderr; - else - log_to(0); /* syslog */ -} - -void -log_reinit(void) -{ - struct conf_list *logging; -#ifdef USE_DEBUG - struct conf_list_node *logclass; - int class, level; -#endif /* USE_DEBUG */ - - logging = conf_get_list("General", "Logverbose"); - if (logging) { - verbose_logging = 1; - conf_free_list(logging); - } -#ifdef USE_DEBUG - logging = conf_get_list("General", "Loglevel"); - if (!logging) - return; - - for (logclass = TAILQ_FIRST(&logging->fields); logclass; - logclass = TAILQ_NEXT(logclass, link)) { - if (sscanf(logclass->field, "%d=%d", &class, &level) != 2) { - if (sscanf(logclass->field, "A=%d", &level) == 1) - for (class = 0; class < LOG_ENDCLASS; class++) - log_debug_cmd(class, level); - else { - log_print("init: invalid logging class or " - "level: %s", logclass->field); - continue; - } - } else - log_debug_cmd(class, level); - } - conf_free_list(logging); -#endif /* USE_DEBUG */ -} - -void -log_to(FILE *f) -{ - if (!log_output && f) - closelog(); - log_output = f; - if (!f) - openlog("isakmpd", LOG_PID | LOG_CONS, LOG_DAEMON); -} - -FILE * -log_current(void) -{ - return log_output; -} - -static char * -_log_get_class(int error_class) -{ - /* XXX For test purposes. To be removed later on? */ - static char *class_text[] = LOG_CLASSES_TEXT; - - if (error_class < 0) - return "Dflt"; - else if (error_class >= LOG_ENDCLASS) - return "Unkn"; - else - return class_text[error_class]; -} - -static void -_log_print(int error, int syslog_level, const char *fmt, va_list ap, - int class, int level) -{ - char buffer[LOG_SIZE], nbuf[LOG_SIZE + 32]; - static const char fallback_msg[] = - "write to log file failed (errno %d), redirecting to syslog"; - int len; - struct tm *tm; - struct timeval now; - time_t t; - - len = vsnprintf(buffer, sizeof buffer, fmt, ap); - if (len > 0 && len < (int) sizeof buffer - 1 && error) - snprintf(buffer + len, sizeof buffer - len, ": %s", - strerror(errno)); - if (log_output) { - gettimeofday(&now, 0); - t = now.tv_sec; - tm = localtime(&t); - if (class >= 0) - snprintf(nbuf, sizeof nbuf, - "%02d%02d%02d.%06ld %s %02d ", - tm->tm_hour, tm->tm_min, tm->tm_sec, now.tv_usec, - _log_get_class(class), level); - else /* LOG_PRINT (-1) or LOG_REPORT (-2) */ - snprintf(nbuf, sizeof nbuf, "%02d%02d%02d.%06ld %s ", - tm->tm_hour, tm->tm_min, tm->tm_sec, now.tv_usec, - class == LOG_PRINT ? "Default" : "Report>"); - strlcat(nbuf, buffer, sizeof nbuf); -#if defined (USE_PRIVSEP) - strlcat(nbuf, getuid() ? "" : " [priv]", LOG_SIZE + 32); -#endif - strlcat(nbuf, "\n", sizeof nbuf); - - if (fwrite(nbuf, strlen(nbuf), 1, log_output) == 0) { - /* Report fallback. */ - syslog(LOG_ALERT, fallback_msg, errno); - fprintf(log_output, fallback_msg, errno); - - /* - * Close log_output to prevent isakmpd from locking - * the file. We may need to explicitly close stdout - * to do this properly. - * XXX - Figure out how to match two FILE *'s and - * rewrite. - */ - if (fileno(log_output) != -1 && - fileno(stdout) == fileno(log_output)) - fclose(stdout); - fclose(log_output); - - /* Fallback to syslog. */ - log_to(0); - - /* (Re)send current message to syslog(). */ - syslog(class == LOG_REPORT ? LOG_ALERT : - syslog_level, "%s", buffer); - } - } else - syslog(class == LOG_REPORT ? LOG_ALERT : syslog_level, "%s", - buffer); -} - -#ifdef USE_DEBUG -void -log_debug(int cls, int level, const char *fmt, ...) -{ - va_list ap; - - /* - * If we are not debugging this class, or the level is too low, just - * return. - */ - if (cls >= 0 && (log_level[cls] == 0 || level > log_level[cls])) - return; - va_start(ap, fmt); - _log_print(0, LOG_INFO, fmt, ap, cls, level); - va_end(ap); -} - -void -log_debug_buf(int cls, int level, const char *header, const u_int8_t *buf, - size_t sz) -{ - size_t i, j; - char s[73]; - - /* - * If we are not debugging this class, or the level is too low, just - * return. - */ - if (cls >= 0 && (log_level[cls] == 0 || level > log_level[cls])) - return; - - log_debug(cls, level, "%s:", header); - for (i = j = 0; i < sz;) { - snprintf(s + j, sizeof s - j, "%02x", buf[i++]); - j += 2; - if (i % 4 == 0) { - if (i % 32 == 0) { - s[j] = '\0'; - log_debug(cls, level, "%s", s); - j = 0; - } else - s[j++] = ' '; - } - } - if (j) { - s[j] = '\0'; - log_debug(cls, level, "%s", s); - } -} - -void -log_debug_cmd(int cls, int level) -{ - if (cls < 0 || cls >= LOG_ENDCLASS) { - log_print("log_debug_cmd: invalid debugging class %d", cls); - return; - } - if (level < 0) { - log_print("log_debug_cmd: invalid debugging level %d for " - "class %d", level, cls); - return; - } - if (level == log_level[cls]) - log_print("log_debug_cmd: log level unchanged for class %d", - cls); - else { - log_print("log_debug_cmd: log level changed from %d to %d " - "for class %d", log_level[cls], level, cls); - log_level[cls] = level; - } -} - -void -log_debug_toggle(void) -{ - static int log_level_copy[LOG_ENDCLASS], toggle = 0; - - if (!toggle) { - LOG_DBG((LOG_MISC, 50, "log_debug_toggle: " - "debug levels cleared")); - memcpy(&log_level_copy, &log_level, sizeof log_level); - memset(&log_level, 0, sizeof log_level); - } else { - memcpy(&log_level, &log_level_copy, sizeof log_level); - LOG_DBG((LOG_MISC, 50, "log_debug_toggle: " - "debug levels restored")); - } - toggle = !toggle; -} -#endif /* USE_DEBUG */ - -void -log_print(const char *fmt, ...) -{ - va_list ap; - - va_start(ap, fmt); - _log_print(0, LOG_NOTICE, fmt, ap, LOG_PRINT, 0); - va_end(ap); -} - -void -log_verbose(const char *fmt, ...) -{ - va_list ap; -#ifdef USE_DEBUG - int i; -#endif /* USE_DEBUG */ - - if (verbose_logging == 0) - return; - -#ifdef USE_DEBUG - for (i = 0; i < LOG_ENDCLASS; i++) - if (log_level[i] > 0) - return; -#endif - - va_start(ap, fmt); - _log_print(0, LOG_NOTICE, fmt, ap, LOG_PRINT, 0); - va_end(ap); -} - -void -log_error(const char *fmt, ...) -{ - va_list ap; - - va_start(ap, fmt); - _log_print(1, LOG_ERR, fmt, ap, LOG_PRINT, 0); - va_end(ap); -} - -void -log_fatal(const char *fmt, ...) -{ - va_list ap; - - va_start(ap, fmt); - _log_print(1, LOG_CRIT, fmt, ap, LOG_PRINT, 0); - va_end(ap); -#ifdef USE_PRIVSEP - monitor_exit(1); -#else - exit(1); -#endif -} - -#ifdef USE_DEBUG -void -log_packet_init(char *newname) -{ - struct pcap_file_header sf_hdr; - struct stat st; - mode_t old_umask; - char *mode; - - /* Allocate packet buffer first time through. */ - if (!packet_buf) - packet_buf = malloc(SNAPLEN); - - if (!packet_buf) { - log_error("log_packet_init: malloc (%d) failed", SNAPLEN); - return; - } - if (pcaplog_file && strcmp(pcaplog_file, PCAP_FILE_DEFAULT) != 0) - free(pcaplog_file); - - pcaplog_file = strdup(newname); - if (!pcaplog_file) { - log_error("log_packet_init: strdup (\"%s\") failed", newname); - return; - } - /* Does the file already exist? XXX lstat() or stat()? */ -#if defined (USE_PRIVSEP) - /* XXX This is a fstat! */ - if (monitor_stat(pcaplog_file, &st) == 0) { -#else - if (lstat(pcaplog_file, &st) == 0) { -#endif - /* Sanity checks. */ - if ((st.st_mode & S_IFMT) != S_IFREG) { - log_print("log_packet_init: existing capture file is " - "not a regular file"); - return; - } - if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0) { - log_print("log_packet_init: existing capture " - "file has bad modes"); - return; - } - /* - * XXX It would be nice to check if it actually is a pcap - * file... - */ - - mode = "a"; - } else - mode = "w"; - - old_umask = umask(S_IRWXG | S_IRWXO); - packet_log = monitor_fopen(pcaplog_file, mode); - umask(old_umask); - - if (!packet_log) { - log_error("log_packet_init: fopen (\"%s\", \"%s\") failed", - pcaplog_file, mode); - return; - } - log_print("log_packet_init: " - "starting IKE packet capture to file \"%s\"", pcaplog_file); - - /* If this is a new file, we need to write a PCAP header to it. */ - if (*mode == 'w') { - sf_hdr.magic = TCPDUMP_MAGIC; - sf_hdr.version_major = PCAP_VERSION_MAJOR; - sf_hdr.version_minor = PCAP_VERSION_MINOR; - sf_hdr.thiszone = 0; - sf_hdr.snaplen = SNAPLEN; - sf_hdr.sigfigs = 0; - sf_hdr.linktype = DLT_LOOP; - - fwrite((char *) &sf_hdr, sizeof sf_hdr, 1, packet_log); - fflush(packet_log); - } -} - -void -log_packet_restart(char *newname) -{ - if (packet_log) { - log_print("log_packet_restart: capture already active on " - "file \"%s\"", pcaplog_file); - return; - } - if (newname) - log_packet_init(newname); - else if (!pcaplog_file) - log_packet_init(PCAP_FILE_DEFAULT); - else - log_packet_init(pcaplog_file); -} - -void -log_packet_stop(void) -{ - /* Stop capture. */ - if (packet_log) { - fclose(packet_log); - log_print("log_packet_stop: stopped capture"); - } - packet_log = 0; -} - -void -log_packet_iov(struct sockaddr *src, struct sockaddr *dst, struct iovec *iov, - int iovcnt) -{ - struct isakmp_hdr *isakmphdr; - struct packhdr hdr; - struct udphdr udp; - struct timeval tv; - int off, datalen, hdrlen, i, add_espmarker = 0; - const u_int32_t espmarker = 0; - - for (i = 0, datalen = 0; i < iovcnt; i++) - datalen += iov[i].iov_len; - - if (!packet_log || datalen > SNAPLEN) - return; - - /* copy packet into buffer */ - for (i = 0, off = 0; i < iovcnt; i++) { - memcpy(packet_buf + off, iov[i].iov_base, iov[i].iov_len); - off += iov[i].iov_len; - } - - memset(&hdr, 0, sizeof hdr); - memset(&udp, 0, sizeof udp); - - /* isakmp - turn off the encryption bit in the isakmp hdr */ - isakmphdr = (struct isakmp_hdr *) packet_buf; - isakmphdr->flags &= ~(ISAKMP_FLAGS_ENC); - - /* udp */ - udp.uh_sport = sockaddr_port(src); - udp.uh_dport = sockaddr_port(dst); - datalen += sizeof udp; -#if defined (USE_NAT_TRAVERSAL) - if (ntohs(udp.uh_sport) == 4500 || - ntohs(udp.uh_dport) == 4500) { /* XXX Quick and dirty */ - add_espmarker = 1; - datalen += sizeof espmarker; - } -#endif - udp.uh_ulen = htons(datalen); - - /* ip */ - switch (src->sa_family) { - default: - /* Assume IPv4. XXX Can 'default' ever happen here? */ - hdr.ip.ip4.ip_src.s_addr = 0x02020202; - hdr.ip.ip4.ip_dst.s_addr = 0x01010101; - /* The rest of the setup is common to AF_INET. */ - goto setup_ip4; - - case AF_INET: - hdr.ip.ip4.ip_src.s_addr = - ((struct sockaddr_in *)src)->sin_addr.s_addr; - hdr.ip.ip4.ip_dst.s_addr = - ((struct sockaddr_in *)dst)->sin_addr.s_addr; - -setup_ip4: - hdrlen = sizeof hdr.ip.ip4; - hdr.ip.ip4.ip_v = 0x4; - hdr.ip.ip4.ip_hl = 0x5; - hdr.ip.ip4.ip_p = IPPROTO_UDP; - hdr.ip.ip4.ip_len = htons(datalen + hdrlen); - /* Let's use the IP ID as a "packet counter". */ - i = ntohs(hdr.ip.ip4.ip_id) + 1; - hdr.ip.ip4.ip_id = htons(i); - /* Calculate IP header checksum. */ - hdr.ip.ip4.ip_sum = in_cksum((u_int16_t *) & hdr.ip.ip4, - hdr.ip.ip4.ip_hl << 2); - break; - - case AF_INET6: - hdrlen = sizeof(hdr.ip.ip6); - hdr.ip.ip6.ip6_vfc = IPV6_VERSION; - hdr.ip.ip6.ip6_nxt = IPPROTO_UDP; - hdr.ip.ip6.ip6_plen = udp.uh_ulen; - memcpy(&hdr.ip.ip6.ip6_src, - &((struct sockaddr_in6 *)src)->sin6_addr, - sizeof hdr.ip.ip6.ip6_src); - memcpy(&hdr.ip.ip6.ip6_dst, - &((struct sockaddr_in6 *)dst)->sin6_addr, - sizeof hdr.ip.ip6.ip6_dst); - break; - } - - /* Calculate UDP checksum. */ - udp.uh_sum = udp_cksum(&hdr, &udp, (u_int16_t *) packet_buf, src->sa_family); - /* pcap file packet header */ - gettimeofday(&tv, 0); - hdr.pcap.ts.tv_sec = tv.tv_sec; - hdr.pcap.ts.tv_usec = tv.tv_usec; - hdr.pcap.caplen = datalen + hdrlen; - hdr.pcap.len = datalen + hdrlen; - - hdrlen += sizeof(struct pcap_pkthdr); - datalen -= sizeof(struct udphdr); - - /* Write to pcap file. */ - fwrite(&hdr, hdrlen, 1, packet_log); /* pcap + IP */ - fwrite(&udp, sizeof(struct udphdr), 1, packet_log); /* UDP */ - if (add_espmarker) { - fwrite(&espmarker, sizeof espmarker, 1, packet_log); - datalen -= sizeof espmarker; - } - fwrite(packet_buf, datalen, 1, packet_log); /* IKE-data */ - fflush(packet_log); -} - -/* Copied from tcpdump/print-udp.c, mostly rewritten. */ -static int -udp_cksum(struct packhdr *hdr, const struct udphdr *u, u_int16_t *d, int af) -{ - struct ip *ip4; - struct ip6_hdr *ip6; - int i, hdrlen, tlen = ntohs(u->uh_ulen) - sizeof(struct udphdr); - - union phu { - struct ip4pseudo { - struct in_addr src; - struct in_addr dst; - u_int8_t z; - u_int8_t proto; - u_int16_t len; - } ip4p; - struct ip6pseudo { - struct in6_addr src; - struct in6_addr dst; - u_int32_t plen; - u_int16_t z0; - u_int8_t z1; - u_int8_t nxt; - } ip6p; - u_int16_t pa[20]; - } phu; - const u_int16_t *sp; - u_int32_t sum; - - /* Setup pseudoheader. */ - memset(phu.pa, 0, sizeof phu); - switch (af) { - case AF_INET: - ip4 = &hdr->ip.ip4; - memcpy(&phu.ip4p.src, &ip4->ip_src, sizeof(struct in_addr)); - memcpy(&phu.ip4p.dst, &ip4->ip_dst, sizeof(struct in_addr)); - phu.ip4p.proto = ip4->ip_p; - phu.ip4p.len = u->uh_ulen; - hdrlen = sizeof phu.ip4p; - break; - - case AF_INET6: - ip6 = &hdr->ip.ip6; - memcpy(&phu.ip6p.src, &ip6->ip6_src, sizeof(phu.ip6p.src)); - memcpy(&phu.ip6p.dst, &ip6->ip6_dst, sizeof(phu.ip6p.dst)); - phu.ip6p.plen = u->uh_ulen; - phu.ip6p.nxt = ip6->ip6_nxt; - hdrlen = sizeof phu.ip6p; - break; - - default: - return 0; - } - - /* IPv6 wants a 0xFFFF checksum "on error", not 0x0. */ - if (tlen < 0) - return (af == AF_INET ? 0 : 0xFFFF); - - sum = 0; - for (i = 0; i < hdrlen; i += 2) - sum += phu.pa[i / 2]; - - sp = (u_int16_t *) u; - for (i = 0; i < (int)sizeof(struct udphdr); i += 2) - sum += *sp++; - - sp = d; - for (i = 0; i < (tlen & ~1); i += 2) - sum += *sp++; - - if (tlen & 1) - sum += htons((*(const char *)sp) << 8); - - while (sum > 0xffff) - sum = (sum & 0xffff) + (sum >> 16); - sum = ~sum & 0xffff; - - return sum; -} - -/* Copied from tcpdump/print-ip.c, modified. */ -static u_int16_t -in_cksum(const u_int16_t *w, int len) -{ - int nleft = len, sum = 0; - u_int16_t answer; - - while (nleft > 1) { - sum += *w++; - nleft -= 2; - } - if (nleft == 1) - sum += htons(*(u_char *) w << 8); - - sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */ - sum += (sum >> 16); /* add carry */ - answer = ~sum; /* truncate to 16 bits */ - return answer; -} - -#endif /* USE_DEBUG */ diff --git a/keyexchange/isakmpd-20041012/log.h b/keyexchange/isakmpd-20041012/log.h deleted file mode 100644 index dc36f5d..0000000 --- a/keyexchange/isakmpd-20041012/log.h +++ /dev/null @@ -1,102 +0,0 @@ -/* $OpenBSD: log.h,v 1.21 2004/05/23 18:17:56 hshoexer Exp $ */ -/* $EOM: log.h,v 1.19 2000/03/30 14:27:23 ho Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * Copyright (c) 2001, 2002, 2003 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _LOG_H_ -#define _LOG_H_ - -#include <sys/types.h> -#include <sys/socket.h> -#include <sys/uio.h> -#include <stdio.h> - -extern int verbose_logging; - -/* - * We cannot do the log strings dynamically sizeable as out of memory is one - * of the situations we need to report about. - */ -#define LOG_SIZE 200 - -enum log_classes { - LOG_MISC, LOG_TRANSPORT, LOG_MESSAGE, LOG_CRYPTO, LOG_TIMER, LOG_SYSDEP, - LOG_SA, LOG_EXCHANGE, LOG_NEGOTIATION, LOG_POLICY, LOG_UI, LOG_ENDCLASS -}; -#define LOG_CLASSES_TEXT \ - { "Misc", "Trpt", "Mesg", "Cryp", "Timr", "Sdep", "SA ", "Exch", "Negt", \ - "Plcy", "UI " } - -/* - * "Class" LOG_REPORT will always be logged to the current log channel, - * regardless of level. - */ -#define LOG_PRINT -1 -#define LOG_REPORT -2 - -#ifdef USE_DEBUG - -#define LOG_DBG(x) log_debug x -#define LOG_DBG_BUF(x) log_debug_buf x - -extern void log_debug(int, int, const char *,...) - __attribute__((__format__(__printf__, 3, 4))); -extern void log_debug_buf(int, int, const char *, const u_int8_t *, size_t); -extern void log_debug_cmd(int, int); -extern void log_debug_toggle(void); - -#define PCAP_FILE_DEFAULT "/var/run/isakmpd.pcap" -extern void log_packet_init(char *); -extern void log_packet_iov(struct sockaddr *, struct sockaddr *, - struct iovec *, int); -extern void log_packet_restart(char *); -extern void log_packet_stop(void); - -#else /* !USE_DEBUG */ - -#define LOG_DBG(x) -#define LOG_DBG_BUF(x) - -#endif /* USE_DEBUG */ - -extern FILE *log_current(void); -extern void log_error(const char *,...) - __attribute__((__format__(__printf__, 1, 2))); -extern void log_fatal(const char *,...) - __attribute__((__format__(__printf__, 1, 2))); -extern void log_print(const char *,...) - __attribute__((__format__(__printf__, 1, 2))); -extern void log_verbose(const char *,...) - __attribute__((__format__(__printf__, 1, 2))); -extern void log_to(FILE *); -extern void log_init(int); -extern void log_reinit(void); - -#endif /* _LOG_H_ */ diff --git a/keyexchange/isakmpd-20041012/math_2n.c b/keyexchange/isakmpd-20041012/math_2n.c deleted file mode 100644 index f8828ef..0000000 --- a/keyexchange/isakmpd-20041012/math_2n.c +++ /dev/null @@ -1,1107 +0,0 @@ -/* $OpenBSD: math_2n.c,v 1.16 2004/06/14 09:55:41 ho Exp $ */ -/* $EOM: math_2n.c,v 1.15 1999/04/20 09:23:30 niklas Exp $ */ - -/* - * Copyright (c) 1998 Niels Provos. All rights reserved. - * Copyright (c) 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -/* - * B2N is a module for doing arithmetic on the Field GF(2**n) which is - * isomorph to ring of polynomials GF(2)[x]/p(x) where p(x) is an - * irreduciable polynomial over GF(2)[x] with grade n. - * - * First we need functions which operate on GF(2)[x], operation - * on GF(2)[x]/p(x) can be done as for Z_p then. - */ - -#include <stdlib.h> -#include <string.h> -#include <stdio.h> - -#include "sysdep.h" - -#include "math_2n.h" -#include "util.h" - -static u_int8_t hex2int(char); - -static char int2hex[] = "0123456789abcdef"; -CHUNK_TYPE b2n_mask[CHUNK_BITS] = { - 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, -#if CHUNK_BITS > 8 - 0x0100, 0x0200, 0x0400, 0x0800, 0x1000, 0x2000, 0x4000, 0x8000, -#if CHUNK_BITS > 16 - 0x00010000, 0x00020000, 0x00040000, 0x00080000, - 0x00100000, 0x00200000, 0x00400000, 0x00800000, - 0x01000000, 0x02000000, 0x04000000, 0x08000000, - 0x10000000, 0x20000000, 0x40000000, 0x80000000, -#endif -#endif -}; - -/* Convert a hex character to its integer value. */ -static u_int8_t -hex2int(char c) -{ - if (c <= '9') - return c - '0'; - if (c <= 'f') - return 10 + c - 'a'; - - return 0; -} - -int -b2n_random(b2n_ptr n, u_int32_t bits) -{ - if (b2n_resize(n, (CHUNK_MASK + bits) >> CHUNK_SHIFTS)) - return -1; - - getrandom((u_int8_t *) n->limp, CHUNK_BYTES * n->chunks); - - /* Get the number of significant bits right */ - if (bits & CHUNK_MASK) { - CHUNK_TYPE m = - (((1 << ((bits & CHUNK_MASK) - 1)) - 1) << 1) | 1; - n->limp[n->chunks - 1] &= m; - } - n->dirty = 1; - return 0; -} - -/* b2n management functions */ - -void -b2n_init(b2n_ptr n) -{ - n->chunks = 0; - n->limp = 0; -} - -void -b2n_clear(b2n_ptr n) -{ - if (n->limp) - free(n->limp); -} - -int -b2n_resize(b2n_ptr n, unsigned int chunks) -{ - size_t old = n->chunks; - size_t size; - CHUNK_TYPE *new; - - if (chunks == 0) - chunks = 1; - - if (chunks == old) - return 0; - - size = CHUNK_BYTES * chunks; - - new = realloc(n->limp, size); - if (!new) - return -1; - - n->limp = new; - n->chunks = chunks; - n->bits = chunks << CHUNK_SHIFTS; - n->dirty = 1; - - if (chunks > old) - memset(n->limp + old, 0, size - CHUNK_BYTES * old); - - return 0; -} - -/* Simple assignment functions. */ - -int -b2n_set(b2n_ptr d, b2n_ptr s) -{ - if (d == s) - return 0; - - b2n_sigbit(s); - if (b2n_resize(d, (CHUNK_MASK + s->bits) >> CHUNK_SHIFTS)) - return -1; - memcpy(d->limp, s->limp, CHUNK_BYTES * d->chunks); - d->bits = s->bits; - d->dirty = s->dirty; - return 0; -} - -int -b2n_set_null(b2n_ptr n) -{ - if (b2n_resize(n, 1)) - return -1; - n->limp[0] = n->bits = n->dirty = 0; - return 0; -} - -int -b2n_set_ui(b2n_ptr n, unsigned int val) -{ -#if CHUNK_BITS < 32 - int i, chunks; - - chunks = (CHUNK_BYTES - 1 + sizeof(val)) / CHUNK_BYTES; - - if (b2n_resize(n, chunks)) - return -1; - - for (i = 0; i < chunks; i++) { - n->limp[i] = val & CHUNK_BMASK; - val >>= CHUNK_BITS; - } -#else - if (b2n_resize(n, 1)) - return -1; - n->limp[0] = val; -#endif - n->dirty = 1; - return 0; -} - -/* XXX This one only takes hex at the moment. */ -int -b2n_set_str(b2n_ptr n, char *str) -{ - int i, j, w, len, chunks; - CHUNK_TYPE tmp; - - if (strncasecmp(str, "0x", 2)) - return -1; - - /* Make the hex string even lengthed */ - len = strlen(str) - 2; - if (len & 1) { - len++; - str++; - } else - str += 2; - - len /= 2; - - chunks = (CHUNK_BYTES - 1 + len) / CHUNK_BYTES; - if (b2n_resize(n, chunks)) - return -1; - memset(n->limp, 0, CHUNK_BYTES * n->chunks); - - for (w = 0, i = 0; i < chunks; i++) { - tmp = 0; - for (j = (i == 0 ? - ((len - 1) % CHUNK_BYTES) + 1 : CHUNK_BYTES); - j > 0; j--) { - tmp <<= 8; - tmp |= (hex2int(str[w]) << 4) | hex2int(str[w + 1]); - w += 2; - } - n->limp[chunks - 1 - i] = tmp; - } - - n->dirty = 1; - return 0; -} - -/* Output function, mainly for debugging purposes. */ -void -b2n_print(b2n_ptr n) -{ - int i, j, w, flag = 0; - int left; - char buffer[2 * CHUNK_BYTES]; - CHUNK_TYPE tmp; - - left = ((((7 + b2n_sigbit(n)) >> 3) - 1) % CHUNK_BYTES) + 1; - printf("0x"); - for (i = 0; i < n->chunks; i++) { - tmp = n->limp[n->chunks - 1 - i]; - memset(buffer, '0', sizeof(buffer)); - for (w = 0, j = (i == 0 ? left : CHUNK_BYTES); j > 0; j--) { - buffer[w++] = int2hex[(tmp >> 4) & 0xf]; - buffer[w++] = int2hex[tmp & 0xf]; - tmp >>= 8; - } - - for (j = (i == 0 ? left - 1 : CHUNK_BYTES - 1); j >= 0; j--) - if (flag || (i == n->chunks - 1 && j == 0) || - buffer[2 * j] != '0' || buffer[2 * j + 1] != '0') { - putchar(buffer[2 * j]); - putchar(buffer[2 * j + 1]); - flag = 1; - } - } - printf("\n"); -} - -int -b2n_snprint(char *buf, size_t sz, b2n_ptr n) -{ - int i, j, w, flag = 0; - size_t k; - int left; - char buffer[2 * CHUNK_BYTES]; - CHUNK_TYPE tmp; - - left = ((((7 + b2n_sigbit(n)) >> 3) - 1) % CHUNK_BYTES) + 1; - - k = strlcpy(buf, "0x", sz); - for (i = 0; i < n->chunks && k < sz - 1; i++) { - tmp = n->limp[n->chunks - 1 - i]; - memset(buffer, '0', sizeof(buffer)); - for (w = 0, j = (i == 0 ? left : CHUNK_BYTES); j > 0; j--) { - buffer[w++] = int2hex[(tmp >> 4) & 0xf]; - buffer[w++] = int2hex[tmp & 0xf]; - tmp >>= 8; - } - - for (j = (i == 0 ? left - 1 : CHUNK_BYTES - 1); j >= 0 - && k < sz - 3; j--) - if (flag || (i == n->chunks - 1 && j == 0) || - buffer[2 * j] != '0' || buffer[2 * j + 1] != '0') { - buf[k++] = buffer[2 * j]; - buf[k++] = buffer[2 * j + 1]; - flag = 1; - } - } - - buf[k++] = 0; - return k; -} - -/* Arithmetic functions. */ - -u_int32_t -b2n_sigbit(b2n_ptr n) -{ - int i, j; - - if (!n->dirty) - return n->bits; - - for (i = n->chunks - 1; i > 0; i--) - if (n->limp[i]) - break; - - if (!n->limp[i]) - return 0; - - for (j = CHUNK_MASK; j > 0; j--) - if (n->limp[i] & b2n_mask[j]) - break; - - n->bits = (i << CHUNK_SHIFTS) + j + 1; - n->dirty = 0; - return n->bits; -} - -/* Addition on GF(2)[x] is nice, its just an XOR. */ -int -b2n_add(b2n_ptr d, b2n_ptr a, b2n_ptr b) -{ - int i; - b2n_ptr bmin, bmax; - - if (!b2n_cmp_null(a)) - return b2n_set(d, b); - - if (!b2n_cmp_null(b)) - return b2n_set(d, a); - - bmin = B2N_MIN(a, b); - bmax = B2N_MAX(a, b); - - if (b2n_resize(d, bmax->chunks)) - return -1; - - for (i = 0; i < bmin->chunks; i++) - d->limp[i] = bmax->limp[i] ^ bmin->limp[i]; - - /* - * If d is not bmax, we have to copy the rest of the bytes, and also - * need to adjust to number of relevant bits. - */ - if (d != bmax) { - for (; i < bmax->chunks; i++) - d->limp[i] = bmax->limp[i]; - - d->bits = bmax->bits; - } - /* - * Help to converse memory. When the result of the addition is zero - * truncate the used amount of memory. - */ - if (d != bmax && !b2n_cmp_null(d)) - return b2n_set_null(d); - else - d->dirty = 1; - return 0; -} - -/* Compare two polynomials. */ -int -b2n_cmp(b2n_ptr n, b2n_ptr m) -{ - int sn, sm; - int i; - - sn = b2n_sigbit(n); - sm = b2n_sigbit(m); - - if (sn > sm) - return 1; - if (sn < sm) - return -1; - - for (i = n->chunks - 1; i >= 0; i--) - if (n->limp[i] > m->limp[i]) - return 1; - else if (n->limp[i] < m->limp[i]) - return -1; - - return 0; -} - -int -b2n_cmp_null(b2n_ptr a) -{ - int i = 0; - - do { - if (a->limp[i]) - return 1; - } - while (++i < a->chunks); - - return 0; -} - -/* Left shift, needed for polynomial multiplication. */ -int -b2n_lshift(b2n_ptr d, b2n_ptr n, unsigned int s) -{ - int i, maj, min, chunks; - u_int16_t bits = b2n_sigbit(n), add; - CHUNK_TYPE *p, *op; - - if (!s) - return b2n_set(d, n); - - maj = s >> CHUNK_SHIFTS; - min = s & CHUNK_MASK; - - add = (!(bits & CHUNK_MASK) || - ((bits & CHUNK_MASK) + min) > CHUNK_MASK) ? 1 : 0; - chunks = n->chunks; - if (b2n_resize(d, chunks + maj + add)) - return -1; - memmove(d->limp + maj, n->limp, CHUNK_BYTES * chunks); - - if (maj) - memset(d->limp, 0, CHUNK_BYTES * maj); - if (add) - d->limp[d->chunks - 1] = 0; - - /* If !min there are no bit shifts, we are done */ - if (!min) - return 0; - - op = p = &d->limp[d->chunks - 1]; - for (i = d->chunks - 2; i >= maj; i--) { - op--; - *p = (*p << min) | (*op >> (CHUNK_BITS - min)); - p--; - } - *p <<= min; - - d->dirty = 0; - d->bits = bits + (maj << CHUNK_SHIFTS) + min; - return 0; -} - -/* Right shift, needed for polynomial division. */ -int -b2n_rshift(b2n_ptr d, b2n_ptr n, unsigned int s) -{ - int maj, min, size = n->chunks, newsize; - b2n_ptr tmp; - - if (!s) - return b2n_set(d, n); - - maj = s >> CHUNK_SHIFTS; - - newsize = size - maj; - - if (size < maj) - return b2n_set_null(d); - - min = (CHUNK_BITS - (s & CHUNK_MASK)) & CHUNK_MASK; - if (min) { - if ((b2n_sigbit(n) & CHUNK_MASK) > (u_int32_t) min) - newsize++; - - if (b2n_lshift(d, n, min)) - return -1; - tmp = d; - } else - tmp = n; - - memmove(d->limp, tmp->limp + maj + (min ? 1 : 0), - CHUNK_BYTES * newsize); - if (b2n_resize(d, newsize)) - return -1; - - d->bits = tmp->bits - ((maj + (min ? 1 : 0)) << CHUNK_SHIFTS); - return 0; -} - -/* Normal polynomial multiplication. */ -int -b2n_mul(b2n_ptr d, b2n_ptr n, b2n_ptr m) -{ - int i, j; - b2n_t tmp, tmp2; - - if (!b2n_cmp_null(m) || !b2n_cmp_null(n)) - return b2n_set_null(d); - - if (b2n_sigbit(m) == 1) - return b2n_set(d, n); - - if (b2n_sigbit(n) == 1) - return b2n_set(d, m); - - b2n_init(tmp); - b2n_init(tmp2); - - if (b2n_set(tmp, B2N_MAX(n, m))) - goto fail; - if (b2n_set(tmp2, B2N_MIN(n, m))) - goto fail; - - if (b2n_set_null(d)) - goto fail; - - for (i = 0; i < tmp2->chunks; i++) - if (tmp2->limp[i]) - for (j = 0; j < CHUNK_BITS; j++) { - if (tmp2->limp[i] & b2n_mask[j]) - if (b2n_add(d, d, tmp)) - goto fail; - - if (b2n_lshift(tmp, tmp, 1)) - goto fail; - } - else if (b2n_lshift(tmp, tmp, CHUNK_BITS)) - goto fail; - - b2n_clear(tmp); - b2n_clear(tmp2); - return 0; - -fail: - b2n_clear(tmp); - b2n_clear(tmp2); - return -1; -} - -/* - * Squaring in this polynomial ring is more efficient than normal - * multiplication. - */ -int -b2n_square(b2n_ptr d, b2n_ptr n) -{ - int i, j, maj, min, bits, chunk; - b2n_t t; - - maj = b2n_sigbit(n); - min = maj & CHUNK_MASK; - maj = (maj + CHUNK_MASK) >> CHUNK_SHIFTS; - - b2n_init(t); - if (b2n_resize(t, - 2 * maj + ((CHUNK_MASK + 2 * min) >> CHUNK_SHIFTS))) { - b2n_clear(t); - return -1; - } - chunk = 0; - bits = 0; - - for (i = 0; i < maj; i++) - if (n->limp[i]) - for (j = 0; j < CHUNK_BITS; j++) { - if (n->limp[i] & b2n_mask[j]) - t->limp[chunk] ^= b2n_mask[bits]; - - bits += 2; - if (bits >= CHUNK_BITS) { - chunk++; - bits &= CHUNK_MASK; - } - } - else - chunk += 2; - - t->dirty = 1; - B2N_SWAP(d, t); - b2n_clear(t); - return 0; -} - -/* - * Normal polynomial division. - * These functions are far from optimal in speed. - */ -int -b2n_div_q(b2n_ptr d, b2n_ptr n, b2n_ptr m) -{ - b2n_t r; - int rv; - - b2n_init(r); - rv = b2n_div(d, r, n, m); - b2n_clear(r); - return rv; -} - -int -b2n_div_r(b2n_ptr r, b2n_ptr n, b2n_ptr m) -{ - b2n_t q; - int rv; - - b2n_init(q); - rv = b2n_div(q, r, n, m); - b2n_clear(q); - return rv; -} - -int -b2n_div(b2n_ptr q, b2n_ptr r, b2n_ptr n, b2n_ptr m) -{ - int i, j, len, bits; - u_int32_t sm, sn; - b2n_t nenn, div, shift, mask; - - /* If Teiler > Zaehler, the result is 0 */ - if ((sm = b2n_sigbit(m)) > (sn = b2n_sigbit(n))) { - if (b2n_set_null(q)) - return -1; - return b2n_set(r, n); - } - if (sm == 0) - /* Division by Zero */ - return -1; - else if (sm == 1) { - /* Division by the One-Element */ - if (b2n_set(q, n)) - return -1; - return b2n_set_null(r); - } - b2n_init(nenn); - b2n_init(div); - b2n_init(shift); - b2n_init(mask); - - if (b2n_set(nenn, n)) - goto fail; - if (b2n_set(div, m)) - goto fail; - if (b2n_set(shift, m)) - goto fail; - if (b2n_set_ui(mask, 1)) - goto fail; - - if (b2n_resize(q, (sn - sm + CHUNK_MASK) >> CHUNK_SHIFTS)) - goto fail; - memset(q->limp, 0, CHUNK_BYTES * q->chunks); - - if (b2n_lshift(shift, shift, sn - sm)) - goto fail; - if (b2n_lshift(mask, mask, sn - sm)) - goto fail; - - /* Number of significant octets */ - len = (sn - 1) >> CHUNK_SHIFTS; - /* The first iteration is done over the relevant bits */ - bits = (CHUNK_MASK + sn) & CHUNK_MASK; - for (i = len; i >= 0 && b2n_sigbit(nenn) >= sm; i--) - for (j = (i == len ? bits : CHUNK_MASK); j >= 0 - && b2n_sigbit(nenn) >= sm; j--) { - if (nenn->limp[i] & b2n_mask[j]) { - if (b2n_sub(nenn, nenn, shift)) - goto fail; - if (b2n_add(q, q, mask)) - goto fail; - } - if (b2n_rshift(shift, shift, 1)) - goto fail; - if (b2n_rshift(mask, mask, 1)) - goto fail; - } - - B2N_SWAP(r, nenn); - - b2n_clear(nenn); - b2n_clear(div); - b2n_clear(shift); - b2n_clear(mask); - return 0; - -fail: - b2n_clear(nenn); - b2n_clear(div); - b2n_clear(shift); - b2n_clear(mask); - return -1; -} - -/* Functions for Operation on GF(2**n) ~= GF(2)[x]/p(x). */ -int -b2n_mod(b2n_ptr m, b2n_ptr n, b2n_ptr p) -{ - int bits, size; - - if (b2n_div_r(m, n, p)) - return -1; - - bits = b2n_sigbit(m); - size = ((CHUNK_MASK + bits) >> CHUNK_SHIFTS); - if (size == 0) - size = 1; - if (m->chunks > size) - if (b2n_resize(m, size)) - return -1; - - m->bits = bits; - m->dirty = 0; - return 0; -} - -int -b2n_gcd(b2n_ptr e, b2n_ptr go, b2n_ptr ho) -{ - b2n_t g, h; - - b2n_init(g); - b2n_init(h); - if (b2n_set(g, go)) - goto fail; - if (b2n_set(h, ho)) - goto fail; - - while (b2n_cmp_null(h)) { - if (b2n_mod(g, g, h)) - goto fail; - B2N_SWAP(g, h); - } - - B2N_SWAP(e, g); - - b2n_clear(g); - b2n_clear(h); - return 0; - -fail: - b2n_clear(g); - b2n_clear(h); - return -1; -} - -int -b2n_mul_inv(b2n_ptr ga, b2n_ptr be, b2n_ptr p) -{ - b2n_t a; - - b2n_init(a); - if (b2n_set_ui(a, 1)) - goto fail; - - if (b2n_div_mod(ga, a, be, p)) - goto fail; - - b2n_clear(a); - return 0; - -fail: - b2n_clear(a); - return -1; -} - -int -b2n_div_mod(b2n_ptr ga, b2n_ptr a, b2n_ptr be, b2n_ptr p) -{ - b2n_t s0, s1, s2, q, r0, r1; - - /* There is no multiplicative inverse to Null. */ - if (!b2n_cmp_null(be)) - return b2n_set_null(ga); - - b2n_init(s0); - b2n_init(s1); - b2n_init(s2); - b2n_init(r0); - b2n_init(r1); - b2n_init(q); - - if (b2n_set(r0, p)) - goto fail; - if (b2n_set(r1, be)) - goto fail; - - if (b2n_set_null(s0)) - goto fail; - if (b2n_set(s1, a)) - goto fail; - - while (b2n_cmp_null(r1)) { - if (b2n_div(q, r0, r0, r1)) - goto fail; - B2N_SWAP(r0, r1); - - if (b2n_mul(s2, q, s1)) - goto fail; - if (b2n_mod(s2, s2, p)) - goto fail; - if (b2n_sub(s2, s0, s2)) - goto fail; - - B2N_SWAP(s0, s1); - B2N_SWAP(s1, s2); - } - B2N_SWAP(ga, s0); - - b2n_clear(s0); - b2n_clear(s1); - b2n_clear(s2); - b2n_clear(r0); - b2n_clear(r1); - b2n_clear(q); - return 0; - -fail: - b2n_clear(s0); - b2n_clear(s1); - b2n_clear(s2); - b2n_clear(r0); - b2n_clear(r1); - b2n_clear(q); - return -1; -} - -/* - * The trace tells us if there do exist any square roots - * for 'a' in GF(2)[x]/p(x). The number of square roots is - * 2 - 2*Trace. - * If z is a square root, z + 1 is the other. - */ -int -b2n_trace(b2n_ptr ho, b2n_ptr a, b2n_ptr p) -{ - int i, m = b2n_sigbit(p) - 1; - b2n_t h; - - b2n_init(h); - if (b2n_set(h, a)) - goto fail; - - for (i = 0; i < m - 1; i++) { - if (b2n_square(h, h)) - goto fail; - if (b2n_mod(h, h, p)) - goto fail; - - if (b2n_add(h, h, a)) - goto fail; - } - B2N_SWAP(ho, h); - - b2n_clear(h); - return 0; - -fail: - b2n_clear(h); - return -1; -} - -/* - * The halftrace yields the square root if the degree of the - * irreduceable polynomial is odd. - */ -int -b2n_halftrace(b2n_ptr ho, b2n_ptr a, b2n_ptr p) -{ - int i, m = b2n_sigbit(p) - 1; - b2n_t h; - - b2n_init(h); - if (b2n_set(h, a)) - goto fail; - - for (i = 0; i < (m - 1) / 2; i++) { - if (b2n_square(h, h)) - goto fail; - if (b2n_mod(h, h, p)) - goto fail; - if (b2n_square(h, h)) - goto fail; - if (b2n_mod(h, h, p)) - goto fail; - - if (b2n_add(h, h, a)) - goto fail; - } - - B2N_SWAP(ho, h); - - b2n_clear(h); - return 0; - -fail: - b2n_clear(h); - return -1; -} - -/* - * Solving the equation: y**2 + y = b in GF(2**m) where ip is the - * irreduceable polynomial. If m is odd, use the half trace. - */ -int -b2n_sqrt(b2n_ptr zo, b2n_ptr b, b2n_ptr ip) -{ - int i, m = b2n_sigbit(ip) - 1; - b2n_t w, p, temp, z; - - if (!b2n_cmp_null(b)) - return b2n_set_null(z); - - if (m & 1) - return b2n_halftrace(zo, b, ip); - - b2n_init(z); - b2n_init(w); - b2n_init(p); - b2n_init(temp); - - do { - if (b2n_random(p, m)) - goto fail; - if (b2n_set_null(z)) - goto fail; - if (b2n_set(w, p)) - goto fail; - - for (i = 1; i < m; i++) { - if (b2n_square(z, z)) /* z**2 */ - goto fail; - if (b2n_mod(z, z, ip)) - goto fail; - - if (b2n_square(w, w)) /* w**2 */ - goto fail; - if (b2n_mod(w, w, ip)) - goto fail; - - if (b2n_mul(temp, w, b)) /* w**2 * b */ - goto fail; - if (b2n_mod(temp, temp, ip)) - goto fail; - if (b2n_add(z, z, temp)) /* z**2 + w**2 + b */ - goto fail; - - if (b2n_add(w, w, p)) /* w**2 + p */ - goto fail; - } - } - while (!b2n_cmp_null(w)); - - B2N_SWAP(zo, z); - - b2n_clear(w); - b2n_clear(p); - b2n_clear(temp); - b2n_clear(z); - return 0; - -fail: - b2n_clear(w); - b2n_clear(p); - b2n_clear(temp); - b2n_clear(z); - return -1; -} - -/* Exponentiation modulo a polynomial. */ -int -b2n_exp_mod(b2n_ptr d, b2n_ptr b0, u_int32_t e, b2n_ptr p) -{ - b2n_t u, b; - - b2n_init(u); - b2n_init(b); - if (b2n_set_ui(u, 1)) - goto fail; - if (b2n_mod(b, b0, p)) - goto fail; - - while (e) { - if (e & 1) { - if (b2n_mul(u, u, b)) - goto fail; - if (b2n_mod(u, u, p)) - goto fail; - } - if (b2n_square(b, b)) - goto fail; - if (b2n_mod(b, b, p)) - goto fail; - e >>= 1; - } - - B2N_SWAP(d, u); - - b2n_clear(u); - b2n_clear(b); - return 0; - -fail: - b2n_clear(u); - b2n_clear(b); - return -1; -} - -/* - * Low-level function to speed up scalar multiplication with - * elliptic curves. - * Multiplies a normal number by 3. - */ - -/* Normal addition behaves as Z_{2**n} and not F_{2**n}. */ -int -b2n_nadd(b2n_ptr d0, b2n_ptr a0, b2n_ptr b0) -{ - int i, carry; - b2n_ptr a, b; - b2n_t d; - - if (!b2n_cmp_null(a0)) - return b2n_set(d0, b0); - - if (!b2n_cmp_null(b0)) - return b2n_set(d0, a0); - - b2n_init(d); - a = B2N_MAX(a0, b0); - b = B2N_MIN(a0, b0); - - if (b2n_resize(d, a->chunks + 1)) { - b2n_clear(d); - return -1; - } - for (carry = i = 0; i < b->chunks; i++) { - d->limp[i] = a->limp[i] + b->limp[i] + carry; - carry = (d->limp[i] < a->limp[i] ? 1 : 0); - } - - for (; i < a->chunks && carry; i++) { - d->limp[i] = a->limp[i] + carry; - carry = (d->limp[i] < a->limp[i] ? 1 : 0); - } - - if (i < a->chunks) - memcpy(d->limp + i, a->limp + i, - CHUNK_BYTES * (a->chunks - i)); - - d->dirty = 1; - B2N_SWAP(d0, d); - - b2n_clear(d); - return 0; -} - -/* Very special sub, a > b. */ -int -b2n_nsub(b2n_ptr d0, b2n_ptr a, b2n_ptr b) -{ - int i, carry; - b2n_t d; - - if (b2n_cmp(a, b) <= 0) - return b2n_set_null(d0); - - b2n_init(d); - if (b2n_resize(d, a->chunks)) { - b2n_clear(d); - return -1; - } - for (carry = i = 0; i < b->chunks; i++) { - d->limp[i] = a->limp[i] - b->limp[i] - carry; - carry = (d->limp[i] > a->limp[i] ? 1 : 0); - } - - for (; i < a->chunks && carry; i++) { - d->limp[i] = a->limp[i] - carry; - carry = (d->limp[i] > a->limp[i] ? 1 : 0); - } - - if (i < a->chunks) - memcpy(d->limp + i, a->limp + i, - CHUNK_BYTES * (a->chunks - i)); - - d->dirty = 1; - - B2N_SWAP(d0, d); - - b2n_clear(d); - return 0; -} - -int -b2n_3mul(b2n_ptr d0, b2n_ptr e) -{ - b2n_t d; - - b2n_init(d); - if (b2n_lshift(d, e, 1)) - goto fail; - - if (b2n_nadd(d0, d, e)) - goto fail; - - b2n_clear(d); - return 0; - -fail: - b2n_clear(d); - return -1; -} diff --git a/keyexchange/isakmpd-20041012/math_2n.h b/keyexchange/isakmpd-20041012/math_2n.h deleted file mode 100644 index 0515199..0000000 --- a/keyexchange/isakmpd-20041012/math_2n.h +++ /dev/null @@ -1,132 +0,0 @@ -/* $OpenBSD: math_2n.h,v 1.7 2004/04/15 18:39:26 deraadt Exp $ */ -/* $EOM: math_2n.h,v 1.9 1999/04/17 23:20:32 niklas Exp $ */ - -/* - * Copyright (c) 1998 Niels Provos. All rights reserved. - * Copyright (c) 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _MATH_2N_H -#define _MATH_2N_H_ - -/* - * The chunk size we use is variable, this allows speed ups - * for processors like the Alpha with 64bit words. - * XXX - b2n_mask is only up to 32 bit at the moment. - */ - -#define USE_32BIT /* XXX - This obviously needs fixing */ - -#ifdef USE_32BIT -#define CHUNK_TYPE u_int32_t -#define CHUNK_BITS 32 -#define CHUNK_SHIFTS 5 -#define CHUNK_BMASK 0xffffffff -#define CHUNK_MASK (CHUNK_BITS - 1) -#define CHUNK_BYTES (CHUNK_BITS >> 3) -#define CHUNK_NIBBLES (CHUNK_BITS >> 2) -#else -#define CHUNK_TYPE u_int8_t -#define CHUNK_BITS 8 -#define CHUNK_SHIFTS 3 -#define CHUNK_BMASK 0xff -#define CHUNK_MASK (CHUNK_BITS - 1) -#define CHUNK_BYTES (CHUNK_BITS >> 3) -#define CHUNK_NIBBLES (CHUNK_BITS >> 2) -#endif - -extern CHUNK_TYPE b2n_mask[CHUNK_BITS]; - -/* An element of GF(2**n), n = bits */ - -typedef struct { - u_int16_t chunks; - u_int16_t bits; - u_int8_t dirty; /* Sig bits are dirty */ - CHUNK_TYPE *limp; -} _b2n; - -typedef _b2n *b2n_ptr; -typedef _b2n b2n_t[1]; - -#define B2N_SET(x,y) do \ - { \ - (x)->chunks = (y)->chunks; \ - (x)->bits = (y)->bits; \ - (x)->limp = (y)->limp; \ - (x)->dirty = (y)->dirty; \ - } \ -while (0) - -#define B2N_SWAP(x,y) do \ - { \ - b2n_t _t_; \ -\ - B2N_SET (_t_, (x)); \ - B2N_SET ((x), (y)); \ - B2N_SET ((y), _t_); \ - } \ -while (0) - -#define B2N_MIN(x,y) ((x)->chunks > (y)->chunks ? (y) : (x)) -#define B2N_MAX(x,y) ((x)->chunks > (y)->chunks ? (x) : (y)) - -int b2n_3mul(b2n_ptr, b2n_ptr); -int b2n_add(b2n_ptr, b2n_ptr, b2n_ptr); -int b2n_cmp(b2n_ptr, b2n_ptr); -int b2n_cmp_null(b2n_ptr); -int b2n_div(b2n_ptr, b2n_ptr, b2n_ptr, b2n_ptr); -int b2n_div_mod(b2n_ptr, b2n_ptr, b2n_ptr, b2n_ptr); -int b2n_div_q(b2n_ptr, b2n_ptr, b2n_ptr); -int b2n_div_r(b2n_ptr, b2n_ptr, b2n_ptr); -int b2n_exp_mod(b2n_ptr, b2n_ptr, u_int32_t, b2n_ptr); -void b2n_init(b2n_ptr); -void b2n_clear(b2n_ptr); -int b2n_gcd(b2n_ptr, b2n_ptr, b2n_ptr); -int b2n_halftrace(b2n_ptr, b2n_ptr, b2n_ptr); -int b2n_lshift(b2n_ptr, b2n_ptr, unsigned int); -int b2n_mod(b2n_ptr, b2n_ptr, b2n_ptr); -int b2n_mul(b2n_ptr, b2n_ptr, b2n_ptr); -int b2n_mul_inv(b2n_ptr, b2n_ptr, b2n_ptr); -int b2n_nadd(b2n_ptr, b2n_ptr, b2n_ptr); -int b2n_nsub(b2n_ptr, b2n_ptr, b2n_ptr); -void b2n_print(b2n_ptr); -int b2n_random(b2n_ptr, u_int32_t); -int b2n_resize(b2n_ptr, unsigned int); -int b2n_rshift(b2n_ptr, b2n_ptr, unsigned int); -int b2n_set(b2n_ptr, b2n_ptr); -int b2n_set_null(b2n_ptr); -int b2n_set_str(b2n_ptr, char *); -int b2n_set_ui(b2n_ptr, unsigned int); -u_int32_t b2n_sigbit(b2n_ptr); -int b2n_snprint(char *, size_t, b2n_ptr); -int b2n_sqrt(b2n_ptr, b2n_ptr, b2n_ptr); -int b2n_square(b2n_ptr, b2n_ptr); -#define b2n_sub b2n_add -int b2n_trace(b2n_ptr, b2n_ptr, b2n_ptr); - -#endif /* _MATH_2N_H_ */ diff --git a/keyexchange/isakmpd-20041012/math_ec2n.c b/keyexchange/isakmpd-20041012/math_ec2n.c deleted file mode 100644 index c06b37c..0000000 --- a/keyexchange/isakmpd-20041012/math_ec2n.c +++ /dev/null @@ -1,382 +0,0 @@ -/* $OpenBSD: math_ec2n.c,v 1.11 2004/05/23 18:17:56 hshoexer Exp $ */ -/* $EOM: math_ec2n.c,v 1.9 1999/04/20 09:23:31 niklas Exp $ */ - -/* - * Copyright (c) 1998 Niels Provos. All rights reserved. - * Copyright (c) 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/param.h> -#include <stdio.h> - -#include "sysdep.h" - -#include "math_2n.h" -#include "math_ec2n.h" - -void -ec2np_init(ec2np_ptr n) -{ - b2n_init(n->x); - b2n_init(n->y); - n->inf = 0; -} - -void -ec2np_clear(ec2np_ptr n) -{ - b2n_clear(n->x); - b2n_clear(n->y); -} - -int -ec2np_set(ec2np_ptr d, ec2np_ptr n) -{ - if (d == n) - return 0; - - d->inf = n->inf; - if (b2n_set(d->x, n->x)) - return -1; - return b2n_set(d->y, n->y); -} - -/* Group */ - -void -ec2ng_init(ec2ng_ptr n) -{ - b2n_init(n->a); - b2n_init(n->b); - b2n_init(n->p); -} - -void -ec2ng_clear(ec2ng_ptr n) -{ - b2n_clear(n->a); - b2n_clear(n->b); - b2n_clear(n->p); -} - -int -ec2ng_set(ec2ng_ptr d, ec2ng_ptr n) -{ - if (b2n_set(d->a, n->a)) - return -1; - if (b2n_set(d->b, n->b)) - return -1; - return b2n_set(d->p, n->p); -} - -/* Arithmetic functions */ - -int -ec2np_right(b2n_ptr n, ec2np_ptr p, ec2ng_ptr g) -{ - b2n_t temp; - - b2n_init(temp); - - /* First calc x**3 + ax**2 + b */ - if (b2n_square(n, p->x)) - goto fail; - if (b2n_mod(n, n, g->p)) - goto fail; - - if (b2n_mul(temp, g->a, n)) /* a*x**2 */ - goto fail; - if (b2n_mod(temp, temp, g->p)) - goto fail; - - if (b2n_mul(n, n, p->x))/* x**3 */ - goto fail; - if (b2n_mod(n, n, g->p)) - goto fail; - - if (b2n_add(n, n, temp)) - goto fail; - if (b2n_add(n, n, g->b)) - goto fail; - - b2n_clear(temp); - return 0; - -fail: - b2n_clear(temp); - return -1; -} - -int -ec2np_ison(ec2np_ptr p, ec2ng_ptr g) -{ - int res; - b2n_t x, y, temp; - - if (p->inf) - return 1; - - b2n_init(x); - b2n_init(y); - b2n_init(temp); - - /* First calc x**3 + ax**2 + b */ - if (ec2np_right(x, p, g)) - goto fail; - - /* Now calc y**2 + xy */ - if (b2n_square(y, p->y)) - goto fail; - if (b2n_mod(y, y, g->p)) - goto fail; - - if (b2n_mul(temp, p->y, p->x)) - goto fail; - if (b2n_mod(temp, temp, g->p)) - goto fail; - - if (b2n_add(y, y, temp)) - goto fail; - - res = !b2n_cmp(x, y); - - b2n_clear(x); - b2n_clear(y); - b2n_clear(temp); - return res; - -fail: - b2n_clear(x); - b2n_clear(y); - b2n_clear(temp); - return -1; -} - -int -ec2np_find_y(ec2np_ptr p, ec2ng_ptr g) -{ - b2n_t right; - - b2n_init(right); - - if (ec2np_right(right, p, g)) /* Right sight of equation */ - goto fail; - if (b2n_mul_inv(p->y, p->x, g->p)) - goto fail; - - if (b2n_square(p->y, p->y)) - goto fail; - if (b2n_mod(p->y, p->y, g->p)) - goto fail; - - if (b2n_mul(right, right, p->y)) /* x^-2 * right */ - goto fail; - if (b2n_mod(right, right, g->p)) - goto fail; - - if (b2n_sqrt(p->y, right, g->p)) /* Find root */ - goto fail; - if (b2n_mul(p->y, p->y, p->x)) - goto fail; - if (b2n_mod(p->y, p->y, g->p)) - goto fail; - - b2n_clear(right); - return 0; - -fail: - b2n_clear(right); - return -1; -} - -int -ec2np_add(ec2np_ptr d, ec2np_ptr a, ec2np_ptr b, ec2ng_ptr g) -{ - b2n_t lambda, temp; - ec2np_t pn; - - /* Check for Neutral Element */ - if (b->inf) - return ec2np_set(d, a); - if (a->inf) - return ec2np_set(d, b); - - if (!b2n_cmp(a->x, b->x) && (b2n_cmp(a->y, b->y) || - !b2n_cmp_null(a->x))) { - d->inf = 1; - if (b2n_set_null(d->x)) - return -1; - return b2n_set_null(d->y); - } - b2n_init(lambda); - b2n_init(temp); - ec2np_init(pn); - - if (b2n_cmp(a->x, b->x)) { - if (b2n_add(temp, a->x, b->x)) - goto fail; - if (b2n_add(lambda, a->y, b->y)) - goto fail; - if (b2n_div_mod(lambda, lambda, temp, g->p)) - goto fail; - - if (b2n_square(pn->x, lambda)) - goto fail; - if (b2n_mod(pn->x, pn->x, g->p)) - goto fail; - - if (b2n_add(pn->x, pn->x, lambda)) - goto fail; - if (b2n_add(pn->x, pn->x, g->a)) - goto fail; - if (b2n_add(pn->x, pn->x, a->x)) - goto fail; - if (b2n_add(pn->x, pn->x, b->x)) - goto fail; - } else { - if (b2n_div_mod(lambda, b->y, b->x, g->p)) - goto fail; - if (b2n_add(lambda, lambda, b->x)) - goto fail; - - if (b2n_square(pn->x, lambda)) - goto fail; - if (b2n_mod(pn->x, pn->x, g->p)) - goto fail; - if (b2n_add(pn->x, pn->x, lambda)) - goto fail; - if (b2n_add(pn->x, pn->x, g->a)) - goto fail; - } - - if (b2n_add(pn->y, b->x, pn->x)) - goto fail; - - if (b2n_mul(pn->y, pn->y, lambda)) - goto fail; - if (b2n_mod(pn->y, pn->y, g->p)) - goto fail; - - if (b2n_add(pn->y, pn->y, pn->x)) - goto fail; - if (b2n_add(pn->y, pn->y, b->y)) - goto fail; - - EC2NP_SWAP(d, pn); - - ec2np_clear(pn); - b2n_clear(lambda); - b2n_clear(temp); - return 0; - -fail: - ec2np_clear(pn); - b2n_clear(lambda); - b2n_clear(temp); - return -1; -} - -int -ec2np_mul(ec2np_ptr d, ec2np_ptr a, b2n_ptr e, ec2ng_ptr g) -{ - int i, j, bits, start; - b2n_t h, k; - ec2np_t q, mina; - - if (!b2n_cmp_null(e)) { - d->inf = 1; - if (b2n_set_null(d->x)) - return -1; - return b2n_set_null(d->y); - } - b2n_init(h); - b2n_init(k); - ec2np_init(q); - ec2np_init(mina); - - if (ec2np_set(q, a)) - goto fail; - - /* Create the point -a. */ - if (ec2np_set(mina, a)) - goto fail; - if (b2n_add(mina->y, mina->y, mina->x)) - goto fail; - - if (b2n_set(k, e)) - goto fail; - if (b2n_3mul(h, k)) - goto fail; - if (b2n_resize(k, h->chunks)) - goto fail; - - /* - * This is low level but can not be avoided, since we have to do single - * bit checks on h and k. - */ - bits = b2n_sigbit(h); - if ((bits & CHUNK_MASK) == 1) { - start = ((CHUNK_MASK + bits) >> CHUNK_SHIFTS) - 2; - bits = CHUNK_BITS; - } else { - start = ((CHUNK_MASK + bits) >> CHUNK_SHIFTS) - 1; - bits = ((bits - 1) & CHUNK_MASK); - } - - /* - * This is the addition, subtraction method which is faster because - * we avoid one out of three additions (mean). - */ - for (i = start; i >= 0; i--) - for (j = (i == start ? bits : CHUNK_BITS) - 1; j >= 0; j--) - if (i > 0 || j > 0) { - if (ec2np_add(q, q, q, g)) - goto fail; - if ((h->limp[i] & b2n_mask[j]) && !(k->limp[i] - & b2n_mask[j])) { - if (ec2np_add(q, q, a, g)) - goto fail; - } else if (!(h->limp[i] & b2n_mask[j]) - && (k->limp[i] & b2n_mask[j])) - if (ec2np_add(q, q, mina, g)) - goto fail; - } - EC2NP_SWAP(d, q); - - b2n_clear(k); - b2n_clear(h); - ec2np_clear(q); - ec2np_clear(mina); - return 0; - -fail: - b2n_clear(k); - b2n_clear(h); - ec2np_clear(q); - ec2np_clear(mina); - return -1; -} diff --git a/keyexchange/isakmpd-20041012/math_ec2n.h b/keyexchange/isakmpd-20041012/math_ec2n.h deleted file mode 100644 index 247f84a..0000000 --- a/keyexchange/isakmpd-20041012/math_ec2n.h +++ /dev/null @@ -1,94 +0,0 @@ -/* $OpenBSD: math_ec2n.h,v 1.7 2004/05/23 18:17:56 hshoexer Exp $ */ -/* $EOM: math_ec2n.h,v 1.4 1999/04/17 23:20:37 niklas Exp $ */ - -/* - * Copyright (c) 1998 Niels Provos. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _MATH_EC2N_H -#define _MATH_EC2N_H_ - -/* Definitions for points on an elliptic curve */ - -typedef struct { - int inf; /* Are we the point at infinity ? */ - b2n_t x, y; -} _ec2n_point; - -typedef _ec2n_point *ec2np_ptr; -typedef _ec2n_point ec2np_t[1]; - -#define EC2NP_SWAP(k,n) do \ - { \ - int _i_; \ -\ - _i_ = (k)->inf; \ - (k)->inf = (n)->inf; \ - (n)->inf = _i_; \ - B2N_SWAP ((k)->x, (n)->x); \ - B2N_SWAP ((k)->y, (n)->y); \ - } \ -while (0) - -void ec2np_init(ec2np_ptr); -void ec2np_clear(ec2np_ptr); -int ec2np_set(ec2np_ptr, ec2np_ptr); - -#define ec2np_set_x_ui(n, y) b2n_set_ui ((n)->x, y) -#define ec2np_set_y_ui(n, x) b2n_set_ui ((n)->y, x) -#define ec2np_set_x_str(n, y) b2n_set_str ((n)->x, y) -#define ec2np_set_y_str(n, x) b2n_set_str ((n)->y, x) - -/* Definitions for the group to which the points to belong to. */ - -typedef struct { - b2n_t a, b, p; -} _ec2n_group; - -typedef _ec2n_group *ec2ng_ptr; -typedef _ec2n_group ec2ng_t[1]; - -void ec2ng_init(ec2ng_ptr); -void ec2ng_clear(ec2ng_ptr); -int ec2ng_set(ec2ng_ptr, ec2ng_ptr); - -#define ec2ng_set_a_ui(n, x) b2n_set_ui ((n)->a, x) -#define ec2ng_set_b_ui(n, x) b2n_set_ui ((n)->b, x) -#define ec2ng_set_p_ui(n, x) b2n_set_ui ((n)->p, x) -#define ec2ng_set_a_str(n, x) b2n_set_str ((n)->a, x) -#define ec2ng_set_b_str(n, x) b2n_set_str ((n)->b, x) -#define ec2ng_set_p_str(n, x) b2n_set_str ((n)->p, x) - -/* Functions for computing on the elliptic group. */ - -int ec2np_add(ec2np_ptr, ec2np_ptr, ec2np_ptr, ec2ng_ptr); -int ec2np_find_y(ec2np_ptr, ec2ng_ptr); -int ec2np_ison(ec2np_ptr, ec2ng_ptr); -int ec2np_mul(ec2np_ptr, ec2np_ptr, b2n_ptr, ec2ng_ptr); -int ec2np_right(b2n_ptr n, ec2np_ptr, ec2ng_ptr); - -#endif /* _MATH_2N_H_ */ diff --git a/keyexchange/isakmpd-20041012/math_group.c b/keyexchange/isakmpd-20041012/math_group.c deleted file mode 100644 index 55f340f..0000000 --- a/keyexchange/isakmpd-20041012/math_group.c +++ /dev/null @@ -1,865 +0,0 @@ -/* $OpenBSD: math_group.c,v 1.23 2004/06/14 09:55:41 ho Exp $ */ -/* $EOM: math_group.c,v 1.25 2000/04/07 19:53:26 niklas Exp $ */ - -/* - * Copyright (c) 1998 Niels Provos. All rights reserved. - * Copyright (c) 1999, 2000 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/param.h> -#include <stdlib.h> -#include <string.h> - -#include "sysdep.h" - -#include "gmp_util.h" -#include "log.h" -#include "math_2n.h" -#include "math_ec2n.h" -#include "math_group.h" -#include "math_mp.h" - -/* We do not want to export these definitions. */ -int modp_getlen(struct group *); -void modp_getraw(struct group *, math_mp_t, u_int8_t *); -int modp_setraw(struct group *, math_mp_t, u_int8_t *, int); -int modp_setrandom(struct group *, math_mp_t); -int modp_operation(struct group *, math_mp_t, math_mp_t, math_mp_t); - -int ec2n_getlen(struct group *); -void ec2n_getraw(struct group *, ec2np_ptr, u_int8_t *); -int ec2n_setraw(struct group *, ec2np_ptr, u_int8_t *, int); -int ec2n_setrandom(struct group *, ec2np_ptr); -int ec2n_operation(struct group *, ec2np_ptr, ec2np_ptr, ec2np_ptr); - -struct ec2n_group { - ec2np_t gen; /* Generator */ - ec2ng_t grp; - ec2np_t a, b, c, d; -}; - -struct modp_group { - math_mp_t gen; /* Generator */ - math_mp_t p; /* Prime */ - math_mp_t a, b, c, d; -}; - -/* - * This module provides access to the operations on the specified group - * and is absolutly free of any cryptographic devices. This is math :-). - */ - -#define OAKLEY_GRP_1 1 -#define OAKLEY_GRP_2 2 -#define OAKLEY_GRP_3 3 -#define OAKLEY_GRP_4 4 -#define OAKLEY_GRP_5 5 -#define OAKLEY_GRP_6 6 -#define OAKLEY_GRP_7 7 -#define OAKLEY_GRP_8 8 -#define OAKLEY_GRP_9 9 -#define OAKLEY_GRP_10 10 -#define OAKLEY_GRP_11 11 -#define OAKLEY_GRP_12 12 -#define OAKLEY_GRP_13 13 -#define OAKLEY_GRP_14 14 -#define OAKLEY_GRP_15 15 -#define OAKLEY_GRP_16 16 -#define OAKLEY_GRP_17 17 -#define OAKLEY_GRP_18 18 - -/* Describe preconfigured MODP groups */ - -/* - * The Generalized Number Field Sieve has an asymptotic running time - * of: O(exp(1.9223 * (ln q)^(1/3) (ln ln q)^(2/3))), where q is the - * group order, e.g. q = 2**768. - */ - -struct modp_dscr oakley_modp[] = -{ - {OAKLEY_GRP_1, 72, /* This group is insecure, only sufficient - * for DES */ - "0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" - "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", - "0x02" - }, - {OAKLEY_GRP_2, 82, /* This group is a bit better */ - "0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" - "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" - "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381" - "FFFFFFFFFFFFFFFF", - "0x02" - }, - {OAKLEY_GRP_5, 102, - "0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" - "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" - "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" - "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" - "83655D23DCA3AD961C62F356208552BB9ED529077096966D" - "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", - "0x02" - }, - {OAKLEY_GRP_14, 135, /* 2048 bit */ - "0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" - "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" - "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" - "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" - "83655D23DCA3AD961C62F356208552BB9ED529077096966D" - "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" - "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" - "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" - "15728E5A8AACAA68FFFFFFFFFFFFFFFF", - "0x02" - }, - {OAKLEY_GRP_15, 170, /* 3072 bit */ - "0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" - "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" - "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" - "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" - "83655D23DCA3AD961C62F356208552BB9ED529077096966D" - "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" - "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" - "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" - "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" - "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" - "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" - "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" - "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" - "43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF", - "0x02" - }, - {OAKLEY_GRP_16, 195, /* 4096 bit */ - "0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" - "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" - "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" - "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" - "83655D23DCA3AD961C62F356208552BB9ED529077096966D" - "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" - "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" - "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" - "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" - "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" - "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" - "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" - "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" - "43DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D7" - "88719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA" - "2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6" - "287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED" - "1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9" - "93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199" - "FFFFFFFFFFFFFFFF", - "0x02" - }, - {OAKLEY_GRP_17, 220, /* 6144 bit */ - "0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" - "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" - "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" - "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" - "83655D23DCA3AD961C62F356208552BB9ED529077096966D" - "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" - "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" - "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" - "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" - "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" - "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" - "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" - "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" - "43DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D7" - "88719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA" - "2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6" - "287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED" - "1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9" - "93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934028492" - "36C3FAB4D27C7026C1D4DCB2602646DEC9751E763DBA37BD" - "F8FF9406AD9E530EE5DB382F413001AEB06A53ED9027D831" - "179727B0865A8918DA3EDBEBCF9B14ED44CE6CBACED4BB1B" - "DB7F1447E6CC254B332051512BD7AF426FB8F401378CD2BF" - "5983CA01C64B92ECF032EA15D1721D03F482D7CE6E74FEF6" - "D55E702F46980C82B5A84031900B1C9E59E7C97FBEC7E8F3" - "23A97A7E36CC88BE0F1D45B7FF585AC54BD407B22B4154AA" - "CC8F6D7EBF48E1D814CC5ED20F8037E0A79715EEF29BE328" - "06A1D58BB7C5DA76F550AA3D8A1FBFF0EB19CCB1A313D55C" - "DA56C9EC2EF29632387FE8D76E3C0468043E8F663F4860EE" - "12BF2D5B0B7474D6E694F91E6DCC4024FFFFFFFFFFFFFFFF", - "0x02" - }, - {OAKLEY_GRP_18, 250, /* 8192 bit */ - "0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" - "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" - "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" - "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" - "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" - "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" - "83655D23DCA3AD961C62F356208552BB9ED529077096966D" - "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" - "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" - "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" - "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" - "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" - "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" - "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" - "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" - "43DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D7" - "88719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA" - "2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6" - "287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED" - "1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9" - "93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934028492" - "36C3FAB4D27C7026C1D4DCB2602646DEC9751E763DBA37BD" - "F8FF9406AD9E530EE5DB382F413001AEB06A53ED9027D831" - "179727B0865A8918DA3EDBEBCF9B14ED44CE6CBACED4BB1B" - "DB7F1447E6CC254B332051512BD7AF426FB8F401378CD2BF" - "5983CA01C64B92ECF032EA15D1721D03F482D7CE6E74FEF6" - "D55E702F46980C82B5A84031900B1C9E59E7C97FBEC7E8F3" - "23A97A7E36CC88BE0F1D45B7FF585AC54BD407B22B4154AA" - "CC8F6D7EBF48E1D814CC5ED20F8037E0A79715EEF29BE328" - "06A1D58BB7C5DA76F550AA3D8A1FBFF0EB19CCB1A313D55C" - "DA56C9EC2EF29632387FE8D76E3C0468043E8F663F4860EE" - "12BF2D5B0B7474D6E694F91E6DBE115974A3926F12FEE5E4" - "38777CB6A932DF8CD8BEC4D073B931BA3BC832B68D9DD300" - "741FA7BF8AFC47ED2576F6936BA424663AAB639C5AE4F568" - "3423B4742BF1C978238F16CBE39D652DE3FDB8BEFC848AD9" - "22222E04A4037C0713EB57A81A23F0C73473FC646CEA306B" - "4BCBC8862F8385DDFA9D4B7FA2C087E879683303ED5BDD3A" - "062B3CF5B3A278A66D2A13F83F44F82DDF310EE074AB6A36" - "4597E899A0255DC164F31CC50846851DF9AB48195DED7EA1" - "B1D510BD7EE74D73FAF36BC31ECFA268359046F4EB879F92" - "4009438B481C6CD7889A002ED5EE382BC9190DA6FC026E47" - "9558E4475677E9AA9E3050E2765694DFC81F56E880B96E71" - "60C980DD98EDD3DFFFFFFFFFFFFFFFFF", - "0x02" - }, -}; - -#ifdef USE_EC -/* Describe preconfigured EC2N groups */ - -/* - * Related collision-search methods can compute discrete logarithmns - * in O(sqrt(r)), r being the subgroup order. - */ - -struct ec2n_dscr oakley_ec2n[] = { - { OAKLEY_GRP_3, 76, /* This group is also considered insecure - * (P1363) */ - "0x0800000000000000000000004000000000000001", - "0x7b", - "0x00", - "0x7338f" }, - { OAKLEY_GRP_4, 91, - "0x020000000000000000000000000000200000000000000001", - "0x18", - "0x00", - "0x1ee9" }, -}; -#endif /* USE_EC */ - -/* XXX I want to get rid of the casting here. */ -struct group groups[] = { - { - MODP, OAKLEY_GRP_1, 0, &oakley_modp[0], 0, 0, 0, 0, 0, - (int (*) (struct group *)) modp_getlen, - (void (*) (struct group *, void *, u_int8_t *)) modp_getraw, - (int (*) (struct group *, void *, u_int8_t *, int)) modp_setraw, - (int (*) (struct group *, void *)) modp_setrandom, - (int (*) (struct group *, void *, void *, void *)) modp_operation - }, - { - MODP, OAKLEY_GRP_2, 0, &oakley_modp[1], 0, 0, 0, 0, 0, - (int (*) (struct group *)) modp_getlen, - (void (*) (struct group *, void *, u_int8_t *)) modp_getraw, - (int (*) (struct group *, void *, u_int8_t *, int)) modp_setraw, - (int (*) (struct group *, void *)) modp_setrandom, - (int (*) (struct group *, void *, void *, void *)) modp_operation - }, -#ifdef USE_EC - { - EC2N, OAKLEY_GRP_3, 0, &oakley_ec2n[0], 0, 0, 0, 0, 0, - (int (*) (struct group *)) ec2n_getlen, - (void (*) (struct group *, void *, u_int8_t *)) ec2n_getraw, - (int (*) (struct group *, void *, u_int8_t *, int)) ec2n_setraw, - (int (*) (struct group *, void *)) ec2n_setrandom, - (int (*) (struct group *, void *, void *, void *)) ec2n_operation - }, - { - EC2N, OAKLEY_GRP_4, 0, &oakley_ec2n[1], 0, 0, 0, 0, 0, - (int (*) (struct group *)) ec2n_getlen, - (void (*) (struct group *, void *, u_int8_t *)) ec2n_getraw, - (int (*) (struct group *, void *, u_int8_t *, int)) ec2n_setraw, - (int (*) (struct group *, void *)) ec2n_setrandom, - (int (*) (struct group *, void *, void *, void *)) ec2n_operation - }, -#endif /* USE_EC */ - { - MODP, OAKLEY_GRP_5, 0, &oakley_modp[2], 0, 0, 0, 0, 0, - (int (*) (struct group *)) modp_getlen, - (void (*) (struct group *, void *, u_int8_t *)) modp_getraw, - (int (*) (struct group *, void *, u_int8_t *, int)) modp_setraw, - (int (*) (struct group *, void *)) modp_setrandom, - (int (*) (struct group *, void *, void *, void *)) modp_operation - }, -#ifdef USE_EC - /* XXX Higher EC2N group go here... */ -#endif /* USE_EC */ - /* XXX group 6 to 13 are not yet defined (draft-ike-ecc) */ - { - NOTYET, OAKLEY_GRP_6, 0, NULL, 0, 0, 0, 0, 0, - NULL, NULL, NULL, NULL, NULL - }, - { - NOTYET, OAKLEY_GRP_7, 0, NULL, 0, 0, 0, 0, 0, - NULL, NULL, NULL, NULL, NULL - }, - { - NOTYET, OAKLEY_GRP_8, 0, NULL, 0, 0, 0, 0, 0, - NULL, NULL, NULL, NULL, NULL - }, - { - NOTYET, OAKLEY_GRP_9, 0, NULL, 0, 0, 0, 0, 0, - NULL, NULL, NULL, NULL, NULL - }, - { - NOTYET, OAKLEY_GRP_10, 0, NULL, 0, 0, 0, 0, 0, - NULL, NULL, NULL, NULL, NULL - }, - { - NOTYET, OAKLEY_GRP_11, 0, NULL, 0, 0, 0, 0, 0, - NULL, NULL, NULL, NULL, NULL - }, - { - NOTYET, OAKLEY_GRP_12, 0, NULL, 0, 0, 0, 0, 0, - NULL, NULL, NULL, NULL, NULL - }, - { - NOTYET, OAKLEY_GRP_13, 0, NULL, 0, 0, 0, 0, 0, - NULL, NULL, NULL, NULL, NULL - }, - { - MODP, OAKLEY_GRP_14, 0, &oakley_modp[3], 0, 0, 0, 0, 0, - (int (*) (struct group *)) modp_getlen, - (void (*) (struct group *, void *, u_int8_t *)) modp_getraw, - (int (*) (struct group *, void *, u_int8_t *, int)) modp_setraw, - (int (*) (struct group *, void *)) modp_setrandom, - (int (*) (struct group *, void *, void *, void *)) modp_operation - }, - { - MODP, OAKLEY_GRP_15, 0, &oakley_modp[4], 0, 0, 0, 0, 0, - (int (*) (struct group *)) modp_getlen, - (void (*) (struct group *, void *, u_int8_t *)) modp_getraw, - (int (*) (struct group *, void *, u_int8_t *, int)) modp_setraw, - (int (*) (struct group *, void *)) modp_setrandom, - (int (*) (struct group *, void *, void *, void *)) modp_operation - }, - { - MODP, OAKLEY_GRP_16, 0, &oakley_modp[5], 0, 0, 0, 0, 0, - (int (*) (struct group *)) modp_getlen, - (void (*) (struct group *, void *, u_int8_t *)) modp_getraw, - (int (*) (struct group *, void *, u_int8_t *, int)) modp_setraw, - (int (*) (struct group *, void *)) modp_setrandom, - (int (*) (struct group *, void *, void *, void *)) modp_operation - }, - { - MODP, OAKLEY_GRP_17, 0, &oakley_modp[6], 0, 0, 0, 0, 0, - (int (*) (struct group *)) modp_getlen, - (void (*) (struct group *, void *, u_int8_t *)) modp_getraw, - (int (*) (struct group *, void *, u_int8_t *, int)) modp_setraw, - (int (*) (struct group *, void *)) modp_setrandom, - (int (*) (struct group *, void *, void *, void *)) modp_operation - }, - { - MODP, OAKLEY_GRP_18, 0, &oakley_modp[7], 0, 0, 0, 0, 0, - (int (*) (struct group *)) modp_getlen, - (void (*) (struct group *, void *, u_int8_t *)) modp_getraw, - (int (*) (struct group *, void *, u_int8_t *, int)) modp_setraw, - (int (*) (struct group *, void *)) modp_setrandom, - (int (*) (struct group *, void *, void *, void *)) modp_operation - }, -}; - -/* - * Initialize the group structure for later use, - * this is done by converting the values given in the describtion - * and converting them to their native representation. - */ -void -group_init(void) -{ - int i; - - for (i = sizeof(groups) / sizeof(groups[0]) - 1; i >= 0; i--) - switch (groups[i].type) { -#ifdef USE_EC - case EC2N: /* Initialize an Elliptic Curve over GF(2**n) */ - ec2n_init(&groups[i]); - break; -#endif - - case MODP: /* Initialize an over GF(p) */ - modp_init(&groups[i]); - break; - - case NOTYET: /* Not yet assigned, drop silently */ - break; - - default: - log_print("Unknown group type %d at index %d in " - "group_init().", groups[i].type, i); - break; - } -} - -struct group * -group_get(u_int32_t id) -{ - struct group *new, *clone; - - if (id < 1 || id > (sizeof(groups) / sizeof(groups[0]))) { - log_print("group_get: group ID (%u) out of range", id); - return 0; - } - clone = &groups[id - 1]; - - new = malloc(sizeof *new); - if (!new) { - log_error("group_get: malloc (%lu) failed", - (unsigned long)sizeof *new); - return 0; - } - switch (clone->type) { -#ifdef USE_EC - case EC2N: - new = ec2n_clone(new, clone); - break; -#endif - case MODP: - new = modp_clone(new, clone); - break; - default: - log_print("group_get: unknown group type %d", clone->type); - free(new); - return 0; - } - LOG_DBG((LOG_MISC, 70, "group_get: returning %p of group %d", new, - new->id)); - return new; -} - -void -group_free(struct group *grp) -{ - switch (grp->type) { -#ifdef USE_EC - case EC2N: - ec2n_free(grp); - break; -#endif - case MODP: - modp_free(grp); - break; - default: - log_print("group_free: unknown group type %d", grp->type); - break; - } - free(grp); -} - -struct group * -modp_clone(struct group *new, struct group *clone) -{ - struct modp_group *new_grp, *clone_grp = clone->group; - - new_grp = malloc(sizeof *new_grp); - if (!new_grp) { - log_print("modp_clone: malloc (%lu) failed", - (unsigned long)sizeof *new_grp); - free(new); - return 0; - } - memcpy(new, clone, sizeof(struct group)); - - new->group = new_grp; -#if MP_FLAVOUR == MP_FLAVOUR_GMP - mpz_init_set(new_grp->p, clone_grp->p); - mpz_init_set(new_grp->gen, clone_grp->gen); - - mpz_init(new_grp->a); - mpz_init(new_grp->b); - mpz_init(new_grp->c); -#elif MP_FLAVOUR == MP_FLAVOUR_OPENSSL - new_grp->p = BN_dup(clone_grp->p); - new_grp->gen = BN_dup(clone_grp->gen); - - new_grp->a = BN_new(); - new_grp->b = BN_new(); - new_grp->c = BN_new(); -#endif - - new->gen = new_grp->gen; - new->a = new_grp->a; - new->b = new_grp->b; - new->c = new_grp->c; - - return new; -} - -void -modp_free(struct group *old) -{ - struct modp_group *grp = old->group; - -#if MP_FLAVOUR == MP_FLAVOUR_GMP - mpz_clear(grp->p); - mpz_clear(grp->gen); - mpz_clear(grp->a); - mpz_clear(grp->b); - mpz_clear(grp->c); -#elif MP_FLAVOUR == MP_FLAVOUR_OPENSSL - BN_clear_free(grp->p); - BN_clear_free(grp->gen); - BN_clear_free(grp->a); - BN_clear_free(grp->b); - BN_clear_free(grp->c); -#endif - - free(grp); -} - -void -modp_init(struct group *group) -{ - struct modp_dscr *dscr = (struct modp_dscr *)group->group; - struct modp_group *grp; - - grp = malloc(sizeof *grp); - if (!grp) - log_fatal("modp_init: malloc (%lu) failed", - (unsigned long)sizeof *grp); - - group->bits = dscr->bits; - -#if MP_FLAVOUR == MP_FLAVOUR_GMP - mpz_init_set_str(grp->p, dscr->prime, 0); - mpz_init_set_str(grp->gen, dscr->gen, 0); - - mpz_init(grp->a); - mpz_init(grp->b); - mpz_init(grp->c); -#elif MP_FLAVOUR == MP_FLAVOUR_OPENSSL - grp->p = BN_new(); - BN_hex2bn(&grp->p, dscr->prime + 2); - grp->gen = BN_new(); - BN_hex2bn(&grp->gen, dscr->gen + 2); - - grp->a = BN_new(); - grp->b = BN_new(); - grp->c = BN_new(); -#endif - - group->gen = grp->gen; - group->a = grp->a; - group->b = grp->b; - group->c = grp->c; - - group->group = grp; -} - -#ifdef USE_EC -struct group * -ec2n_clone(struct group *new, struct group *clone) -{ - struct ec2n_group *new_grp, *clone_grp = clone->group; - - new_grp = malloc(sizeof *new_grp); - if (!new_grp) { - log_error("ec2n_clone: malloc (%lu) failed", - (unsigned long)sizeof *new_grp); - free(new); - return 0; - } - memcpy(new, clone, sizeof(struct group)); - - new->group = new_grp; - ec2ng_init(new_grp->grp); - ec2np_init(new_grp->gen); - ec2np_init(new_grp->a); - ec2np_init(new_grp->b); - ec2np_init(new_grp->c); - - if (ec2ng_set(new_grp->grp, clone_grp->grp)) - goto fail; - if (ec2np_set(new_grp->gen, clone_grp->gen)) - goto fail; - - new->gen = new_grp->gen; - new->a = new_grp->a; - new->b = new_grp->b; - new->c = new_grp->c; - new->d = ((ec2np_ptr) new->a)->x; - - return new; - -fail: - ec2ng_clear(new_grp->grp); - ec2np_clear(new_grp->gen); - ec2np_clear(new_grp->a); - ec2np_clear(new_grp->b); - ec2np_clear(new_grp->c); - free(new_grp); - free(new); - return 0; -} - -void -ec2n_free(struct group *old) -{ - struct ec2n_group *grp = old->group; - - ec2ng_clear(grp->grp); - ec2np_clear(grp->gen); - ec2np_clear(grp->a); - ec2np_clear(grp->b); - ec2np_clear(grp->c); - - free(grp); -} - -void -ec2n_init(struct group *group) -{ - struct ec2n_dscr *dscr = (struct ec2n_dscr *)group->group; - struct ec2n_group *grp; - - grp = malloc(sizeof *grp); - if (!grp) - log_fatal("ec2n_init: malloc (%lu) failed", - (unsigned long)sizeof *grp); - - group->bits = dscr->bits; - - ec2ng_init(grp->grp); - ec2np_init(grp->gen); - ec2np_init(grp->a); - ec2np_init(grp->b); - ec2np_init(grp->c); - - if (ec2ng_set_p_str(grp->grp, dscr->polynomial)) - goto fail; - grp->grp->p->bits = b2n_sigbit(grp->grp->p); - if (ec2ng_set_a_str(grp->grp, dscr->a)) - goto fail; - if (ec2ng_set_b_str(grp->grp, dscr->b)) - goto fail; - - if (ec2np_set_x_str(grp->gen, dscr->gen_x)) - goto fail; - if (ec2np_find_y(grp->gen, grp->grp)) - goto fail; - - /* Sanity check */ - if (!ec2np_ison(grp->gen, grp->grp)) - log_fatal("ec2n_init: generator is not on curve"); - - group->gen = grp->gen; - group->a = grp->a; - group->b = grp->b; - group->c = grp->c; - group->d = ((ec2np_ptr) group->a)->x; - - group->group = grp; - return; - -fail: - log_fatal("ec2n_init: general failure"); -} -#endif /* USE_EC */ - -int -modp_getlen(struct group *group) -{ - struct modp_group *grp = (struct modp_group *)group->group; - - return mpz_sizeinoctets(grp->p); -} - -void -modp_getraw(struct group *grp, math_mp_t v, u_int8_t *d) -{ - mpz_getraw(d, v, grp->getlen(grp)); -} - -int -modp_setraw(struct group *grp, math_mp_t d, u_int8_t *s, int l) -{ - mpz_setraw(d, s, l); - return 0; -} - -int -modp_setrandom(struct group *grp, math_mp_t d) -{ - int i, l = grp->getlen(grp); - u_int32_t tmp = 0; - -#if MP_FLAVOUR == MP_FLAVOUR_GMP - mpz_set_ui(d, 0); -#elif MP_FLAVOUR == MP_FLAVOUR_OPENSSL - BN_set_word(d, 0); -#endif - - for (i = 0; i < l; i++) { - if (i % 4) - tmp = sysdep_random(); - -#if MP_FLAVOUR == MP_FLAVOUR_GMP - mpz_mul_2exp(d, d, 8); - mpz_add_ui(d, d, tmp & 0xFF); -#elif MP_FLAVOUR == MP_FLAVOUR_OPENSSL - BN_lshift(d, d, 8); - BN_add_word(d, tmp & 0xFF); -#endif - tmp >>= 8; - } - return 0; -} - -int -modp_operation(struct group *group, math_mp_t d, math_mp_t a, math_mp_t e) -{ - struct modp_group *grp = (struct modp_group *)group->group; - -#if MP_FLAVOUR == MP_FLAVOUR_GMP - mpz_powm(d, a, e, grp->p); -#elif MP_FLAVOUR == MP_FLAVOUR_OPENSSL - BN_CTX *ctx = BN_CTX_new(); - BN_mod_exp(d, a, e, grp->p, ctx); - BN_CTX_free(ctx); -#endif - return 0; -} - -#ifdef USE_EC -int -ec2n_getlen(struct group *group) -{ - struct ec2n_group *grp = (struct ec2n_group *)group->group; - int bits = b2n_sigbit(grp->grp->p) - 1; - - return (7 + bits) >> 3; -} - -void -ec2n_getraw(struct group *group, ec2np_ptr xo, u_int8_t *e) -{ - struct ec2n_group *grp = (struct ec2n_group *) group->group; - int chunks, bytes, i, j; - b2n_ptr x = xo->x; - CHUNK_TYPE tmp; - - bytes = b2n_sigbit(grp->grp->p) - 1; - chunks = (CHUNK_MASK + bytes) >> CHUNK_SHIFTS; - bytes = ((7 + (bytes & CHUNK_MASK)) >> 3); - - for (i = chunks - 1; i >= 0; i--) { - tmp = (i >= x->chunks ? 0 : x->limp[i]); - for (j = (i == chunks - 1 ? bytes : CHUNK_BYTES) - 1; j >= 0; - j--) { - e[j] = tmp & 0xff; - tmp >>= 8; - } - e += (i == chunks - 1 ? bytes : CHUNK_BYTES); - } -} - -int -ec2n_setraw(struct group *grp, ec2np_ptr out, u_int8_t *s, int l) -{ - int len, bytes, i, j; - b2n_ptr outx = out->x; - CHUNK_TYPE tmp; - - len = (CHUNK_BYTES - 1 + l) / CHUNK_BYTES; - if (b2n_resize(outx, len)) - return -1; - - bytes = ((l - 1) % CHUNK_BYTES) + 1; - - for (i = len - 1; i >= 0; i--) { - tmp = 0; - for (j = (i == len - 1 ? bytes : CHUNK_BYTES); j > 0; j--) { - tmp <<= 8; - tmp |= *s++; - } - outx->limp[i] = tmp; - } - return 0; -} - -int -ec2n_setrandom(struct group *group, ec2np_ptr x) -{ - b2n_ptr d = x->x; - struct ec2n_group *grp = (struct ec2n_group *) group->group; - - return b2n_random(d, b2n_sigbit(grp->grp->p) - 1); -} - -/* - * This is an attempt at operation abstraction. It can happen - * that we need to initialize the y variable for the operation - * to proceed correctly. When this is the case operation has - * to supply the variable 'a' with the chunks of the Y cooridnate - * set to zero. - */ -int -ec2n_operation(struct group *grp, ec2np_ptr d, ec2np_ptr a, ec2np_ptr e) -{ - b2n_ptr ex = e->x; - struct ec2n_group *group = (struct ec2n_group *)grp->group; - - if (a->y->chunks == 0) - if (ec2np_find_y(a, group->grp)) - return -1; - - return ec2np_mul(d, a, ex, group->grp); -} -#endif /* USE_EC */ diff --git a/keyexchange/isakmpd-20041012/math_group.h b/keyexchange/isakmpd-20041012/math_group.h deleted file mode 100644 index d5a19bc..0000000 --- a/keyexchange/isakmpd-20041012/math_group.h +++ /dev/null @@ -1,94 +0,0 @@ -/* $OpenBSD: math_group.h,v 1.10 2004/04/15 18:39:26 deraadt Exp $ */ -/* $EOM: math_group.h,v 1.7 1999/04/17 23:20:40 niklas Exp $ */ - -/* - * Copyright (c) 1998 Niels Provos. All rights reserved. - * Copyright (c) 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _MATH_GROUP_H_ -#define _MATH_GROUP_H_ - -enum groups { - MODP, /* F_p, Z modulo a prime */ - EC2N, /* Elliptic Curve over the Field GF(2**N) */ - ECP, /* Elliptic Curve over the Field Z_p */ - NOTYET /* Not yet assigned */ -}; - -/* - * The group on which diffie hellmann calculations are done. - */ - -struct group { - enum groups type; - int id; /* Group ID */ - int bits; /* Number of key bits provided by this group */ - void *group; - void *a, *b, *c, *d; - void *gen; /* Group Generator */ - int (*getlen) (struct group *); - void (*getraw) (struct group *, void *, u_int8_t *); - int (*setraw) (struct group *, void *, u_int8_t *, int); - int (*setrandom) (struct group *, void *); - int (*operation) (struct group *, void *, void *, void *); -}; - -/* Description of an Elliptic Group over GF(2**n) for Boot-Strapping */ - -struct ec2n_dscr { - int id; - int bits; /* Key Bits provided by this group */ - char *polynomial; /* Irreduceable polynomial */ - char *gen_x; /* X - Coord. of Generator */ - char *a, *b; /* Curve Parameters */ -}; - -/* Description of F_p for Boot-Strapping */ - -struct modp_dscr { - int id; - int bits; /* Key Bits provided by this group */ - char *prime; /* Prime */ - char *gen; /* Generator */ -}; - -/* Prototypes */ - -void group_init(void); -void group_free(struct group *); -struct group *group_get(u_int32_t); - -void ec2n_free(struct group *); -struct group *ec2n_clone(struct group *, struct group *); -void ec2n_init(struct group *); - -void modp_free(struct group *); -struct group *modp_clone(struct group *, struct group *); -void modp_init(struct group *); - -#endif /* _MATH_GROUP_H_ */ diff --git a/keyexchange/isakmpd-20041012/math_mp.h b/keyexchange/isakmpd-20041012/math_mp.h deleted file mode 100644 index ed554fc..0000000 --- a/keyexchange/isakmpd-20041012/math_mp.h +++ /dev/null @@ -1,56 +0,0 @@ -/* $OpenBSD: math_mp.h,v 1.6 2004/04/15 18:39:26 deraadt Exp $ */ -/* $EOM: math_mp.h,v 1.4 2000/09/16 09:41:43 ho Exp $ */ - -/* - * Copyright (c) 1999, 2000 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _MATH_MP_H_ -#define _MATH_MP_H_ - -#define MP_FLAVOUR_GMP 1 -#define MP_FLAVOUR_OPENSSL 2 - -#if MP_FLAVOUR == MP_FLAVOUR_GMP - -#include <gmp.h> - -#define math_mp_t mpz_t - -#elif MP_FLAVOUR == MP_FLAVOUR_OPENSSL - -#include <openssl/bn.h> - -typedef BIGNUM *math_mp_t; - -#else - -#error "No multiprecision math library chosen." - -#endif - -#endif /* _MATH_MP_H_ */ diff --git a/keyexchange/isakmpd-20041012/message.c b/keyexchange/isakmpd-20041012/message.c deleted file mode 100644 index 9259e2d..0000000 --- a/keyexchange/isakmpd-20041012/message.c +++ /dev/null @@ -1,2530 +0,0 @@ -/* $OpenBSD: message.c,v 1.89 2004/09/17 13:45:02 ho Exp $ */ -/* $EOM: message.c,v 1.156 2000/10/10 12:36:39 provos Exp $ */ - -/* - * Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. - * Copyright (c) 1999 Angelos D. Keromytis. All rights reserved. - * Copyright (c) 1999, 2000, 2001, 2004 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/types.h> -#include <sys/socket.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <stdlib.h> -#include <string.h> - -#include "sysdep.h" - -#include "attribute.h" -#include "cert.h" -#include "constants.h" -#include "crypto.h" -#include "doi.h" -#ifdef USE_DPD -#include "dpd.h" -#endif -#include "exchange.h" -#include "field.h" -#include "hash.h" -#include "ipsec.h" -#include "ipsec_num.h" -#include "isakmp.h" -#include "log.h" -#include "message.h" -#if defined (USE_NAT_TRAVERSAL) -#include "nat_traversal.h" -#endif -#include "prf.h" -#include "sa.h" -#include "timer.h" -#include "transport.h" -#include "util.h" -#include "virtual.h" - -#ifdef __GNUC__ -#define INLINE __inline -#else -#define INLINE -#endif - -/* A local set datatype, coincidentally fd_set suits our purpose fine. */ -typedef fd_set set; -#define ISSET FD_ISSET -#define SET FD_SET -#define ZERO FD_ZERO - -static int message_check_duplicate(struct message *); -static int message_encrypt(struct message *); -static int message_index_payload(struct message *, struct payload *, - u_int8_t ,u_int8_t *); -static int message_parse_transform(struct message *, struct payload *, - u_int8_t, u_int8_t *); -static u_int16_t message_payload_sz(u_int8_t); -static int message_validate_attribute(struct message *, struct payload *); -static int message_validate_cert(struct message *, struct payload *); -static int message_validate_cert_req(struct message *, struct payload *); -static int message_validate_delete(struct message *, struct payload *); -static int message_validate_hash(struct message *, struct payload *); -static int message_validate_id(struct message *, struct payload *); -static int message_validate_key_exch(struct message *, struct payload *); -static int message_validate_nat_d(struct message *, struct payload *); -static int message_validate_nat_oa(struct message *, struct payload *); -static int message_validate_nonce(struct message *, struct payload *); -static int message_validate_notify(struct message *, struct payload *); -static int message_validate_proposal(struct message *, struct payload *); -static int message_validate_sa(struct message *, struct payload *); -static int message_validate_sig(struct message *, struct payload *); -static int message_validate_transform(struct message *, struct payload *); -static int message_validate_vendor(struct message *, struct payload *); - -static void message_packet_log(struct message *); - -static int (*message_validate_payload[])(struct message *, struct payload *) = -{ - message_validate_sa, message_validate_proposal, - message_validate_transform, message_validate_key_exch, - message_validate_id, message_validate_cert, message_validate_cert_req, - message_validate_hash, message_validate_sig, message_validate_nonce, - message_validate_notify, message_validate_delete, - message_validate_vendor, message_validate_attribute, - message_validate_nat_d, message_validate_nat_oa, - message_validate_nat_d, message_validate_nat_oa -}; - -static struct field *fields[] = { - isakmp_sa_fld, isakmp_prop_fld, isakmp_transform_fld, isakmp_ke_fld, - isakmp_id_fld, isakmp_cert_fld, isakmp_certreq_fld, isakmp_hash_fld, - isakmp_sig_fld, isakmp_nonce_fld, isakmp_notify_fld, isakmp_delete_fld, - isakmp_vendor_fld, isakmp_attribute_fld, isakmp_nat_d_fld, - isakmp_nat_oa_fld, isakmp_nat_d_fld, isakmp_nat_oa_fld -}; - -/* - * These maps are used for indexing the payloads in msg->payloads[i]. - * payload_revmap should be updated if the payloads in isakmp_num.cst change. - * payload_map is populated during startup by message_init(). - */ -static u_int8_t payload_revmap[] = { - ISAKMP_PAYLOAD_NONE, ISAKMP_PAYLOAD_SA, ISAKMP_PAYLOAD_PROPOSAL, - ISAKMP_PAYLOAD_TRANSFORM, ISAKMP_PAYLOAD_KEY_EXCH, ISAKMP_PAYLOAD_ID, - ISAKMP_PAYLOAD_CERT, ISAKMP_PAYLOAD_CERT_REQ, ISAKMP_PAYLOAD_HASH, - ISAKMP_PAYLOAD_SIG, ISAKMP_PAYLOAD_NONCE, ISAKMP_PAYLOAD_NOTIFY, - ISAKMP_PAYLOAD_DELETE, ISAKMP_PAYLOAD_VENDOR, ISAKMP_PAYLOAD_ATTRIBUTE, -#ifdef notyet - ISAKMP_PAYLOAD_SAK, ISAKMP_PAYLOAD_SAT, ISAKMP_PAYLOAD_KD, - ISAKMP_PAYLOAD_SEQ, ISAKMP_PAYLOAD_POP -#endif - ISAKMP_PAYLOAD_NAT_D, ISAKMP_PAYLOAD_NAT_OA, - ISAKMP_PAYLOAD_NAT_D_DRAFT, ISAKMP_PAYLOAD_NAT_OA_DRAFT -}; - -static u_int8_t payload_map[256]; -u_int8_t payload_index_max; - -/* - * Fields used for checking monotonic increasing of proposal and transform - * numbers. - */ -static u_int8_t *last_sa = 0; -static u_int32_t last_prop_no; -static u_int8_t *last_prop = 0; -static u_int32_t last_xf_no; - -/* - * Allocate a message structure bound to transport T, and with a first - * segment buffer sized SZ, copied from BUF if given. - */ -struct message * -message_alloc(struct transport *t, u_int8_t *buf, size_t sz) -{ - struct message *msg; - int i; - - /* - * We use calloc(3) because it zeroes the structure which we rely on in - * message_free when determining what sub-allocations to free. - */ - msg = (struct message *)calloc(1, sizeof *msg); - if (!msg) - return 0; - msg->iov = calloc(1, sizeof *msg->iov); - if (!msg->iov) { - message_free(msg); - return 0; - } - msg->iov[0].iov_len = sz; - msg->iov[0].iov_base = malloc(sz); - if (!msg->iov[0].iov_base) { - message_free(msg); - return 0; - } - msg->iovlen = 1; - if (buf) - memcpy(msg->iov[0].iov_base, buf, sz); - msg->nextp = (u_int8_t *)msg->iov[0].iov_base + - ISAKMP_HDR_NEXT_PAYLOAD_OFF; - msg->transport = t; - transport_reference(t); - msg->payload = (struct payload_head *)calloc(payload_index_max, - sizeof *msg->payload); - if (!msg->payload) { - message_free(msg); - return 0; - } - for (i = 0; i < payload_index_max; i++) - TAILQ_INIT(&msg->payload[i]); - TAILQ_INIT(&msg->post_send); - LOG_DBG((LOG_MESSAGE, 90, "message_alloc: allocated %p", msg)); - return msg; -} - -/* - * Allocate a message suitable for a reply to MSG. Just allocate an empty - * ISAKMP header as the first segment. - */ -struct message * -message_alloc_reply(struct message *msg) -{ - struct message *reply; - - reply = message_alloc(msg->transport, 0, ISAKMP_HDR_SZ); - reply->exchange = msg->exchange; - reply->isakmp_sa = msg->isakmp_sa; - if (msg->isakmp_sa) - sa_reference(msg->isakmp_sa); - return reply; -} - -/* Free up all resources used by the MSG message. */ -void -message_free(struct message *msg) -{ - u_int32_t i; - struct payload *payload, *next; - - LOG_DBG((LOG_MESSAGE, 20, "message_free: freeing %p", msg)); - if (!msg) - return; - if (msg->orig && msg->orig != (u_int8_t *) msg->iov[0].iov_base) - free(msg->orig); - if (msg->iov) { - for (i = 0; i < msg->iovlen; i++) - if (msg->iov[i].iov_base) - free(msg->iov[i].iov_base); - free(msg->iov); - } - if (msg->retrans) - timer_remove_event(msg->retrans); - if (msg->payload) { - for (i = 0; i < payload_index_max; i++) - for (payload = payload_first(msg, i); payload; - payload = next) { - next = TAILQ_NEXT(payload, link); - free(payload); - } - free(msg->payload); - } - while (TAILQ_FIRST(&msg->post_send) != 0) - TAILQ_REMOVE(&msg->post_send, TAILQ_FIRST(&msg->post_send), - link); - - /* If we are on the send queue, remove us from there. */ - if (msg->flags & MSG_IN_TRANSIT) - TAILQ_REMOVE(msg->transport->vtbl->get_queue(msg), msg, link); - - if (msg->transport) - transport_release(msg->transport); - - if (msg->isakmp_sa) - sa_release(msg->isakmp_sa); - - free(msg); -} - -/* - * Generic ISAKMP parser. - * MSG is the ISAKMP message to be parsed. NEXT is the type of the first - * payload to be parsed, and it's pointed to by BUF. ACCEPTED_PAYLOADS - * tells what payloads are accepted and FUNC is a pointer to a function - * to be called for each payload found. Returns the total length of the - * parsed payloads. - */ -static int -message_parse_payloads(struct message *msg, struct payload *p, u_int8_t next, - u_int8_t *buf, set *accepted_payloads, int (*func)(struct message *, - struct payload *, u_int8_t, u_int8_t *)) -{ - u_int8_t payload; - u_int16_t len; - int sz = 0; - - do { - LOG_DBG((LOG_MESSAGE, 50, - "message_parse_payloads: offset %ld payload %s", - (long)(buf - (u_int8_t *) msg->iov[0].iov_base), - constant_name(isakmp_payload_cst, next))); - - /* Does this payload's header fit? */ - if (buf + ISAKMP_GEN_SZ > (u_int8_t *)msg->iov[0].iov_base + - msg->iov[0].iov_len) { - log_print("message_parse_payloads: short message"); - message_drop(msg, - ISAKMP_NOTIFY_UNEQUAL_PAYLOAD_LENGTHS, 0, 1, 1); - return -1; - } - /* Ponder on the payload that is at BUF... */ - payload = next; - - /* Look at the next payload's type. */ - next = GET_ISAKMP_GEN_NEXT_PAYLOAD(buf); - if (next >= ISAKMP_PAYLOAD_RESERVED_MIN && - next <= ISAKMP_PAYLOAD_RESERVED_MAX) { - log_print("message_parse_payloads: invalid next " - "payload type %s in payload of type %d", - constant_name(isakmp_payload_cst, next), payload); - message_drop(msg, ISAKMP_NOTIFY_INVALID_PAYLOAD_TYPE, - 0, 1, 1); - return -1; - } - /* Reserved fields in ISAKMP messages should be zero. */ - if (GET_ISAKMP_GEN_RESERVED(buf) != 0) { - log_print("message_parse_payloads: reserved field " - "non-zero: %x", GET_ISAKMP_GEN_RESERVED(buf)); - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, - 0, 1, 1); - return -1; - } - /* - * Decode and validate the payload length field. - */ - len = GET_ISAKMP_GEN_LENGTH(buf); - - if (message_payload_sz(payload) == 0) { - log_print("message_parse_payloads: unknown minimum " - "payload size for payload type %s", - constant_name(isakmp_payload_cst, payload)); - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, - 0, 1, 1); - return -1; - } - if (len < message_payload_sz(payload)) { - log_print("message_parse_payloads: payload too " - "short: %u", len); - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, - 0, 1, 1); - return -1; - } - if (buf + len > (u_int8_t *)msg->iov[0].iov_base + - msg->iov[0].iov_len) { - log_print("message_parse_payloads: payload too " - "long: %u", len); - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, - 0, 1, 1); - return -1; - } - /* Ignore most private payloads. */ - if (next >= ISAKMP_PAYLOAD_PRIVATE_MIN && - next != ISAKMP_PAYLOAD_NAT_D_DRAFT && - next != ISAKMP_PAYLOAD_NAT_OA_DRAFT) { - LOG_DBG((LOG_MESSAGE, 30, "message_parse_payloads: " - "private next payload type %s in payload of " - "type %d ignored", - constant_name(isakmp_payload_cst, next), payload)); - goto next_payload; - } - /* - * Check if the current payload is one of the accepted ones at - * this stage. - */ - if (!ISSET(payload, accepted_payloads)) { - log_print("message_parse_payloads: payload type %s " - "unexpected", constant_name(isakmp_payload_cst, - payload)); - message_drop(msg, ISAKMP_NOTIFY_INVALID_PAYLOAD_TYPE, - 0, 1, 1); - return -1; - } - /* Call the payload handler specified by the caller. */ - if (func(msg, p, payload, buf)) - return -1; - -next_payload: - /* Advance to next payload. */ - buf += len; - sz += len; - } - while (next != ISAKMP_PAYLOAD_NONE); - return sz; -} - -/* - * Parse a proposal payload found in message MSG. PAYLOAD is always - * ISAKMP_PAYLOAD_PROPOSAL and ignored in here. It's needed as the API for - * message_parse_payloads requires it. BUF points to the proposal's - * generic payload header. - */ -static int -message_parse_proposal(struct message *msg, struct payload *p, - u_int8_t payload, u_int8_t *buf) -{ - set payload_set; - - /* Put the proposal into the proposal bucket. */ - message_index_payload(msg, p, payload, buf); - - ZERO(&payload_set); - SET(payload_revmap[ISAKMP_PAYLOAD_TRANSFORM], &payload_set); - if (message_parse_payloads(msg, - payload_last(msg, ISAKMP_PAYLOAD_PROPOSAL), - ISAKMP_PAYLOAD_TRANSFORM, buf + ISAKMP_PROP_SPI_OFF + - GET_ISAKMP_PROP_SPI_SZ(buf), &payload_set, message_parse_transform) - == -1) - return -1; - - return 0; -} - -static int -message_parse_transform(struct message *msg, struct payload *p, - u_int8_t payload, u_int8_t *buf) -{ - /* Put the transform into the transform bucket. */ - message_index_payload(msg, p, payload, buf); - - LOG_DBG((LOG_MESSAGE, 50, "Transform %d's attributes", - GET_ISAKMP_TRANSFORM_NO(buf))); -#ifdef USE_DEBUG - attribute_map(buf + ISAKMP_TRANSFORM_SA_ATTRS_OFF, - GET_ISAKMP_GEN_LENGTH(buf) - ISAKMP_TRANSFORM_SA_ATTRS_OFF, - msg->exchange->doi->debug_attribute, msg); -#endif - - return 0; -} - -/* Check payloads for their required minimum size. */ -static u_int16_t -message_payload_sz(u_int8_t payload) -{ - switch (payload) { - case ISAKMP_PAYLOAD_SA: - return ISAKMP_SA_SZ; - case ISAKMP_PAYLOAD_PROPOSAL: - return ISAKMP_PROP_SZ; - case ISAKMP_PAYLOAD_TRANSFORM: - return ISAKMP_TRANSFORM_SZ; - case ISAKMP_PAYLOAD_KEY_EXCH: - return ISAKMP_KE_SZ; - case ISAKMP_PAYLOAD_ID: - return ISAKMP_ID_SZ; - case ISAKMP_PAYLOAD_CERT: - return ISAKMP_CERT_SZ; - case ISAKMP_PAYLOAD_CERT_REQ: - return ISAKMP_CERTREQ_SZ; - case ISAKMP_PAYLOAD_HASH: - return ISAKMP_HASH_SZ; - case ISAKMP_PAYLOAD_SIG: - return ISAKMP_SIG_SZ; - case ISAKMP_PAYLOAD_NONCE: - return ISAKMP_NONCE_SZ; - case ISAKMP_PAYLOAD_NOTIFY: - return ISAKMP_NOTIFY_SZ; - case ISAKMP_PAYLOAD_DELETE: - return ISAKMP_DELETE_SZ; - case ISAKMP_PAYLOAD_VENDOR: - return ISAKMP_VENDOR_SZ; - case ISAKMP_PAYLOAD_ATTRIBUTE: - return ISAKMP_ATTRIBUTE_SZ; -#if defined (USE_NAT_TRAVERSAL) - case ISAKMP_PAYLOAD_NAT_D: - case ISAKMP_PAYLOAD_NAT_D_DRAFT: - return ISAKMP_NAT_D_SZ; - case ISAKMP_PAYLOAD_NAT_OA: - case ISAKMP_PAYLOAD_NAT_OA_DRAFT: - return ISAKMP_NAT_OA_SZ; -#endif - /* Not yet supported and any other unknown payloads. */ - case ISAKMP_PAYLOAD_SAK: - case ISAKMP_PAYLOAD_SAT: - case ISAKMP_PAYLOAD_KD: - case ISAKMP_PAYLOAD_SEQ: - case ISAKMP_PAYLOAD_POP: - default: - return 0; - } -} - -/* Validate the attribute payload P in message MSG. */ -static int -message_validate_attribute(struct message *msg, struct payload *p) -{ -#ifdef USE_ISAKMP_CFG - /* If we don't have an exchange yet, create one. */ - if (!msg->exchange) { - if (zero_test((u_int8_t *) msg->iov[0].iov_base + - ISAKMP_HDR_MESSAGE_ID_OFF, ISAKMP_HDR_MESSAGE_ID_LEN)) - msg->exchange = exchange_setup_p1(msg, - IPSEC_DOI_IPSEC); - else - msg->exchange = exchange_setup_p2(msg, - IPSEC_DOI_IPSEC); - if (!msg->exchange) { - log_print("message_validate_attribute: can not " - "create exchange"); - message_free(msg); - return -1; - } - } -#endif - return 0; -} - -/* Validate the certificate payload P in message MSG. */ -static int -message_validate_cert(struct message *msg, struct payload *p) -{ - if (GET_ISAKMP_CERT_ENCODING(p->p) >= ISAKMP_CERTENC_RESERVED_MIN) { - message_drop(msg, ISAKMP_NOTIFY_INVALID_CERT_ENCODING, 0, 1, - 1); - return -1; - } - return 0; -} - -/* Validate the certificate request payload P in message MSG. */ -static int -message_validate_cert_req(struct message *msg, struct payload *p) -{ - struct cert_handler *cert; - size_t len = - GET_ISAKMP_GEN_LENGTH(p->p) - ISAKMP_CERTREQ_AUTHORITY_OFF; - - if (GET_ISAKMP_CERTREQ_TYPE(p->p) >= ISAKMP_CERTENC_RESERVED_MIN) { - message_drop(msg, ISAKMP_NOTIFY_INVALID_CERT_ENCODING, 0, 1, - 1); - return -1; - } - /* - * Check the certificate types we support and if an acceptable - * authority is included in the payload check if it can be decoded - */ - cert = cert_get(GET_ISAKMP_CERTREQ_TYPE(p->p)); - if (!cert || (len && !cert->certreq_validate(p->p + - ISAKMP_CERTREQ_AUTHORITY_OFF, len))) { - message_drop(msg, ISAKMP_NOTIFY_CERT_TYPE_UNSUPPORTED, 0, 1, - 1); - return -1; - } - return 0; -} - -/* - * Validate the delete payload P in message MSG. As a side-effect, create - * an exchange if we do not have one already. - * - * Note: DELETEs are only accepted as part of an INFORMATIONAL exchange. - * exchange_validate() makes sure a HASH payload is present. Due to the order - * of message validation functions in message_validate_payload[] we can be - * sure that the HASH payload has been successfully validated at this point. - */ -static int -message_validate_delete(struct message *msg, struct payload *p) -{ - u_int8_t proto = GET_ISAKMP_DELETE_PROTO(p->p); - struct doi *doi; - struct sa *sa, *isakmp_sa; - struct sockaddr *dst, *dst_isa; - u_int32_t nspis = GET_ISAKMP_DELETE_NSPIS(p->p); - u_int8_t *spis = (u_int8_t *)p->p + ISAKMP_DELETE_SPI_OFF; - u_int32_t i; - char *addr; - - /* Only accept authenticated DELETEs. */ - if ((msg->flags & MSG_AUTHENTICATED) == 0) { - log_print("message_validate_delete: " - "got unauthenticated DELETE"); - message_free(msg); - return -1; - } - - doi = doi_lookup(GET_ISAKMP_DELETE_DOI(p->p)); - if (!doi) { - log_print("message_validate_delete: DOI not supported"); - message_free(msg); - return -1; - } - /* If we don't have an exchange yet, create one. */ - if (!msg->exchange) { - if (zero_test((u_int8_t *) msg->iov[0].iov_base - + ISAKMP_HDR_MESSAGE_ID_OFF, ISAKMP_HDR_MESSAGE_ID_LEN)) - msg->exchange = exchange_setup_p1(msg, doi->id); - else - msg->exchange = exchange_setup_p2(msg, doi->id); - if (!msg->exchange) { - log_print("message_validate_delete: can not create " - "exchange"); - message_free(msg); - return -1; - } - } - /* Only accept DELETE as part of an INFORMATIONAL exchange. */ - if (msg->exchange->type != ISAKMP_EXCH_INFO) { - log_print("message_validate_delete: delete in exchange other " - "than INFO: %s", constant_name(isakmp_exch_cst, - msg->exchange->type)); - message_free(msg); - return -1; - } - if (proto != ISAKMP_PROTO_ISAKMP && doi->validate_proto(proto)) { - log_print("message_validate_delete: protocol not supported"); - message_free(msg); - return -1; - } - /* Validate the SPIs. */ - for (i = 0; i < nspis; i++) { - /* Get ISAKMP SA protecting this message. */ - isakmp_sa = msg->isakmp_sa; - if (!isakmp_sa) { - /* XXX should not happen? */ - log_print("message_validate_delete: invalid spi (no " - "valid ISAKMP SA found)"); - message_free(msg); - return -1; - } - isakmp_sa->transport->vtbl->get_dst(isakmp_sa->transport, - &dst_isa); - - /* Get SA to be deleted. */ - msg->transport->vtbl->get_dst(msg->transport, &dst); - if (proto == ISAKMP_PROTO_ISAKMP) - sa = sa_lookup_isakmp_sa(dst, spis + i - * ISAKMP_HDR_COOKIES_LEN); - else - sa = ipsec_sa_lookup(dst, ((u_int32_t *) spis)[i], - proto); - if (!sa) { - LOG_DBG((LOG_MESSAGE, 50, "message_validate_delete: " - "invalid spi (no valid SA found)")); - message_free(msg); - return -1; - } - sa->transport->vtbl->get_dst(sa->transport, &dst); - - /* Destination addresses must match. */ - if (dst->sa_family != dst_isa->sa_family || - memcmp(sockaddr_addrdata(dst_isa), sockaddr_addrdata(dst), - sockaddr_addrlen(dst))) { - sockaddr2text(dst_isa, &addr, 0); - - log_print("message_validate_delete: invalid spi " - "(illegal delete request from %s)", addr); - free(addr); - message_free(msg); - return -1; - } - } - - return 0; -} - -/* - * Validate the hash payload P in message MSG. - * XXX Currently hash payloads are processed by the particular exchanges, - * except INFORMATIONAL. This should be actually done here. - */ -static int -message_validate_hash(struct message *msg, struct payload *p) -{ - struct sa *isakmp_sa = msg->isakmp_sa; - struct ipsec_sa *isa; - struct hash *hash; - struct payload *hashp = payload_first(msg, ISAKMP_PAYLOAD_HASH); - struct prf *prf; - u_int8_t *comp_hash, *rest; - u_int8_t message_id[ISAKMP_HDR_MESSAGE_ID_LEN]; - size_t rest_len; - - /* active exchanges other than INFORMATIONAL validates hash payload. */ - if (msg->exchange && (msg->exchange->type != ISAKMP_EXCH_INFO)) - return 0; - - if (isakmp_sa == NULL) { - log_print("message_validate_hash: invalid hash information"); - message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, - 0, 1, 1); - return -1; - } - isa = isakmp_sa->data; - hash = hash_get(isa->hash); - - if (hash == NULL) { - log_print("message_validate_hash: invalid hash information"); - message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, - 0, 1, 1); - return -1; - } - /* If no SKEYID_a, we can not do anything (should not happen). */ - if (!isa->skeyid_a) { - log_print("message_validate_hash: invalid hash information"); - message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, - 0, 1, 1); - return -1; - } - /* Allocate the prf and start calculating our HASH(1). */ - LOG_DBG_BUF((LOG_MISC, 90, "message_validate_hash: SKEYID_a", - isa->skeyid_a, isa->skeyid_len)); - prf = prf_alloc(isa->prf_type, hash->type, isa->skeyid_a, - isa->skeyid_len); - if (!prf) { - message_free(msg); - return -1; - } - comp_hash = (u_int8_t *)malloc(hash->hashsize); - if (!comp_hash) { - log_error("message_validate_hash: malloc (%lu) failed", - (unsigned long)hash->hashsize); - prf_free(prf); - message_free(msg); - return -1; - } - /* This is not an active exchange. */ - GET_ISAKMP_HDR_MESSAGE_ID(msg->iov[0].iov_base, message_id); - - prf->Init(prf->prfctx); - LOG_DBG_BUF((LOG_MISC, 90, "message_validate_hash: message_id", - message_id, ISAKMP_HDR_MESSAGE_ID_LEN)); - prf->Update(prf->prfctx, message_id, ISAKMP_HDR_MESSAGE_ID_LEN); - rest = hashp->p + GET_ISAKMP_GEN_LENGTH(hashp->p); - rest_len = (GET_ISAKMP_HDR_LENGTH(msg->iov[0].iov_base) - (rest - - (u_int8_t *)msg->iov[0].iov_base)); - LOG_DBG_BUF((LOG_MISC, 90, - "message_validate_hash: payloads after HASH(1)", rest, rest_len)); - prf->Update(prf->prfctx, rest, rest_len); - prf->Final(comp_hash, prf->prfctx); - prf_free(prf); - - if (memcmp(hashp->p + ISAKMP_HASH_DATA_OFF, comp_hash, - hash->hashsize)) { - log_print("message_validate_hash: invalid hash value for %s " - "payload", payload_first(msg, ISAKMP_PAYLOAD_DELETE) ? - "DELETE" : "NOTIFY"); - message_drop(msg, ISAKMP_NOTIFY_INVALID_HASH_INFORMATION, - 0, 1, 1); - free(comp_hash); - return -1; - } - free(comp_hash); - - /* Mark the HASH as handled. */ - hashp->flags |= PL_MARK; - - /* Mark message as authenticated. */ - msg->flags |= MSG_AUTHENTICATED; - - return 0; -} - -/* Validate the identification payload P in message MSG. */ -static int -message_validate_id(struct message *msg, struct payload *p) -{ - struct exchange *exchange = msg->exchange; - size_t len = GET_ISAKMP_GEN_LENGTH(p->p); - - if (!exchange) { - /* We should have an exchange at this point. */ - log_print("message_validate_id: payload out of sequence"); - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1); - return -1; - } - if (exchange->doi - && exchange->doi->validate_id_information(GET_ISAKMP_ID_TYPE(p->p), - p->p + ISAKMP_ID_DOI_DATA_OFF, p->p + ISAKMP_ID_DATA_OFF, len - - ISAKMP_ID_DATA_OFF, exchange)) { - message_drop(msg, ISAKMP_NOTIFY_INVALID_ID_INFORMATION, 0, 1, - 1); - return -1; - } - return 0; -} - -/* Validate the key exchange payload P in message MSG. */ -static int -message_validate_key_exch(struct message *msg, struct payload *p) -{ - struct exchange *exchange = msg->exchange; - size_t len = GET_ISAKMP_GEN_LENGTH(p->p); - - if (!exchange) { - /* We should have an exchange at this point. */ - log_print("message_validate_key_exch: " - "payload out of sequence"); - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1); - return -1; - } - if (exchange->doi && exchange->doi->validate_key_information(p->p + - ISAKMP_KE_DATA_OFF, len - ISAKMP_KE_DATA_OFF)) { - message_drop(msg, ISAKMP_NOTIFY_INVALID_KEY_INFORMATION, - 0, 1, 1); - return -1; - } - return 0; -} - -/* Validate the NAT-D payload P in message MSG. */ -static int -message_validate_nat_d(struct message *msg, struct payload *p) -{ - struct exchange *exchange = msg->exchange; - - if (!exchange) { - /* We should have an exchange at this point. */ - log_print("message_validate_nat_d: payload out of sequence"); - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1); - return -1; - } - - if (exchange->phase != 1) { - log_print("message_validate_nat_d: " - "NAT-D payload must be in phase 1"); - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1); - return -1; - } - - /* Mark as handled. */ - p->flags |= PL_MARK; - - return 0; -} - -/* Validate the NAT-OA payload P in message MSG. */ -static int -message_validate_nat_oa(struct message *msg, struct payload *p) -{ - struct exchange *exchange = msg->exchange; - - if (!exchange) { - /* We should have an exchange at this point. */ - log_print("message_validate_nat_d: payload out of sequence"); - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1); - return -1; - } - -#ifdef notyet /* XXX Probably never, due to patent issues. */ - /* Mark as handled. */ - p->flags |= PL_MARK; -#endif - - return 0; -} - -/* Validate the nonce payload P in message MSG. */ -static int -message_validate_nonce(struct message *msg, struct payload *p) -{ - if (!msg->exchange) { - /* We should have an exchange at this point. */ - log_print("message_validate_nonce: payload out of sequence"); - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1); - return -1; - } - /* Nonces require no specific validation. */ - return 0; -} - -/* - * Validate the notify payload P in message MSG. As a side-effect, create - * an exchange if we do not have one already. - */ -static int -message_validate_notify(struct message *msg, struct payload *p) -{ - u_int8_t proto = GET_ISAKMP_NOTIFY_PROTO(p->p); - u_int16_t type = GET_ISAKMP_NOTIFY_MSG_TYPE(p->p); - struct doi *doi; - - doi = doi_lookup(GET_ISAKMP_NOTIFY_DOI(p->p)); - if (!doi) { - log_print("message_validate_notify: DOI not supported"); - message_free(msg); - return -1; - } - /* If we don't have an exchange yet, create one. */ - if (!msg->exchange) { - if (zero_test((u_int8_t *) msg->iov[0].iov_base + - ISAKMP_HDR_MESSAGE_ID_OFF, ISAKMP_HDR_MESSAGE_ID_LEN)) - msg->exchange = exchange_setup_p1(msg, doi->id); - else - msg->exchange = exchange_setup_p2(msg, doi->id); - if (!msg->exchange) { - log_print("message_validate_notify: can not create " - "exchange"); - message_free(msg); - return -1; - } - } - if (proto != ISAKMP_PROTO_ISAKMP && doi->validate_proto(proto)) { - log_print("message_validate_notify: protocol not supported"); - message_free(msg); - return -1; - } - - /* Validate the SPI. XXX Just ISAKMP for now. */ - if (proto == ISAKMP_PROTO_ISAKMP && - GET_ISAKMP_NOTIFY_SPI_SZ(p->p) == ISAKMP_HDR_COOKIES_LEN && - msg->isakmp_sa && - memcmp(p->p + ISAKMP_NOTIFY_SPI_OFF, msg->isakmp_sa->cookies, - ISAKMP_HDR_COOKIES_LEN) != 0) { - log_print("message_validate_notify: bad cookies"); - message_drop(msg, ISAKMP_NOTIFY_INVALID_SPI, 0, 1, 0); - return -1; - } - - if (type < ISAKMP_NOTIFY_INVALID_PAYLOAD_TYPE - || (type >= ISAKMP_NOTIFY_RESERVED_MIN - && type < ISAKMP_NOTIFY_PRIVATE_MIN) - || (type >= ISAKMP_NOTIFY_STATUS_RESERVED1_MIN - && type <= ISAKMP_NOTIFY_STATUS_RESERVED1_MAX) - || (type >= ISAKMP_NOTIFY_STATUS_DOI_MIN - && type <= ISAKMP_NOTIFY_STATUS_DOI_MAX - && doi->validate_notification(type)) - || type >= ISAKMP_NOTIFY_STATUS_RESERVED2_MIN) { - log_print("message_validate_notify: " - "message type not supported"); - message_free(msg); - return -1; - } - - return 0; -} - -/* Validate the proposal payload P in message MSG. */ -static int -message_validate_proposal(struct message *msg, struct payload *p) -{ - u_int8_t proto = GET_ISAKMP_PROP_PROTO(p->p); - u_int8_t *sa = p->context->p; - - if (!msg->exchange) { - /* We should have an exchange at this point. */ - log_print("message_validate_proposal: " - "payload out of sequence"); - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1); - return -1; - } - if (proto != ISAKMP_PROTO_ISAKMP - && msg->exchange->doi->validate_proto(proto)) { - message_drop(msg, ISAKMP_NOTIFY_INVALID_PROTOCOL_ID, 0, 1, 1); - return -1; - } - /* Check that we get monotonically increasing proposal IDs per SA. */ - if (sa != last_sa) - last_sa = sa; - else if (GET_ISAKMP_PROP_NO(p->p) < last_prop_no) { - message_drop(msg, ISAKMP_NOTIFY_BAD_PROPOSAL_SYNTAX, 0, 1, 1); - return -1; - } - last_prop_no = GET_ISAKMP_PROP_NO(p->p); - - /* XXX Validate the SPI, and other syntactic things. */ - - return 0; -} - -/* - * Validate the SA payload P in message MSG. - * Aside from normal validation, note what DOI is in use for other - * validation routines to look at. Also index the proposal payloads - * on the fly. - * XXX This assumes PAYLOAD_SA is always the first payload - * to be validated, which is true for IKE, except for quick mode where - * a PAYLOAD_HASH comes first, but in that specific case it does not matter. - * XXX Make sure the above comment is relevant, isn't SA always checked - * first due to the IANA assigned payload number? - */ -static int -message_validate_sa(struct message *msg, struct payload *p) -{ - set payload_set; - size_t len; - u_int32_t doi_id; - struct exchange *exchange = msg->exchange; - u_int8_t *pkt = msg->iov[0].iov_base; - - doi_id = GET_ISAKMP_SA_DOI(p->p); - if (!doi_lookup(doi_id)) { - log_print("message_validate_sa: DOI not supported"); - message_drop(msg, ISAKMP_NOTIFY_DOI_NOT_SUPPORTED, 0, 1, 1); - return -1; - } - /* - * It's time to figure out what SA this message is about. If it is - * already set, then we are creating a new phase 1 SA. Otherwise, - * lookup the SA using the cookies and the message ID. If we cannot - * find it, and the phase 1 SA is ready, setup a phase 2 SA. - */ - if (!exchange) { - if (zero_test(pkt + ISAKMP_HDR_RCOOKIE_OFF, - ISAKMP_HDR_RCOOKIE_LEN)) - exchange = exchange_setup_p1(msg, doi_id); - else if (msg->isakmp_sa->flags & SA_FLAG_READY) - exchange = exchange_setup_p2(msg, doi_id); - else { - /* XXX What to do here? */ - message_free(msg); - return -1; - } - if (!exchange) { - /* XXX Log? */ - message_free(msg); - return -1; - } - } - msg->exchange = exchange; - - /* - * Create a struct sa for each SA payload handed to us unless we are - * the initiator where we only will count them. - */ - if (exchange->initiator) { - /* XXX Count SA payloads. */ - } else if (sa_create(exchange, msg->transport)) { - /* XXX Remove exchange if we just created it? */ - message_free(msg); - return -1; - } - if (exchange->phase == 1) { - msg->isakmp_sa = TAILQ_FIRST(&exchange->sa_list); - if (msg->isakmp_sa) - sa_reference(msg->isakmp_sa); - } - /* - * Let the DOI validate the situation, at the same time it tells us - * what the length of the situation field is. - */ - if (exchange->doi->validate_situation(p->p + ISAKMP_SA_SIT_OFF, &len, - GET_ISAKMP_GEN_LENGTH(p->p) - ISAKMP_SA_SIT_OFF)) { - log_print("message_validate_sa: situation not supported"); - message_drop(msg, ISAKMP_NOTIFY_SITUATION_NOT_SUPPORTED, - 0, 1, 1); - return -1; - } - /* - * Reset the fields we base our proposal & transform number checks - * on. - */ - last_sa = last_prop = 0; - last_prop_no = last_xf_no = 0; - - /* Go through the PROPOSAL payloads. */ - ZERO(&payload_set); - SET(payload_revmap[ISAKMP_PAYLOAD_PROPOSAL], &payload_set); - if (message_parse_payloads(msg, p, ISAKMP_PAYLOAD_PROPOSAL, - p->p + ISAKMP_SA_SIT_OFF + len, &payload_set, - message_parse_proposal) == -1) - return -1; - - return 0; -} - -/* Validate the signature payload P in message MSG. */ -static int -message_validate_sig(struct message *msg, struct payload *p) -{ - if (!msg->exchange) { - /* We should have an exchange at this point. */ - log_print("message_validate_sig: payload out of sequence"); - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1); - return -1; - } - /* XXX Not implemented yet. */ - return 0; -} - -/* Validate the transform payload P in message MSG. */ -static int -message_validate_transform(struct message *msg, struct payload *p) -{ - u_int8_t proto = GET_ISAKMP_PROP_PROTO(p->context->p); - u_int8_t *prop = p->context->p; - - if (!msg->exchange) { - /* We should have an exchange at this point. */ - log_print("message_validate_transform: " - "payload out of sequence"); - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1); - return -1; - } - if (msg->exchange->doi - ->validate_transform_id(proto, GET_ISAKMP_TRANSFORM_ID(p->p))) { - message_drop(msg, ISAKMP_NOTIFY_INVALID_TRANSFORM_ID, 0, 1, 1); - return -1; - } - /* Check that the reserved field is zero. */ - if (!zero_test(p->p + ISAKMP_TRANSFORM_RESERVED_OFF, - ISAKMP_TRANSFORM_RESERVED_LEN)) { - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1); - return -1; - } - /* - * Check that we get monotonically increasing transform numbers per - * proposal. - */ - if (prop != last_prop) - last_prop = prop; - else if (GET_ISAKMP_TRANSFORM_NO(p->p) <= last_xf_no) { - message_drop(msg, ISAKMP_NOTIFY_BAD_PROPOSAL_SYNTAX, 0, 1, 1); - return -1; - } - last_xf_no = GET_ISAKMP_TRANSFORM_NO(p->p); - - /* Validate the attributes. */ - if (attribute_map(p->p + ISAKMP_TRANSFORM_SA_ATTRS_OFF, - GET_ISAKMP_GEN_LENGTH(p->p) - ISAKMP_TRANSFORM_SA_ATTRS_OFF, - msg->exchange->doi->validate_attribute, msg)) { - message_drop(msg, ISAKMP_NOTIFY_ATTRIBUTES_NOT_SUPPORTED, - 0, 1, 1); - return -1; - } - return 0; -} - -/* Validate the vendor payload P in message MSG. */ -static int -message_validate_vendor(struct message *msg, struct payload *p) -{ - if (!msg->exchange) { - /* We should have an exchange at this point. */ - log_print("message_validate_vendor: payload out of sequence"); - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1); - return -1; - } - /* Vendor IDs are only allowed in phase 1. */ - if (msg->exchange->phase != 1) { - message_drop(msg, ISAKMP_NOTIFY_INVALID_PAYLOAD_TYPE, 0, 1, 1); - return -1; - } -#if defined (USE_DPD) - dpd_check_vendor_payload(msg, p); -#endif -#if defined (USE_NAT_TRAVERSAL) - nat_t_check_vendor_payload(msg, p); -#endif - if (!(p->flags & PL_MARK)) - LOG_DBG((LOG_MESSAGE, 40, "message_validate_vendor: " - "vendor ID seen")); - return 0; -} - -/* - * Add an index-record pointing to the payload at BUF in message MSG - * to the PAYLOAD bucket of payloads. This allows us to quickly reference - * payloads by type. Also stash the parent payload P link into the new - * node so we can go from transforms -> payloads -> SAs. - */ -static int -message_index_payload(struct message *msg, struct payload *p, u_int8_t payload, - u_int8_t *buf) -{ - struct payload *payload_node; - - /* Put the payload pointer into the right bucket. */ - payload_node = malloc(sizeof *payload_node); - if (!payload_node) - return -1; - payload_node->p = buf; - payload_node->context = p; - payload_node->flags = 0; - TAILQ_INSERT_TAIL(&msg->payload[payload_map[payload]], payload_node, - link); - return 0; -} - -/* - * Group each payload found in MSG by type for easy reference later. - * While doing this, validate the generic parts of the message structure too. - * NEXT is the 1st payload's type. This routine will also register the - * computed message length (i.e. without padding) in msg->iov[0].iov_len. - */ -static int -message_sort_payloads(struct message *msg, u_int8_t next) -{ - set payload_set; - int i, sz; - - ZERO(&payload_set); - for (i = ISAKMP_PAYLOAD_SA; i < payload_index_max; i++) - if (i != ISAKMP_PAYLOAD_PROPOSAL && i != - ISAKMP_PAYLOAD_TRANSFORM) - SET(payload_revmap[i], &payload_set); - sz = message_parse_payloads(msg, 0, next, - (u_int8_t *)msg->iov[0].iov_base + ISAKMP_HDR_SZ, &payload_set, - message_index_payload); - if (sz == -1) - return -1; - msg->iov[0].iov_len = ISAKMP_HDR_SZ + sz; - SET_ISAKMP_HDR_LENGTH(msg->iov[0].iov_base, ISAKMP_HDR_SZ + sz); - return 0; -} - -/* Run all the generic payload tests that the drafts specify. */ -static int -message_validate_payloads(struct message *msg) -{ - int i; - struct payload *p; - - for (i = ISAKMP_PAYLOAD_SA; i < payload_index_max; i++) - for (p = payload_first(msg, i); p; p = TAILQ_NEXT(p, link)) { - LOG_DBG((LOG_MESSAGE, 60, "message_validate_payloads: " - "payload %s at %p of message %p", - constant_name(isakmp_payload_cst, i), p->p, msg)); - field_dump_payload(fields[i - ISAKMP_PAYLOAD_SA], - p->p); - if (message_validate_payload[i - ISAKMP_PAYLOAD_SA] - (msg, p)) - return -1; - } - return 0; -} - -/* - * All incoming messages go through here. We do generic validity checks - * and try to find or establish SAs. Last but not least we try to find - * the exchange this message, MSG, is part of, and feed it there. - */ -int -message_recv(struct message *msg) -{ - u_int8_t *buf = msg->iov[0].iov_base; - size_t sz = msg->iov[0].iov_len; - u_int8_t exch_type; - int setup_isakmp_sa, msgid_is_zero; - u_int8_t flags; - struct keystate *ks = 0; - struct proto tmp_proto; - struct sa tmp_sa; - - /* Messages shorter than an ISAKMP header are bad. */ - if (sz < ISAKMP_HDR_SZ || sz != GET_ISAKMP_HDR_LENGTH(buf)) { - log_print("message_recv: bad message length"); - message_drop(msg, ISAKMP_NOTIFY_UNEQUAL_PAYLOAD_LENGTHS, - 0, 1, 1); - return -1; - } -#ifdef USE_DEBUG - /* Possibly dump a raw hex image of the message to the log channel. */ - message_dump_raw("message_recv", msg, LOG_MESSAGE); -#endif - - /* - * If the responder cookie is zero, this is a request to setup an - * ISAKMP SA. Otherwise the cookies should refer to an existing - * ISAKMP SA. - * - * XXX This is getting ugly, please reread later to see if it can be - * made nicer. - */ - setup_isakmp_sa = zero_test(buf + ISAKMP_HDR_RCOOKIE_OFF, - ISAKMP_HDR_RCOOKIE_LEN); - if (setup_isakmp_sa) { - /* - * This might be a retransmission of a former ISAKMP SA setup - * message. If so, just drop it. - * XXX Must we really look in both the SA and exchange pools? - */ - if (exchange_lookup_from_icookie(buf + ISAKMP_HDR_ICOOKIE_OFF) - || sa_lookup_from_icookie(buf + ISAKMP_HDR_ICOOKIE_OFF)) { - /* - * XXX Later we should differentiate between - * retransmissions and potential replay attacks. - */ - LOG_DBG((LOG_MESSAGE, 90, - "message_recv: dropping setup for existing SA")); - message_free(msg); - return -1; - } - } else { - msg->isakmp_sa = sa_lookup_by_header(buf, 0); - if (msg->isakmp_sa) - sa_reference(msg->isakmp_sa); - - /* - * If we cannot find an ISAKMP SA out of the cookies, this is - * either a responder's first reply, and we need to upgrade - * our exchange, or it's just plain invalid cookies. - */ - if (!msg->isakmp_sa) { - msg->exchange = exchange_lookup_from_icookie(buf + - ISAKMP_HDR_ICOOKIE_OFF); - if (msg->exchange && msg->exchange->phase == 1 - && zero_test(msg->exchange->cookies + - ISAKMP_HDR_RCOOKIE_OFF, ISAKMP_HDR_RCOOKIE_LEN)) - exchange_upgrade_p1(msg); - else { - log_print("message_recv: invalid cookie(s) " - "%08x%08x %08x%08x", - decode_32(buf + ISAKMP_HDR_ICOOKIE_OFF), - decode_32(buf + ISAKMP_HDR_ICOOKIE_OFF + 4), - decode_32(buf + ISAKMP_HDR_RCOOKIE_OFF), - decode_32(buf + ISAKMP_HDR_RCOOKIE_OFF + 4)); - tmp_proto.sa = &tmp_sa; - tmp_sa.doi = doi_lookup(ISAKMP_DOI_ISAKMP); - tmp_proto.proto = ISAKMP_PROTO_ISAKMP; - tmp_proto.spi_sz[1] = ISAKMP_HDR_COOKIES_LEN; - tmp_proto.spi[1] = - buf + ISAKMP_HDR_COOKIES_OFF; - message_drop(msg, ISAKMP_NOTIFY_INVALID_COOKIE, - &tmp_proto, 1, 1); - return -1; - } -#if 0 - msg->isakmp_sa = sa_lookup_from_icookie(buf + - ISAKMP_HDR_ICOOKIE_OFF); - if (msg->isakmp_sa) - sa_isakmp_upgrade(msg); -#endif - } - msg->exchange = exchange_lookup(buf, 1); - } - - if (message_check_duplicate(msg)) - return -1; - - if (GET_ISAKMP_HDR_NEXT_PAYLOAD(buf) >= ISAKMP_PAYLOAD_RESERVED_MIN) { - log_print("message_recv: invalid payload type %d in ISAKMP " - "header (check passphrases, if applicable and in Phase 1)", - GET_ISAKMP_HDR_NEXT_PAYLOAD(buf)); - message_drop(msg, ISAKMP_NOTIFY_INVALID_PAYLOAD_TYPE, 0, 1, 1); - return -1; - } - /* Validate that the message is of version 1.0. */ - if (ISAKMP_VERSION_MAJOR(GET_ISAKMP_HDR_VERSION(buf)) != 1) { - log_print("message_recv: invalid version major %d", - ISAKMP_VERSION_MAJOR(GET_ISAKMP_HDR_VERSION(buf))); - message_drop(msg, ISAKMP_NOTIFY_INVALID_MAJOR_VERSION, 0, 1, - 1); - return -1; - } - if (ISAKMP_VERSION_MINOR(GET_ISAKMP_HDR_VERSION(buf)) != 0) { - log_print("message_recv: invalid version minor %d", - ISAKMP_VERSION_MINOR(GET_ISAKMP_HDR_VERSION(buf))); - message_drop(msg, ISAKMP_NOTIFY_INVALID_MINOR_VERSION, 0, 1, - 1); - return -1; - } - /* - * Validate the exchange type. If it's a DOI-specified exchange wait - * until after all payloads have been seen for the validation as the - * SA payload might not yet have been parsed, thus the DOI might be - * unknown. - */ - exch_type = GET_ISAKMP_HDR_EXCH_TYPE(buf); - if (exch_type == ISAKMP_EXCH_NONE - || (exch_type >= ISAKMP_EXCH_FUTURE_MIN && - exch_type <= ISAKMP_EXCH_FUTURE_MAX) - || (setup_isakmp_sa && exch_type >= ISAKMP_EXCH_DOI_MIN)) { - log_print("message_recv: invalid exchange type %s", - constant_name(isakmp_exch_cst, exch_type)); - message_drop(msg, ISAKMP_NOTIFY_INVALID_EXCHANGE_TYPE, 0, 1, - 1); - return -1; - } - /* - * Check for unrecognized flags, or the encryption flag when we don't - * have an ISAKMP SA to decrypt with. - */ - flags = GET_ISAKMP_HDR_FLAGS(buf); - if (flags & ~(ISAKMP_FLAGS_ENC | ISAKMP_FLAGS_COMMIT | - ISAKMP_FLAGS_AUTH_ONLY)) { - log_print("message_recv: invalid flags 0x%x", - GET_ISAKMP_HDR_FLAGS(buf)); - message_drop(msg, ISAKMP_NOTIFY_INVALID_FLAGS, 0, 1, 1); - return -1; - } - /* - * If we are about to setup an ISAKMP SA, the message ID must be - * zero. - */ - msgid_is_zero = zero_test(buf + ISAKMP_HDR_MESSAGE_ID_OFF, - ISAKMP_HDR_MESSAGE_ID_LEN); - if (setup_isakmp_sa && !msgid_is_zero) { - log_print("message_recv: invalid message id"); - message_drop(msg, ISAKMP_NOTIFY_INVALID_MESSAGE_ID, 0, 1, 1); - return -1; - } - if (!setup_isakmp_sa && msgid_is_zero) { - /* - * XXX Very likely redundant, look at the else clause of the - * if (setup_isakmp_sa) statement above. - */ - msg->exchange = exchange_lookup(buf, 0); - if (!msg->exchange) { - log_print("message_recv: phase 1 message after " - "ISAKMP SA is ready"); - message_free(msg); - return -1; - } else if (msg->exchange->last_sent) { - LOG_DBG((LOG_MESSAGE, 80, "message_recv: resending " - "last message from phase 1")); - message_send(msg->exchange->last_sent); - } - } - if (flags & ISAKMP_FLAGS_ENC) { - if (!msg->isakmp_sa) { - LOG_DBG((LOG_MISC, 10, "message_recv: no isakmp_sa " - "for encrypted message")); - message_free(msg); - return -1; - } - /* Decrypt rest of message using a DOI-specified IV. */ - ks = msg->isakmp_sa->doi->get_keystate(msg); - if (!ks) { - message_free(msg); - return -1; - } - msg->orig = malloc(sz); - if (!msg->orig) { - message_free(msg); - free(ks); - return -1; - } - memcpy(msg->orig, buf, sz); - crypto_decrypt(ks, buf + ISAKMP_HDR_SZ, sz - ISAKMP_HDR_SZ); - } else - msg->orig = buf; - msg->orig_sz = sz; - - /* IKE packet capture */ - message_packet_log(msg); - - /* - * Check the overall payload structure at the same time as indexing - * them by type. - */ - if (GET_ISAKMP_HDR_NEXT_PAYLOAD(buf) != ISAKMP_PAYLOAD_NONE - && message_sort_payloads(msg, GET_ISAKMP_HDR_NEXT_PAYLOAD(buf))) { - if (ks) - free(ks); - return -1; - } - /* - * Run generic payload tests now. If anything fails these checks, the - * message needs either to be retained for later duplicate checks or - * freed entirely. - * XXX Should SAs and even transports be cleaned up then too? - */ - if (message_validate_payloads(msg)) { - if (ks) - free(ks); - return -1; - } - /* - * If we have not found an exchange by now something is definitely - * wrong. - */ - if (!msg->exchange) { - log_print("message_recv: no exchange"); - message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 1); - if (ks) - free(ks); - return -1; - } - /* - * Now we can validate DOI-specific exchange types. If we have no SA - * DOI-specific exchange types are definitely wrong. - */ - if (exch_type >= ISAKMP_EXCH_DOI_MIN - && exch_type <= ISAKMP_EXCH_DOI_MAX - && msg->exchange->doi->validate_exchange(exch_type)) { - log_print("message_recv: invalid DOI exchange type %d", - exch_type); - message_drop(msg, ISAKMP_NOTIFY_INVALID_EXCHANGE_TYPE, 0, 1, - 1); - if (ks) - free(ks); - return -1; - } - /* Make sure the IV we used gets saved in the proper SA. */ - if (ks) { - if (!msg->exchange->keystate) { - msg->exchange->keystate = ks; - msg->exchange->crypto = ks->xf; - } else - free(ks); - } - /* Handle the flags. */ - if (flags & ISAKMP_FLAGS_ENC) - msg->exchange->flags |= EXCHANGE_FLAG_ENCRYPT; - if ((msg->exchange->flags & EXCHANGE_FLAG_COMMITTED) == 0 - && (flags & ISAKMP_FLAGS_COMMIT)) - msg->exchange->flags |= EXCHANGE_FLAG_HE_COMMITTED; - - /* - * Except for the 3rd Aggressive Mode message, require encryption - * as soon as we have the keystate for it. - */ - if ((flags & ISAKMP_FLAGS_ENC) == 0 && - (msg->exchange->phase == 2 || - (msg->exchange->keystate && - msg->exchange->type != ISAKMP_EXCH_AGGRESSIVE))) { - log_print("message_recv: cleartext phase %d message", - msg->exchange->phase); - message_drop(msg, ISAKMP_NOTIFY_INVALID_FLAGS, 0, 1, 1); - return -1; - } - - /* OK let the exchange logic do the rest. */ - exchange_run(msg); - - return 0; -} - -void -message_send_expire(struct message *msg) -{ - msg->retrans = 0; - - message_send(msg); -} - -/* Queue up message MSG for transmittal. */ -void -message_send(struct message *msg) -{ - struct exchange *exchange = msg->exchange; - struct message *m; - struct msg_head *q; - - /* Remove retransmissions on this message */ - if (msg->retrans) { - timer_remove_event(msg->retrans); - msg->retrans = 0; - } - /* IKE packet capture */ - message_packet_log(msg); - - /* - * If the ISAKMP SA has set up encryption, encrypt the message. - * However, in a retransmit, it is already encrypted. - */ - if ((msg->flags & MSG_ENCRYPTED) == 0 - && exchange->flags & EXCHANGE_FLAG_ENCRYPT) { - if (!exchange->keystate) { - exchange->keystate = exchange->doi->get_keystate(msg); - if (!exchange->keystate) - return; - exchange->crypto = exchange->keystate->xf; - exchange->flags |= EXCHANGE_FLAG_ENCRYPT; - } - if (message_encrypt(msg)) { - /* XXX Log. */ - return; - } - } - /* Keep the COMMIT bit on. */ - if (exchange->flags & EXCHANGE_FLAG_COMMITTED) - SET_ISAKMP_HDR_FLAGS(msg->iov[0].iov_base, - GET_ISAKMP_HDR_FLAGS(msg->iov[0].iov_base) - | ISAKMP_FLAGS_COMMIT); - -#ifdef USE_DEBUG - message_dump_raw("message_send", msg, LOG_MESSAGE); -#endif - msg->flags |= MSG_IN_TRANSIT; - exchange->in_transit = msg; - - /* - * If we get a retransmission of a message before our response - * has left the queue, don't queue it again, as it will result - * in a circular list. - */ - q = msg->transport->vtbl->get_queue(msg); - for (m = TAILQ_FIRST(q); m; m = TAILQ_NEXT(m, link)) - if (m == msg) { - LOG_DBG((LOG_MESSAGE, 60, - "message_send: msg %p already on sendq %p", m, q)); - return; - } - TAILQ_INSERT_TAIL(q, msg, link); -} - -/* - * Setup the ISAKMP message header for message MSG. EXCHANGE is the exchange - * type, FLAGS are the ISAKMP header flags and MSG_ID is message ID - * identifying the exchange. - */ -void -message_setup_header(struct message *msg, u_int8_t exchange, u_int8_t flags, - u_int8_t *msg_id) -{ - u_int8_t *buf = msg->iov[0].iov_base; - - SET_ISAKMP_HDR_ICOOKIE(buf, msg->exchange->cookies); - SET_ISAKMP_HDR_RCOOKIE(buf, msg->exchange->cookies + - ISAKMP_HDR_ICOOKIE_LEN); - SET_ISAKMP_HDR_NEXT_PAYLOAD(buf, ISAKMP_PAYLOAD_NONE); - SET_ISAKMP_HDR_VERSION(buf, ISAKMP_VERSION_MAKE(1, 0)); - SET_ISAKMP_HDR_EXCH_TYPE(buf, exchange); - SET_ISAKMP_HDR_FLAGS(buf, flags); - SET_ISAKMP_HDR_MESSAGE_ID(buf, msg_id); - SET_ISAKMP_HDR_LENGTH(buf, msg->iov[0].iov_len); -} - -/* - * Add the payload of type PAYLOAD in BUF sized SZ to the MSG message. - * The caller thereby is released from the responsibility of freeing BUF, - * unless we return a failure of course. If LINK is set the former - * payload's "next payload" field to PAYLOAD. - * - * XXX We might want to resize the iov array several slots at a time. - */ -int -message_add_payload(struct message *msg, u_int8_t payload, u_int8_t *buf, - size_t sz, int link) -{ - struct iovec *new_iov; - struct payload *payload_node; - - payload_node = calloc(1, sizeof *payload_node); - if (!payload_node) { - log_error("message_add_payload: calloc (1, %lu) failed", - (unsigned long)sizeof *payload_node); - return -1; - } - new_iov = (struct iovec *) realloc(msg->iov, (msg->iovlen + 1) * - sizeof *msg->iov); - if (!new_iov) { - log_error("message_add_payload: realloc (%p, %lu) failed", - msg->iov, (msg->iovlen + 1) * - (unsigned long)sizeof *msg->iov); - free(payload_node); - return -1; - } - msg->iov = new_iov; - new_iov[msg->iovlen].iov_base = buf; - new_iov[msg->iovlen].iov_len = sz; - msg->iovlen++; - if (link) - *msg->nextp = payload; - msg->nextp = buf + ISAKMP_GEN_NEXT_PAYLOAD_OFF; - *msg->nextp = ISAKMP_PAYLOAD_NONE; - SET_ISAKMP_GEN_RESERVED(buf, 0); - SET_ISAKMP_GEN_LENGTH(buf, sz); - SET_ISAKMP_HDR_LENGTH(msg->iov[0].iov_base, - GET_ISAKMP_HDR_LENGTH(msg->iov[0].iov_base) + sz); - - /* - * For the sake of exchange_validate we index the payloads even in - * outgoing messages, however context and flags are uninteresting in - * this situation. - */ - payload_node->p = buf; - TAILQ_INSERT_TAIL(&msg->payload[payload_map[payload]], payload_node, - link); - return 0; -} - -/* XXX Move up when ready. */ -struct info_args { - char discr; - u_int32_t doi; - u_int8_t proto; - u_int16_t spi_sz; - union { - struct { - u_int16_t msg_type; - u_int8_t *spi; - } n; - struct { - u_int16_t nspis; - u_int8_t *spis; - } d; -#if defined (USE_DPD) - struct { - u_int16_t msg_type; - u_int8_t *spi; - u_int32_t seq; - } dpd; -#endif - } u; -}; - -/* - * As a reaction to the incoming message MSG create an informational exchange - * protected by ISAKMP_SA and send a notify payload of type NOTIFY, with - * fields initialized from SA. INCOMING is true if the SPI field should be - * filled with the incoming SPI and false if it is to be filled with the - * outgoing one. - * - * XXX Should we handle sending multiple notify payloads? The draft allows - * it, but do we need it? Furthermore, should we not return a success - * status value? - */ -void -message_send_notification(struct message *msg, struct sa *isakmp_sa, - u_int16_t notify, struct proto *proto, int incoming) -{ - struct info_args args; - struct sa *doi_sa = proto ? proto->sa : isakmp_sa; - - args.discr = 'N'; - args.doi = doi_sa ? doi_sa->doi->id : ISAKMP_DOI_ISAKMP; - args.proto = proto ? proto->proto : ISAKMP_PROTO_ISAKMP; - args.spi_sz = proto ? proto->spi_sz[incoming] : 0; - args.u.n.msg_type = notify; - args.u.n.spi = proto ? proto->spi[incoming] : 0; - if (isakmp_sa && (isakmp_sa->flags & SA_FLAG_READY)) - exchange_establish_p2(isakmp_sa, ISAKMP_EXCH_INFO, 0, &args, - 0, 0); - else - exchange_establish_p1(msg->transport, ISAKMP_EXCH_INFO, - msg->exchange ? msg->exchange->doi->id : ISAKMP_DOI_ISAKMP, - 0, &args, 0, 0); -} - -/* Send a DELETE inside an informational exchange for each protocol in SA. */ -void -message_send_delete(struct sa *sa) -{ - struct info_args args; - struct proto *proto; - struct sa *isakmp_sa; - struct sockaddr *dst; - - sa->transport->vtbl->get_dst(sa->transport, &dst); - isakmp_sa = sa_isakmp_lookup_by_peer(dst, sysdep_sa_len(dst)); - if (!isakmp_sa) { - /* - * XXX We ought to setup an ISAKMP SA with our peer here and - * send the DELETE over that one. - */ - return; - } - args.discr = 'D'; - args.doi = sa->doi->id; - args.u.d.nspis = 1; - for (proto = TAILQ_FIRST(&sa->protos); proto; - proto = TAILQ_NEXT(proto, link)) { - args.proto = proto->proto; - args.spi_sz = proto->spi_sz[1]; - args.u.d.spis = proto->spi[1]; - exchange_establish_p2(isakmp_sa, ISAKMP_EXCH_INFO, 0, &args, - 0, 0); - } -} - -#if defined (USE_DPD) -void -message_send_dpd_notify(struct sa* isakmp_sa, u_int16_t notify, u_int32_t seq) -{ - struct info_args args; - - args.discr = 'P'; - args.doi = IPSEC_DOI_IPSEC; - args.proto = ISAKMP_PROTO_ISAKMP; - args.spi_sz = ISAKMP_HDR_COOKIES_LEN; - args.u.dpd.msg_type = notify; - args.u.dpd.spi = isakmp_sa->cookies; - args.u.dpd.seq = htonl(seq); - - exchange_establish_p2(isakmp_sa, ISAKMP_EXCH_INFO, 0, &args, 0, 0); -} -#endif - -/* Build the informational message into MSG. */ -int -message_send_info(struct message *msg) -{ - u_int8_t *buf; - size_t sz = 0; - struct info_args *args = msg->extra; - u_int8_t payload; - - /* Let the DOI get the first hand on the message. */ - if (msg->exchange->doi->informational_pre_hook) - if (msg->exchange->doi->informational_pre_hook(msg)) - return -1; - - switch (args->discr) { -#if defined (USE_DPD) - case 'P': - sz = sizeof args->u.dpd.seq; - /* FALLTHROUGH */ -#endif - case 'N': - sz += ISAKMP_NOTIFY_SPI_OFF + args->spi_sz; - break; - case 'D': - default: /* Silence gcc */ - sz = ISAKMP_DELETE_SPI_OFF + args->u.d.nspis * args->spi_sz; - break; - } - - buf = calloc(1, sz); - if (!buf) { - log_error("message_send_info: calloc (1, %lu) failed", - (unsigned long)sz); - message_free(msg); - return -1; - } - switch (args->discr) { -#if defined (USE_DPD) - case 'P': - memcpy(buf + ISAKMP_NOTIFY_SPI_OFF + args->spi_sz, - &args->u.dpd.seq, sizeof args->u.dpd.seq); - /* FALLTHROUGH */ -#endif - case 'N': - /* Build the NOTIFY payload. */ - payload = ISAKMP_PAYLOAD_NOTIFY; - SET_ISAKMP_NOTIFY_DOI(buf, args->doi); - SET_ISAKMP_NOTIFY_PROTO(buf, args->proto); - SET_ISAKMP_NOTIFY_SPI_SZ(buf, args->spi_sz); - SET_ISAKMP_NOTIFY_MSG_TYPE(buf, args->u.n.msg_type); - memcpy(buf + ISAKMP_NOTIFY_SPI_OFF, args->u.n.spi, - args->spi_sz); - break; - - case 'D': - default: /* Silence GCC. */ - /* Build the DELETE payload. */ - payload = ISAKMP_PAYLOAD_DELETE; - SET_ISAKMP_DELETE_DOI(buf, args->doi); - SET_ISAKMP_DELETE_PROTO(buf, args->proto); - SET_ISAKMP_DELETE_SPI_SZ(buf, args->spi_sz); - SET_ISAKMP_DELETE_NSPIS(buf, args->u.d.nspis); - memcpy(buf + ISAKMP_DELETE_SPI_OFF, args->u.d.spis, - args->u.d.nspis * args->spi_sz); - msg->flags |= MSG_PRIORITIZED; - break; - } - - if (message_add_payload(msg, payload, buf, sz, 1)) { - free(buf); - message_free(msg); - return -1; - } - /* Let the DOI get the last hand on the message. */ - if (msg->exchange->doi->informational_post_hook) - if (msg->exchange->doi->informational_post_hook(msg)) { - message_free(msg); - return -1; - } - return 0; -} - -/* - * Drop the MSG message due to reason given in NOTIFY. If NOTIFY is set - * send out a notification to the originator. Fill this notification with - * values from PROTO. INCOMING decides which SPI to include. If CLEAN is - * set, free the message when ready with it. - */ -void -message_drop(struct message *msg, int notify, struct proto *proto, - int incoming, int clean) -{ - struct transport *t = msg->transport; - struct sockaddr *dst; - char *address; - short port = 0; - - t->vtbl->get_dst(t, &dst); - if (sockaddr2text(dst, &address, 0)) { - log_error("message_drop: sockaddr2text () failed"); - address = 0; - } - switch (dst->sa_family) { - case AF_INET: - port = ((struct sockaddr_in *)dst)->sin_port; - break; - case AF_INET6: - port = ((struct sockaddr_in6 *)dst)->sin6_port; - break; - default: - log_print("message_drop: unknown protocol family %d", - dst->sa_family); - } - - log_print("dropped message from %s port %d due to notification type " - "%s", address ? address : "<unknown>", htons(port), - constant_name(isakmp_notify_cst, notify)); - - if (address) - free(address); - - /* If specified, return a notification. */ - if (notify) - message_send_notification(msg, msg->isakmp_sa, notify, proto, - incoming); - if (clean) - message_free(msg); -} - -/* - * If the user demands debug printouts, printout MSG with as much detail - * as we can without resorting to per-payload handling. - */ -void -message_dump_raw(char *header, struct message *msg, int class) -{ - u_int32_t i, j, k = 0; - char buf[80], *p = buf; - - LOG_DBG((class, 70, "%s: message %p", header, msg)); - field_dump_payload(isakmp_hdr_fld, msg->iov[0].iov_base); - for (i = 0; i < msg->iovlen; i++) - for (j = 0; j < msg->iov[i].iov_len; j++) { - snprintf(p, sizeof buf - (int) (p - buf), "%02x", - ((u_int8_t *) msg->iov[i].iov_base)[j]); - p += 2; - if (++k % 32 == 0) { - *p = '\0'; - LOG_DBG((class, 70, "%s: %s", header, buf)); - p = buf; - } else if (k % 4 == 0) - *p++ = ' '; - } - *p = '\0'; - if (p != buf) - LOG_DBG((class, 70, "%s: %s", header, buf)); -} - -static void -message_packet_log(struct message *msg) -{ -#if defined (USE_DEBUG) - struct sockaddr *src, *dst; - struct transport *t = msg->transport; - - /* Don't log retransmissions. Redundant for incoming packets... */ - if (msg->xmits > 0) - return; - -#if defined (USE_NAT_TRAVERSAL) - if (msg->exchange && msg->exchange->flags & EXCHANGE_FLAG_NAT_T_ENABLE) - t = ((struct virtual_transport *)msg->transport)->encap; -#endif - - /* Figure out direction. */ - if (msg->exchange && - msg->exchange->initiator ^ (msg->exchange->step % 2)) { - t->vtbl->get_src(t, &src); - t->vtbl->get_dst(t, &dst); - } else { - t->vtbl->get_src(t, &dst); - t->vtbl->get_dst(t, &src); - } - - log_packet_iov(src, dst, msg->iov, msg->iovlen); -#endif /* USE_DEBUG */ -} - -/* - * Encrypt an outgoing message MSG. As outgoing messages are represented - * with an iovec with one segment per payload, we need to coalesce them - * into just une buffer containing all payloads and some padding before - * we encrypt. - */ -static int -message_encrypt(struct message *msg) -{ - struct exchange *exchange = msg->exchange; - size_t i, sz = 0; - u_int8_t *buf; - - /* If no payloads, nothing to do. */ - if (msg->iovlen == 1) - return 0; - - /* - * For encryption we need to put all payloads together in a single - * buffer. This buffer should be padded to the current crypto - * transform's blocksize. - */ - for (i = 1; i < msg->iovlen; i++) - sz += msg->iov[i].iov_len; - sz = ((sz + exchange->crypto->blocksize - 1) / - exchange->crypto->blocksize) * exchange->crypto->blocksize; - buf = realloc(msg->iov[1].iov_base, sz); - if (!buf) { - log_error("message_encrypt: realloc (%p, %lu) failed", - msg->iov[1].iov_base, (unsigned long) sz); - return -1; - } - msg->iov[1].iov_base = buf; - for (i = 2; i < msg->iovlen; i++) { - memcpy(buf + msg->iov[1].iov_len, msg->iov[i].iov_base, - msg->iov[i].iov_len); - msg->iov[1].iov_len += msg->iov[i].iov_len; - free(msg->iov[i].iov_base); - } - - /* Pad with zeroes. */ - memset(buf + msg->iov[1].iov_len, '\0', sz - msg->iov[1].iov_len); - msg->iov[1].iov_len = sz; - msg->iovlen = 2; - - SET_ISAKMP_HDR_FLAGS(msg->iov[0].iov_base, - GET_ISAKMP_HDR_FLAGS(msg->iov[0].iov_base) | ISAKMP_FLAGS_ENC); - SET_ISAKMP_HDR_LENGTH(msg->iov[0].iov_base, ISAKMP_HDR_SZ + sz); - crypto_encrypt(exchange->keystate, buf, msg->iov[1].iov_len); - msg->flags |= MSG_ENCRYPTED; - - /* Update the IV so we can decrypt the next incoming message. */ - crypto_update_iv(exchange->keystate); - - return 0; -} - -/* - * Check whether the message MSG is a duplicate of the last one negotiating - * this specific SA. - */ -static int -message_check_duplicate(struct message *msg) -{ - struct exchange *exchange = msg->exchange; - size_t sz = msg->iov[0].iov_len; - u_int8_t *pkt = msg->iov[0].iov_base; - - /* If no SA has been found, we cannot test, thus it's good. */ - if (!exchange) - return 0; - - LOG_DBG((LOG_MESSAGE, 90, "message_check_duplicate: last_received %p", - exchange->last_received)); - if (exchange->last_received) { - LOG_DBG_BUF((LOG_MESSAGE, 95, - "message_check_duplicate: last_received", - exchange->last_received->orig, - exchange->last_received->orig_sz)); - /* Is it a duplicate, lose the new one. */ - if (sz == exchange->last_received->orig_sz - && memcmp(pkt, exchange->last_received->orig, sz) == 0) { - LOG_DBG((LOG_MESSAGE, 80, - "message_check_duplicate: dropping dup")); - - /* - * Retransmit if the previos sent message was the last - * of an exchange, otherwise just wait for the - * ordinary retransmission. - */ - if (exchange->last_sent && (exchange->last_sent->flags - & MSG_LAST)) - message_send(exchange->last_sent); - message_free(msg); - return -1; - } - } - /* - * As this new message is an indication that state is moving forward - * at the peer, remove the retransmit timer on our last message. - */ - if (exchange->last_sent) { - if (exchange->last_sent == exchange->in_transit) { - struct message *m = exchange->in_transit; - TAILQ_REMOVE(m->transport->vtbl->get_queue(m), m, - link); - exchange->in_transit = 0; - } - message_free(exchange->last_sent); - exchange->last_sent = 0; - } - return 0; -} - -/* Helper to message_negotiate_sa. */ -static INLINE struct payload * -step_transform(struct payload *tp, struct payload **propp, - struct payload **sap) -{ - tp = TAILQ_NEXT(tp, link); - if (tp) { - *propp = tp->context; - *sap = (*propp)->context; - } - return tp; -} - -/* - * Pick out the first transforms out of MSG (which should contain at least one - * SA payload) we accept as a full protection suite. - */ -int -message_negotiate_sa(struct message *msg, int (*validate)(struct exchange *, - struct sa *, struct sa *)) -{ - struct payload *tp, *propp, *sap, *next_tp = 0, *next_propp, *next_sap; - struct payload *saved_tp = 0, *saved_propp = 0, *saved_sap = 0; - struct sa *sa; - struct proto *proto; - int suite_ok_so_far = 0; - struct exchange *exchange = msg->exchange; - - /* - * This algorithm is a weird bottom-up thing... mostly due to the - * payload links pointing upwards. - * - * The algorithm goes something like this: - * Foreach transform - * If transform is compatible - * Remember that this protocol can work - * Skip to last transform of this protocol - * If next transform belongs to a new protocol inside the same suite - * If no transform was found for the current protocol - * Forget all earlier transforms for protocols in this suite - * Skip to last transform of this suite - * If next transform belongs to a new suite - * If the current protocol had an OK transform - * Skip to the last transform of this SA - * If the next transform belongs to a new SA - * If no transforms have been chosen - * Issue a NO_PROPOSAL_CHOSEN notification - */ - - sa = TAILQ_FIRST(&exchange->sa_list); - for (tp = payload_first(msg, ISAKMP_PAYLOAD_TRANSFORM); tp; - tp = next_tp) { - propp = tp->context; - sap = propp->context; - sap->flags |= PL_MARK; - next_tp = step_transform(tp, &next_propp, &next_sap); - - /* For each transform, see if it is compatible. */ - if (!attribute_map(tp->p + ISAKMP_TRANSFORM_SA_ATTRS_OFF, - GET_ISAKMP_GEN_LENGTH(tp->p) - - ISAKMP_TRANSFORM_SA_ATTRS_OFF, - exchange->doi->is_attribute_incompatible, msg)) { - LOG_DBG((LOG_NEGOTIATION, 30, "message_negotiate_sa: " - "transform %d proto %d proposal %d ok", - GET_ISAKMP_TRANSFORM_NO(tp->p), - GET_ISAKMP_PROP_PROTO(propp->p), - GET_ISAKMP_PROP_NO(propp->p))); - if (sa_add_transform(sa, tp, exchange->initiator, - &proto)) - goto cleanup; - suite_ok_so_far = 1; - - saved_tp = next_tp; - saved_propp = next_propp; - saved_sap = next_sap; - /* Skip to last transform of this protocol proposal. */ - while ((next_tp = step_transform(tp, &next_propp, - &next_sap)) && next_propp == propp) - tp = next_tp; - } -retry_transform: - /* - * Figure out if we will be looking at a new protocol proposal - * inside the current protection suite. - */ - if (next_tp && propp != next_propp && sap == next_sap - && (GET_ISAKMP_PROP_NO(propp->p) - == GET_ISAKMP_PROP_NO(next_propp->p))) { - if (!suite_ok_so_far) { - LOG_DBG((LOG_NEGOTIATION, 30, - "message_negotiate_sa: proto %d proposal " - "%d failed", - GET_ISAKMP_PROP_PROTO(propp->p), - GET_ISAKMP_PROP_NO(propp->p))); - /* - * Remove potentially succeeded choices from - * the SA. - */ - while (TAILQ_FIRST(&sa->protos)) - TAILQ_REMOVE(&sa->protos, - TAILQ_FIRST(&sa->protos), link); - - /* - * Skip to the last transform of this - * protection suite. - */ - while ((next_tp = step_transform(tp, - &next_propp, &next_sap)) - && (GET_ISAKMP_PROP_NO(next_propp->p) - == GET_ISAKMP_PROP_NO(propp->p)) - && next_sap == sap) - tp = next_tp; - } - suite_ok_so_far = 0; - } - /* - * Figure out if we will be looking at a new protection - * suite. - */ - if (!next_tp - || (propp != next_propp && (GET_ISAKMP_PROP_NO(propp->p) - != GET_ISAKMP_PROP_NO(next_propp->p))) - || sap != next_sap) { - /* - * Check if the suite we just considered was OK, if so - * we check it against the accepted ones. - */ - if (suite_ok_so_far) { - if (!validate || validate(exchange, sa, - msg->isakmp_sa)) { - LOG_DBG((LOG_NEGOTIATION, 30, - "message_negotiate_sa: proposal " - "%d succeeded", - GET_ISAKMP_PROP_NO(propp->p))); - - /* - * Skip to the last transform of this - * SA. - */ - while ((next_tp = step_transform(tp, - &next_propp, &next_sap)) - && next_sap == sap) - tp = next_tp; - } else { - /* Backtrack. */ - LOG_DBG((LOG_NEGOTIATION, 30, - "message_negotiate_sa: proposal " - "%d failed", - GET_ISAKMP_PROP_NO(propp->p))); - next_tp = saved_tp; - next_propp = saved_propp; - next_sap = saved_sap; - suite_ok_so_far = 0; - - /* - * Remove potentially succeeded - * choices from the SA. - */ - while (TAILQ_FIRST(&sa->protos)) - TAILQ_REMOVE(&sa->protos, - TAILQ_FIRST(&sa->protos), - link); - goto retry_transform; - } - } - } - /* Have we walked all the proposals of an SA? */ - if (!next_tp || sap != next_sap) { - if (!suite_ok_so_far) { - /* - * XXX We cannot possibly call this a drop... - * seeing we just turn down one of the offers, - * can we? I suggest renaming message_drop to - * something else. - */ - log_print("message_negotiate_sa: no " - "compatible proposal found"); - message_drop(msg, - ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0); - } - sa = TAILQ_NEXT(sa, next); - } - } - return 0; - -cleanup: - /* - * Remove potentially succeeded choices from the SA. - * XXX Do we leak struct protos and related data here? - */ - while (TAILQ_FIRST(&sa->protos)) - TAILQ_REMOVE(&sa->protos, TAILQ_FIRST(&sa->protos), link); - return -1; -} - -/* - * Add SA, proposal and transform payload(s) to MSG out of information - * found in the exchange MSG is part of.. - */ -int -message_add_sa_payload(struct message *msg) -{ - struct exchange *exchange = msg->exchange; - u_int8_t *sa_buf, *saved_nextp_sa, *saved_nextp_prop; - size_t sa_len, extra_sa_len; - int i, nprotos = 0; - struct proto *proto; - u_int8_t **transforms = 0, **proposals = 0; - size_t *transform_lens = 0, *proposal_lens = 0; - struct sa *sa; - struct doi *doi = exchange->doi; - u_int8_t *spi = 0; - size_t spi_sz; - - /* - * Generate SA payloads. - */ - for (sa = TAILQ_FIRST(&exchange->sa_list); sa; - sa = TAILQ_NEXT(sa, next)) { - /* Setup a SA payload. */ - sa_len = ISAKMP_SA_SIT_OFF + doi->situation_size(); - extra_sa_len = 0; - sa_buf = malloc(sa_len); - if (!sa_buf) { - log_error("message_add_sa_payload: " - "malloc (%lu) failed", (unsigned long)sa_len); - goto cleanup; - } - SET_ISAKMP_SA_DOI(sa_buf, doi->id); - doi->setup_situation(sa_buf); - - /* Count transforms. */ - nprotos = 0; - for (proto = TAILQ_FIRST(&sa->protos); proto; - proto = TAILQ_NEXT(proto, link)) - nprotos++; - - /* - * Allocate transient transform and proposal payload/size - * vectors. - */ - transforms = calloc(nprotos, sizeof *transforms); - if (!transforms) { - log_error("message_add_sa_payload: calloc (%d, %lu) " - "failed", nprotos, - (unsigned long)sizeof *transforms); - goto cleanup; - } - transform_lens = calloc(nprotos, sizeof *transform_lens); - if (!transform_lens) { - log_error("message_add_sa_payload: calloc (%d, %lu) " - "failed", nprotos, - (unsigned long) sizeof *transform_lens); - goto cleanup; - } - proposals = calloc(nprotos, sizeof *proposals); - if (!proposals) { - log_error("message_add_sa_payload: calloc (%d, %lu) " - "failed", nprotos, - (unsigned long)sizeof *proposals); - goto cleanup; - } - proposal_lens = calloc(nprotos, sizeof *proposal_lens); - if (!proposal_lens) { - log_error("message_add_sa_payload: calloc (%d, %lu) " - "failed", nprotos, - (unsigned long)sizeof *proposal_lens); - goto cleanup; - } - /* Pick out the chosen transforms. */ - for (proto = TAILQ_FIRST(&sa->protos), i = 0; proto; - proto = TAILQ_NEXT(proto, link), i++) { - transform_lens[i] = - GET_ISAKMP_GEN_LENGTH(proto->chosen->p); - transforms[i] = malloc(transform_lens[i]); - if (!transforms[i]) { - log_error("message_add_sa_payload: malloc " - "(%lu) failed", - (unsigned long)transform_lens[i]); - goto cleanup; - } - /* Get incoming SPI from application. */ - if (doi->get_spi) { - spi = doi->get_spi(&spi_sz, - GET_ISAKMP_PROP_PROTO(proto->chosen->context->p), - msg); - if (spi_sz && !spi) - goto cleanup; - proto->spi[1] = spi; - proto->spi_sz[1] = spi_sz; - } else - spi_sz = 0; - - proposal_lens[i] = ISAKMP_PROP_SPI_OFF + spi_sz; - proposals[i] = malloc(proposal_lens[i]); - if (!proposals[i]) { - log_error("message_add_sa_payload: malloc " - "(%lu) failed", - (unsigned long)proposal_lens[i]); - goto cleanup; - } - memcpy(transforms[i], proto->chosen->p, - transform_lens[i]); - memcpy(proposals[i], proto->chosen->context->p, - ISAKMP_PROP_SPI_OFF); - SET_ISAKMP_PROP_NTRANSFORMS(proposals[i], 1); - SET_ISAKMP_PROP_SPI_SZ(proposals[i], spi_sz); - if (spi_sz) - memcpy(proposals[i] + ISAKMP_PROP_SPI_OFF, spi, - spi_sz); - extra_sa_len += proposal_lens[i] + transform_lens[i]; - } - - /* - * Add the payloads. As this is a SA, we need to recompute the - * lengths of the payloads containing others. We also need to - * reset these payload's "next payload type" field. - */ - if (message_add_payload(msg, ISAKMP_PAYLOAD_SA, sa_buf, - sa_len, 1)) - goto cleanup; - SET_ISAKMP_GEN_LENGTH(sa_buf, sa_len + extra_sa_len); - sa_buf = 0; - - saved_nextp_sa = msg->nextp; - for (proto = TAILQ_FIRST(&sa->protos), i = 0; proto; - proto = TAILQ_NEXT(proto, link), i++) { - if (message_add_payload(msg, ISAKMP_PAYLOAD_PROPOSAL, - proposals[i], proposal_lens[i], i > 1)) - goto cleanup; - SET_ISAKMP_GEN_LENGTH(proposals[i], proposal_lens[i] + - transform_lens[i]); - proposals[i] = 0; - - saved_nextp_prop = msg->nextp; - if (message_add_payload(msg, ISAKMP_PAYLOAD_TRANSFORM, - transforms[i], transform_lens[i], 0)) - goto cleanup; - msg->nextp = saved_nextp_prop; - transforms[i] = 0; - } - msg->nextp = saved_nextp_sa; - - /* Free the temporary allocations made above. */ - free(transforms); - free(transform_lens); - free(proposals); - free(proposal_lens); - } - return 0; - -cleanup: - if (sa_buf) - free(sa_buf); - for (i = 0; i < nprotos; i++) { - if (transforms[i]) - free(transforms[i]); - if (proposals[i]) - free(proposals[i]); - } - if (transforms) - free(transforms); - if (transform_lens) - free(transform_lens); - if (proposals) - free(proposals); - if (proposal_lens) - free(proposal_lens); - return -1; -} - -/* - * Return a copy of MSG's constants starting from OFFSET and stash the size - * in SZP. It is the callers responsibility to free this up. - */ -u_int8_t * -message_copy(struct message *msg, size_t offset, size_t *szp) -{ - int skip = 0; - size_t i, sz = 0; - ssize_t start = -1; - u_int8_t *buf, *p; - - /* Calculate size of message and where we want to start to copy. */ - for (i = 1; i < msg->iovlen; i++) { - sz += msg->iov[i].iov_len; - if (sz <= offset) - skip = i; - else if (start < 0) - start = offset - (sz - msg->iov[i].iov_len); - } - - /* Allocate and copy. */ - *szp = sz - offset; - buf = malloc(*szp); - if (!buf) - return 0; - p = buf; - for (i = skip + 1; i < msg->iovlen; i++) { - memcpy(p, (u_int8_t *) msg->iov[i].iov_base + start, - msg->iov[i].iov_len - start); - p += msg->iov[i].iov_len - start; - start = 0; - } - return buf; -} - -/* Register a post-send function POST_SEND with message MSG. */ -int -message_register_post_send(struct message *msg, - void (*post_send)(struct message *)) -{ - struct post_send *node; - - node = malloc(sizeof *node); - if (!node) - return -1; - node->func = post_send; - TAILQ_INSERT_TAIL(&msg->post_send, node, link); - return 0; -} - -/* Run the post-send functions of message MSG. */ -void -message_post_send(struct message *msg) -{ - struct post_send *node; - - while ((node = TAILQ_FIRST(&msg->post_send)) != 0) { - TAILQ_REMOVE(&msg->post_send, node, link); - node->func(msg); - free(node); - } -} - -/* Initialize and populate payload_map[]. */ -void -message_init(void) -{ - u_int8_t i; - - memset(&payload_map, 0, sizeof payload_map); - - payload_index_max = sizeof payload_revmap / sizeof payload_revmap[0]; - for (i = 0; i < payload_index_max; i++) { - payload_map[payload_revmap[i]] = i; - LOG_DBG((LOG_MESSAGE, 95, "message_init: payload_map[%d] = %d", - payload_revmap[i], i)); - } -} - -struct payload * -payload_first(struct message *msg, u_int8_t payload) -{ - if (payload_map[payload]) - return TAILQ_FIRST(&msg->payload[payload_map[payload]]); - else - return 0; -} - -struct payload * -payload_last(struct message *msg, u_int8_t payload) -{ - if (payload_map[payload]) - return TAILQ_LAST(&msg->payload[payload_map[payload]], - payload_head); - else - return 0; -} diff --git a/keyexchange/isakmpd-20041012/message.h b/keyexchange/isakmpd-20041012/message.h deleted file mode 100644 index 14b1d9a..0000000 --- a/keyexchange/isakmpd-20041012/message.h +++ /dev/null @@ -1,205 +0,0 @@ -/* $OpenBSD: message.h,v 1.22 2004/08/10 15:59:10 ho Exp $ */ -/* $EOM: message.h,v 1.51 2000/10/10 12:36:39 provos Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * Copyright (c) 1999 Angelos D. Keromytis. All rights reserved. - * Copyright (c) 2001, 2004 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _MESSAGE_H_ -#define _MESSAGE_H_ - -#include <sys/param.h> -#include <sys/queue.h> -#include <sys/socket.h> -#include <sys/uio.h> - -#include "isakmp.h" - -struct event; -struct message; -struct proto; -struct sa; -struct transport; - -struct payload { - /* Link all payloads of the same type through here. */ - TAILQ_ENTRY(payload) link; - - /* The pointer to the actual payload data. */ - u_int8_t *p; - - /* - * A pointer to the parent payload, used for proposal and transform - * payloads. - */ - struct payload *context; - - /* Payload flags described below. */ - int flags; -}; - -/* Payload flags. */ - -/* - * Set this when a payload has been handled, so we later can sweep over - * unhandled ones. - */ -#define PL_MARK 1 - -/* A post-send chain of functions to be called. */ -struct post_send { - /* Link to the next function in the chain. */ - TAILQ_ENTRY(post_send) link; - - /* The actual function. */ - void (*func) (struct message *); -}; - -struct message { - /* Link message in send queues via this link. */ - TAILQ_ENTRY(message) link; - - /* Message flags described below. */ - u_int flags; - - /* - * This is the transport the message either arrived on or will be sent - * to. - */ - struct transport *transport; - - /* - * This is the ISAKMP SA protecting this message. - * XXX Needs to be redone to some keystate pointer or something. - */ - struct sa *isakmp_sa; - - /* This is the exchange where this message appears. */ - struct exchange *exchange; - - /* - * A segmented buffer structure holding the messages raw contents. On - * input only segment 0 will be filled, holding all of the message. - * On output, as long as the message body is unencrypted each segment - * will be one payload, after encryption segment 0 will be the - * unencrypted header, and segment 1 will be the encrypted payloads, - * all of them. - */ - struct iovec *iov; - - /* The segment count. */ - u_int iovlen; - - /* Pointer to the last "next payload" field. */ - u_int8_t *nextp; - - /* "Smart" pointers to each payload, sorted by type. */ - TAILQ_HEAD(payload_head, payload) *payload; - - /* Number of times this message has been sent. */ - int xmits; - - /* The timeout event causing retransmission of this message. */ - struct event *retrans; - - /* The (possibly encrypted) message text, used for duplicate testing. */ - u_int8_t *orig; - size_t orig_sz; - - /* - * Extra baggage needed to travel with the message. Used transiently - * in context sensitive ways. - */ - void *extra; - - /* - * Hooks for stuff needed to be done after the message has gone out to - * the wire. - */ - TAILQ_HEAD(post_send_head, post_send) post_send; -}; - -/* Message flags. */ - -/* - * This is the last message of an exchange, meaning it should not be - * retransmitted other than if we see duplicates from our peer's last - * message. - */ -#define MSG_LAST 0x01 - -/* The message has already been encrypted. */ -#define MSG_ENCRYPTED 0x02 - -/* The message is on the send queue. */ -#define MSG_IN_TRANSIT 0x04 - -/* This message should be kept on the prioritized sendq. */ -#define MSG_PRIORITIZED 0x08 - -/* This message has successfully been authenticated. */ -#define MSG_AUTHENTICATED 0x10 - -TAILQ_HEAD(msg_head, message); - -/* The number of different ISAKMP payloads supported. */ -extern u_int8_t payload_index_max; - -extern int message_add_payload(struct message *, u_int8_t, u_int8_t *, - size_t, int); -extern int message_add_sa_payload(struct message *); -extern struct message *message_alloc(struct transport *, u_int8_t *, size_t); -extern struct message *message_alloc_reply(struct message *); -extern u_int8_t *message_copy(struct message *, size_t, size_t *); -extern void message_drop(struct message *, int, struct proto *, int, int); -extern void message_dump_raw(char *, struct message *, int); -extern void message_free(struct message *); -extern void message_init(void); -extern int message_negotiate_sa(struct message *, - int (*)(struct exchange *, struct sa *, struct sa *)); -extern int message_recv(struct message *); -extern int message_register_post_send(struct message *, - void (*) (struct message *)); -extern void message_post_send(struct message *); -extern void message_send(struct message *); -extern void message_send_expire(struct message *); -extern void message_send_delete(struct sa *); -extern int message_send_info(struct message *); -extern void message_send_notification(struct message *, struct sa *, - u_int16_t, struct proto *, int); -extern void message_setup_header(struct message *, u_int8_t, u_int8_t, - u_int8_t *); -struct payload *payload_first(struct message *, u_int8_t); -struct payload *payload_last(struct message *, u_int8_t); - -#if defined (USE_DPD) -extern void message_send_dpd_notify(struct sa*, u_int16_t, u_int32_t); -#endif - -#endif /* _MESSAGE_H_ */ diff --git a/keyexchange/isakmpd-20041012/monitor.c b/keyexchange/isakmpd-20041012/monitor.c deleted file mode 100644 index bd14005..0000000 --- a/keyexchange/isakmpd-20041012/monitor.c +++ /dev/null @@ -1,1174 +0,0 @@ -/* $OpenBSD: monitor.c,v 1.29 2004/08/12 11:21:07 hshoexer Exp $ */ - -/* - * Copyright (c) 2003 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include <sys/param.h> -#include <sys/types.h> -#include <sys/socket.h> -#include <sys/ioctl.h> -#include <sys/stat.h> -#include <sys/wait.h> -#include <netinet/in.h> -#include <errno.h> -#include <fcntl.h> -#include <pwd.h> -#include <signal.h> -#include <stdlib.h> -#include <string.h> -#include <unistd.h> - -#if defined (USE_POLICY) -#include <regex.h> -#include <keynote.h> -#endif - -#include "sysdep.h" - -#include "conf.h" -#include "log.h" -#include "monitor.h" -#include "policy.h" -#include "ui.h" -#include "util.h" -#include "pf_key_v2.h" - -struct monitor_state { - pid_t pid; - int s; - char root[MAXPATHLEN]; -} m_state; - -volatile sig_atomic_t sigchlded = 0; -extern volatile sig_atomic_t sigtermed; -static volatile sig_atomic_t cur_state = STATE_INIT; - -/* Private functions. */ -int m_write_int32(int, int32_t); -int m_write_raw(int, char *, size_t); -int m_read_int32(int, int32_t *); -int m_read_raw(int, char *, size_t); -void m_flush(int); - -static void m_priv_getfd(int); -static void m_priv_getsocket(int); -static void m_priv_setsockopt(int); -static void m_priv_bind(int); -static int m_priv_local_sanitize_path(char *, size_t, int); -static int m_priv_check_sockopt(int, int); -static int m_priv_check_bind(const struct sockaddr *, socklen_t); -static void m_priv_increase_state(int); -static void m_priv_test_state(int); - -static void m_priv_ui_init(int); -static void m_priv_pfkey_open(int); - -/* - * Public functions, unprivileged. - */ - -/* Setup monitor context, fork, drop child privs. */ -pid_t -monitor_init(int debug) -{ - struct passwd *pw; - int p[2]; - - memset(&m_state, 0, sizeof m_state); - - if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, p) != 0) - log_fatal("monitor_init: socketpair() failed"); - - pw = getpwnam(ISAKMPD_PRIVSEP_USER); - if (pw == NULL) - log_fatal("monitor_init: getpwnam(\"%s\") failed", - ISAKMPD_PRIVSEP_USER); - - m_state.pid = fork(); - m_state.s = p[m_state.pid ? 1 : 0]; - strlcpy(m_state.root, pw->pw_dir, sizeof m_state.root); - - LOG_DBG((LOG_SYSDEP, 30, "monitor_init: pid %d my fd %d", m_state.pid, - m_state.s)); - - /* The child process should drop privileges now. */ - if (!m_state.pid) { - if (chroot(pw->pw_dir) != 0 || chdir("/") != 0) - log_fatal("monitor_init: chroot failed"); - - if (setgid(pw->pw_gid) != 0) - log_fatal("monitor_init: setgid(%d) failed", - pw->pw_gid); - - if (setuid(pw->pw_uid) != 0) - log_fatal("monitor_init: setuid(%d) failed", - pw->pw_uid); - - LOG_DBG((LOG_MISC, 10, - "monitor_init: privileges dropped for child process")); - } else { - setproctitle("monitor [priv]"); - } - - - /* With "-dd", stop and wait here. For gdb "attach" etc. */ - if (debug > 1) { - log_print("monitor_init: stopped %s PID %d fd %d%s", - m_state.pid ? "priv" : "child", getpid(), m_state.s, - m_state.pid ? ", waiting for SIGCONT" : ""); - kill(getpid(), SIGSTOP); /* Wait here for SIGCONT. */ - if (m_state.pid) - kill(m_state.pid, SIGCONT); /* Continue child. */ - } - - return m_state.pid; -} - -void -monitor_exit(int code) -{ - if (m_state.pid != 0) - kill(m_state.pid, SIGKILL); - - exit(code); -} - -void -monitor_ui_init(void) -{ - int32_t err; - - if (m_write_int32(m_state.s, MONITOR_UI_INIT)) - goto errout; - - if (m_read_int32(m_state.s, &err)) - goto errout; - - if (err != 0) { - log_fatal("monitor_ui_init: parent could not create FIFO " - "\"%s\"", ui_fifo); - exit(1); - } - - ui_socket = mm_receive_fd(m_state.s); - if (ui_socket < 0) - log_fatal("monitor_ui_init: parent could not create FIFO " - "\"%s\"", ui_fifo); - - return; - -errout: - log_error("monitor_ui_init: problem talking to privileged process"); - return; -} - -int -monitor_pf_key_v2_open(void) -{ - int32_t err; - - if (m_write_int32(m_state.s, MONITOR_PFKEY_OPEN)) - goto errout; - - if (m_read_int32(m_state.s, &err)) - goto errout; - - if (err < 0) { - log_error("monitor_pf_key_v2_open: parent could not create " - "PF_KEY socket"); - return -1; - } - - pf_key_v2_socket = mm_receive_fd(m_state.s); - if (pf_key_v2_socket < 0) { - log_error("monitor_pf_key_v2_open: mm_receive_fd() failed: %s", - strerror(errno)); - return -1; - } - return pf_key_v2_socket; - -errout: - log_error("monitor_pf_key_v2_open: problem talking to privileged " - "process"); - return -1; -} - -int -monitor_open(const char *path, int flags, mode_t mode) -{ - int fd, mode32 = (int32_t) mode; - int32_t err; - char realpath[MAXPATHLEN]; - - if (path[0] == '/') - strlcpy(realpath, path, sizeof realpath); - else - snprintf(realpath, sizeof realpath, "%s/%s", m_state.root, - path); - - /* Write data to priv process. */ - if (m_write_int32(m_state.s, MONITOR_GET_FD)) - goto errout; - - if (m_write_raw(m_state.s, realpath, strlen(realpath) + 1)) - goto errout; - - if (m_write_int32(m_state.s, flags)) - goto errout; - - if (m_write_int32(m_state.s, mode32)) - goto errout; - - if (m_read_int32(m_state.s, &err)) - goto errout; - - if (err != 0) { - errno = (int) err; - return -1; - } - /* Wait for response. */ - fd = mm_receive_fd(m_state.s); - if (fd < 0) { - log_error("monitor_open: mm_receive_fd () failed: %s", - strerror(errno)); - return -1; - } - return fd; - -errout: - log_error("monitor_open: problem talking to privileged process"); - return -1; -} - -FILE * -monitor_fopen(const char *path, const char *mode) -{ - FILE *fp; - int fd, flags = 0, saved_errno; - mode_t mask, cur_umask; - - /* Only the child process is supposed to run this. */ - if (m_state.pid) - log_fatal("[priv] bad call to monitor_fopen"); - - switch (mode[0]) { - case 'r': - flags = (mode[1] == '+' ? O_RDWR : O_RDONLY); - break; - case 'w': - flags = (mode[1] == '+' ? O_RDWR : O_WRONLY) | O_CREAT | - O_TRUNC; - break; - case 'a': - flags = (mode[1] == '+' ? O_RDWR : O_WRONLY) | O_CREAT | - O_APPEND; - break; - default: - log_fatal("monitor_fopen: bad call"); - } - - cur_umask = umask(0); - (void)umask(cur_umask); - mask = S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH; - mask &= ~cur_umask; - - fd = monitor_open(path, flags, mask); - if (fd < 0) - return NULL; - - /* Got the fd, attach a FILE * to it. */ - fp = fdopen(fd, mode); - if (!fp) { - log_error("monitor_fopen: fdopen() failed"); - saved_errno = errno; - close(fd); - errno = saved_errno; - return NULL; - } - return fp; -} - -int -monitor_stat(const char *path, struct stat *sb) -{ - int fd, r, saved_errno; - - /* O_NONBLOCK is needed for stat'ing fifos. */ - fd = monitor_open(path, O_RDONLY | O_NONBLOCK, 0); - if (fd < 0) - return -1; - - r = fstat(fd, sb); - saved_errno = errno; - close(fd); - errno = saved_errno; - return r; -} - -int -monitor_socket(int domain, int type, int protocol) -{ - int s; - int32_t err; - - if (m_write_int32(m_state.s, MONITOR_GET_SOCKET)) - goto errout; - - if (m_write_int32(m_state.s, (int32_t)domain)) - goto errout; - - if (m_write_int32(m_state.s, (int32_t)type)) - goto errout; - - if (m_write_int32(m_state.s, (int32_t)protocol)) - goto errout; - - if (m_read_int32(m_state.s, &err)) - goto errout; - - if (err != 0) { - errno = (int)err; - return -1; - } - /* Read result. */ - s = mm_receive_fd(m_state.s); - if (s < 0) { - log_error("monitor_socket: mm_receive_fd () failed: %s", - strerror(errno)); - return -1; - } - return s; - -errout: - log_error("monitor_socket: problem talking to privileged process"); - return -1; -} - -int -monitor_setsockopt(int s, int level, int optname, const void *optval, - socklen_t optlen) -{ - int32_t ret, err; - - if (m_write_int32(m_state.s, MONITOR_SETSOCKOPT)) - goto errout; - if (mm_send_fd(m_state.s, s)) - goto errout; - - if (m_write_int32(m_state.s, (int32_t)level)) - goto errout; - if (m_write_int32(m_state.s, (int32_t)optname)) - goto errout; - if (m_write_int32(m_state.s, (int32_t)optlen)) - goto errout; - if (m_write_raw(m_state.s, (char *)optval, (size_t)optlen)) - goto errout; - - if (m_read_int32(m_state.s, &err)) - goto errout; - - if (err != 0) - errno = (int)err; - - if (m_read_int32(m_state.s, &ret)) - goto errout; - - return (int)ret; - -errout: - log_print("monitor_setsockopt: read/write error"); - return -1; -} - -int -monitor_bind(int s, const struct sockaddr *name, socklen_t namelen) -{ - int32_t ret, err; - - if (m_write_int32(m_state.s, MONITOR_BIND)) - goto errout; - if (mm_send_fd(m_state.s, s)) - goto errout; - - if (m_write_int32(m_state.s, (int32_t)namelen)) - goto errout; - if (m_write_raw(m_state.s, (char *)name, (size_t)namelen)) - goto errout; - - if (m_read_int32(m_state.s, &err)) - goto errout; - - if (err != 0) - errno = (int)err; - - if (m_read_int32(m_state.s, &ret)) - goto errout; - - return (int)ret; - -errout: - log_print("monitor_bind: read/write error"); - return -1; -} - -struct monitor_dirents * -monitor_opendir(const char *path) -{ - char *buf, *cp; - size_t bufsize; - int fd, nbytes, entries; - long base; - struct stat sb; - struct dirent *dp; - struct monitor_dirents *direntries; - - fd = monitor_open(path, 0, O_RDONLY); - if (fd < 0) { - log_error("monitor_opendir: opendir(\"%s\") failed", path); - return NULL; - } - /* Now build a list with all dirents from fd. */ - if (fstat(fd, &sb) < 0) { - (void)close(fd); - return NULL; - } - if (!S_ISDIR(sb.st_mode)) { - (void)close(fd); - errno = EACCES; - return NULL; - } - bufsize = sb.st_size; - if (bufsize < sb.st_blksize) - bufsize = sb.st_blksize; - - buf = calloc(bufsize, sizeof(char)); - if (buf == NULL) { - (void)close(fd); - errno = EACCES; - return NULL; - } - nbytes = getdirentries(fd, buf, bufsize, &base); - if (nbytes <= 0) { - (void)close(fd); - free(buf); - errno = EACCES; - return NULL; - } - (void)close(fd); - - for (entries = 0, cp = buf; cp < buf + nbytes;) { - dp = (struct dirent *)cp; - cp += dp->d_reclen; - entries++; - } - - direntries = calloc(1, sizeof(struct monitor_dirents)); - if (direntries == NULL) { - free(buf); - errno = EACCES; - return NULL; - } - direntries->dirents = calloc(entries + 1, sizeof(struct dirent *)); - if (direntries->dirents == NULL) { - free(buf); - free(direntries); - errno = EACCES; - return NULL; - } - direntries->current = 0; - - for (entries = 0, cp = buf; cp < buf + nbytes;) { - dp = (struct dirent *)cp; - direntries->dirents[entries++] = dp; - cp += dp->d_reclen; - } - direntries->dirents[entries] = NULL; - - return direntries; -} - -struct dirent * -monitor_readdir(struct monitor_dirents *direntries) -{ - if (direntries->dirents[direntries->current] != NULL) - return direntries->dirents[direntries->current++]; - - return NULL; -} - -int -monitor_closedir(struct monitor_dirents *direntries) -{ - free(direntries->dirents); - free(direntries); - - return 0; -} - -void -monitor_init_done(void) -{ - if (m_write_int32(m_state.s, MONITOR_INIT_DONE)) - log_print("monitor_init_done: read/write error"); - - return; -} - -/* - * Start of code running with privileges (the monitor process). - */ - -/* Help functions for monitor_loop(). */ -static void -monitor_got_sigchld(int sig) -{ - sigchlded = 1; -} - -static void -sig_pass_to_chld(int sig) -{ - int oerrno = errno; - - if (m_state.pid != -1) - kill(m_state.pid, sig); - errno = oerrno; -} - -/* This function is where the privileged process waits(loops) indefinitely. */ -void -monitor_loop(int debug) -{ - pid_t pid; - fd_set *fds; - size_t fdsn; - int status, n, maxfd; - - if (!debug) - log_to(0); - - maxfd = m_state.s + 1; - - fdsn = howmany(maxfd, NFDBITS) * sizeof(fd_mask); - fds = (fd_set *)malloc(fdsn); - if (!fds) { - kill(m_state.pid, SIGTERM); - log_fatal("monitor_loop: malloc (%lu) failed", - (unsigned long)fdsn); - return; - } - /* If the child dies, we should shutdown also. */ - signal(SIGCHLD, monitor_got_sigchld); - - /* SIGHUP, SIGUSR1 and SIGUSR2 will be forwarded to child. */ - signal(SIGHUP, sig_pass_to_chld); - signal(SIGUSR1, sig_pass_to_chld); - signal(SIGUSR2, sig_pass_to_chld); - - while (cur_state < STATE_QUIT) { - /* - * Currently, there is no need for us to hang around if the - * child is in the process of shutting down. - */ - if (sigtermed) { - m_priv_increase_state(STATE_QUIT); - kill(m_state.pid, SIGTERM); - break; - } - - if (sigchlded) { - do { - pid = waitpid(m_state.pid, &status, WNOHANG); - } while (pid == -1 && errno == EINTR); - - if (pid == m_state.pid && (WIFEXITED(status) || - WIFSIGNALED(status))) { - m_priv_increase_state(STATE_QUIT); - break; - } - } - - memset(fds, 0, fdsn); - FD_SET(m_state.s, fds); - - n = select(maxfd, fds, NULL, NULL, NULL); - if (n == -1) { - if (errno != EINTR) { - log_error("select"); - sleep(1); - } - } else if (n) - if (FD_ISSET(m_state.s, fds)) { - int32_t msgcode; - if (m_read_int32(m_state.s, &msgcode)) - m_flush(m_state.s); - else - switch (msgcode) { - case MONITOR_GET_FD: - m_priv_getfd(m_state.s); - break; - - case MONITOR_UI_INIT: - LOG_DBG((LOG_MISC, 80, - "%s: MONITOR_UI_INIT", - __func__)); - m_priv_test_state(STATE_INIT); - m_priv_ui_init(m_state.s); - break; - - case MONITOR_PFKEY_OPEN: - LOG_DBG((LOG_MISC, 80, - "%s: MONITOR_PFKEY_OPEN", - __func__)); - m_priv_test_state(STATE_INIT); - m_priv_pfkey_open(m_state.s); - break; - - case MONITOR_GET_SOCKET: - LOG_DBG((LOG_MISC, 80, - "%s: MONITOR_GET_SOCKET", - __func__)); - m_priv_test_state(STATE_INIT); - m_priv_getsocket(m_state.s); - break; - - case MONITOR_SETSOCKOPT: - LOG_DBG((LOG_MISC, 80, - "%s: MONITOR_SETSOCKOPT", - __func__)); - m_priv_test_state(STATE_INIT); - m_priv_setsockopt(m_state.s); - break; - - case MONITOR_BIND: - LOG_DBG((LOG_MISC, 80, - "%s: MONITOR_BIND", - __func__)); - m_priv_test_state(STATE_INIT); - m_priv_bind(m_state.s); - break; - - case MONITOR_INIT_DONE: - LOG_DBG((LOG_MISC, 80, - "%s: MONITOR_INIT_DONE", - __func__)); - m_priv_test_state(STATE_INIT); - m_priv_increase_state( - STATE_RUNNING); - break; - - case MONITOR_SHUTDOWN: - LOG_DBG((LOG_MISC, 80, - "%s: MONITOR_SHUTDOWN", - __func__)); - m_priv_increase_state( - STATE_QUIT); - break; - - default: - log_print("monitor_loop: " - "got unknown code %d", - msgcode); - } - } - } - - free(fds); - exit(0); -} - - -/* Privileged: called by monitor_loop. */ -static void -m_priv_ui_init(int s) -{ - int32_t err; - - ui_init(); - - if (ui_socket >= 0) - err = 0; - else - err = -1; - - if (m_write_int32(s, err)) - goto errout; - - if (ui_socket >= 0 && mm_send_fd(s, ui_socket)) { - close(ui_socket); - goto errout; - } - - /* In case of stdin, we do not close the socket. */ - if (ui_socket > 0) - close(ui_socket); - return; - -errout: - log_error("m_priv_ui_init: read/write operation failed"); - return; -} - -/* Privileged: called by monitor_loop. */ -static void -m_priv_pfkey_open(int s) -{ - int fd; - int32_t err; - - fd = pf_key_v2_open(); - - if (fd < 0) - err = -1; - else - err = 0; - - if (m_write_int32(s, err)) - goto errout; - - if (fd > 0 && mm_send_fd(s, fd)) { - close(fd); - goto errout; - } - close(fd); - - return; - -errout: - log_error("m_priv_pfkey_open: read/write operation failed"); - return; -} - -/* Privileged: called by monitor_loop. */ -static void -m_priv_getfd(int s) -{ - char path[MAXPATHLEN]; - int32_t v, err; - int flags; - mode_t mode; - - /* - * We expect the following data on the socket: - * u_int32_t pathlen - * <variable> path - * u_int32_t flags - * u_int32_t mode - */ - - if (m_read_raw(s, path, MAXPATHLEN)) - goto errout; - - if (m_read_int32(s, &v)) - goto errout; - flags = (int)v; - - if (m_read_int32(s, &v)) - goto errout; - mode = (mode_t) v; - - if (m_priv_local_sanitize_path(path, sizeof path, flags) != 0) { - err = EACCES; - v = -1; - } else { - err = 0; - v = (int32_t)open(path, flags, mode); - if (v < 0) - err = (int32_t)errno; - } - - if (m_write_int32(s, err)) - goto errout; - - if (v > 0 && mm_send_fd(s, v)) { - close(v); - goto errout; - } - close(v); - return; - -errout: - log_error("m_priv_getfd: read/write operation failed"); - return; -} - -/* Privileged: called by monitor_loop. */ -static void -m_priv_getsocket(int s) -{ - int domain, type, protocol; - int32_t v, err; - - if (m_read_int32(s, &v)) - goto errout; - domain = (int)v; - - if (m_read_int32(s, &v)) - goto errout; - type = (int)v; - - if (m_read_int32(s, &v)) - goto errout; - protocol = (int)v; - - err = 0; - v = (int32_t)socket(domain, type, protocol); - if (v < 0) - err = (int32_t)errno; - - if (m_write_int32(s, err)) - goto errout; - - if (v > 0 && mm_send_fd(s, v)) { - close(v); - goto errout; - } - close(v); - return; - -errout: - log_error("m_priv_getsocket: read/write operation failed"); - return; -} - -/* Privileged: called by monitor_loop. */ -static void -m_priv_setsockopt(int s) -{ - int sock, level, optname; - char *optval = 0; - socklen_t optlen; - int32_t v, err; - - sock = mm_receive_fd(s); - if (sock < 0) - goto errout; - - if (m_read_int32(s, &level)) - goto errout; - - if (m_read_int32(s, &optname)) - goto errout; - - if (m_read_int32(s, &optlen)) - goto errout; - - optval = (char *)malloc(optlen); - if (!optval) - goto errout; - - if (m_read_raw(s, optval, optlen)) - goto errout; - - if (m_priv_check_sockopt(level, optname) != 0) { - err = EACCES; - v = -1; - } else { - err = 0; - v = (int32_t)setsockopt(sock, level, optname, optval, optlen); - if (v < 0) - err = (int32_t)errno; - } - - close(sock); - sock = -1; - - if (m_write_int32(s, err)) - goto errout; - - if (m_write_int32(s, v)) - goto errout; - - free(optval); - return; - -errout: - log_print("m_priv_setsockopt: read/write error"); - if (optval) - free(optval); - if (sock >= 0) - close(sock); - return; -} - -/* Privileged: called by monitor_loop. */ -static void -m_priv_bind(int s) -{ - int sock; - struct sockaddr *name = 0; - socklen_t namelen; - int32_t v, err; - - sock = mm_receive_fd(s); - if (sock < 0) - goto errout; - - if (m_read_int32(s, &v)) - goto errout; - namelen = (socklen_t) v; - - name = (struct sockaddr *)malloc(namelen); - if (!name) - goto errout; - - if (m_read_raw(s, (char *)name, (size_t)namelen)) - goto errout; - - if (m_priv_check_bind(name, namelen) != 0) { - err = EACCES; - v = -1; - } else { - err = 0; - v = (int32_t)bind(sock, name, namelen); - if (v < 0) { - log_error("m_priv_bind: bind(%d,%p,%d) returned %d", - sock, name, namelen, v); - err = (int32_t)errno; - } - } - - close(sock); - sock = -1; - - if (m_write_int32(s, err)) - goto errout; - - if (m_write_int32(s, v)) - goto errout; - - free(name); - return; - -errout: - log_print("m_priv_bind: read/write error"); - if (name) - free(name); - if (sock >= 0) - close(sock); - return; -} - -/* - * Help functions, used by both privileged and unprivileged code - */ - -/* Write a 32-bit value to a socket. */ -int -m_write_int32(int s, int32_t value) -{ - u_int32_t v; - - memcpy(&v, &value, sizeof v); - return (write(s, &v, sizeof v) == -1); -} - -/* Write a number of bytes of data to a socket. */ -int -m_write_raw(int s, char *data, size_t dlen) -{ - if (m_write_int32(s, (int32_t) dlen)) - return 1; - return (write(s, data, dlen) == -1); -} - -int -m_read_int32(int s, int32_t *value) -{ - u_int32_t v; - - if (read(s, &v, sizeof v) != sizeof v) - return 1; - memcpy(value, &v, sizeof v); - return 0; -} - -int -m_read_raw(int s, char *data, size_t maxlen) -{ - u_int32_t v; - int r; - - if (m_read_int32(s, &v)) - return 1; - if (v > maxlen) - return 1; - r = read(s, data, v); - return (r == -1); -} - -/* Drain all available input on a socket. */ -void -m_flush(int s) -{ - u_int8_t tmp; - int one = 1; - - ioctl(s, FIONBIO, &one);/* Non-blocking */ - while (read(s, &tmp, 1) > 0); - ioctl(s, FIONBIO, 0); /* Blocking */ -} - -/* Check that path/mode is permitted. */ -static int -m_priv_local_sanitize_path(char *path, size_t pmax, int flags) -{ - char *p; - - /* - * We only permit paths starting with - * /etc/isakmpd/ (read only) - * /var/run/ (rw) - */ - - if (strlen(path) < strlen("/var/run/")) - goto bad_path; - - /* Any path containing '..' is invalid. */ - for (p = path; *p && (p - path) < (int)pmax; p++) - if (*p == '.' && *(p + 1) == '.') - goto bad_path; - - /* For any write-mode, only a few paths are permitted. */ - if ((flags & O_ACCMODE) != O_RDONLY) { - if (strncmp("/var/run/", path, strlen("/var/run/")) == 0) - return 0; - goto bad_path; - } - /* Any other path is read-only. */ - if (strncmp(ISAKMPD_ROOT, path, strlen(ISAKMPD_ROOT)) == 0 || - strncmp("/var/run/", path, strlen("/var/run/")) == 0) - return 0; - -bad_path: - log_print("m_priv_local_sanitize_path: illegal path \"%.1023s\", " - "replaced with \"/dev/null\"", path); - strlcpy(path, "/dev/null", pmax); - return 1; -} - -/* Check setsockopt */ -static int -m_priv_check_sockopt(int level, int name) -{ - switch (level) { - /* These are allowed */ - case SOL_SOCKET: - case IPPROTO_IP: - case IPPROTO_IPV6: - break; - - default: - log_print("m_priv_check_sockopt: Illegal level %d", level); - return 1; - } - - switch (name) { - /* These are allowed */ - case SO_REUSEPORT: - case SO_REUSEADDR: - case IP_AUTH_LEVEL: - case IP_ESP_TRANS_LEVEL: - case IP_ESP_NETWORK_LEVEL: - case IP_IPCOMP_LEVEL: - case IPV6_AUTH_LEVEL: - case IPV6_ESP_TRANS_LEVEL: - case IPV6_ESP_NETWORK_LEVEL: - case IPV6_IPCOMP_LEVEL: - break; - - default: - log_print("m_priv_check_sockopt: Illegal option name %d", - name); - return 1; - } - - return 0; -} - -/* Check bind */ -static int -m_priv_check_bind(const struct sockaddr *sa, socklen_t salen) -{ - in_port_t port; - - if (sa == NULL) { - log_print("NULL address"); - return 1; - } - if (sysdep_sa_len((struct sockaddr *)sa) != salen) { - log_print("Length mismatch: %d %d", - (int)sysdep_sa_len((struct sockaddr *)sa), (int)salen); - return 1; - } - switch (sa->sa_family) { - case AF_INET: - if (salen != sizeof(struct sockaddr_in)) { - log_print("Invalid inet address length"); - return 1; - } - port = ((const struct sockaddr_in *)sa)->sin_port; - break; - case AF_INET6: - if (salen != sizeof(struct sockaddr_in6)) { - log_print("Invalid inet6 address length"); - return 1; - } - port = ((const struct sockaddr_in6 *)sa)->sin6_port; - break; - default: - log_print("Unknown address family"); - return 1; - } - - port = ntohs(port); - - if (port != ISAKMP_PORT_DEFAULT && port < 1024) { - log_print("Disallowed port %u", port); - return 1; - } - return 0; -} - -/* Increase state into less permissive mode */ -static void -m_priv_increase_state(int state) -{ - if (state <= cur_state) - log_print("m_priv_increase_state: attempt to decrase state " - "or match current state"); - if (state < STATE_INIT || state > STATE_QUIT) - log_print("m_priv_increase_state: attempt to switch to " - "invalid state"); - cur_state = state; -} - -static void -m_priv_test_state(int state) -{ - if (cur_state != state) - log_print("m_priv_test_state: Illegal state: %d != %d", - (int)cur_state, state); - return; -} diff --git a/keyexchange/isakmpd-20041012/monitor.h b/keyexchange/isakmpd-20041012/monitor.h deleted file mode 100644 index caea4ff..0000000 --- a/keyexchange/isakmpd-20041012/monitor.h +++ /dev/null @@ -1,104 +0,0 @@ -/* $OpenBSD: monitor.h,v 1.11 2004/06/26 06:07:03 hshoexer Exp $ */ - -/* - * Copyright (c) 2003 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#ifndef _MONITOR_H_ -#define _MONITOR_H_ - -#if defined (USE_PRIVSEP) -#include <sys/types.h> -#include <sys/stat.h> - -#include <dirent.h> -#include <stdio.h> - -#define ISAKMPD_PRIVSEP_USER "_isakmpd" - -#define ISAKMP_PORT_DEFAULT 500 - -enum monitor_reqtypes { - MONITOR_UI_INIT, - MONITOR_PFKEY_OPEN, - MONITOR_GET_FD, - MONITOR_GET_SOCKET, - MONITOR_SETSOCKOPT, - MONITOR_BIND, - MONITOR_MKFIFO, - MONITOR_INIT_DONE, - MONITOR_SHUTDOWN -}; - -enum priv_state { - STATE_INIT, /* just started */ - STATE_RUNNING, /* running */ - STATE_QUIT /* shutting down */ -}; - -struct monitor_dirents { - int current; - struct dirent **dirents; -}; - -pid_t monitor_init(int); -void monitor_loop(int); - -int mm_send_fd(int, int); -int mm_receive_fd(int); - -FILE *monitor_fopen(const char *, const char *); -int monitor_open(const char *, int, mode_t); -int monitor_stat(const char *, struct stat *); -int monitor_socket(int, int, int); -int monitor_setsockopt(int, int, int, const void *, socklen_t); -int monitor_bind(int, const struct sockaddr *, socklen_t); -int monitor_mkfifo(const char *, mode_t); -struct monitor_dirents *monitor_opendir(const char *); -struct dirent *monitor_readdir(struct monitor_dirents *); -int monitor_closedir(struct monitor_dirents *); -void monitor_init_done(void); - -void monitor_ui_init(void); -int monitor_pf_key_v2_open(void); -void monitor_exit(int); - -#else /* !USE_PRIVSEP */ - -#define monitor_fopen fopen -#define monitor_open open -#define monitor_stat stat -#define monitor_socket socket -#define monitor_setsockopt setsockopt -#define monitor_bind bind -#define monitor_mkfifo mkfifo -#define monitor_opendir opendir -#define monitor_readdir readdir -#define monitor_closedir closedir - -#define monitor_ui_init ui_init -#define monitor_exit exit -#define monitor_pf_key_v2_open pf_key_v2_open - -#endif /* USE_PRIVSEP */ -#endif /* _MONITOR_H_ */ diff --git a/keyexchange/isakmpd-20041012/monitor_fdpass.c b/keyexchange/isakmpd-20041012/monitor_fdpass.c deleted file mode 100644 index 0159653..0000000 --- a/keyexchange/isakmpd-20041012/monitor_fdpass.c +++ /dev/null @@ -1,112 +0,0 @@ -/* $OpenBSD: monitor_fdpass.c,v 1.11 2004/10/01 04:08:45 jsg Exp $ */ - -/* - * Copyright 2001 Niels Provos <provos@citi.umich.edu> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include <sys/types.h> -#include <sys/socket.h> -#include <sys/uio.h> - -#include <errno.h> -#include <string.h> - -#include "log.h" -#include "monitor.h" - -int -mm_send_fd(int socket, int fd) -{ - struct msghdr msg; - char tmp[CMSG_SPACE(sizeof(int))], ch = '\0'; - struct cmsghdr *cmsg; - struct iovec vec; - ssize_t n; - - memset(&msg, 0, sizeof msg); - msg.msg_control = (caddr_t) tmp; - msg.msg_controllen = CMSG_LEN(sizeof(int)); - cmsg = CMSG_FIRSTHDR(&msg); - cmsg->cmsg_len = CMSG_LEN(sizeof(int)); - cmsg->cmsg_level = SOL_SOCKET; - cmsg->cmsg_type = SCM_RIGHTS; - *(int *)CMSG_DATA(cmsg) = fd; - - vec.iov_base = &ch; - vec.iov_len = 1; - msg.msg_iov = &vec; - msg.msg_iovlen = 1; - - if ((n = sendmsg(socket, &msg, 0)) == -1) { - log_error("mm_send_fd: sendmsg(%d)", fd); - return -1; - } - if (n != 1) { - log_error("mm_send_fd: sendmsg: expected sent 1 got %ld", - (long)n); - return -1; - } - return 0; -} - -int -mm_receive_fd(int socket) -{ - struct msghdr msg; - char tmp[CMSG_SPACE(sizeof(int))], ch; - struct cmsghdr *cmsg; - struct iovec vec; - ssize_t n; - int fd; - - memset(&msg, 0, sizeof msg); - vec.iov_base = &ch; - vec.iov_len = 1; - msg.msg_iov = &vec; - msg.msg_iovlen = 1; - msg.msg_control = tmp; - msg.msg_controllen = sizeof tmp; - - if ((n = recvmsg(socket, &msg, 0)) == -1) { - log_error("mm_receive_fd: recvmsg"); - return -1; - } - if (n != 1) { - log_error("mm_receive_fd: recvmsg: expected received 1 got %ld", - (long)n); - return -1; - } - cmsg = CMSG_FIRSTHDR(&msg); - if (cmsg == NULL) { - log_error("mm_receive_fd: no message header"); - return -1; - } - if (cmsg->cmsg_type != SCM_RIGHTS) { - log_error("mm_receive_fd: expected type %d got %d", SCM_RIGHTS, - cmsg->cmsg_type); - return -1; - } - fd = (*(int *)CMSG_DATA(cmsg)); - return fd; -} diff --git a/keyexchange/isakmpd-20041012/nat_traversal.c b/keyexchange/isakmpd-20041012/nat_traversal.c deleted file mode 100644 index 86d2d57..0000000 --- a/keyexchange/isakmpd-20041012/nat_traversal.c +++ /dev/null @@ -1,439 +0,0 @@ -/* $OpenBSD: nat_traversal.c,v 1.17 2006/06/14 14:03:33 hshoexer Exp $ */ - -/* - * Copyright (c) 2004 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include <sys/types.h> -#include <stdlib.h> -#include <string.h> - -#include "sysdep.h" - -#include "conf.h" -#include "exchange.h" -#include "hash.h" -#include "ipsec.h" -#include "isakmp_fld.h" -#include "isakmp_num.h" -#include "ipsec_num.h" -#include "hash.h" -#include "log.h" -#include "message.h" -#include "nat_traversal.h" -#include "prf.h" -#include "sa.h" -#include "timer.h" -#include "transport.h" -#include "util.h" -#include "virtual.h" - -int disable_nat_t = 0; - -/* - * NAT-T capability of the other peer is determined by a particular vendor - * ID sent in the first message. This vendor ID string is supposed to be a - * MD5 hash of "RFC 3947". - * - * These seem to be the "well" known variants of this string in use by - * products today. - */ - -static struct nat_t_cap isakmp_nat_t_cap[] = { - { VID_DRAFT_V2_N, EXCHANGE_FLAG_NAT_T_DRAFT, - "draft-ietf-ipsec-nat-t-ike-02\n", NULL, 0 }, - { VID_DRAFT_V3, EXCHANGE_FLAG_NAT_T_DRAFT, - "draft-ietf-ipsec-nat-t-ike-03", NULL, 0 }, - { VID_RFC3947, EXCHANGE_FLAG_NAT_T_RFC, - "RFC 3947", NULL, 0 }, -}; - -#define NUMNATTCAP (sizeof isakmp_nat_t_cap / sizeof isakmp_nat_t_cap[0]) - -/* In seconds. Recommended in draft-ietf-ipsec-udp-encaps-09. */ -#define NAT_T_KEEPALIVE_INTERVAL 20 - -static int nat_t_setup_hashes(void); -static int nat_t_add_vendor_payload(struct message *, struct nat_t_cap *); -static int nat_t_add_nat_d(struct message *, struct sockaddr *); -static int nat_t_match_nat_d_payload(struct message *, struct sockaddr *); - -void -nat_t_init(void) -{ - nat_t_setup_hashes(); -} - -/* Generate the NAT-T capability marker hashes. Executed only once. */ -static int -nat_t_setup_hashes(void) -{ - struct hash *hash; - int n = NUMNATTCAP; - int i; - - /* The draft says to use MD5. */ - hash = hash_get(HASH_MD5); - if (!hash) { - /* Should never happen. */ - log_print("nat_t_setup_hashes: " - "could not find MD5 hash structure!"); - return -1; - } - - /* Populate isakmp_nat_t_cap with hashes. */ - for (i = 0; i < n; i++) { - isakmp_nat_t_cap[i].hashsize = hash->hashsize; - isakmp_nat_t_cap[i].hash = (char *)malloc(hash->hashsize); - if (!isakmp_nat_t_cap[i].hash) { - log_error("nat_t_setup_hashes: malloc (%lu) failed", - (unsigned long)hash->hashsize); - goto errout; - } - - hash->Init(hash->ctx); - hash->Update(hash->ctx, - (unsigned char *)isakmp_nat_t_cap[i].text, - strlen(isakmp_nat_t_cap[i].text)); - hash->Final(isakmp_nat_t_cap[i].hash, hash->ctx); - - LOG_DBG((LOG_EXCHANGE, 50, "nat_t_setup_hashes: " - "MD5(\"%s\") (%lu bytes)", isakmp_nat_t_cap[i].text, - (unsigned long)hash->hashsize)); - LOG_DBG_BUF((LOG_EXCHANGE, 50, "nat_t_setup_hashes", - isakmp_nat_t_cap[i].hash, hash->hashsize)); - } - - return 0; - -errout: - for (i = 0; i < n; i++) - if (isakmp_nat_t_cap[i].hash) - free(isakmp_nat_t_cap[i].hash); - return -1; -} - -/* Add one NAT-T VENDOR payload. */ -static int -nat_t_add_vendor_payload(struct message *msg, struct nat_t_cap *cap) -{ - size_t buflen = cap->hashsize + ISAKMP_GEN_SZ; - u_int8_t *buf; - - if (disable_nat_t) - return 0; - - buf = malloc(buflen); - if (!buf) { - log_error("nat_t_add_vendor_payload: malloc (%lu) failed", - (unsigned long)buflen); - return -1; - } - - SET_ISAKMP_GEN_LENGTH(buf, buflen); - memcpy(buf + ISAKMP_VENDOR_ID_OFF, cap->hash, cap->hashsize); - if (message_add_payload(msg, ISAKMP_PAYLOAD_VENDOR, buf, buflen, 1)) { - free(buf); - return -1; - } - return 0; -} - -/* Add the NAT-T capability markers (VENDOR payloads). */ -int -nat_t_add_vendor_payloads(struct message *msg) -{ - int i; - - if (disable_nat_t) - return 0; - - for (i = 0; i < NUMNATTCAP; i++) - if (nat_t_add_vendor_payload(msg, &isakmp_nat_t_cap[i])) - return -1; - return 0; -} - -/* - * Check an incoming message for NAT-T capability markers. - */ -void -nat_t_check_vendor_payload(struct message *msg, struct payload *p) -{ - u_int8_t *pbuf = p->p; - size_t vlen; - int i; - - if (disable_nat_t) - return; - - vlen = GET_ISAKMP_GEN_LENGTH(pbuf) - ISAKMP_GEN_SZ; - - for (i = 0; i < NUMNATTCAP; i++) { - if (vlen != isakmp_nat_t_cap[i].hashsize) { - LOG_DBG((LOG_EXCHANGE, 50, "nat_t_check_vendor_payload: " - "bad size %lu != %lu", (unsigned long)vlen, - (unsigned long)isakmp_nat_t_cap[i].hashsize)); - continue; - } - if (memcmp(isakmp_nat_t_cap[i].hash, pbuf + ISAKMP_GEN_SZ, - vlen) == 0) { - /* This peer is NAT-T capable. */ - msg->exchange->flags |= EXCHANGE_FLAG_NAT_T_CAP_PEER; - msg->exchange->flags |= isakmp_nat_t_cap[i].flags; - LOG_DBG((LOG_EXCHANGE, 10, - "nat_t_check_vendor_payload: " - "NAT-T capable peer detected")); - p->flags |= PL_MARK; - } - } - - return; -} - -/* Generate the NAT-D payload hash : HASH(CKY-I | CKY-R | IP | Port). */ -static u_int8_t * -nat_t_generate_nat_d_hash(struct message *msg, struct sockaddr *sa, - size_t *hashlen) -{ - struct ipsec_exch *ie = (struct ipsec_exch *)msg->exchange->data; - struct hash *hash; - u_int8_t *res; - in_port_t port; - - hash = hash_get(ie->hash->type); - if (hash == NULL) { - log_print ("nat_t_generate_nat_d_hash: no hash"); - return NULL; - } - - *hashlen = hash->hashsize; - - res = (u_int8_t *)malloc((unsigned long)*hashlen); - if (!res) { - log_print("nat_t_generate_nat_d_hash: malloc (%lu) failed", - (unsigned long)*hashlen); - *hashlen = 0; - return NULL; - } - - port = sockaddr_port(sa); - bzero(res, *hashlen); - - hash->Init(hash->ctx); - hash->Update(hash->ctx, msg->exchange->cookies, - sizeof msg->exchange->cookies); - hash->Update(hash->ctx, sockaddr_addrdata(sa), sockaddr_addrlen(sa)); - hash->Update(hash->ctx, (unsigned char *)&port, sizeof port); - hash->Final(res, hash->ctx); - return res; -} - -/* Add a NAT-D payload to our message. */ -static int -nat_t_add_nat_d(struct message *msg, struct sockaddr *sa) -{ - int ret; - u_int8_t *hbuf, *buf; - size_t hbuflen, buflen; - - hbuf = nat_t_generate_nat_d_hash(msg, sa, &hbuflen); - if (!hbuf) { - log_print("nat_t_add_nat_d: NAT-D hash gen failed"); - return -1; - } - - buflen = ISAKMP_NAT_D_DATA_OFF + hbuflen; - buf = malloc(buflen); - if (!buf) { - log_error("nat_t_add_nat_d: malloc (%lu) failed", - (unsigned long)buflen); - free(hbuf); - return -1; - } - - SET_ISAKMP_GEN_LENGTH(buf, buflen); - memcpy(buf + ISAKMP_NAT_D_DATA_OFF, hbuf, hbuflen); - free(hbuf); - - if (msg->exchange->flags & EXCHANGE_FLAG_NAT_T_RFC) - ret = message_add_payload(msg, ISAKMP_PAYLOAD_NAT_D, buf, - buflen, 1); - else if (msg->exchange->flags & EXCHANGE_FLAG_NAT_T_DRAFT) - ret = message_add_payload(msg, ISAKMP_PAYLOAD_NAT_D_DRAFT, - buf, buflen, 1); - else - ret = -1; - - if (ret) { - free(buf); - return -1; - } - return 0; -} - -/* We add two NAT-D payloads, one each for src and dst. */ -int -nat_t_exchange_add_nat_d(struct message *msg) -{ - struct sockaddr *sa; - - /* Remote address first. */ - msg->transport->vtbl->get_dst(msg->transport, &sa); - if (nat_t_add_nat_d(msg, sa)) - return -1; - - msg->transport->vtbl->get_src(msg->transport, &sa); - if (nat_t_add_nat_d(msg, sa)) - return -1; - return 0; -} - -/* Generate and match a NAT-D hash against the NAT-D payload (pl.) data. */ -static int -nat_t_match_nat_d_payload(struct message *msg, struct sockaddr *sa) -{ - struct payload *p; - u_int8_t *hbuf; - size_t hbuflen; - int found = 0; - - /* - * If there are no NAT-D payloads in the message, return "found" - * as this will avoid NAT-T (see nat_t_exchange_check_nat_d()). - */ - if ((p = payload_first(msg, ISAKMP_PAYLOAD_NAT_D_DRAFT)) == NULL && - (p = payload_first(msg, ISAKMP_PAYLOAD_NAT_D)) == NULL) - return 1; - - hbuf = nat_t_generate_nat_d_hash(msg, sa, &hbuflen); - if (!hbuf) - return 0; - - while (p) { - if (GET_ISAKMP_GEN_LENGTH (p->p) != - hbuflen + ISAKMP_NAT_D_DATA_OFF) - continue; - - if (memcmp(p->p + ISAKMP_NAT_D_DATA_OFF, hbuf, hbuflen) == 0) { - found++; - break; - } - p = TAILQ_NEXT(p, link); - } - free(hbuf); - return found; -} - -/* - * Check if we need to activate NAT-T, and if we need to send keepalive - * messages to the other side, i.e if we are a nat:ed peer. - */ -int -nat_t_exchange_check_nat_d(struct message *msg) -{ - struct sockaddr *sa; - int outgoing_path_is_clear, incoming_path_is_clear; - - /* Assume trouble, i.e NAT-boxes in our path. */ - outgoing_path_is_clear = incoming_path_is_clear = 0; - - msg->transport->vtbl->get_src(msg->transport, &sa); - if (nat_t_match_nat_d_payload(msg, sa)) - outgoing_path_is_clear = 1; - - msg->transport->vtbl->get_dst(msg->transport, &sa); - if (nat_t_match_nat_d_payload(msg, sa)) - incoming_path_is_clear = 1; - - if (outgoing_path_is_clear && incoming_path_is_clear) { - LOG_DBG((LOG_EXCHANGE, 40, "nat_t_exchange_check_nat_d: " - "no NAT")); - return 0; /* No NAT-T required. */ - } - - /* NAT-T handling required. */ - msg->exchange->flags |= EXCHANGE_FLAG_NAT_T_ENABLE; - - if (!outgoing_path_is_clear) { - msg->exchange->flags |= EXCHANGE_FLAG_NAT_T_KEEPALIVE; - LOG_DBG((LOG_EXCHANGE, 10, "nat_t_exchange_check_nat_d: " - "NAT detected, we're behind it")); - } else - LOG_DBG ((LOG_EXCHANGE, 10, - "nat_t_exchange_check_nat_d: NAT detected")); - return 1; -} - -static void -nat_t_send_keepalive(void *v_arg) -{ - struct sa *sa = (struct sa *)v_arg; - struct transport *t; - struct timeval now; - int interval; - - /* Send the keepalive message. */ - t = ((struct virtual_transport *)sa->transport)->encap; - t->vtbl->send_message(NULL, t); - - /* Set new timer. */ - interval = conf_get_num("General", "NAT-T-Keepalive", 0); - if (interval < 1) - interval = NAT_T_KEEPALIVE_INTERVAL; - gettimeofday(&now, 0); - now.tv_sec += interval; - - sa->nat_t_keepalive = timer_add_event("nat_t_send_keepalive", - nat_t_send_keepalive, v_arg, &now); - if (!sa->nat_t_keepalive) - log_print("nat_t_send_keepalive: " - "timer_add_event() failed, will send no more keepalives"); -} - -void -nat_t_setup_keepalive(struct sa *sa) -{ - struct sockaddr *src; - struct timeval now; - - if (sa->initiator) - sa->transport->vtbl->get_src(sa->transport, &src); - else - sa->transport->vtbl->get_dst(sa->transport, &src); - - if (!virtual_listen_lookup(src)) - return; - - gettimeofday(&now, 0); - now.tv_sec += NAT_T_KEEPALIVE_INTERVAL; - - sa->nat_t_keepalive = timer_add_event("nat_t_send_keepalive", - nat_t_send_keepalive, sa, &now); - if (!sa->nat_t_keepalive) - log_print("nat_t_setup_keepalive: " - "timer_add_event() failed, will not send keepalives"); - - LOG_DBG((LOG_TRANSPORT, 50, "nat_t_setup_keepalive: " - "added event for phase 1 SA %p", sa)); -} diff --git a/keyexchange/isakmpd-20041012/nat_traversal.h b/keyexchange/isakmpd-20041012/nat_traversal.h deleted file mode 100644 index 843d43b..0000000 --- a/keyexchange/isakmpd-20041012/nat_traversal.h +++ /dev/null @@ -1,55 +0,0 @@ -/* $OpenBSD: nat_traversal.h,v 1.4 2005/07/25 15:03:47 hshoexer Exp $ */ - -/* - * Copyright (c) 2004 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#ifndef _NAT_TRAVERSAL_H_ -#define _NAT_TRAVERSAL_H_ - -#define VID_DRAFT_V2 0 -#define VID_DRAFT_V2_N 1 -#define VID_DRAFT_V3 2 -#define VID_RFC3947 3 - -struct nat_t_cap { - int id; - u_int32_t flags; - const char *text; - char *hash; - size_t hashsize; -}; - -/* - * Set if -T is given on the command line to disable NAT-T support. - */ -extern int disable_nat_t; - -void nat_t_init(void); -int nat_t_add_vendor_payloads(struct message *); -void nat_t_check_vendor_payload(struct message *, struct payload *); -int nat_t_exchange_add_nat_d(struct message *); -int nat_t_exchange_check_nat_d(struct message *); -void nat_t_setup_keepalive(struct sa *); - -#endif /* _NAT_TRAVERSAL_H_ */ diff --git a/keyexchange/isakmpd-20041012/pf_key_v2.c b/keyexchange/isakmpd-20041012/pf_key_v2.c deleted file mode 100644 index 2614b7e..0000000 --- a/keyexchange/isakmpd-20041012/pf_key_v2.c +++ /dev/null @@ -1,4472 +0,0 @@ -/* $OpenBSD: pf_key_v2.c,v 1.150 2004/09/17 13:53:08 ho Exp $ */ -/* $EOM: pf_key_v2.c,v 1.79 2000/12/12 00:33:19 niklas Exp $ */ - -/* - * Copyright (c) 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. - * Copyright (c) 1999, 2000, 2001 Angelos D. Keromytis. All rights reserved. - * Copyright (c) 2001 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -// TODO Check this -#include <sys/socket.h> -#include <sys/un.h> -#include <stdlib.h> -#include <stdio.h> -//--- - -#include <sys/stat.h> -#include <fcntl.h> - -#include <sys/types.h> -#include <sys/ioctl.h> -#include <sys/queue.h> -#include <sys/socket.h> -#include <sys/time.h> -#include <sys/uio.h> - -#include "sysdep.h" - -#if !defined (LINUX_IPSEC) -#include <net/pfkeyv2.h> -#endif -#include <netinet/in.h> -#ifdef SADB_X_EXT_FLOW_TYPE -#include <sys/mbuf.h> -#include <netinet/ip_ipsp.h> -#endif -#include <arpa/inet.h> -#include <stdlib.h> -#include <string.h> -#include <unistd.h> -#include <pwd.h> -#include <errno.h> -#include <bitstring.h> - -#include "cert.h" -#include "conf.h" -#include "exchange.h" -#include "ipsec.h" -#include "ipsec_num.h" -#include "key.h" -#include "log.h" -#include "pf_key_v2.h" -#include "sa.h" -#include "timer.h" -#include "transport.h" -#include "util.h" - -#if defined (USE_KEYNOTE) -#include "policy.h" -#endif - -#if defined (USE_NAT_TRAVERSAL) -#include "udp_encap.h" -#endif - -#define IN6_IS_ADDR_FULL(a) \ - ((*(u_int32_t *)(void *)(&(a)->s6_addr[0]) == 0xffff) && \ - (*(u_int32_t *)(void *)(&(a)->s6_addr[4]) == 0xffff) && \ - (*(u_int32_t *)(void *)(&(a)->s6_addr[8]) == 0xffff) && \ - (*(u_int32_t *)(void *)(&(a)->s6_addr[12]) == 0xffff)) - -#define ADDRESS_MAX sizeof "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255" - -/* - * PF_KEY v2 always work with 64-bit entities and aligns on 64-bit boundaries. - */ -#define PF_KEY_V2_CHUNK 8 -#define PF_KEY_V2_ROUND(x) \ - (((x) + PF_KEY_V2_CHUNK - 1) & ~(PF_KEY_V2_CHUNK - 1)) - -/* How many microseconds we will wait for a reply from the PF_KEY socket. */ -#define PF_KEY_REPLY_TIMEOUT 1000 - -struct pf_key_v2_node { - TAILQ_ENTRY(pf_key_v2_node) link; - void *seg; - size_t sz; - int cnt; - u_int16_t type; - u_int8_t flags; -}; - -TAILQ_HEAD(pf_key_v2_msg, pf_key_v2_node); - -#define PF_KEY_V2_NODE_MALLOCED 1 -#define PF_KEY_V2_NODE_MARK 2 - -#define PF_KEY_V2_SOCK_PATH "/var/run/pkkey" - -/* Used to derive "unique" connection identifiers. */ -int connection_seq = 0; - -#ifdef KAME -/* - * KAME requires the sadb_msg_seq of an UPDATE be the same of that of the - * GETSPI creating the larval SA. - */ -struct pf_key_v2_sa_seq { - TAILQ_ENTRY(pf_key_v2_sa_seq) link; - u_int8_t *spi; - size_t sz; - u_int8_t proto; - struct sockaddr *dst; - int dstlen; - u_int32_t seq; -}; - -TAILQ_HEAD(, pf_key_v2_sa_seq) pf_key_v2_sa_seq_map; -#endif - -#ifndef KAME -static u_int8_t *pf_key_v2_convert_id(u_int8_t *, int, size_t *, int *); -#endif -static struct pf_key_v2_msg *pf_key_v2_call(struct pf_key_v2_msg *); -static struct pf_key_v2_node *pf_key_v2_find_ext(struct pf_key_v2_msg *, - u_int16_t); -static void pf_key_v2_notify(struct pf_key_v2_msg *); -static struct pf_key_v2_msg *pf_key_v2_read(u_int32_t); -static u_int32_t pf_key_v2_seq(void); -static u_int32_t pf_key_v2_write(struct pf_key_v2_msg *); -static int pf_key_v2_remove_conf(char *); -static int pf_key_v2_conf_refhandle(int, char *); - -#ifdef SADB_X_ASKPOLICY -static int pf_key_v2_conf_refinc(int, char *); -#endif - -/* The socket to use for PF_KEY interactions. */ -int pf_key_v2_socket; - -#ifdef KAME -static int -pf_key_v2_register_sa_seq(u_int8_t *spi, size_t sz, u_int8_t proto, - struct sockaddr *dst, int dstlen, u_int32_t seq) -{ - struct pf_key_v2_sa_seq *node = 0; - - node = malloc(sizeof *node); - if (!node) - goto cleanup; - memset(node, '0', sizeof *node); - node->spi = malloc(sz); - if (!node->spi) - goto cleanup; - node->dst = malloc(sysdep_sa_len(dst)); - if (!node->dst) - goto cleanup; - memcpy(node->dst, dst, sysdep_sa_len(dst)); - node->dstlen = sysdep_sa_len(dst); - memcpy(node->spi, spi, sz); - node->sz = sz; - node->proto = proto; - node->seq = seq; - TAILQ_INSERT_TAIL(&pf_key_v2_sa_seq_map, node, link); - return 1; - -cleanup: - if (node->dst) - free(node->dst); - if (node) - free(node); - return 0; -} - -static u_int32_t -pf_key_v2_seq_by_sa(u_int8_t *spi, size_t sz, u_int8_t proto, - struct sockaddr *dst, int dstlen) -{ - struct pf_key_v2_sa_seq *node; - - for (node = TAILQ_FIRST(&pf_key_v2_sa_seq_map); node; - node = TAILQ_NEXT(node, link)) - if (node->proto == proto && - node->sz == sz && memcmp(node->spi, spi, sz) == 0 && - node->dstlen == sysdep_sa_len(dst) && - memcmp(node->dst, dst, sysdep_sa_len(dst)) == 0) - return node->seq; - return 0; -} -#endif - -static struct pf_key_v2_msg * -pf_key_v2_msg_new(struct sadb_msg *msg, int flags) -{ - struct pf_key_v2_node *node = 0; - struct pf_key_v2_msg *ret; - - node = malloc(sizeof *node); - if (!node) - goto cleanup; - ret = malloc(sizeof *ret); - if (!ret) - goto cleanup; - TAILQ_INIT(ret); - node->seg = msg; - node->sz = sizeof *msg; - node->type = 0; - node->cnt = 1; - node->flags = flags; - TAILQ_INSERT_HEAD(ret, node, link); - return ret; - -cleanup: - if (node) - free(node); - return 0; -} - -/* Add a SZ sized segment SEG to the PF_KEY message MSG. */ -static int -pf_key_v2_msg_add(struct pf_key_v2_msg *msg, struct sadb_ext *ext, int flags) -{ - struct pf_key_v2_node *node; - - node = malloc(sizeof *node); - if (!node) - return -1; - node->seg = ext; - node->sz = ext->sadb_ext_len * PF_KEY_V2_CHUNK; - node->type = ext->sadb_ext_type; - node->flags = flags; - TAILQ_FIRST(msg)->cnt++; - TAILQ_INSERT_TAIL(msg, node, link); - return 0; -} - -/* Deallocate the PF_KEY message MSG. */ -static void -pf_key_v2_msg_free(struct pf_key_v2_msg *msg) -{ - struct pf_key_v2_node *np; - - np = TAILQ_FIRST(msg); - while (np) { - TAILQ_REMOVE(msg, np, link); - if (np->flags & PF_KEY_V2_NODE_MALLOCED) - free(np->seg); - free(np); - np = TAILQ_FIRST(msg); - } - free(msg); -} - -/* Just return a new sequence number. */ -static u_int32_t -pf_key_v2_seq(void) -{ - static u_int32_t seq = 0; - - return ++seq; -} - -/* - * Read a PF_KEY packet with SEQ as the sequence number, looping if necessary. - * If SEQ is zero just read the first message we see, otherwise we queue - * messages up until both the PID and the sequence number match. - */ -static struct pf_key_v2_msg * -pf_key_v2_read(u_int32_t seq) -{ - ssize_t n; - u_int8_t *buf = 0; - struct pf_key_v2_msg *ret = 0; - struct sadb_msg *msg; - struct sadb_msg hdr; - struct sadb_ext *ext; - struct timeval tv; - fd_set *fds; - - while (1) { - /* - * If this is a read of a reply we should actually expect the - * reply to get lost as PF_KEY is an unreliable service per - * the specs. Currently we do this by setting a short timeout, - * and if it is not readable in that time, we fail the read. - */ - if (seq) { - fds = calloc(howmany(pf_key_v2_socket + 1, NFDBITS), - sizeof(fd_mask)); - if (!fds) { - log_error("pf_key_v2_read: " - "calloc (%lu, %lu) failed", - (unsigned long) howmany(pf_key_v2_socket + 1, - NFDBITS), - (unsigned long) sizeof(fd_mask)); - goto cleanup; - } - FD_SET(pf_key_v2_socket, fds); - tv.tv_sec = 0; - tv.tv_usec = PF_KEY_REPLY_TIMEOUT; - n = select(pf_key_v2_socket + 1, fds, 0, 0, &tv); - free(fds); - if (n == -1) { - log_error("pf_key_v2_read: " - "select (%d, fds, 0, 0, &tv) failed", - pf_key_v2_socket + 1); - goto cleanup; - } - if (!n) { - log_print("pf_key_v2_read: " - "no reply from PF_KEY"); - goto cleanup; - } - } - n = recv(pf_key_v2_socket, &hdr, sizeof hdr, MSG_PEEK); - if (n == -1) { - log_error("pf_key_v2_read: recv (%d, ...) failed", - pf_key_v2_socket); - goto cleanup; - } - if (n != sizeof hdr) { - log_error("pf_key_v2_read: recv (%d, ...) " - "returned short packet (%lu bytes)", - pf_key_v2_socket, (unsigned long) n); - goto cleanup; - } - n = hdr.sadb_msg_len * PF_KEY_V2_CHUNK; - buf = malloc(n); - if (!buf) { - log_error("pf_key_v2_read: malloc (%lu) failed", - (unsigned long) n); - goto cleanup; - } - n = read(pf_key_v2_socket, buf, n); - if (n == -1) { - log_error("pf_key_v2_read: read (%d, ...) failed", - pf_key_v2_socket); - goto cleanup; - } - if (n != hdr.sadb_msg_len * PF_KEY_V2_CHUNK) { - log_print("pf_key_v2_read: read (%d, ...) " - "returned short packet (%lu bytes)", - pf_key_v2_socket, (unsigned long) n); - goto cleanup; - } - LOG_DBG_BUF((LOG_SYSDEP, 80, "pf_key_v2_read: msg", buf, n)); - - /* We drop all messages that is not what we expect. */ - msg = (struct sadb_msg *) buf; - if (msg->sadb_msg_version != PF_KEY_V2 || - (msg->sadb_msg_pid != 0 && - msg->sadb_msg_pid != (u_int32_t) getpid())) { - if (seq) { - free(buf); - buf = 0; - continue; - } else { - LOG_DBG((LOG_SYSDEP, 90, "pf_key_v2_read:" - "bad version (%d) or PID (%d, mine is " - "%ld), ignored", msg->sadb_msg_version, - msg->sadb_msg_pid, (long) getpid())); - goto cleanup; - } - } - /* Parse the message. */ - ret = pf_key_v2_msg_new(msg, PF_KEY_V2_NODE_MALLOCED); - if (!ret) - goto cleanup; - buf = 0; - for (ext = (struct sadb_ext *) (msg + 1); - (u_int8_t *) ext - (u_int8_t *) msg < - msg->sadb_msg_len * PF_KEY_V2_CHUNK; - ext = (struct sadb_ext *) ((u_int8_t *) ext + - ext->sadb_ext_len * PF_KEY_V2_CHUNK)) - pf_key_v2_msg_add(ret, ext, 0); - - /* - * If the message is not the one we are waiting for, queue it - * up. - */ - if (seq && (msg->sadb_msg_pid != (u_int32_t) getpid() || - msg->sadb_msg_seq != seq)) { - gettimeofday(&tv, 0); - timer_add_event("pf_key_v2_notify", - (void (*) (void *)) pf_key_v2_notify, ret, &tv); - ret = 0; - continue; - } - return ret; - } - -cleanup: - if (buf) - free(buf); - if (ret) - pf_key_v2_msg_free(ret); - return 0; -} - -/* Write the message in PMSG to the PF_KEY socket. */ -u_int32_t -pf_key_v2_write(struct pf_key_v2_msg *pmsg) -{ - struct iovec *iov = 0; - ssize_t n; - size_t len; - int i, cnt = TAILQ_FIRST(pmsg)->cnt; - char header[80]; - struct sadb_msg *msg = TAILQ_FIRST(pmsg)->seg; - struct pf_key_v2_node *np = TAILQ_FIRST(pmsg); - - iov = (struct iovec *) malloc(cnt * sizeof *iov); - if (!iov) { - log_error("pf_key_v2_write: malloc (%lu) failed", - cnt * (unsigned long) sizeof *iov); - return 0; - } - msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_errno = 0; - msg->sadb_msg_reserved = 0; - msg->sadb_msg_pid = getpid(); - if (!msg->sadb_msg_seq) - msg->sadb_msg_seq = pf_key_v2_seq(); - - /* Compute the iovec segments as well as the message length. */ - len = 0; - for (i = 0; i < cnt; i++) { - iov[i].iov_base = np->seg; - len += iov[i].iov_len = np->sz; - - /* - * XXX One can envision setting specific extension fields, like - * *_reserved ones here. For now we require them to be set by the - * caller. - */ - - np = TAILQ_NEXT(np, link); - } - msg->sadb_msg_len = len / PF_KEY_V2_CHUNK; - - for (i = 0; i < cnt; i++) { - snprintf(header, sizeof header, "pf_key_v2_write: iov[%d]", i); - LOG_DBG_BUF((LOG_SYSDEP, 80, header, - (u_int8_t *) iov[i].iov_base, iov[i].iov_len)); - } - - n = writev(pf_key_v4_socket, iov, cnt); - if (n == -1) { - log_error("pf_key_v2_write: writev (%d, %p, %d) failed", - pf_key_v2_socket, iov, cnt); - goto cleanup; - } - if ((size_t) n != len) { - log_error("pf_key_v2_write: " - "writev (%d, ...) returned prematurely (%lu)", - pf_key_v2_socket, (unsigned long) n); - goto cleanup; - } - free(iov); - return msg->sadb_msg_seq; - -cleanup: - if (iov) - free(iov); - return 0; -} - -/* - * Do a PF_KEY "call", i.e. write a message MSG, read the reply and return - * it to the caller. - */ -static struct pf_key_v2_msg * -pf_key_v2_call(struct pf_key_v2_msg *msg) -{ - u_int32_t seq; - - seq = pf_key_v2_write(msg); - if (!seq) - return 0; - return pf_key_v2_read(seq); -} - -/* Find the TYPE extension in MSG. Return zero if none found. */ -static struct pf_key_v2_node * -pf_key_v2_find_ext(struct pf_key_v2_msg *msg, u_int16_t type) -{ - struct pf_key_v2_node *ext; - - for (ext = TAILQ_NEXT(TAILQ_FIRST(msg), link); ext; - ext = TAILQ_NEXT(ext, link)) - if (ext->type == type) - return ext; - return 0; -} - -/* - * Open the PF_KEYv2 sockets and return the descriptor used for notifies. - * Return -1 for failure and -2 if no notifies will show up. - */ -int -pf_key_v2_open(void) -{ - int fd = -1, err; - struct sadb_msg msg; - struct pf_key_v2_msg *regmsg = 0, *ret = 0; - struct sockaddr_un addr; - socklen_t addrLength = sizeof(addr); - - /* Open the socket we use to speak to IPsec. */ - pf_key_v2_socket = -1; - - fd = socket(PF_UNIX, SOCK_RAW, 0); - - if (fd == -1) { - log_error("pf_key_v2_open: " - "socket (PF_KEY, SOCK_RAW, PF_KEY_V2) failed"); - goto cleanup; - } - - memset(&addr, 0, sizeof(struct sockaddr_un)); - /* Clear structure */ - addr.sun_family = AF_UNIX; - strncpy(addr.sun_path, PF_KEY_V2_SOCK_PATH, - sizeof(addr.sun_path) - 1); - - if (connect(fd, (struct sockaddr *) &addr, - sizeof(struct sockaddr_un)) == -1) { - perror("bind"); - exit(EXIT_FAILURE); - } - - - pf_key_v2_socket = fd; - - /* Register it to get ESP and AH acquires from the kernel. */ - msg.sadb_msg_seq = 0; - msg.sadb_msg_type = SADB_REGISTER; - msg.sadb_msg_satype = SADB_SATYPE_ESP; - regmsg = pf_key_v2_msg_new(&msg, 0); - if (!regmsg) - goto cleanup; - ret = pf_key_v2_call(regmsg); - pf_key_v2_msg_free(regmsg); - if (!ret) - goto cleanup; - err = ((struct sadb_msg *)TAILQ_FIRST(ret)->seg)->sadb_msg_errno; - if (err) { - log_print("pf_key_v2_open: REGISTER: %s", strerror(err)); - goto cleanup; - } - /* XXX Register the accepted transforms. */ - - pf_key_v2_msg_free(ret); - ret = 0; - - msg.sadb_msg_seq = 0; - msg.sadb_msg_type = SADB_REGISTER; - msg.sadb_msg_satype = SADB_SATYPE_AH; - regmsg = pf_key_v2_msg_new(&msg, 0); - if (!regmsg) - goto cleanup; - ret = pf_key_v2_call(regmsg); - pf_key_v2_msg_free(regmsg); - if (!ret) - goto cleanup; - err = ((struct sadb_msg *)TAILQ_FIRST(ret)->seg)->sadb_msg_errno; - if (err) { - log_print("pf_key_v2_open: REGISTER: %s", strerror(err)); - goto cleanup; - } - /* XXX Register the accepted transforms. */ - - pf_key_v2_msg_free(ret); - ret = 0; - -#ifdef SADB_X_SATYPE_IPCOMP - msg.sadb_msg_seq = 0; - msg.sadb_msg_type = SADB_REGISTER; - msg.sadb_msg_satype = SADB_X_SATYPE_IPCOMP; - regmsg = pf_key_v2_msg_new(&msg, 0); - if (!regmsg) - goto cleanup; - ret = pf_key_v2_call(regmsg); - pf_key_v2_msg_free(regmsg); - if (!ret) - goto cleanup; - err = ((struct sadb_msg *)TAILQ_FIRST(ret)->seg)->sadb_msg_errno; - if (err) { - log_print("pf_key_v2_open: REGISTER: %s", strerror(err)); - goto cleanup; - } - /* XXX Register the accepted transforms. */ - - pf_key_v2_msg_free(ret); -#endif /* SADB_X_SATYPE_IPCOMP */ - -#ifdef KAME - TAILQ_INIT(&pf_key_v2_sa_seq_map); -#endif - - return fd; - -cleanup: - if (pf_key_v2_socket != -1) { - close(pf_key_v2_socket); - pf_key_v2_socket = -1; - } - if (ret) - pf_key_v2_msg_free(ret); - return -1; -} - -/* - * Generate a SPI for protocol PROTO and the source/destination pair given by - * SRC, SRCLEN, DST & DSTLEN. Stash the SPI size in SZ. - */ -u_int8_t * -pf_key_v2_get_spi(size_t *sz, u_int8_t proto, struct sockaddr *src, - struct sockaddr *dst, u_int32_t seq) -{ - struct sadb_msg msg; - struct sadb_sa *sa; - struct sadb_address *addr = 0; - struct sadb_spirange spirange; - struct pf_key_v2_msg *getspi = 0, *ret = 0; - struct pf_key_v2_node *ext; - u_int8_t *spi = 0; - int len, err; -#ifdef KAME - struct sadb_x_sa2 ssa2; -#endif - - msg.sadb_msg_type = SADB_GETSPI; - switch (proto) { - case IPSEC_PROTO_IPSEC_ESP: - msg.sadb_msg_satype = SADB_SATYPE_ESP; - break; - case IPSEC_PROTO_IPSEC_AH: - msg.sadb_msg_satype = SADB_SATYPE_AH; - break; -#ifdef SADB_X_SATYPE_IPCOMP - case IPSEC_PROTO_IPCOMP: - msg.sadb_msg_satype = SADB_X_SATYPE_IPCOMP; - break; -#endif - default: - log_print("pf_key_v2_get_spi: invalid proto %d", proto); - goto cleanup; - } - - /* Set the sequence number from the ACQUIRE message. */ - msg.sadb_msg_seq = seq; - getspi = pf_key_v2_msg_new(&msg, 0); - if (!getspi) - goto cleanup; - -#ifdef KAME - memset(&ssa2, 0, sizeof ssa2); - ssa2.sadb_x_sa2_exttype = SADB_X_EXT_SA2; - ssa2.sadb_x_sa2_len = sizeof ssa2 / PF_KEY_V2_CHUNK; - ssa2.sadb_x_sa2_mode = 0; - if (pf_key_v2_msg_add(getspi, (struct sadb_ext *)&ssa2, 0) == -1) - goto cleanup; -#endif - - /* Setup the ADDRESS extensions. */ - len = - sizeof(struct sadb_address) + PF_KEY_V2_ROUND(sysdep_sa_len(src)); - addr = calloc(1, len); - if (!addr) - goto cleanup; - addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC; - addr->sadb_address_len = len / PF_KEY_V2_CHUNK; -#ifndef __OpenBSD__ - addr->sadb_address_proto = 0; - addr->sadb_address_prefixlen = 0; -#endif - addr->sadb_address_reserved = 0; - memcpy(addr + 1, src, sysdep_sa_len(src)); - switch (((struct sockaddr *) (addr + 1))->sa_family) { - case AF_INET: - ((struct sockaddr_in *) (addr + 1))->sin_port = 0; - break; - case AF_INET6: - ((struct sockaddr_in6 *) (addr + 1))->sin6_port = 0; - break; - } - if (pf_key_v2_msg_add(getspi, (struct sadb_ext *) addr, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - addr = 0; - - len = - sizeof(struct sadb_address) + PF_KEY_V2_ROUND(sysdep_sa_len(dst)); - addr = calloc(1, len); - if (!addr) - goto cleanup; - addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST; - addr->sadb_address_len = len / PF_KEY_V2_CHUNK; -#ifndef __OpenBSD__ - addr->sadb_address_proto = 0; - addr->sadb_address_prefixlen = 0; -#endif - addr->sadb_address_reserved = 0; - memcpy(addr + 1, dst, sysdep_sa_len(dst)); - switch (((struct sockaddr *) (addr + 1))->sa_family) { - case AF_INET: - ((struct sockaddr_in *) (addr + 1))->sin_port = 0; - break; - case AF_INET6: - ((struct sockaddr_in6 *) (addr + 1))->sin6_port = 0; - break; - } - if (pf_key_v2_msg_add(getspi, (struct sadb_ext *) addr, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - addr = 0; - - /* Setup the SPIRANGE extension. */ - spirange.sadb_spirange_exttype = SADB_EXT_SPIRANGE; - spirange.sadb_spirange_len = sizeof spirange / PF_KEY_V2_CHUNK; - if (proto == IPSEC_PROTO_IPCOMP) { - spirange.sadb_spirange_min = CPI_RESERVED_MAX + 1; - spirange.sadb_spirange_max = CPI_PRIVATE_MIN - 1; - } else { - spirange.sadb_spirange_min = IPSEC_SPI_LOW; - spirange.sadb_spirange_max = 0xffffffff; - } - spirange.sadb_spirange_reserved = 0; - if (pf_key_v2_msg_add(getspi, (struct sadb_ext *)&spirange, 0) == -1) - goto cleanup; - - ret = pf_key_v2_call(getspi); - pf_key_v2_msg_free(getspi); - getspi = 0; - if (!ret) - goto cleanup; - err = ((struct sadb_msg *)TAILQ_FIRST(ret)->seg)->sadb_msg_errno; - if (err) { - log_print("pf_key_v2_get_spi: GETSPI: %s", strerror(err)); - goto cleanup; - } - ext = pf_key_v2_find_ext(ret, SADB_EXT_SA); - if (!ext) { - log_print("pf_key_v2_get_spi: no SA extension found"); - goto cleanup; - } - sa = ext->seg; - - /* IPCOMP CPIs are only 16 bits long. */ - *sz = (proto == IPSEC_PROTO_IPCOMP) ? sizeof(u_int16_t) - : sizeof sa->sadb_sa_spi; - spi = malloc(*sz); - if (!spi) - goto cleanup; - /* XXX This is ugly. */ - if (proto == IPSEC_PROTO_IPCOMP) { - u_int32_t tspi = ntohl(sa->sadb_sa_spi); - *(u_int16_t *) spi = htons((u_int16_t) tspi); - } else - memcpy(spi, &sa->sadb_sa_spi, *sz); - -#ifdef KAME - if (!pf_key_v2_register_sa_seq(spi, *sz, proto, dst, - sysdep_sa_len(dst), - ((struct sadb_msg *) (TAILQ_FIRST(ret)->seg))->sadb_msg_seq)) - goto cleanup; -#endif - pf_key_v2_msg_free(ret); - - LOG_DBG_BUF((LOG_SYSDEP, 50, "pf_key_v2_get_spi: spi", spi, *sz)); - return spi; - -cleanup: - if (spi) - free(spi); - if (addr) - free(addr); - if (getspi) - pf_key_v2_msg_free(getspi); - if (ret) - pf_key_v2_msg_free(ret); - return 0; -} - -/* Fetch SA information from the kernel. XXX OpenBSD only? */ -struct sa_kinfo * -pf_key_v2_get_kernel_sa(u_int8_t *spi, size_t spi_sz, u_int8_t proto, - struct sockaddr *dst) -{ - struct sadb_msg msg; - struct sadb_sa *ssa; - struct sadb_address *addr = 0; - struct sockaddr *sa; - struct sadb_lifetime *life; - struct pf_key_v2_msg *gettdb = 0, *ret = 0; - struct pf_key_v2_node *ext; - static struct sa_kinfo ksa; -#if defined (SADB_X_EXT_UDPENCAP) - struct sadb_x_udpencap *udpencap; -#endif - int len, err; - - if (spi_sz != sizeof (ssa->sadb_sa_spi)) - return 0; - - msg.sadb_msg_type = SADB_GET; - switch (proto) { - case IPSEC_PROTO_IPSEC_ESP: - msg.sadb_msg_satype = SADB_SATYPE_ESP; - break; - case IPSEC_PROTO_IPSEC_AH: - msg.sadb_msg_satype = SADB_SATYPE_AH; - break; -#ifdef SADB_X_SATYPE_IPCOMP - case IPSEC_PROTO_IPCOMP: - msg.sadb_msg_satype = SADB_X_SATYPE_IPCOMP; - break; -#endif - default: - log_print("pf_key_v2_get_kernel_sa: invalid proto %d", proto); - goto cleanup; - } - - gettdb = pf_key_v2_msg_new(&msg, 0); - if (!gettdb) - goto cleanup; - - /* SPI */ - ssa = (struct sadb_sa *)calloc(1, sizeof *ssa); - if (!ssa) { - log_print("pf_key_v2_get_kernel_sa: calloc(1, %lu) failed", - (unsigned long)sizeof *ssa); - goto cleanup; - } - - ssa->sadb_sa_exttype = SADB_EXT_SA; - ssa->sadb_sa_len = sizeof *ssa / PF_KEY_V2_CHUNK; - memcpy(&ssa->sadb_sa_spi, spi, sizeof ssa->sadb_sa_spi); - ssa->sadb_sa_state = SADB_SASTATE_MATURE; - if (pf_key_v2_msg_add(gettdb, (struct sadb_ext *)ssa, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - ssa = 0; - - /* XXX KAME SADB_X_EXT_xyz here? */ - - /* Address */ - len = - sizeof(struct sadb_address) + PF_KEY_V2_ROUND(sysdep_sa_len(dst)); - addr = calloc(1, len); - if (!addr) - goto cleanup; - addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST; - addr->sadb_address_len = len / PF_KEY_V2_CHUNK; -#ifndef __OpenBSD__ - addr->sadb_address_proto = 0; - addr->sadb_address_prefixlen = 0; -#endif - addr->sadb_address_reserved = 0; - memcpy(addr + 1, dst, sysdep_sa_len(dst)); - switch (((struct sockaddr *) (addr + 1))->sa_family) { - case AF_INET: - ((struct sockaddr_in *) (addr + 1))->sin_port = 0; - break; - case AF_INET6: - ((struct sockaddr_in6 *) (addr + 1))->sin6_port = 0; - break; - } - if (pf_key_v2_msg_add(gettdb, (struct sadb_ext *)addr, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - addr = 0; - - ret = pf_key_v2_call(gettdb); - pf_key_v2_msg_free(gettdb); - gettdb = 0; - if (!ret) - goto cleanup; - err = ((struct sadb_msg *)TAILQ_FIRST(ret)->seg)->sadb_msg_errno; - if (err) { - log_print("pf_key_v2_get_kernel_sa: SADB_GET: %s", - strerror(err)); - goto cleanup; - } - - /* Extract the data. */ - memset(&ksa, 0, sizeof ksa); - - ext = pf_key_v2_find_ext(ret, SADB_EXT_SA); - if (!ext) - goto cleanup; - - ssa = (struct sadb_sa *)ext; - ksa.spi = ssa->sadb_sa_spi; - ksa.wnd = ssa->sadb_sa_replay; - ksa.flags = ssa->sadb_sa_flags; - - ext = pf_key_v2_find_ext(ret, SADB_EXT_LIFETIME_CURRENT); - if (ext) { - life = (struct sadb_lifetime *)ext->seg; - ksa.cur_allocations = life->sadb_lifetime_allocations; - ksa.cur_bytes = life->sadb_lifetime_bytes; - ksa.first_use = life->sadb_lifetime_usetime; - ksa.established = life->sadb_lifetime_addtime; - } - - ext = pf_key_v2_find_ext(ret, SADB_EXT_LIFETIME_SOFT); - if (ext) { - life = (struct sadb_lifetime *)ext->seg; - ksa.soft_allocations = life->sadb_lifetime_allocations; - ksa.soft_bytes = life->sadb_lifetime_bytes; - ksa.soft_timeout = life->sadb_lifetime_addtime; - ksa.soft_first_use = life->sadb_lifetime_usetime; - } - - ext = pf_key_v2_find_ext(ret, SADB_EXT_LIFETIME_HARD); - if (ext) { - life = (struct sadb_lifetime *)ext->seg; - ksa.exp_allocations = life->sadb_lifetime_allocations; - ksa.exp_bytes = life->sadb_lifetime_bytes; - ksa.exp_timeout = life->sadb_lifetime_addtime; - ksa.exp_first_use = life->sadb_lifetime_usetime; - } - -#if defined (SADB_X_EXT_LIFETIME_LASTUSE) - ext = pf_key_v2_find_ext(ret, SADB_X_EXT_LIFETIME_LASTUSE); - if (ext) { - life = (struct sadb_lifetime *)ext->seg; - ksa.last_used = life->sadb_lifetime_usetime; - } -#endif - - ext = pf_key_v2_find_ext(ret, SADB_EXT_ADDRESS_SRC); - if (ext) { - sa = (struct sockaddr *)ext->seg; - memcpy(&ksa.src, sa, - sa->sa_family == AF_INET ? sizeof(struct sockaddr_in) : - sizeof(struct sockaddr_in6)); - } - - ext = pf_key_v2_find_ext(ret, SADB_EXT_ADDRESS_DST); - if (ext) { - sa = (struct sockaddr *)ext->seg; - memcpy(&ksa.dst, sa, - sa->sa_family == AF_INET ? sizeof(struct sockaddr_in) : - sizeof(struct sockaddr_in6)); - } - - ext = pf_key_v2_find_ext(ret, SADB_EXT_ADDRESS_PROXY); - if (ext) { - sa = (struct sockaddr *)ext->seg; - memcpy(sa, &ksa.proxy, - sa->sa_family == AF_INET ? sizeof(struct sockaddr_in) : - sizeof(struct sockaddr_in6)); - } - -#if defined (SADB_X_EXT_UDPENCAP) - ext = pf_key_v2_find_ext(ret, SADB_X_EXT_UDPENCAP); - if (ext) { - udpencap = (struct sadb_x_udpencap *)ext->seg; - ksa.udpencap_port = udpencap->sadb_x_udpencap_port; - } -#endif - - pf_key_v2_msg_free(ret); - - LOG_DBG_BUF((LOG_SYSDEP, 50, "pf_key_v2_get_kernel_sa: spi", spi, - spi_sz)); - - return &ksa; - - cleanup: - if (addr) - free (addr); - if (gettdb) - pf_key_v2_msg_free(gettdb); - if (ret) - pf_key_v2_msg_free(ret); - return 0; -} - -static void -pf_key_v2_setup_sockaddr(void *res, struct sockaddr *src, - struct sockaddr *dst, in_port_t port, int ingress) -{ - struct sockaddr_in *ip4_sa; - struct sockaddr_in6 *ip6_sa; - u_int8_t *p; - - switch (src->sa_family) { - case AF_INET: - ip4_sa = (struct sockaddr_in *) res; - ip4_sa->sin_family = AF_INET; -#ifndef USE_OLD_SOCKADDR - ip4_sa->sin_len = sizeof *ip4_sa; -#endif - ip4_sa->sin_port = port; - if (dst) - p = (u_int8_t *) (ingress ? - &((struct sockaddr_in *)src)->sin_addr.s_addr : - &((struct sockaddr_in *)dst)->sin_addr.s_addr); - else - p = (u_int8_t *)&((struct sockaddr_in *)src)->sin_addr.s_addr; - ip4_sa->sin_addr.s_addr = *((in_addr_t *) p); - break; - - case AF_INET6: - ip6_sa = (struct sockaddr_in6 *) res; - ip6_sa->sin6_family = AF_INET6; -#ifndef USE_OLD_SOCKADDR - ip6_sa->sin6_len = sizeof *ip6_sa; -#endif - ip6_sa->sin6_port = port; - if (dst) - p = (u_int8_t *) (ingress ? - &((struct sockaddr_in6 *)src)->sin6_addr.s6_addr : - &((struct sockaddr_in6 *)dst)->sin6_addr.s6_addr); - else - p = (u_int8_t *)&((struct sockaddr_in6 *)src)->sin6_addr.s6_addr; - memcpy(ip6_sa->sin6_addr.s6_addr, p, sizeof(struct in6_addr)); - break; - - default: - log_print("pf_key_v2_setup_sockaddr: unknown family %d\n", - src->sa_family); - break; - } -} - -/* - * Store/update a PF_KEY_V2 security association with full information from the - * IKE SA and PROTO into the kernel. INCOMING is set if we are setting the - * parameters for the incoming SA, and cleared otherwise. - */ -int -pf_key_v2_set_spi(struct sa *sa, struct proto *proto, int incoming, - struct sa *isakmp_sa) -{ - struct sadb_msg msg; - struct sadb_sa ssa; - struct sadb_lifetime *life = 0; - struct sadb_address *addr = 0; - struct sadb_key *key = 0; - struct sadb_ident *sid = 0; - struct sockaddr *src, *dst; - struct pf_key_v2_msg *update = 0, *ret = 0; - struct ipsec_proto *iproto = proto->data; - size_t len; - int keylen, hashlen, err; -#ifndef KAME - u_int8_t *pp; - int idtype; -#else /* KAME */ - struct sadb_x_sa2 ssa2; -#endif -#if defined (SADB_X_CREDTYPE_NONE) || defined (SADB_X_AUTHTYPE_NONE) - struct ipsec_sa *isa = sa->data; - struct sadb_x_cred *cred; - struct sadb_protocol flowtype, tprotocol; -#endif -#if defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_UDPENCAP) - struct sadb_x_udpencap udpencap; -#elif defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_NAT_T_TYPE) - struct sadb_x_nat_t_type nat_t_type; - struct sadb_x_nat_t_port nat_t_sport; - struct sadb_x_nat_t_port nat_t_dport; -#endif -#ifdef USE_DEBUG - char *addr_str; -#endif - - msg.sadb_msg_type = incoming ? SADB_UPDATE : SADB_ADD; - switch (proto->proto) { - case IPSEC_PROTO_IPSEC_ESP: - msg.sadb_msg_satype = SADB_SATYPE_ESP; - keylen = ipsec_esp_enckeylength(proto); - hashlen = ipsec_esp_authkeylength(proto); - - switch (proto->id) { - case IPSEC_ESP_DES: - case IPSEC_ESP_DES_IV32: - case IPSEC_ESP_DES_IV64: - ssa.sadb_sa_encrypt = SADB_EALG_DESCBC; - break; - - case IPSEC_ESP_3DES: - ssa.sadb_sa_encrypt = SADB_EALG_3DESCBC; - break; - -#ifdef SADB_X_EALG_AES - case IPSEC_ESP_AES: - /* case IPSEC_ESP_AES_128_CTR: */ - ssa.sadb_sa_encrypt = SADB_X_EALG_AES; - break; -#endif - -#ifdef SADB_X_EALG_CAST - case IPSEC_ESP_CAST: - ssa.sadb_sa_encrypt = SADB_X_EALG_CAST; - break; -#endif - -#ifdef SADB_X_EALG_BLF - case IPSEC_ESP_BLOWFISH: - ssa.sadb_sa_encrypt = SADB_X_EALG_BLF; - break; -#endif - - default: - LOG_DBG((LOG_SYSDEP, 50, "pf_key_v2_set_spi: " - "unknown encryption algorithm %d", proto->id)); - return -1; - } - - switch (iproto->auth) { - case IPSEC_AUTH_HMAC_MD5: -#ifdef SADB_AALG_MD5HMAC96 - ssa.sadb_sa_auth = SADB_AALG_MD5HMAC96; -#else - ssa.sadb_sa_auth = SADB_AALG_MD5HMAC; -#endif - break; - - case IPSEC_AUTH_HMAC_SHA: -#ifdef SADB_AALG_SHA1HMAC96 - ssa.sadb_sa_auth = SADB_AALG_SHA1HMAC96; -#else - ssa.sadb_sa_auth = SADB_AALG_SHA1HMAC; -#endif - break; - -#ifndef KAME - case IPSEC_AUTH_HMAC_RIPEMD: -#ifdef SADB_X_AALG_RIPEMD160HMAC96 - ssa.sadb_sa_auth = SADB_X_AALG_RIPEMD160HMAC96; -#elif defined (SADB_X_AALG_RIPEMD160HMAC) - ssa.sadb_sa_auth = SADB_X_AALG_RIPEMD160HMAC; -#elif defined (SADB_X_AALG_RIPEMD160) - ssa.sadb_sa_auth = SADB_X_AALG_RIPEMD160; -#else - ssa.sadb_sa_auth = SADB_AALG_RIPEMD160HMAC; -#endif - break; -#endif - -#ifdef SADB_X_AALG_SHA2_256 - case IPSEC_AUTH_HMAC_SHA2_256: - ssa.sadb_sa_auth = SADB_X_AALG_SHA2_256; - break; -#endif - -#ifdef SADB_X_AALG_SHA2_384 - case IPSEC_AUTH_HMAC_SHA2_384: - ssa.sadb_sa_auth = SADB_X_AALG_SHA2_384; - break; -#endif - -#ifdef SADB_X_AALG_SHA2_512 - case IPSEC_AUTH_HMAC_SHA2_512: - ssa.sadb_sa_auth = SADB_X_AALG_SHA2_512; - break; -#endif - - case IPSEC_AUTH_DES_MAC: - case IPSEC_AUTH_KPDK: - /* XXX We should be supporting KPDK */ - LOG_DBG((LOG_SYSDEP, 50, "pf_key_v2_set_spi: " - "unknown authentication algorithm %d", - iproto->auth)); - return -1; - - default: - ssa.sadb_sa_auth = SADB_AALG_NONE; - } - break; - - case IPSEC_PROTO_IPSEC_AH: - msg.sadb_msg_satype = SADB_SATYPE_AH; - hashlen = ipsec_ah_keylength(proto); - keylen = 0; - - ssa.sadb_sa_encrypt = SADB_EALG_NONE; - switch (proto->id) { - case IPSEC_AH_MD5: -#ifdef SADB_AALG_MD5HMAC96 - ssa.sadb_sa_auth = SADB_AALG_MD5HMAC96; -#else - ssa.sadb_sa_auth = SADB_AALG_MD5HMAC; -#endif - break; - - case IPSEC_AH_SHA: -#ifdef SADB_AALG_SHA1HMAC96 - ssa.sadb_sa_auth = SADB_AALG_SHA1HMAC96; -#else - ssa.sadb_sa_auth = SADB_AALG_SHA1HMAC; -#endif - break; - -#ifndef KAME - case IPSEC_AH_RIPEMD: -#ifdef SADB_X_AALG_RIPEMD160HMAC96 - ssa.sadb_sa_auth = SADB_X_AALG_RIPEMD160HMAC96; -#elif defined (SADB_X_AALG_RIPEMD160HMAC) - ssa.sadb_sa_auth = SADB_X_AALG_RIPEMD160HMAC; -#elif defined (SADB_X_AALG_RIPEMD160) - ssa.sadb_sa_auth = SADB_X_AALG_RIPEMD160; -#else - ssa.sadb_sa_auth = SADB_AALG_RIPEMD160HMAC; -#endif - break; -#endif - -#ifdef SADB_X_AALG_SHA2_256 - case IPSEC_AH_SHA2_256: - ssa.sadb_sa_auth = SADB_X_AALG_SHA2_256; - break; -#endif - -#ifdef SADB_X_AALG_SHA2_384 - case IPSEC_AH_SHA2_384: - ssa.sadb_sa_auth = SADB_X_AALG_SHA2_384; - break; -#endif - -#ifdef SADB_X_AALG_SHA2_512 - case IPSEC_AH_SHA2_512: - ssa.sadb_sa_auth = SADB_X_AALG_SHA2_512; - break; -#endif - - default: - LOG_DBG((LOG_SYSDEP, 50, "pf_key_v2_set_spi: " - "unknown authentication algorithm %d", proto->id)); - goto cleanup; - } - break; - -#ifdef SADB_X_SATYPE_IPCOMP - case IPSEC_PROTO_IPCOMP: - msg.sadb_msg_satype = SADB_X_SATYPE_IPCOMP; - ssa.sadb_sa_auth = SADB_AALG_NONE; - keylen = 0; - hashlen = 0; - - /* - * Put compression algorithm type in the sadb_sa_encrypt - * field. - */ - switch (proto->id) { -#ifdef SADB_X_CALG_OUI - case IPSEC_IPCOMP_OUI: - ssa.sadb_sa_encrypt = SADB_X_CALG_OUI; - break; -#endif - -#ifdef SADB_X_CALG_DEFLATE - case IPSEC_IPCOMP_DEFLATE: - ssa.sadb_sa_encrypt = SADB_X_CALG_DEFLATE; - break; -#endif - -#ifdef SADB_X_CALG_LZS - case IPSEC_IPCOMP_LZS: - ssa.sadb_sa_encrypt = SADB_X_CALG_LZS; - break; -#endif - -#ifdef SADB_X_CALG_V42BIS - case IPSEC_IPCOMP_V42BIS: - ssa.sadb_sa_encrypt = SADB_X_CALG_V42BIS; - break; -#endif - - default: - break; - } - break; -#endif /* SADB_X_SATYPE_IPCOMP */ - - default: - log_print("pf_key_v2_set_spi: invalid proto %d", proto->proto); - goto cleanup; - } - if (incoming) { - sa->transport->vtbl->get_src(sa->transport, &dst); - sa->transport->vtbl->get_dst(sa->transport, &src); - } - else { - sa->transport->vtbl->get_dst(sa->transport, &dst); - sa->transport->vtbl->get_src(sa->transport, &src); - } - -#ifdef KAME - msg.sadb_msg_seq = (incoming ? - pf_key_v2_seq_by_sa(proto->spi[incoming], sizeof ssa.sadb_sa_spi, - proto->proto, dst, sysdep_sa_len(dst)) : 0); -#else - msg.sadb_msg_seq = sa->seq; -#endif - update = pf_key_v2_msg_new(&msg, 0); - if (!update) - goto cleanup; - -#ifdef KAME - memset(&ssa2, 0, sizeof ssa2); - ssa2.sadb_x_sa2_exttype = SADB_X_EXT_SA2; - ssa2.sadb_x_sa2_len = sizeof ssa2 / PF_KEY_V2_CHUNK; -#if defined (LINUX_IPSEC) - if (iproto->encap_mode == IPSEC_ENCAP_TUNNEL) - ssa2.sadb_x_sa2_mode = IPSEC_MODE_TUNNEL; - else - ssa2.sadb_x_sa2_mode = IPSEC_MODE_TRANSPORT; -#else - ssa2.sadb_x_sa2_mode = 0; -#endif - if (pf_key_v2_msg_add(update, (struct sadb_ext *)&ssa2, 0) == -1) - goto cleanup; -#endif - - /* Setup the rest of the SA extension. */ - ssa.sadb_sa_exttype = SADB_EXT_SA; - ssa.sadb_sa_len = sizeof ssa / PF_KEY_V2_CHUNK; - if (proto->spi_sz[incoming] == 2) /* IPCOMP uses 16bit CPIs. */ - ssa.sadb_sa_spi = htonl(proto->spi[incoming][0] << 8 | - proto->spi[incoming][1]); - else - memcpy(&ssa.sadb_sa_spi, proto->spi[incoming], - sizeof ssa.sadb_sa_spi); - ssa.sadb_sa_replay = conf_get_str("General", "Shared-SADB") ? 0 : - iproto->replay_window; - ssa.sadb_sa_state = SADB_SASTATE_MATURE; - ssa.sadb_sa_flags = 0; -#ifdef SADB_X_SAFLAGS_TUNNEL - if (iproto->encap_mode == IPSEC_ENCAP_TUNNEL || - iproto->encap_mode == IPSEC_ENCAP_UDP_ENCAP_TUNNEL || - iproto->encap_mode == IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT) - ssa.sadb_sa_flags = SADB_X_SAFLAGS_TUNNEL; -#endif - - if (isakmp_sa->flags & SA_FLAG_NAT_T_ENABLE) { -#if defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_UDPENCAP) - memset(&udpencap, 0, sizeof udpencap); - ssa.sadb_sa_flags |= SADB_X_SAFLAGS_UDPENCAP; - udpencap.sadb_x_udpencap_exttype = SADB_X_EXT_UDPENCAP; - udpencap.sadb_x_udpencap_len = - sizeof udpencap / PF_KEY_V2_CHUNK; - udpencap.sadb_x_udpencap_port = sockaddr_port(dst); - if (pf_key_v2_msg_add(update, (struct sadb_ext *)&udpencap, 0) - == -1) - goto cleanup; -#elif defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_NAT_T_TYPE) -#ifndef UDP_ENCAP_ESPINUDP -#define UDP_ENCAP_ESPINUDP 2 -#endif - memset(&nat_t_type, 0, sizeof nat_t_type); - memset(&nat_t_sport, 0, sizeof nat_t_sport); - memset(&nat_t_dport, 0, sizeof nat_t_dport); - - /* type = draft-udp-encap-06 */ - nat_t_type.sadb_x_nat_t_type_len = sizeof nat_t_type / PF_KEY_V2_CHUNK; - nat_t_type.sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE; - nat_t_type.sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP; - if(pf_key_v2_msg_add(update, (struct sadb_ext *)&nat_t_type, 0) == -1) - goto cleanup; - - /* source port */ - nat_t_sport.sadb_x_nat_t_port_len = sizeof nat_t_sport / - PF_KEY_V2_CHUNK; - nat_t_sport.sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT; - nat_t_sport.sadb_x_nat_t_port_port = sockaddr_port(src); - if(pf_key_v2_msg_add(update, (struct sadb_ext *)&nat_t_sport, 0) == -1) - goto cleanup; - - /* destination port */ - nat_t_dport.sadb_x_nat_t_port_len = sizeof nat_t_dport / - PF_KEY_V2_CHUNK; - nat_t_dport.sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT; - nat_t_dport.sadb_x_nat_t_port_port = sockaddr_port(dst); - if(pf_key_v2_msg_add(update, (struct sadb_ext *)&nat_t_dport, 0) == -1) - goto cleanup; - - /* original address (transport mode checksum missing info) goes here */ -#endif - } - - if (pf_key_v2_msg_add(update, (struct sadb_ext *)&ssa, 0) == -1) - goto cleanup; - - if (sa->seconds || sa->kilobytes) { - /* Setup the hard limits. */ - life = malloc(sizeof *life); - if (!life) - goto cleanup; - life->sadb_lifetime_len = sizeof *life / PF_KEY_V2_CHUNK; - life->sadb_lifetime_exttype = SADB_EXT_LIFETIME_HARD; - life->sadb_lifetime_allocations = 0; - life->sadb_lifetime_bytes = sa->kilobytes * 1024; - /* - * XXX I am not sure which one is best in security respect. - * Maybe the RFCs actually mandate what a lifetime really is. - */ -#if 0 - life->sadb_lifetime_addtime = 0; - life->sadb_lifetime_usetime = sa->seconds; -#else - life->sadb_lifetime_addtime = sa->seconds; - life->sadb_lifetime_usetime = 0; -#endif - if (pf_key_v2_msg_add(update, (struct sadb_ext *) life, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - life = 0; - - /* - * Setup the soft limits, we use 90 % of the hard ones. - * XXX A configurable ratio would be better. - */ - life = malloc(sizeof *life); - if (!life) - goto cleanup; - life->sadb_lifetime_len = sizeof *life / PF_KEY_V2_CHUNK; - life->sadb_lifetime_exttype = SADB_EXT_LIFETIME_SOFT; - life->sadb_lifetime_allocations = 0; - life->sadb_lifetime_bytes = sa->kilobytes * 1024 * 9 / 10; - /* - * XXX I am not sure which one is best in security respect. - * Maybe the RFCs actually mandate what a lifetime really is. - */ -#if 0 - life->sadb_lifetime_addtime = 0; - life->sadb_lifetime_usetime = sa->seconds * 9 / 10; -#else - life->sadb_lifetime_addtime = sa->seconds * 9 / 10; - life->sadb_lifetime_usetime = 0; -#endif - if (pf_key_v2_msg_add(update, (struct sadb_ext *) life, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - life = 0; - } - /* - * Setup the ADDRESS extensions. - */ - len = sizeof *addr + PF_KEY_V2_ROUND(sysdep_sa_len(src)); - addr = calloc(1, len); - if (!addr) - goto cleanup; - addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC; - addr->sadb_address_len = len / PF_KEY_V2_CHUNK; -#ifndef __OpenBSD__ - addr->sadb_address_proto = 0; - addr->sadb_address_prefixlen = 0; -#endif - addr->sadb_address_reserved = 0; - memcpy(addr + 1, src, sysdep_sa_len(src)); - switch (((struct sockaddr *) (addr + 1))->sa_family) { - case AF_INET: - ((struct sockaddr_in *) (addr + 1))->sin_port = 0; - break; - case AF_INET6: - ((struct sockaddr_in6 *) (addr + 1))->sin6_port = 0; - break; - } - if (pf_key_v2_msg_add(update, (struct sadb_ext *) addr, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - addr = 0; - - len = sizeof *addr + PF_KEY_V2_ROUND(sysdep_sa_len(dst)); - addr = calloc(1, len); - if (!addr) - goto cleanup; - addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST; - addr->sadb_address_len = len / PF_KEY_V2_CHUNK; -#ifndef __OpenBSD__ - addr->sadb_address_proto = 0; - addr->sadb_address_prefixlen = 0; -#endif - addr->sadb_address_reserved = 0; - memcpy(addr + 1, dst, sysdep_sa_len(dst)); - switch (((struct sockaddr *) (addr + 1))->sa_family) { - case AF_INET: - ((struct sockaddr_in *) (addr + 1))->sin_port = 0; - break; - case AF_INET6: - ((struct sockaddr_in6 *) (addr + 1))->sin6_port = 0; - break; - } - if (pf_key_v2_msg_add(update, (struct sadb_ext *) addr, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - addr = 0; - -#if 0 - /* XXX I am not sure about what to do here just yet. */ - if (iproto->encap_mode == IPSEC_ENCAP_TUNNEL) { - len = sizeof *addr + PF_KEY_V2_ROUND(sysdep_sa_len(dst)); - addr = calloc(1, len); - if (!addr) - goto cleanup; - addr->sadb_address_exttype = SADB_EXT_ADDRESS_PROXY; - addr->sadb_address_len = len / PF_KEY_V2_CHUNK; -#ifndef __OpenBSD__ - addr->sadb_address_proto = 0; - addr->sadb_address_prefixlen = 0; -#endif - addr->sadb_address_reserved = 0; - memcpy(addr + 1, dst, sysdep_sa_len(dst)); - switch (((struct sockaddr *) (addr + 1))->sa_family) { - case AF_INET: - ((struct sockaddr_in *) (addr + 1))->sin_port = 0; - break; - case AF_INET6: - ((struct sockaddr_in6 *) (addr + 1))->sin6_port = 0; - break; - } - if (pf_key_v2_msg_add(update, (struct sadb_ext *) addr, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - addr = 0; -#if 0 - msg->em_odst = msg->em_dst; - msg->em_osrc = msg->em_src; -#endif - } -#endif - - if (proto->proto != IPSEC_PROTO_IPCOMP) { - /* Setup the KEY extensions. */ - if (hashlen) { - len = sizeof *key + PF_KEY_V2_ROUND(hashlen); - key = malloc(len); - if (!key) - goto cleanup; - key->sadb_key_exttype = SADB_EXT_KEY_AUTH; - key->sadb_key_len = len / PF_KEY_V2_CHUNK; - key->sadb_key_bits = hashlen * 8; - key->sadb_key_reserved = 0; - memcpy(key + 1, - iproto->keymat[incoming] + - (proto->proto == - IPSEC_PROTO_IPSEC_ESP ? keylen : 0), - hashlen); - if (pf_key_v2_msg_add(update, (struct sadb_ext *) key, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - key = 0; - } - if (keylen) { - len = sizeof *key + PF_KEY_V2_ROUND(keylen); - key = malloc(len); - if (!key) - goto cleanup; - key->sadb_key_exttype = SADB_EXT_KEY_ENCRYPT; - key->sadb_key_len = len / PF_KEY_V2_CHUNK; - key->sadb_key_bits = keylen * 8; - key->sadb_key_reserved = 0; - memcpy(key + 1, iproto->keymat[incoming], keylen); - if (pf_key_v2_msg_add(update, (struct sadb_ext *) key, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - key = 0; - } - } -#ifndef KAME - /* Setup identity extensions. */ - if (isakmp_sa->id_i) { - pp = pf_key_v2_convert_id(isakmp_sa->id_i, isakmp_sa->id_i_len, - &len, &idtype); - if (!pp) - goto nosid; - - sid = calloc(PF_KEY_V2_ROUND(len + 1) + sizeof *sid, - sizeof(u_int8_t)); - if (!sid) { - free(pp); - goto cleanup; - } - sid->sadb_ident_type = idtype; - sid->sadb_ident_len = ((sizeof *sid) / PF_KEY_V2_CHUNK) + - PF_KEY_V2_ROUND(len + 1) / PF_KEY_V2_CHUNK; - if ((isakmp_sa->initiator && !incoming) || - (!isakmp_sa->initiator && incoming)) - sid->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC; - else - sid->sadb_ident_exttype = SADB_EXT_IDENTITY_DST; - - memcpy(sid + 1, pp, len); - free(pp); - - if (pf_key_v2_msg_add(update, (struct sadb_ext *) sid, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - sid = 0; - -nosid: - if (sid) - free(sid); - sid = 0; - } - if (isakmp_sa->id_r) { - pp = pf_key_v2_convert_id(isakmp_sa->id_r, isakmp_sa->id_r_len, - &len, &idtype); - if (!pp) - goto nodid; - - sid = calloc(PF_KEY_V2_ROUND(len + 1) + sizeof *sid, - sizeof(u_int8_t)); - if (!sid) { - free(pp); - goto cleanup; - } - sid->sadb_ident_type = idtype; - sid->sadb_ident_len = ((sizeof *sid) / PF_KEY_V2_CHUNK) + - PF_KEY_V2_ROUND(len + 1) / PF_KEY_V2_CHUNK; - if ((isakmp_sa->initiator && !incoming) || - (!isakmp_sa->initiator && incoming)) - sid->sadb_ident_exttype = SADB_EXT_IDENTITY_DST; - else - sid->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC; - - memcpy(sid + 1, pp, len); - free(pp); - - if (pf_key_v2_msg_add(update, (struct sadb_ext *) sid, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - sid = 0; - -nodid: - if (sid) - free(sid); - sid = 0; - } -#endif /* KAME */ - -#ifdef SADB_X_CREDTYPE_NONE - /* - * Send received credentials to the kernel. We don't bother with - * our credentials, since the process either knows them (if it - * specified them with setsockopt()), or has no business looking at - * them (e.g., system wide certs). - */ - if (isakmp_sa->recv_cert) { - switch (isakmp_sa->recv_certtype) { - case ISAKMP_CERTENC_NONE: - /* Nothing to be done here. */ - break; - -#if defined (USE_KEYNOTE) && defined (SADB_X_EXT_REMOTE_CREDENTIALS) - case ISAKMP_CERTENC_KEYNOTE: - len = strlen(isakmp_sa->recv_cert); - cred = calloc(PF_KEY_V2_ROUND(len) + sizeof *cred, - sizeof(u_int8_t)); - if (!cred) - goto cleanup; - - cred->sadb_x_cred_len = - ((sizeof *cred) / PF_KEY_V2_CHUNK) + - PF_KEY_V2_ROUND(len) / PF_KEY_V2_CHUNK; - cred->sadb_x_cred_exttype = - SADB_X_EXT_REMOTE_CREDENTIALS; - cred->sadb_x_cred_type = SADB_X_CREDTYPE_KEYNOTE; - memcpy(cred + 1, isakmp_sa->recv_cert, len); - - if (pf_key_v2_msg_add(update, (struct sadb_ext *) cred, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - break; -#endif /* USE_KEYNOTE */ - -#if defined (USE_X509) && defined (SADB_X_EXT_REMOTE_CREDENTIALS) - case ISAKMP_CERTENC_X509_SIG: - { - u_int8_t *data; - u_int32_t datalen; - struct cert_handler *handler; - - /* We do it this way to avoid weird includes.*/ - handler = cert_get(ISAKMP_CERTENC_X509_SIG); - if (!handler) - break; - handler->cert_serialize(isakmp_sa->recv_cert, - &data, &datalen); - if (!data) - break; - - len = datalen; - cred = - calloc(PF_KEY_V2_ROUND(len) + sizeof *cred, - sizeof(u_int8_t)); - if (!cred) { - free(data); - goto cleanup; - } - cred->sadb_x_cred_len = - ((sizeof *cred) / PF_KEY_V2_CHUNK) + - PF_KEY_V2_ROUND(len) / PF_KEY_V2_CHUNK; - cred->sadb_x_cred_exttype = - SADB_X_EXT_REMOTE_CREDENTIALS; - cred->sadb_x_cred_type = SADB_X_CREDTYPE_X509; - memcpy(cred + 1, data, len); - free(data); - - if (pf_key_v2_msg_add(update, - (struct sadb_ext *) cred, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - } - break; -#endif /* USE_X509 */ - } - } -#endif /* SADB_X_CREDTYPE_NONE */ - -#ifdef SADB_X_AUTHTYPE_NONE - /* - * Tell the kernel what the peer used to authenticate, unless it was a - * passphrase. - */ - if (isakmp_sa->recv_key) { - u_int8_t *data; - - /* - * If it's a private key, we shouldn't pass it to the kernel - * for processes to see; successful authentication of Phase 1 - * implies that the process already knew the passphrase. On - * the other hand, we don't want to reveal to processes any - * system-wide passphrases used for authentication with remote - * systems. Same reason we don't send up the key (private or - * passphrase) we used to authenticate with the peer. - */ - if (isakmp_sa->recv_keytype == ISAKMP_KEY_PASSPHRASE) - goto doneauth; - - key_serialize(isakmp_sa->recv_keytype, ISAKMP_KEYTYPE_PUBLIC, - isakmp_sa->recv_key, &data, &len); - if (!data) - goto cleanup; - - cred = calloc(PF_KEY_V2_ROUND(len) + sizeof *cred, - sizeof(u_int8_t)); - if (!cred) { - free(data); - goto cleanup; - } - cred->sadb_x_cred_len = ((sizeof *cred) / PF_KEY_V2_CHUNK) + - PF_KEY_V2_ROUND(len) / PF_KEY_V2_CHUNK; - cred->sadb_x_cred_exttype = SADB_X_EXT_REMOTE_AUTH; - memcpy(cred + 1, data, len); - free(data); - - switch (isakmp_sa->recv_keytype) { - case ISAKMP_KEY_RSA: - cred->sadb_x_cred_type = SADB_X_AUTHTYPE_RSA; - break; - - default: - log_print("pf_key_v2_set_spi: " - "unknown received key type %d", - isakmp_sa->recv_keytype); - free(cred); - goto cleanup; - } - - if (pf_key_v2_msg_add(update, (struct sadb_ext *) cred, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - } -doneauth: -#endif /* SADB_X_AUTHTYPE_NONE */ - -#ifdef SADB_X_EXT_FLOW_TYPE - /* Setup the flow type extension. */ - bzero(&flowtype, sizeof flowtype); - flowtype.sadb_protocol_exttype = SADB_X_EXT_FLOW_TYPE; - flowtype.sadb_protocol_len = sizeof flowtype / PF_KEY_V2_CHUNK; - flowtype.sadb_protocol_direction = incoming ? - IPSP_DIRECTION_IN : IPSP_DIRECTION_OUT; - - if (pf_key_v2_msg_add(update, (struct sadb_ext *)&flowtype, 0) == -1) - goto cleanup; - - bzero(&tprotocol, sizeof tprotocol); - tprotocol.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL; - tprotocol.sadb_protocol_len = sizeof tprotocol / PF_KEY_V2_CHUNK; - tprotocol.sadb_protocol_proto = isa->tproto; - - if (pf_key_v2_msg_add(update, (struct sadb_ext *)&tprotocol, - 0) == -1) - goto cleanup; - - len = sizeof *addr + PF_KEY_V2_ROUND(sysdep_sa_len(isa->src_net)); - addr = calloc(1, len); - if (!addr) - goto cleanup; - addr->sadb_address_exttype = incoming ? - SADB_X_EXT_DST_FLOW : SADB_X_EXT_SRC_FLOW; - addr->sadb_address_len = len / PF_KEY_V2_CHUNK; - addr->sadb_address_reserved = 0; - pf_key_v2_setup_sockaddr(addr + 1, isa->src_net, 0, isa->sport, 0); - if (pf_key_v2_msg_add(update, (struct sadb_ext *) addr, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - addr = 0; - - addr = calloc(1, len); - if (!addr) - goto cleanup; - addr->sadb_address_exttype = - incoming ? SADB_X_EXT_DST_MASK : SADB_X_EXT_SRC_MASK; - addr->sadb_address_len = len / PF_KEY_V2_CHUNK; - addr->sadb_address_reserved = 0; - pf_key_v2_setup_sockaddr(addr + 1, isa->src_mask, 0, - isa->sport ? 0xffff : 0, 0); - if (pf_key_v2_msg_add(update, (struct sadb_ext *) addr, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - addr = 0; - - addr = calloc(1, len); - if (!addr) - goto cleanup; - addr->sadb_address_exttype = incoming ? - SADB_X_EXT_SRC_FLOW : SADB_X_EXT_DST_FLOW; - addr->sadb_address_len = len / PF_KEY_V2_CHUNK; - addr->sadb_address_reserved = 0; - pf_key_v2_setup_sockaddr(addr + 1, isa->dst_net, 0, isa->dport, 0); - if (pf_key_v2_msg_add(update, (struct sadb_ext *) addr, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - addr = 0; - - addr = calloc(1, len); - if (!addr) - goto cleanup; - addr->sadb_address_exttype = - incoming ? SADB_X_EXT_SRC_MASK : SADB_X_EXT_DST_MASK; - addr->sadb_address_len = len / PF_KEY_V2_CHUNK; - addr->sadb_address_reserved = 0; - pf_key_v2_setup_sockaddr(addr + 1, isa->dst_mask, 0, - isa->dport ? 0xffff : 0, 0); - if (pf_key_v2_msg_add(update, (struct sadb_ext *) addr, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - addr = 0; -#endif /* SADB_X_EXT_FLOW_TYPE */ - - /* XXX Here can sensitivity extensions be setup. */ - -#ifdef USE_DEBUG - if (sockaddr2text(dst, &addr_str, 0)) - addr_str = 0; - - LOG_DBG((LOG_SYSDEP, 10, "pf_key_v2_set_spi: " - "satype %d dst %s SPI 0x%x", msg.sadb_msg_satype, - addr_str ? addr_str : "unknown", ntohl(ssa.sadb_sa_spi))); - - if (addr_str) - free(addr_str); -#endif /* USE_DEBUG */ - - /* - * Although PF_KEY knows about expirations, it is unreliable per the - * specs thus we need to do them inside isakmpd as well. - */ - if (sa->seconds) - if (sa_setup_expirations(sa)) - goto cleanup; - - ret = pf_key_v2_call(update); - pf_key_v2_msg_free(update); - update = 0; - if (!ret) - goto cleanup; - err = ((struct sadb_msg *)TAILQ_FIRST(ret)->seg)->sadb_msg_errno; - pf_key_v2_msg_free(ret); - ret = 0; - - /* - * If we are doing an addition into an SADB shared with our peer, - * errors here are to be expected as the peer will already have - * created the SA, and can thus be ignored. - */ - if (err && !(msg.sadb_msg_type == SADB_ADD && - conf_get_str("General", "Shared-SADB"))) { - log_print("pf_key_v2_set_spi: %s: %s", - msg.sadb_msg_type == SADB_ADD ? "ADD" : "UPDATE", - strerror(err)); - goto cleanup; - } - LOG_DBG((LOG_SYSDEP, 50, "pf_key_v2_set_spi: done")); - - return 0; - -cleanup: - if (sid) - free(sid); - if (addr) - free(addr); - if (life) - free(life); - if (key) - free(key); - if (update) - pf_key_v2_msg_free(update); - if (ret) - pf_key_v2_msg_free(ret); - return -1; -} - -static __inline__ int -pf_key_v2_mask_to_bits(u_int32_t mask) -{ - u_int32_t hmask = ntohl(mask); - - return (33 - ffs(~hmask + 1)) % 33; -} - -static int -pf_key_v2_mask6_to_bits(u_int8_t * mask) -{ - int n; - - bit_ffc(mask, 128, &n); - return n == -1 ? 128 : n; -} - -/* - * Enable/disable a flow. - * XXX Assumes OpenBSD {ADD,DEL}FLOW extensions. - * Should probably be moved to sysdep.c - */ -static int -pf_key_v2_flow(struct sockaddr *laddr, struct sockaddr *lmask, - struct sockaddr *raddr, struct sockaddr *rmask, - u_int8_t tproto, u_int16_t sport, u_int16_t dport, - u_int8_t *spi, u_int8_t proto, struct sockaddr *dst, - struct sockaddr *src, int delete, int ingress, - u_int8_t srcid_type, u_int8_t *srcid, int srcid_len, - u_int8_t dstid_type, u_int8_t *dstid, int dstid_len, - struct ipsec_proto *iproto) -{ -#ifdef USE_DEBUG - char *laddr_str, *lmask_str, *raddr_str, *rmask_str; -#endif - -#if defined (SADB_X_ADDFLOW) && defined (SADB_X_DELFLOW) - struct sadb_msg msg; -#if defined (SADB_X_EXT_FLOW_TYPE) - struct sadb_protocol flowtype; - struct sadb_ident *sid = 0; -#else - struct sadb_sa ssa; -#endif - struct sadb_address *addr = 0; - struct sadb_protocol tprotocol; - struct pf_key_v2_msg *flow = 0, *ret = 0; - size_t len; - int err; - -#if !defined (SADB_X_SAFLAGS_INGRESS_FLOW) && !defined (SADB_X_EXT_FLOW_TYPE) - if (ingress) - return 0; -#endif - - msg.sadb_msg_type = delete ? SADB_X_DELFLOW : SADB_X_ADDFLOW; - switch (proto) { - case IPSEC_PROTO_IPSEC_ESP: - msg.sadb_msg_satype = SADB_SATYPE_ESP; - break; - case IPSEC_PROTO_IPSEC_AH: - msg.sadb_msg_satype = SADB_SATYPE_AH; - break; - case IPSEC_PROTO_IPCOMP: - msg.sadb_msg_satype = SADB_X_SATYPE_IPCOMP; - break; - default: - log_print("pf_key_v2_flow: invalid proto %d", proto); - goto cleanup; - } - msg.sadb_msg_seq = 0; - flow = pf_key_v2_msg_new(&msg, 0); - if (!flow) - goto cleanup; - -#if defined (SADB_X_EXT_FLOW_TYPE) - if (!delete) { - /* Setup the source ID, if provided. */ - if (srcid) { - sid = calloc( - PF_KEY_V2_ROUND(srcid_len + 1) + sizeof *sid, - sizeof(u_int8_t)); - if (!sid) - goto cleanup; - - sid->sadb_ident_len = ((sizeof *sid) / PF_KEY_V2_CHUNK) - + PF_KEY_V2_ROUND(srcid_len + 1) / PF_KEY_V2_CHUNK; - sid->sadb_ident_exttype = SADB_EXT_IDENTITY_SRC; - sid->sadb_ident_type = srcid_type; - - memcpy(sid + 1, srcid, srcid_len); - - if (pf_key_v2_msg_add(flow, (struct sadb_ext *) sid, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - - sid = 0; - } - /* Setup the destination ID, if provided. */ - if (dstid) { - sid = calloc( - PF_KEY_V2_ROUND(dstid_len + 1) + sizeof *sid, - sizeof(u_int8_t)); - if (!sid) - goto cleanup; - - sid->sadb_ident_len = ((sizeof *sid) / PF_KEY_V2_CHUNK) - + PF_KEY_V2_ROUND(dstid_len + 1) / PF_KEY_V2_CHUNK; - sid->sadb_ident_exttype = SADB_EXT_IDENTITY_DST; - sid->sadb_ident_type = dstid_type; - - memcpy(sid + 1, dstid, dstid_len); - - if (pf_key_v2_msg_add(flow, (struct sadb_ext *) sid, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - - sid = 0; - } - } - /* Setup the flow type extension. */ - bzero(&flowtype, sizeof flowtype); - flowtype.sadb_protocol_exttype = SADB_X_EXT_FLOW_TYPE; - flowtype.sadb_protocol_len = sizeof flowtype / PF_KEY_V2_CHUNK; - flowtype.sadb_protocol_direction = - ingress ? IPSP_DIRECTION_IN : IPSP_DIRECTION_OUT; - flowtype.sadb_protocol_proto = - ingress ? SADB_X_FLOW_TYPE_USE : SADB_X_FLOW_TYPE_REQUIRE; - - if (pf_key_v2_msg_add(flow, (struct sadb_ext *)&flowtype, 0) == -1) - goto cleanup; -#else /* SADB_X_EXT_FLOW_TYPE */ - /* Setup the SA extension. */ - ssa.sadb_sa_exttype = SADB_EXT_SA; - ssa.sadb_sa_len = sizeof ssa / PF_KEY_V2_CHUNK; - memcpy(&ssa.sadb_sa_spi, spi, sizeof ssa.sadb_sa_spi); - ssa.sadb_sa_replay = 0; - ssa.sadb_sa_state = 0; - ssa.sadb_sa_auth = 0; - ssa.sadb_sa_encrypt = 0; - ssa.sadb_sa_flags = 0; -#if defined (SADB_X_SAFLAGS_INGRESS_FLOW) - if (ingress) - ssa.sadb_sa_flags |= SADB_X_SAFLAGS_INGRESS_FLOW; -#endif -#if defined (SADB_X_SAFLAGS_REPLACEFLOW) - if (!delete && !ingress) - ssa.sadb_sa_flags |= SADB_X_SAFLAGS_REPLACEFLOW; -#endif - - if (pf_key_v2_msg_add(flow, (struct sadb_ext *)&ssa, 0) == -1) - goto cleanup; -#endif /* SADB_X_EXT_FLOW_TYPE */ - - /* - * Setup the ADDRESS extensions. - */ - len = sizeof *addr + PF_KEY_V2_ROUND(sysdep_sa_len(src)); -#if !defined (SADB_X_EXT_FLOW_TYPE) - if (!delete || ingress) -#else - if (!delete) -#endif /* SADB_X_EXT_FLOW_TYPE */ - { - addr = calloc(1, len); - if (!addr) - goto cleanup; - addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST; - addr->sadb_address_len = len / PF_KEY_V2_CHUNK; - addr->sadb_address_reserved = 0; -#if defined (SADB_X_EXT_FLOW_TYPE) - pf_key_v2_setup_sockaddr(addr + 1, src, dst, 0, ingress); -#else - pf_key_v2_setup_sockaddr(addr + 1, dst, 0, 0, 0); -#endif - if (pf_key_v2_msg_add(flow, (struct sadb_ext *) addr, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - addr = 0; - } - len = sizeof *addr + PF_KEY_V2_ROUND(sysdep_sa_len(laddr)); - addr = calloc(1, len); - if (!addr) - goto cleanup; - addr->sadb_address_exttype = SADB_X_EXT_SRC_FLOW; - addr->sadb_address_len = len / PF_KEY_V2_CHUNK; - addr->sadb_address_reserved = 0; - pf_key_v2_setup_sockaddr(addr + 1, laddr, 0, sport, 0); - if (pf_key_v2_msg_add(flow, (struct sadb_ext *) addr, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - addr = 0; - - addr = calloc(1, len); - if (!addr) - goto cleanup; - addr->sadb_address_exttype = SADB_X_EXT_SRC_MASK; - addr->sadb_address_len = len / PF_KEY_V2_CHUNK; - addr->sadb_address_reserved = 0; - pf_key_v2_setup_sockaddr(addr + 1, lmask, 0, sport ? 0xffff : 0, 0); - if (pf_key_v2_msg_add(flow, (struct sadb_ext *) addr, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - addr = 0; - - addr = calloc(1, len); - if (!addr) - goto cleanup; - addr->sadb_address_exttype = SADB_X_EXT_DST_FLOW; - addr->sadb_address_len = len / PF_KEY_V2_CHUNK; - addr->sadb_address_reserved = 0; - pf_key_v2_setup_sockaddr(addr + 1, raddr, 0, dport, 0); - if (pf_key_v2_msg_add(flow, (struct sadb_ext *) addr, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - addr = 0; - - addr = calloc(1, len); - if (!addr) - goto cleanup; - addr->sadb_address_exttype = SADB_X_EXT_DST_MASK; - addr->sadb_address_len = len / PF_KEY_V2_CHUNK; - addr->sadb_address_reserved = 0; - pf_key_v2_setup_sockaddr(addr + 1, rmask, 0, dport ? 0xffff : 0, 0); - if (pf_key_v2_msg_add(flow, (struct sadb_ext *) addr, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - addr = 0; - - /* Setup the protocol extension. */ - bzero(&tprotocol, sizeof tprotocol); - tprotocol.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL; - tprotocol.sadb_protocol_len = sizeof tprotocol / PF_KEY_V2_CHUNK; - tprotocol.sadb_protocol_proto = tproto; - - if (pf_key_v2_msg_add(flow, (struct sadb_ext *)&tprotocol, 0) == -1) - goto cleanup; - -#ifdef USE_DEBUG - if (sockaddr2text(laddr, &laddr_str, 0)) - laddr_str = 0; - if (sockaddr2text(lmask, &lmask_str, 0)) - lmask_str = 0; - if (sockaddr2text(raddr, &raddr_str, 0)) - raddr_str = 0; - if (sockaddr2text(rmask, &rmask_str, 0)) - rmask_str = 0; - - LOG_DBG((LOG_SYSDEP, 50, - "pf_key_v2_flow: src %s %s dst %s %s proto %u sport %u dport %u", - laddr_str ? laddr_str : "<??\?>", lmask_str ? lmask_str : "<??\?>", - raddr_str ? raddr_str : "<??\?>", rmask_str ? rmask_str : "<??\?>", - tproto, ntohs(sport), ntohs(dport))); - - if (laddr_str) - free(laddr_str); - if (lmask_str) - free(lmask_str); - if (raddr_str) - free(raddr_str); - if (rmask_str) - free(rmask_str); -#endif /* USE_DEBUG */ - - ret = pf_key_v2_call(flow); - pf_key_v2_msg_free(flow); - flow = 0; - if (!ret) - goto cleanup; - err = ((struct sadb_msg *)TAILQ_FIRST(ret)->seg)->sadb_msg_errno; - if (err) { - if (err == ESRCH) /* These are common and usually - * harmless. */ - LOG_DBG((LOG_SYSDEP, 10, "pf_key_v2_flow: %sFLOW: %s", - delete ? "DEL" : "ADD", strerror(err))); - else - log_print("pf_key_v2_flow: %sFLOW: %s", - delete ? "DEL" : "ADD", strerror(err)); - goto cleanup; - } - pf_key_v2_msg_free(ret); - - LOG_DBG((LOG_MISC, 50, "pf_key_v2_flow: %sFLOW: done", - delete ? "DEL" : "ADD")); - - return 0; - -cleanup: -#if defined (SADB_X_EXT_FLOW_TYPE) - if (sid) - free(sid); -#endif /* SADB_X_EXT_FLOW_TYPE */ - if (addr) - free(addr); - if (flow) - pf_key_v2_msg_free(flow); - if (ret) - pf_key_v2_msg_free(ret); - return -1; - -#elif defined (SADB_X_SPDUPDATE) && defined (SADB_X_SPDDELETE) - struct sadb_msg msg; - struct sadb_x_policy *policy = 0; - struct sadb_x_ipsecrequest *ipsecrequest; - struct sadb_x_sa2 ssa2; - struct sadb_address *addr = 0; - struct sockaddr *saddr; - struct pf_key_v2_msg *flow = 0, *ret = 0; - u_int8_t *policy_buf; - size_t len; - int err; - struct sockaddr_in *ip4_sa; - struct sockaddr_in6 *ip6_sa; - - msg.sadb_msg_type = delete ? SADB_X_SPDDELETE : SADB_X_SPDUPDATE; - msg.sadb_msg_satype = SADB_SATYPE_UNSPEC; - msg.sadb_msg_seq = 0; - flow = pf_key_v2_msg_new(&msg, 0); - if (!flow) - goto cleanup; - - memset(&ssa2, 0, sizeof ssa2); - ssa2.sadb_x_sa2_exttype = SADB_X_EXT_SA2; - ssa2.sadb_x_sa2_len = sizeof ssa2 / PF_KEY_V2_CHUNK; - ssa2.sadb_x_sa2_mode = 0; - if (pf_key_v2_msg_add(flow, (struct sadb_ext *)&ssa2, 0) == -1) - goto cleanup; - - /* - * Setup the ADDRESS extensions. - */ - len = sizeof *addr + PF_KEY_V2_ROUND(sysdep_sa_len(src)); - addr = calloc(1, len); - if (!addr) - goto cleanup; - addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC; - addr->sadb_address_len = len / PF_KEY_V2_CHUNK; -#ifdef LINUX_IPSEC - addr->sadb_address_proto = tproto; -#else - addr->sadb_address_proto = IPSEC_ULPROTO_ANY; -#endif - addr->sadb_address_reserved = 0; -#ifdef LINUX_IPSEC - pf_key_v2_setup_sockaddr(addr + 1, laddr, 0, sport, 0); -#else - pf_key_v2_setup_sockaddr(addr + 1, laddr, 0, IPSEC_PORT_ANY, 0); -#endif - switch (laddr->sa_family) { - case AF_INET: - ip4_sa = (struct sockaddr_in *) lmask; - addr->sadb_address_prefixlen - = pf_key_v2_mask_to_bits(ip4_sa->sin_addr.s_addr); - break; - case AF_INET6: - ip6_sa = (struct sockaddr_in6 *) lmask; - addr->sadb_address_prefixlen = - pf_key_v2_mask6_to_bits(&ip6_sa->sin6_addr.s6_addr[0]); - break; - } - if (pf_key_v2_msg_add(flow, (struct sadb_ext *) addr, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - addr = 0; - - len = sizeof *addr + PF_KEY_V2_ROUND(sysdep_sa_len(raddr)); - addr = calloc(1, len); - if (!addr) - goto cleanup; - addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST; - addr->sadb_address_len = len / PF_KEY_V2_CHUNK; -#ifdef LINUX_IPSEC - addr->sadb_address_proto = tproto; -#else - addr->sadb_address_proto = IPSEC_ULPROTO_ANY; -#endif - addr->sadb_address_reserved = 0; -#ifdef LINUX_IPSEC - pf_key_v2_setup_sockaddr(addr + 1, raddr, 0, dport, 0); -#else - pf_key_v2_setup_sockaddr(addr + 1, raddr, 0, IPSEC_PORT_ANY, 0); -#endif - switch (raddr->sa_family) { - case AF_INET: - ip4_sa = (struct sockaddr_in *) rmask; - addr->sadb_address_prefixlen - = pf_key_v2_mask_to_bits(ip4_sa->sin_addr.s_addr); - break; - case AF_INET6: - ip6_sa = (struct sockaddr_in6 *) rmask; - addr->sadb_address_prefixlen = - pf_key_v2_mask6_to_bits(&ip6_sa->sin6_addr.s6_addr[0]); - break; - } - if (pf_key_v2_msg_add(flow, (struct sadb_ext *) addr, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - addr = 0; - - /* Setup the POLICY extension. */ - len = sizeof *policy + sizeof *ipsecrequest + - 2 * PF_KEY_V2_ROUND(sysdep_sa_len(src)); - policy_buf = (u_int8_t *) calloc(1, len); - if (!policy_buf) { - log_error("pf_key_v2_flow: calloc %lu failed", - (unsigned long) len); - goto cleanup; - } - policy = (struct sadb_x_policy *) policy_buf; - policy->sadb_x_policy_exttype = SADB_X_EXT_POLICY; - policy->sadb_x_policy_len = len / PF_KEY_V2_CHUNK; - policy->sadb_x_policy_type = IPSEC_POLICY_IPSEC; - if (ingress) - policy->sadb_x_policy_dir = IPSEC_DIR_INBOUND; - else - policy->sadb_x_policy_dir = IPSEC_DIR_OUTBOUND; - policy->sadb_x_policy_reserved = 0; - - /* Setup the IPSECREQUEST extension part. */ - ipsecrequest = (struct sadb_x_ipsecrequest *) (policy + 1); - ipsecrequest->sadb_x_ipsecrequest_len = len - sizeof *policy; - switch (proto) { - case IPSEC_PROTO_IPSEC_ESP: - ipsecrequest->sadb_x_ipsecrequest_proto = IPPROTO_ESP; - break; - case IPSEC_PROTO_IPSEC_AH: - ipsecrequest->sadb_x_ipsecrequest_proto = IPPROTO_AH; - break; - default: - log_print("pf_key_v2_flow: invalid proto %d", proto); - goto cleanup; - } -#if defined (LINUX_IPSEC) - if (iproto->encap_mode == IPSEC_ENCAP_TUNNEL) - ipsecrequest->sadb_x_ipsecrequest_mode = IPSEC_MODE_TUNNEL; - else - ipsecrequest->sadb_x_ipsecrequest_mode = IPSEC_MODE_TRANSPORT; -#else - ipsecrequest->sadb_x_ipsecrequest_mode = IPSEC_MODE_TUNNEL; /* XXX */ -#endif - ipsecrequest->sadb_x_ipsecrequest_level - = ingress ? IPSEC_LEVEL_USE : IPSEC_LEVEL_REQUIRE; - ipsecrequest->sadb_x_ipsecrequest_reqid = 0; /* XXX */ - - /* Add source and destination addresses. */ - saddr = (struct sockaddr *)(ipsecrequest + 1); - pf_key_v2_setup_sockaddr(saddr, src, 0, 0, 0); - switch (src->sa_family) { - case AF_INET: - saddr = (struct sockaddr *)((struct sockaddr_in *)saddr + 1); - break; - case AF_INET6: - saddr = (struct sockaddr *)((struct sockaddr_in6 *)saddr + 1); - break; - } - pf_key_v2_setup_sockaddr(saddr, dst, 0, 0, 0); - if (pf_key_v2_msg_add(flow, (struct sadb_ext *)policy, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - policy = 0; - -#ifdef USE_DEBUG - if (sockaddr2text(laddr, &laddr_str, 0)) - laddr_str = 0; - if (sockaddr2text(lmask, &lmask_str, 0)) - lmask_str = 0; - if (sockaddr2text(raddr, &raddr_str, 0)) - raddr_str = 0; - if (sockaddr2text(rmask, &rmask_str, 0)) - rmask_str = 0; - - LOG_DBG((LOG_SYSDEP, 50, "pf_key_v2_flow: src %s %s dst %s %s", - laddr_str ? laddr_str : "<??\?>", lmask_str ? lmask_str : "<??\?>", - raddr_str ? raddr_str : "<??\?>", - rmask_str ? rmask_str : "<??\?>")); - - if (laddr_str) - free(laddr_str); - if (lmask_str) - free(lmask_str); - if (raddr_str) - free(raddr_str); - if (rmask_str) - free(rmask_str); -#endif - - ret = pf_key_v2_call(flow); - pf_key_v2_msg_free(flow); - flow = 0; - if (!ret) - goto cleanup; - err = ((struct sadb_msg *)TAILQ_FIRST(ret)->seg)->sadb_msg_errno; - if (!delete && err == EEXIST) { - LOG_DBG((LOG_SYSDEP, 50, "pf_key_v2_flow: " - "SPDADD returns EEXIST")); - } else if (err) { - log_print("pf_key_v2_flow: SPD%s: %s", - delete ? "DELETE" : "ADD", strerror(err)); - goto cleanup; - } - pf_key_v2_msg_free(ret); - - LOG_DBG((LOG_SYSDEP, 50, "pf_key_v2_flow: SPD%s: done", - delete ? "DELETE" : "ADD")); - - return 0; - -cleanup: - if (addr) - free(addr); - if (policy) - free(policy); - if (flow) - pf_key_v2_msg_free(flow); - if (ret) - pf_key_v2_msg_free(ret); - return -1; - -#else - log_print("pf_key_v2_flow: not supported in pure PF_KEYv2"); - return -1; -#endif -} - -#ifndef KAME -static u_int8_t * -pf_key_v2_convert_id(u_int8_t * id, int idlen, size_t * reslen, int *idtype) -{ - u_int8_t *addr, *res = 0; - char addrbuf[ADDRESS_MAX + 5]; - - switch (id[0]) { - case IPSEC_ID_FQDN: - res = calloc(idlen - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ, - sizeof(u_int8_t)); - if (!res) - return 0; - - *reslen = idlen - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ; - memcpy(res, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, *reslen); - *idtype = SADB_IDENTTYPE_FQDN; - LOG_DBG((LOG_SYSDEP, 40, "pf_key_v2_convert_id: FQDN %.*s", - (int) *reslen, res)); - return res; - - case IPSEC_ID_USER_FQDN: - res = calloc(idlen - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ, - sizeof(u_int8_t)); - if (!res) - return 0; - - *reslen = idlen - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ; - memcpy(res, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, *reslen); - *idtype = SADB_IDENTTYPE_USERFQDN; - LOG_DBG((LOG_SYSDEP, 40, "pf_key_v2_convert_id: UFQDN %.*s", - (int) *reslen, res)); - return res; - - case IPSEC_ID_IPV4_ADDR: /* XXX CONNECTION ? */ - if (inet_ntop(AF_INET, id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, - addrbuf, ADDRESS_MAX) == NULL) - return 0; - *reslen = strlen(addrbuf) + 3; - strlcat(addrbuf, "/32", ADDRESS_MAX + 5); - res = (u_int8_t *) strdup(addrbuf); - if (!res) - return 0; - *idtype = SADB_IDENTTYPE_PREFIX; - LOG_DBG((LOG_SYSDEP, 40, "pf_key_v2_convert_id: " - "IPv4 address %s", res)); - return res; - - case IPSEC_ID_IPV6_ADDR: /* XXX CONNECTION ? */ - if (inet_ntop(AF_INET6, - id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, - addrbuf, ADDRESS_MAX) == NULL) - return 0; - *reslen = strlen(addrbuf) + 4; - strlcat(addrbuf, "/128", ADDRESS_MAX + 5); - res = (u_int8_t *) strdup(addrbuf); - if (!res) - return 0; - LOG_DBG((LOG_SYSDEP, 40, "pf_key_v2_convert_id: " - "IPv6 address %s", res)); - *idtype = SADB_IDENTTYPE_PREFIX; - return res; - - case IPSEC_ID_IPV4_ADDR_SUBNET: /* XXX PREFIX */ - addr = id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; - if (inet_ntop(AF_INET, addr, addrbuf, ADDRESS_MAX) == NULL) - return 0; - snprintf(addrbuf + strlen(addrbuf), - ADDRESS_MAX - strlen(addrbuf), "/%d", - pf_key_v2_mask_to_bits(*(u_int32_t *)(addr + - sizeof(struct in_addr)))); - *reslen = strlen(addrbuf); - res = (u_int8_t *) strdup(addrbuf); - if (!res) - return 0; - *idtype = SADB_IDENTTYPE_PREFIX; - LOG_DBG((LOG_SYSDEP, 40, "pf_key_v2_convert_id: " - "IPv4 subnet %s", res)); - return res; - - case IPSEC_ID_IPV6_ADDR_SUBNET: /* XXX PREFIX */ - addr = id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; - if (inet_ntop(AF_INET6, addr, addrbuf, ADDRESS_MAX) == NULL) - return 0; - snprintf(addrbuf + strlen(addrbuf), - ADDRESS_MAX - strlen(addrbuf), "/%d", - pf_key_v2_mask6_to_bits(addr + - sizeof(struct in6_addr))); - *reslen = strlen(addrbuf); - res = (u_int8_t *) strdup(addrbuf); - if (!res) - return 0; - LOG_DBG((LOG_SYSDEP, 40, "pf_key_v2_convert_id: " - "IPv6 subnet %s", res)); - *idtype = SADB_IDENTTYPE_PREFIX; - return res; - - case IPSEC_ID_IPV4_RANGE: - case IPSEC_ID_IPV6_RANGE: - case IPSEC_ID_DER_ASN1_DN: - case IPSEC_ID_DER_ASN1_GN: - case IPSEC_ID_KEY_ID: - /* XXX Not implemented yet. */ - return 0; - } - - return 0; -} -#endif - -/* Enable a flow given an SA. */ -int -pf_key_v2_enable_sa(struct sa *sa, struct sa *isakmp_sa) -{ - struct ipsec_sa *isa = sa->data; - struct sockaddr *dst, *src; - int error; - struct proto *proto = TAILQ_FIRST(&sa->protos); - int sidtype = 0, didtype = 0; - size_t sidlen = 0, didlen = 0; - u_int8_t *sid = 0, *did = 0; -#if !defined (SADB_X_EXT_FLOW_TYPE) - struct sockaddr_storage hostmask_storage; - struct sockaddr *hostmask = (struct sockaddr *)&hostmask_storage; -#endif /* SADB_X_EXT_FLOW_TYPE */ - - sa->transport->vtbl->get_dst(sa->transport, &dst); - sa->transport->vtbl->get_src(sa->transport, &src); - -#if defined (SADB_X_EXT_FLOW_TYPE) - if (isakmp_sa->id_i) { - if (isakmp_sa->initiator) - sid = pf_key_v2_convert_id(isakmp_sa->id_i, - isakmp_sa->id_i_len, &sidlen, &sidtype); - else - did = pf_key_v2_convert_id(isakmp_sa->id_i, - isakmp_sa->id_i_len, &didlen, &didtype); - } - if (isakmp_sa->id_r) { - if (isakmp_sa->initiator) - did = pf_key_v2_convert_id(isakmp_sa->id_r, - isakmp_sa->id_r_len, &didlen, &didtype); - else - sid = pf_key_v2_convert_id(isakmp_sa->id_r, - isakmp_sa->id_r_len, &sidlen, &sidtype); - } -#endif /* SADB_X_EXT_FLOW_TYPE */ - - error = pf_key_v2_flow(isa->src_net, isa->src_mask, isa->dst_net, - isa->dst_mask, isa->tproto, isa->sport, isa->dport, - proto->spi[0], proto->proto, dst, src, 0, 0, - sidtype, sid, sidlen, didtype, did, didlen, - proto->data); - if (error) - goto cleanup; - -#if !defined (SADB_X_EXT_FLOW_TYPE) - /* Set hostmask to '-1'. */ - switch (dst->sa_family) { - case AF_INET: - ((struct sockaddr_in *) hostmask)->sin_family = AF_INET; -#ifndef USE_OLD_SOCKADDR - ((struct sockaddr_in *) hostmask)->sin_len = - sizeof(struct in_addr); -#endif - memset(&((struct sockaddr_in *) hostmask)->sin_addr.s_addr, - 0xff, sizeof(struct in_addr)); - break; - case AF_INET6: - ((struct sockaddr_in6 *) hostmask)->sin6_family = AF_INET6; -#ifndef USE_OLD_SOCKADDR - ((struct sockaddr_in6 *) hostmask)->sin6_len = - sizeof(struct in6_addr); -#endif - memset(&((struct sockaddr_in6 *) hostmask)->sin6_addr.s6_addr, - 0xff, sizeof(struct in6_addr)); - break; - } - - /* Ingress flows, handling SA bundles. */ - while (TAILQ_NEXT(proto, link)) { - error = pf_key_v2_flow(dst, hostmask, src, hostmask, 0, 0, 0, - proto->spi[1], proto->proto, src, dst, - 0, 1, 0, 0, 0, 0, 0, 0, proto->data); - if (error) - goto cleanup; - proto = TAILQ_NEXT(proto, link); - } -#endif /* SADB_X_EXT_FLOW_TYPE */ - - error = pf_key_v2_flow(isa->dst_net, isa->dst_mask, isa->src_net, - isa->src_mask, isa->tproto, isa->dport, isa->sport, - proto->spi[1], proto->proto, src, dst, 0, 1, - sidtype, sid, sidlen, didtype, did, didlen, - proto->data); - -cleanup: -#if defined (SADB_X_EXT_FLOW_TYPE) - if (sid) - free(sid); - if (did) - free(did); -#endif /* SADB_X_EXT_FLOW_TYPE */ - - return error; -} - -#if defined (SADB_X_ASKPOLICY) -/* Increase reference count of refcounted sections. */ -static int -pf_key_v2_conf_refinc(int af, char *section) -{ - char conn[22]; - int num; - - if (!section) - return 0; - - num = conf_get_num(section, "Refcount", 0); - if (num == 0) - return 0; - - snprintf(conn, sizeof conn, "%d", num + 1); - conf_set(af, section, "Refcount", conn, 1, 0); - return 0; -} -#endif - -/* - * Return 0 if the section didn't exist or was removed, non-zero otherwise. - * Don't touch non-refcounted (statically defined) sections. - */ -static int -pf_key_v2_conf_refhandle(int af, char *section) -{ - char conn[22]; - int num; - - if (!section) - return 0; - - num = conf_get_num(section, "Refcount", 0); - if (num == 1) { - conf_remove_section(af, section); - num--; - } else if (num != 0) { - snprintf(conn, sizeof conn, "%d", num - 1); - conf_set(af, section, "Refcount", conn, 1, 0); - } - return num; -} - -/* Remove all dynamically-established configuration entries. */ -static int -pf_key_v2_remove_conf(char *section) -{ - char *ikepeer, *localid, *remoteid, *configname; - struct conf_list_node *attr; - struct conf_list *attrs; - int af; - - if (!section) - return 0; - - if (!conf_get_str(section, "Phase")) - return 0; - - /* Only remove dynamically-established entries. */ - attrs = conf_get_list(section, "Flags"); - if (attrs) { - for (attr = TAILQ_FIRST(&attrs->fields); attr; - attr = TAILQ_NEXT(attr, link)) - if (!strcasecmp(attr->field, "__ondemand")) - goto passed; - - conf_free_list(attrs); - } - return 0; - -passed: - conf_free_list(attrs); - - af = conf_begin(); - - configname = conf_get_str(section, "Configuration"); - conf_remove_section(af, configname); - - /* These are the Phase 2 Local/Remote IDs. */ - localid = conf_get_str(section, "Local-ID"); - pf_key_v2_conf_refhandle(af, localid); - - remoteid = conf_get_str(section, "Remote-ID"); - pf_key_v2_conf_refhandle(af, remoteid); - - ikepeer = conf_get_str(section, "ISAKMP-peer"); - - pf_key_v2_conf_refhandle(af, section); - - if (ikepeer) { - remoteid = conf_get_str(ikepeer, "Remote-ID"); - localid = conf_get_str(ikepeer, "ID"); - configname = conf_get_str(ikepeer, "Configuration"); - - pf_key_v2_conf_refhandle(af, ikepeer); - pf_key_v2_conf_refhandle(af, configname); - - /* Phase 1 IDs */ - pf_key_v2_conf_refhandle(af, localid); - pf_key_v2_conf_refhandle(af, remoteid); - } - conf_end(af, 1); - return 0; -} - -/* Disable a flow given a SA. */ -static int -pf_key_v2_disable_sa(struct sa *sa, int incoming) -{ - struct ipsec_sa *isa = sa->data; - struct sockaddr *dst, *src; - struct proto *proto = TAILQ_FIRST(&sa->protos); -#if !defined (SADB_X_EXT_FLOW_TYPE) - struct sockaddr_storage hostmask_storage; - struct sockaddr *hostmask = (struct sockaddr *)&hostmask_storage; - int error; -#endif /* SADB_X_EXT_FLOW_TYPE */ - - sa->transport->vtbl->get_dst(sa->transport, &dst); - sa->transport->vtbl->get_src(sa->transport, &src); - - if (!incoming) - return pf_key_v2_flow(isa->src_net, isa->src_mask, - isa->dst_net, isa->dst_mask, isa->tproto, isa->sport, - isa->dport, proto->spi[0], proto->proto, src, dst, 1, 0, - 0, 0, 0, 0, 0, 0, proto->data); - else { -#if !defined (SADB_X_EXT_FLOW_TYPE) - /* Set hostmask to '-1'. */ - switch (dst->sa_family) { - case AF_INET: - ((struct sockaddr_in *) hostmask)->sin_family = - AF_INET; -#ifndef USE_OLD_SOCKADDR - ((struct sockaddr_in *) hostmask)->sin_len = - sizeof(struct in_addr); -#endif - memset(&((struct sockaddr_in *) hostmask)->sin_addr.s_addr, - 0xff, sizeof(struct in_addr)); - break; - case AF_INET6: - ((struct sockaddr_in6 *) hostmask)->sin6_family = - AF_INET6; -#ifndef USE_OLD_SOCKADDR - ((struct sockaddr_in6 *) hostmask)->sin6_len = - sizeof(struct in6_addr); -#endif - memset(&((struct sockaddr_in6 *) hostmask)->sin6_addr.s6_addr, - 0xff, sizeof(struct in6_addr)); - break; - } - - /* Ingress flow --- SA bundles */ - while (TAILQ_NEXT(proto, link)) { - error = pf_key_v2_flow(dst, hostmask, src, hostmask, - 0, 0, 0, proto->spi[1], proto->proto, src, dst, - 1, 1, 0, 0, 0, 0, 0, 0, proto->data); - if (error) - return error; - proto = TAILQ_NEXT(proto, link); - } -#endif /* SADB_X_EXT_FLOW_TYPE */ - - return pf_key_v2_flow(isa->dst_net, isa->dst_mask, - isa->src_net, isa->src_mask, isa->tproto, isa->dport, - isa->sport, proto->spi[1], proto->proto, src, dst, 1, 1, - 0, 0, 0, 0, 0, 0, proto->data); - } -} - -/* - * Delete the IPsec SA represented by the INCOMING direction in protocol PROTO - * of the IKE security association SA. Also delete potential flows tied to it. - */ -int -pf_key_v2_delete_spi(struct sa *sa, struct proto *proto, int incoming) -{ - struct sadb_msg msg; - struct sadb_sa ssa; - struct sadb_address *addr = 0; - struct sockaddr *saddr; - int len, err; - struct pf_key_v2_msg *delete = 0, *ret = 0; -#ifdef KAME - struct sadb_x_sa2 ssa2; -#endif - - /* If it's not an established SA, don't proceed. */ - if (!(sa->flags & SA_FLAG_READY)) - return 0; - - /* - * If the SA was not replaced and was not one acquired through the - * kernel (ACQUIRE message), remove the flow associated with it. - * We ignore any errors from the disabling of the flow. - */ - if (!(sa->flags & SA_FLAG_REPLACED) - && !(sa->flags & SA_FLAG_ONDEMAND)) - pf_key_v2_disable_sa(sa, incoming); - - if (sa->name && !(sa->flags & SA_FLAG_REPLACED)) { - LOG_DBG((LOG_SYSDEP, 50, - "pf_key_v2_delete_spi: removing configuration %s", - sa->name)); - pf_key_v2_remove_conf(sa->name); - } - msg.sadb_msg_type = SADB_DELETE; - switch (proto->proto) { - case IPSEC_PROTO_IPSEC_ESP: - msg.sadb_msg_satype = SADB_SATYPE_ESP; - break; - case IPSEC_PROTO_IPSEC_AH: - msg.sadb_msg_satype = SADB_SATYPE_AH; - break; -#if defined (SADB_X_SATYPE_IPCOMP) - case IPSEC_PROTO_IPCOMP: - msg.sadb_msg_satype = SADB_X_SATYPE_IPCOMP; - break; -#endif - default: - log_print("pf_key_v2_delete_spi: invalid proto %d", - proto->proto); - goto cleanup; - } - msg.sadb_msg_seq = 0; - delete = pf_key_v2_msg_new(&msg, 0); - if (!delete) - goto cleanup; - - /* Setup the SA extension. */ - ssa.sadb_sa_exttype = SADB_EXT_SA; - ssa.sadb_sa_len = sizeof ssa / PF_KEY_V2_CHUNK; - memcpy(&ssa.sadb_sa_spi, proto->spi[incoming], sizeof ssa.sadb_sa_spi); - ssa.sadb_sa_replay = 0; - ssa.sadb_sa_state = 0; - ssa.sadb_sa_auth = 0; - ssa.sadb_sa_encrypt = 0; - ssa.sadb_sa_flags = 0; - if (pf_key_v2_msg_add(delete, (struct sadb_ext *)&ssa, 0) == -1) - goto cleanup; - -#ifdef KAME - memset(&ssa2, 0, sizeof ssa2); - ssa2.sadb_x_sa2_exttype = SADB_X_EXT_SA2; - ssa2.sadb_x_sa2_len = sizeof ssa2 / PF_KEY_V2_CHUNK; - ssa2.sadb_x_sa2_mode = 0; - if (pf_key_v2_msg_add(delete, (struct sadb_ext *)&ssa2, 0) == -1) - goto cleanup; -#endif - - /* - * Setup the ADDRESS extensions. - */ - if (incoming) - sa->transport->vtbl->get_dst(sa->transport, &saddr); - else - sa->transport->vtbl->get_src(sa->transport, &saddr); - len = sizeof *addr + PF_KEY_V2_ROUND(sysdep_sa_len(saddr)); - addr = calloc(1, len); - if (!addr) - goto cleanup; - addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC; - addr->sadb_address_len = len / PF_KEY_V2_CHUNK; -#ifndef __OpenBSD__ - addr->sadb_address_proto = 0; - addr->sadb_address_prefixlen = 0; -#endif - addr->sadb_address_reserved = 0; - memcpy(addr + 1, saddr, sysdep_sa_len(saddr)); - switch (saddr->sa_family) { - case AF_INET: - ((struct sockaddr_in *) (addr + 1))->sin_port = 0; - break; - case AF_INET6: - ((struct sockaddr_in6 *) (addr + 1))->sin6_port = 0; - break; - } - if (pf_key_v2_msg_add(delete, (struct sadb_ext *) addr, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - addr = 0; - - if (incoming) - sa->transport->vtbl->get_src(sa->transport, &saddr); - else - sa->transport->vtbl->get_dst(sa->transport, &saddr); - len = sizeof *addr + PF_KEY_V2_ROUND(sysdep_sa_len(saddr)); - addr = calloc(1, len); - if (!addr) - goto cleanup; - addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST; - addr->sadb_address_len = len / PF_KEY_V2_CHUNK; -#ifndef __OpenBSD__ - addr->sadb_address_proto = 0; - addr->sadb_address_prefixlen = 0; -#endif - addr->sadb_address_reserved = 0; - memcpy(addr + 1, saddr, sysdep_sa_len(saddr)); - switch (saddr->sa_family) { - case AF_INET: - ((struct sockaddr_in *) (addr + 1))->sin_port = 0; - break; - case AF_INET6: - ((struct sockaddr_in6 *) (addr + 1))->sin6_port = 0; - break; - } - if (pf_key_v2_msg_add(delete, (struct sadb_ext *) addr, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - addr = 0; - - ret = pf_key_v2_call(delete); - pf_key_v2_msg_free(delete); - delete = 0; - if (!ret) - goto cleanup; - err = ((struct sadb_msg *)TAILQ_FIRST(ret)->seg)->sadb_msg_errno; - if (err) { - LOG_DBG((LOG_SYSDEP, 10, "pf_key_v2_delete_spi: DELETE: %s", - strerror(err))); - goto cleanup; - } - pf_key_v2_msg_free(ret); - - LOG_DBG((LOG_SYSDEP, 50, "pf_key_v2_delete_spi: done")); - - return 0; - -cleanup: - if (addr) - free(addr); - if (delete) - pf_key_v2_msg_free(delete); - if (ret) - pf_key_v2_msg_free(ret); - return -1; -} - -static void -pf_key_v2_stayalive(struct exchange *exchange, void *vconn, int fail) -{ - char *conn = vconn; - struct sa *sa; - - /* XXX What if it is phase 1 ? */ - sa = sa_lookup_by_name(conn, 2); - if (sa) - sa->flags |= SA_FLAG_STAYALIVE; - - /* - * Remove failed configuration entry -- call twice because it is - * created with a Refcount of 2. - */ - if (fail && (!exchange || exchange->name)) { - pf_key_v2_remove_conf(conn); - pf_key_v2_remove_conf(conn); - } -} - -/* Check if a connection CONN exists, otherwise establish it. */ -void -pf_key_v2_connection_check(char *conn) -{ - if (!sa_lookup_by_name(conn, 2)) { - LOG_DBG((LOG_SYSDEP, 70, - "pf_key_v2_connection_check: SA for %s missing", conn)); - exchange_establish(conn, pf_key_v2_stayalive, conn); - } else - LOG_DBG((LOG_SYSDEP, 70, "pf_key_v2_connection_check: " - "SA for %s exists", conn)); -} - -/* Handle a PF_KEY lifetime expiration message PMSG. */ -static void -pf_key_v2_expire(struct pf_key_v2_msg *pmsg) -{ - struct sadb_msg *msg; - struct sadb_sa *ssa; - struct sadb_address *dst; - struct sockaddr *dstaddr; - struct sadb_lifetime *life, *lifecurrent; - struct sa *sa; - struct pf_key_v2_node *lifenode, *ext; -#ifdef USE_DEBUG - char *dst_str; -#endif - - msg = (struct sadb_msg *)TAILQ_FIRST(pmsg)->seg; - ext = pf_key_v2_find_ext(pmsg, SADB_EXT_SA); - if (!ext) { - log_print("pf_key_v2_expire: no SA extension found"); - return; - } - ssa = ext->seg; - ext = pf_key_v2_find_ext(pmsg, SADB_EXT_ADDRESS_DST); - if (!ext) { - log_print("pf_key_v2_expire: " - "no destination address extension found"); - return; - } - dst = ext->seg; - dstaddr = (struct sockaddr *) (dst + 1); - lifenode = pf_key_v2_find_ext(pmsg, SADB_EXT_LIFETIME_HARD); - if (!lifenode) - lifenode = pf_key_v2_find_ext(pmsg, SADB_EXT_LIFETIME_SOFT); - if (!lifenode) { - log_print("pf_key_v2_expire: no lifetime extension found"); - return; - } - life = lifenode->seg; - - lifenode = pf_key_v2_find_ext(pmsg, SADB_EXT_LIFETIME_CURRENT); - if (!lifenode) { - log_print("pf_key_v2_expire: " - "no current lifetime extension found"); - return; - } - lifecurrent = lifenode->seg; - -#ifdef USE_DEBUG - - if (sockaddr2text(dstaddr, &dst_str, 0)) - dst_str = 0; - - LOG_DBG((LOG_SYSDEP, 20, "pf_key_v2_expire: " - "%s dst %s SPI %x sproto %d", - life->sadb_lifetime_exttype == SADB_EXT_LIFETIME_SOFT ? "SOFT" - : "HARD", dst_str ? dst_str : "<unknown>", - ntohl(ssa->sadb_sa_spi), msg->sadb_msg_satype)); - - if (dst_str) - free(dst_str); - -#endif /* USE_DEBUG */ - - /* - * Find the IPsec SA. The IPsec stack has two SAs for every IKE SA, - * one outgoing and one incoming, we regard expirations for any of - * them as an expiration of the full IKE SA. Likewise, in - * protection suites consisting of more than one protocol, any - * expired individual IPsec stack SA will be seen as an expiration - * of the full suite. - */ - switch (msg->sadb_msg_satype) { - case SADB_SATYPE_ESP: - sa = ipsec_sa_lookup(dstaddr, ssa->sadb_sa_spi, - IPSEC_PROTO_IPSEC_ESP); - break; - - case SADB_SATYPE_AH: - sa = ipsec_sa_lookup(dstaddr, ssa->sadb_sa_spi, - IPSEC_PROTO_IPSEC_AH); - break; - -#ifdef SADB_X_SATYPE_IPCOMP - case SADB_X_SATYPE_IPCOMP: - sa = ipsec_sa_lookup(dstaddr, ssa->sadb_sa_spi, - IPSEC_PROTO_IPCOMP); - break; -#endif - - default: - /* XXX Log? */ - sa = 0; - break; - } - - /* If the SA is already gone, don't do anything. */ - if (!sa) - return; - - /* - * If we got a notification, try to renegotiate the SA -- unless of - * course it has already been replaced by another. - * Also, ignore SAs that were not dynamically established, or that - * did not see any use. - */ - if (!(sa->flags & SA_FLAG_REPLACED) && - (sa->flags & SA_FLAG_ONDEMAND) && - lifecurrent->sadb_lifetime_bytes) - exchange_establish(sa->name, 0, 0); - - if (life->sadb_lifetime_exttype == SADB_EXT_LIFETIME_HARD) { - /* Remove the old SA, it isn't useful anymore. */ - sa_free(sa); - } -} - -/* Handle a PF_KEY SA ACQUIRE message PMSG. */ -static void -pf_key_v2_acquire(struct pf_key_v2_msg *pmsg) -{ -#if defined (SADB_X_ASKPOLICY) - struct sadb_msg *msg, askpolicy_msg; - struct pf_key_v2_msg *askpolicy = 0, *ret = 0; - struct sadb_x_policy policy; - struct sadb_address *dst = 0, *src = 0; - struct sockaddr *dstaddr, *srcaddr = 0; - struct sadb_comb *scmb = 0; - struct sadb_prop *sprp = 0; - struct sadb_ident *srcident = 0, *dstident = 0; - char dstbuf[ADDRESS_MAX], srcbuf[ADDRESS_MAX], *peer = 0, - *conn = 0; - char confname[120]; - char *srcid = 0, *dstid = 0, *prefstring = 0; - int slen, af, afamily, masklen, buflen; - struct sockaddr *smask, *sflow, *dmask, *dflow; - struct sadb_protocol *sproto; - char ssflow[ADDRESS_MAX], sdflow[ADDRESS_MAX]; - char sdmask[ADDRESS_MAX], ssmask[ADDRESS_MAX]; - char *sidtype = 0, *didtype = 0; - char lname[100], dname[100], configname[30]; - int shostflag = 0, dhostflag = 0; - struct pf_key_v2_node *ext; - struct passwd *pwd = 0; - u_int16_t sport = 0, dport = 0; - u_int8_t tproto = 0; - char tmbuf[sizeof sport * 3 + 1], *xform; - int connlen; -#if defined (SADB_X_CREDTYPE_NONE) - struct sadb_x_cred *cred = 0, *sauth = 0; -#endif - - /* This needs to be dynamically allocated. */ - connlen = 22; - conn = malloc(connlen); - if (!conn) { - log_error("pf_key_v2_acquire: malloc (%d) failed", connlen); - return; - } - msg = (struct sadb_msg *)TAILQ_FIRST(pmsg)->seg; - - ext = pf_key_v2_find_ext(pmsg, SADB_EXT_ADDRESS_DST); - if (!ext) { - log_print("pf_key_v2_acquire: " - "no destination address specified"); - return; - } - dst = ext->seg; - - ext = pf_key_v2_find_ext(pmsg, SADB_EXT_ADDRESS_SRC); - if (ext) - src = ext->seg; - - ext = pf_key_v2_find_ext(pmsg, SADB_EXT_PROPOSAL); - if (ext) { - sprp = ext->seg; - scmb = (struct sadb_comb *) (sprp + 1); - } - ext = pf_key_v2_find_ext(pmsg, SADB_EXT_IDENTITY_SRC); - if (ext) - srcident = ext->seg; - - ext = pf_key_v2_find_ext(pmsg, SADB_EXT_IDENTITY_DST); - if (ext) - dstident = ext->seg; - - /* Ask the kernel for the matching policy. */ - bzero(&askpolicy_msg, sizeof askpolicy_msg); - askpolicy_msg.sadb_msg_type = SADB_X_ASKPOLICY; - askpolicy = pf_key_v2_msg_new(&askpolicy_msg, 0); - if (!askpolicy) - goto fail; - - policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY; - policy.sadb_x_policy_len = sizeof policy / PF_KEY_V2_CHUNK; - policy.sadb_x_policy_seq = msg->sadb_msg_seq; - if (pf_key_v2_msg_add(askpolicy, (struct sadb_ext *)&policy, 0) == -1) - goto fail; - - ret = pf_key_v2_call(askpolicy); - if (!ret) - goto fail; - - /* Now we have all the information needed. */ - - ext = pf_key_v2_find_ext(ret, SADB_X_EXT_SRC_FLOW); - if (!ext) { - log_print("pf_key_v2_acquire: no source flow extension found"); - goto fail; - } - sflow = (struct sockaddr *) (((struct sadb_address *) ext->seg) + 1); - - ext = pf_key_v2_find_ext(ret, SADB_X_EXT_DST_FLOW); - if (!ext) { - log_print("pf_key_v2_acquire: " - "no destination flow extension found"); - goto fail; - } - dflow = (struct sockaddr *) (((struct sadb_address *) ext->seg) + 1); - ext = pf_key_v2_find_ext(ret, SADB_X_EXT_SRC_MASK); - if (!ext) { - log_print("pf_key_v2_acquire: no source mask extension found"); - goto fail; - } - smask = (struct sockaddr *) (((struct sadb_address *) ext->seg) + 1); - - ext = pf_key_v2_find_ext(ret, SADB_X_EXT_DST_MASK); - if (!ext) { - log_print("pf_key_v2_acquire: " - "no destination mask extension found"); - goto fail; - } - dmask = (struct sockaddr *) (((struct sadb_address *) ext->seg) + 1); - - ext = pf_key_v2_find_ext(ret, SADB_X_EXT_FLOW_TYPE); - if (!ext) { - log_print("pf_key_v2_acquire: no flow type extension found"); - goto fail; - } - sproto = ext->seg; - tproto = sproto->sadb_protocol_proto; - -#if defined (SADB_X_EXT_LOCAL_CREDENTIALS) - ext = pf_key_v2_find_ext(pmsg, SADB_X_EXT_LOCAL_CREDENTIALS); - if (ext) - cred = (struct sadb_x_cred *) ext->seg; - else - cred = 0; -#endif - -#if defined (SADB_X_EXT_LOCAL_AUTH) - ext = pf_key_v2_find_ext(pmsg, SADB_X_EXT_LOCAL_AUTH); - if (ext) - sauth = (struct sadb_x_cred *) ext->seg; - else - sauth = 0; -#endif - - bzero(ssflow, sizeof ssflow); - bzero(sdflow, sizeof sdflow); - bzero(ssmask, sizeof ssmask); - bzero(sdmask, sizeof sdmask); - - sidtype = didtype = "IPV4_ADDR_SUBNET"; /* default */ - - switch (sflow->sa_family) { - case AF_INET: - if (inet_ntop(AF_INET, - &((struct sockaddr_in *) sflow)->sin_addr, ssflow, - ADDRESS_MAX) == NULL) { - log_print("pf_key_v2_acquire: inet_ntop failed"); - goto fail; - } - sport = ((struct sockaddr_in *) sflow)->sin_port; - if (inet_ntop(AF_INET, - &((struct sockaddr_in *) dflow)->sin_addr, sdflow, - ADDRESS_MAX) == NULL) { - log_print("pf_key_v2_acquire: inet_ntop failed"); - goto fail; - } - dport = ((struct sockaddr_in *) dflow)->sin_port; - if (inet_ntop(AF_INET, - &((struct sockaddr_in *) smask)->sin_addr, ssmask, - ADDRESS_MAX) == NULL) { - log_print("pf_key_v2_acquire: inet_ntop failed"); - goto fail; - } - if (inet_ntop(AF_INET, - &((struct sockaddr_in *) dmask)->sin_addr, sdmask, - ADDRESS_MAX) == NULL) { - log_print("pf_key_v2_acquire: inet_ntop failed"); - goto fail; - } - if (((struct sockaddr_in *) smask)->sin_addr.s_addr == - INADDR_BROADCAST) { - shostflag = 1; - sidtype = "IPV4_ADDR"; - } - if (((struct sockaddr_in *) dmask)->sin_addr.s_addr == - INADDR_BROADCAST) { - dhostflag = 1; - didtype = "IPV4_ADDR"; - } - break; - - case AF_INET6: - if (inet_ntop(AF_INET6, - &((struct sockaddr_in6 *) sflow)->sin6_addr, - ssflow, ADDRESS_MAX) == NULL) { - log_print("pf_key_v2_acquire: inet_ntop failed"); - goto fail; - } - sport = ((struct sockaddr_in6 *) sflow)->sin6_port; - if (inet_ntop(AF_INET6, - &((struct sockaddr_in6 *) dflow)->sin6_addr, - sdflow, ADDRESS_MAX) == NULL) { - log_print("pf_key_v2_acquire: inet_ntop failed"); - goto fail; - } - dport = ((struct sockaddr_in6 *) dflow)->sin6_port; - if (inet_ntop(AF_INET6, - &((struct sockaddr_in6 *) smask)->sin6_addr, - ssmask, ADDRESS_MAX) == NULL) { - log_print("pf_key_v2_acquire: inet_ntop failed"); - goto fail; - } - if (inet_ntop(AF_INET6, - &((struct sockaddr_in6 *) dmask)->sin6_addr, - sdmask, ADDRESS_MAX) == NULL) { - log_print("pf_key_v2_acquire: inet_ntop failed"); - goto fail; - } - sidtype = didtype = "IPV6_ADDR_SUBNET"; - if (IN6_IS_ADDR_FULL(&((struct sockaddr_in6 *)smask)->sin6_addr)) { - shostflag = 1; - sidtype = "IPV6_ADDR"; - } - if (IN6_IS_ADDR_FULL(&((struct sockaddr_in6 *)dmask)->sin6_addr)) { - dhostflag = 1; - didtype = "IPV6_ADDR"; - } - break; - } - - dstaddr = (struct sockaddr *)(dst + 1); - bzero(dstbuf, sizeof dstbuf); - bzero(srcbuf, sizeof srcbuf); - - if (dstaddr->sa_family == 0) { - /* - * Destination was not specified in the flow -- can we derive - * it? - */ - if (dhostflag == 0) { - log_print("pf_key_v2_acquire: " - "Cannot determine precise destination"); - goto fail; - } - dstaddr = dflow; - } - switch (dstaddr->sa_family) { - case AF_INET: - if (inet_ntop(AF_INET, - &((struct sockaddr_in *) dstaddr)->sin_addr, - dstbuf, ADDRESS_MAX) == NULL) { - log_print("pf_key_v2_acquire: inet_ntop failed"); - goto fail; - } - LOG_DBG((LOG_SYSDEP, 20, - "pf_key_v2_acquire: dst=%s sproto %d", dstbuf, - msg->sadb_msg_satype)); - break; - - case AF_INET6: - if (inet_ntop(AF_INET6, - &((struct sockaddr_in6 *) dstaddr)->sin6_addr, - dstbuf, ADDRESS_MAX) == NULL) { - log_print("pf_key_v2_acquire: inet_ntop failed"); - goto fail; - } - LOG_DBG((LOG_SYSDEP, 20, - "pf_key_v2_acquire: dst=%s sproto %d", dstbuf, - msg->sadb_msg_satype)); - break; - } - - if (src) { - srcaddr = (struct sockaddr *) (src + 1); - - switch (srcaddr->sa_family) { - case AF_INET: - if (inet_ntop(AF_INET, - &((struct sockaddr_in *) srcaddr)->sin_addr, - srcbuf, ADDRESS_MAX) == NULL) { - log_print("pf_key_v2_acquire: " - "inet_ntop failed"); - goto fail; - } - break; - - case AF_INET6: - if (inet_ntop(AF_INET6, - &((struct sockaddr_in6 *)srcaddr)->sin6_addr, - srcbuf, ADDRESS_MAX) == NULL) { - log_print("pf_key_v2_acquire: " - "inet_ntop failed"); - goto fail; - } - break; - - default: - /* - * The kernel will pass an all '0' EXT_ADDRESS_SRC if - * it wasn't specified for the flow. In that case, do - * NOT specify the srcaddr in the Peer-name below - */ - srcbuf[0] = 0; - srcaddr = NULL; - break; - } - } - /* Insert source ID. */ - if (srcident) { - slen = (srcident->sadb_ident_len * sizeof(u_int64_t)) - - sizeof(struct sadb_ident); - if (((unsigned char *) (srcident + 1))[slen - 1] != '\0') { - log_print("pf_key_v2_acquire: " - "source identity not NUL-terminated"); - goto fail; - } - /* Check for valid type. */ - switch (srcident->sadb_ident_type) { -#if defined (SADB_X_IDENTTYPE_CONNECTION) - case SADB_X_IDENTTYPE_CONNECTION: - /* XXX */ - break; -#endif - - case SADB_IDENTTYPE_PREFIX: - /* Determine what the address family is. */ - srcid = memchr(srcident + 1, ':', slen); - if (srcid) - afamily = AF_INET6; - else - afamily = AF_INET; - - srcid = memchr(srcident + 1, '/', slen); - if (!srcid) { - log_print("pf_key_v2_acquire: " - "badly formatted PREFIX identity"); - goto fail; - } - masklen = atoi(srcid + 1); - - /* XXX We only support host addresses. */ - if ((afamily == AF_INET6 && masklen != 128) - || (afamily == AF_INET && masklen != 32)) { - log_print("pf_key_v2_acquire: " - "non-host address specified in source " - "identity (mask length %d), ignoring " - "request", masklen); - goto fail; - } - /* - * NUL-terminate the PREFIX string at the separator, - * then dup. - */ - *srcid = '\0'; - slen = strlen((char *) (srcident + 1)) + - sizeof "ID:Address/"; - srcid = malloc(slen); - if (!srcid) { - log_error("pf_key_v2_acquire: " - "malloc (%d) failed", slen); - goto fail; - } - snprintf(srcid, slen, "ID:Address/%s", - (char *) (srcident + 1)); - - /* Set the section if it doesn't already exist. */ - af = conf_begin(); - if (!conf_get_str(srcid, "ID-type")) { - if (conf_set(af, srcid, "ID-type", - afamily == AF_INET ? "IPV4_ADDR" : - "IPV6_ADDR", 1, 0) - || conf_set(af, srcid, "Refcount", "1", 1, - 0) - || conf_set(af, srcid, "Address", - (char *) (srcident + 1), 1, 0)) { - conf_end(af, 0); - goto fail; - } - } else - pf_key_v2_conf_refinc(af, srcid); - conf_end(af, 1); - break; - - case SADB_IDENTTYPE_FQDN: - prefstring = "FQDN"; - /* Fall through */ - case SADB_IDENTTYPE_USERFQDN: - if (!prefstring) { - prefstring = "USER_FQDN"; - - /* - * Check whether there is a string following - * the header; if no, that there is a user ID - * (and acquire the login name). If there is - * both a string and a user ID, check that - * they match. - */ - if ((slen == 0) && - (srcident->sadb_ident_id == 0)) { - log_print("pf_key_v2_acquire: " - "no user FQDN or ID provided"); - goto fail; - } - if (srcident->sadb_ident_id) { - pwd = - getpwuid(srcident->sadb_ident_id); - if (!pwd) { - log_error("pf_key_v2_acquire: " - "could not acquire " - "username from provided " - "ID %llu", - srcident->sadb_ident_id); - goto fail; - } - if (slen != 0) - if (strcmp(pwd->pw_name, - (char *) (srcident + 1)) - != 0) { - log_print("pf_key_v2_acquire: " - "provided user " - "name and ID do " - "not match (%s != " - "%s)", - (char *) (srcident + 1), - pwd->pw_name); - /* - * String has - * precedence, per - * RFC 2367. - */ - } - } - } - buflen = (slen ? slen : strlen(pwd->pw_name)) + - strlen(prefstring) + sizeof "ID:/"; - srcid = malloc(buflen); - if (!srcid) { - log_error("pf_key_v2_acquire: " - "malloc (%d) failed", buflen); - goto fail; - } - snprintf(srcid, buflen, "ID:%s/", prefstring); - if (slen != 0) - strlcat(srcid, - (char *) (srcident + 1), buflen); - else - strlcat(srcid, pwd->pw_name, buflen); - pwd = 0; - - /* Set the section if it doesn't already exist. */ - af = conf_begin(); - if (!conf_get_str(srcid, "ID-type")) { - if (conf_set(af, srcid, "ID-type", prefstring, - 1, 0) - || conf_set(af, srcid, "Refcount", "1", 1, - 0) - || conf_set(af, srcid, "Name", - srcid + sizeof "ID:/" - 1 + - strlen(prefstring), 1, 0)) { - conf_end(af, 0); - goto fail; - } - } else - pf_key_v2_conf_refinc(af, srcid); - conf_end(af, 1); - break; - - default: - LOG_DBG((LOG_SYSDEP, 20, - "pf_key_v2_acquire: invalid source ID type %d", - srcident->sadb_ident_type)); - goto fail; - } - - LOG_DBG((LOG_SYSDEP, 50, - "pf_key_v2_acquire: constructed source ID \"%s\"", srcid)); - prefstring = 0; - } - /* Insert destination ID. */ - if (dstident) { - slen = (dstident->sadb_ident_len * sizeof(u_int64_t)) - - sizeof(struct sadb_ident); - - /* Check for valid type. */ - switch (dstident->sadb_ident_type) { -#if defined (SADB_X_IDENTTYPE_CONNECTION) - case SADB_X_IDENTTYPE_CONNECTION: - /* XXX */ - break; -#endif - - case SADB_IDENTTYPE_PREFIX: - /* Determine what the address family is. */ - dstid = memchr(dstident + 1, ':', slen); - if (dstid) - afamily = AF_INET6; - else - afamily = AF_INET; - - dstid = memchr(dstident + 1, '/', slen); - if (!dstid) { - log_print("pf_key_v2_acquire: " - "badly formatted PREFIX identity"); - goto fail; - } - masklen = atoi(dstid + 1); - - /* XXX We only support host addresses. */ - if ((afamily == AF_INET6 && masklen != 128) - || (afamily == AF_INET && masklen != 32)) { - log_print("pf_key_v2_acquire: " - "non-host address specified in " - "destination identity (mask length %d), " - "ignoring request", masklen); - goto fail; - } - /* - * NUL-terminate the PREFIX string at the separator, - * then dup. - */ - *dstid = '\0'; - slen = strlen((char *) (dstident + 1)) + - sizeof "ID:Address/"; - dstid = malloc(slen); - if (!dstid) { - log_error("pf_key_v2_acquire: " - "malloc (%d) failed", slen); - goto fail; - } - snprintf(dstid, slen, "ID:Address/%s", - (char *) (dstident + 1)); - - /* Set the section if it doesn't already exist. */ - af = conf_begin(); - if (!conf_get_str(dstid, "ID-type")) { - if (conf_set(af, dstid, "ID-type", - afamily == AF_INET ? "IPV4_ADDR" : - "IPV6_ADDR", 1, 0) - || conf_set(af, dstid, "Refcount", "1", 1, - 0) - || conf_set(af, dstid, "Address", - (char *) (dstident + 1), 1, 0)) { - conf_end(af, 0); - goto fail; - } - } else - pf_key_v2_conf_refinc(af, dstid); - conf_end(af, 1); - break; - - case SADB_IDENTTYPE_FQDN: - prefstring = "FQDN"; - /* Fall through */ - - case SADB_IDENTTYPE_USERFQDN: - if (!prefstring) { - prefstring = "USER_FQDN"; - - /* - * Check whether there is a string following - * the header; if no, that there is a user ID - * (and acquire the login name). If there is - * both a string and a user ID, check that - * they match. - */ - if (slen == 0 && - dstident->sadb_ident_id == 0) { - log_print("pf_key_v2_acquire: " - "no user FQDN or ID provided"); - goto fail; - } - if (dstident->sadb_ident_id) { - pwd = getpwuid(dstident->sadb_ident_id); - if (!pwd) { - log_error("pf_key_v2_acquire: " - "could not acquire " - "username from provided " - "ID %llu", - dstident->sadb_ident_id); - goto fail; - } - if (slen != 0) - if (strcmp(pwd->pw_name, - (char *) (dstident + 1)) - != 0) { - log_print("pf_key_v2_acquire: " - "provided user " - "name and ID do " - "not match (%s != " - "%s)", - (char *) (dstident + 1), - pwd->pw_name); - /* - * String has - * precedence, per RF - * 2367. - */ - } - } - } - buflen = (slen ? slen : strlen(pwd->pw_name)) + - strlen(prefstring) + sizeof "ID:/"; - dstid = malloc(buflen); - if (!dstid) { - log_error("pf_key_v2_acquire: " - "malloc (%d) failed", buflen); - goto fail; - } - snprintf(dstid, buflen, "ID:%s/", prefstring); - if (slen != 0) - strlcat(dstid, (char *) (dstident + 1), - buflen); - else - strlcat(dstid, pwd->pw_name, buflen); - pwd = 0; - - /* Set the section if it doesn't already exist. */ - af = conf_begin(); - if (!conf_get_str(dstid, "ID-type")) { - if (conf_set(af, dstid, "ID-type", prefstring, - 1, 0) - || conf_set(af, dstid, "Refcount", "1", 1, - 0) - || conf_set(af, dstid, "Name", - dstid + sizeof "ID:/" - 1 + - strlen(prefstring), 1, 0)) { - conf_end(af, 0); - goto fail; - } - } else - pf_key_v2_conf_refinc(af, dstid); - conf_end(af, 1); - break; - - default: - LOG_DBG((LOG_SYSDEP, 20, "pf_key_v2_acquire: " - "invalid destination ID type %d", - dstident->sadb_ident_type)); - goto fail; - } - - LOG_DBG((LOG_SYSDEP, 50, - "pf_key_v2_acquire: constructed destination ID \"%s\"", - dstid)); - } - /* Now we've placed the necessary IDs in the configuration space. */ - - /* Get a new connection sequence number. */ - for (;; connection_seq++) { - snprintf(conn, connlen, "Connection-%u", connection_seq); - snprintf(configname, sizeof configname, "Config-Phase2-%u", - connection_seq); - - /* Does it exist ? */ - if (!conf_get_str(conn, "Phase") - && !conf_get_str(configname, "Suites")) - break; - } - - /* - * Set the IPsec connection entry. In particular, the following fields: - * - Phase - * - ISAKMP-peer - * - Local-ID/Remote-ID (if provided) - * - Acquire-ID (sequence number of kernel message, e.g., PF_KEYv2) - * - Configuration - * - * Also set the following section: - * [Peer-dstaddr(/srcaddr)(-srcid)(/dstid)] - * with these fields: - * - Phase - * - ID (if provided) - * - Remote-ID (if provided) - * - Local-address (if provided) - * - Address - * - Configuration (if an entry ISAKMP-configuration-dstaddr(/srcaddr) - * exists -- otherwise use the defaults) - */ - - slen = strlen(dstbuf) + strlen(srcbuf) + (srcid ? strlen(srcid) : 0) - + (dstid ? strlen(dstid) : 0) + sizeof "Peer-/-/"; - peer = malloc(slen); - if (!peer) - goto fail; - - /* - * The various cases: - * - Peer-dstaddr - * - Peer-dstaddr/srcaddr - * - Peer-dstaddr/srcaddr-srcid - * - Peer-dstaddr/srcaddr-srcid/dstid - * - Peer-dstaddr/srcaddr-/dstid - * - Peer-dstaddr-srcid/dstid - * - Peer-dstaddr-/dstid - * - Peer-dstaddr-srcid - */ - snprintf(peer, slen, "Peer-%s%s%s%s%s%s%s", dstbuf, srcaddr ? "/" : "", - srcaddr ? srcbuf : "", srcid ? "-" : "", srcid ? srcid : "", - dstid ? (srcid ? "/" : "-/") : "", dstid ? dstid : ""); - - /* - * Set the IPsec connection section. Refcount is set to 2, because - * it will be linked both to the incoming and the outgoing SA. - */ - af = conf_begin(); - if (conf_set(af, conn, "Phase", "2", 0, 0) - || conf_set(af, conn, "Flags", "__ondemand", 0, 0) - || conf_set(af, conn, "Refcount", "2", 0, 0) - || conf_set(af, conn, "ISAKMP-peer", peer, 0, 0)) { - conf_end(af, 0); - goto fail; - } - /* Set the sequence number. */ - snprintf(lname, sizeof lname, "%u", msg->sadb_msg_seq); - if (conf_set(af, conn, "Acquire-ID", lname, 0, 0)) { - conf_end(af, 0); - goto fail; - } - /* Set Phase 2 IDs -- this is the Local-ID section. */ - snprintf(lname, sizeof lname, "Phase2-ID:%s/%s/%u/%u", ssflow, ssmask, - tproto, sport); - if (conf_set(af, conn, "Local-ID", lname, 0, 0)) { - conf_end(af, 0); - goto fail; - } - if (!conf_get_str(lname, "ID-type")) { - if (conf_set(af, lname, "Refcount", "1", 0, 0)) { - conf_end(af, 0); - goto fail; - } - if (shostflag) { - if (conf_set(af, lname, "ID-type", sidtype, 0, 0) - || conf_set(af, lname, "Address", ssflow, 0, 0)) { - conf_end(af, 0); - goto fail; - } - } else { - if (conf_set(af, lname, "ID-type", sidtype, 0, 0) - || conf_set(af, lname, "Network", ssflow, 0, 0) - || conf_set(af, lname, "Netmask", ssmask, 0, 0)) { - conf_end(af, 0); - goto fail; - } - } - if (tproto) { - snprintf(tmbuf, sizeof sport * 3 + 1, "%u", tproto); - if (conf_set(af, lname, "Protocol", tmbuf, 0, 0)) { - conf_end(af, 0); - goto fail; - } - if (sport) { - snprintf(tmbuf, sizeof sport * 3 + 1, "%u", - ntohs(sport)); - if (conf_set(af, lname, "Port", tmbuf, 0, 0)) { - conf_end(af, 0); - goto fail; - } - } - } - } else - pf_key_v2_conf_refinc(af, lname); - - /* Set Remote-ID section. */ - snprintf(dname, sizeof dname, "Phase2-ID:%s/%s/%u/%u", sdflow, sdmask, - tproto, dport); - if (conf_set(af, conn, "Remote-ID", dname, 0, 0)) { - conf_end(af, 0); - goto fail; - } - if (!conf_get_str(dname, "ID-type")) { - if (conf_set(af, dname, "Refcount", "1", 0, 0)) { - conf_end(af, 0); - goto fail; - } - if (dhostflag) { - if (conf_set(af, dname, "ID-type", didtype, 0, 0) - || conf_set(af, dname, "Address", sdflow, 0, 0)) { - conf_end(af, 0); - goto fail; - } - } else { - if (conf_set(af, dname, "ID-type", didtype, 0, 0) - || conf_set(af, dname, "Network", sdflow, 0, 0) - || conf_set(af, dname, "Netmask", sdmask, 0, 0)) { - conf_end(af, 0); - goto fail; - } - } - - if (tproto) { - snprintf(tmbuf, sizeof dport * 3 + 1, "%u", tproto); - if (conf_set(af, dname, "Protocol", tmbuf, 0, 0)) { - conf_end(af, 0); - goto fail; - } - if (dport) { - snprintf(tmbuf, sizeof dport * 3 + 1, "%u", - ntohs(dport)); - if (conf_set(af, dname, "Port", tmbuf, 0, 0)) { - conf_end(af, 0); - goto fail; - } - } - } - } else - pf_key_v2_conf_refinc(af, dname); - - /* - * XXX - * We should be using information from the proposal to set this up. - * At least, we should make this selectable. - */ - - /* Phase 2 configuration. */ - if (conf_set(af, conn, "Configuration", configname, 0, 0)) { - conf_end(af, 0); - goto fail; - } - if (conf_set(af, configname, "Exchange_type", "Quick_mode", 0, 0) - || conf_set(af, configname, "DOI", "IPSEC", 0, 0)) { - conf_end(af, 0); - goto fail; - } - if (conf_get_str("General", "Default-phase-2-suites")) { - if (conf_set(af, configname, "Suites", - conf_get_str("General", "Default-phase-2-suites"), 0, 0)) { - conf_end(af, 0); - goto fail; - } - } else { - if (conf_set(af, configname, "Suites", - "QM-ESP-3DES-SHA-PFS-SUITE", 0, 0)) { - conf_end(af, 0); - goto fail; - } - } - - /* Set the ISAKMP-peer section. */ - if (!conf_get_str(peer, "Phase")) { - if (conf_set(af, peer, "Phase", "1", 0, 0) - || conf_set(af, peer, "Refcount", "1", 0, 0) - || conf_set(af, peer, "Address", dstbuf, 0, 0)) { - conf_end(af, 0); - goto fail; - } - if (srcaddr && conf_set(af, peer, "Local-address", srcbuf, 0, - 0)) { - conf_end(af, 0); - goto fail; - } - snprintf(confname, sizeof confname, "ISAKMP-Configuration-%s", - peer); - if (conf_set(af, peer, "Configuration", confname, 0, 0)) { - conf_end(af, 0); - goto fail; - } -#if defined (SADB_X_CREDTYPE_NONE) - /* Store any credentials passed to us. */ - if (cred) { - struct cert_handler *handler = 0; - void *cert; - char num[12], *certprint; - - /* Convert to bytes in-place. */ - cred->sadb_x_cred_len *= PF_KEY_V2_CHUNK; - - if (cred->sadb_x_cred_len <= sizeof *cred) { - log_print("pf_key_v2_acquire: " - "zero-length credentials, aborting SA " - "acquisition"); - conf_end(af, 0); - goto fail; - } - switch (cred->sadb_x_cred_type) { - case SADB_X_CREDTYPE_X509: - snprintf(num, sizeof num, "%d", - ISAKMP_CERTENC_X509_SIG); - handler = cert_get(ISAKMP_CERTENC_X509_SIG); - break; - case SADB_X_CREDTYPE_KEYNOTE: - snprintf(num, sizeof num, "%d", - ISAKMP_CERTENC_KEYNOTE); - handler = cert_get(ISAKMP_CERTENC_KEYNOTE); - break; - default: - log_print("pf_key_v2_acquire: " - "unknown credential type %d", - cred->sadb_x_cred_type); - conf_end(af, 0); - goto fail; - } - - if (!handler) { - log_print("pf_key_v2_acquire: " - "cert_get (%s) failed", num); - conf_end(af, 0); - goto fail; - } - /* Set the credential type as a number. */ - if (conf_set(af, peer, "Credential_type", num, 0, 0)) { - conf_end(af, 0); - goto fail; - } - /* Get the certificate. */ - cert = handler->cert_get((u_int8_t *) (cred + 1), - cred->sadb_x_cred_len - sizeof *cred); - - /* Now convert to printable format. */ - certprint = handler->cert_printable(cert); - handler->cert_free(cert); - if (!certprint - || conf_set(af, peer, "Credentials", certprint, 0, - 0)) { - if (certprint) - free(certprint); - conf_end(af, 0); - goto fail; - } - free(certprint); - } -#endif /* SADB_X_CREDTYPE_NONE */ - - /* Phase 1 configuration. */ - if (!conf_get_str(confname, "exchange_type")) { -#if defined (SADB_X_EXT_LOCAL_AUTH) - /* - * We may have been provided with authentication - * material. - */ - if (sauth) { - char *authm; - - /* Convert to bytes in-place. */ - sauth->sadb_x_cred_len *= PF_KEY_V2_CHUNK; - - switch (sauth->sadb_x_cred_type) { - case SADB_X_AUTHTYPE_PASSPHRASE: - if (conf_set(af, confname, - "Transforms", "3DES-SHA", 0, 0)) { - conf_end(af, 0); - goto fail; - } - if (sauth->sadb_x_cred_len <= - sizeof *sauth) { - log_print("pf_key_v2_acquire: " - "zero-length passphrase, " - "aborting SA acquisition"); - conf_end(af, 0); - goto fail; - } - authm = malloc(sauth->sadb_x_cred_len - - sizeof *sauth + 1); - if (!authm) { - log_error("pf_key_v2_acquire: " - "malloc (%lu) failed", - sauth->sadb_x_cred_len - - (unsigned long) sizeof *sauth + 1); - conf_end(af, 0); - goto fail; - } - memcpy(authm, sauth + 1, - sauth->sadb_x_cred_len - - sizeof *sauth + 1); - - /* Set the passphrase in the peer. */ - if (conf_set(af, peer, - "Authentication", authm, 0, 0)) { - free(authm); - conf_end(af, 0); - goto fail; - } - free(authm); - break; - - case SADB_X_AUTHTYPE_RSA: - if (conf_set(af, confname, - "Transforms", "3DES-SHA-RSA_SIG", - 0, 0)) { - conf_end(af, 0); - goto fail; - } - if (sauth->sadb_x_cred_len <= - sizeof *sauth) { - log_print("pf_key_v2_acquire: " - "zero-length RSA key, " - "aborting SA acquisition"); - conf_end(af, 0); - goto fail; - } - authm = key_printable(ISAKMP_KEY_RSA, - ISAKMP_KEYTYPE_PRIVATE, - (u_int8_t *) sauth + 1, - sauth->sadb_x_cred_len - - sizeof *sauth); - if (!authm) { - log_print("pf_key_v2_acquire: " - "failed to convert " - "private key to printable " - "format (size %lu)", - sauth->sadb_x_cred_len - - (unsigned long) sizeof *sauth); - conf_end(af, 0); - goto fail; - } - /* - * Set the key in the peer. We don't - * use "Authentication" to avoid - * potential conflicts with file-based - * configurations that use public key - * authentication but still specify - * an "Authentication" tag (typically - * as a remnant of passphrase-based - * testing). - */ - if (conf_set(af, peer, - "PKAuthentication", authm, 0, 0)) { - free(authm); - conf_end(af, 0); - goto fail; - } - free(authm); - break; - - default: - log_print("pf_key_v2_acquire: " - "unknown authentication " - "material type %d received from " - "kernel", sauth->sadb_x_cred_type); - conf_end(af, 0); - goto fail; - } - } else /* Fall through */ -#endif /* SADB_X_EXT_LOCAL_AUTH */ - { - xform = conf_get_str( - "Default-phase-1-configuration", - "Transforms"); - if (conf_set(af, confname, "Transforms", - xform ? xform : "3DES-SHA-RSA_SIG", 0, - 0)) { - conf_end(af, 0); - goto fail; - } - } - - if (conf_set(af, confname, "Exchange_Type", "ID_PROT", - 0, 0) - || conf_set(af, confname, "DOI", "IPSEC", 0, 0) - || conf_set(af, confname, "Refcount", "1", 0, 0)) { - conf_end(af, 0); - goto fail; - } - } else - pf_key_v2_conf_refinc(af, confname); - - /* The ID we should use in Phase 1. */ - if (srcid && conf_set(af, peer, "ID", srcid, 0, 0)) { - conf_end(af, 0); - goto fail; - } - /* The ID the other side should use in Phase 1. */ - if (dstid && conf_set(af, peer, "Remote-ID", dstid, 0, 0)) { - conf_end(af, 0); - goto fail; - } - } else - pf_key_v2_conf_refinc(af, peer); - - /* All done. */ - conf_end(af, 1); - - /* Let's rock 'n roll. */ - pf_key_v2_connection_check(conn); - conn = 0; - - /* Fall-through to cleanup. */ -fail: - if (ret) - pf_key_v2_msg_free(ret); - if (askpolicy) - pf_key_v2_msg_free(askpolicy); - if (srcid) - free(srcid); - if (dstid) - free(dstid); - if (peer) - free(peer); - if (conn) - free(conn); - return; -#else - /* acquire not supported */ - return; -#endif /* SADB_X_ASKPOLICY */ -} - -static void -pf_key_v2_notify(struct pf_key_v2_msg *msg) -{ - switch (((struct sadb_msg *)TAILQ_FIRST(msg)->seg)->sadb_msg_type) { - case SADB_EXPIRE: - pf_key_v2_expire(msg); - break; - - case SADB_ACQUIRE: - pf_key_v2_acquire(msg); - break; - - default: - log_print("pf_key_v2_notify: unexpected message type (%d)", - ((struct sadb_msg *)TAILQ_FIRST(msg)->seg)->sadb_msg_type); - } - pf_key_v2_msg_free(msg); -} - -void -pf_key_v2_handler(int fd) -{ - struct pf_key_v2_msg *msg; -#if !defined (LINUX_IPSEC) - int n; - - /* - * As synchronous read/writes to the socket can have taken place - * between the select(2) call of the main loop and this handler, we - * need to recheck the readability. - */ - if (ioctl(pf_key_v2_socket, FIONREAD, &n) == -1) { - log_error("pf_key_v2_handler: ioctl (%d, FIONREAD, &n) failed", - pf_key_v2_socket); - return; - } - if (!n) - return; -#endif /* LINUX_IPSEC */ - - msg = pf_key_v2_read(0); - if (msg) - pf_key_v2_notify(msg); -} - -/* - * Group 2 IPsec SAs given by the PROTO1 and PROTO2 protocols of the SA IKE - * security association in a chain. - * XXX Assumes OpenBSD GRPSPIS extension. Should probably be moved to sysdep.c - */ -int -pf_key_v2_group_spis(struct sa *sa, struct proto *proto1, - struct proto *proto2, int incoming) -{ -#if defined (SADB_X_GRPSPIS) - struct sadb_msg msg; - struct sadb_sa sa1, sa2; - struct sadb_address *addr = 0; - struct sadb_protocol protocol; - struct pf_key_v2_msg *grpspis = 0, *ret = 0; - struct sockaddr *saddr; - int err; - size_t len; -#ifdef KAME - struct sadb_x_sa2 kamesa2; -#endif - - msg.sadb_msg_type = SADB_X_GRPSPIS; - switch (proto1->proto) { - case IPSEC_PROTO_IPSEC_ESP: - msg.sadb_msg_satype = SADB_SATYPE_ESP; - break; - case IPSEC_PROTO_IPSEC_AH: - msg.sadb_msg_satype = SADB_SATYPE_AH; - break; -#if defined (SADB_X_SATYPE_IPCOMP) - case IPSEC_PROTO_IPCOMP: - msg.sadb_msg_satype = SADB_X_SATYPE_IPCOMP; - break; -#endif - default: - log_print("pf_key_v2_group_spis: invalid proto %d", - proto1->proto); - goto cleanup; - } - msg.sadb_msg_seq = 0; - grpspis = pf_key_v2_msg_new(&msg, 0); - if (!grpspis) - goto cleanup; - - /* Setup the SA extensions. */ - sa1.sadb_sa_exttype = SADB_EXT_SA; - sa1.sadb_sa_len = sizeof sa1 / PF_KEY_V2_CHUNK; - memcpy(&sa1.sadb_sa_spi, proto1->spi[incoming], - sizeof sa1.sadb_sa_spi); - sa1.sadb_sa_replay = 0; - sa1.sadb_sa_state = 0; - sa1.sadb_sa_auth = 0; - sa1.sadb_sa_encrypt = 0; - sa1.sadb_sa_flags = 0; - if (pf_key_v2_msg_add(grpspis, (struct sadb_ext *)&sa1, 0) == -1) - goto cleanup; - -#ifndef KAME - sa2.sadb_sa_exttype = SADB_X_EXT_SA2; - sa2.sadb_sa_len = sizeof sa2 / PF_KEY_V2_CHUNK; - memcpy(&sa2.sadb_sa_spi, proto2->spi[incoming], - sizeof sa2.sadb_sa_spi); - sa2.sadb_sa_replay = 0; - sa2.sadb_sa_state = 0; - sa2.sadb_sa_auth = 0; - sa2.sadb_sa_encrypt = 0; - sa2.sadb_sa_flags = 0; - if (pf_key_v2_msg_add(grpspis, (struct sadb_ext *)&sa2, 0) == -1) - goto cleanup; -#else - memset(&kamesa2, 0, sizeof kamesa2); - kamesa2.sadb_x_sa2_exttype = SADB_X_EXT_SA2; - kamesa2.sadb_x_sa2_len = sizeof kamesa2 / PF_KEY_V2_CHUNK; - kamesa2.sadb_x_sa2_mode = 0; - if (pf_key_v2_msg_add(grpspis, (struct sadb_ext *)&kamesa2, 0) == -1) - goto cleanup; -#endif - - /* - * Setup the ADDRESS extensions. - */ - if (incoming) - sa->transport->vtbl->get_src(sa->transport, &saddr); - else - sa->transport->vtbl->get_dst(sa->transport, &saddr); - len = sizeof *addr + PF_KEY_V2_ROUND(sysdep_sa_len(saddr)); - addr = calloc(1, len); - if (!addr) - goto cleanup; - addr->sadb_address_exttype = SADB_EXT_ADDRESS_DST; - addr->sadb_address_len = len / PF_KEY_V2_CHUNK; -#ifndef __OpenBSD__ - addr->sadb_address_proto = 0; - addr->sadb_address_prefixlen = 0; -#endif - addr->sadb_address_reserved = 0; - memcpy(addr + 1, saddr, sysdep_sa_len(saddr)); - ((struct sockaddr_in *) (addr + 1))->sin_port = 0; - if (pf_key_v2_msg_add(grpspis, (struct sadb_ext *) addr, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - addr = 0; - - addr = calloc(1, len); - if (!addr) - goto cleanup; - addr->sadb_address_exttype = SADB_X_EXT_DST2; - addr->sadb_address_len = len / PF_KEY_V2_CHUNK; -#ifndef __OpenBSD__ - addr->sadb_address_proto = 0; - addr->sadb_address_prefixlen = 0; -#endif - addr->sadb_address_reserved = 0; - memcpy(addr + 1, saddr, sysdep_sa_len(saddr)); - ((struct sockaddr_in *) (addr + 1))->sin_port = 0; - if (pf_key_v2_msg_add(grpspis, (struct sadb_ext *) addr, - PF_KEY_V2_NODE_MALLOCED) == -1) - goto cleanup; - addr = 0; - - /* Setup the PROTOCOL extension. */ - protocol.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL; - protocol.sadb_protocol_len = sizeof protocol / PF_KEY_V2_CHUNK; - switch (proto2->proto) { - case IPSEC_PROTO_IPSEC_ESP: - protocol.sadb_protocol_proto = SADB_SATYPE_ESP; - break; - case IPSEC_PROTO_IPSEC_AH: - protocol.sadb_protocol_proto = SADB_SATYPE_AH; - break; -#if defined (SADB_X_SATYPE_IPCOMP) - case IPSEC_PROTO_IPCOMP: - protocol.sadb_protocol_proto = SADB_X_SATYPE_IPCOMP; - break; -#endif - default: - log_print("pf_key_v2_group_spis: invalid proto %d", - proto2->proto); - goto cleanup; - } - protocol.sadb_protocol_reserved2 = 0; - if (pf_key_v2_msg_add(grpspis, - (struct sadb_ext *)&protocol, 0) == -1) - goto cleanup; - - ret = pf_key_v2_call(grpspis); - pf_key_v2_msg_free(grpspis); - grpspis = 0; - if (!ret) - goto cleanup; - err = ((struct sadb_msg *)TAILQ_FIRST(ret)->seg)->sadb_msg_errno; - if (err) { - log_print("pf_key_v2_group_spis: GRPSPIS: %s", strerror(err)); - goto cleanup; - } - pf_key_v2_msg_free(ret); - - LOG_DBG((LOG_SYSDEP, 50, "pf_key_v2_group_spis: done")); - - return 0; - -cleanup: - if (addr) - free(addr); - if (grpspis) - pf_key_v2_msg_free(grpspis); - if (ret) - pf_key_v2_msg_free(ret); - return -1; - -#else /* SADB_X_GRPSPIS */ - log_print("pf_key_v2_group_spis: not supported in pure PF_KEYv2"); - return -1; -#endif -} diff --git a/keyexchange/isakmpd-20041012/pf_key_v2.h b/keyexchange/isakmpd-20041012/pf_key_v2.h deleted file mode 100644 index 8eaed1a..0000000 --- a/keyexchange/isakmpd-20041012/pf_key_v2.h +++ /dev/null @@ -1,61 +0,0 @@ -/* $OpenBSD: pf_key_v2.h,v 1.12 2004/08/10 15:59:10 ho Exp $ */ -/* $EOM: pf_key_v2.h,v 1.4 2000/12/04 04:46:35 angelos Exp $ */ - -/* - * Copyright (c) 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _PF_KEY_V2_H_ -#define _PF_KEY_V2_H_ - -#include <sys/types.h> -#include <sys/queue.h> - -struct proto; -struct sa; -struct sockaddr; -struct kernel_sa; - -extern int pf_key_v2_socket; - -extern void pf_key_v2_connection_check(char *); -extern int pf_key_v2_delete_spi(struct sa *, struct proto *, int); -extern int pf_key_v2_enable_sa(struct sa *, struct sa *); -extern int pf_key_v2_enable_spi(in_addr_t, in_addr_t, in_addr_t, - in_addr_t, u_int8_t *, u_int8_t, in_addr_t); -extern struct sa_kinfo *pf_key_v2_get_kernel_sa(u_int8_t *, size_t, u_int8_t, - struct sockaddr *); -extern u_int8_t *pf_key_v2_get_spi(size_t *, u_int8_t, struct sockaddr *, - struct sockaddr *, u_int32_t); -extern int pf_key_v2_group_spis(struct sa *, struct proto *, - struct proto *, int); -extern void pf_key_v2_handler(int); -extern int pf_key_v2_open(void); -extern int pf_key_v2_set_spi(struct sa *, struct proto *, int, - struct sa *); - -#endif /* _PF_KEY_V2_H_ */ diff --git a/keyexchange/isakmpd-20041012/policy.c b/keyexchange/isakmpd-20041012/policy.c deleted file mode 100644 index 279b3a1..0000000 --- a/keyexchange/isakmpd-20041012/policy.c +++ /dev/null @@ -1,2318 +0,0 @@ -/* $OpenBSD: policy.c,v 1.78 2004/08/08 19:11:06 deraadt Exp $ */ -/* $EOM: policy.c,v 1.49 2000/10/24 13:33:39 niklas Exp $ */ - -/* - * Copyright (c) 1999, 2000, 2001 Angelos D. Keromytis. All rights reserved. - * Copyright (c) 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. - * Copyright (c) 2001 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/types.h> -#include <sys/param.h> -#include <sys/mman.h> -#include <sys/queue.h> -#include <sys/stat.h> -#include <regex.h> -#include <ctype.h> -#include <fcntl.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <unistd.h> -#include <keynote.h> -#include <sys/socket.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <errno.h> -#include <openssl/ssl.h> -#include <netdb.h> - -#include "sysdep.h" - -#include "conf.h" -#include "exchange.h" -#include "ipsec.h" -#include "isakmp_doi.h" -#include "sa.h" -#include "transport.h" -#include "log.h" -#include "message.h" -#include "monitor.h" -#include "util.h" -#include "policy.h" -#include "x509.h" - -char **policy_asserts = NULL; -int ignore_policy = 0; -int policy_asserts_num = 0; -struct exchange *policy_exchange = 0; -struct sa *policy_sa = 0; -struct sa *policy_isakmp_sa = 0; - -static const char hextab[] = { - '0', '1', '2', '3', '4', '5', '6', '7', - '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' -}; - -/* - * Adaptation of Vixie's inet_ntop4 () - */ -static const char * -my_inet_ntop4(const in_addr_t *src, char *dst, size_t size, int normalize) -{ - static const char fmt[] = "%03u.%03u.%03u.%03u"; - char tmp[sizeof "255.255.255.255"]; - in_addr_t src2; - - if (normalize) - src2 = ntohl(*src); - else - src2 = *src; - - if (snprintf(tmp, sizeof tmp, fmt, ((u_int8_t *)&src2)[0], - ((u_int8_t *)&src2)[1], ((u_int8_t *)&src2)[2], - ((u_int8_t *)&src2)[3]) > (int)size) { - errno = ENOSPC; - return 0; - } - strlcpy(dst, tmp, size); - return dst; -} - -static const char * -my_inet_ntop6(const unsigned char *src, char *dst, size_t size) -{ - static const char fmt[] = - "%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x"; - char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"]; - - if (snprintf(tmp, sizeof tmp, fmt, src[0], src[1], src[2], src[3], - src[4], src[5], src[6], src[7], src[8], src[9], src[10], src[11], - src[12], src[13], src[14], src[15]) > (int)size) { - errno = ENOSPC; - return 0; - } - strlcpy(dst, tmp, size); - return dst; -} - -char * -policy_callback(char *name) -{ - struct proto *proto; - - u_int8_t *attr, *value, *id, *idlocal, *idremote; - size_t id_sz, idlocalsz, idremotesz; - struct sockaddr *sin; - struct ipsec_exch *ie; - struct ipsec_sa *is; - size_t i; - int fmt, lifetype = 0; - in_addr_t net, subnet; - u_int16_t len, type; - time_t tt; - char *addr; - static char mytimeofday[15]; - - /* We use all these as a cache. */ -#define PMAX 32 - static char *esp_present, *ah_present, *comp_present; - static char *ah_hash_alg, *ah_auth_alg, *esp_auth_alg, *esp_enc_alg; - static char *comp_alg, ah_life_kbytes[PMAX], ah_life_seconds[PMAX]; - static char esp_life_kbytes[PMAX], esp_life_seconds[PMAX]; - static char comp_life_kbytes[PMAX]; - static char *ah_ecn, *esp_ecn, *comp_ecn; - static char comp_life_seconds[PMAX], *ah_encapsulation; - static char *esp_encapsulation, *comp_encapsulation; - static char ah_key_length[PMAX], esp_key_length[PMAX]; - static char ah_key_rounds[PMAX], esp_key_rounds[PMAX]; - static char comp_dict_size[PMAX], comp_private_alg[PMAX]; - static char *remote_filter_type, *local_filter_type; - static char remote_filter_addr_upper[NI_MAXHOST]; - static char remote_filter_addr_lower[NI_MAXHOST]; - static char local_filter_addr_upper[NI_MAXHOST]; - static char local_filter_addr_lower[NI_MAXHOST]; - static char ah_group_desc[PMAX], esp_group_desc[PMAX]; - static char comp_group_desc[PMAX], remote_ike_address[NI_MAXHOST]; - static char local_ike_address[NI_MAXHOST]; - static char *remote_id_type, remote_id_addr_upper[NI_MAXHOST]; - static char *phase_1, remote_id_addr_lower[NI_MAXHOST]; - static char *remote_id_proto, remote_id_port[PMAX]; - static char remote_filter_port[PMAX], local_filter_port[PMAX]; - static char *remote_filter_proto, *local_filter_proto, *pfs; - static char *initiator, remote_filter_proto_num[3]; - static char local_filter_proto_num[3], remote_id_proto_num[3]; - static char phase1_group[PMAX]; - - /* Allocated. */ - static char *remote_filter = 0, *local_filter = 0, *remote_id = 0; - - static int dirty = 1; - - /* We only need to set dirty at initialization time really. */ - if (strcmp(name, KEYNOTE_CALLBACK_CLEANUP) == 0 - || strcmp(name, KEYNOTE_CALLBACK_INITIALIZE) == 0) { - esp_present = ah_present = comp_present = pfs = "no"; - ah_hash_alg = ah_auth_alg = phase_1 = ""; - esp_auth_alg = esp_enc_alg = comp_alg = ah_encapsulation = ""; - ah_ecn = esp_ecn = comp_ecn = "no"; - esp_encapsulation = comp_encapsulation = ""; - remote_filter_type = ""; - local_filter_type = remote_id_type = initiator = ""; - remote_filter_proto = local_filter_proto = ""; - remote_id_proto = ""; - - if (remote_filter != 0) { - free(remote_filter); - remote_filter = 0; - } - if (local_filter != 0) { - free(local_filter); - local_filter = 0; - } - if (remote_id != 0) { - free(remote_id); - remote_id = 0; - } - memset(remote_ike_address, 0, sizeof remote_ike_address); - memset(local_ike_address, 0, sizeof local_ike_address); - memset(ah_life_kbytes, 0, sizeof ah_life_kbytes); - memset(ah_life_seconds, 0, sizeof ah_life_seconds); - memset(esp_life_kbytes, 0, sizeof esp_life_kbytes); - memset(esp_life_seconds, 0, sizeof esp_life_seconds); - memset(comp_life_kbytes, 0, sizeof comp_life_kbytes); - memset(comp_life_seconds, 0, sizeof comp_life_seconds); - memset(ah_key_length, 0, sizeof ah_key_length); - memset(ah_key_rounds, 0, sizeof ah_key_rounds); - memset(esp_key_length, 0, sizeof esp_key_length); - memset(esp_key_rounds, 0, sizeof esp_key_rounds); - memset(comp_dict_size, 0, sizeof comp_dict_size); - memset(comp_private_alg, 0, sizeof comp_private_alg); - memset(remote_filter_addr_upper, 0, - sizeof remote_filter_addr_upper); - memset(remote_filter_addr_lower, 0, - sizeof remote_filter_addr_lower); - memset(local_filter_addr_upper, 0, - sizeof local_filter_addr_upper); - memset(local_filter_addr_lower, 0, - sizeof local_filter_addr_lower); - memset(remote_id_addr_upper, 0, sizeof remote_id_addr_upper); - memset(remote_id_addr_lower, 0, sizeof remote_id_addr_lower); - memset(ah_group_desc, 0, sizeof ah_group_desc); - memset(esp_group_desc, 0, sizeof esp_group_desc); - memset(remote_id_port, 0, sizeof remote_id_port); - memset(remote_filter_port, 0, sizeof remote_filter_port); - memset(local_filter_port, 0, sizeof local_filter_port); - memset(phase1_group, 0, sizeof phase1_group); - - dirty = 1; - return ""; - } - /* - * If dirty is set, this is the first request for an attribute, so - * populate our value cache. - */ - if (dirty) { - ie = policy_exchange->data; - - if (ie->pfs) - pfs = "yes"; - - is = policy_isakmp_sa->data; - snprintf(phase1_group, sizeof phase1_group, "%u", - is->group_desc); - - for (proto = TAILQ_FIRST(&policy_sa->protos); proto; - proto = TAILQ_NEXT(proto, link)) { - switch (proto->proto) { - case IPSEC_PROTO_IPSEC_AH: - ah_present = "yes"; - switch (proto->id) { - case IPSEC_AH_MD5: - ah_hash_alg = "md5"; - break; - - case IPSEC_AH_SHA: - ah_hash_alg = "sha"; - break; - - case IPSEC_AH_RIPEMD: - ah_hash_alg = "ripemd"; - break; - - case IPSEC_AH_SHA2_256: - ah_auth_alg = "sha2-256"; - break; - - case IPSEC_AH_SHA2_384: - ah_auth_alg = "sha2-384"; - break; - - case IPSEC_AH_SHA2_512: - ah_auth_alg = "sha2-512"; - break; - - case IPSEC_AH_DES: - ah_hash_alg = "des"; - break; - } - - break; - - case IPSEC_PROTO_IPSEC_ESP: - esp_present = "yes"; - switch (proto->id) { - case IPSEC_ESP_DES_IV64: - esp_enc_alg = "des-iv64"; - break; - - case IPSEC_ESP_DES: - esp_enc_alg = "des"; - break; - - case IPSEC_ESP_3DES: - esp_enc_alg = "3des"; - break; - - case IPSEC_ESP_AES: - case IPSEC_ESP_AES_128_CTR: - esp_enc_alg = "aes"; - break; - - case IPSEC_ESP_RC5: - esp_enc_alg = "rc5"; - break; - - case IPSEC_ESP_IDEA: - esp_enc_alg = "idea"; - break; - - case IPSEC_ESP_CAST: - esp_enc_alg = "cast"; - break; - - case IPSEC_ESP_BLOWFISH: - esp_enc_alg = "blowfish"; - break; - - case IPSEC_ESP_3IDEA: - esp_enc_alg = "3idea"; - break; - - case IPSEC_ESP_DES_IV32: - esp_enc_alg = "des-iv32"; - break; - - case IPSEC_ESP_RC4: - esp_enc_alg = "rc4"; - break; - - case IPSEC_ESP_NULL: - esp_enc_alg = "null"; - break; - } - - break; - - case IPSEC_PROTO_IPCOMP: - comp_present = "yes"; - switch (proto->id) { - case IPSEC_IPCOMP_OUI: - comp_alg = "oui"; - break; - - case IPSEC_IPCOMP_DEFLATE: - comp_alg = "deflate"; - break; - - case IPSEC_IPCOMP_LZS: - comp_alg = "lzs"; - break; - - case IPSEC_IPCOMP_V42BIS: - comp_alg = "v42bis"; - break; - } - - break; - } - - for (attr = proto->chosen->p + - ISAKMP_TRANSFORM_SA_ATTRS_OFF; - attr < proto->chosen->p + - GET_ISAKMP_GEN_LENGTH(proto->chosen->p); - attr = value + len) { - if (attr + ISAKMP_ATTR_VALUE_OFF > - (proto->chosen->p + - GET_ISAKMP_GEN_LENGTH(proto->chosen->p))) - return ""; - - type = GET_ISAKMP_ATTR_TYPE(attr); - fmt = ISAKMP_ATTR_FORMAT(type); - type = ISAKMP_ATTR_TYPE(type); - value = attr + (fmt ? - ISAKMP_ATTR_LENGTH_VALUE_OFF : - ISAKMP_ATTR_VALUE_OFF); - len = (fmt ? ISAKMP_ATTR_LENGTH_VALUE_LEN : - GET_ISAKMP_ATTR_LENGTH_VALUE(attr)); - - if (value + len > proto->chosen->p + - GET_ISAKMP_GEN_LENGTH(proto->chosen->p)) - return ""; - - switch (type) { - case IPSEC_ATTR_SA_LIFE_TYPE: - lifetype = decode_16(value); - break; - - case IPSEC_ATTR_SA_LIFE_DURATION: - switch (proto->proto) { - case IPSEC_PROTO_IPSEC_AH: - if (lifetype == IPSEC_DURATION_SECONDS) { - if (len == 2) - snprintf(ah_life_seconds, sizeof ah_life_seconds, - "%u", decode_16(value)); - else - snprintf(ah_life_seconds, sizeof ah_life_seconds, - "%u", decode_32(value)); - } else { - if (len == 2) - snprintf(ah_life_kbytes, sizeof ah_life_kbytes, - "%u", decode_16(value)); - else - snprintf(ah_life_kbytes, sizeof ah_life_kbytes, - "%u", decode_32(value)); - } - - break; - - case IPSEC_PROTO_IPSEC_ESP: - if (lifetype == IPSEC_DURATION_SECONDS) { - if (len == 2) - snprintf(esp_life_seconds, - sizeof esp_life_seconds, "%u", - decode_16(value)); - else - snprintf(esp_life_seconds, - sizeof esp_life_seconds, "%u", - decode_32(value)); - } else { - if (len == 2) - snprintf(esp_life_kbytes, - sizeof esp_life_kbytes, "%u", - decode_16(value)); - else - snprintf(esp_life_kbytes, - sizeof esp_life_kbytes, "%u", - decode_32(value)); - } - - break; - - case IPSEC_PROTO_IPCOMP: - if (lifetype == IPSEC_DURATION_SECONDS) { - if (len == 2) - snprintf(comp_life_seconds, - sizeof comp_life_seconds, "%u", - decode_16(value)); - else - snprintf(comp_life_seconds, - sizeof comp_life_seconds, "%u", - decode_32(value)); - } else { - if (len == 2) - snprintf(comp_life_kbytes, - sizeof comp_life_kbytes, "%u", - decode_16(value)); - else - snprintf(comp_life_kbytes, - sizeof comp_life_kbytes, "%u", - decode_32(value)); - } - break; - } - break; - - case IPSEC_ATTR_GROUP_DESCRIPTION: - switch (proto->proto) { - case IPSEC_PROTO_IPSEC_AH: - snprintf(ah_group_desc, - sizeof ah_group_desc, "%u", - decode_16(value)); - break; - - case IPSEC_PROTO_IPSEC_ESP: - snprintf(esp_group_desc, - sizeof esp_group_desc, "%u", - decode_16(value)); - break; - - case IPSEC_PROTO_IPCOMP: - snprintf(comp_group_desc, - sizeof comp_group_desc, "%u", - decode_16(value)); - break; - } - break; - - case IPSEC_ATTR_ECN_TUNNEL: - if (decode_16(value)) - switch (proto->proto) { - case IPSEC_PROTO_IPSEC_AH: - ah_ecn = "yes"; - break; - - case IPSEC_PROTO_IPSEC_ESP: - esp_ecn = "yes"; - break; - - case IPSEC_PROTO_IPCOMP: - comp_ecn = "yes"; - break; - } - - case IPSEC_ATTR_ENCAPSULATION_MODE: - if (decode_16(value) == IPSEC_ENCAP_TUNNEL) - switch (proto->proto) { - case IPSEC_PROTO_IPSEC_AH: - ah_encapsulation = "tunnel"; - break; - - case IPSEC_PROTO_IPSEC_ESP: - esp_encapsulation = "tunnel"; - break; - - case IPSEC_PROTO_IPCOMP: - comp_encapsulation = "tunnel"; - break; - } -#if defined (USE_NAT_TRAVERSAL) - else if (decode_16(value) == - IPSEC_ENCAP_UDP_ENCAP_TUNNEL || - decode_16(value) == - IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT) - switch (proto->proto) { - case IPSEC_PROTO_IPSEC_AH: - ah_encapsulation = "udp-encap-tunnel"; - break; - - case IPSEC_PROTO_IPSEC_ESP: - esp_encapsulation = "udp-encap-tunnel"; - break; - - case IPSEC_PROTO_IPCOMP: - comp_encapsulation = "udp-encap-tunnel"; - break; - } - /* XXX IPSEC_ENCAP_UDP_ENCAP_TRANSPORT */ -#endif - else - switch (proto->proto) { - case IPSEC_PROTO_IPSEC_AH: - ah_encapsulation = "transport"; - break; - - case IPSEC_PROTO_IPSEC_ESP: - esp_encapsulation = "transport"; - break; - - case IPSEC_PROTO_IPCOMP: - comp_encapsulation = "transport"; - break; - } - break; - - case IPSEC_ATTR_AUTHENTICATION_ALGORITHM: - switch (proto->proto) { - case IPSEC_PROTO_IPSEC_AH: - switch (decode_16(value)) { - case IPSEC_AUTH_HMAC_MD5: - ah_auth_alg = "hmac-md5"; - break; - - case IPSEC_AUTH_HMAC_SHA: - ah_auth_alg = "hmac-sha"; - break; - - case IPSEC_AUTH_HMAC_RIPEMD: - ah_auth_alg = "hmac-ripemd"; - break; - - case IPSEC_AUTH_HMAC_SHA2_256: - ah_auth_alg = "hmac-sha2-256"; - break; - - case IPSEC_AUTH_HMAC_SHA2_384: - ah_auth_alg = "hmac-sha2-384"; - break; - - case IPSEC_AUTH_HMAC_SHA2_512: - ah_auth_alg = "hmac-sha2-512"; - break; - - case IPSEC_AUTH_DES_MAC: - ah_auth_alg = "des-mac"; - break; - - case IPSEC_AUTH_KPDK: - ah_auth_alg = "kpdk"; - break; - } - break; - - case IPSEC_PROTO_IPSEC_ESP: - switch (decode_16(value)) { - case IPSEC_AUTH_HMAC_MD5: - esp_auth_alg = "hmac-md5"; - break; - - case IPSEC_AUTH_HMAC_SHA: - esp_auth_alg = "hmac-sha"; - break; - - case IPSEC_AUTH_HMAC_RIPEMD: - esp_auth_alg = "hmac-ripemd"; - break; - - case IPSEC_AUTH_HMAC_SHA2_256: - esp_auth_alg = "hmac-sha2-256"; - break; - - case IPSEC_AUTH_HMAC_SHA2_384: - esp_auth_alg = "hmac-sha2-384"; - break; - - case IPSEC_AUTH_HMAC_SHA2_512: - esp_auth_alg = "hmac-sha2-512"; - break; - - case IPSEC_AUTH_DES_MAC: - esp_auth_alg = "des-mac"; - break; - - case IPSEC_AUTH_KPDK: - esp_auth_alg = "kpdk"; - break; - } - break; - } - break; - - case IPSEC_ATTR_KEY_LENGTH: - switch (proto->proto) { - case IPSEC_PROTO_IPSEC_AH: - snprintf(ah_key_length, - sizeof ah_key_length, "%u", - decode_16(value)); - break; - - case IPSEC_PROTO_IPSEC_ESP: - snprintf(esp_key_length, - sizeof esp_key_length, "%u", - decode_16(value)); - break; - } - break; - - case IPSEC_ATTR_KEY_ROUNDS: - switch (proto->proto) { - case IPSEC_PROTO_IPSEC_AH: - snprintf(ah_key_rounds, - sizeof ah_key_rounds, "%u", - decode_16(value)); - break; - - case IPSEC_PROTO_IPSEC_ESP: - snprintf(esp_key_rounds, - sizeof esp_key_rounds, "%u", - decode_16(value)); - break; - } - break; - - case IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE: - snprintf(comp_dict_size, - sizeof comp_dict_size, "%u", - decode_16(value)); - break; - - case IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM: - snprintf(comp_private_alg, - sizeof comp_private_alg, "%u", - decode_16(value)); - break; - } - } - } - - policy_sa->transport->vtbl->get_src(policy_sa->transport, - &sin); - if (sockaddr2text(sin, &addr, 1)) { - log_error("policy_callback: sockaddr2text failed"); - goto bad; - } - strlcpy(local_ike_address, addr, sizeof local_ike_address); - free(addr); - - policy_sa->transport->vtbl->get_dst(policy_sa->transport, - &sin); - if (sockaddr2text(sin, &addr, 1)) { - log_error("policy_callback: sockaddr2text failed"); - goto bad; - } - strlcpy(remote_ike_address, addr, sizeof remote_ike_address); - free(addr); - - switch (policy_isakmp_sa->exch_type) { - case ISAKMP_EXCH_AGGRESSIVE: - phase_1 = "aggressive"; - break; - - case ISAKMP_EXCH_ID_PROT: - phase_1 = "main"; - break; - } - - if (policy_isakmp_sa->initiator) { - id = policy_isakmp_sa->id_r; - id_sz = policy_isakmp_sa->id_r_len; - } else { - id = policy_isakmp_sa->id_i; - id_sz = policy_isakmp_sa->id_i_len; - } - - switch (id[0]) { - case IPSEC_ID_IPV4_ADDR: - remote_id_type = "IPv4 address"; - - net = decode_32(id + ISAKMP_ID_DATA_OFF - - ISAKMP_GEN_SZ); - my_inet_ntop4(&net, remote_id_addr_upper, - sizeof remote_id_addr_upper - 1, 1); - my_inet_ntop4(&net, remote_id_addr_lower, - sizeof remote_id_addr_lower - 1, 1); - remote_id = strdup(remote_id_addr_upper); - if (!remote_id) { - log_error("policy_callback: " - "strdup (\"%s\") failed", - remote_id_addr_upper); - goto bad; - } - break; - - case IPSEC_ID_IPV4_RANGE: - remote_id_type = "IPv4 range"; - - net = decode_32(id + ISAKMP_ID_DATA_OFF - - ISAKMP_GEN_SZ); - my_inet_ntop4(&net, remote_id_addr_lower, - sizeof remote_id_addr_lower - 1, 1); - net = decode_32(id + ISAKMP_ID_DATA_OFF - - ISAKMP_GEN_SZ + 4); - my_inet_ntop4(&net, remote_id_addr_upper, - sizeof remote_id_addr_upper - 1, 1); - len = strlen(remote_id_addr_upper) + - strlen(remote_id_addr_lower) + 2; - remote_id = calloc(len, sizeof(char)); - if (!remote_id) { - log_error("policy_callback: " - "calloc (%d, %lu) failed", len, - (unsigned long)sizeof(char)); - goto bad; - } - strlcpy(remote_id, remote_id_addr_lower, len); - strlcat(remote_id, "-", len); - strlcat(remote_id, remote_id_addr_upper, len); - break; - - case IPSEC_ID_IPV4_ADDR_SUBNET: - remote_id_type = "IPv4 subnet"; - - net = decode_32(id + ISAKMP_ID_DATA_OFF - - ISAKMP_GEN_SZ); - subnet = decode_32(id + ISAKMP_ID_DATA_OFF - - ISAKMP_GEN_SZ + 4); - net &= subnet; - my_inet_ntop4(&net, remote_id_addr_lower, - sizeof remote_id_addr_lower - 1, 1); - net |= ~subnet; - my_inet_ntop4(&net, remote_id_addr_upper, - sizeof remote_id_addr_upper - 1, 1); - len = strlen(remote_id_addr_upper) + - strlen(remote_id_addr_lower) + 2; - remote_id = calloc(len, sizeof(char)); - if (!remote_id) { - log_error("policy_callback: " - "calloc (%d, %lu) failed", len, - (unsigned long)sizeof(char)); - goto bad; - } - strlcpy(remote_id, remote_id_addr_lower, len); - strlcat(remote_id, "-", len); - strlcat(remote_id, remote_id_addr_upper, len); - break; - - case IPSEC_ID_IPV6_ADDR: - remote_id_type = "IPv6 address"; - my_inet_ntop6(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, - remote_id_addr_upper, sizeof remote_id_addr_upper); - strlcpy(remote_id_addr_lower, remote_id_addr_upper, - sizeof remote_id_addr_lower); - remote_id = strdup(remote_id_addr_upper); - if (!remote_id) { - log_error("policy_callback: " - "strdup (\"%s\") failed", - remote_id_addr_upper); - goto bad; - } - break; - - case IPSEC_ID_IPV6_RANGE: - remote_id_type = "IPv6 range"; - - my_inet_ntop6(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, - remote_id_addr_lower, - sizeof remote_id_addr_lower - 1); - - my_inet_ntop6(id + ISAKMP_ID_DATA_OFF - - ISAKMP_GEN_SZ + 16, remote_id_addr_upper, - sizeof remote_id_addr_upper - 1); - - len = strlen(remote_id_addr_upper) + - strlen(remote_id_addr_lower) + 2; - remote_id = calloc(len, sizeof(char)); - if (!remote_id) { - log_error("policy_callback: " - "calloc (%d, %lu) failed", len, - (unsigned long)sizeof(char)); - goto bad; - } - strlcpy(remote_id, remote_id_addr_lower, len); - strlcat(remote_id, "-", len); - strlcat(remote_id, remote_id_addr_upper, len); - break; - - case IPSEC_ID_IPV6_ADDR_SUBNET: - { - struct in6_addr net, mask; - - remote_id_type = "IPv6 subnet"; - - bcopy(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, &net, - sizeof(net)); - bcopy(id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ + 16, - &mask, sizeof(mask)); - - for (i = 0; i < 16; i++) - net.s6_addr[i] &= mask.s6_addr[i]; - - my_inet_ntop6((unsigned char *)&net, - remote_id_addr_lower, - sizeof remote_id_addr_lower - 1); - - for (i = 0; i < 16; i++) - net.s6_addr[i] |= ~mask.s6_addr[i]; - - my_inet_ntop6((unsigned char *)&net, - remote_id_addr_upper, - sizeof remote_id_addr_upper - 1); - - len = strlen(remote_id_addr_upper) + - strlen(remote_id_addr_lower) + 2; - remote_id = calloc(len, sizeof(char)); - if (!remote_id) { - log_error("policy_callback: " - "calloc (%d, %lu) failed", len, - (unsigned long)sizeof(char)); - goto bad; - } - strlcpy(remote_id, remote_id_addr_lower, len); - strlcat(remote_id, "-", len); - strlcat(remote_id, remote_id_addr_upper, len); - break; - } - - case IPSEC_ID_FQDN: - remote_id_type = "FQDN"; - remote_id = calloc(id_sz - ISAKMP_ID_DATA_OFF + - ISAKMP_GEN_SZ + 1, sizeof(char)); - if (!remote_id) { - log_error("policy_callback: " - "calloc (%lu, %lu) failed", - (unsigned long)id_sz - ISAKMP_ID_DATA_OFF + - ISAKMP_GEN_SZ + 1, - (unsigned long)sizeof(char)); - goto bad; - } - memcpy(remote_id, - id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, - id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); - break; - - case IPSEC_ID_USER_FQDN: - remote_id_type = "User FQDN"; - remote_id = calloc(id_sz - ISAKMP_ID_DATA_OFF + - ISAKMP_GEN_SZ + 1, sizeof(char)); - if (!remote_id) { - log_error("policy_callback: " - "calloc (%lu, %lu) failed", - (unsigned long)id_sz - ISAKMP_ID_DATA_OFF + - ISAKMP_GEN_SZ + 1, - (unsigned long)sizeof(char)); - goto bad; - } - memcpy(remote_id, - id + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ, - id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); - break; - - case IPSEC_ID_DER_ASN1_DN: - remote_id_type = "ASN1 DN"; - - remote_id = x509_DN_string(id + ISAKMP_ID_DATA_OFF - - ISAKMP_GEN_SZ, - id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ); - if (!remote_id) { - LOG_DBG((LOG_POLICY, 50, - "policy_callback: failed to decode name")); - goto bad; - } - break; - - case IPSEC_ID_DER_ASN1_GN: /* XXX */ - remote_id_type = "ASN1 GN"; - break; - - case IPSEC_ID_KEY_ID: - remote_id_type = "Key ID"; - remote_id = calloc(2 * (id_sz - ISAKMP_ID_DATA_OFF + - ISAKMP_GEN_SZ) + 1, sizeof(char)); - if (!remote_id) { - log_error("policy_callback: " - "calloc (%lu, %lu) failed", - 2 * ((unsigned long)id_sz - - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) + 1, - (unsigned long)sizeof(char)); - goto bad; - } - /* Does it contain any non-printable characters ? */ - for (i = 0; - i < id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ; - i++) - if (!isprint(*(id + ISAKMP_ID_DATA_OFF - - ISAKMP_GEN_SZ + i))) - break; - if (i >= id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ) { - memcpy(remote_id, id + ISAKMP_ID_DATA_OFF - - ISAKMP_GEN_SZ, - id_sz - ISAKMP_ID_DATA_OFF + - ISAKMP_GEN_SZ); - break; - } - /* Non-printable characters, convert to hex */ - for (i = 0; - i < id_sz - ISAKMP_ID_DATA_OFF + ISAKMP_GEN_SZ; - i++) { - remote_id[2 * i] = hextab[*(id + - ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) >> 4]; - remote_id[2 * i + 1] = hextab[*(id + - ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ) & 0xF]; - } - break; - - default: - log_print("policy_callback: " - "unknown remote ID type %u", id[0]); - goto bad; - } - - switch (id[1]) { - case IPPROTO_TCP: - remote_id_proto = "tcp"; - break; - - case IPPROTO_UDP: - remote_id_proto = "udp"; - break; - -#ifdef IPPROTO_ETHERIP - case IPPROTO_ETHERIP: - remote_id_proto = "etherip"; - break; -#endif - - default: - snprintf(remote_id_proto_num, - sizeof remote_id_proto_num, "%d", - id[1]); - remote_id_proto = remote_id_proto_num; - break; - } - - snprintf(remote_id_port, sizeof remote_id_port, "%u", - decode_16(id + 2)); - - if (policy_exchange->initiator) { - initiator = "yes"; - idlocal = ie->id_ci; - idremote = ie->id_cr; - idlocalsz = ie->id_ci_sz; - idremotesz = ie->id_cr_sz; - } else { - initiator = "no"; - idlocal = ie->id_cr; - idremote = ie->id_ci; - idlocalsz = ie->id_cr_sz; - idremotesz = ie->id_ci_sz; - } - - /* Initialize the ID variables. */ - if (idremote) { - switch (GET_ISAKMP_ID_TYPE(idremote)) { - case IPSEC_ID_IPV4_ADDR: - remote_filter_type = "IPv4 address"; - - net = decode_32(idremote + ISAKMP_ID_DATA_OFF); - my_inet_ntop4(&net, remote_filter_addr_upper, - sizeof remote_filter_addr_upper - 1, 1); - my_inet_ntop4(&net, remote_filter_addr_lower, - sizeof remote_filter_addr_lower - 1, 1); - remote_filter = - strdup(remote_filter_addr_upper); - if (!remote_filter) { - log_error("policy_callback: strdup " - "(\"%s\") failed", - remote_filter_addr_upper); - goto bad; - } - break; - - case IPSEC_ID_IPV4_RANGE: - remote_filter_type = "IPv4 range"; - - net = decode_32(idremote + ISAKMP_ID_DATA_OFF); - my_inet_ntop4(&net, remote_filter_addr_lower, - sizeof remote_filter_addr_lower - 1, 1); - net = decode_32(idremote + ISAKMP_ID_DATA_OFF + - 4); - my_inet_ntop4(&net, remote_filter_addr_upper, - sizeof remote_filter_addr_upper - 1, 1); - len = strlen(remote_filter_addr_upper) + - strlen(remote_filter_addr_lower) + 2; - remote_filter = calloc(len, sizeof(char)); - if (!remote_filter) { - log_error("policy_callback: calloc " - "(%d, %lu) failed", len, - (unsigned long)sizeof(char)); - goto bad; - } - strlcpy(remote_filter, - remote_filter_addr_lower, len); - strlcat(remote_filter, "-", len); - strlcat(remote_filter, - remote_filter_addr_upper, len); - break; - - case IPSEC_ID_IPV4_ADDR_SUBNET: - remote_filter_type = "IPv4 subnet"; - - net = decode_32(idremote + ISAKMP_ID_DATA_OFF); - subnet = decode_32(idremote + - ISAKMP_ID_DATA_OFF + 4); - net &= subnet; - my_inet_ntop4(&net, remote_filter_addr_lower, - sizeof remote_filter_addr_lower - 1, 1); - net |= ~subnet; - my_inet_ntop4(&net, remote_filter_addr_upper, - sizeof remote_filter_addr_upper - 1, 1); - len = strlen(remote_filter_addr_upper) + - strlen(remote_filter_addr_lower) + 2; - remote_filter = calloc(len, sizeof(char)); - if (!remote_filter) { - log_error("policy_callback: calloc " - "(%d, %lu) failed", len, - (unsigned long)sizeof(char)); - goto bad; - } - strlcpy(remote_filter, - remote_filter_addr_lower, len); - strlcat(remote_filter, "-", len); - strlcat(remote_filter, - remote_filter_addr_upper, len); - break; - - case IPSEC_ID_IPV6_ADDR: - remote_filter_type = "IPv6 address"; - my_inet_ntop6(idremote + ISAKMP_ID_DATA_OFF, - remote_filter_addr_upper, - sizeof remote_filter_addr_upper - 1); - strlcpy(remote_filter_addr_lower, - remote_filter_addr_upper, - sizeof remote_filter_addr_lower); - remote_filter = - strdup(remote_filter_addr_upper); - if (!remote_filter) { - log_error("policy_callback: strdup " - "(\"%s\") failed", - remote_filter_addr_upper); - goto bad; - } - break; - - case IPSEC_ID_IPV6_RANGE: - remote_filter_type = "IPv6 range"; - - my_inet_ntop6(idremote + ISAKMP_ID_DATA_OFF, - remote_filter_addr_lower, - sizeof remote_filter_addr_lower - 1); - - my_inet_ntop6(idremote + ISAKMP_ID_DATA_OFF + - 16, remote_filter_addr_upper, - sizeof remote_filter_addr_upper - 1); - - len = strlen(remote_filter_addr_upper) + - strlen(remote_filter_addr_lower) + 2; - remote_filter = calloc(len, sizeof(char)); - if (!remote_filter) { - log_error("policy_callback: calloc " - "(%d, %lu) failed", len, - (unsigned long)sizeof(char)); - goto bad; - } - strlcpy(remote_filter, - remote_filter_addr_lower, len); - strlcat(remote_filter, "-", len); - strlcat(remote_filter, - remote_filter_addr_upper, len); - break; - - case IPSEC_ID_IPV6_ADDR_SUBNET: - { - struct in6_addr net, mask; - - remote_filter_type = "IPv6 subnet"; - - bcopy(idremote + ISAKMP_ID_DATA_OFF, - &net, sizeof(net)); - bcopy(idremote + ISAKMP_ID_DATA_OFF + - 16, &mask, sizeof(mask)); - - for (i = 0; i < 16; i++) - net.s6_addr[i] &= - mask.s6_addr[i]; - - my_inet_ntop6((unsigned char *)&net, - remote_filter_addr_lower, - sizeof remote_filter_addr_lower - 1); - - for (i = 0; i < 16; i++) - net.s6_addr[i] |= - ~mask.s6_addr[i]; - - my_inet_ntop6((unsigned char *)&net, - remote_filter_addr_upper, - sizeof remote_filter_addr_upper - 1); - - len = strlen(remote_filter_addr_upper) - + strlen(remote_filter_addr_lower) + 2; - remote_filter = calloc(len, - sizeof(char)); - if (!remote_filter) { - log_error("policy_callback: " - "calloc (%d, %lu) failed", - len, - (unsigned long)sizeof(char)); - goto bad; - } - strlcpy(remote_filter, - remote_filter_addr_lower, len); - strlcat(remote_filter, "-", len); - strlcat(remote_filter, - remote_filter_addr_upper, len); - break; - } - - case IPSEC_ID_FQDN: - remote_filter_type = "FQDN"; - remote_filter = malloc(idremotesz - - ISAKMP_ID_DATA_OFF + 1); - if (!remote_filter) { - log_error("policy_callback: " - "malloc (%lu) failed", - (unsigned long)idremotesz - - ISAKMP_ID_DATA_OFF + 1); - goto bad; - } - memcpy(remote_filter, - idremote + ISAKMP_ID_DATA_OFF, - idremotesz - ISAKMP_ID_DATA_OFF); - remote_filter[idremotesz - ISAKMP_ID_DATA_OFF] - = '\0'; - break; - - case IPSEC_ID_USER_FQDN: - remote_filter_type = "User FQDN"; - remote_filter = malloc(idremotesz - - ISAKMP_ID_DATA_OFF + 1); - if (!remote_filter) { - log_error("policy_callback: " - "malloc (%lu) failed", - (unsigned long)idremotesz - - ISAKMP_ID_DATA_OFF + 1); - goto bad; - } - memcpy(remote_filter, - idremote + ISAKMP_ID_DATA_OFF, - idremotesz - ISAKMP_ID_DATA_OFF); - remote_filter[idremotesz - ISAKMP_ID_DATA_OFF] - = '\0'; - break; - - case IPSEC_ID_DER_ASN1_DN: - remote_filter_type = "ASN1 DN"; - - remote_filter = x509_DN_string(idremote + - ISAKMP_ID_DATA_OFF, - idremotesz - ISAKMP_ID_DATA_OFF); - if (!remote_filter) { - LOG_DBG((LOG_POLICY, 50, - "policy_callback: " - "failed to decode name")); - goto bad; - } - break; - - case IPSEC_ID_DER_ASN1_GN: /* XXX -- not sure - * what's in this. */ - remote_filter_type = "ASN1 GN"; - break; - - case IPSEC_ID_KEY_ID: - remote_filter_type = "Key ID"; - remote_filter - = calloc(2 * (idremotesz - - ISAKMP_ID_DATA_OFF) + 1, - sizeof(char)); - if (!remote_filter) { - log_error("policy_callback: " - "calloc (%lu, %lu) failed", - 2 * ((unsigned long)idremotesz - - ISAKMP_ID_DATA_OFF) + 1, - (unsigned long)sizeof(char)); - goto bad; - } - /* - * Does it contain any non-printable - * characters ? - */ - for (i = 0; - i < idremotesz - ISAKMP_ID_DATA_OFF; i++) - if (!isprint(*(idremote + - ISAKMP_ID_DATA_OFF + i))) - break; - if (i >= idremotesz - ISAKMP_ID_DATA_OFF) { - memcpy(remote_filter, - idremote + ISAKMP_ID_DATA_OFF, - idremotesz - ISAKMP_ID_DATA_OFF); - break; - } - /* Non-printable characters, convert to hex */ - for (i = 0; - i < idremotesz - ISAKMP_ID_DATA_OFF; - i++) { - remote_filter[2 * i] - = hextab[*(idremote + - ISAKMP_ID_DATA_OFF) >> 4]; - remote_filter[2 * i + 1] - = hextab[*(idremote + - ISAKMP_ID_DATA_OFF) & 0xF]; - } - break; - - default: - log_print("policy_callback: " - "unknown Remote ID type %u", - GET_ISAKMP_ID_TYPE(idremote)); - goto bad; - } - - switch (idremote[ISAKMP_GEN_SZ + 1]) { - case IPPROTO_TCP: - remote_filter_proto = "tcp"; - break; - - case IPPROTO_UDP: - remote_filter_proto = "udp"; - break; - -#ifdef IPPROTO_ETHERIP - case IPPROTO_ETHERIP: - remote_filter_proto = "etherip"; - break; -#endif - - default: - snprintf(remote_filter_proto_num, - sizeof remote_filter_proto_num, "%d", - idremote[ISAKMP_GEN_SZ + 1]); - remote_filter_proto = remote_filter_proto_num; - break; - } - - snprintf(remote_filter_port, sizeof remote_filter_port, - "%u", decode_16(idremote + ISAKMP_GEN_SZ + 2)); - } else { - policy_sa->transport->vtbl->get_dst(policy_sa->transport, &sin); - switch (sin->sa_family) { - case AF_INET: - remote_filter_type = "IPv4 address"; - break; - case AF_INET6: - remote_filter_type = "IPv6 address"; - break; - default: - log_print("policy_callback: " - "unsupported protocol family %d", - sin->sa_family); - goto bad; - } - if (sockaddr2text(sin, &addr, 1)) { - log_error("policy_callback: " - "sockaddr2text failed"); - goto bad; - } - memcpy(remote_filter_addr_upper, addr, - sizeof remote_filter_addr_upper); - memcpy(remote_filter_addr_lower, addr, - sizeof remote_filter_addr_lower); - free(addr); - remote_filter = strdup(remote_filter_addr_upper); - if (!remote_filter) { - log_error("policy_callback: " - "strdup (\"%s\") failed", - remote_filter_addr_upper); - goto bad; - } - } - - if (idlocal) { - switch (GET_ISAKMP_ID_TYPE(idlocal)) { - case IPSEC_ID_IPV4_ADDR: - local_filter_type = "IPv4 address"; - - net = decode_32(idlocal + ISAKMP_ID_DATA_OFF); - my_inet_ntop4(&net, local_filter_addr_upper, - sizeof local_filter_addr_upper - 1, 1); - my_inet_ntop4(&net, local_filter_addr_lower, - sizeof local_filter_addr_upper - 1, 1); - local_filter = strdup(local_filter_addr_upper); - if (!local_filter) { - log_error("policy_callback: " - "strdup (\"%s\") failed", - local_filter_addr_upper); - goto bad; - } - break; - - case IPSEC_ID_IPV4_RANGE: - local_filter_type = "IPv4 range"; - - net = decode_32(idlocal + ISAKMP_ID_DATA_OFF); - my_inet_ntop4(&net, local_filter_addr_lower, - sizeof local_filter_addr_lower - 1, 1); - net = decode_32(idlocal + ISAKMP_ID_DATA_OFF + - 4); - my_inet_ntop4(&net, local_filter_addr_upper, - sizeof local_filter_addr_upper - 1, 1); - len = strlen(local_filter_addr_upper) - + strlen(local_filter_addr_lower) + 2; - local_filter = calloc(len, sizeof(char)); - if (!local_filter) { - log_error("policy_callback: " - "calloc (%d, %lu) failed", len, - (unsigned long)sizeof(char)); - goto bad; - } - strlcpy(local_filter, local_filter_addr_lower, - len); - strlcat(local_filter, "-", len); - strlcat(local_filter, local_filter_addr_upper, - len); - break; - - case IPSEC_ID_IPV4_ADDR_SUBNET: - local_filter_type = "IPv4 subnet"; - - net = decode_32(idlocal + ISAKMP_ID_DATA_OFF); - subnet = decode_32(idlocal + - ISAKMP_ID_DATA_OFF + 4); - net &= subnet; - my_inet_ntop4(&net, local_filter_addr_lower, - sizeof local_filter_addr_lower - 1, 1); - net |= ~subnet; - my_inet_ntop4(&net, local_filter_addr_upper, - sizeof local_filter_addr_upper - 1, 1); - len = strlen(local_filter_addr_upper) - + strlen(local_filter_addr_lower) + 2; - local_filter = calloc(len, sizeof(char)); - if (!local_filter) { - log_error("policy_callback: " - "calloc (%d, %lu) failed", len, - (unsigned long)sizeof(char)); - goto bad; - } - strlcpy(local_filter, local_filter_addr_lower, - len); - strlcat(local_filter, "-", len); - strlcat(local_filter, local_filter_addr_upper, - len); - break; - - case IPSEC_ID_IPV6_ADDR: - local_filter_type = "IPv6 address"; - my_inet_ntop6(idlocal + ISAKMP_ID_DATA_OFF, - local_filter_addr_upper, - sizeof local_filter_addr_upper - 1); - strlcpy(local_filter_addr_lower, - local_filter_addr_upper, - sizeof local_filter_addr_lower); - local_filter = strdup(local_filter_addr_upper); - if (!local_filter) { - log_error("policy_callback: " - "strdup (\"%s\") failed", - local_filter_addr_upper); - goto bad; - } - break; - - case IPSEC_ID_IPV6_RANGE: - local_filter_type = "IPv6 range"; - - my_inet_ntop6(idlocal + ISAKMP_ID_DATA_OFF, - local_filter_addr_lower, - sizeof local_filter_addr_lower - 1); - - my_inet_ntop6(idlocal + ISAKMP_ID_DATA_OFF + - 16, local_filter_addr_upper, - sizeof local_filter_addr_upper - 1); - - len = strlen(local_filter_addr_upper) - + strlen(local_filter_addr_lower) + 2; - local_filter = calloc(len, sizeof(char)); - if (!local_filter) { - log_error("policy_callback: " - "calloc (%d, %lu) failed", len, - (unsigned long)sizeof(char)); - goto bad; - } - strlcpy(local_filter, local_filter_addr_lower, - len); - strlcat(local_filter, "-", len); - strlcat(local_filter, local_filter_addr_upper, - len); - break; - - case IPSEC_ID_IPV6_ADDR_SUBNET: - { - struct in6_addr net, mask; - - local_filter_type = "IPv6 subnet"; - - bcopy(idlocal + ISAKMP_ID_DATA_OFF, - &net, sizeof(net)); - bcopy(idlocal + ISAKMP_ID_DATA_OFF + - 16, &mask, sizeof(mask)); - - for (i = 0; i < 16; i++) - net.s6_addr[i] &= - mask.s6_addr[i]; - - my_inet_ntop6((unsigned char *)&net, - local_filter_addr_lower, - sizeof local_filter_addr_lower - 1); - - for (i = 0; i < 16; i++) - net.s6_addr[i] |= - ~mask.s6_addr[i]; - - my_inet_ntop6((unsigned char *)&net, - local_filter_addr_upper, - sizeof local_filter_addr_upper - - 1); - - len = strlen(local_filter_addr_upper) - + strlen(local_filter_addr_lower) - + 2; - local_filter = calloc(len, - sizeof(char)); - if (!local_filter) { - log_error("policy_callback: " - "calloc (%d, %lu) failed", - len, - (unsigned long)sizeof(char)); - goto bad; - } - strlcpy(local_filter, - local_filter_addr_lower, len); - strlcat(local_filter, "-", len); - strlcat(local_filter, - local_filter_addr_upper, len); - break; - } - - case IPSEC_ID_FQDN: - local_filter_type = "FQDN"; - local_filter = malloc(idlocalsz - - ISAKMP_ID_DATA_OFF + 1); - if (!local_filter) { - log_error("policy_callback: " - "malloc (%lu) failed", - (unsigned long)idlocalsz - - ISAKMP_ID_DATA_OFF + 1); - goto bad; - } - memcpy(local_filter, - idlocal + ISAKMP_ID_DATA_OFF, - idlocalsz - ISAKMP_ID_DATA_OFF); - local_filter[idlocalsz - ISAKMP_ID_DATA_OFF] - = '\0'; - break; - - case IPSEC_ID_USER_FQDN: - local_filter_type = "User FQDN"; - local_filter = malloc(idlocalsz - - ISAKMP_ID_DATA_OFF + 1); - if (!local_filter) { - log_error("policy_callback: " - "malloc (%lu) failed", - (unsigned long)idlocalsz - - ISAKMP_ID_DATA_OFF + 1); - goto bad; - } - memcpy(local_filter, - idlocal + ISAKMP_ID_DATA_OFF, - idlocalsz - ISAKMP_ID_DATA_OFF); - local_filter[idlocalsz - ISAKMP_ID_DATA_OFF] - = '\0'; - break; - - case IPSEC_ID_DER_ASN1_DN: - local_filter_type = "ASN1 DN"; - - local_filter = x509_DN_string(idlocal + - ISAKMP_ID_DATA_OFF, - idlocalsz - ISAKMP_ID_DATA_OFF); - if (!local_filter) { - LOG_DBG((LOG_POLICY, 50, - "policy_callback: failed to decode" - " name")); - goto bad; - } - break; - - case IPSEC_ID_DER_ASN1_GN: - /* XXX -- not sure what's in this. */ - local_filter_type = "ASN1 GN"; - break; - - case IPSEC_ID_KEY_ID: - local_filter_type = "Key ID"; - local_filter = calloc(2 * (idlocalsz - - ISAKMP_ID_DATA_OFF) + 1, - sizeof(char)); - if (!local_filter) { - log_error("policy_callback: " - "calloc (%lu, %lu) failed", - 2 * ((unsigned long)idlocalsz - - ISAKMP_ID_DATA_OFF) + 1, - (unsigned long)sizeof(char)); - goto bad; - } - /* - * Does it contain any non-printable - * characters ? - */ - for (i = 0; - i < idlocalsz - ISAKMP_ID_DATA_OFF; i++) - if (!isprint(*(idlocal + - ISAKMP_ID_DATA_OFF + i))) - break; - if (i >= idlocalsz - ISAKMP_ID_DATA_OFF) { - memcpy(local_filter, idlocal + - ISAKMP_ID_DATA_OFF, - idlocalsz - ISAKMP_ID_DATA_OFF); - break; - } - /* Non-printable characters, convert to hex */ - for (i = 0; - i < idlocalsz - ISAKMP_ID_DATA_OFF; i++) { - local_filter[2 * i] - = hextab[*(idlocal + - ISAKMP_ID_DATA_OFF) >> 4]; - local_filter[2 * i + 1] - = hextab[*(idlocal + - ISAKMP_ID_DATA_OFF) & 0xF]; - } - break; - - default: - log_print("policy_callback: " - "unknown Local ID type %u", - GET_ISAKMP_ID_TYPE(idlocal)); - goto bad; - } - - switch (idlocal[ISAKMP_GEN_SZ + 1]) { - case IPPROTO_TCP: - local_filter_proto = "tcp"; - break; - - case IPPROTO_UDP: - local_filter_proto = "udp"; - break; - -#ifdef IPPROTO_ETHERIP - case IPPROTO_ETHERIP: - local_filter_proto = "etherip"; - break; -#endif - - default: - snprintf(local_filter_proto_num, - sizeof local_filter_proto_num, - "%d", idlocal[ISAKMP_GEN_SZ + 1]); - local_filter_proto = local_filter_proto_num; - break; - } - - snprintf(local_filter_port, sizeof local_filter_port, - "%u", decode_16(idlocal + ISAKMP_GEN_SZ + 2)); - } else { - policy_sa->transport->vtbl->get_src(policy_sa->transport, - (struct sockaddr **)&sin); - switch (sin->sa_family) { - case AF_INET: - local_filter_type = "IPv4 address"; - break; - case AF_INET6: - local_filter_type = "IPv6 address"; - break; - default: - log_print("policy_callback: " - "unsupported protocol family %d", - sin->sa_family); - goto bad; - } - - if (sockaddr2text(sin, &addr, 1)) { - log_error("policy_callback: " - "sockaddr2text failed"); - goto bad; - } - memcpy(local_filter_addr_upper, addr, - sizeof local_filter_addr_upper); - memcpy(local_filter_addr_lower, addr, - sizeof local_filter_addr_lower); - free(addr); - local_filter = strdup(local_filter_addr_upper); - if (!local_filter) { - log_error("policy_callback: " - "strdup (\"%s\") failed", - local_filter_addr_upper); - goto bad; - } - } - - LOG_DBG((LOG_POLICY, 80, - "Policy context (action attributes):")); - LOG_DBG((LOG_POLICY, 80, "esp_present == %s", esp_present)); - LOG_DBG((LOG_POLICY, 80, "ah_present == %s", ah_present)); - LOG_DBG((LOG_POLICY, 80, "comp_present == %s", comp_present)); - LOG_DBG((LOG_POLICY, 80, "ah_hash_alg == %s", ah_hash_alg)); - LOG_DBG((LOG_POLICY, 80, "esp_enc_alg == %s", esp_enc_alg)); - LOG_DBG((LOG_POLICY, 80, "comp_alg == %s", comp_alg)); - LOG_DBG((LOG_POLICY, 80, "ah_auth_alg == %s", ah_auth_alg)); - LOG_DBG((LOG_POLICY, 80, "esp_auth_alg == %s", esp_auth_alg)); - LOG_DBG((LOG_POLICY, 80, "ah_life_seconds == %s", - ah_life_seconds)); - LOG_DBG((LOG_POLICY, 80, "ah_life_kbytes == %s", - ah_life_kbytes)); - LOG_DBG((LOG_POLICY, 80, "esp_life_seconds == %s", - esp_life_seconds)); - LOG_DBG((LOG_POLICY, 80, "esp_life_kbytes == %s", - esp_life_kbytes)); - LOG_DBG((LOG_POLICY, 80, "comp_life_seconds == %s", - comp_life_seconds)); - LOG_DBG((LOG_POLICY, 80, "comp_life_kbytes == %s", - comp_life_kbytes)); - LOG_DBG((LOG_POLICY, 80, "ah_encapsulation == %s", - ah_encapsulation)); - LOG_DBG((LOG_POLICY, 80, "esp_encapsulation == %s", - esp_encapsulation)); - LOG_DBG((LOG_POLICY, 80, "comp_encapsulation == %s", - comp_encapsulation)); - LOG_DBG((LOG_POLICY, 80, "comp_dict_size == %s", - comp_dict_size)); - LOG_DBG((LOG_POLICY, 80, "comp_private_alg == %s", - comp_private_alg)); - LOG_DBG((LOG_POLICY, 80, "ah_key_length == %s", - ah_key_length)); - LOG_DBG((LOG_POLICY, 80, "ah_key_rounds == %s", - ah_key_rounds)); - LOG_DBG((LOG_POLICY, 80, "esp_key_length == %s", - esp_key_length)); - LOG_DBG((LOG_POLICY, 80, "esp_key_rounds == %s", - esp_key_rounds)); - LOG_DBG((LOG_POLICY, 80, "ah_group_desc == %s", - ah_group_desc)); - LOG_DBG((LOG_POLICY, 80, "esp_group_desc == %s", - esp_group_desc)); - LOG_DBG((LOG_POLICY, 80, "comp_group_desc == %s", - comp_group_desc)); - LOG_DBG((LOG_POLICY, 80, "ah_ecn == %s", ah_ecn)); - LOG_DBG((LOG_POLICY, 80, "esp_ecn == %s", esp_ecn)); - LOG_DBG((LOG_POLICY, 80, "comp_ecn == %s", comp_ecn)); - LOG_DBG((LOG_POLICY, 80, "remote_filter_type == %s", - remote_filter_type)); - LOG_DBG((LOG_POLICY, 80, "remote_filter_addr_upper == %s", - remote_filter_addr_upper)); - LOG_DBG((LOG_POLICY, 80, "remote_filter_addr_lower == %s", - remote_filter_addr_lower)); - LOG_DBG((LOG_POLICY, 80, "remote_filter == %s", - (remote_filter ? remote_filter : ""))); - LOG_DBG((LOG_POLICY, 80, "remote_filter_port == %s", - remote_filter_port)); - LOG_DBG((LOG_POLICY, 80, "remote_filter_proto == %s", - remote_filter_proto)); - LOG_DBG((LOG_POLICY, 80, "local_filter_type == %s", - local_filter_type)); - LOG_DBG((LOG_POLICY, 80, "local_filter_addr_upper == %s", - local_filter_addr_upper)); - LOG_DBG((LOG_POLICY, 80, "local_filter_addr_lower == %s", - local_filter_addr_lower)); - LOG_DBG((LOG_POLICY, 80, "local_filter == %s", - (local_filter ? local_filter : ""))); - LOG_DBG((LOG_POLICY, 80, "local_filter_port == %s", - local_filter_port)); - LOG_DBG((LOG_POLICY, 80, "local_filter_proto == %s", - local_filter_proto)); - LOG_DBG((LOG_POLICY, 80, "remote_id_type == %s", - remote_id_type)); - LOG_DBG((LOG_POLICY, 80, "remote_id_addr_upper == %s", - remote_id_addr_upper)); - LOG_DBG((LOG_POLICY, 80, "remote_id_addr_lower == %s", - remote_id_addr_lower)); - LOG_DBG((LOG_POLICY, 80, "remote_id == %s", - (remote_id ? remote_id : ""))); - LOG_DBG((LOG_POLICY, 80, "remote_id_port == %s", - remote_id_port)); - LOG_DBG((LOG_POLICY, 80, "remote_id_proto == %s", - remote_id_proto)); - LOG_DBG((LOG_POLICY, 80, "remote_negotiation_address == %s", - remote_ike_address)); - LOG_DBG((LOG_POLICY, 80, "local_negotiation_address == %s", - local_ike_address)); - LOG_DBG((LOG_POLICY, 80, "pfs == %s", pfs)); - LOG_DBG((LOG_POLICY, 80, "initiator == %s", initiator)); - LOG_DBG((LOG_POLICY, 80, "phase1_group_desc == %s", - phase1_group)); - - /* Unset dirty now. */ - dirty = 0; - } - if (strcmp(name, "phase_1") == 0) - return phase_1; - - if (strcmp(name, "GMTTimeOfDay") == 0) { - tt = time((time_t)NULL); - strftime(mytimeofday, 14, "%Y%m%d%H%M%S", gmtime(&tt)); - return mytimeofday; - } - if (strcmp(name, "LocalTimeOfDay") == 0) { - tt = time((time_t)NULL); - strftime(mytimeofday, 14, "%Y%m%d%H%M%S", localtime(&tt)); - return mytimeofday; - } - if (strcmp(name, "initiator") == 0) - return initiator; - - if (strcmp(name, "pfs") == 0) - return pfs; - - if (strcmp(name, "app_domain") == 0) - return "IPsec policy"; - - if (strcmp(name, "doi") == 0) - return "ipsec"; - - if (strcmp(name, "esp_present") == 0) - return esp_present; - - if (strcmp(name, "ah_present") == 0) - return ah_present; - - if (strcmp(name, "comp_present") == 0) - return comp_present; - - if (strcmp(name, "ah_hash_alg") == 0) - return ah_hash_alg; - - if (strcmp(name, "ah_auth_alg") == 0) - return ah_auth_alg; - - if (strcmp(name, "esp_auth_alg") == 0) - return esp_auth_alg; - - if (strcmp(name, "esp_enc_alg") == 0) - return esp_enc_alg; - - if (strcmp(name, "comp_alg") == 0) - return comp_alg; - - if (strcmp(name, "ah_life_kbytes") == 0) - return ah_life_kbytes; - - if (strcmp(name, "ah_life_seconds") == 0) - return ah_life_seconds; - - if (strcmp(name, "esp_life_kbytes") == 0) - return esp_life_kbytes; - - if (strcmp(name, "esp_life_seconds") == 0) - return esp_life_seconds; - - if (strcmp(name, "comp_life_kbytes") == 0) - return comp_life_kbytes; - - if (strcmp(name, "comp_life_seconds") == 0) - return comp_life_seconds; - - if (strcmp(name, "ah_encapsulation") == 0) - return ah_encapsulation; - - if (strcmp(name, "esp_encapsulation") == 0) - return esp_encapsulation; - - if (strcmp(name, "comp_encapsulation") == 0) - return comp_encapsulation; - - if (strcmp(name, "ah_key_length") == 0) - return ah_key_length; - - if (strcmp(name, "ah_key_rounds") == 0) - return ah_key_rounds; - - if (strcmp(name, "esp_key_length") == 0) - return esp_key_length; - - if (strcmp(name, "esp_key_rounds") == 0) - return esp_key_rounds; - - if (strcmp(name, "comp_dict_size") == 0) - return comp_dict_size; - - if (strcmp(name, "comp_private_alg") == 0) - return comp_private_alg; - - if (strcmp(name, "remote_filter_type") == 0) - return remote_filter_type; - - if (strcmp(name, "remote_filter") == 0) - return (remote_filter ? remote_filter : ""); - - if (strcmp(name, "remote_filter_addr_upper") == 0) - return remote_filter_addr_upper; - - if (strcmp(name, "remote_filter_addr_lower") == 0) - return remote_filter_addr_lower; - - if (strcmp(name, "remote_filter_port") == 0) - return remote_filter_port; - - if (strcmp(name, "remote_filter_proto") == 0) - return remote_filter_proto; - - if (strcmp(name, "local_filter_type") == 0) - return local_filter_type; - - if (strcmp(name, "local_filter") == 0) - return (local_filter ? local_filter : ""); - - if (strcmp(name, "local_filter_addr_upper") == 0) - return local_filter_addr_upper; - - if (strcmp(name, "local_filter_addr_lower") == 0) - return local_filter_addr_lower; - - if (strcmp(name, "local_filter_port") == 0) - return local_filter_port; - - if (strcmp(name, "local_filter_proto") == 0) - return local_filter_proto; - - if (strcmp(name, "remote_ike_address") == 0) - return remote_ike_address; - - if (strcmp(name, "remote_negotiation_address") == 0) - return remote_ike_address; - - if (strcmp(name, "local_ike_address") == 0) - return local_ike_address; - - if (strcmp(name, "local_negotiation_address") == 0) - return local_ike_address; - - if (strcmp(name, "remote_id_type") == 0) - return remote_id_type; - - if (strcmp(name, "remote_id") == 0) - return (remote_id ? remote_id : ""); - - if (strcmp(name, "remote_id_addr_upper") == 0) - return remote_id_addr_upper; - - if (strcmp(name, "remote_id_addr_lower") == 0) - return remote_id_addr_lower; - - if (strcmp(name, "remote_id_port") == 0) - return remote_id_port; - - if (strcmp(name, "remote_id_proto") == 0) - return remote_id_proto; - - if (strcmp(name, "phase1_group_desc") == 0) - return phase1_group; - - if (strcmp(name, "esp_group_desc") == 0) - return esp_group_desc; - - if (strcmp(name, "ah_group_desc") == 0) - return ah_group_desc; - - if (strcmp(name, "comp_group_desc") == 0) - return comp_group_desc; - - if (strcmp(name, "comp_ecn") == 0) - return comp_ecn; - - if (strcmp(name, "ah_ecn") == 0) - return ah_ecn; - - if (strcmp(name, "esp_ecn") == 0) - return esp_ecn; - - return ""; - -bad: - policy_callback(KEYNOTE_CALLBACK_INITIALIZE); - return ""; -} - -void -policy_init(void) -{ - char *ptr, *policy_file, *use_keynote; - char **asserts; - size_t sz, len; - int fd, i; - - LOG_DBG((LOG_POLICY, 30, "policy_init: initializing")); - - /* Do we want to use the policy modules? */ - use_keynote = conf_get_str("General", "Use-Keynote"); - if (ignore_policy || - (use_keynote && strncmp("yes", use_keynote, 3))) - return; - - /* Get policy file from configuration. */ - policy_file = conf_get_str("General", "Policy-file"); - if (!policy_file) - policy_file = CONF_DFLT_POLICY_FILE; - - /* Open policy file. */ - fd = monitor_open(policy_file, O_RDONLY, 0); - if (fd == -1) - log_fatal("policy_init: open (\"%s\", O_RDONLY) failed", - policy_file); - - /* Check file modes and collect file size */ - if (check_file_secrecy_fd(fd, policy_file, &sz)) { - close(fd); - log_fatal("policy_init: cannot read %s", policy_file); - } - - /* Allocate memory to keep policies. */ - ptr = calloc(sz + 1, sizeof(char)); - if (!ptr) - log_fatal("policy_init: calloc (%lu, %lu) failed", - (unsigned long)sz + 1, (unsigned long)sizeof(char)); - - /* Just in case there are short reads... */ - for (len = 0; len < sz; len += i) { - i = read(fd, ptr + len, sz - len); - if (i == -1) - log_fatal("policy_init: read (%d, %p, %lu) failed", fd, - ptr + len, (unsigned long)(sz - len)); - } - - /* We're done with this. */ - close(fd); - - /* Parse buffer, break up into individual policies. */ - asserts = kn_read_asserts(ptr, sz, &i); - - /* Begone! */ - free(ptr); - - if (asserts == (char **)NULL) - log_print("policy_init: all policies flushed"); - - /* Cleanup */ - if (policy_asserts) { - for (fd = 0; fd < policy_asserts_num; fd++) - if (policy_asserts && policy_asserts[fd]) - free(policy_asserts[fd]); - - free(policy_asserts); - } - policy_asserts = asserts; - policy_asserts_num = i; -} - -/* Nothing needed for initialization */ -int -keynote_cert_init(void) -{ - return 1; -} - -/* Just copy and return. */ -void * -keynote_cert_get(u_int8_t *data, u_int32_t len) -{ - char *foo = malloc(len + 1); - - if (foo == NULL) - return NULL; - - memcpy(foo, data, len); - foo[len] = '\0'; - return foo; -} - -/* - * We just verify the signature on the credentials. - * On signature failure, just drop the whole payload. - */ -int -keynote_cert_validate(void *scert) -{ - char **foo; - int num, i; - - if (scert == NULL) - return 0; - - foo = kn_read_asserts((char *)scert, strlen((char *)scert), &num); - if (foo == NULL) - return 0; - - for (i = 0; i < num; i++) { - if (kn_verify_assertion(scert, strlen((char *)scert)) - != SIGRESULT_TRUE) { - for (; i < num; i++) - free(foo[i]); - free(foo); - return 0; - } - free(foo[i]); - } - - free(foo); - return 1; -} - -/* Add received credentials. */ -int -keynote_cert_insert(int sid, void *scert) -{ - char **foo; - int num; - - if (scert == NULL) - return 0; - - foo = kn_read_asserts((char *)scert, strlen((char *)scert), &num); - if (foo == NULL) - return 0; - - while (num--) - kn_add_assertion(sid, foo[num], strlen(foo[num]), 0); - - return 1; -} - -/* Just regular memory free. */ -void -keynote_cert_free(void *cert) -{ - free(cert); -} - -/* Verify that the key given to us is valid. */ -int -keynote_certreq_validate(u_int8_t *data, u_int32_t len) -{ - struct keynote_deckey dc; - int err = 1; - char *dat; - - dat = calloc(len + 1, sizeof(char)); - if (!dat) { - log_error("keynote_certreq_validate: calloc (%d, %lu) failed", - len + 1, (unsigned long)sizeof(char)); - return 0; - } - memcpy(dat, data, len); - - if (kn_decode_key(&dc, dat, KEYNOTE_PUBLIC_KEY) != 0) - err = 0; - else - kn_free_key(&dc); - - free(dat); - - return err; -} - -/* Beats me what we should be doing with this. */ -void * -keynote_certreq_decode(u_int8_t *data, u_int32_t len) -{ - /* XXX */ - return NULL; -} - -void -keynote_free_aca(void *blob) -{ - /* XXX */ -} - -int -keynote_cert_obtain(u_int8_t *id, size_t id_len, void *data, u_int8_t **cert, - u_int32_t *certlen) -{ - char *dirname, *file, *addr_str; - struct stat sb; - size_t size; - int idtype, fd, len; - - if (!id) { - log_print("keynote_cert_obtain: ID is missing"); - return 0; - } - /* Get type of ID. */ - idtype = id[0]; - id += ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; - id_len -= ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; - - dirname = conf_get_str("KeyNote", "Credential-directory"); - if (!dirname) { - LOG_DBG((LOG_POLICY, 30, - "keynote_cert_obtain: no Credential-directory")); - return 0; - } - len = strlen(dirname) + strlen(CREDENTIAL_FILE) + 3; - - switch (idtype) { - case IPSEC_ID_IPV4_ADDR: - case IPSEC_ID_IPV6_ADDR: - util_ntoa(&addr_str, idtype == IPSEC_ID_IPV4_ADDR ? - AF_INET : AF_INET6, id); - if (addr_str == 0) - return 0; - - file = calloc(len + strlen(addr_str), sizeof(char)); - if (file == NULL) { - log_error("keynote_cert_obtain: failed to allocate " - "%lu bytes", (unsigned long)len + - strlen(addr_str)); - free(addr_str); - return 0; - } - snprintf(file, len + strlen(addr_str), "%s/%s/%s", dirname, - addr_str, CREDENTIAL_FILE); - free(addr_str); - break; - - case IPSEC_ID_FQDN: - case IPSEC_ID_USER_FQDN: { - file = calloc(len + id_len, sizeof(char)); - if (file == NULL) { - log_error("keynote_cert_obtain: " - "failed to allocate %lu bytes", - (unsigned long)len + id_len); - return 0; - } - snprintf(file, len + id_len, "%s/", dirname); - memcpy(file + strlen(dirname) + 1, id, id_len); - snprintf(file + strlen(dirname) + 1 + id_len, - len - strlen(dirname) - 1, "/%s", CREDENTIAL_FILE); - break; - } - - default: - return 0; - } - - fd = monitor_open(file, O_RDONLY, 0); - if (fd < 0) { - LOG_DBG((LOG_POLICY, 30, "keynote_cert_obtain: " - "failed to open \"%s\"", file)); - free(file); - return 0; - } - - if (fstat(fd, &sb) < 0) { - LOG_DBG((LOG_POLICY, 30, "keynote_cert_obtain: " - "failed to stat \"%s\"", file)); - free(file); - close(fd); - return 0; - } - size = (size_t)sb.st_size; - - *cert = calloc(size + 1, sizeof(char)); - if (*cert == NULL) { - log_error("keynote_cert_obtain: failed to allocate %lu bytes", - (unsigned long)size); - free(file); - return 0; - } - - if (read(fd, *cert, size) != (int)size) { - LOG_DBG((LOG_POLICY, 30, "keynote_cert_obtain: " - "failed to read %lu bytes from \"%s\"", - (unsigned long)size, file)); - free(file); - close(fd); - return 0; - } - close(fd); - free(file); - *certlen = size; - return 1; -} - -/* This should never be called. */ -int -keynote_cert_get_subjects(void *scert, int *n, u_int8_t ***id, - u_int32_t **id_len) -{ - return 0; -} - -/* Get the authorizer key. */ -int -keynote_cert_get_key(void *scert, void *keyp) -{ - struct keynote_keylist *kl; - int sid, kid, num; - char **foo; - - foo = kn_read_asserts((char *)scert, strlen((char *)scert), &num); - if (foo == NULL || num == 0) { - log_print("keynote_cert_get_key: " - "failed to decompose credentials"); - return 0; - } - kid = kn_init(); - if (kid == -1) { - log_print("keynote_cert_get_key: " - "failed to initialize new policy session"); - while (num--) - free(foo[num]); - free(foo); - return 0; - } - sid = kn_add_assertion(kid, foo[num - 1], strlen(foo[num - 1]), 0); - while (num--) - free(foo[num]); - free(foo); - - if (sid == -1) { - log_print("keynote_cert_get_key: failed to add assertion"); - kn_close(kid); - return 0; - } - *(RSA **)keyp = NULL; - - kl = kn_get_licensees(kid, sid); - while (kl) { - if (kl->key_alg == KEYNOTE_ALGORITHM_RSA || - kl->key_alg == KEYNOTE_ALGORITHM_X509) { - *(RSA **)keyp = RSAPublicKey_dup(kl->key_key); - break; - } - kl = kl->key_next; - } - - kn_remove_assertion(kid, sid); - kn_close(kid); - return *(RSA **)keyp == NULL ? 0 : 1; -} - -void * -keynote_cert_dup(void *cert) -{ - return strdup((char *)cert); -} - -void -keynote_serialize(void *cert, u_int8_t **data, u_int32_t *datalen) -{ - *datalen = strlen((char *)cert) + 1; - *data = (u_int8_t *)strdup(cert); /* i.e an extra character at - * the end... */ - if (*data == NULL) - log_error("keynote_serialize: malloc (%d) failed", *datalen); -} - -/* From cert to printable */ -char * -keynote_printable(void *cert) -{ - return strdup((char *)cert); -} - -/* From printable to cert */ -void * -keynote_from_printable(char *cert) -{ - return strdup(cert); -} diff --git a/keyexchange/isakmpd-20041012/policy.h b/keyexchange/isakmpd-20041012/policy.h deleted file mode 100644 index e4b5e9a..0000000 --- a/keyexchange/isakmpd-20041012/policy.h +++ /dev/null @@ -1,70 +0,0 @@ -/* $OpenBSD: policy.h,v 1.15 2004/06/25 20:25:34 hshoexer Exp $ */ -/* $EOM: policy.h,v 1.12 2000/09/28 12:53:27 niklas Exp $ */ - -/* - * Copyright (c) 1999, 2000 Angelos D. Keromytis. All rights reserved. - * Copyright (c) 2000 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _POLICY_H_ -#define _POLICY_H_ - -#if defined (USE_KEYNOTE) -#define CREDENTIAL_FILE "credentials" -#define PRIVATE_KEY_FILE "private_key" -#endif - -extern int ignore_policy; -extern int policy_asserts_num; -extern int x509_policy_asserts_num; -extern int x509_policy_asserts_num_alloc; -extern char **policy_asserts; -extern char **x509_policy_asserts; -extern struct exchange *policy_exchange; -extern struct sa *policy_sa; -extern struct sa *policy_isakmp_sa; - -extern void policy_init(void); -extern char *policy_callback(char *); -extern int keynote_cert_init(void); -extern void *keynote_cert_get(u_int8_t *, u_int32_t); -extern int keynote_cert_validate(void *); -extern int keynote_cert_insert(int, void *); -extern void keynote_cert_free(void *); -extern int keynote_certreq_validate(u_int8_t *, u_int32_t); -extern void *keynote_certreq_decode(u_int8_t *, u_int32_t); -extern void keynote_free_aca(void *); -extern int keynote_cert_obtain(u_int8_t *, size_t, void *, - u_int8_t **, u_int32_t *); -extern int keynote_cert_get_subjects(void *, int *, u_int8_t ***, - u_int32_t **); -extern int keynote_cert_get_key(void *, void *); -extern void *keynote_cert_dup(void *); -extern void keynote_serialize(void *, u_int8_t **, u_int32_t *); -extern char *keynote_printable(void *); -extern void *keynote_from_printable(char *); -#endif /* _POLICY_H_ */ diff --git a/keyexchange/isakmpd-20041012/prf.c b/keyexchange/isakmpd-20041012/prf.c deleted file mode 100644 index fdb91fe..0000000 --- a/keyexchange/isakmpd-20041012/prf.c +++ /dev/null @@ -1,161 +0,0 @@ -/* $OpenBSD: prf.c,v 1.14 2004/05/23 18:17:56 hshoexer Exp $ */ -/* $EOM: prf.c,v 1.7 1999/05/02 12:50:29 niklas Exp $ */ - -/* - * Copyright (c) 1998 Niels Provos. All rights reserved. - * Copyright (c) 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/param.h> -#include <stdlib.h> -#include <string.h> - -#include "sysdep.h" - -#include "hash.h" -#include "log.h" -#include "prf.h" - -void prf_hash_init(struct prf_hash_ctx *); -void prf_hash_update(struct prf_hash_ctx *, unsigned char *, unsigned int); -void prf_hash_final(unsigned char *, struct prf_hash_ctx *); - -/* PRF behaves likes a hash */ - -void -prf_hash_init(struct prf_hash_ctx *ctx) -{ - memcpy(ctx->hash->ctx, ctx->ctx, ctx->hash->ctxsize); - memcpy(ctx->hash->ctx2, ctx->ctx2, ctx->hash->ctxsize); -} - -void -prf_hash_update(struct prf_hash_ctx *ctx, unsigned char *data, - unsigned int len) -{ - ctx->hash->Update(ctx->hash->ctx, data, len); -} - -void -prf_hash_final(unsigned char *digest, struct prf_hash_ctx *ctx) -{ - ctx->hash->HMACFinal(digest, ctx->hash); -} - -/* - * Obtain a Pseudo-Random Function for us. At the moment this is - * the HMAC version of a hash. See RFC-2104 for reference. - */ -struct prf * -prf_alloc(enum prfs type, int subtype, unsigned char *shared, - unsigned int sharedsize) -{ - struct hash *hash; - struct prf *prf; - struct prf_hash_ctx *prfctx; - - switch (type) { - case PRF_HMAC: - hash = hash_get(subtype); - if (!hash) { - log_print("prf_alloc: unknown hash type %d", subtype); - return 0; - } - break; - default: - log_print("prf_alloc: unknown PRF type %d", type); - return 0; - } - - prf = malloc(sizeof *prf); - if (!prf) { - log_error("prf_alloc: malloc (%lu) failed", - (unsigned long)sizeof *prf); - return 0; - } - if (type == PRF_HMAC) { - /* Obtain needed memory. */ - prfctx = malloc(sizeof *prfctx); - if (!prfctx) { - log_error("prf_alloc: malloc (%lu) failed", - (unsigned long)sizeof *prfctx); - goto cleanprf; - } - prf->prfctx = prfctx; - - prfctx->ctx = malloc(hash->ctxsize); - if (!prfctx->ctx) { - log_error("prf_alloc: malloc (%d) failed", - hash->ctxsize); - goto cleanprfctx; - } - prfctx->ctx2 = malloc(hash->ctxsize); - if (!prfctx->ctx2) { - log_error("prf_alloc: malloc (%d) failed", - hash->ctxsize); - free(prfctx->ctx); - goto cleanprfctx; - } - prf->type = PRF_HMAC; - prf->blocksize = hash->hashsize; - prfctx->hash = hash; - - /* Use the correct function pointers. */ - prf->Init = (void(*)(void *))prf_hash_init; - prf->Update = (void(*)(void *, unsigned char *, - unsigned int))prf_hash_update; - prf->Final = (void(*)(unsigned char *, void *))prf_hash_final; - - /* Init HMAC contexts. */ - hash->HMACInit(hash, shared, sharedsize); - - /* Save contexts. */ - memcpy(prfctx->ctx, hash->ctx, hash->ctxsize); - memcpy(prfctx->ctx2, hash->ctx2, hash->ctxsize); - } - return prf; - -cleanprfctx: - free(prf->prfctx); -cleanprf: - free(prf); - return 0; -} - -/* Deallocate the PRF pointed to by PRF. */ -void -prf_free(struct prf *prf) -{ - struct prf_hash_ctx *prfctx = prf->prfctx; - - if (prf->type == PRF_HMAC) { - free(prfctx->ctx2); - free(prfctx->ctx); - } - free(prf->prfctx); - free(prf); -} diff --git a/keyexchange/isakmpd-20041012/prf.h b/keyexchange/isakmpd-20041012/prf.h deleted file mode 100644 index 08a6fb3..0000000 --- a/keyexchange/isakmpd-20041012/prf.h +++ /dev/null @@ -1,58 +0,0 @@ -/* $OpenBSD: prf.h,v 1.10 2004/04/15 18:39:26 deraadt Exp $ */ -/* $EOM: prf.h,v 1.1 1998/07/11 20:06:22 provos Exp $ */ - -/* - * Copyright (c) 1998 Niels Provos. All rights reserved. - * Copyright (c) 2001 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _PRF_H_ -#define _PRF_H_ - -/* Enumeration of possible PRF - Pseudo-Random Functions. */ -enum prfs { - PRF_HMAC = 0 /* No PRFs in drafts, this is the default */ -}; - -struct prf { - enum prfs type; /* Type of PRF */ - void *prfctx; /* Context for PRF */ - u_int8_t blocksize; /* The blocksize of PRF */ - void (*Init) (void *); - void (*Update) (void *, unsigned char *, unsigned int); - void (*Final) (unsigned char *, void *); -}; - -struct prf_hash_ctx { - struct hash *hash; /* Hash type to use */ - void *ctx, *ctx2; /* Contexts we need for later */ -}; - -struct prf *prf_alloc(enum prfs, int, unsigned char *, unsigned int); -void prf_free(struct prf *); - -#endif /* _PRF_H_ */ diff --git a/keyexchange/isakmpd-20041012/regress/Makefile b/keyexchange/isakmpd-20041012/regress/Makefile deleted file mode 100644 index bcbf7e5..0000000 --- a/keyexchange/isakmpd-20041012/regress/Makefile +++ /dev/null @@ -1,34 +0,0 @@ -# $OpenBSD: Makefile,v 1.9 2003/06/03 14:39:50 ho Exp $ -# $EOM: Makefile,v 1.8 1999/07/17 20:44:13 niklas Exp $ - -# -# Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Ericsson Radio Systems. -# - -SUBDIR= b2n crypto dh ec2n exchange group hmac prf rsakeygen util x509 - -.include <bsd.subdir.mk> diff --git a/keyexchange/isakmpd-20041012/regress/b2n/.cvsignore b/keyexchange/isakmpd-20041012/regress/b2n/.cvsignore deleted file mode 100644 index ed605b2..0000000 --- a/keyexchange/isakmpd-20041012/regress/b2n/.cvsignore +++ /dev/null @@ -1,2 +0,0 @@ -b2ntest -obj diff --git a/keyexchange/isakmpd-20041012/regress/b2n/Makefile b/keyexchange/isakmpd-20041012/regress/b2n/Makefile deleted file mode 100644 index 57ffb1f..0000000 --- a/keyexchange/isakmpd-20041012/regress/b2n/Makefile +++ /dev/null @@ -1,16 +0,0 @@ -# $OpenBSD: Makefile,v 1.7 2004/02/25 16:01:29 hshoexer Exp $ -# $EOM: Makefile,v 1.12 2000/10/13 13:04:17 ho Exp $ - -# Test some math - -PROG= b2ntest -SRCS= b2ntest.c conf.c log.c math_2n.c sysdep.c util.c -NOMAN= -TOPSRC= ${.CURDIR}/../.. -TOPOBJ!= cd ${TOPSRC}; printf "all:\n\t@pwd\n" |${MAKE} -f- -OS!= awk '/^OS=/ { print $$2 }' ${.CURDIR}/../../Makefile -.PATH: ${TOPSRC} ${TOPSRC}/sysdep/${OS} ${TOPOBJ} -CFLAGS+= -I${TOPSRC} -I${TOPSRC}/sysdep/${OS} -I${TOPOBJ} -Wall -DEBUG= -g - -.include <bsd.prog.mk> diff --git a/keyexchange/isakmpd-20041012/regress/b2n/b2ntest.c b/keyexchange/isakmpd-20041012/regress/b2n/b2ntest.c deleted file mode 100644 index 97284db..0000000 --- a/keyexchange/isakmpd-20041012/regress/b2n/b2ntest.c +++ /dev/null @@ -1,368 +0,0 @@ -/* $OpenBSD: b2ntest.c,v 1.8 2003/06/03 14:39:50 ho Exp $ */ -/* $EOM: b2ntest.c,v 1.4 1998/07/16 19:31:55 provos Exp $ */ - -/* - * Copyright (c) 1998 Niels Provos. All rights reserved. - * Copyright (c) 2001 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -/* - * B2N is a module for doing arithmetic on the Field GF(2**n) which is - * isomorph to ring of polynomials GF(2)[x]/p(x) where p(x) is an - * irreduciable polynomial over GF(2)[x] with grade n. - */ - -#include <stdlib.h> -#include <string.h> -#include <stdio.h> - -#include "math_2n.h" - -#define BUFSIZE 200 - -#define CMP_FAIL(n,x) b2n_snprint (buf, BUFSIZE, n); if (strcmp (buf, (x))) \ - printf ("FAILED: %s != %s ", buf, x); else printf ("OKAY "); - -int -main (void) -{ - int i; - b2n_t n, m, d, r; - char buf[BUFSIZE]; - - b2n_init (n); - b2n_init (m); - b2n_init (d); - b2n_init (r); - - printf ("Arithimetic Tests for GF(2)[x]:\n"); - printf ("Testing: b2n_set*: "); - b2n_set_ui (n, 0xffc0); - CMP_FAIL (n, "0xffc0"); - - b2n_set_str (m, "0x180c0"); - CMP_FAIL (m, "0x0180c0"); - b2n_set_str (m, "0x808b8080c0"); - CMP_FAIL (m, "0x808b8080c0"); - - printf ("\nTesting: b2n_add: "); - b2n_add (d, n, m); - CMP_FAIL (d, "0x808b807f00"); - b2n_add (n, n, m); - CMP_FAIL (n, "0x808b807f00"); - b2n_add (n, n, n); - CMP_FAIL (n, "0x00"); - b2n_set_str (n, "0x9090900000000000000000"); - b2n_set_ui (m, 0); - b2n_add (n, n, m); - CMP_FAIL (n, "0x9090900000000000000000"); - - printf ("\nTesting: b2n_lshift: "); - b2n_set_str (m, "0x808b8080c0"); - b2n_lshift (n, m, 3); - CMP_FAIL (n, "0x04045c040600"); - b2n_lshift (n, m, 11); - CMP_FAIL (n, "0x04045c04060000"); - b2n_set (n, m); - for (i = 0; i < 11; i++) - b2n_lshift (n, n, 1); - CMP_FAIL (n, "0x04045c04060000"); - b2n_lshift (d, m, 12); - CMP_FAIL (d, "0x0808b8080c0000"); - b2n_set_str (m, "0xdeadbeef"); - b2n_lshift (d, m, 103); - CMP_FAIL (d, "0x6f56df7780000000000000000000000000"); - - printf ("\nTesting: b2n_rshift: "); - b2n_rshift (m, n, 3); - CMP_FAIL (m, "0x808b8080c000"); - b2n_rshift (m, m, 11); - CMP_FAIL (m, "0x1011701018"); - b2n_set_str (m, "0x12381998713258186712365"); - b2n_rshift (m, m, 23); - CMP_FAIL (m, "0x024703330e264b030c"); - b2n_set_str (m, "0x12381998713258186712365"); - for (i=0; i<23; i++) - b2n_rshift (m, m, 1); - CMP_FAIL (m, "0x024703330e264b030c"); - - printf ("\nTesting: b2n_mul: 0x9 o 0x5: "); - b2n_set_ui (n, 9); - b2n_set_ui (m, 5); - b2n_mul (d, n, m); - CMP_FAIL (d, "0x2d"); - b2n_mul (n, n, m); - CMP_FAIL (d, "0x2d"); - - printf ("\nTesting: b2n_mul: 0x9 o 0x0: "); - b2n_set_ui (n, 9); - b2n_set_ui (m, 0); - b2n_mul (d, n, m); - CMP_FAIL (d, "0x00"); - b2n_set_ui (n, 0); - b2n_set_ui (m, 9); - b2n_mul (d, n, m); - CMP_FAIL (d, "0x00"); - - printf ("\nTesting: b2n_mul: 0x9 o 0x1: "); - b2n_set_ui (n, 9); - b2n_set_ui (m, 1); - b2n_mul (d, n, m); - CMP_FAIL (d, "0x09"); - - printf ("\nTesting: b2n_mul: 0x12329 o 0x1235: "); - b2n_set_str (n, "0x12329"); - b2n_set_str (m, "0x1235"); - b2n_mul (d, n, m); - CMP_FAIL (d, "0x10473a3d"); - b2n_mul (n, n, m); - CMP_FAIL (d, "0x10473a3d"); - - printf ("\nTesting: b2n_square: 0x1235 o 0x1235: "); - b2n_set_str (m, "0x1235"); - b2n_square (n, m); - CMP_FAIL (n, "0x01040511"); - - printf ("\nTesting: b2n_square: 0x80c1235 o 0x80c1235: "); - b2n_set_str (m, "0x80c1235"); - b2n_square (n, m); - CMP_FAIL (n, "0x40005001040511"); - - b2n_set_str (m, "0x12329"); - printf ("\nTesting: sigbit: 0x12329: %d, %s", - b2n_sigbit(m), b2n_sigbit(m) == 17 ? "OKAY" : "FAILED"); - b2n_set_ui (m, 0); - printf ("\nTesting: sigbit: 0x0: %d, %s", - b2n_sigbit(m), b2n_sigbit(m) == 0 ? "OKAY" : "FAILED"); - b2n_set_str (m, "0x7f3290000"); - printf ("\nTesting: sigbit: 0x7f3290000: %d, %s", - b2n_sigbit(m), b2n_sigbit(m) == 35 ? "OKAY" : "FAILED"); - - printf ("\nTesting: b2n_cmp: "); - b2n_set_str (m, "0x2234"); - b2n_set_str (n, "0x1234"); - printf ("%d <-> %d, ", b2n_sigbit (m), b2n_sigbit(n)); - printf ("%d, %d ,%d: ", b2n_cmp (m,m), b2n_cmp (m,n), b2n_cmp (n,m)); - if (b2n_cmp (m,m) || b2n_cmp (m,n) != 1 || b2n_cmp (n,m) != -1) - printf ("FAILED"); - else - printf ("OKAY"); - printf ("\nTesting: b2n_cmp_null: "); - b2n_set_str (m, "0x2234"); - b2n_set_ui (n, 0); - printf ("%d, %d: ", b2n_cmp_null (m), b2n_cmp_null (n)); - if (b2n_cmp_null (m) != 1 || b2n_cmp_null (n)) - printf ("FAILED"); - else - printf ("OKAY"); - - printf ("\nTesting: b2n_div: 0x2d / 0x5: "); - b2n_set_str (n, "0x2d"); - b2n_set_ui (m, 5); - b2n_div (n, m, n, m); - CMP_FAIL (n, "0x09"); - CMP_FAIL (m, "0x00"); - printf ("\nTesting: b2n_div: 0x2d / 0x1: "); - b2n_set_str (n, "0x2d"); - b2n_set_ui (m, 1); - b2n_div (n, m, n, m); - CMP_FAIL (n, "0x2d"); - CMP_FAIL (m, "0x00"); - - printf ("\nTesting: b2n_div: 0x10473a3d / 0x1235: "); - b2n_set_str (n, "0x10473a3d"); - b2n_set_str (m, "0x1235"); - b2n_div (n, m, n, m); - CMP_FAIL (n, "0x012329"); - CMP_FAIL (m, "0x00"); - - printf ("\nTesting: b2n_div: 0x10473a3d / 0x1536: "); - b2n_set_str (n, "0x10473a3d"); - b2n_set_str (m, "0x1536"); - b2n_div (n, m, n, m); - CMP_FAIL (n, "0x014331"); - CMP_FAIL (m, "0xab"); - b2n_set_str (n, "0x10473a3d"); - b2n_set_str (m, "0x1536"); - b2n_div_q (d, n, m); - CMP_FAIL (d, "0x014331"); - b2n_div_r (d, n, m); - CMP_FAIL (d, "0xab"); - - printf ("\nTesting: b2n_div: " - "0x0800000000000000000000004000000000000001 / 0xffab09909a00: "); - b2n_set_str (n, "0x0800000000000000000000004000000000000001"); - b2n_set_str (m, "0xffab09909a00"); - b2n_div_q (d, n, m); - CMP_FAIL (d, "0x18083e83a98647cedae0b3e69a5e"); - b2n_div_r (d, n, m); - CMP_FAIL (d, "0x5b8bf98cac01"); - b2n_set (d, m); - b2n_div (n, m, n, m); - CMP_FAIL (n, "0x18083e83a98647cedae0b3e69a5e"); - CMP_FAIL (m, "0x5b8bf98cac01"); - - printf ("\nTesting: b2n_div: " - "0x0800000000000000000000004000000000000001 / 0x7b: "); - b2n_set_str (n, "0x0800000000000000000000004000000000000001"); - b2n_set_str (m, "0x7b"); - b2n_div (n, m, n, m); - CMP_FAIL (n, "0x32dea27065bd44e0cb7a89c000000000000000"); - CMP_FAIL (m, "0x01"); - - printf ("\n\nArithimetic Tests for GF(2**m) ~= GF(2)[x]/p(x):\n"); - printf ("Testing: b2n_gcd: "); - b2n_set_str (d, "0x771"); - b2n_set_str (m, "0x26d"); - b2n_gcd (n, m, d); - CMP_FAIL (n, "0x0b"); - b2n_set_str (d, "0x0800000000000000000000004000000000000001"); - b2n_set_str (m, "0xffab09909a00"); - b2n_gcd (n, m, d); - CMP_FAIL (n, "0x01"); - b2n_set_str (d, "0x0800000000000000000000004000000000000001"); - b2n_set_str (m, "0x7b"); - b2n_gcd (n, m, d); - CMP_FAIL (n, "0x01"); - - printf ("\nTesting: b2n_mul_inv: "); - b2n_set_str (d, "0x0800000000000000000000004000000000000001"); - b2n_set_str (m, "0xffab09909a00"); - b2n_mul_inv (n, m, d); - CMP_FAIL (n, "0x074029149f69304174d28858ae5c60df208a22a8"); - b2n_set_str (n, "0xffab09909a00"); - b2n_mul_inv (n, n, d); - CMP_FAIL (n, "0x074029149f69304174d28858ae5c60df208a22a8"); - b2n_mul (n, n, m); - b2n_mod (n, n, d); - CMP_FAIL (n, "0x01"); - b2n_set_str (d, "0x0800000000000000000000004000000000000001"); - b2n_set_str (m, "0x7b"); - b2n_mul_inv (n, m, d); - CMP_FAIL (n, "0x32dea27065bd44e0cb7a89c000000000000000"); - b2n_mul (n, n, m); - b2n_mod (n, n, d); - CMP_FAIL (n, "0x01"); - - printf ("\nTesting: b2n_random: "); - b2n_random (m, 155); - b2n_snprint (buf, BUFSIZE, m); - printf ("%s, %d", buf, b2n_sigbit(m)); - - printf ("\nTesting: b2n_sqrt: "); - b2n_set_str (n, "0x0800000000000000000000004000000000000001"); - b2n_set_ui (d, 2); - b2n_sqrt (m, d, n); - b2n_square (d, m); - b2n_add (d, d, m); - b2n_mod (d, d, n); - CMP_FAIL (d, "0x02"); - - /* x**3 + b */ - b2n_set_ui (n, 0x7b); - b2n_square (d, n); - b2n_mul (d, d, n); - b2n_set_str (n, "0x07338f"); - b2n_add (d, d, n); - b2n_set_str (n, "0x0800000000000000000000004000000000000001"); - b2n_mod (d, d, n); - /* \alpha = x**3 + b - end */ - - /* \beta = x**(-2)*\alpha */ - b2n_set_ui (m, 0x7b); - b2n_mul_inv (m, m, n); - b2n_square (m, m); - b2n_mod (m, m, n); - b2n_mul (d, d, m); - b2n_mod (d, d, n); - b2n_set (r, d); - /* \beta = x**(-2)*\alpha - end */ - - b2n_sqrt (m, d, n); - CMP_FAIL (m, "0x0690aec7cd215d8f9a42bb1f0000000000000004"); - b2n_square (d, m); - b2n_mod (d, d, n); - b2n_add (d, d, m); - b2n_mod (d, d, n); - printf ("Squaring Check: "); - CMP_FAIL (d, "0x03d5af92c8311d9e8f56be4b3e690aec7cd215cc"); - - printf ("\nTesting: b2n_trace: "); - b2n_set_ui (m, 2); - b2n_trace (d, m, n); - CMP_FAIL (d, "0x00"); - b2n_set_ui (m, 0x11223); - b2n_trace (d, m, n); - CMP_FAIL (d, "0x01"); - - printf ("\nTesting: b2n_exp_mod: "); - b2n_set_ui (m, 0x7b); - b2n_exp_mod (d, m, 5, n); - CMP_FAIL (d, "0x7cccb7cb"); - b2n_set_str (m, "0x123456789abcdef"); - b2n_exp_mod (d, m, 13, n); - CMP_FAIL (d, "0x043f0a8550cb69b3c50d0340d1c6d5c97ecd60d4"); - - printf ("\nTesting: b2n_3mul: "); - b2n_set_ui (m, 0x7b); - b2n_3mul (m, m); - CMP_FAIL (m, "0x0171"); - - b2n_set_ui (m, 0x7fffffff); - b2n_3mul (m, m); - CMP_FAIL (m, "0x017ffffffd"); - - printf ("\nTesting: b2n_nadd: "); - b2n_set_str (m, "0x7fffffff"); - b2n_set_str (n, "0x10203045"); - b2n_nadd (d, n, m); - CMP_FAIL (d, "0x90203044"); - - b2n_set_str (m, "0x9a4a54d8b8dfa566112849991214329a233d"); - b2n_set_str (n, "0x70ee40dd60c8657e58eda9a17ad9176e28b4b457e5a34a0948e335"); - b2n_nadd (d, n, m); - CMP_FAIL (d, "0x70ee40dd60c8657e5987f3f65391f7138ec5dca17eb55e3be30672"); - - printf ("\nTesting: b2n_nsub: "); - b2n_set_str (n, "0x90203044"); - b2n_set_str (m, "0x10203045"); - b2n_nsub (d, n, m); - CMP_FAIL (d, "0x7fffffff"); - - b2n_set_str (n, "0x70ee40dd60c8657e5987f3f65391f7138ec5dca17eb55e3be30672"); - b2n_set_str (m, "0x70ee40dd60c8657e58eda9a17ad9176e28b4b457e5a34a0948e335"); - b2n_nsub (d, n, m); - CMP_FAIL (d, "0x9a4a54d8b8dfa566112849991214329a233d"); - - b2n_clear (n); - b2n_clear (m); - b2n_clear (d); - b2n_clear (r); - - printf ("\n"); - return 1; -} diff --git a/keyexchange/isakmpd-20041012/regress/check.sh b/keyexchange/isakmpd-20041012/regress/check.sh deleted file mode 100644 index ea726c5..0000000 --- a/keyexchange/isakmpd-20041012/regress/check.sh +++ /dev/null @@ -1,88 +0,0 @@ -#!/bin/sh -# $OpenBSD: check.sh,v 1.4 2003/06/03 14:39:50 ho Exp $ -# $EOM: check.sh,v 1.4 1998/07/17 21:33:13 niklas Exp $ - -# -# Copyright (c) 1998 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Ericsson. -# - -PROGNAME=$0 -NC=/usr/bin/nc -HOST=localhost -ISAKMP_PORT=500 - -set -- `getopt p: $*` -if [ $? != 0 ]; then - echo 'usage: $PROGNAME [-p port] host' >&2 - exit 2 -fi -for i; do - case "$i" in - -p) - ISAKMP_PORT=$2; shift; shift;; - --) - shift; break;; - esac -done - -if [ $# -gt 0 ]; then - HOST=$1 -fi - -send () { - ${NC} -u -w 1 ${HOST} ${ISAKMP_PORT} -} - -# Short message -printf "SHORT!" |send - -# (Most probably) invalid cookie -printf "INVALID COOKIES!\0\x10\0\0\0\0\0\0\0\0\0\x1c" |send - -# Invalid next payload type -printf "01234567\0\0\0\0\0\0\0\0!\x10\0\0\0\0\0\0\0\0\0\x1c" |send - -# Invalid major version -printf "01234567\0\0\0\0\0\0\0\0\0\x20\0\0\0\0\0\0\0\0\0\x1c" |send - -# Invalid minor version -printf "01234567\0\0\0\0\0\0\0\0\0\x11\0\0\0\0\0\0\0\0\0\x1c" |send - -# Invalid exchange type -printf "01234567\0\0\0\0\0\0\0\0\0\x10!\0\0\0\0\0\0\0\0\x1c" |send - -# Invalid flags -printf "01234567\0\0\0\0\0\0\0\0\0\x10\2\x80\0\0\0\0\0\0\0\x1c" |send - -# Invalid message ID -printf "01234567\0\0\0\0\0\0\0\0\0\x10\2\0BAD!\0\0\0\x1c" |send - -# Short length -printf "01234567\0\0\0\0\0\0\0\0\0\x10\2\0\0\0\0\0\0\0\0\x1b" |send - -# Long length -printf "01234567\0\0\0\0\0\0\0\0\0\x10\2\0\0\0\0\0\0\0\0\x1d" |send diff --git a/keyexchange/isakmpd-20041012/regress/crypto/.cvsignore b/keyexchange/isakmpd-20041012/regress/crypto/.cvsignore deleted file mode 100644 index 7b3c6ec..0000000 --- a/keyexchange/isakmpd-20041012/regress/crypto/.cvsignore +++ /dev/null @@ -1,2 +0,0 @@ -cryptotest -obj diff --git a/keyexchange/isakmpd-20041012/regress/crypto/Makefile b/keyexchange/isakmpd-20041012/regress/crypto/Makefile deleted file mode 100644 index b2a0ef9..0000000 --- a/keyexchange/isakmpd-20041012/regress/crypto/Makefile +++ /dev/null @@ -1,20 +0,0 @@ -# $OpenBSD: Makefile,v 1.11 2004/02/25 16:01:29 hshoexer Exp $ -# $EOM: Makefile,v 1.7 2000/03/28 21:22:06 ho Exp $ - -# Test Crypto: - -PROG= cryptotest -SRCS= crypto.c cryptotest.c conf.c log.c sysdep.c util.c -TOPSRC= ${.CURDIR}/../.. -TOPOBJ!= cd ${TOPSRC}; printf "all:\n\t@pwd\n" |${MAKE} -f- -OS!= awk '/^OS=/ { print $$2 }' ${.CURDIR}/../../Makefile -.PATH: ${TOPSRC} ${TOPSRC}/sysdep/${OS} ${TOPOBJ} -CFLAGS+= -I${TOPSRC} -I${TOPSRC}/sysdep/${OS} -I${TOPOBJ} -Wall \ - -DUSE_TRIPLEDES -DUSE_CAST -DUSE_BLOWFISH -DUSE_DES \ - -DUSE_AES -LDADD+= -lcrypto -ldes -DPADD+= ${LIBCRYPTO} ${LIBDES} -NOMAN= -DEBUG= -g - -.include <bsd.prog.mk> diff --git a/keyexchange/isakmpd-20041012/regress/crypto/cryptotest.c b/keyexchange/isakmpd-20041012/regress/crypto/cryptotest.c deleted file mode 100644 index d860ddd..0000000 --- a/keyexchange/isakmpd-20041012/regress/crypto/cryptotest.c +++ /dev/null @@ -1,178 +0,0 @@ -/* $OpenBSD: cryptotest.c,v 1.13 2004/04/07 22:45:50 ho Exp $ */ -/* $EOM: cryptotest.c,v 1.5 1998/10/07 16:40:49 niklas Exp $ */ - -/* - * Copyright (c) 1998 Niels Provos. All rights reserved. - * Copyright (c) 2001 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/param.h> -#include <ctype.h> -#include <stdlib.h> -#include <stdio.h> -#include <string.h> - -#include "crypto.h" - -void test_crypto (enum transform); - -#define SET_KEY(x,y) {size_t i; for (i=0; i < (y); i++) (x)[i] = i;} - -int -verify_buf (u_int8_t *buf, u_int16_t len) -{ - int i; - - for (i = 0; i < len; i++) - if (buf[i] != i) - return 0; - - return 1; -} - -#define nibble2bin(y) (tolower((y)) < 'a' ? (y) - '0': tolower((y)) - 'a' + 10) -#define hexchar2bin(x) ((nibble2bin((x)[0]) << 4) + nibble2bin((x)[1])) -#define nibble2c(x) ((x) >= 10 ? ('a'-10+(x)) : ('0' + (x))) - -static void asc2bin (u_int8_t *bin, u_int8_t *asc, u_int16_t len) -{ - int i; - - for (i = 0; i < len; i += 2, asc += 2) - { - *bin++ = hexchar2bin(asc); - } -} - -void -special_test_blf (void) -{ - u_int8_t *akey = "0123456789ABCDEFF0E1D2C3B4A59687"; - u_int8_t *aiv = "FEDCBA9876543210"; - u_int8_t data[] = "7654321 Now is the time for \0\0\0"; /* len 29 */ - u_int8_t *acipher - = "6B77B4D63006DEE605B156E27403979358DEB9E7154616D959F1652BD5FF92CCE7"; - u_int8_t key[16], cipher[32], iv[8]; - struct crypto_xf *xf; - struct keystate *ks; - enum cryptoerr err; - int i; - - asc2bin (key, akey, strlen (akey)); - asc2bin (iv, aiv, strlen (aiv)); - asc2bin (cipher, acipher, 64); - - xf = crypto_get (BLOWFISH_CBC); - printf ("Special Test-Case %s: ", xf->name); - - ks = crypto_init (xf, key, 16, &err); - if (!ks) - { - printf ("FAILED (init %d)", err); - goto fail; - } - - crypto_init_iv (ks, iv, xf->blocksize); - crypto_encrypt (ks, data, 32); - - for (i = 0; i < 32; i++) - if (data[i] != cipher[i]) - break; - if (i < 32) - printf ("FAILED "); - else - printf ("OKAY "); - - free (ks); - -fail: - printf ("\n"); - return; -} - -int -main (void) -{ - test_crypto (DES_CBC); - - test_crypto (TRIPLEDES_CBC); - - test_crypto (BLOWFISH_CBC); - - test_crypto (CAST_CBC); - - test_crypto (AES_CBC); - - special_test_blf (); - - return 1; -} - -void -dump_buf (u_int8_t *buf, size_t len) -{ - size_t i; - - for (i = 0; i < len; i++) - printf ("%02x ", buf[i]); - printf ("\n"); -} - -void -test_crypto (enum transform which) -{ - u_int8_t buf[256]; - struct crypto_xf *xf; - struct keystate *ks; - enum cryptoerr err; - - xf = crypto_get (which); - printf ("Testing %s: ", xf->name); - - SET_KEY (buf, xf->keymax); - ks = crypto_init (xf, buf, xf->keymax, &err); - if (!ks) - { - printf ("FAILED (init %d)", err); - goto fail; - } - SET_KEY (buf, sizeof (buf)); - crypto_init_iv (ks, buf, xf->blocksize); - crypto_encrypt (ks, buf, sizeof (buf)); - dump_buf (buf, sizeof buf); - crypto_decrypt (ks, buf, sizeof (buf)); - if (!verify_buf (buf, sizeof (buf))) - printf ("FAILED "); - else - printf ("OKAY "); - - free (ks); - - fail: - printf ("\n"); - return; -} diff --git a/keyexchange/isakmpd-20041012/regress/dh/.cvsignore b/keyexchange/isakmpd-20041012/regress/dh/.cvsignore deleted file mode 100644 index d47de54..0000000 --- a/keyexchange/isakmpd-20041012/regress/dh/.cvsignore +++ /dev/null @@ -1,2 +0,0 @@ -dhtest -obj diff --git a/keyexchange/isakmpd-20041012/regress/dh/Makefile b/keyexchange/isakmpd-20041012/regress/dh/Makefile deleted file mode 100644 index e7f8d79..0000000 --- a/keyexchange/isakmpd-20041012/regress/dh/Makefile +++ /dev/null @@ -1,29 +0,0 @@ -# $OpenBSD: Makefile,v 1.8 2004/02/25 16:01:29 hshoexer Exp $ -# $EOM: Makefile,v 1.10 2000/04/07 20:19:43 niklas Exp $ - -# Test DH: - -PROG= dhtest -SRCS= math_2n.c math_ec2n.c math_group.c dh.c dhtest.c log.c util.c \ - sysdep.c gmp_util.c conf.c -TOPSRC= ${.CURDIR}/../.. -TOPOBJ!= cd ${TOPSRC}; printf "all:\n\t@pwd\n" |${MAKE} -f- -OS!= awk '/^OS=/ { print $$2 }' ${.CURDIR}/../../Makefile -FEATURES!= awk '/^FEATURES=/ { print $$0 }' ${.CURDIR}/../../Makefile | sed 's/FEATURES=.//' -.PATH: ${TOPSRC} ${TOPSRC}/sysdep/${OS} ${TOPOBJ} -CFLAGS+= -I${TOPSRC} -I${TOPSRC}/sysdep/${OS} -I${TOPOBJ} -Wall \ - -DUSE_EC -NOMAN= -LDADD+= -lcrypto -DPADD+= ${LIBCRYPTO} -DEBUG= -g - -.if ${FEATURES:Mgmp} == "gmp" -CFLAGS+= -DMP_FLAVOUR=MP_FLAVOUR_GMP -LDADD+= -lgmp -DPADD+= ${LIBGMP} -.else -CFLAGS+= -DMP_FLAVOUR=MP_FLAVOUR_OPENSSL -.endif - -.include <bsd.prog.mk> diff --git a/keyexchange/isakmpd-20041012/regress/dh/dhtest.c b/keyexchange/isakmpd-20041012/regress/dh/dhtest.c deleted file mode 100644 index ef23caf..0000000 --- a/keyexchange/isakmpd-20041012/regress/dh/dhtest.c +++ /dev/null @@ -1,102 +0,0 @@ -/* $OpenBSD: dhtest.c,v 1.5 2003/06/03 14:39:50 ho Exp $ */ -/* $EOM: dhtest.c,v 1.1 1998/07/18 21:14:20 provos Exp $ */ - -/* - * Copyright (c) 1998 Niels Provos. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -/* - * This module does a Diffie-Hellman Exchange - */ - -#include <stdlib.h> -#include <string.h> -#include <stdio.h> - -#include "math_group.h" -#include "dh.h" - -#define DUMP_X(_x_) point = (_x_); b2n_print (point->x); - -int -main (void) -{ - int len; - char buf[100], buf2[100]; - char sec[100], sec2[100]; - struct group *group, *group2; - - group_init (); - group = group_get (4); - group2 = group_get (4); - - printf ("Testing DH (elliptic curve): \n"); - - printf ("dh_getlen\n"); - len = dh_getlen (group); - printf ("dh_create_exchange\n"); - dh_create_exchange (group, buf); - dh_create_exchange (group2, buf2); - - printf ("dh_create_shared\n"); - dh_create_shared (group, sec, buf2); - dh_create_shared (group2, sec2, buf); - - printf ("Result: "); - if (memcmp (sec, sec2, len)) - printf ("FAILED "); - else - printf ("OKAY "); - - group_free (group); - group_free (group2); - - printf ("\nTesting DH (MODP): \n"); - - group = group_get (1); - group2 = group_get (1); - - printf ("dh_getlen\n"); - len = dh_getlen (group); - printf ("dh_create_exchange\n"); - dh_create_exchange (group, buf); - dh_create_exchange (group2, buf2); - - printf ("dh_create_shared\n"); - dh_create_shared (group, sec, buf2); - dh_create_shared (group2, sec2, buf); - - printf ("Result: "); - if (memcmp (sec, sec2, len)) - printf ("FAILED "); - else - printf ("OKAY "); - - - printf ("\n"); - return 1; -} diff --git a/keyexchange/isakmpd-20041012/regress/ec2n/.cvsignore b/keyexchange/isakmpd-20041012/regress/ec2n/.cvsignore deleted file mode 100644 index 6f2d7c6..0000000 --- a/keyexchange/isakmpd-20041012/regress/ec2n/.cvsignore +++ /dev/null @@ -1,2 +0,0 @@ -ec2ntest -obj diff --git a/keyexchange/isakmpd-20041012/regress/ec2n/Makefile b/keyexchange/isakmpd-20041012/regress/ec2n/Makefile deleted file mode 100644 index 827ecbe..0000000 --- a/keyexchange/isakmpd-20041012/regress/ec2n/Makefile +++ /dev/null @@ -1,16 +0,0 @@ -# $OpenBSD: Makefile,v 1.7 2004/02/25 16:01:29 hshoexer Exp $ -# $EOM: Makefile,v 1.9 2000/10/13 13:04:17 ho Exp $ - -# Test EC2N: - -PROG= ec2ntest -SRCS= math_2n.c math_ec2n.c ec2ntest.c log.c sysdep.c util.c conf.c -TOPSRC= ${.CURDIR}/../.. -TOPOBJ!= cd ${TOPSRC}; printf "all:\n\t@pwd\n" |${MAKE} -f- -OS!= awk '/^OS=/ { print $$2 }' ${.CURDIR}/../../Makefile -.PATH: ${TOPSRC} ${TOPSRC}/sysdep/${OS} ${TOPOBJ} -CFLAGS+= -I${TOPSRC} -I${TOPSRC}/sysdep/${OS} -I${TOPOBJ} -Wall -NOMAN= -DEBUG= -g - -.include <bsd.prog.mk> diff --git a/keyexchange/isakmpd-20041012/regress/ec2n/ec2ntest.c b/keyexchange/isakmpd-20041012/regress/ec2n/ec2ntest.c deleted file mode 100644 index 0535e8c..0000000 --- a/keyexchange/isakmpd-20041012/regress/ec2n/ec2ntest.c +++ /dev/null @@ -1,144 +0,0 @@ -/* $OpenBSD: ec2ntest.c,v 1.5 2003/06/04 07:31:17 ho Exp $ */ -/* $EOM: ec2ntest.c,v 1.3 1998/07/16 09:21:59 niklas Exp $ */ - -/* - * Copyright (c) 1998 Niels Provos. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -/* - * B2N is a module for doing arithmetic on the Field GF(2**n) which is - * isomorph to ring of polynomials GF(2)[x]/p(x) where p(x) is an - * irreduciable polynomial over GF(2)[x] with grade n. - */ - -#include <stdlib.h> -#include <string.h> -#include <stdio.h> - -#include "math_2n.h" -#include "math_ec2n.h" - -#define BUFSIZE 200 - -#define CMP_FAIL(n,x) b2n_snprint (buf, BUFSIZE, n); if (strcmp (buf, (x))) \ - printf ("FAILED: %s != %s ", buf, x); else printf ("OKAY "); - -int -main (void) -{ - b2n_t k; - ec2np_t p, q, r; - ec2ng_t g; - char buf[BUFSIZE]; - - b2n_init (k); - ec2np_init (p); - ec2np_init (q); - ec2np_init (r); - ec2ng_init (g); - - printf ("Testing: ec2ng_set* :"); - /* Init Group */ - ec2ng_set_p_str (g, "0x0800000000000000000000004000000000000001"); - CMP_FAIL (g->p, "0x0800000000000000000000004000000000000001"); - ec2ng_set_a_ui (g, 0); - CMP_FAIL (g->a, "0x00"); - ec2ng_set_b_str (g, "0x07338f"); - CMP_FAIL (g->b, "0x07338f"); - - printf ("\nTesting: ec2np_find_y: "); - /* Init Point */ - ec2np_set_x_ui (p, 0x7b); - ec2np_find_y (p, g); - - CMP_FAIL (p->y, "0x01c8"); - - printf ("\nTesting: ec2np_ison: "); - if (ec2np_ison (p, g)) - printf ("OKAY "); - else - printf ("FAILED "); - - ec2np_set_x_ui (q, 0x4); - ec2np_find_y (q, g); - if (ec2np_ison (q, g)) - printf ("OKAY "); - else - printf ("FAILED "); - - printf ("\nTesting: ec2np_add: "); - ec2np_set (r, p); - b2n_add (r->y, r->y, r->x); - ec2np_add (r, r, p, g); - if (!r->inf) - printf ("FAILED "); - else - printf ("OKAY "); - - ec2np_add (q, p, q, g); - CMP_FAIL (q->x, "0x06f32d7cc82cec8612a87a86e026350fb7595469"); - CMP_FAIL (q->y, "0x4ab92e21e51358ca8deab3fbbc9f7d8a7d1575"); - if (ec2np_ison (q, g)) - printf ("OKAY "); - else - printf ("FAILED "); - - ec2np_add (p, q, q, g); - CMP_FAIL (p->x, "0x0390001461385559a22ac9b6181c1e1889b38451"); - CMP_FAIL (p->y, "0x0188e61f38d747d7813c6a8b33d14dfb7418b04c"); - if (ec2np_ison (p, g)) - printf ("OKAY "); - else - printf ("FAILED "); - - printf ("\nTesting: ec2np_mul: "); - b2n_set_ui (k, 57); - ec2np_set (q, p); - ec2np_mul (q, q, k, g); - if (ec2np_ison (q, g)) - printf ("OKAY "); - else - printf ("FAILED "); - CMP_FAIL (q->x, "0x06bcf88caab88f99399350c46559da3b91afbf9d"); - - b2n_set_str (k, "0x0800000000000000000057db5698537193aef943"); - ec2np_set (q, p); - ec2np_mul (q, q, k, g); - if (ec2np_ison (q, g)) - printf ("OKAY "); - else - printf ("FAILED "); - CMP_FAIL (q->x, "0x0390001461385559a22ac9b6181c1e1889b38451"); - - printf ("\n"); - ec2np_clear (p); - ec2np_clear (q); - ec2np_clear (r); - ec2ng_clear (g); - b2n_clear (k); - return 1; -} diff --git a/keyexchange/isakmpd-20041012/regress/exchange/.cvsignore b/keyexchange/isakmpd-20041012/regress/exchange/.cvsignore deleted file mode 100644 index b672fde..0000000 --- a/keyexchange/isakmpd-20041012/regress/exchange/.cvsignore +++ /dev/null @@ -1 +0,0 @@ -obj diff --git a/keyexchange/isakmpd-20041012/regress/exchange/Makefile b/keyexchange/isakmpd-20041012/regress/exchange/Makefile deleted file mode 100644 index ac22db8..0000000 --- a/keyexchange/isakmpd-20041012/regress/exchange/Makefile +++ /dev/null @@ -1,58 +0,0 @@ -# $OpenBSD: Makefile,v 1.7 2003/06/03 14:39:50 ho Exp $ -# $EOM: Makefile,v 1.8 2000/03/28 21:22:07 ho Exp $ - -# -# Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Ericsson Radio Systems. -# - -TOPSRC= ${.CURDIR}/../.. -TOPOBJ!= cd ${TOPSRC}; printf "all:\n\t@pwd\n" |${MAKE} -f- -OS!= awk '/^OS=/ { print $$2 }' ${.CURDIR}/../../Makefile -.PATH: ${TOPSRC} ${TOPSRC}/sysdep/${OS} ${TOPOBJ} -CFLAGS+= -I${TOPSRC} -I${TOPSRC}/sysdep/${OS} -I${TOPOBJ} -Wall -RUN= ISAKMPD=${TOPOBJ}/isakmpd ${.CURDIR}/run.sh - -TESTS= def - -all: - -test: ${TESTS:S/^/test-/} - -.for TEST in ${TESTS} -test-${TEST}: -.ifdef ONLY_INIT - @echo Testing "${TEST}" test as initiator - @${RUN} ${RUNFLAGS} ${.CURDIR}/${TEST} -.endif -.ifdef ONLY_RESP - @echo Testing "${TEST}" test as responder - @${RUN} -r ${RUNFLAGS} ${.CURDIR}/${TEST} -.endif -.endfor - -.include <bsd.obj.mk> -.include <bsd.subdir.mk> diff --git a/keyexchange/isakmpd-20041012/regress/exchange/README b/keyexchange/isakmpd-20041012/regress/exchange/README deleted file mode 100644 index cd1555b..0000000 --- a/keyexchange/isakmpd-20041012/regress/exchange/README +++ /dev/null @@ -1,78 +0,0 @@ -$OpenBSD: README,v 1.1 1999/08/05 22:41:39 niklas Exp $ -$EOM: README,v 1.1 1999/08/05 15:07:37 niklas Exp $ - -XXX The old run.sh test-framework is obsoleted, it will go away anyday. - -We wanted to do a regression test environment which was flexible -enough to be able to easily reproduce anomalies in isakmpd. It -turns out this is not easy to do, as many problems are timing related. - -Currently ticks are milliseconds. An idea is to try to measure -isakmpd's response time somehow, and use that time as some kind of -basis for a tick. - -Our test environment should be able to parse scripts like this: - -#Tick Action Format Data -0 send H* ffffffff -0 recv H* 00000000 -1000 send H* deadbeef - -Ticks are not absolute but relative to the last event. the format is -Perl's pack/unpack template formats. Data is in the given format with -one exception, spaces are ignored, newlines are end-of-data unless -preceeded by a backslash. - -Comments are lines with a numbersign as the first non-whitespace -character. Empty lines are ignored, unless inside a multi-line data -in which it will be part of the data buffer. - -Here is a real world example: - -# $RCSId$ - -# Initiate a MM -0 send H* ad9de636 f12460bb 00000000 00000000 01100200 00000000 \ - 00000050 00000034 00000001 00000001 00000028 01010001 \ - 00000020 00010000 80010005 80020002 80030001 80040002 \ - 800b0001 800c0258 - -400 recv H* ad9de636 f12460bb 2aa5a583 ab2f3980 01100200 00000000 \ - 00000050 00000034 00000001 00000001 00000028 01010001 \ - 00000020 00010000 80010005 80020002 80030001 80040002 \ - 800b0001 800c0258 - -110 send H* ad9de636 f12460bb 2aa5a583 ab2f3980 04100200 00000000 \ - 000000b4 0a000084 60a8c102 ce97687e 45e3fdd9 6fd586b4 \ - f3a91167 559dd214 a78d678e 2772b7b2 83267487 15ec02a9 \ - 419b77ee 0f2add09 e9e09b7d ad40c883 ef2039c9 c59b67ff \ - 56e4d6f8 c99d47cb d4a565bc 8d192f76 f695d243 09121df5 \ - 524884a7 3f702630 7f4fad44 e222c4b1 242fd1cd ca3a161d \ - bcdf6706 025cc90d c4b00ef9 bee5ada2 00000014 ff7c493c \ - 88e68a10 4ab19a6a 7e75c771 - -800 recv H* ad9de636 f12460bb 2aa5a583 ab2f3980 04100200 00000000 \ - 000000b4 0a000084 681b9859 7680a3ff 894bb982 ef924bc8 \ - 4d9c7ebf 3a92db7b bcfe68f7 6e1de327 a975293f f5c550b1 \ - 9c69d6ed 64f201ec 514f4f44 0e6242b9 df4917e6 4418212d \ - 66a66eb1 f3b70c2d 4e14e382 d42ebe04 1027957c 5dadcaf1 \ - a531c085 6cee739f 433c185c 12a8a946 88622f66 f211783c \ - 277e134d 22d8e809 f1d38bab 6ca2a35f 00000014 6a917048 \ - a406fd47 b3d16554 cd6f0967 - -140 send H* ad9de636 f12460bb 2aa5a583 ab2f3980 05100201 00000000 \ - 0000005c d6571dec a8b55acb 1069210c 7d195417 1c2738e9 \ - 42f1d9a3 8561d0ec 0697cd06 ac1beb19 1dc8acf5 904ec1d5 \ - 5b2b154e 38b0de90 4f2e1f71 083047ca 10cab3d5 - -900 recv H* ad9de636 f12460bb 2aa5a583 ab2f3980 05100201 00000000 \ - 00000044 b46b1db4 9ecfbfa6 a5e9baa2 8eb3cb68 be3a857c \ - b039fa72 d595e69f 03669dbd 350781e2 56c36dce - -run with: - -perl run.pl filename - -You need to have an isakmpd listening on the address which is given in -run.pl. Of course you need to run it in deterministic mode (-r). -There will be a better explanation soon. diff --git a/keyexchange/isakmpd-20041012/regress/exchange/def-i.1 b/keyexchange/isakmpd-20041012/regress/exchange/def-i.1 Binary files differdeleted file mode 100644 index 1712249..0000000 --- a/keyexchange/isakmpd-20041012/regress/exchange/def-i.1 +++ /dev/null diff --git a/keyexchange/isakmpd-20041012/regress/exchange/def-r.1 b/keyexchange/isakmpd-20041012/regress/exchange/def-r.1 Binary files differdeleted file mode 100644 index 56f5e62..0000000 --- a/keyexchange/isakmpd-20041012/regress/exchange/def-r.1 +++ /dev/null diff --git a/keyexchange/isakmpd-20041012/regress/exchange/mm-1-setup.sh b/keyexchange/isakmpd-20041012/regress/exchange/mm-1-setup.sh deleted file mode 100644 index 0efd7c9..0000000 --- a/keyexchange/isakmpd-20041012/regress/exchange/mm-1-setup.sh +++ /dev/null @@ -1,12 +0,0 @@ -# $OpenBSD: mm-1-setup.sh,v 1.2 2000/01/26 15:23:52 niklas Exp $ -# $EOM: mm-1-setup.sh,v 1.2 1999/10/05 12:54:27 niklas Exp $ - -# XXX Need to start isakmpd here in a nice way. - -echo "C set [Phase 1]:127.0.0.1=localhost 1">/tmp/fifo -echo "C set [localhost]:phase=1 1">/tmp/fifo -echo "C set [localhost]:transport=udp 1">/tmp/fifo -echo "C set [localhost]:address=127.0.0.1 1">/tmp/fifo -echo "C set [localhost]:port=1501 1">/tmp/fifo -echo "C set [localhost]:configuration=default-main-mode 1">/tmp/fifo -echo "C set [localhost]:authentication=mekmitasdigoat 1">/tmp/fifo diff --git a/keyexchange/isakmpd-20041012/regress/exchange/mm-i-1.t b/keyexchange/isakmpd-20041012/regress/exchange/mm-i-1.t deleted file mode 100644 index 9f9b1be..0000000 --- a/keyexchange/isakmpd-20041012/regress/exchange/mm-i-1.t +++ /dev/null @@ -1,43 +0,0 @@ -# $OpenBSD: mm-i-1.t,v 1.1 1999/08/05 22:41:39 niklas Exp $ -# $EOM: mm-i-1.t,v 1.1 1999/08/05 15:07:38 niklas Exp $ - -# The seed to isakmpd was 19990805 - -# Initiate a MM -0 send H* ad9de636 f12460bb 00000000 00000000 01100200 00000000 \ - 00000050 00000034 00000001 00000001 00000028 01010001 \ - 00000020 00010000 80010005 80020002 80030001 80040002 \ - 800b0001 800c0258 - -400 recv H* ad9de636 f12460bb 2aa5a583 ab2f3980 01100200 00000000 \ - 00000050 00000034 00000001 00000001 00000028 01010001 \ - 00000020 00010000 80010005 80020002 80030001 80040002 \ - 800b0001 800c0258 - -110 send H* ad9de636 f12460bb 2aa5a583 ab2f3980 04100200 00000000 \ - 000000b4 0a000084 60a8c102 ce97687e 45e3fdd9 6fd586b4 \ - f3a91167 559dd214 a78d678e 2772b7b2 83267487 15ec02a9 \ - 419b77ee 0f2add09 e9e09b7d ad40c883 ef2039c9 c59b67ff \ - 56e4d6f8 c99d47cb d4a565bc 8d192f76 f695d243 09121df5 \ - 524884a7 3f702630 7f4fad44 e222c4b1 242fd1cd ca3a161d \ - bcdf6706 025cc90d c4b00ef9 bee5ada2 00000014 ff7c493c \ - 88e68a10 4ab19a6a 7e75c771 - -800 recv H* ad9de636 f12460bb 2aa5a583 ab2f3980 04100200 00000000 \ - 000000b4 0a000084 681b9859 7680a3ff 894bb982 ef924bc8 \ - 4d9c7ebf 3a92db7b bcfe68f7 6e1de327 a975293f f5c550b1 \ - 9c69d6ed 64f201ec 514f4f44 0e6242b9 df4917e6 4418212d \ - 66a66eb1 f3b70c2d 4e14e382 d42ebe04 1027957c 5dadcaf1 \ - a531c085 6cee739f 433c185c 12a8a946 88622f66 f211783c \ - 277e134d 22d8e809 f1d38bab 6ca2a35f 00000014 6a917048 \ - a406fd47 b3d16554 cd6f0967 - -140 send H* ad9de636 f12460bb 2aa5a583 ab2f3980 05100201 00000000 \ - 0000005c d6571dec a8b55acb 1069210c 7d195417 1c2738e9 \ - 42f1d9a3 8561d0ec 0697cd06 ac1beb19 1dc8acf5 904ec1d5 \ - 5b2b154e 38b0de90 4f2e1f71 083047ca 10cab3d5 - -900 recv H* ad9de636 f12460bb 2aa5a583 ab2f3980 05100201 00000000 \ - 00000044 b46b1db4 9ecfbfa6 a5e9baa2 8eb3cb68 be3a857c \ - b039fa72 d595e69f 03669dbd 350781e2 56c36dce - diff --git a/keyexchange/isakmpd-20041012/regress/exchange/mm-r-1.t b/keyexchange/isakmpd-20041012/regress/exchange/mm-r-1.t deleted file mode 100644 index 0c48224..0000000 --- a/keyexchange/isakmpd-20041012/regress/exchange/mm-r-1.t +++ /dev/null @@ -1,42 +0,0 @@ -# $OpenBSD: mm-r-1.t,v 1.1 1999/08/05 22:41:39 niklas Exp $ -# $EOM: mm-r-1.t,v 1.1 1999/08/05 15:07:38 niklas Exp $ - -# The seed to isakmpd was 19990805 - -# Respond to this MM -999999 recv H* ad9de636 f12460bb 00000000 00000000 01100200 00000000 \ - 00000050 00000034 00000001 00000001 00000028 01010001 \ - 00000020 00010000 80010005 80020002 80030001 80040002 \ - 800b0001 800c0258 - -40 send H* ad9de636 f12460bb 2aa5a583 ab2f3980 01100200 00000000 \ - 00000050 00000034 00000001 00000001 00000028 01010001 \ - 00000020 00010000 80010005 80020002 80030001 80040002 \ - 800b0001 800c0258 - -1100 recv H* ad9de636 f12460bb 2aa5a583 ab2f3980 04100200 00000000 \ - 000000b4 0a000084 60a8c102 ce97687e 45e3fdd9 6fd586b4 \ - f3a91167 559dd214 a78d678e 2772b7b2 83267487 15ec02a9 \ - 419b77ee 0f2add09 e9e09b7d ad40c883 ef2039c9 c59b67ff \ - 56e4d6f8 c99d47cb d4a565bc 8d192f76 f695d243 09121df5 \ - 524884a7 3f702630 7f4fad44 e222c4b1 242fd1cd ca3a161d \ - bcdf6706 025cc90d c4b00ef9 bee5ada2 00000014 ff7c493c \ - 88e68a10 4ab19a6a 7e75c771 - -80 send H* ad9de636 f12460bb 2aa5a583 ab2f3980 04100200 00000000 \ - 000000b4 0a000084 681b9859 7680a3ff 894bb982 ef924bc8 \ - 4d9c7ebf 3a92db7b bcfe68f7 6e1de327 a975293f f5c550b1 \ - 9c69d6ed 64f201ec 514f4f44 0e6242b9 df4917e6 4418212d \ - 66a66eb1 f3b70c2d 4e14e382 d42ebe04 1027957c 5dadcaf1 \ - a531c085 6cee739f 433c185c 12a8a946 88622f66 f211783c \ - 277e134d 22d8e809 f1d38bab 6ca2a35f 00000014 6a917048 \ - a406fd47 b3d16554 cd6f0967 - -1400 recv H* ad9de636 f12460bb 2aa5a583 ab2f3980 05100201 00000000 \ - 0000005c d6571dec a8b55acb 1069210c 7d195417 1c2738e9 \ - 42f1d9a3 8561d0ec 0697cd06 ac1beb19 1dc8acf5 904ec1d5 \ - 5b2b154e 38b0de90 4f2e1f71 083047ca 10cab3d5 - -90 send H* ad9de636 f12460bb 2aa5a583 ab2f3980 05100201 00000000 \ - 00000044 b46b1db4 9ecfbfa6 a5e9baa2 8eb3cb68 be3a857c \ - b039fa72 d595e69f 03669dbd 350781e2 56c36dce diff --git a/keyexchange/isakmpd-20041012/regress/exchange/run.pl b/keyexchange/isakmpd-20041012/regress/exchange/run.pl deleted file mode 100644 index d9fce2d..0000000 --- a/keyexchange/isakmpd-20041012/regress/exchange/run.pl +++ /dev/null @@ -1,105 +0,0 @@ -#!/usr/bin/perl -# $OpenBSD: run.pl,v 1.2 2004/01/26 14:56:03 niklas Exp $ -# $EOM: run.pl,v 1.2 1999/08/05 22:42:42 niklas Exp $ - -# -# Copyright (c) 2004 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -use strict; -require 5.002; -require 'sys/syscall.ph'; -use Socket; -use Sys::Hostname; - -my ($rfd, $tickfac, $myaddr, $myport, $hisaddr, $hisport, $proto, $bindaddr, - $conaddr, $sec, $tick, $action, $template, $data, $next, - $nfd, $pkt, $verbose); - -$| = 1; - -$verbose = 1; -$tickfac = 0.001; -$myaddr = gethostbyname ('127.0.0.1'); -$myport = 1501; - $hisaddr = inet_aton ('127.0.0.1'); -$hisport = 1500; - -$proto = getprotobyname ('udp'); -$bindaddr = sockaddr_in ($myport, $myaddr); -socket (SOCKET, PF_INET, SOCK_DGRAM, $proto) || die "socket: $!"; -bind (SOCKET, $bindaddr); -vec ($rfd, fileno SOCKET, 1) = 1; - -$conaddr = sockaddr_in ($hisport, $hisaddr); - -sub getsec -{ - my ($tv) = pack ("ll", 0, 0); - my ($tz) = pack ("ii", 0, 0); - syscall (&SYS_gettimeofday, $tv, $tz) && return undef; - my ($sec, $usec) = unpack ("ll", $tv); - $sec % 86400 + $usec / 1000000; -} - -$sec = &getsec; -while (<>) { - next if /^\s*#/o || /^\s*$/o; - chop; - ($tick, $action, $template, $data) = split ' ', $_, 4; - while ($data =~ /\\$/o) { - chop $data; - $_ = <>; - next if /^\s*#/o; - chop; - $data .= $_; - } - $data =~ s/\s//go; - $data = pack $template, $data; - $next = $sec + $tick * $tickfac; - if ($action eq "send") { - # Wait for the moment to come. - print STDERR "waiting ", $next - $sec, " secs\n"; - select undef, undef, undef, $next - $sec - while ($sec = &getsec) < $next; -# print $data; - send SOCKET, $data, 0, $conaddr; - print STDERR "sent ", unpack ("H*", $data), "\n" if $verbose; - } elsif ($action eq "recv") { - $sec = &getsec; - printf (STDERR "waiting for data or the %.3f sec timeout\n", - $next - $sec); - $nfd = select $rfd, undef, undef, $next - $sec; - if ($nfd) { - printf STDERR "got back after %.3f secs\n", &getsec - $sec - if $verbose; -# sysread (STDIN, $pkt, 65536) if $nfd; - sysread (SOCKET, $pkt, 65536) if $nfd; - print STDERR "read ", unpack ("H*", $pkt), "\n" if $verbose; - print STDERR "cmp ", unpack ("H*", $data), "\n" if $verbose; - } else { - print STDERR "timed out\n" if $verbose; - } - die "mismatch\n" if $pkt ne $data; - } -} diff --git a/keyexchange/isakmpd-20041012/regress/exchange/run.sh b/keyexchange/isakmpd-20041012/regress/exchange/run.sh deleted file mode 100644 index 587c2c1..0000000 --- a/keyexchange/isakmpd-20041012/regress/exchange/run.sh +++ /dev/null @@ -1,137 +0,0 @@ -#!/bin/sh -# $OpenBSD: run.sh,v 1.8 2004/01/09 10:03:04 hshoexer Exp $ -# $EOM: run.sh,v 1.6 1999/08/05 15:02:33 niklas Exp $ - -# -# Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Ericsson Radio Systems. -# - -# Defaults -SRCPORT=1500 -DSTPORT=1501 -FIFO=test.fifo -TIMEOUT=2 - -NC=${NC:-/usr/bin/nc} -ISAKMPD=${ISAKMPD:-/sbin/isakmpd} - -progname=`basename $0` -indent=`echo -n $progname |sed 's/./ /g'` -seed=980801 -initiator=yes -retval=0 -verbose=no -clean=yes - -usage () -{ - echo "usage: $progname [-nrv] [-d dst-port] [-f fifo] [-s src-port]" >&2 - echo " $indent [-t timeout] testsuite" >&2 - exit 2 -} - -set -- `getopt d:f:nrs:t:v $*` -if [ $? != 0 ]; then - usage -fi -for i; do - case "$i" in - -d) - DSTPORT=$2; shift; shift;; - -f) - FIFO=$2; shift; shift;; - -n) - clean=no; shift;; - -r) - initiator=no; shift;; - -s) - SRCPORT=$2; shift; shift;; - -t) - TIMEOUT=$2; shift; shift;; - -v) - verbose=yes; shift;; - --) - shift; break;; - esac -done - -if [ $# -eq 1 ]; then - suite=$1 -else - usage -fi - -[ ${verbose} = yes ] && set -x - -# Start isakmpd and wait for the fifo to get created -rm -f ${FIFO} -${ISAKMPD} -d -p${SRCPORT} -f${FIFO} -r${seed} & -isakmpd_pid=$! -trap 'kill $isakmpd_pid; rm -f${FIFO}; [ $clean = yes ] && rm -f packet' 1 2 15 -while [ ! -p ${FIFO} ]; do - sleep 1 -done - -# Start the exchange -if [ $initiator = yes ]; then - ${NC} -nul -w${TIMEOUT} 127.0.0.1 ${DSTPORT} </dev/null >packet & -# ${NC} -nu -w${TIMEOUT} -p${SRCPORT} 127.0.0.1 ${DSTPORT} </dev/null >packet - sleep 1 - echo "c udp 127.0.0.1:${DSTPORT} 2 1" >${FIFO} - in_packets=`ls ${suite}-i.* 2>/dev/null` - out_packets=`ls ${suite}-r.* 2>/dev/null` -else - in_packets=`ls ${suite}-r.* 2>/dev/null` - out_packets=`ls ${suite}-i.* 2>/dev/null` -fi -his_turn=$initiator -while [ \( $his_turn = yes -a X"$in_packets" != X \) \ - -o \( $his_turn = no -a X"$out_packets" != X \) ]; do - if [ $his_turn = no ]; then - set $out_packets - packet=$1 - shift - out_packets=$* - cat $packet |${NC} -nu -w${TIMEOUT} -p${SRCPORT} 127.0.0.1 ${DSTPORT} \ - >packet - my_turn=no - else - set $in_packets - packet=$1 - shift - in_packets=$* - if ! cmp $packet packet 2>/dev/null; then - retval=1 - break - fi - my_turn=yes - fi -done -kill $isakmpd_pid -rm -f ${FIFO} -[ $clean = yes ] && rm -f packet -exit $retval diff --git a/keyexchange/isakmpd-20041012/regress/group/.cvsignore b/keyexchange/isakmpd-20041012/regress/group/.cvsignore deleted file mode 100644 index 2326f3a..0000000 --- a/keyexchange/isakmpd-20041012/regress/group/.cvsignore +++ /dev/null @@ -1,2 +0,0 @@ -grouptest -obj diff --git a/keyexchange/isakmpd-20041012/regress/group/Makefile b/keyexchange/isakmpd-20041012/regress/group/Makefile deleted file mode 100644 index 9dc9982..0000000 --- a/keyexchange/isakmpd-20041012/regress/group/Makefile +++ /dev/null @@ -1,29 +0,0 @@ -# $OpenBSD: Makefile,v 1.8 2004/02/25 16:01:29 hshoexer Exp $ -# $EOM: Makefile,v 1.12 2000/04/07 20:19:43 niklas Exp $ - -# Test Group: - -PROG= grouptest -SRCS= math_2n.c math_ec2n.c math_group.c grouptest.c log.c util.c \ - sysdep.c gmp_util.c conf.c -TOPSRC= ${.CURDIR}/../.. -TOPOBJ!= cd ${TOPSRC}; printf "all:\n\t@pwd\n" |${MAKE} -f- -OS!= awk '/^OS=/ { print $$2 }' ${.CURDIR}/../../Makefile -FEATURES!= awk '/^FEATURES=/ { print $$0 }' ${.CURDIR}/../../Makefile | sed 's/FEATURES=.//' -.PATH: ${TOPSRC} ${TOPSRC}/sysdep/${OS} ${TOPOBJ} -CFLAGS+= -I${TOPSRC} -I${TOPSRC}/sysdep/${OS} -I${TOPOBJ} -Wall \ - -DUSE_EC -NOMAN= -LDADD+= -lcrypto -DPADD+= ${LIBCRYPTO} -DEBUG= -g - -.if ${FEATURES:Mgmp} == "gmp" -CFLAGS+= -DMP_FLAVOUR=MP_FLAVOUR_GMP -LDADD+= -lgmp -DPADD+= ${LIBGMP} -.else -CFLAGS+= -DMP_FLAVOUR=MP_FLAVOUR_OPENSSL -.endif - -.include <bsd.prog.mk> diff --git a/keyexchange/isakmpd-20041012/regress/group/grouptest.c b/keyexchange/isakmpd-20041012/regress/group/grouptest.c deleted file mode 100644 index ba03283..0000000 --- a/keyexchange/isakmpd-20041012/regress/group/grouptest.c +++ /dev/null @@ -1,121 +0,0 @@ -/* $OpenBSD: grouptest.c,v 1.4 2003/06/03 14:39:51 ho Exp $ */ -/* $EOM: grouptest.c,v 1.2 1998/07/18 21:15:55 provos Exp $ */ - -/* - * Copyright (c) 1998 Niels Provos. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -/* - * This module exercises the operations supplied by the group abstraction. - */ - -#include <stdlib.h> -#include <string.h> -#include <stdio.h> - -#include "math_2n.h" -#include "math_ec2n.h" -#include "math_group.h" - -#define DUMP_X(_x_) point = (_x_); b2n_print (point->x); - -int -main (void) -{ - int i; - char buf[100]; - char buf2[100]; - struct group *group, *group2; - ec2np_ptr point; - - group_init (); - group = group_get (3); - group2 = group_get (3); - - printf ("Testing: setraw, getraw: "); - for (i = 0; i < 20; i++) - buf[i] = i; - - group->setraw (group, group->c, buf, 20); - if (group->getlen (group) != 20) - printf ("FAILED "); - else - printf ("OKAY "); - - group->getraw (group, group->c, buf2); - for (i = 0; i < 20; i++) - if (buf2[i] != i) - break; - if (i < 20) - printf ("FAILED "); - else - printf ("OKAY "); - - printf ("\nTesting: setrandom: "); - group->setrandom (group, group->c); - DUMP_X (group->c); - group2->setrandom (group2, group2->c); - DUMP_X (group2->c); - - printf ("\nTesting: operation:\n"); - group->operation (group, group->a, group->gen, group->c); - point = group->a; - printf ("\tX (%d): ", point->x->chunks); b2n_print (point->x); - printf ("\tY (%d): ", point->y->chunks); b2n_print (point->y); - - group2->operation (group2, group2->a, group2->gen, group2->c); - point = group2->a; - printf ("\tX (%d): ", point->x->chunks); b2n_print (point->x); - printf ("\tY (%d): ", point->y->chunks); b2n_print (point->y); - - printf ("Exchange Value 1: "); b2n_print (group->d); - printf ("Exchange Value 2: "); b2n_print (group2->d); - - printf ("Testing: operation ...:\n"); - group->getraw (group, group->a, buf); - group2->setraw (group2, group2->b, buf, 20); - - group2->getraw (group2, group2->a, buf); - group->setraw (group, group->b, buf, 20); - - group2->operation (group2, group2->a, group2->b, group2->c); - printf ("Exchange Value 21: "); DUMP_X (group2->a); - - group->operation (group, group->a, group->b, group->c); - printf ("Exchange Value 12: "); DUMP_X (group->a); - - group->getraw (group, group->a, buf); - group2->getraw (group2, group2->a, buf2); - printf ("Testing: operation ...: "); - if (memcmp(buf, buf2, 20)) - printf ("FAILED "); - else - printf ("OKAY "); - - printf ("\n"); - return 1; -} diff --git a/keyexchange/isakmpd-20041012/regress/hmac/.cvsignore b/keyexchange/isakmpd-20041012/regress/hmac/.cvsignore deleted file mode 100644 index 5fc5f86..0000000 --- a/keyexchange/isakmpd-20041012/regress/hmac/.cvsignore +++ /dev/null @@ -1,2 +0,0 @@ -hmactest -obj diff --git a/keyexchange/isakmpd-20041012/regress/hmac/Makefile b/keyexchange/isakmpd-20041012/regress/hmac/Makefile deleted file mode 100644 index 39bb2c7..0000000 --- a/keyexchange/isakmpd-20041012/regress/hmac/Makefile +++ /dev/null @@ -1,16 +0,0 @@ -# $OpenBSD: Makefile,v 1.4 1999/02/26 03:28:31 niklas Exp $ -# $EOM: Makefile,v 1.3 1999/02/25 15:14:24 niklas Exp $ - -# Test HMAC: - -PROG= hmactest -SRCS= hash.c hmactest.c -TOPSRC= ${.CURDIR}/../.. -TOPOBJ!= cd ${TOPSRC}; printf "all:\n\t@pwd\n" |${MAKE} -f- -OS!= awk '/^OS=/ { print $$2 }' ${.CURDIR}/../../Makefile -.PATH: ${TOPSRC} ${TOPSRC}/sysdep/${OS} ${TOPOBJ} -CFLAGS+= -I${TOPSRC} -I${TOPSRC}/sysdep/${OS} -I${TOPOBJ} -Wall -NOMAN= -DEBUG= -g - -.include <bsd.prog.mk> diff --git a/keyexchange/isakmpd-20041012/regress/hmac/hmactest.c b/keyexchange/isakmpd-20041012/regress/hmac/hmactest.c deleted file mode 100644 index 3b86f06..0000000 --- a/keyexchange/isakmpd-20041012/regress/hmac/hmactest.c +++ /dev/null @@ -1,93 +0,0 @@ -/* $OpenBSD: hmactest.c,v 1.5 2003/06/04 07:31:17 ho Exp $ */ -/* $EOM: hmactest.c,v 1.3 1998/08/09 19:16:24 niklas Exp $ */ - -/* - * Copyright (c) 1998 Niels Provos. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/param.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> - -#include "hash.h" - -int test_hmac(char *, struct hash *, char *, int, char *, int, char *); - -#define nibble2c(x) ((x) >= 10 ? ('a'-10+(x)) : ('0' + (x))) - -int -main (void) -{ - char key[100]; - - memset(key, 11, 20); - test_hmac ("HMAC-MD5 Test Case 1", hash_get (HASH_MD5), - key, 16, "Hi There", 8, "9294727a3638bb1c13f48ef8158bfc9d"); - test_hmac ("HMAC-MD5 Test Case 2", hash_get (HASH_MD5), - "Jefe", 4, - "what do ya want for nothing?", 28, - "750c783e6ab0b503eaa86e310a5db738"); - test_hmac ("HMAC-SHA1 Test Case 1", hash_get (HASH_SHA1), - key, 20, "Hi There", 8, - "b617318655057264e28bc0b6fb378c8ef146be00"); - test_hmac ("HMAC-SHA1 Test Case 2", hash_get (HASH_SHA1), - "Jefe", 4, "what do ya want for nothing?", 28, - "effcdf6ae5eb2fa2d27416d5f184df9c259a7c79"); - - return 1; -} - -int -test_hmac(char *test, struct hash *hash, char *key, int klen, - char *data, int dlen, char *cmp) -{ - char output[2*HASH_MAX+1]; - int i; - - printf("Testing %s: ", test); - - hash->HMACInit(hash, key, klen); - hash->Update(hash->ctx, data, dlen); - hash->HMACFinal(hash->digest, hash); - - for (i=0; i<hash->hashsize; i++) - { - output[2*i] = nibble2c((hash->digest[i] >> 4) & 0xf); - output[2*i+1] = nibble2c(hash->digest[i] & 0xf); - } - output[2*i] = 0; - - if (!strcmp(output, cmp)) - { - printf("OKAY\n"); - return 1; - } - - printf("%s <-> %s\n", output, cmp); - return 0; -} diff --git a/keyexchange/isakmpd-20041012/regress/prf/.cvsignore b/keyexchange/isakmpd-20041012/regress/prf/.cvsignore deleted file mode 100644 index 023b310..0000000 --- a/keyexchange/isakmpd-20041012/regress/prf/.cvsignore +++ /dev/null @@ -1,2 +0,0 @@ -prftest -obj diff --git a/keyexchange/isakmpd-20041012/regress/prf/Makefile b/keyexchange/isakmpd-20041012/regress/prf/Makefile deleted file mode 100644 index 5d9b1fa..0000000 --- a/keyexchange/isakmpd-20041012/regress/prf/Makefile +++ /dev/null @@ -1,16 +0,0 @@ -# $OpenBSD: Makefile,v 1.7 2004/02/25 16:01:29 hshoexer Exp $ -# $EOM: Makefile,v 1.6 2000/03/28 21:22:07 ho Exp $ - -# Test PRF: - -PROG= prftest -SRCS= prf.c hash.c log.c prftest.c conf.c sysdep.c util.c -TOPSRC= ${.CURDIR}/../.. -TOPOBJ!= cd ${TOPSRC}; printf "all:\n\t@pwd\n" |${MAKE} -f- -OS!= awk '/^OS=/ { print $$2 }' ${.CURDIR}/../../Makefile -.PATH: ${TOPSRC} ${TOPSRC}/sysdep/${OS} ${TOPOBJ} -CFLAGS+= -I${TOPSRC} -I${TOPSRC}/sysdep/${OS} -I${TOPOBJ} -Wall -NOMAN= -DEBUG= -g - -.include <bsd.prog.mk> diff --git a/keyexchange/isakmpd-20041012/regress/prf/prftest.c b/keyexchange/isakmpd-20041012/regress/prf/prftest.c deleted file mode 100644 index 15d7578..0000000 --- a/keyexchange/isakmpd-20041012/regress/prf/prftest.c +++ /dev/null @@ -1,116 +0,0 @@ -/* $OpenBSD: prftest.c,v 1.7 2003/06/03 14:39:51 ho Exp $ */ -/* $EOM: prftest.c,v 1.2 1998/10/07 16:40:50 niklas Exp $ */ - -/* - * Copyright (c) 1998 Niels Provos. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/param.h> -#include <stdlib.h> -#include <stdio.h> -#include <string.h> - -#include "hash.h" -#include "prf.h" - -int test_prf (char *, enum hashes, char *, int, char *, int, char *); - -#define nibble2c(x) ((x) >= 10 ? ('a'-10+(x)) : ('0' + (x))) - -/* - * Basically the same as the HMAC regress, but to keep with modularity - * prf seems to be useful. So here we just check the HMAC test cases, - * until there are more PRFs. - */ - -int -main (void) -{ - char key[100]; - - memset (key, 11, 20); - test_prf ("PRF MD5 Test Case 1", HASH_MD5, - key, 16, "Hi There", 8, "9294727a3638bb1c13f48ef8158bfc9d"); - test_prf ("PRF MD5 Test Case 2", HASH_MD5, - "Jefe", 4, - "what do ya want for nothing?", 28, - "750c783e6ab0b503eaa86e310a5db738"); - test_prf ("PRF SHA1 Test Case 1", HASH_SHA1, - key, 20, "Hi There", 8, - "b617318655057264e28bc0b6fb378c8ef146be00"); - test_prf ("PRF SHA1 Test Case 2", HASH_SHA1, - "Jefe", 4, "what do ya want for nothing?", 28, - "effcdf6ae5eb2fa2d27416d5f184df9c259a7c79"); - test_prf ("PRF SHA1 Test Case 3", HASH_SHA1, - "Bloody long key, this one, eben longer than the blocksize " - "of ordinary keyed HMAC functions", 90, - "what do ya want for nothing?", 28, - "52ca5fbcd7d4821bc6bf8b6e95e131109dff901b"); - - return 0; -} - -int -test_prf (char *test, enum hashes hash, char *key, int klen, - char *data, int dlen, char *cmp) -{ - char output[2*HASH_MAX+1]; - char digest[HASH_MAX]; - struct prf *prf; - int i; - - printf ("Testing %s: ", test); - - prf = prf_alloc (PRF_HMAC, hash, key, klen); - if (!prf) - { - printf("prf_alloc () failed\n"); - return 0; - } - - prf->Init (prf->prfctx); - prf->Update (prf->prfctx, data, dlen); - prf->Final (digest, prf->prfctx); - - prf_free (prf); - - for (i = 0; i < prf->blocksize; i++) - { - output[2 * i] = nibble2c ((digest[i] >> 4) & 0xf); - output[2 * i + 1] = nibble2c (digest[i] & 0xf); - } - output[2 * i] = 0; - - if (strcmp (output, cmp) == 0) - { - printf ("OKAY\n"); - return 1; - } - - printf ("%s <-> %s\n", output, cmp); - return 0; -} diff --git a/keyexchange/isakmpd-20041012/regress/rsakeygen/.cvsignore b/keyexchange/isakmpd-20041012/regress/rsakeygen/.cvsignore deleted file mode 100644 index 0ecb82e..0000000 --- a/keyexchange/isakmpd-20041012/regress/rsakeygen/.cvsignore +++ /dev/null @@ -1,4 +0,0 @@ -isakmpd_key -isakmpd_key.pub -rsakeygen -obj diff --git a/keyexchange/isakmpd-20041012/regress/rsakeygen/Makefile b/keyexchange/isakmpd-20041012/regress/rsakeygen/Makefile deleted file mode 100644 index 578a7b5..0000000 --- a/keyexchange/isakmpd-20041012/regress/rsakeygen/Makefile +++ /dev/null @@ -1,83 +0,0 @@ -# $OpenBSD: Makefile,v 1.15 2004/02/25 16:01:29 hshoexer Exp $ -# $EOM: Makefile,v 1.10 2000/03/28 21:23:24 ho Exp $ - -# -# Copyright (c) 1999 Niels Provos. All rights reserved. -# Copyright (c) 1999, 2001 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Ericsson Radio Systems. -# - -# RSA Key Generation - -PROG= rsakeygen -SRCS= libcrypto.c log.c rsakeygen.c sysdep.c util.c conf.c -TOPSRC= ${.CURDIR}/../.. -TOPOBJ!= cd ${TOPSRC}; printf "all:\n\t@pwd\n" |${MAKE} -f- -OS!= awk '/^OS=/ { print $$2 }' ${.CURDIR}/../../Makefile -FEATURES!= awk '/^FEATURES=/ { print $$0 }' ${.CURDIR}/../../Makefile | sed 's/FEATURES=.//' -.PATH: ${TOPSRC} ${TOPSRC}/sysdep/${OS} ${TOPOBJ} -CFLAGS+= -I${TOPSRC} -I${TOPSRC}/sysdep/${OS} -I${TOPOBJ} -Wall \ - -DUSE_DEBUG -NOMAN= -DEBUG= -g - -.if ${FEATURES:Mgmp} == "gmp" -CFLAGS+= -DMP_FLAVOUR=MP_FLAVOUR_GMP -LDADD+= -lgmp -DPADD+= ${LIBGMP} -.else -CFLAGS+= -DMP_FLAVOUR=MP_FLAVOUR_OPENSSL -.endif - -.include "${TOPSRC}/sysdep/${OS}/Makefile.sysdep" - -.ifdef HAVE_DLOPEN -CFLAGS+= -DHAVE_DLOPEN -SRCS+= dyn.c -.endif - -.ifdef USE_LIBCRYPTO -CFLAGS+= -DUSE_LIBCRYPTO -LDADD+= -lcrypto -DPADD+= ${LIBCRYPTO} -.endif - -.if !defined (HAVE_DLOPEN) && !defined (USE_LIBCRYPTO) -.BEGIN: - @echo RSA cannot be used in this environmet, skipping... - -PROG= -.else -# USE_X509 is required for libcrypto.h to include the correct headers, -# but it is not set by ${OS}/Makefile.sysdep - setting it manually here -# should be safe enough. -CFLAGS+= -DUSE_X509 -.endif - -LDADD+= ${DESLIB} -DPADD+= ${DESLIBDEP} - -.include <bsd.prog.mk> diff --git a/keyexchange/isakmpd-20041012/regress/rsakeygen/rsakeygen.c b/keyexchange/isakmpd-20041012/regress/rsakeygen/rsakeygen.c deleted file mode 100644 index 08548a0..0000000 --- a/keyexchange/isakmpd-20041012/regress/rsakeygen/rsakeygen.c +++ /dev/null @@ -1,128 +0,0 @@ -/* $OpenBSD: rsakeygen.c,v 1.19 2004/02/26 15:27:05 hshoexer Exp $ */ -/* $EOM: rsakeygen.c,v 1.10 2000/12/21 15:18:53 ho Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niels Provos. All rights reserved. - * Copyright (c) 1999, 2001 Niklas Hallqvist. All rights reserved. - * Copyright (c) 2001 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/param.h> -#include <ctype.h> -#include <stdlib.h> -#include <stdio.h> -#include <string.h> - -#include "libcrypto.h" -#include "log.h" -#include "math_mp.h" - -#define nibble2bin(y) (tolower (y) < 'a' ? (y) - '0' : tolower (y) - 'a' + 10) -#define hexchar2bin(x) ((nibble2bin ((x)[0]) << 4) + nibble2bin ((x)[1])) -#define nibble2c(x) ((x) >= 10 ? ('a' - 10 + (x)) : ('0' + (x))) - -#define TEST_STRING "!Dies ist ein Test" - -int -main (void) -{ - u_int8_t enc[256], dec[256], *asn, *foo; - int len; - FILE *fd; - int erg = 0; - RSA *key; - - libcrypto_init (); - - log_debug_cmd (LOG_CRYPTO, 99); - memset (dec, '\0', sizeof dec); - strlcpy (dec, TEST_STRING, 256); - - key = RSA_generate_key (1024, RSA_F4, NULL, NULL); - if (key == NULL) - { - printf("Failed to generate key\n"); - return 0; - } - - printf ("n: 0x"); - BN_print_fp (stdout, key->n); - printf ("\ne: 0x"); - BN_print_fp (stdout, key->e); - printf ("\n"); - - printf ("n: 0x"); - BN_print_fp (stdout, key->n); - printf ("\ne: 0x"); - BN_print_fp (stdout, key->e); - printf ("\nd: 0x"); - BN_print_fp (stdout, key->d); - printf ("\np: 0x"); - BN_print_fp (stdout, key->p); - printf ("\nq: 0x"); - BN_print_fp (stdout, key->q); - printf ("\n"); - - printf ("Testing Signing/Verifying: "); - /* Sign with Private Key */ - len = RSA_private_encrypt (strlen (dec) + 1, dec, enc, key, - RSA_PKCS1_PADDING); - if (len == -1) - printf ("SIGN FAILED "); - else - { - /* Decrypt/Verify with Public Key */ - erg = RSA_public_decrypt (len, enc, dec, key, RSA_PKCS1_PADDING); - - if (erg == -1 || strcmp (dec, TEST_STRING)) - printf ("VERIFY FAILED"); - else - printf ("OKAY"); - } - - printf ("\n"); - - len = i2d_RSAPublicKey (key, NULL); - foo = asn = malloc (len); - len = i2d_RSAPublicKey (key, &foo); - fd = fopen ("isakmpd_key.pub", "w"); - fwrite (asn, len, 1, fd); - fclose (fd); - free (asn); - - len = i2d_RSAPrivateKey (key, NULL); - foo = asn = malloc (len); - len = i2d_RSAPrivateKey (key, &foo); - fd = fopen ("isakmpd_key", "w"); - fwrite (asn, len, 1, fd); - fclose (fd); - free (asn); - - RSA_free (key); - - return 1; -} diff --git a/keyexchange/isakmpd-20041012/regress/util/Makefile b/keyexchange/isakmpd-20041012/regress/util/Makefile deleted file mode 100644 index 88c0785..0000000 --- a/keyexchange/isakmpd-20041012/regress/util/Makefile +++ /dev/null @@ -1,15 +0,0 @@ -# $OpenBSD: Makefile,v 1.2 2004/02/25 16:01:29 hshoexer Exp $ - -# Test some utility functions - -PROG= utiltest -SRCS= log.c sysdep.c util.c utiltest.c conf.c -TOPSRC= ${.CURDIR}/../.. -TOPOBJ!= cd ${TOPSRC}; printf "all:\n\t@pwd\n" |${MAKE} -f- -OS!= awk '/^OS=/ { print $$2 }' ${.CURDIR}/../../Makefile -.PATH: ${TOPSRC} ${TOPSRC}/sysdep/${OS} ${TOPOBJ} -CFLAGS+= -I${TOPSRC} -I${TOPSRC}/sysdep/${OS} -I${TOPOBJ} -Wall -NOMAN= -DEBUG= -g - -.include <bsd.prog.mk> diff --git a/keyexchange/isakmpd-20041012/regress/util/utiltest.c b/keyexchange/isakmpd-20041012/regress/util/utiltest.c deleted file mode 100644 index 89d8615..0000000 --- a/keyexchange/isakmpd-20041012/regress/util/utiltest.c +++ /dev/null @@ -1,85 +0,0 @@ -/* $OpenBSD: utiltest.c,v 1.3 2003/06/03 14:39:51 ho Exp $ */ - -/* - * Copyright (c) 2001 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include <sys/types.h> -#include <sys/socket.h> -#include <netinet/in.h> -#include <stdio.h> - -#include "sysdep.h" - -#include "util.h" - -int test_1 (char *, char *, int); - -int -main (int argc, char *argv[]) -{ - test_1 ("10.0.0.1", "10", 0); - test_1 ("10.0.0.1", "isakmp", 0); - test_1 ("10::1", "10", 0); - test_1 ("10::1", "isakmp", 0); - test_1 ("10.0x0.1", "10", -1); - test_1 ("10.0.0.1", "telnet", -1); - test_1 ("10::x:1", "10", -1); - test_1 ("10::1", "telnet", -1); - return 0; -} - -int test_1 (char *address, char *port, int ok) -{ - struct sockaddr *sa; -#ifdef DEBUG - struct sockaddr_in *sai; - struct sockaddr_in6 *sai6; - int i; -#endif - int rv; - - printf ("test_1 (\"%s\", \"%s\") ", address, port); - rv = text2sockaddr (address, port, &sa) == ok; - printf (rv ? "OK" : "FAIL"); - printf ("\n"); - -#ifdef DEBUG - printf ("af %d len %d ", sa->sa_family, sa->sa_len); - if (sa->sa_family == AF_INET) - { - sai = (struct sockaddr_in *)sa; - printf ("addr %08x port %d\n", ntohl (sai->sin_addr.s_addr), - ntohs (sai->sin_port)); - } - else - { - sai6 = (struct sockaddr_in6 *)sa; - printf ("addr "); - for (i = 0; i < sizeof sai6->sin6_addr; i++) - printf ("%02x", sai6->sin6_addr.s6_addr[i]); - printf (" port %d\n", ntohs (sai6->sin6_port)); - } -#endif - return rv; -} diff --git a/keyexchange/isakmpd-20041012/regress/x509/.cvsignore b/keyexchange/isakmpd-20041012/regress/x509/.cvsignore deleted file mode 100644 index 9863c98..0000000 --- a/keyexchange/isakmpd-20041012/regress/x509/.cvsignore +++ /dev/null @@ -1,2 +0,0 @@ -x509test -obj diff --git a/keyexchange/isakmpd-20041012/regress/x509/Makefile b/keyexchange/isakmpd-20041012/regress/x509/Makefile deleted file mode 100644 index 2ce1e95..0000000 --- a/keyexchange/isakmpd-20041012/regress/x509/Makefile +++ /dev/null @@ -1,95 +0,0 @@ -# $OpenBSD: Makefile,v 1.14 2003/06/03 14:39:51 ho Exp $ -# $EOM: Makefile,v 1.16 2000/09/28 12:53:27 niklas Exp $ - -# -# Copyright (c) 1999 Niels Provos. All rights reserved. -# Copyright (c) 1999, 2001 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Ericsson Radio Systems. -# - -# Test X509 - -# Enable this if you have a DNSSEC enabled OpenSSL -#LIBLWRES= /usr/local/lib/liblwres.a - -PROG= x509test -SRCS= x509test.c conf.c log.c libcrypto.c sysdep.c field.c util.c \ - isakmp_fld.c ipsec_fld.c ipsec_num.c isakmp_num.c constants.c \ - cert.c -TOPSRC= ${.CURDIR}/../.. -TOPOBJ!= cd ${TOPSRC}; printf "all:\n\t@pwd\n" |${MAKE} -f- -OS!= awk '/^OS=/ { print $$2 }' ${.CURDIR}/../../Makefile -FEATURES!= awk '/^FEATURES=/ { print $$0 }' ${.CURDIR}/../../Makefile | sed 's/FEATURES=.//' -.PATH: ${TOPSRC} ${TOPSRC}/sysdep/${OS} ${TOPOBJ} -CFLAGS+= -I${TOPSRC} -I${TOPSRC}/sysdep/${OS} -I${TOPOBJ} -Wall \ - -DUSE_X509 -NOMAN= -DEBUG= -g - -.if ${FEATURES:Mgmp} == "gmp" -CFLAGS+= -DMP_FLAVOUR=MP_FLAVOUR_GMP -LDADD+= -lgmp -DPADD+= ${LIBGMP} -.else -CFLAGS+= -DMP_FLAVOUR=MP_FLAVOUR_OPENSSL -.endif - -.include "${TOPSRC}/sysdep/${OS}/Makefile.sysdep" - -.ifdef HAVE_DLOPEN -X509= x509.c -POLICY= policy.c -CFLAGS+= -DHAVE_DLOPEN -SRCS+= dyn.c -.endif - -.ifdef USE_KEYNOTE -USE_LIBCRYPTO= yes -POLICY= policy.c -LDADD+= -lkeynote -lm -DPADD+= ${LIBKEYNOTE} ${LIBM} -CFLAGS+= -DUSE_KEYNOTE -.endif - -.ifdef USE_LIBCRYPTO -X509= x509.c -CFLAGS+= -DUSE_LIBCRYPTO -LDADD+= -lcrypto ${LIBLWRES} -DPADD+= ${LIBCRYPTO} -.endif - -.if !defined (HAVE_DLOPEN) && !defined (USE_LIBCRYPTO) || !defined (USE_KEYNOTE) -.BEGIN: - -PROG= -.endif - -SRCS+= ${X509} ${POLICY} - -LDADD+= ${DESLIB} -DPADD+= ${DESLIBDEP} - -.include <bsd.prog.mk> diff --git a/keyexchange/isakmpd-20041012/regress/x509/x509test.c b/keyexchange/isakmpd-20041012/regress/x509/x509test.c deleted file mode 100644 index 25b8bab..0000000 --- a/keyexchange/isakmpd-20041012/regress/x509/x509test.c +++ /dev/null @@ -1,291 +0,0 @@ -/* $OpenBSD: x509test.c,v 1.22 2003/06/03 14:39:51 ho Exp $ */ -/* $EOM: x509test.c,v 1.9 2000/12/21 15:24:25 ho Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niels Provos. All rights reserved. - * Copyright (c) 1999, 2001 Niklas Hallqvist. All rights reserved. - * Copyright (c) 2001 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -/* - * This program takes a certificate generated by ssleay and a key pair - * from rsakeygen. It reads the IP address from certificate.txt and - * includes this as subject alt name extension into the certifcate. - * The result gets written as new certificate that can be used by - * isakmpd. - */ - -#include <sys/param.h> -#include <sys/types.h> -#include <sys/mman.h> -#include <sys/stat.h> -#include <ctype.h> -#include <fcntl.h> -#include <stdio.h> -#include <stdlib.h> -#include <stdio.h> -#include <string.h> -#include <unistd.h> - -#include <sys/socket.h> -#include <netinet/in.h> -#include <arpa/inet.h> - -#include "conf.h" -#include "ipsec_num.h" -#include "isakmp_fld.h" -#include "libcrypto.h" -#include "log.h" -#include "math_mp.h" -#include "x509.h" - -static int x509_check_subjectaltname (u_char *, u_int, X509 *); - -u_int32_t file_sz; - -#if 0 -/* XXX Currently unused. */ -static u_int8_t * -open_file (char *name) -{ - int fd; - struct stat st; - u_int8_t *addr; - - if (stat (name, &st) == -1) - log_fatal ("stat (\"%s\", &st)", name); - file_sz = st.st_size; - fd = open (name, O_RDONLY); - if (fd == -1) - log_fatal ("open (\"%s\", O_RDONLY)", name); - addr = mmap (0, file_sz, PROT_READ | PROT_WRITE, MAP_FILE | MAP_PRIVATE, - fd, 0); - if (addr == MAP_FAILED) - log_fatal ("mmap (0, %d, PROT_READ | PROT_WRITE, MAP_FILE | MAP_PRIVATE," - "%d, 0)", file_sz, fd); - close (fd); - - return addr; -} -#endif - -/* - * Check that a certificate has a subjectAltName and that it matches our ID. - */ -static int -x509_check_subjectaltname (u_char *id, u_int id_len, X509 *scert) -{ - u_int8_t *altname; - u_int32_t altlen; - int type, idtype, ret; - - type = x509_cert_subjectaltname (scert, &altname, &altlen); - if (!type) - { - log_print ("x509_check_subjectaltname: can't access subjectAltName"); - return 0; - } - - /* - * Now that we have the X509 certicate in native form, get the - * subjectAltName extension and verify that it matches our ID. - */ - - /* XXX Get type of ID. */ - idtype = id[0]; - id += ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; - id_len -= ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; - - ret = 0; - switch (idtype) - { - case IPSEC_ID_IPV4_ADDR: - if (type == X509v3_IP_ADDR) - ret = 1; - break; - case IPSEC_ID_FQDN: - if (type == X509v3_DNS_NAME) - ret = 1; - break; - case IPSEC_ID_USER_FQDN: - if (type == X509v3_RFC_NAME) - ret = 1; - break; - default: - ret = 0; - break; - } - - if (!ret) - { - LOG_DBG ((LOG_CRYPTO, 50, - "x509_check_subjectaltname: " - "our ID type (%d) does not match X509 cert ID type (%d)", - idtype, type)); - return 0; - } - - if (altlen != id_len || memcmp (altname, id, id_len) != 0) - { - LOG_DBG ((LOG_CRYPTO, 50, - "x509_check_subjectaltname: " - "our ID does not match X509 cert ID")); - return 0; - } - - return 1; -} - -int -main (int argc, char *argv[]) -{ - RSA *pub_key, *priv_key; - X509 *cert; - BIO *certfile, *keyfile; - EVP_PKEY *pkey_pub; - u_char ipaddr[6]; - struct in_addr saddr; - char enc[256], dec[256]; - u_int8_t idpayload[8]; - int err, len; - - if (argc < 3 || argc > 4) - { - fprintf (stderr, "usage: x509test private-key certificate ip-address\n"); - exit (1); - } - - /* - * X509_verify will fail, as will all other functions that call - * EVP_get_digest_byname. - */ - - libcrypto_init (); - - printf ("Reading private key %s\n", argv[1]); - keyfile = BIO_new (BIO_s_file ()); - if (BIO_read_filename (keyfile, argv[1]) == -1) - { - perror ("read"); - exit (1); - } -#if SSLEAY_VERSION_NUMBER >= 0x00904100L - priv_key = PEM_read_bio_RSAPrivateKey (keyfile, NULL, NULL, NULL); -#else - priv_key = PEM_read_bio_RSAPrivateKey (keyfile, NULL, NULL); -#endif - BIO_free (keyfile); - if (priv_key == NULL) - { - printf("PEM_read_bio_RSAPrivateKey () failed\n"); - exit (1); - } - - /* Use a certificate created by ssleay. */ - printf ("Reading ssleay created certificate %s\n", argv[2]); - certfile = BIO_new (BIO_s_file ()); - if (BIO_read_filename (certfile, argv[2]) == -1) - { - perror ("read"); - exit (1); - } -#if SSLEAY_VERSION_NUMBER >= 0x00904100L - cert = PEM_read_bio_X509 (certfile, NULL, NULL, NULL); -#else - cert = PEM_read_bio_X509 (certfile, NULL, NULL); -#endif - BIO_free (certfile); - if (cert == NULL) - { - printf("PEM_read_bio_X509 () failed\n"); - exit (1); - } - - pkey_pub = X509_get_pubkey (cert); - /* XXX Violation of the interface? */ - pub_key = pkey_pub->pkey.rsa; - if (pub_key == NULL) - { - exit (1); - } - - printf ("Testing RSA keys: "); - - err = 0; - strlcpy (dec, "Eine kleine Testmeldung", 256); - if ((len = RSA_private_encrypt (strlen (dec), dec, enc, priv_key, - RSA_PKCS1_PADDING)) == -1) - - printf ("SIGN FAILED "); - else - err = RSA_public_decrypt (len, enc, dec, pub_key, RSA_PKCS1_PADDING); - - if (err == -1 || strcmp (dec, "Eine kleine Testmeldung")) - printf ("SIGN/VERIFY FAILED"); - else - printf ("OKAY"); - printf ("\n"); - - - printf ("Validate SIGNED: "); - err = X509_verify (cert, pkey_pub); - printf ("X509 verify: %d ", err); - if (err == -1) - printf ("FAILED "); - else - printf ("OKAY "); - printf ("\n"); - - if (argc == 4) - { - printf ("Verifying extension: "); - if (inet_aton (argv[3], &saddr) == 0) - { - printf ("inet_aton () failed\n"); - exit (1); - } - - saddr.s_addr = htonl (saddr.s_addr); - ipaddr[0] = 0x87; - ipaddr[1] = 0x04; - ipaddr[2] = saddr.s_addr >> 24; - ipaddr[3] = (saddr.s_addr >> 16) & 0xff; - ipaddr[4] = (saddr.s_addr >> 8) & 0xff; - ipaddr[5] = saddr.s_addr & 0xff; - bzero (idpayload, sizeof idpayload); - idpayload[0] = IPSEC_ID_IPV4_ADDR; - bcopy (ipaddr + 2, idpayload + 4, 4); - - if (!x509_check_subjectaltname (idpayload, sizeof idpayload, cert)) - printf("FAILED "); - else - printf("OKAY "); - printf ("\n"); - } - - return 1; -} diff --git a/keyexchange/isakmpd-20041012/sa.c b/keyexchange/isakmpd-20041012/sa.c deleted file mode 100644 index 14c7857..0000000 --- a/keyexchange/isakmpd-20041012/sa.c +++ /dev/null @@ -1,1247 +0,0 @@ -/* $OpenBSD: sa.c,v 1.86 2004/08/10 15:59:10 ho Exp $ */ -/* $EOM: sa.c,v 1.112 2000/12/12 00:22:52 niklas Exp $ */ - -/* - * Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. - * Copyright (c) 1999, 2001 Angelos D. Keromytis. All rights reserved. - * Copyright (c) 2003, 2004 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/types.h> -#include <stdlib.h> -#include <string.h> - -#if defined (USE_KEYNOTE) || defined (USE_POLICY) -#include <regex.h> -#include <keynote.h> -#endif /* USE_KEYNOTE || USE_POLICY */ - -#include "sysdep.h" - -#include "attribute.h" -#include "conf.h" -#include "connection.h" -#include "cookie.h" -#include "doi.h" -#include "exchange.h" -#include "isakmp.h" -#include "log.h" -#include "message.h" -#include "monitor.h" -#include "sa.h" -#include "timer.h" -#include "transport.h" -#include "util.h" -#include "cert.h" -#include "policy.h" -#include "key.h" -#include "ipsec.h" -#include "ipsec_num.h" - -/* Initial number of bits from the cookies used as hash. */ -#define INITIAL_BUCKET_BITS 6 - -/* - * Don't try to use more bits than this as a hash. - * We only XOR 16 bits so going above that means changing the code below - * too. - */ -#define MAX_BUCKET_BITS 16 - -#if 0 -static void sa_resize(void); -#endif -static void sa_soft_expire(void *); -static void sa_hard_expire(void *); - -static LIST_HEAD(sa_list, sa) *sa_tab; - -/* Works both as a maximum index and a mask. */ -static int bucket_mask; - -void -sa_init(void) -{ - int i; - - bucket_mask = (1 << INITIAL_BUCKET_BITS) - 1; - sa_tab = malloc((bucket_mask + 1) * sizeof(struct sa_list)); - if (!sa_tab) - log_fatal("sa_init: malloc (%lu) failed", - (bucket_mask + 1) * (unsigned long)sizeof(struct sa_list)); - for (i = 0; i <= bucket_mask; i++) - LIST_INIT(&sa_tab[i]); -} - -#if 0 -/* XXX We don't yet resize. */ -static void -sa_resize(void) -{ - int new_mask = (bucket_mask + 1) * 2 - 1; - int i; - struct sa_list *new_tab; - - new_tab = realloc(sa_tab, (new_mask + 1) * sizeof(struct sa_list)); - if (!new_tab) - return; - sa_tab = new_tab; - for (i = bucket_mask + 1; i <= new_mask; i++) - LIST_INIT(&sa_tab[i]); - bucket_mask = new_mask; - - /* XXX Rehash existing entries. */ -} -#endif - -/* Lookup an SA with the help from a user-supplied checking function. */ -struct sa * -sa_find(int (*check) (struct sa*, void *), void *arg) -{ - int i; - struct sa *sa; - - for (i = 0; i <= bucket_mask; i++) - for (sa = LIST_FIRST(&sa_tab[i]); sa; sa = LIST_NEXT(sa, link)) - if (check(sa, arg)) { - LOG_DBG((LOG_SA, 90, "sa_find: return SA %p", - sa)); - return sa; - } - LOG_DBG((LOG_SA, 90, "sa_find: no SA matched query")); - return 0; -} - -/* Check if SA is an ISAKMP SA with an initiator cookie equal to ICOOKIE. */ -static int -sa_check_icookie(struct sa *sa, void *icookie) -{ - return sa->phase == 1 && - memcmp(sa->cookies, icookie, ISAKMP_HDR_ICOOKIE_LEN) == 0; -} - -/* Lookup an ISAKMP SA out of just the initiator cookie. */ -struct sa * -sa_lookup_from_icookie(u_int8_t *cookie) -{ - return sa_find(sa_check_icookie, cookie); -} - -struct name_phase_arg { - char *name; - u_int8_t phase; -}; - -/* Check if SA has the name and phase given by V_ARG. */ -static int -sa_check_name_phase(struct sa *sa, void *v_arg) -{ - struct name_phase_arg *arg = v_arg; - - return sa->name && strcasecmp(sa->name, arg->name) == 0 && - sa->phase == arg->phase && !(sa->flags & SA_FLAG_REPLACED); -} - -/* Lookup an SA by name, case-independent, and phase. */ -struct sa * -sa_lookup_by_name(char *name, int phase) -{ - struct name_phase_arg arg; - - arg.name = name; - arg.phase = phase; - return sa_find(sa_check_name_phase, &arg); -} - -struct addr_arg { - struct sockaddr *addr; - socklen_t len; - int phase; - int flags; -}; - -/* - * Check if SA is ready and has a peer with an address equal the one given - * by V_ADDR. Furthermore if we are searching for a specific phase, check - * that too. - */ -static int -sa_check_peer(struct sa *sa, void *v_addr) -{ - struct addr_arg *addr = v_addr; - struct sockaddr *dst; - - if (!sa->transport || (sa->flags & SA_FLAG_READY) == 0 || - (addr->phase && addr->phase != sa->phase)) - return 0; - - sa->transport->vtbl->get_dst(sa->transport, &dst); - return sysdep_sa_len(dst) == addr->len && - memcmp(dst, addr->addr, sysdep_sa_len(dst)) == 0; -} - -struct dst_isakmpspi_arg { - struct sockaddr *dst; - u_int8_t *spi; /* must be ISAKMP_SPI_SIZE octets */ -}; - -/* - * Check if SA matches what we are asking for through V_ARG. It has to - * be a finished phaes 1 (ISAKMP) SA. - */ -static int -isakmp_sa_check(struct sa *sa, void *v_arg) -{ - struct dst_isakmpspi_arg *arg = v_arg; - struct sockaddr *dst, *src; - - if (sa->phase != 1 || !(sa->flags & SA_FLAG_READY)) - return 0; - - /* verify address is either src or dst for this sa */ - sa->transport->vtbl->get_dst(sa->transport, &dst); - sa->transport->vtbl->get_src(sa->transport, &src); - if (memcmp(src, arg->dst, sysdep_sa_len(src)) && - memcmp(dst, arg->dst, sysdep_sa_len(dst))) - return 0; - - /* match icookie+rcookie against spi */ - if (memcmp(sa->cookies, arg->spi, ISAKMP_HDR_COOKIES_LEN) == 0) - return 1; - - return 0; -} - -/* - * Find an ISAKMP SA with a "name" of DST & SPI. - */ -struct sa * -sa_lookup_isakmp_sa(struct sockaddr *dst, u_int8_t *spi) -{ - struct dst_isakmpspi_arg arg; - - arg.dst = dst; - arg.spi = spi; - - return sa_find(isakmp_sa_check, &arg); -} - -/* Lookup a ready SA by the peer's address. */ -struct sa * -sa_lookup_by_peer(struct sockaddr *dst, socklen_t dstlen) -{ - struct addr_arg arg; - - arg.addr = dst; - arg.len = dstlen; - arg.phase = 0; - - return sa_find(sa_check_peer, &arg); -} - -/* Lookup a ready ISAKMP SA given its peer address. */ -struct sa * -sa_isakmp_lookup_by_peer(struct sockaddr *dst, socklen_t dstlen) -{ - struct addr_arg arg; - - arg.addr = dst; - arg.len = dstlen; - arg.phase = 1; - - return sa_find(sa_check_peer, &arg); -} - -int -sa_enter(struct sa *sa) -{ - u_int16_t bucket = 0; - int i; - u_int8_t *cp; - - /* XXX We might resize if we are crossing a certain threshold */ - - for (i = 0; i < ISAKMP_HDR_COOKIES_LEN; i += 2) { - cp = sa->cookies + i; - /* Doing it this way avoids alignment problems. */ - bucket ^= cp[0] | cp[1] << 8; - } - for (i = 0; i < ISAKMP_HDR_MESSAGE_ID_LEN; i += 2) { - cp = sa->message_id + i; - /* Doing it this way avoids alignment problems. */ - bucket ^= cp[0] | cp[1] << 8; - } - bucket &= bucket_mask; - LIST_INSERT_HEAD(&sa_tab[bucket], sa, link); - sa_reference(sa); - LOG_DBG((LOG_SA, 70, "sa_enter: SA %p added to SA list", sa)); - return 1; -} - -/* - * Lookup the SA given by the header fields MSG. PHASE2 is false when - * looking for phase 1 SAa and true otherwise. - */ -struct sa * -sa_lookup_by_header(u_int8_t *msg, int phase2) -{ - return sa_lookup(msg + ISAKMP_HDR_COOKIES_OFF, - phase2 ? msg + ISAKMP_HDR_MESSAGE_ID_OFF : 0); -} - -/* - * Lookup the SA given by the COOKIES and possibly the MESSAGE_ID unless - * a null pointer, meaning we are looking for phase 1 SAs. - */ -struct sa * -sa_lookup(u_int8_t *cookies, u_int8_t *message_id) -{ - u_int16_t bucket = 0; - int i; - struct sa *sa; - u_int8_t *cp; - - /* - * We use the cookies to get bits to use as an index into sa_tab, as at - * least one (our cookie) is a good hash, xoring all the bits, 16 at a - * time, and then masking, should do. Doing it this way means we can - * validate cookies very fast thus delimiting the effects of "Denial of - * service"-attacks using packet flooding. - */ - for (i = 0; i < ISAKMP_HDR_COOKIES_LEN; i += 2) { - cp = cookies + i; - /* Doing it this way avoids alignment problems. */ - bucket ^= cp[0] | cp[1] << 8; - } - if (message_id) - for (i = 0; i < ISAKMP_HDR_MESSAGE_ID_LEN; i += 2) { - cp = message_id + i; - /* Doing it this way avoids alignment problems. */ - bucket ^= cp[0] | cp[1] << 8; - } - bucket &= bucket_mask; - for (sa = LIST_FIRST(&sa_tab[bucket]); - sa && (memcmp(cookies, sa->cookies, ISAKMP_HDR_COOKIES_LEN) != 0 - || (message_id && memcmp(message_id, sa->message_id, - ISAKMP_HDR_MESSAGE_ID_LEN) != 0) - || (!message_id && !zero_test(sa->message_id, - ISAKMP_HDR_MESSAGE_ID_LEN))); - sa = LIST_NEXT(sa, link)) - ; - - return sa; -} - -/* Create an SA. */ -int -sa_create(struct exchange *exchange, struct transport *t) -{ - struct sa *sa; - - /* - * We want the SA zeroed for sa_free to be able to find out what fields - * have been filled-in. - */ - sa = calloc(1, sizeof *sa); - if (!sa) { - log_error("sa_create: calloc (1, %lu) failed", - (unsigned long)sizeof *sa); - return -1; - } - sa->transport = t; - if (t) - transport_reference(t); - sa->phase = exchange->phase; - memcpy(sa->cookies, exchange->cookies, ISAKMP_HDR_COOKIES_LEN); - memcpy(sa->message_id, exchange->message_id, - ISAKMP_HDR_MESSAGE_ID_LEN); - sa->doi = exchange->doi; - sa->policy_id = -1; - - if (sa->doi->sa_size) { - /* - * Allocate the DOI-specific structure and initialize it to - * zeroes. - */ - sa->data = calloc(1, sa->doi->sa_size); - if (!sa->data) { - log_error("sa_create: calloc (1, %lu) failed", - (unsigned long)sa->doi->sa_size); - free(sa); - return -1; - } - } - TAILQ_INIT(&sa->protos); - - sa_enter(sa); - TAILQ_INSERT_TAIL(&exchange->sa_list, sa, next); - sa_reference(sa); - - LOG_DBG((LOG_SA, 60, - "sa_create: sa %p phase %d added to exchange %p (%s)", sa, - sa->phase, exchange, - exchange->name ? exchange->name : "<unnamed>")); - return 0; -} - -/* - * Dump the internal state of SA to the report channel, with HEADER - * prepended to each line. - */ -void -sa_dump(int cls, int level, char *header, struct sa *sa) -{ - struct proto *proto; - char spi_header[80]; - int i; - - LOG_DBG((cls, level, "%s: %p %s phase %d doi %d flags 0x%x", header, - sa, sa->name ? sa->name : "<unnamed>", sa->phase, sa->doi->id, - sa->flags)); - LOG_DBG((cls, level, "%s: icookie %08x%08x rcookie %08x%08x", header, - decode_32(sa->cookies), decode_32(sa->cookies + 4), - decode_32(sa->cookies + 8), decode_32(sa->cookies + 12))); - LOG_DBG((cls, level, "%s: msgid %08x refcnt %d", header, - decode_32(sa->message_id), sa->refcnt)); - LOG_DBG((cls, level, "%s: life secs %llu kb %llu", header, sa->seconds, - sa->kilobytes)); - for (proto = TAILQ_FIRST(&sa->protos); proto; - proto = TAILQ_NEXT(proto, link)) { - LOG_DBG((cls, level, "%s: suite %d proto %d", header, - proto->no, proto->proto)); - LOG_DBG((cls, level, - "%s: spi_sz[0] %d spi[0] %p spi_sz[1] %d spi[1] %p", - header, proto->spi_sz[0], proto->spi[0], proto->spi_sz[1], - proto->spi[1])); - LOG_DBG((cls, level, "%s: %s, %s", header, - !sa->doi ? "<nodoi>" : - sa->doi->decode_ids("initiator id: %s, responder id: %s", - sa->id_i, sa->id_i_len, - sa->id_r, sa->id_r_len, 0), - !sa->transport ? "<no transport>" : - sa->transport->vtbl->decode_ids(sa->transport))); - for (i = 0; i < 2; i++) - if (proto->spi[i]) { - snprintf(spi_header, sizeof spi_header, - "%s: spi[%d]", header, i); - LOG_DBG_BUF((cls, level, spi_header, - proto->spi[i], proto->spi_sz[i])); - } - } -} - -/* - * Display the SA's two SPI values. - */ -static void -report_spi(FILE *fd, const u_int8_t *buf, size_t sz, int spi) -{ -#define SBUFSZ (2 * 32 + 9) - char s[SBUFSZ]; - size_t i, j; - - for (i = j = 0; i < sz;) { - snprintf(s + j, sizeof s - j, "%02x", buf[i++]); - j += 2; - if (i % 4 == 0) { - if (i % 32 == 0) { - s[j] = '\0'; - fprintf(fd, "%s", s); - j = 0; - } else - s[j++] = ' '; - } - } - - if (j) { - s[j] = '\0'; - fprintf(fd, "SPI %d: %s\n", spi, s); - } -} - -/* - * Display the transform names to file. - * Structure is taken from pf_key_v2.c, pf_key_v2_set_spi. - * Transform names are taken from /usr/src/sys/crypto/xform.c. - */ -static void -report_proto(FILE *fd, struct proto *proto) -{ - struct ipsec_proto *iproto = proto->data; - int keylen, hashlen; - - switch (proto->proto) { - case IPSEC_PROTO_IPSEC_ESP: - keylen = ipsec_esp_enckeylength(proto); - hashlen = ipsec_esp_authkeylength(proto); - fprintf(fd, "Transform: IPsec ESP\n"); - fprintf(fd, "Encryption key length: %d\n", keylen); - fprintf(fd, "Authentication key length: %d\n", hashlen); - - fprintf(fd, "Encryption algorithm: "); - switch (proto->id) { - case IPSEC_ESP_DES: - case IPSEC_ESP_DES_IV32: - case IPSEC_ESP_DES_IV64: - fprintf(fd, "DES\n"); - break; - - case IPSEC_ESP_3DES: - fprintf(fd, "3DES\n"); - break; - - case IPSEC_ESP_AES: - fprintf(fd, "AES-128 (CBC)\n"); - break; - - case IPSEC_ESP_AES_128_CTR: - fprintf(fd, "AES-128 (CTR)\n"); - break; - - case IPSEC_ESP_CAST: - fprintf(fd, "Cast-128\n"); - break; - - case IPSEC_ESP_BLOWFISH: - fprintf(fd, "Blowfish\n"); - break; - - default: - fprintf(fd, "unknown (%d)\n", proto->id); - } - - fprintf(fd, "Authentication algorithm: "); - switch (iproto->auth) { - case IPSEC_AUTH_HMAC_MD5: - fprintf(fd, "HMAC-MD5\n"); - break; - - case IPSEC_AUTH_HMAC_SHA: - fprintf(fd, "HMAC-SHA1\n"); - break; - - case IPSEC_AUTH_HMAC_RIPEMD: - fprintf(fd, "HMAC-RIPEMD-160\n"); - break; - - case IPSEC_AUTH_HMAC_SHA2_256: - fprintf(fd, "HMAC-SHA2-256\n"); - break; - - case IPSEC_AUTH_HMAC_SHA2_384: - fprintf(fd, "HMAC-SHA2-384\n"); - break; - - case IPSEC_AUTH_HMAC_SHA2_512: - fprintf(fd, "HMAC-SHA2-512\n"); - break; - - case IPSEC_AUTH_DES_MAC: - case IPSEC_AUTH_KPDK: - /* XXX We should be supporting KPDK */ - fprintf(fd, "unknown (%d)", iproto->auth); - break; - - default: - fprintf(fd, "none\n"); - } - break; - - case IPSEC_PROTO_IPSEC_AH: - hashlen = ipsec_ah_keylength(proto); - fprintf(fd, "Transform: IPsec AH\n"); - fprintf(fd, "Encryption not used.\n"); - fprintf(fd, "Authentication key length: %d\n", hashlen); - - fprintf(fd, "Authentication algorithm: "); - switch (proto->id) { - case IPSEC_AH_MD5: - fprintf(fd, "HMAC-MD5\n"); - break; - - case IPSEC_AH_SHA: - fprintf(fd, "HMAC-SHA1\n"); - break; - - case IPSEC_AH_RIPEMD: - fprintf(fd, "HMAC-RIPEMD-160\n"); - break; - - case IPSEC_AH_SHA2_256: - fprintf(fd, "HMAC-SHA2-256\n"); - break; - - case IPSEC_AH_SHA2_384: - fprintf(fd, "HMAC-SHA2-384\n"); - break; - - case IPSEC_AH_SHA2_512: - fprintf(fd, "HMAC-SHA2-512\n"); - break; - - default: - fprintf(fd, "unknown (%d)", proto->id); - } - break; - - default: - fprintf(fd, "report_proto: invalid proto %d\n", proto->proto); - } -} - -/* Report all the SAs to the report channel. */ -void -sa_report(void) -{ - struct sa *sa; - int i; - - for (i = 0; i <= bucket_mask; i++) - for (sa = LIST_FIRST(&sa_tab[i]); sa; sa = LIST_NEXT(sa, link)) - sa_dump(LOG_REPORT, 0, "sa_report", sa); -} - - -/* - * Print an SA's connection details to file SA_FILE. - */ -static void -sa_dump_all(FILE *fd, struct sa *sa) -{ - struct proto *proto; - int i; - - /* SA name and phase. */ - fprintf(fd, "SA name: %s", sa->name ? sa->name : "<unnamed>"); - fprintf(fd, " (Phase %d)\n", sa->phase); - - /* Source and destination IPs. */ - fprintf(fd, sa->transport == NULL ? "<no transport>" : - sa->transport->vtbl->decode_ids(sa->transport)); - fprintf(fd, "\n"); - - /* Transform information. */ - for (proto = TAILQ_FIRST(&sa->protos); proto; - proto = TAILQ_NEXT(proto, link)) { - /* SPI values. */ - for (i = 0; i < 2; i++) - if (proto->spi[i]) - report_spi(fd, proto->spi[i], proto->spi_sz[i], - i); - else - fprintf(fd, "SPI %d not defined.", i); - - /* Proto values. */ - report_proto(fd, proto); - - /* SA separator. */ - fprintf(fd, "\n"); - } -} - -/* Report info of all SAs to file 'fd'. */ -void -sa_report_all(FILE *fd) -{ - struct sa *sa; - int i; - - for (i = 0; i <= bucket_mask; i++) - for (sa = LIST_FIRST(&sa_tab[i]); sa; sa = LIST_NEXT(sa, link)) - if (sa->phase == 1) - fprintf(fd, "SA name: none (phase 1)\n\n"); - else - sa_dump_all(fd, sa); -} - -/* Free the protocol structure pointed to by PROTO. */ -void -proto_free(struct proto *proto) -{ - struct proto_attr *pa; - struct sa *sa = proto->sa; - int i; - - for (i = 0; i < 2; i++) - if (proto->spi[i]) { - if (sa->doi->delete_spi) - sa->doi->delete_spi(sa, proto, i); - free(proto->spi[i]); - } - TAILQ_REMOVE(&sa->protos, proto, link); - if (proto->data) { - if (sa->doi && sa->doi->free_proto_data) - sa->doi->free_proto_data(proto->data); - free(proto->data); - } - if (proto->xf_cnt) - while ((pa = TAILQ_FIRST(&proto->xfs)) != NULL) { - if (pa->attrs) - free(pa->attrs); - TAILQ_REMOVE(&proto->xfs, pa, next); - free(pa); - } - - LOG_DBG((LOG_SA, 90, "proto_free: freeing %p", proto)); - free(proto); -} - -/* Release all resources this SA is using. */ -void -sa_free(struct sa *sa) -{ - if (sa->death) { - timer_remove_event(sa->death); - sa->death = 0; - sa->refcnt--; - } - if (sa->soft_death) { - timer_remove_event(sa->soft_death); - sa->soft_death = 0; - sa->refcnt--; - } - sa_remove(sa); -} - -/* Remove the SA from the hash table of live SAs. */ -void -sa_remove(struct sa *sa) -{ - LIST_REMOVE(sa, link); - LOG_DBG((LOG_SA, 70, "sa_remove: SA %p removed from SA list", sa)); - sa_release(sa); -} - -/* Raise the reference count of SA. */ -void -sa_reference(struct sa *sa) -{ - sa->refcnt++; - LOG_DBG((LOG_SA, 80, "sa_reference: SA %p now has %d references", - sa, sa->refcnt)); -} - -/* Release a reference to SA. */ -void -sa_release(struct sa *sa) -{ - struct cert_handler *handler; - struct proto *proto; - - LOG_DBG((LOG_SA, 80, "sa_release: SA %p had %d references", - sa, sa->refcnt)); - - if (--sa->refcnt) - return; - - LOG_DBG((LOG_SA, 60, "sa_release: freeing SA %p", sa)); - - while ((proto = TAILQ_FIRST(&sa->protos)) != 0) - proto_free(proto); - if (sa->data) { - if (sa->doi && sa->doi->free_sa_data) - sa->doi->free_sa_data(sa->data); - free(sa->data); - } - if (sa->id_i) - free(sa->id_i); - if (sa->id_r) - free(sa->id_r); - if (sa->recv_cert) { - handler = cert_get(sa->recv_certtype); - if (handler) - handler->cert_free(sa->recv_cert); - } - if (sa->sent_cert) { - handler = cert_get(sa->sent_certtype); - if (handler) - handler->cert_free(sa->sent_cert); - } - if (sa->recv_key) - key_free(sa->recv_keytype, ISAKMP_KEYTYPE_PUBLIC, - sa->recv_key); - if (sa->keynote_key) - free(sa->keynote_key); /* This is just a string */ -#if defined (USE_POLICY) || defined (USE_KEYNOTE) - if (sa->policy_id != -1) - kn_close(sa->policy_id); -#endif - if (sa->name) - free(sa->name); - if (sa->keystate) - free(sa->keystate); -#if defined (USE_NAT_TRAVERSAL) - if (sa->nat_t_keepalive) - timer_remove_event(sa->nat_t_keepalive); -#endif -#if defined (USE_DPD) - if (sa->dpd_event) - timer_remove_event(sa->dpd_event); -#endif - if (sa->transport) - transport_release(sa->transport); - free(sa); -} - -/* - * Rehash the ISAKMP SA this MSG is negotiating with the responder cookie - * filled in. - */ -void -sa_isakmp_upgrade(struct message *msg) -{ - struct sa *sa = TAILQ_FIRST(&msg->exchange->sa_list); - - sa_remove(sa); - GET_ISAKMP_HDR_RCOOKIE(msg->iov[0].iov_base, - sa->cookies + ISAKMP_HDR_ICOOKIE_LEN); - - /* - * We don't install a transport in the initiator case as we don't know - * what local address will be chosen. Do it now instead. - */ - sa->transport = msg->transport; - transport_reference(sa->transport); - sa_enter(sa); -} - -#define ATTRS_SIZE (IKE_ATTR_BLOCK_SIZE + 1) /* XXX Should be dynamic. */ - -struct attr_validation_state { - u_int8_t *attrp[ATTRS_SIZE]; - u_int8_t checked[ATTRS_SIZE]; - int phase; /* IKE (1) or IPSEC (2) attrs? */ - int mode; /* 0 = 'load', 1 = check */ -}; - -/* Validate an attribute. Return 0 on match. */ -static int -sa_validate_xf_attrs(u_int16_t type, u_int8_t *value, u_int16_t len, - void *arg) -{ - struct attr_validation_state *avs = - (struct attr_validation_state *)arg; - - LOG_DBG((LOG_SA, 95, "sa_validate_xf_attrs: phase %d mode %d type %d " - "len %d", avs->phase, avs->mode, type, len)); - - /* Make sure the phase and type are valid. */ - if (avs->phase == 1) { - if (type < IKE_ATTR_ENCRYPTION_ALGORITHM || - type > IKE_ATTR_BLOCK_SIZE) - return 1; - } else if (avs->phase == 2) { - if (type < IPSEC_ATTR_SA_LIFE_TYPE || - type > IPSEC_ATTR_ECN_TUNNEL) - return 1; - } else - return 1; - - if (avs->mode == 0) { /* Load attrs. */ - avs->attrp[type] = value; - return 0; - } - /* Checking for a missing attribute is an immediate failure. */ - if (!avs->attrp[type]) - return 1; - - /* Match the loaded attribute against this one, mark it as checked. */ - avs->checked[type]++; - return memcmp(avs->attrp[type], value, len); -} - -/* - * This function is used to validate the returned proposal (protection suite) - * we get from the responder against a proposal we sent. Only run as initiator. - * We return 0 if a match is found (in any transform of this proposal), 1 - * otherwise. Also see note in sa_add_transform() below. - */ -static int -sa_validate_proto_xf(struct proto *match, struct payload *xf, int phase) -{ - struct attr_validation_state *avs; - struct proto_attr *pa; - int found = 0; - size_t i; - u_int8_t xf_id; - - if (!match->xf_cnt) - return 0; - - if (match->proto != GET_ISAKMP_PROP_PROTO(xf->context->p)) { - LOG_DBG((LOG_SA, 70, "sa_validate_proto_xf: proto %p (#%d) " - "protocol mismatch", match, match->no)); - return 1; - } - avs = (struct attr_validation_state *)calloc(1, sizeof *avs); - if (!avs) { - log_error("sa_validate_proto_xf: calloc (1, %lu)", - (unsigned long)sizeof *avs); - return 1; - } - avs->phase = phase; - - /* Load the "proposal candidate" attribute set. */ - (void) attribute_map(xf->p + ISAKMP_TRANSFORM_SA_ATTRS_OFF, - GET_ISAKMP_GEN_LENGTH(xf->p) - ISAKMP_TRANSFORM_SA_ATTRS_OFF, - sa_validate_xf_attrs, avs); - xf_id = GET_ISAKMP_TRANSFORM_ID(xf->p); - - /* Check against the transforms we suggested. */ - avs->mode++; - for (pa = TAILQ_FIRST(&match->xfs); pa && !found; - pa = TAILQ_NEXT(pa, next)) { - if (xf_id != GET_ISAKMP_TRANSFORM_ID(pa->attrs)) - continue; - - memset(avs->checked, 0, sizeof avs->checked); - if (attribute_map(pa->attrs + ISAKMP_TRANSFORM_SA_ATTRS_OFF, - pa->len - ISAKMP_TRANSFORM_SA_ATTRS_OFF, - sa_validate_xf_attrs, avs) == 0) - found++; - - LOG_DBG((LOG_SA, 80, "sa_validate_proto_xf: attr_map " - "xf %p proto %p pa %p found %d", xf, match, pa, found)); - - if (!found) - continue; - - /* - * Require all attributes present and checked. XXX perhaps - * not? - */ - for (i = 0; i < sizeof avs->checked; i++) - if (avs->attrp[i] && !avs->checked[i]) - found = 0; - - LOG_DBG((LOG_SA, 80, "sa_validate_proto_xf: req_attr " - "xf %p proto %p pa %p found %d", xf, match, pa, found)); - } - free(avs); - return found ? 0 : 1; -} - -/* - * Register the chosen transform XF into SA. As a side effect set PROTOP - * to point at the corresponding proto structure. INITIATOR is true if we - * are the initiator. - */ -int -sa_add_transform(struct sa *sa, struct payload *xf, int initiator, - struct proto **protop) -{ - struct proto *proto; - struct payload *prop = xf->context; - - *protop = 0; - if (!initiator) { - proto = calloc(1, sizeof *proto); - if (!proto) - log_error("sa_add_transform: calloc (1, %lu) failed", - (unsigned long)sizeof *proto); - } else { - /* - * RFC 2408, section 4.2 states the responder SHOULD use the - * proposal number from the initiator (i.e us), in it's - * selected proposal to make this lookup easier. Most vendors - * follow this. One noted exception is the CiscoPIX (and - * perhaps other Cisco products). - * - * We start by matching on the proposal number, as before. - */ - for (proto = TAILQ_FIRST(&sa->protos); - proto && proto->no != GET_ISAKMP_PROP_NO(prop->p); - proto = TAILQ_NEXT(proto, link)) - ; - /* - * If we did not find a match, search through all proposals - * and xforms. - */ - if (!proto || sa_validate_proto_xf(proto, xf, sa->phase) != 0) - for (proto = TAILQ_FIRST(&sa->protos); - proto && sa_validate_proto_xf(proto, xf, - sa->phase) != 0; - proto = TAILQ_NEXT(proto, link)) - ; - } - if (!proto) - return -1; - *protop = proto; - - /* Allocate DOI-specific part. */ - if (!initiator) { - proto->data = calloc(1, sa->doi->proto_size); - if (!proto->data) { - log_error("sa_add_transform: calloc (1, %lu) failed", - (unsigned long)sa->doi->proto_size); - goto cleanup; - } - } - proto->no = GET_ISAKMP_PROP_NO(prop->p); - proto->proto = GET_ISAKMP_PROP_PROTO(prop->p); - proto->spi_sz[0] = GET_ISAKMP_PROP_SPI_SZ(prop->p); - if (proto->spi_sz[0]) { - proto->spi[0] = malloc(proto->spi_sz[0]); - if (!proto->spi[0]) - goto cleanup; - memcpy(proto->spi[0], prop->p + ISAKMP_PROP_SPI_OFF, - proto->spi_sz[0]); - } - proto->chosen = xf; - proto->sa = sa; - proto->id = GET_ISAKMP_TRANSFORM_ID(xf->p); - if (!initiator) - TAILQ_INSERT_TAIL(&sa->protos, proto, link); - - /* Let the DOI get at proto for initializing its own data. */ - if (sa->doi->proto_init) - sa->doi->proto_init(proto, 0); - - LOG_DBG((LOG_SA, 80, - "sa_add_transform: " - "proto %p no %d proto %d chosen %p sa %p id %d", - proto, proto->no, proto->proto, proto->chosen, proto->sa, - proto->id)); - - return 0; - -cleanup: - if (!initiator) { - if (proto->data) - free(proto->data); - free(proto); - } - *protop = 0; - return -1; -} - -/* Delete an SA. Tell the peer if NOTIFY is set. */ -void -sa_delete(struct sa *sa, int notify) -{ - /* Don't bother notifying of Phase 1 SA deletes. */ - if (sa->phase != 1 && notify) - message_send_delete(sa); - sa_free(sa); -} - - -/* Teardown all SAs. */ -void -sa_teardown_all(void) -{ - int i; - struct sa *sa, *next = 0; - - LOG_DBG((LOG_SA, 70, "sa_teardown_all:")); - /* Get Phase 2 SAs. */ - for (i = 0; i <= bucket_mask; i++) - for (sa = LIST_FIRST(&sa_tab[i]); sa; sa = next) { - next = LIST_NEXT(sa, link); - if (sa->phase == 2) { - /* - * Teardown the phase 2 SAs by name, similar - * to ui_teardown. - */ - LOG_DBG((LOG_SA, 70, - "sa_teardown_all: tearing down SA %s", - sa->name)); - connection_teardown(sa->name); - sa_delete(sa, 1); - } - } -} - -/* - * This function will get called when we are closing in on the death time of SA - */ -static void -sa_soft_expire(void *v_sa) -{ - struct sa *sa = v_sa; - - sa->soft_death = 0; - sa_release(sa); - - if ((sa->flags & (SA_FLAG_STAYALIVE | SA_FLAG_REPLACED)) == - SA_FLAG_STAYALIVE) - exchange_establish(sa->name, 0, 0); - else - /* - * Start to watch the use of this SA, so a renegotiation can - * happen as soon as it is shown to be alive. - */ - sa->flags |= SA_FLAG_FADING; -} - -/* SA has passed its best before date. */ -static void -sa_hard_expire(void *v_sa) -{ - struct sa *sa = v_sa; - - sa->death = 0; - sa_release(sa); - - if ((sa->flags & (SA_FLAG_STAYALIVE | SA_FLAG_REPLACED)) == - SA_FLAG_STAYALIVE) - exchange_establish(sa->name, 0, 0); - - sa_delete(sa, 1); -} - -void -sa_reinit(void) -{ - struct sa *sa; - char *tag; - int i; - - /* For now; only do this if we have the proper tag configured. */ - tag = conf_get_str("General", "Renegotiate-on-HUP"); - if (!tag) - return; - - LOG_DBG((LOG_SA, 30, "sa_reinit: renegotiating active connections")); - - /* - * Get phase 2 SAs. Soft expire those without active exchanges. Do - * not touch a phase 2 SA where the soft expiration is not set, ie. - * the SA is not yet established. - */ - for (i = 0; i <= bucket_mask; i++) - for (sa = LIST_FIRST(&sa_tab[i]); sa; sa = LIST_NEXT(sa, link)) - if (sa->phase == 2) - if (exchange_lookup_by_name(sa->name, - sa->phase) == 0 && sa->soft_death) { - timer_remove_event(sa->soft_death); - sa_soft_expire(sa); - } -} - -/* - * Get an SA attribute's flag value out of textual description. - */ -int -sa_flag(char *attr) -{ - static struct sa_flag_map { - char *name; - int flag; - } sa_flag_map[] = { - { - "active-only", SA_FLAG_ACTIVE_ONLY - }, - - /* - * Below this point are flags that are internal to the - * implementation. - */ - { - "__ondemand", SA_FLAG_ONDEMAND - }, - { - "ikecfg", SA_FLAG_IKECFG - }, - }; - size_t i; - - for (i = 0; i < sizeof sa_flag_map / sizeof sa_flag_map[0]; i++) - if (strcasecmp(attr, sa_flag_map[i].name) == 0) - return sa_flag_map[i].flag; - log_print("sa_flag: attribute \"%s\" unknown", attr); - return 0; -} - -/* Mark SA as replaced. */ -void -sa_mark_replaced(struct sa *sa) -{ - LOG_DBG((LOG_SA, 60, "sa_mark_replaced: SA %p (%s) marked as replaced", - sa, sa->name ? sa->name : "unnamed")); - sa->flags |= SA_FLAG_REPLACED; -} - -/* - * Setup expiration timers for SA. This is used for ISAKMP SAs, but also - * possible to use for application SAs if the application does not deal - * with expirations itself. An example is the Linux FreeS/WAN KLIPS IPsec - * stack. - */ -int -sa_setup_expirations(struct sa *sa) -{ - struct timeval expiration; - u_int64_t seconds = sa->seconds; - - /* - * Set the soft timeout to a random percentage between 85 & 95 of - * the negotiated lifetime to break strictly synchronized - * renegotiations. This works better when the randomization is on the - * order of processing plus network-roundtrip times, or larger. - * I.e. it depends on configuration and negotiated lifetimes. - * It is not good to do the decrease on the hard timeout, because then - * we may drop our SA before our peer. - * XXX Better scheme to come? - */ - if (!sa->soft_death) { - gettimeofday(&expiration, 0); - /* - * XXX This should probably be configuration controlled - * somehow. - */ - seconds = sa->seconds * (850 + sysdep_random() % 100) / 1000; - LOG_DBG((LOG_TIMER, 95, - "sa_setup_expirations: SA %p soft timeout in %llu seconds", - sa, seconds)); - expiration.tv_sec += seconds; - sa->soft_death = timer_add_event("sa_soft_expire", - sa_soft_expire, sa, &expiration); - if (!sa->soft_death) { - /* If we don't give up we might start leaking... */ - sa_delete(sa, 1); - return -1; - } - sa_reference(sa); - } - if (!sa->death) { - gettimeofday(&expiration, 0); - LOG_DBG((LOG_TIMER, 95, - "sa_setup_expirations: SA %p hard timeout in %llu seconds", - sa, sa->seconds)); - expiration.tv_sec += sa->seconds; - sa->death = timer_add_event("sa_hard_expire", sa_hard_expire, - sa, &expiration); - if (!sa->death) { - /* If we don't give up we might start leaking... */ - sa_delete(sa, 1); - return -1; - } - sa_reference(sa); - } - return 0; -} diff --git a/keyexchange/isakmpd-20041012/sa.h b/keyexchange/isakmpd-20041012/sa.h deleted file mode 100644 index 4f6100f..0000000 --- a/keyexchange/isakmpd-20041012/sa.h +++ /dev/null @@ -1,318 +0,0 @@ -/* $OpenBSD: sa.h,v 1.41 2004/08/10 15:59:10 ho Exp $ */ -/* $EOM: sa.h,v 1.58 2000/10/10 12:39:01 provos Exp $ */ - -/* - * Copyright (c) 1998, 1999, 2001 Niklas Hallqvist. All rights reserved. - * Copyright (c) 1999, 2001 Angelos D. Keromytis. All rights reserved. - * Copyright (c) 2004 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _SA_H_ -#define _SA_H_ - -#include <sys/param.h> -#include <sys/types.h> -#include <sys/queue.h> -#include <sys/socket.h> - -#include "isakmp.h" - -/* Remove a SA if it has not been fully negotiated in this time. */ -#define SA_NEGOTIATION_MAX_TIME 120 - -struct crypto_xf; -struct doi; -struct event; -struct exchange; -struct keystate; -struct message; -struct payload; -struct proto_attr; -struct sa; -struct transport; - -/* A protection suite consists of a set of protocol descriptions like this. */ -struct proto { - /* Link to the next protocol in the suite. */ - TAILQ_ENTRY(proto) link; - - /* The SA we belong to. */ - struct sa *sa; - - /* The protocol number as found in the proposal payload. */ - u_int8_t no; - - /* The protocol this SA is for. */ - u_int8_t proto; - - /* - * Security parameter index info. Element 0 - outgoing, 1 - - * incoming. - */ - u_int8_t spi_sz[2]; - u_int8_t *spi[2]; - - /* - * The chosen transform, only valid while the incoming SA payload that - * held it is available for duplicate testing. - */ - struct payload *chosen; - - /* The chosen transform's ID. */ - u_int8_t id; - - /* DOI-specific data. */ - void *data; - - /* Proposal transforms data, for validating the responders selection. */ - TAILQ_HEAD(proto_attr_head, proto_attr) xfs; - size_t xf_cnt; -}; - -struct proto_attr { - /* Link to next transform. */ - TAILQ_ENTRY(proto_attr) next; - - /* Transform attribute data and size, suitable for attribute_map(). */ - u_int8_t *attrs; - size_t len; -}; - -struct sa { - /* Link to SAs with the same hash value. */ - LIST_ENTRY(sa) link; - - /* - * When several SA's are being negotiated in one message we connect - * them through this link. - */ - TAILQ_ENTRY(sa) next; - - /* - * A name of the major policy deciding offers and acceptable - * proposals. - */ - char *name; - - /* The transport this SA got negotiated over. */ - struct transport *transport; - - /* Both initiator and responder cookies. */ - u_int8_t cookies[ISAKMP_HDR_COOKIES_LEN]; - - /* The message ID signifying non-ISAKMP SAs. */ - u_int8_t message_id[ISAKMP_HDR_MESSAGE_ID_LEN]; - - /* The protection suite chosen. */ - TAILQ_HEAD(proto_head, proto) protos; - - /* The exchange type we should use when rekeying. */ - u_int8_t exch_type; - - /* Phase is 1 for ISAKMP SAs, and 2 for application ones. */ - u_int8_t phase; - - /* A reference counter for this structure. */ - u_int16_t refcnt; - - /* Various flags, look below for descriptions. */ - u_int32_t flags; - - /* The DOI that is to handle DOI-specific issues for this SA. */ - struct doi *doi; - - /* - * Crypto info needed to encrypt/decrypt packets protected by this - * SA. - */ - struct crypto_xf *crypto; - int key_length; - struct keystate *keystate; - - /* IDs from Phase 1 */ - u_int8_t *id_i; - size_t id_i_len; - u_int8_t *id_r; - size_t id_r_len; - - /* Set if we were the initiator of the SA/exchange in Phase 1 */ - int initiator; - - /* Policy session ID, where applicable, copied over from the exchange */ - int policy_id; - - /* - * The key used to authenticate phase 1, in printable format, used - * only by KeyNote. - */ - char *keynote_key; - - /* - * Certificates or other information from Phase 1; these are copied - * from the exchange, so look at exchange.h for an explanation of - * their use. - */ - int recv_certtype, recv_keytype; - /* Certificate received from peer, native format. */ - void *recv_cert; - /* Key peer used to authenticate, native format. */ - void *recv_key; - - /* - * Certificates or other information we used to authenticate to the - * peer, Phase 1. - */ - int sent_certtype; - /* Certificate (to be) sent to peer, native format. */ - void *sent_cert; - - /* DOI-specific opaque data. */ - void *data; - - /* Lifetime data. */ - u_int64_t seconds; - u_int64_t kilobytes; - - /* ACQUIRE sequence number */ - u_int32_t seq; - - /* The events that will occur when an SA has timed out. */ - struct event *soft_death; - struct event *death; - -#if defined (USE_NAT_TRAVERSAL) - struct event *nat_t_keepalive; -#endif - -#if defined (USE_DPD) - /* IKE DPD (RFC3706) message sequence number. */ - u_int32_t dpd_seq; /* sent */ - u_int32_t dpd_rseq; /* recieved */ - u_int32_t dpd_failcount; /* # of subsequent failures */ - struct event *dpd_event; /* time of next event */ -#endif -}; - -/* This SA is alive. */ -#define SA_FLAG_READY 0x01 - -/* Renegotiate the SA at each expiry. */ -#define SA_FLAG_STAYALIVE 0x02 - -/* Establish the SA when it is needed. */ -#define SA_FLAG_ONDEMAND 0x04 - -/* This SA has been replaced by another newer one. */ -#define SA_FLAG_REPLACED 0x08 - -/* This SA has seen a soft timeout and wants to be renegotiated on use. */ -#define SA_FLAG_FADING 0x10 - -/* This SA should always be actively renegotiated (with us as initiator). */ -#define SA_FLAG_ACTIVE_ONLY 0x20 - -/* This SA flag is a placeholder for a TRANSACTION exchange "SA flag". */ -#define SA_FLAG_IKECFG 0x40 - -/* This SA flag indicates if we should do DPD with the phase 1 SA peer. */ -#define SA_FLAG_DPD 0x80 - -/* NAT-T encapsulation state. Kept in isakmp_sa for the new p2 exchange. */ -#define SA_FLAG_NAT_T_ENABLE 0x100 -#define SA_FLAG_NAT_T_KEEPALIVE 0x200 - -extern void proto_free(struct proto * proto); -extern int sa_add_transform(struct sa *, struct payload *, int, - struct proto **); -extern int sa_create(struct exchange *, struct transport *); -extern int sa_enter(struct sa *); -extern void sa_delete(struct sa *, int); -extern void sa_teardown_all(void); -extern struct sa *sa_find(int (*) (struct sa *, void *), void *); -extern int sa_flag(char *); -extern void sa_free(struct sa *); -extern void sa_init(void); -extern void sa_reinit(void); -extern struct sa *sa_isakmp_lookup_by_peer(struct sockaddr *, socklen_t); -extern void sa_isakmp_upgrade(struct message *); -extern struct sa *sa_lookup(u_int8_t *, u_int8_t *); -extern struct sa *sa_lookup_by_peer(struct sockaddr *, socklen_t); -extern struct sa *sa_lookup_by_header(u_int8_t *, int); -extern struct sa *sa_lookup_by_name(char *, int); -extern struct sa *sa_lookup_from_icookie(u_int8_t *); -extern struct sa *sa_lookup_isakmp_sa(struct sockaddr *, u_int8_t *); -extern void sa_mark_replaced(struct sa *); -extern void sa_reference(struct sa *); -extern void sa_release(struct sa *); -extern void sa_remove(struct sa *); -extern void sa_report(void); -extern void sa_dump(int, int, char *, struct sa *); -extern void sa_report_all(FILE *); -extern int sa_setup_expirations(struct sa *); - -/* - * This structure contains most of the data of the in-kernel SA. - * Currently only used to collect the tdb_last_used time for DPD. - */ -struct sa_kinfo { - u_int32_t flags; /* /usr/include/netinet/ip_ipsp.h */ - - u_int32_t exp_allocations; - u_int32_t soft_allocations; - u_int32_t cur_allocations; - - u_int64_t exp_bytes; - u_int64_t soft_bytes; - u_int64_t cur_bytes; - - u_int64_t exp_timeout; - u_int64_t soft_timeout; - - u_int64_t first_use; - u_int64_t established; - u_int64_t soft_first_use; - u_int64_t exp_first_use; - - u_int64_t last_used; - u_int64_t last_marked; - - struct sockaddr_storage dst; - struct sockaddr_storage src; - struct sockaddr_storage proxy; - - u_int32_t spi; - u_int32_t rpl; - u_int16_t udpencap_port; - u_int16_t amxkeylen; - u_int16_t emxkeylen; - u_int16_t ivlen; - u_int8_t sproto; - u_int8_t wnd; - u_int8_t satype; -}; - -#endif /* _SA_H_ */ diff --git a/keyexchange/isakmpd-20041012/samples/Makefile b/keyexchange/isakmpd-20041012/samples/Makefile deleted file mode 100644 index 558bd23..0000000 --- a/keyexchange/isakmpd-20041012/samples/Makefile +++ /dev/null @@ -1,34 +0,0 @@ -# $OpenBSD: Makefile,v 1.2 2003/06/03 14:39:50 ho Exp $ -# $EOM: Makefile,v 1.1 2000/05/01 20:04:53 niklas Exp $ - -# -# Copyright (c) 2000 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -FILES= VPN-* policy singlehost-* -TARGETDIR= /usr/share/ipsec/isakmpd - -# The mkdir below is for installation on OpenBSD pre 2.7 -install: - @-mkdir -p ${DESTDIR}${TARGETDIR} - $(INSTALL) -c -m 0444 ${FILES} ${DESTDIR}${TARGETDIR} diff --git a/keyexchange/isakmpd-20041012/samples/VPN-3way-template.conf b/keyexchange/isakmpd-20041012/samples/VPN-3way-template.conf deleted file mode 100644 index b64c801..0000000 --- a/keyexchange/isakmpd-20041012/samples/VPN-3way-template.conf +++ /dev/null @@ -1,116 +0,0 @@ -# $OpenBSD: VPN-3way-template.conf,v 1.11 2004/02/11 08:55:22 jmc Exp $ -# $EOM: VPN-3way-template.conf,v 1.8 2000/10/09 22:08:30 angelos Exp $ -# -# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon. -# -# This is a template file of a VPN setup between three nodes in -# a fully meshed 'three-way' configuration. Suggested use is to copy -# this file to all three nodes and then edit them accordingly. -# -# These nodes are initially called XXX, YYY and ZZZ. -# -# In pseudographics: XXX --- YYY -# \ / -# ZZZ -# -# In cases where IP/network addresses should be defined values like -# 192.168.XXX.nnn have been used. -# - -# Incoming phase 1 negotiations are multiplexed on the source IP -# address. In the three-way VPN, we have two possible peers. - -[Phase 1] -192.168.YYY.nnn= ISAKMP-peer-node-YYY -192.168.ZZZ.nnn= ISAKMP-peer-node-ZZZ - -# These connections are walked over after config file parsing and -# told to the application layer so that it will inform us when -# traffic wants to pass over them. This means we can do on-demand -# keying. In the three-way VPN, each node knows two connections. - -[Phase 2] -Connections= IPsec-Conn-XXX-YYY,IPsec-Conn-XXX-ZZZ - -# ISAKMP Phase 1 peer sections -############################## - -[ISAKMP-peer-node-YYY] -Phase= 1 -Transport= udp -Address= 192.168.YYY.nnn -Configuration= Default-main-mode -Authentication= yoursharedsecretwithYYY - -[ISAKMP-peer-node-ZZZ] -Phase= 1 -Transport= udp -Address= 192.168.ZZZ.nnn -Configuration= Default-main-mode -Authentication= yoursharedsecretwithZZZ - -# IPsec Phase 2 sections -######################## - -[IPsec-Conn-XXX-YYY] -Phase= 2 -ISAKMP-peer= ISAKMP-peer-node-YYY -Configuration= Default-quick-mode -Local-ID= MyNet-XXX -Remote-ID= OtherNet-YYY - -[IPsec-Conn-XXX-ZZZ] -Phase= 2 -ISAKMP-peer= ISAKMP-peer-node-ZZZ -Configuration= Default-quick-mode -Local-ID= MyNet-XXX -Remote-ID= OtherNet-ZZZ - -# Client ID sections -#################### - -[MyNet-XXX] -ID-type= IPV4_ADDR_SUBNET -Network= 192.168.XXX.0 -Netmask= 255.255.255.0 - -[OtherNet-YYY] -ID-type= IPV4_ADDR_SUBNET -Network= 192.168.YYY.0 -Netmask= 255.255.255.0 - -[OtherNet-ZZZ] -ID-type= IPV4_ADDR_SUBNET -Network= 192.168.ZZZ.0 -Netmask= 255.255.255.0 - -# -# There is no more node-specific configuration below this point. -# - -# Main mode descriptions - -[Default-main-mode] -DOI= IPSEC -EXCHANGE_TYPE= ID_PROT -Transforms= 3DES-SHA,3DES-MD5 - -[Blowfish-main-mode] -DOI= IPSEC -EXCHANGE_TYPE= ID_PROT -Transforms= BLF-SHA-M1024 - -# Quick mode description -######################## - -[Default-quick-mode] -DOI= IPSEC -EXCHANGE_TYPE= QUICK_MODE -Suites= QM-ESP-AES-SHA-PFS-SUITE - -[Blowfish-quick-mode] -DOI= IPSEC -EXCHANGE_TYPE= QUICK_MODE -Suites= QM-ESP-BLF-SHA-PFS-SUITE -#Suites= QM-ESP-BLF-SHA-SUITE - diff --git a/keyexchange/isakmpd-20041012/samples/VPN-east.conf b/keyexchange/isakmpd-20041012/samples/VPN-east.conf deleted file mode 100644 index 04d0bb9..0000000 --- a/keyexchange/isakmpd-20041012/samples/VPN-east.conf +++ /dev/null @@ -1,50 +0,0 @@ -# $OpenBSD: VPN-east.conf,v 1.13 2003/03/16 08:13:02 matthieu Exp $ -# $EOM: VPN-east.conf,v 1.12 2000/10/09 22:08:30 angelos Exp $ - -# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon. -# -# The network topology of the example net is like this: -# -# 192.168.11.0/24 - west [.11] - 10.1.0.0/24 - [.12] east - 192.168.12.0/24 -# -# "west" and "east" are the respective security gateways (aka VPN-nodes). - -[Phase 1] -10.1.0.11= ISAKMP-peer-west - -[Phase 2] -Connections= IPsec-east-west - -[ISAKMP-peer-west] -Phase= 1 -Transport= udp -Address= 10.1.0.11 -Configuration= Default-main-mode -Authentication= mekmitasdigoat - -[IPsec-east-west] -Phase= 2 -ISAKMP-peer= ISAKMP-peer-west -Configuration= Default-quick-mode -Local-ID= Net-east -Remote-ID= Net-west - -[Net-west] -ID-type= IPV4_ADDR_SUBNET -Network= 192.168.11.0 -Netmask= 255.255.255.0 - -[Net-east] -ID-type= IPV4_ADDR_SUBNET -Network= 192.168.12.0 -Netmask= 255.255.255.0 - -[Default-main-mode] -DOI= IPSEC -EXCHANGE_TYPE= ID_PROT -Transforms= 3DES-SHA - -[Default-quick-mode] -DOI= IPSEC -EXCHANGE_TYPE= QUICK_MODE -Suites= QM-ESP-AES-SHA-PFS-SUITE diff --git a/keyexchange/isakmpd-20041012/samples/VPN-west.conf b/keyexchange/isakmpd-20041012/samples/VPN-west.conf deleted file mode 100644 index 5b3a8f6..0000000 --- a/keyexchange/isakmpd-20041012/samples/VPN-west.conf +++ /dev/null @@ -1,50 +0,0 @@ -# $OpenBSD: VPN-west.conf,v 1.14 2003/03/16 08:13:02 matthieu Exp $ -# $EOM: VPN-west.conf,v 1.13 2000/10/09 22:08:30 angelos Exp $ - -# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon. -# -# The network topology of the example net is like this: -# -# 192.168.11.0/24 - west [.11] - 10.1.0.0/24 - [.12] east - 192.168.12.0/24 -# -# "west" and "east" are the respective security gateways (aka VPN-nodes). - -[Phase 1] -10.1.0.12= ISAKMP-peer-east - -[Phase 2] -Connections= IPsec-west-east - -[ISAKMP-peer-east] -Phase= 1 -Transport= udp -Address= 10.1.0.12 -Configuration= Default-main-mode -Authentication= mekmitasdigoat - -[IPsec-west-east] -Phase= 2 -ISAKMP-peer= ISAKMP-peer-east -Configuration= Default-quick-mode -Local-ID= Net-west -Remote-ID= Net-east - -[Net-west] -ID-type= IPV4_ADDR_SUBNET -Network= 192.168.11.0 -Netmask= 255.255.255.0 - -[Net-east] -ID-type= IPV4_ADDR_SUBNET -Network= 192.168.12.0 -Netmask= 255.255.255.0 - -[Default-main-mode] -DOI= IPSEC -EXCHANGE_TYPE= ID_PROT -Transforms= 3DES-SHA - -[Default-quick-mode] -DOI= IPSEC -EXCHANGE_TYPE= QUICK_MODE -Suites= QM-ESP-AES-SHA-PFS-SUITE diff --git a/keyexchange/isakmpd-20041012/samples/policy b/keyexchange/isakmpd-20041012/samples/policy deleted file mode 100644 index 0e194aa..0000000 --- a/keyexchange/isakmpd-20041012/samples/policy +++ /dev/null @@ -1,10 +0,0 @@ -KeyNote-Version: 2 -Comment: This policy accepts ESP SAs from a remote that uses the right password - $OpenBSD: policy,v 1.6 2001/06/20 16:36:19 angelos Exp $ - $EOM: policy,v 1.6 2000/10/09 22:08:30 angelos Exp $ -Authorizer: "POLICY" -Licensees: "passphrase:mekmitasdigoat" -Conditions: app_domain == "IPsec policy" && - esp_present == "yes" && - esp_enc_alg == "aes" && - esp_auth_alg == "hmac-sha" -> "true"; diff --git a/keyexchange/isakmpd-20041012/samples/singlehost-east.conf b/keyexchange/isakmpd-20041012/samples/singlehost-east.conf deleted file mode 100644 index f0afc46..0000000 --- a/keyexchange/isakmpd-20041012/samples/singlehost-east.conf +++ /dev/null @@ -1,64 +0,0 @@ -# $OpenBSD: singlehost-east.conf,v 1.10 2000/11/23 12:56:25 niklas Exp $ -# $EOM: singlehost-east.conf,v 1.10 2000/11/23 12:24:43 niklas Exp $ - -# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon. - -[General] -Listen-on= 10.1.0.12 -Shared-SADB= Defined -Policy-File= policy - -[Phase 1] -10.1.0.11= ISAKMP-peer-west -Default= ISAKMP-peer-west-aggressive - -[Phase 2] -Connections= IPsec-east-west - -[ISAKMP-peer-west] -Phase= 1 -Transport= udp -Local-address= 10.1.0.12 -Address= 10.1.0.11 -Configuration= Default-main-mode -Authentication= mekmitasdigoat - -[ISAKMP-peer-west-aggressive] -Phase= 1 -Transport= udp -Local-address= 10.1.0.12 -Address= 10.1.0.11 -Configuration= Default-aggressive-mode -Authentication= mekmitasdigoat - -[IPsec-east-west] -Phase= 2 -ISAKMP-peer= ISAKMP-peer-west -Configuration= Default-quick-mode -Local-ID= Net-east -Remote-ID= Net-west - -[Net-west] -ID-type= IPV4_ADDR_SUBNET -Network= 192.168.11.0 -Netmask= 255.255.255.0 - -[Net-east] -ID-type= IPV4_ADDR_SUBNET -Network= 192.168.12.0 -Netmask= 255.255.255.0 - -[Default-main-mode] -DOI= IPSEC -EXCHANGE_TYPE= ID_PROT -Transforms= 3DES-SHA - -[Default-aggressive-mode] -DOI= IPSEC -EXCHANGE_TYPE= AGGRESSIVE -Transforms= 3DES-SHA-RSA - -[Default-quick-mode] -DOI= IPSEC -EXCHANGE_TYPE= QUICK_MODE -Suites= QM-ESP-AES-SHA-PFS-SUITE diff --git a/keyexchange/isakmpd-20041012/samples/singlehost-east.gdb b/keyexchange/isakmpd-20041012/samples/singlehost-east.gdb deleted file mode 100644 index a41df0d..0000000 --- a/keyexchange/isakmpd-20041012/samples/singlehost-east.gdb +++ /dev/null @@ -1 +0,0 @@ -r -d -D0=99 -D1=99 -D2=99 -D3=99 -D4=99 -D5=99 -feast.fifo -c../samples/singlehost-east.conf diff --git a/keyexchange/isakmpd-20041012/samples/singlehost-setup.sh b/keyexchange/isakmpd-20041012/samples/singlehost-setup.sh deleted file mode 100644 index 818ce2d..0000000 --- a/keyexchange/isakmpd-20041012/samples/singlehost-setup.sh +++ /dev/null @@ -1,84 +0,0 @@ -#!/bin/sh -# $OpenBSD: singlehost-setup.sh,v 1.5 2003/08/18 09:41:40 markus Exp $ -# $EOM: singlehost-setup.sh,v 1.3 2000/11/23 12:24:43 niklas Exp $ - -# A script to test single-host VPNs - -# For the 'pf' variable -. /etc/rc.conf - -# Default paths -PFCTL=/sbin/pfctl -ISAKMPD=/sbin/isakmpd - -do_routes() -{ - /sbin/route $1 -net 192.168.11.0/24 192.168.11.1 -iface >/dev/null - /sbin/route $1 -net 192.168.12.0/24 192.168.12.1 -iface >/dev/null - /sbin/route $1 -net 10.1.0.0/16 10.1.0.11 -iface >/dev/null -} - -# Called on script exit -cleanup () { - if [ "x${pf}" = "xYES" -a -f ${pf_rules} ]; then - ${PFCTL} -R -f ${pf_rules} - else - ${PFCTL} -qd - fi - - USER=`id -p | grep ^login | cut -f2` - chown $USER singlehost-east.conf singlehost-west.conf policy - chmod 644 singlehost-east.conf singlehost-west.conf policy - - [ -p east.fifo ] && echo "Q" >> east.fifo - [ -p west.fifo ] && echo "Q" >> west.fifo - rm -f east.fifo west.fifo - - do_routes delete -} - -# Start by initializing interfaces -/sbin/ifconfig lo2 192.168.11.1 netmask 0xffffff00 up -/sbin/ifconfig lo3 192.168.12.1 netmask 0xffffff00 up -/sbin/ifconfig lo4 10.1.0.11 netmask 0xffff0000 up -/sbin/ifconfig lo5 10.1.0.12 netmask 0xffff0000 up -# ... and by adding the required routes -do_routes add - -# Add rules -( - cat <<EOF -pass out quick on lo2 proto 50 all -pass out quick on lo2 from 192.168.11.0/24 to any -pass out quick on lo3 proto 50 all -pass out quick on lo3 from 192.168.12.0/24 to any -block out on lo2 all -block out on lo3 all -EOF - if [ "x${pf}" = "xYES" -a -f ${pf_rules} ]; then - cat ${pf_rules} | egrep -v '^(scrub|rdr|binat|nat)' - else - pfctl -qe >/dev/null - fi -) | pfctl -R -f - - -trap cleanup 1 2 3 15 - -# The configuration files needs proper owners and modes -USER=`id -p | grep ^uid | cut -f2` -chown $USER singlehost-east.conf singlehost-west.conf policy -chmod 600 singlehost-east.conf singlehost-west.conf policy - -# Start the daemons -rm -f east.fifo west.fifo -${ISAKMPD} -c singlehost-east.conf -f east.fifo "$@" -${ISAKMPD} -c singlehost-west.conf -f west.fifo "$@" - -# Give them some time to negotiate their stuff... -SECS=3 -echo "Waiting $SECS seconds..." -sleep $SECS -echo "Running 'ping', using the tunnel..." -ping -I 192.168.11.1 -c 5 192.168.12.1 - -cleanup diff --git a/keyexchange/isakmpd-20041012/samples/singlehost-west.conf b/keyexchange/isakmpd-20041012/samples/singlehost-west.conf deleted file mode 100644 index 40538a3..0000000 --- a/keyexchange/isakmpd-20041012/samples/singlehost-west.conf +++ /dev/null @@ -1,64 +0,0 @@ -# $OpenBSD: singlehost-west.conf,v 1.11 2003/08/20 14:43:36 ho Exp $ -# $EOM: singlehost-west.conf,v 1.10 2000/11/23 12:24:43 niklas Exp $ - -# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon. - -[General] -Listen-on= 10.1.0.11 -Shared-SADB= Defined -Policy-File= policy - -[Phase 1] -10.1.0.12= ISAKMP-peer-east -Default= ISAKMP-peer-east-aggressive - -[Phase 2] -Connections= IPsec-west-east - -[ISAKMP-peer-east] -Phase= 1 -Transport= udp -Local-address= 10.1.0.11 -Address= 10.1.0.12 -Configuration= Default-main-mode -Authentication= mekmitasdigoat - -[ISAKMP-peer-east-aggressive] -Phase= 1 -Transport= udp -Local-address= 10.1.0.11 -Address= 10.1.0.12 -Configuration= Default-aggressive-mode -Authentication= mekmitasdigoat - -[IPsec-west-east] -Phase= 2 -ISAKMP-peer= ISAKMP-peer-east -Configuration= Default-quick-mode -Local-ID= Net-west -Remote-ID= Net-east - -[Net-west] -ID-type= IPV4_ADDR_SUBNET -Network= 192.168.11.0 -Netmask= 255.255.255.0 - -[Net-east] -ID-type= IPV4_ADDR_SUBNET -Network= 192.168.12.0 -Netmask= 255.255.255.0 - -[Default-main-mode] -DOI= IPSEC -EXCHANGE_TYPE= ID_PROT -Transforms= 3DES-SHA - -[Default-aggressive-mode] -DOI= IPSEC -EXCHANGE_TYPE= AGGRESSIVE -Transforms= 3DES-SHA-RSA - -[Default-quick-mode] -DOI= IPSEC -EXCHANGE_TYPE= QUICK_MODE -Suites= QM-ESP-AES-SHA-PFS-SUITE diff --git a/keyexchange/isakmpd-20041012/samples/singlehost-west.gdb b/keyexchange/isakmpd-20041012/samples/singlehost-west.gdb deleted file mode 100644 index 5315e46..0000000 --- a/keyexchange/isakmpd-20041012/samples/singlehost-west.gdb +++ /dev/null @@ -1 +0,0 @@ -r -d -D0=99 -D1=99 -D2=99 -D3=99 -D4=99 -D5=99 -fwest.fifo -c../samples/singlehost-west.conf diff --git a/keyexchange/isakmpd-20041012/sysdep.h b/keyexchange/isakmpd-20041012/sysdep.h deleted file mode 100644 index 50de819..0000000 --- a/keyexchange/isakmpd-20041012/sysdep.h +++ /dev/null @@ -1,84 +0,0 @@ -/* $OpenBSD: sysdep.h,v 1.19 2004/08/10 15:59:10 ho Exp $ */ -/* $EOM: sysdep.h,v 1.17 2000/12/04 04:46:35 angelos Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _SYSDEP_H_ -#define _SYSDEP_H_ - -#include <sys/types.h> -#if defined (USE_BOEHM_GC) -#include <stdlib.h> -#include <string.h> -#endif - -#include "sysdep-os.h" - -struct proto; -struct sa; -struct sockaddr; - -extern void sysdep_app_handler(int); -extern int sysdep_app_open(void); -extern int sysdep_cleartext(int, int); -extern void sysdep_connection_check(char *); -extern int sysdep_ipsec_delete_spi(struct sa *, struct proto *, int); -extern int sysdep_ipsec_enable_sa(struct sa *, struct sa *); -extern u_int8_t *sysdep_ipsec_get_spi(size_t *, u_int8_t, struct sockaddr *, - struct sockaddr *, u_int32_t); -extern struct sa_kinfo *sysdep_ipsec_get_kernel_sa(u_int8_t *, size_t, - u_int8_t, struct sockaddr *); -extern int sysdep_ipsec_group_spis(struct sa *, struct proto *, - struct proto *, int); -extern int sysdep_ipsec_set_spi(struct sa *, struct proto *, int, - struct sa *); -extern char *sysdep_progname(void); -extern u_int32_t sysdep_random(void); -extern u_int8_t sysdep_sa_len(struct sockaddr *); - -#if defined (USE_BOEHM_GC) -/* - * Use Boehm's garbage collector as a means to find leaks. - * XXX The defines below are GCC-specific. I think it is OK to require - * XXX GCC if you are debugging isakmpd in this way. - */ -void *GC_debug_malloc(size_t, char *, int); -void *GC_debug_realloc(void *, size_t, char *, int); -void GC_debug_free(void *); -char *gc_strdup(const char *); - -#define malloc(x) GC_debug_malloc ((x), __FILE__, __LINE__) -#define realloc(x,y) GC_debug_realloc ((x), (y), __FILE__, __LINE__) -#define free(x) GC_debug_free (x) -#define calloc(x,y) malloc((x) * (y)) -#define strdup(x) gc_strdup((x)) - -#endif /* WITH_BOEHM_GC */ - -#endif /* _SYSDEP_H_ */ diff --git a/keyexchange/isakmpd-20041012/sysdep/bsdi/GNUmakefile.sysdep b/keyexchange/isakmpd-20041012/sysdep/bsdi/GNUmakefile.sysdep deleted file mode 100644 index cc7b8cc..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/bsdi/GNUmakefile.sysdep +++ /dev/null @@ -1,64 +0,0 @@ -# $OpenBSD: GNUmakefile.sysdep,v 1.3 2003/06/03 14:53:11 ho Exp $ -# -# XXX UNTESTED - -# -# Copyright (c) 1999 Niklas Hallqvist. All rights reserved. -# Copyright (c) 2000 Håkan Olsson. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -LIBGMP:= -LIBCRYPTO:= /usr/contrib/lib/libcrypto.a - -LIBSYSDEPDIR:= ${.CURDIR}/sysdep/common/libsysdep -LIBSYSDEP:= ${LIBSYSDEPDIR}/libsysdep.a - -LDADD+= ${LIBGMP} ${LIBSYSDEP} -DPADD+= ${LIBGMP} ${LIBSYSDEP} - -FEATURES= debug tripledes blowfish cast ec aggressive -# Not yet -#FEATURES+= policy x509 - -CFLAGS+= -DNO_RSA -DNO_RC5 -DNO_IDEA \ - -I${.CURDIR}/sysdep/common -I/usr/contrib/include \ - -IPSEC_SRCS= pf_key_v2.c -IPSEC_CFLAGS= -DUSE_PF_KEY_V2 - -USE_LIBCRYPTO= defined - -# -# hack libsysdep.a dependency -# -${LIBSYSDEPDIR}/.depend ${LIBSYSDEP}: - @cd ${LIBSYSDEPDIR} && \ - ${MAKE} --no-print-directory ${MAKEFLAGS} \ - CFLAGS="${CFLAGS}" MKDEP="${MKDEP}" ${MAKECMDGOALS} - -depend: ${LIBSYSDEPDIR}/.depend - -ifeq ($(findstring clean, $(MAKECMDGOALS)), clean) -SUBDIR+= sysdep/common/libsysdep -MAKEFLAGS+= --no-print-directory -endif diff --git a/keyexchange/isakmpd-20041012/sysdep/bsdi/Makefile.sysdep b/keyexchange/isakmpd-20041012/sysdep/bsdi/Makefile.sysdep deleted file mode 100644 index 3840fec..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/bsdi/Makefile.sysdep +++ /dev/null @@ -1,79 +0,0 @@ -# $OpenBSD: Makefile.sysdep,v 1.6 2004/06/26 03:40:57 mcbride Exp $ - -# -# Copyright (c) 1999 Niklas Hallqvist. All rights reserved. -# Copyright (c) 2000 H\xe5kan Olsson. All rights reserved. -# Copyright (c) 2001 Markus Friedl. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER INN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# Override default features -FEATURES= tripledes des blowfish cast ec aggressive debug x509 -FEATURES+= rawkey -# Not yet -#FEATURES+= policy isakmp_cfg - -LIBCRYPTO= /usr/contrib/lib/libcrypto.a -LIBSYSDEPDIR= ${.CURDIR}/sysdep/common/libsysdep - -CFLAGS+= -DHAVE_PCAP - -LDADD+= ${LIBGMP} ${LIBSYSDEPDIR}/libsysdep.a -lipsec -DPADD+= ${LIBGMP} ${LIBSYSDEPDIR}/libsysdep.a ${LIBIPSEC} - -SYSSRC=/usr/build/kame/bsdi4/sys - -.if exists(${SYSSRC}/net/pfkeyv2.h) -CFLAGS+= -I${SYSSRC} -.endif - -.if exists(/usr/build/keynote/keynote.h) -CFLAGS+= -I/usr/build/keynote -LDFLAGS+= -L/usr/build/keynote -.endif - -CFLAGS+= -DNO_IDEA -DNO_RC5 -DHAVE_GETIFADDRS \ - -I${.CURDIR}/sysdep/common -CFLAGS+= -I/usr/include -I/usr/contrib/include - -LDADD+= -L/usr/contrib/lib - -IPSEC_SRCS= pf_key_v2.c -IPSEC_CFLAGS= -DUSE_PF_KEY_V2 - -USE_LIBCRYPTO= defined -USE_GMP= defined -USE_KEYNOTE= defined - -# This is a hack in order to make sure libsysdep is built before the -# linkstage of isakmpd. As a side effect the link is always done even if -# not necessary. Well, I just don't care. -GENERATED+= sysdep-target -sysdep-target: - cd ${.CURDIR}/sysdep/common/libsysdep; ${MAKE} ${.MAKEFLAGS} - -.if make(clean) || make(cleandir) -SUBDIR+= sysdep/common/libsysdep -.endif - -# Kludge around bug in /usr/share/mk/bsd.subdir.mk -NO_REGRESS= defined diff --git a/keyexchange/isakmpd-20041012/sysdep/bsdi/sysdep-os.h b/keyexchange/isakmpd-20041012/sysdep/bsdi/sysdep-os.h deleted file mode 100644 index 710ab82..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/bsdi/sysdep-os.h +++ /dev/null @@ -1,66 +0,0 @@ -/* $OpenBSD: sysdep-os.h,v 1.5 2003/08/06 11:20:00 markus Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * Copyright (c) 2000 H\xe5kan Olsson. All rights reserved. - * Copyright (c) 2001 Markus Friedl. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#ifndef _SYSDEP_OS_H_ - -#define _SYSDEP_OS_H_ - -#define KAME - -#include <netinet6/ipsec.h> - -/* in_port_t */ -#include <netinet/in.h> - -#define timersub(tvp, uvp, vvp) \ - do { \ - (vvp)->tv_sec = (tvp)->tv_sec - (uvp)->tv_sec; \ - (vvp)->tv_usec = (tvp)->tv_usec - (uvp)->tv_usec; \ - if ((vvp)->tv_usec < 0) { \ - (vvp)->tv_sec--; \ - (vvp)->tv_usec += 1000000; \ - } \ - } while (0) - -#ifndef CPI_RESERVED_MIN -/* Reserved CPI numbers */ -#define CPI_RESERVED_MIN 1 -#define CPI_RESERVED_MAX 255 -#define CPI_PRIVATE_MIN 61440 -#define CPI_PRIVATE_MAX 65535 -#endif - -#if !defined(SADB_X_EALG_CAST) && defined(SADB_X_EALG_CAST128CBC) -#define SADB_X_EALG_CAST SADB_X_EALG_CAST128CBC -#endif - -#if !defined(SADB_X_EALG_BLF) && defined(SADB_X_EALG_BLOWFISHCBC) -#define SADB_X_EALG_BLF SADB_X_EALG_BLOWFISHCBC -#endif - -#endif /* _SYSDEP_OS_H_ */ diff --git a/keyexchange/isakmpd-20041012/sysdep/bsdi/sysdep.c b/keyexchange/isakmpd-20041012/sysdep/bsdi/sysdep.c deleted file mode 100644 index 99715d5..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/bsdi/sysdep.c +++ /dev/null @@ -1,225 +0,0 @@ -/* $OpenBSD: sysdep.c,v 1.12 2004/08/10 15:59:10 ho Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * Copyright (c) 2000 H\xe5kan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include <sys/types.h> -#include <sys/socket.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <stdlib.h> -#include <string.h> - -#include "sysdep.h" - -#include "util.h" - -#ifdef NEED_SYSDEP_APP -#include "app.h" -#include "conf.h" -#include "ipsec.h" - -#ifdef USE_PF_KEY_V2 -#include "pf_key_v2.h" -#define KEY_API(x) pf_key_v2_##x -#endif - -#endif /* NEED_SYSDEP_APP */ -#include "log.h" - -extern char *__progname; - -/* - * An as strong as possible random number generator, reverting to a - * deterministic pseudo-random one if regrand is set. - */ -u_int32_t -sysdep_random () -{ - return random(); -} - -/* Return the basename of the command used to invoke us. */ -char * -sysdep_progname () -{ - return __progname; -} - -/* Return the length of the sockaddr struct. */ -u_int8_t -sysdep_sa_len (struct sockaddr *sa) -{ - return sa->sa_len; -} - -/* As regress/ use this file I protect the sysdep_app_* stuff like this. */ -#ifdef NEED_SYSDEP_APP -/* - * Prepare the application we negotiate SAs for (i.e. the IPsec stack) - * for communication. We return a file descriptor useable to select(2) on. - */ -int -sysdep_app_open () -{ - return KEY_API(open) (); -} - -/* - * When select(2) has noticed our application needs attendance, this is what - * gets called. FD is the file descriptor causing the alarm. - */ -void -sysdep_app_handler (int fd) -{ - KEY_API (handler) (fd); -} - -/* Check that the connection named NAME is active, or else make it active. */ -void -sysdep_connection_check (char *name) -{ - KEY_API (connection_check) (name); -} - -/* - * Generate a SPI for protocol PROTO and the source/destination pair given by - * SRC, SRCLEN, DST & DSTLEN. Stash the SPI size in SZ. - */ -u_int8_t * -sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src, - struct sockaddr *dst, u_int32_t seq) -{ - if (app_none) - { - *sz = IPSEC_SPI_SIZE; - /* XXX should be random instead I think. */ - return strdup ("\x12\x34\x56\x78"); - } - return KEY_API (get_spi) (sz, proto, src, dst, seq); -} - -struct sa_kinfo * -sysdep_ipsec_get_kernel_sa(u_int8_t *spi, size_t spi_sz, u_int8_t proto, - struct sockaddr *dst) -{ - if (app_none) - return 0; - /* XXX return KEY_API(get_kernel_sa)(spi, spi_sz, proto, dst); */ - return 0; -} - -/* Force communication on socket FD to go in the clear. */ -int -sysdep_cleartext (int fd, int af) -{ - char *buf; - char *policy[] = { "in bypass", "out bypass", NULL }; - char **p; - int ipp; - int opt; - char *msgstr; - - if (app_none) - return 0; - - switch (af) - { - case AF_INET: - ipp = IPPROTO_IP; - opt = IP_IPSEC_POLICY; - msgstr = ""; - break; - case AF_INET6: - ipp = IPPROTO_IPV6; - opt = IPV6_IPSEC_POLICY; - msgstr = "V6"; - break; - default: - log_print ("sysdep_cleartext: unsupported protocol family %d", af); - return -1; - } - - /* - * Need to bypass system security policy, so I can send and - * receive key management datagrams in the clear. - */ - - for (p = policy; p && *p; p++) - { - buf = ipsec_set_policy (*p, strlen(*p)); - if (buf == NULL) - { - log_error ("sysdep_cleartext: %s: %s", *p, ipsec_strerror()); - return -1; - } - - if (setsockopt(fd, ipp, opt, buf, ipsec_get_policylen(buf)) < 0) - { - log_error ("sysdep_cleartext: " - "setsockopt (%d, IPPROTO_IP%s, IP%s_IPSEC_POLICY, ...) " - "failed", fd, msgstr, msgstr); - return -1; - } - free(buf); - } - - return 0; -} - -int -sysdep_ipsec_delete_spi (struct sa *sa, struct proto *proto, int incoming) -{ - if (app_none) - return 0; - return KEY_API (delete_spi) (sa, proto, incoming); -} - -int -sysdep_ipsec_enable_sa (struct sa *sa, struct sa *isakmp_sa) -{ - if (app_none) - return 0; - return KEY_API (enable_sa) (sa, isakmp_sa); -} - -int -sysdep_ipsec_group_spis (struct sa *sa, struct proto *proto1, - struct proto *proto2, int incoming) -{ - if (app_none) - return 0; - return KEY_API (group_spis) (sa, proto1, proto2, incoming); -} - -int -sysdep_ipsec_set_spi (struct sa *sa, struct proto *proto, int incoming, - struct sa *isakmp_sa) -{ - if (app_none) - return 0; - return KEY_API (set_spi) (sa, proto, incoming, isakmp_sa); -} -#endif diff --git a/keyexchange/isakmpd-20041012/sysdep/common/blf.h b/keyexchange/isakmpd-20041012/sysdep/common/blf.h deleted file mode 100644 index 97eec89..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/common/blf.h +++ /dev/null @@ -1,70 +0,0 @@ -/* $OpenBSD: blf.h,v 1.5 2003/06/03 14:52:06 ho Exp $ */ -/* - * Blowfish - a fast block cipher designed by Bruce Schneier - * - * Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de> - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#ifndef _BLF_H_ -#define _BLF_H_ - -/* Schneier states the maximum key length to be 56 bytes. - * The way how the subkeys are initialized by the key up - * to (N+2)*4 i.e. 72 bytes are utilized. - * Warning: For normal blowfish encryption only 56 bytes - * of the key affect all cipherbits. - */ - -#define BLF_N 16 /* Number of Subkeys */ -#define BLF_MAXKEYLEN ((BLF_N-2)*4) /* 448 bits */ - -/* Blowfish context */ -typedef struct BlowfishContext { - u_int32_t S[4][256]; /* S-Boxes */ - u_int32_t P[BLF_N + 2]; /* Subkeys */ -} blf_ctx; - -/* Raw access to customized Blowfish - * blf_key is just: - * Blowfish_initstate( state ) - * Blowfish_expand0state( state, key, keylen ) - */ - -void Blowfish_encipher(blf_ctx *, u_int32_t *, u_int32_t *); -void Blowfish_decipher(blf_ctx *, u_int32_t *, u_int32_t *); -void Blowfish_initstate(blf_ctx *); -void Blowfish_expand0state(blf_ctx *, const u_int8_t *, u_int16_t); -void Blowfish_expandstate -(blf_ctx *, const u_int8_t *, u_int16_t, const u_int8_t *, u_int16_t); - -/* Standard Blowfish */ - -void blf_key(blf_ctx *, const u_int8_t *, u_int16_t); -void blf_enc(blf_ctx *, u_int32_t *, u_int16_t); -void blf_dec(blf_ctx *, u_int32_t *, u_int16_t); - -/* Converts u_int8_t to u_int32_t */ -u_int32_t Blowfish_stream2word(const u_int8_t *, u_int16_t , u_int16_t *); - -#endif diff --git a/keyexchange/isakmpd-20041012/sysdep/common/cast.h b/keyexchange/isakmpd-20041012/sysdep/common/cast.h deleted file mode 100644 index c130986..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/common/cast.h +++ /dev/null @@ -1,22 +0,0 @@ -/* $OpenBSD: cast.h,v 1.1 2001/01/26 11:34:00 niklas Exp $ */ -/* - * CAST-128 in C - * Written by Steve Reid <sreid@sea-to-sky.net> - * 100% Public Domain - no warranty - * Released 1997.10.11 - */ - -#ifndef _CAST_H_ -#define _CAST_H_ - -typedef struct { - u_int32_t xkey[32]; /* Key, after expansion */ - int rounds; /* Number of rounds to use, 12 or 16 */ -} cast_key; - -void cast_setkey(cast_key* key, u_int8_t* rawkey, int keybytes); -void cast_encrypt(cast_key* key, u_int8_t* inblock, u_int8_t* outblock); -void cast_decrypt(cast_key* key, u_int8_t* inblock, u_int8_t* outblock); - -#endif /* ifndef _CAST_H_ */ - diff --git a/keyexchange/isakmpd-20041012/sysdep/common/libsysdep/GNUmakefile b/keyexchange/isakmpd-20041012/sysdep/common/libsysdep/GNUmakefile deleted file mode 100644 index 3b62328..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/common/libsysdep/GNUmakefile +++ /dev/null @@ -1,57 +0,0 @@ -# $OpenBSD: GNUmakefile,v 1.4 2003/06/03 14:52:06 ho Exp $ - -# -# Copyright (c) 1999 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Ericsson Radio Systems. -# - -.CURDIR:= $(shell pwd) - -LIB= sysdep -SRCS= arc4random.c blowfish.c cast.c md5.c sha1.c strlcat.c strlcpy.c -NOMAN= -CFLAGS+= -I${.CURDIR}/.. -I/usr/include/machine - -lib${LIB}.a: ${SRCS:%.c=%.o} - ar cq $@ ${SRCS:%.c=%.o} - -clean: - rm -f lib${LIB}.a ${SRCS:%.c=%.o} - -cleandir: clean cleandepend - -depend: .depend - -.depend: ${SRCS} - @rm -f .depend - ${MKDEP} ${CFLAGS} ${SRCS} > .depend - -cleandepend: - rm -f .depend - -ifneq ($(findstring clean,$(MAKECMDGOALS)),clean) --include .depend -endif diff --git a/keyexchange/isakmpd-20041012/sysdep/common/libsysdep/Makefile b/keyexchange/isakmpd-20041012/sysdep/common/libsysdep/Makefile deleted file mode 100644 index fce68d3..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/common/libsysdep/Makefile +++ /dev/null @@ -1,43 +0,0 @@ -# $OpenBSD: Makefile,v 1.4 2003/06/03 14:52:06 ho Exp $ - -# -# Copyright (c) 1999 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Ericsson Radio Systems. -# -OPSYS!= uname -s - -LIB= sysdep -SRCS= arc4random.c blowfish.c cast.c md5.c sha1.c strlcat.c strlcpy.c -NOPROFILE= -NOPIC= -NOMAN= -.if ${OPSYS} == "NetBSD" -CPPFLAGS+= -I${.CURDIR}/.. -I/usr/include/machine -.else -CFLAGS+= -I${.CURDIR}/.. -I/usr/include/machine -.endif - -.include <bsd.lib.mk> diff --git a/keyexchange/isakmpd-20041012/sysdep/common/libsysdep/arc4random.c b/keyexchange/isakmpd-20041012/sysdep/common/libsysdep/arc4random.c deleted file mode 100644 index afd5bb6..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/common/libsysdep/arc4random.c +++ /dev/null @@ -1,178 +0,0 @@ -/* $OpenBSD: arc4random.c,v 1.6 2004/10/08 15:18:26 hshoexer Exp $ */ - -/* - * Arc4 random number generator for OpenBSD. - * Copyright 1996 David Mazieres <dm@lcs.mit.edu>. - * - * Modification and redistribution in source and binary forms is - * permitted provided that due credit is given to the author and the - * OpenBSD project by leaving this copyright notice intact. - */ - -/* - * This code is derived from section 17.1 of Applied Cryptography, - * second edition, which describes a stream cipher allegedly - * compatible with RSA Labs "RC4" cipher (the actual description of - * which is a trade secret). The same algorithm is used as a stream - * cipher called "arcfour" in Tatu Ylonen's ssh package. - * - * Here the stream cipher has been modified always to include the time - * when initializing the state. That makes it impossible to - * regenerate the same random sequence twice, so this can't be used - * for encryption, but will generate good random numbers. - * - * RC4 is a registered trademark of RSA Laboratories. - */ - -#include <fcntl.h> -#include <stdlib.h> -#include <unistd.h> -#include <sys/types.h> -#include <sys/time.h> - -#ifdef __GNUC__ -#define inline __inline -#else /* !__GNUC__ */ -#define inline -#endif /* !__GNUC__ */ - -struct arc4_stream { - u_int8_t i; - u_int8_t j; - u_int8_t s[256]; -}; - -int rs_initialized; -static struct arc4_stream rs; - -static inline u_int8_t arc4_getbyte(struct arc4_stream *); - -static inline void -arc4_init(struct arc4_stream *as) -{ - int n; - - for (n = 0; n < 256; n++) - as->s[n] = n; - as->i = 0; - as->j = 0; -} - -static inline void -arc4_addrandom(struct arc4_stream *as, u_char *dat, int datlen) -{ - int n; - u_int8_t si; - - as->i--; - for (n = 0; n < 256; n++) { - as->i = (as->i + 1); - si = as->s[as->i]; - as->j = (as->j + si + dat[n % datlen]); - as->s[as->i] = as->s[as->j]; - as->s[as->j] = si; - } - as->j = as->i; -} - -static void -arc4_stir(struct arc4_stream *as) -{ - int fd, i; - struct { - struct timeval tv; - u_int8_t rnd[128 - sizeof(struct timeval)]; - } rdat; - - gettimeofday(&rdat.tv, NULL); - fd = open("/dev/arandom", O_RDONLY); - if (fd < 0) - fd = open("/dev/random", O_RDONLY); - if (fd >= 0) { - read(fd, rdat.rnd, sizeof(rdat.rnd)); - close(fd); - } - /* fd < 0? Ah, what the heck. We'll just take whatever was on the - * stack... */ - - arc4_addrandom(as, (void *)&rdat, sizeof(rdat)); - - /* - * Discard early keystream, as per recommendations in: - * http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps - */ - for (i = 0; i < 256; i++) - (void)arc4_getbyte(as); -} - -static inline u_int8_t -arc4_getbyte(struct arc4_stream *as) -{ - u_int8_t si, sj; - - as->i = (as->i + 1); - si = as->s[as->i]; - as->j = (as->j + si); - sj = as->s[as->j]; - as->s[as->i] = sj; - as->s[as->j] = si; - return (as->s[(si + sj) & 0xff]); -} - -static inline u_int32_t -arc4_getword(struct arc4_stream *as) -{ - u_int32_t val; - val = arc4_getbyte(as) << 24; - val |= arc4_getbyte(as) << 16; - val |= arc4_getbyte(as) << 8; - val |= arc4_getbyte(as); - return val; -} - -void -arc4random_stir(void) -{ - if (!rs_initialized) { - arc4_init(&rs); - rs_initialized = 1; - } - arc4_stir(&rs); -} - -void -arc4random_addrandom(u_char *dat, int datlen) -{ - if (!rs_initialized) - arc4random_stir(); - arc4_addrandom(&rs, dat, datlen); -} - -u_int32_t -arc4random(void) -{ - if (!rs_initialized) - arc4random_stir(); - return arc4_getword(&rs); -} - -#if 0 -/*-------- Test code for i386 --------*/ -#include <stdio.h> -#include <machine/pctr.h> -int -main(int argc, char **argv) -{ - const int iter = 1000000; - int i; - pctrval v; - - v = rdtsc(); - for (i = 0; i < iter; i++) - arc4random(); - v = rdtsc() - v; - v /= iter; - - printf("%qd cycles\n", v); -} -#endif diff --git a/keyexchange/isakmpd-20041012/sysdep/common/libsysdep/blowfish.c b/keyexchange/isakmpd-20041012/sysdep/common/libsysdep/blowfish.c deleted file mode 100644 index 5c59f4b..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/common/libsysdep/blowfish.c +++ /dev/null @@ -1,685 +0,0 @@ -/* $OpenBSD: blowfish.c,v 1.4 2003/06/03 14:52:06 ho Exp $ */ -/* - * Blowfish block cipher for OpenBSD - * Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de> - * All rights reserved. - * - * Implementation advice by David Mazieres <dm@lcs.mit.edu>. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code is derived from section 14.3 and the given source - * in section V of Applied Cryptography, second edition. - * Blowfish is an unpatented fast block cipher designed by - * Bruce Schneier. - */ - -#if 0 -#include <stdio.h> /* used for debugging */ -#include <string.h> -#endif - -#include <sys/types.h> -#include <blf.h> - -#undef inline -#ifdef __GNUC__ -#define inline __inline -#else /* !__GNUC__ */ -#define inline -#endif /* !__GNUC__ */ - -/* Function for Feistel Networks */ - -#define F(bc, x) ((((bc)->S[0][((x) & 0xFF000000) >> 24] \ - + (bc)->S[1][((x) &0xFF0000 ) >> 16]) \ - ^ (bc)->S[2][((x) & 0xFF00) >> 8]) \ - + (bc)->S[3][(x) & 0x00FF]) - -#define BLFRND(bc,i,j,n) (i ^= F(bc,j) ^ (bc)->P[n]) - -void -Blowfish_encipher(c, xl, xr) - blf_ctx *c; - u_int32_t *xl; - u_int32_t *xr; -{ - u_int32_t Xl; - u_int32_t Xr; - - Xl = *xl; - Xr = *xr; - - Xl ^= c->P[0]; - BLFRND(c, Xr, Xl, 1); BLFRND(c, Xl, Xr, 2); - BLFRND(c, Xr, Xl, 3); BLFRND(c, Xl, Xr, 4); - BLFRND(c, Xr, Xl, 5); BLFRND(c, Xl, Xr, 6); - BLFRND(c, Xr, Xl, 7); BLFRND(c, Xl, Xr, 8); - BLFRND(c, Xr, Xl, 9); BLFRND(c, Xl, Xr, 10); - BLFRND(c, Xr, Xl, 11); BLFRND(c, Xl, Xr, 12); - BLFRND(c, Xr, Xl, 13); BLFRND(c, Xl, Xr, 14); - BLFRND(c, Xr, Xl, 15); BLFRND(c, Xl, Xr, 16); - - *xl = Xr ^ c->P[17]; - *xr = Xl; -} - -void -Blowfish_decipher(c, xl, xr) - blf_ctx *c; - u_int32_t *xl; - u_int32_t *xr; -{ - u_int32_t Xl; - u_int32_t Xr; - - Xl = *xl; - Xr = *xr; - - Xl ^= c->P[17]; - BLFRND(c, Xr, Xl, 16); BLFRND(c, Xl, Xr, 15); - BLFRND(c, Xr, Xl, 14); BLFRND(c, Xl, Xr, 13); - BLFRND(c, Xr, Xl, 12); BLFRND(c, Xl, Xr, 11); - BLFRND(c, Xr, Xl, 10); BLFRND(c, Xl, Xr, 9); - BLFRND(c, Xr, Xl, 8); BLFRND(c, Xl, Xr, 7); - BLFRND(c, Xr, Xl, 6); BLFRND(c, Xl, Xr, 5); - BLFRND(c, Xr, Xl, 4); BLFRND(c, Xl, Xr, 3); - BLFRND(c, Xr, Xl, 2); BLFRND(c, Xl, Xr, 1); - - *xl = Xr ^ c->P[0]; - *xr = Xl; -} - -void -Blowfish_initstate(c) - blf_ctx *c; -{ - -/* P-box and S-box tables initialized with digits of Pi */ - - const blf_ctx initstate = - - { { - { - 0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7, - 0xb8e1afed, 0x6a267e96, 0xba7c9045, 0xf12c7f99, - 0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16, - 0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e, - 0x0d95748f, 0x728eb658, 0x718bcd58, 0x82154aee, - 0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013, - 0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef, - 0x8e79dcb0, 0x603a180e, 0x6c9e0e8b, 0xb01e8a3e, - 0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60, - 0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440, - 0x55ca396a, 0x2aab10b6, 0xb4cc5c34, 0x1141e8ce, - 0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a, - 0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e, - 0xafd6ba33, 0x6c24cf5c, 0x7a325381, 0x28958677, - 0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193, - 0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032, - 0xef845d5d, 0xe98575b1, 0xdc262302, 0xeb651b88, - 0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239, - 0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e, - 0x21c66842, 0xf6e96c9a, 0x670c9c61, 0xabd388f0, - 0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3, - 0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98, - 0xa1f1651d, 0x39af0176, 0x66ca593e, 0x82430e88, - 0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe, - 0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6, - 0x4ed3aa62, 0x363f7706, 0x1bfedf72, 0x429b023d, - 0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b, - 0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7, - 0xe3fe501a, 0xb6794c3b, 0x976ce0bd, 0x04c006ba, - 0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463, - 0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f, - 0x6dfc511f, 0x9b30952c, 0xcc814544, 0xaf5ebd09, - 0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3, - 0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb, - 0x5579c0bd, 0x1a60320a, 0xd6a100c6, 0x402c7279, - 0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8, - 0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab, - 0x323db5fa, 0xfd238760, 0x53317b48, 0x3e00df82, - 0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db, - 0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573, - 0x695b27b0, 0xbbca58c8, 0xe1ffa35d, 0xb8f011a0, - 0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b, - 0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790, - 0xe1ddf2da, 0xa4cb7e33, 0x62fb1341, 0xcee4c6e8, - 0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4, - 0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0, - 0xd08ed1d0, 0xafc725e0, 0x8e3c5b2f, 0x8e7594b7, - 0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c, - 0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad, - 0x2f2f2218, 0xbe0e1777, 0xea752dfe, 0x8b021fa1, - 0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299, - 0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9, - 0x165fa266, 0x80957705, 0x93cc7314, 0x211a1477, - 0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf, - 0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49, - 0x00250e2d, 0x2071b35e, 0x226800bb, 0x57b8e0af, - 0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa, - 0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5, - 0x83260376, 0x6295cfa9, 0x11c81968, 0x4e734a41, - 0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915, - 0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400, - 0x08ba6fb5, 0x571be91f, 0xf296ec6b, 0x2a0dd915, - 0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664, - 0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a}, - { - 0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623, - 0xad6ea6b0, 0x49a7df7d, 0x9cee60b8, 0x8fedb266, - 0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1, - 0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e, - 0x3f54989a, 0x5b429d65, 0x6b8fe4d6, 0x99f73fd6, - 0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1, - 0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e, - 0x09686b3f, 0x3ebaefc9, 0x3c971814, 0x6b6a70a1, - 0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737, - 0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8, - 0xb03ada37, 0xf0500c0d, 0xf01c1f04, 0x0200b3ff, - 0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd, - 0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701, - 0x3ae5e581, 0x37c2dadc, 0xc8b57634, 0x9af3dda7, - 0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41, - 0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331, - 0x4e548b38, 0x4f6db908, 0x6f420d03, 0xf60a04bf, - 0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af, - 0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e, - 0x5512721f, 0x2e6b7124, 0x501adde6, 0x9f84cd87, - 0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c, - 0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2, - 0xef1c1847, 0x3215d908, 0xdd433b37, 0x24c2ba16, - 0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd, - 0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b, - 0x043556f1, 0xd7a3c76b, 0x3c11183b, 0x5924a509, - 0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e, - 0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3, - 0x771fe71c, 0x4e3d06fa, 0x2965dcb9, 0x99e71d0f, - 0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a, - 0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4, - 0xf2f74ea7, 0x361d2b3d, 0x1939260f, 0x19c27960, - 0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66, - 0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28, - 0xc332ddef, 0xbe6c5aa5, 0x65582185, 0x68ab9802, - 0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84, - 0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510, - 0x13cca830, 0xeb61bd96, 0x0334fe1e, 0xaa0363cf, - 0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14, - 0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e, - 0x648b1eaf, 0x19bdf0ca, 0xa02369b9, 0x655abb50, - 0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7, - 0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8, - 0xf837889a, 0x97e32d77, 0x11ed935f, 0x16681281, - 0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99, - 0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696, - 0xcdb30aeb, 0x532e3054, 0x8fd948e4, 0x6dbc3128, - 0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73, - 0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0, - 0x45eee2b6, 0xa3aaabea, 0xdb6c4f15, 0xfacb4fd0, - 0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105, - 0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250, - 0xcf62a1f2, 0x5b8d2646, 0xfc8883a0, 0xc1c7b6a3, - 0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285, - 0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00, - 0x58428d2a, 0x0c55f5ea, 0x1dadf43e, 0x233f7061, - 0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb, - 0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e, - 0xa6078084, 0x19f8509e, 0xe8efd855, 0x61d99735, - 0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc, - 0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9, - 0xdb73dbd3, 0x105588cd, 0x675fda79, 0xe3674340, - 0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20, - 0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7}, - { - 0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934, - 0x411520f7, 0x7602d4f7, 0xbcf46b2e, 0xd4a20068, - 0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af, - 0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840, - 0x4d95fc1d, 0x96b591af, 0x70f4ddd3, 0x66a02f45, - 0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504, - 0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a, - 0x28507825, 0x530429f4, 0x0a2c86da, 0xe9b66dfb, - 0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee, - 0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6, - 0xaace1e7c, 0xd3375fec, 0xce78a399, 0x406b2a42, - 0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b, - 0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2, - 0x3a6efa74, 0xdd5b4332, 0x6841e7f7, 0xca7820fb, - 0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527, - 0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b, - 0x55a867bc, 0xa1159a58, 0xcca92963, 0x99e1db33, - 0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c, - 0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3, - 0x95c11548, 0xe4c66d22, 0x48c1133f, 0xc70f86dc, - 0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17, - 0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564, - 0x257b7834, 0x602a9c60, 0xdff8e8a3, 0x1f636c1b, - 0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115, - 0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922, - 0x85b2a20e, 0xe6ba0d99, 0xde720c8c, 0x2da2f728, - 0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0, - 0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e, - 0x0a476341, 0x992eff74, 0x3a6f6eab, 0xf4f8fd37, - 0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d, - 0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804, - 0xf1290dc7, 0xcc00ffa3, 0xb5390f92, 0x690fed0b, - 0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3, - 0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb, - 0x37392eb3, 0xcc115979, 0x8026e297, 0xf42e312d, - 0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c, - 0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350, - 0x1a6b1018, 0x11caedfa, 0x3d25bdd8, 0xe2e1c3c9, - 0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a, - 0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe, - 0x9dbc8057, 0xf0f7c086, 0x60787bf8, 0x6003604d, - 0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc, - 0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f, - 0x77a057be, 0xbde8ae24, 0x55464299, 0xbf582e61, - 0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2, - 0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9, - 0x7aeb2661, 0x8b1ddf84, 0x846a0e79, 0x915f95e2, - 0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c, - 0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e, - 0xb77f19b6, 0xe0a9dc09, 0x662d09a1, 0xc4324633, - 0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10, - 0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169, - 0xdcb7da83, 0x573906fe, 0xa1e2ce9b, 0x4fcd7f52, - 0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027, - 0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5, - 0xf0177a28, 0xc0f586e0, 0x006058aa, 0x30dc7d62, - 0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634, - 0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76, - 0x6f05e409, 0x4b7c0188, 0x39720a3d, 0x7c927c24, - 0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc, - 0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4, - 0x1e50ef5e, 0xb161e6f8, 0xa28514d9, 0x6c51133c, - 0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837, - 0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0}, - { - 0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b, - 0x5cb0679e, 0x4fa33742, 0xd3822740, 0x99bc9bbe, - 0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b, - 0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4, - 0x5748ab2f, 0xbc946e79, 0xc6a376d2, 0x6549c2c8, - 0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6, - 0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304, - 0xa1fad5f0, 0x6a2d519a, 0x63ef8ce2, 0x9a86ee22, - 0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4, - 0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6, - 0x2826a2f9, 0xa73a3ae1, 0x4ba99586, 0xef5562e9, - 0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59, - 0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593, - 0xe990fd5a, 0x9e34d797, 0x2cf0b7d9, 0x022b8b51, - 0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28, - 0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c, - 0xe029ac71, 0xe019a5e6, 0x47b0acfd, 0xed93fa9b, - 0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28, - 0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c, - 0x15056dd4, 0x88f46dba, 0x03a16125, 0x0564f0bd, - 0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a, - 0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319, - 0x7533d928, 0xb155fdf5, 0x03563482, 0x8aba3cbb, - 0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f, - 0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991, - 0xea7a90c2, 0xfb3e7bce, 0x5121ce64, 0x774fbe32, - 0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680, - 0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166, - 0xb39a460a, 0x6445c0dd, 0x586cdecf, 0x1c20c8ae, - 0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb, - 0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5, - 0x72eacea8, 0xfa6484bb, 0x8d6612ae, 0xbf3c6f47, - 0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370, - 0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d, - 0x4040cb08, 0x4eb4e2cc, 0x34d2466a, 0x0115af84, - 0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048, - 0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8, - 0x611560b1, 0xe7933fdc, 0xbb3a792b, 0x344525bd, - 0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9, - 0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7, - 0x1a908749, 0xd44fbd9a, 0xd0dadecb, 0xd50ada38, - 0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f, - 0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c, - 0xbf97222c, 0x15e6fc2a, 0x0f91fc71, 0x9b941525, - 0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1, - 0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442, - 0xe0ec6e0e, 0x1698db3b, 0x4c98a0be, 0x3278e964, - 0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e, - 0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8, - 0xdf359f8d, 0x9b992f2e, 0xe60b6f47, 0x0fe3f11d, - 0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f, - 0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299, - 0xf523f357, 0xa6327623, 0x93a83531, 0x56cccd02, - 0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc, - 0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614, - 0xe6c6c7bd, 0x327a140a, 0x45e1d006, 0xc3f27b9a, - 0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6, - 0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b, - 0x53113ec0, 0x1640e3d3, 0x38abbd60, 0x2547adf0, - 0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060, - 0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e, - 0x1948c25c, 0x02fb8a8c, 0x01c36ae4, 0xd6ebe1f9, - 0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f, - 0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6} - }, - { - 0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344, - 0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89, - 0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c, - 0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917, - 0x9216d5d9, 0x8979fb1b - } }; - - *c = initstate; - -} - -u_int32_t -Blowfish_stream2word(const u_int8_t *data, u_int16_t databytes, u_int16_t *current) -{ - u_int8_t i; - u_int16_t j; - u_int32_t temp; - - temp = 0x00000000; - j = *current; - - for (i = 0; i < 4; i++, j++) { - if (j >= databytes) - j = 0; - temp = (temp << 8) | data[j]; - } - - *current = j; - return temp; -} - -void -Blowfish_expand0state(blf_ctx *c, const u_int8_t *key, u_int16_t keybytes) -{ - u_int16_t i; - u_int16_t j; - u_int16_t k; - u_int32_t temp; - u_int32_t datal; - u_int32_t datar; - - j = 0; - for (i = 0; i < BLF_N + 2; i++) { - /* Extract 4 int8 to 1 int32 from keystream */ - temp = Blowfish_stream2word(key, keybytes, &j); - c->P[i] = c->P[i] ^ temp; - } - - j = 0; - datal = 0x00000000; - datar = 0x00000000; - for (i = 0; i < BLF_N + 2; i += 2) { - Blowfish_encipher(c, &datal, &datar); - - c->P[i] = datal; - c->P[i + 1] = datar; - } - - for (i = 0; i < 4; i++) { - for (k = 0; k < 256; k += 2) { - Blowfish_encipher(c, &datal, &datar); - - c->S[i][k] = datal; - c->S[i][k + 1] = datar; - } - } -} - - -void -Blowfish_expandstate(blf_ctx *c, const u_int8_t *data, u_int16_t databytes, - const u_int8_t *key, u_int16_t keybytes) -{ - u_int16_t i; - u_int16_t j; - u_int16_t k; - u_int32_t temp; - u_int32_t datal; - u_int32_t datar; - - j = 0; - for (i = 0; i < BLF_N + 2; i++) { - /* Extract 4 int8 to 1 int32 from keystream */ - temp = Blowfish_stream2word(key, keybytes, &j); - c->P[i] = c->P[i] ^ temp; - } - - j = 0; - datal = 0x00000000; - datar = 0x00000000; - for (i = 0; i < BLF_N + 2; i += 2) { - datal ^= Blowfish_stream2word(data, databytes, &j); - datar ^= Blowfish_stream2word(data, databytes, &j); - Blowfish_encipher(c, &datal, &datar); - - c->P[i] = datal; - c->P[i + 1] = datar; - } - - for (i = 0; i < 4; i++) { - for (k = 0; k < 256; k += 2) { - datal ^= Blowfish_stream2word(data, databytes, &j); - datar ^= Blowfish_stream2word(data, databytes, &j); - Blowfish_encipher(c, &datal, &datar); - - c->S[i][k] = datal; - c->S[i][k + 1] = datar; - } - } - -} - -void -blf_key(blf_ctx *c, const u_int8_t *k, u_int16_t len) -{ - /* Initialize S-boxes and subkeys with Pi */ - Blowfish_initstate(c); - - /* Transform S-boxes and subkeys with key */ - Blowfish_expand0state(c, k, len); -} - -void -blf_enc(blf_ctx *c, u_int32_t *data, u_int16_t blocks) -{ - u_int32_t *d; - u_int16_t i; - - d = data; - for (i = 0; i < blocks; i++) { - Blowfish_encipher(c, d, d + 1); - d += 2; - } -} - -void -blf_dec(blf_ctx *c, u_int32_t *data, u_int16_t blocks) -{ - u_int32_t *d; - u_int16_t i; - - d = data; - for (i = 0; i < blocks; i++) { - Blowfish_decipher(c, d, d + 1); - d += 2; - } -} - -void -blf_ecb_encrypt(blf_ctx *c, u_int8_t *data, u_int32_t len) -{ - u_int32_t l, r; - u_int32_t i; - - for (i = 0; i < len; i += 8) { - l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3]; - r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7]; - Blowfish_encipher(c, &l, &r); - data[0] = l >> 24 & 0xff; - data[1] = l >> 16 & 0xff; - data[2] = l >> 8 & 0xff; - data[3] = l & 0xff; - data[4] = r >> 24 & 0xff; - data[5] = r >> 16 & 0xff; - data[6] = r >> 8 & 0xff; - data[7] = r & 0xff; - data += 8; - } -} - -void -blf_ecb_decrypt(blf_ctx *c, u_int8_t *data, u_int32_t len) -{ - u_int32_t l, r; - u_int32_t i; - - for (i = 0; i < len; i += 8) { - l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3]; - r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7]; - Blowfish_decipher(c, &l, &r); - data[0] = l >> 24 & 0xff; - data[1] = l >> 16 & 0xff; - data[2] = l >> 8 & 0xff; - data[3] = l & 0xff; - data[4] = r >> 24 & 0xff; - data[5] = r >> 16 & 0xff; - data[6] = r >> 8 & 0xff; - data[7] = r & 0xff; - data += 8; - } -} - -void -blf_cbc_encrypt(blf_ctx *c, u_int8_t *iv, u_int8_t *data, u_int32_t len) -{ - u_int32_t l, r; - u_int32_t i, j; - - for (i = 0; i < len; i += 8) { - for (j = 0; j < 8; j++) - data[j] ^= iv[j]; - l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3]; - r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7]; - Blowfish_encipher(c, &l, &r); - data[0] = l >> 24 & 0xff; - data[1] = l >> 16 & 0xff; - data[2] = l >> 8 & 0xff; - data[3] = l & 0xff; - data[4] = r >> 24 & 0xff; - data[5] = r >> 16 & 0xff; - data[6] = r >> 8 & 0xff; - data[7] = r & 0xff; - iv = data; - data += 8; - } -} - -void -blf_cbc_decrypt(blf_ctx *c, u_int8_t *iva, u_int8_t *data, u_int32_t len) -{ - u_int32_t l, r; - u_int8_t *iv; - u_int32_t i, j; - - iv = data + len - 16; - data = data + len - 8; - for (i = len - 8; i >= 8; i -= 8) { - l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3]; - r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7]; - Blowfish_decipher(c, &l, &r); - data[0] = l >> 24 & 0xff; - data[1] = l >> 16 & 0xff; - data[2] = l >> 8 & 0xff; - data[3] = l & 0xff; - data[4] = r >> 24 & 0xff; - data[5] = r >> 16 & 0xff; - data[6] = r >> 8 & 0xff; - data[7] = r & 0xff; - for (j = 0; j < 8; j++) - data[j] ^= iv[j]; - iv -= 8; - data -= 8; - } - l = data[0] << 24 | data[1] << 16 | data[2] << 8 | data[3]; - r = data[4] << 24 | data[5] << 16 | data[6] << 8 | data[7]; - Blowfish_decipher(c, &l, &r); - data[0] = l >> 24 & 0xff; - data[1] = l >> 16 & 0xff; - data[2] = l >> 8 & 0xff; - data[3] = l & 0xff; - data[4] = r >> 24 & 0xff; - data[5] = r >> 16 & 0xff; - data[6] = r >> 8 & 0xff; - data[7] = r & 0xff; - for (j = 0; j < 8; j++) - data[j] ^= iva[j]; -} - -#if 0 -void -report(u_int32_t data[], u_int16_t len) -{ - u_int16_t i; - for (i = 0; i < len; i += 2) - printf("Block %0hd: %08lx %08lx.\n", - i / 2, data[i], data[i + 1]); -} -void -main(void) -{ - - blf_ctx c; - char key[] = "AAAAA"; - char key2[] = "abcdefghijklmnopqrstuvwxyz"; - - u_int32_t data[10]; - u_int32_t data2[] = - {0x424c4f57l, 0x46495348l}; - - u_int16_t i; - - /* First test */ - for (i = 0; i < 10; i++) - data[i] = i; - - blf_key(&c, (u_int8_t *) key, 5); - blf_enc(&c, data, 5); - blf_dec(&c, data, 1); - blf_dec(&c, data + 2, 4); - printf("Should read as 0 - 9.\n"); - report(data, 10); - - /* Second test */ - blf_key(&c, (u_int8_t *) key2, strlen(key2)); - blf_enc(&c, data2, 1); - printf("\nShould read as: 0x324ed0fe 0xf413a203.\n"); - report(data2, 2); - blf_dec(&c, data2, 1); - report(data2, 2); -} -#endif diff --git a/keyexchange/isakmpd-20041012/sysdep/common/libsysdep/cast.c b/keyexchange/isakmpd-20041012/sysdep/common/libsysdep/cast.c deleted file mode 100644 index dc21610..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/common/libsysdep/cast.c +++ /dev/null @@ -1,778 +0,0 @@ -/* $OpenBSD: cast.c,v 1.3 2001/06/05 00:12:51 niklas Exp $ */ -/* - * CAST-128 in C - * Written by Steve Reid <sreid@sea-to-sky.net> - * 100% Public Domain - no warranty - * Released 1997.10.11 - */ - -#include <sys/types.h> - -#include <cast.h> - -/* CAST S-Boxes */ - -static const u_int32_t cast_sbox1[256] = { - 0x30FB40D4, 0x9FA0FF0B, 0x6BECCD2F, 0x3F258C7A, - 0x1E213F2F, 0x9C004DD3, 0x6003E540, 0xCF9FC949, - 0xBFD4AF27, 0x88BBBDB5, 0xE2034090, 0x98D09675, - 0x6E63A0E0, 0x15C361D2, 0xC2E7661D, 0x22D4FF8E, - 0x28683B6F, 0xC07FD059, 0xFF2379C8, 0x775F50E2, - 0x43C340D3, 0xDF2F8656, 0x887CA41A, 0xA2D2BD2D, - 0xA1C9E0D6, 0x346C4819, 0x61B76D87, 0x22540F2F, - 0x2ABE32E1, 0xAA54166B, 0x22568E3A, 0xA2D341D0, - 0x66DB40C8, 0xA784392F, 0x004DFF2F, 0x2DB9D2DE, - 0x97943FAC, 0x4A97C1D8, 0x527644B7, 0xB5F437A7, - 0xB82CBAEF, 0xD751D159, 0x6FF7F0ED, 0x5A097A1F, - 0x827B68D0, 0x90ECF52E, 0x22B0C054, 0xBC8E5935, - 0x4B6D2F7F, 0x50BB64A2, 0xD2664910, 0xBEE5812D, - 0xB7332290, 0xE93B159F, 0xB48EE411, 0x4BFF345D, - 0xFD45C240, 0xAD31973F, 0xC4F6D02E, 0x55FC8165, - 0xD5B1CAAD, 0xA1AC2DAE, 0xA2D4B76D, 0xC19B0C50, - 0x882240F2, 0x0C6E4F38, 0xA4E4BFD7, 0x4F5BA272, - 0x564C1D2F, 0xC59C5319, 0xB949E354, 0xB04669FE, - 0xB1B6AB8A, 0xC71358DD, 0x6385C545, 0x110F935D, - 0x57538AD5, 0x6A390493, 0xE63D37E0, 0x2A54F6B3, - 0x3A787D5F, 0x6276A0B5, 0x19A6FCDF, 0x7A42206A, - 0x29F9D4D5, 0xF61B1891, 0xBB72275E, 0xAA508167, - 0x38901091, 0xC6B505EB, 0x84C7CB8C, 0x2AD75A0F, - 0x874A1427, 0xA2D1936B, 0x2AD286AF, 0xAA56D291, - 0xD7894360, 0x425C750D, 0x93B39E26, 0x187184C9, - 0x6C00B32D, 0x73E2BB14, 0xA0BEBC3C, 0x54623779, - 0x64459EAB, 0x3F328B82, 0x7718CF82, 0x59A2CEA6, - 0x04EE002E, 0x89FE78E6, 0x3FAB0950, 0x325FF6C2, - 0x81383F05, 0x6963C5C8, 0x76CB5AD6, 0xD49974C9, - 0xCA180DCF, 0x380782D5, 0xC7FA5CF6, 0x8AC31511, - 0x35E79E13, 0x47DA91D0, 0xF40F9086, 0xA7E2419E, - 0x31366241, 0x051EF495, 0xAA573B04, 0x4A805D8D, - 0x548300D0, 0x00322A3C, 0xBF64CDDF, 0xBA57A68E, - 0x75C6372B, 0x50AFD341, 0xA7C13275, 0x915A0BF5, - 0x6B54BFAB, 0x2B0B1426, 0xAB4CC9D7, 0x449CCD82, - 0xF7FBF265, 0xAB85C5F3, 0x1B55DB94, 0xAAD4E324, - 0xCFA4BD3F, 0x2DEAA3E2, 0x9E204D02, 0xC8BD25AC, - 0xEADF55B3, 0xD5BD9E98, 0xE31231B2, 0x2AD5AD6C, - 0x954329DE, 0xADBE4528, 0xD8710F69, 0xAA51C90F, - 0xAA786BF6, 0x22513F1E, 0xAA51A79B, 0x2AD344CC, - 0x7B5A41F0, 0xD37CFBAD, 0x1B069505, 0x41ECE491, - 0xB4C332E6, 0x032268D4, 0xC9600ACC, 0xCE387E6D, - 0xBF6BB16C, 0x6A70FB78, 0x0D03D9C9, 0xD4DF39DE, - 0xE01063DA, 0x4736F464, 0x5AD328D8, 0xB347CC96, - 0x75BB0FC3, 0x98511BFB, 0x4FFBCC35, 0xB58BCF6A, - 0xE11F0ABC, 0xBFC5FE4A, 0xA70AEC10, 0xAC39570A, - 0x3F04442F, 0x6188B153, 0xE0397A2E, 0x5727CB79, - 0x9CEB418F, 0x1CACD68D, 0x2AD37C96, 0x0175CB9D, - 0xC69DFF09, 0xC75B65F0, 0xD9DB40D8, 0xEC0E7779, - 0x4744EAD4, 0xB11C3274, 0xDD24CB9E, 0x7E1C54BD, - 0xF01144F9, 0xD2240EB1, 0x9675B3FD, 0xA3AC3755, - 0xD47C27AF, 0x51C85F4D, 0x56907596, 0xA5BB15E6, - 0x580304F0, 0xCA042CF1, 0x011A37EA, 0x8DBFAADB, - 0x35BA3E4A, 0x3526FFA0, 0xC37B4D09, 0xBC306ED9, - 0x98A52666, 0x5648F725, 0xFF5E569D, 0x0CED63D0, - 0x7C63B2CF, 0x700B45E1, 0xD5EA50F1, 0x85A92872, - 0xAF1FBDA7, 0xD4234870, 0xA7870BF3, 0x2D3B4D79, - 0x42E04198, 0x0CD0EDE7, 0x26470DB8, 0xF881814C, - 0x474D6AD7, 0x7C0C5E5C, 0xD1231959, 0x381B7298, - 0xF5D2F4DB, 0xAB838653, 0x6E2F1E23, 0x83719C9E, - 0xBD91E046, 0x9A56456E, 0xDC39200C, 0x20C8C571, - 0x962BDA1C, 0xE1E696FF, 0xB141AB08, 0x7CCA89B9, - 0x1A69E783, 0x02CC4843, 0xA2F7C579, 0x429EF47D, - 0x427B169C, 0x5AC9F049, 0xDD8F0F00, 0x5C8165BF -}; - -static const u_int32_t cast_sbox2[256] = { - 0x1F201094, 0xEF0BA75B, 0x69E3CF7E, 0x393F4380, - 0xFE61CF7A, 0xEEC5207A, 0x55889C94, 0x72FC0651, - 0xADA7EF79, 0x4E1D7235, 0xD55A63CE, 0xDE0436BA, - 0x99C430EF, 0x5F0C0794, 0x18DCDB7D, 0xA1D6EFF3, - 0xA0B52F7B, 0x59E83605, 0xEE15B094, 0xE9FFD909, - 0xDC440086, 0xEF944459, 0xBA83CCB3, 0xE0C3CDFB, - 0xD1DA4181, 0x3B092AB1, 0xF997F1C1, 0xA5E6CF7B, - 0x01420DDB, 0xE4E7EF5B, 0x25A1FF41, 0xE180F806, - 0x1FC41080, 0x179BEE7A, 0xD37AC6A9, 0xFE5830A4, - 0x98DE8B7F, 0x77E83F4E, 0x79929269, 0x24FA9F7B, - 0xE113C85B, 0xACC40083, 0xD7503525, 0xF7EA615F, - 0x62143154, 0x0D554B63, 0x5D681121, 0xC866C359, - 0x3D63CF73, 0xCEE234C0, 0xD4D87E87, 0x5C672B21, - 0x071F6181, 0x39F7627F, 0x361E3084, 0xE4EB573B, - 0x602F64A4, 0xD63ACD9C, 0x1BBC4635, 0x9E81032D, - 0x2701F50C, 0x99847AB4, 0xA0E3DF79, 0xBA6CF38C, - 0x10843094, 0x2537A95E, 0xF46F6FFE, 0xA1FF3B1F, - 0x208CFB6A, 0x8F458C74, 0xD9E0A227, 0x4EC73A34, - 0xFC884F69, 0x3E4DE8DF, 0xEF0E0088, 0x3559648D, - 0x8A45388C, 0x1D804366, 0x721D9BFD, 0xA58684BB, - 0xE8256333, 0x844E8212, 0x128D8098, 0xFED33FB4, - 0xCE280AE1, 0x27E19BA5, 0xD5A6C252, 0xE49754BD, - 0xC5D655DD, 0xEB667064, 0x77840B4D, 0xA1B6A801, - 0x84DB26A9, 0xE0B56714, 0x21F043B7, 0xE5D05860, - 0x54F03084, 0x066FF472, 0xA31AA153, 0xDADC4755, - 0xB5625DBF, 0x68561BE6, 0x83CA6B94, 0x2D6ED23B, - 0xECCF01DB, 0xA6D3D0BA, 0xB6803D5C, 0xAF77A709, - 0x33B4A34C, 0x397BC8D6, 0x5EE22B95, 0x5F0E5304, - 0x81ED6F61, 0x20E74364, 0xB45E1378, 0xDE18639B, - 0x881CA122, 0xB96726D1, 0x8049A7E8, 0x22B7DA7B, - 0x5E552D25, 0x5272D237, 0x79D2951C, 0xC60D894C, - 0x488CB402, 0x1BA4FE5B, 0xA4B09F6B, 0x1CA815CF, - 0xA20C3005, 0x8871DF63, 0xB9DE2FCB, 0x0CC6C9E9, - 0x0BEEFF53, 0xE3214517, 0xB4542835, 0x9F63293C, - 0xEE41E729, 0x6E1D2D7C, 0x50045286, 0x1E6685F3, - 0xF33401C6, 0x30A22C95, 0x31A70850, 0x60930F13, - 0x73F98417, 0xA1269859, 0xEC645C44, 0x52C877A9, - 0xCDFF33A6, 0xA02B1741, 0x7CBAD9A2, 0x2180036F, - 0x50D99C08, 0xCB3F4861, 0xC26BD765, 0x64A3F6AB, - 0x80342676, 0x25A75E7B, 0xE4E6D1FC, 0x20C710E6, - 0xCDF0B680, 0x17844D3B, 0x31EEF84D, 0x7E0824E4, - 0x2CCB49EB, 0x846A3BAE, 0x8FF77888, 0xEE5D60F6, - 0x7AF75673, 0x2FDD5CDB, 0xA11631C1, 0x30F66F43, - 0xB3FAEC54, 0x157FD7FA, 0xEF8579CC, 0xD152DE58, - 0xDB2FFD5E, 0x8F32CE19, 0x306AF97A, 0x02F03EF8, - 0x99319AD5, 0xC242FA0F, 0xA7E3EBB0, 0xC68E4906, - 0xB8DA230C, 0x80823028, 0xDCDEF3C8, 0xD35FB171, - 0x088A1BC8, 0xBEC0C560, 0x61A3C9E8, 0xBCA8F54D, - 0xC72FEFFA, 0x22822E99, 0x82C570B4, 0xD8D94E89, - 0x8B1C34BC, 0x301E16E6, 0x273BE979, 0xB0FFEAA6, - 0x61D9B8C6, 0x00B24869, 0xB7FFCE3F, 0x08DC283B, - 0x43DAF65A, 0xF7E19798, 0x7619B72F, 0x8F1C9BA4, - 0xDC8637A0, 0x16A7D3B1, 0x9FC393B7, 0xA7136EEB, - 0xC6BCC63E, 0x1A513742, 0xEF6828BC, 0x520365D6, - 0x2D6A77AB, 0x3527ED4B, 0x821FD216, 0x095C6E2E, - 0xDB92F2FB, 0x5EEA29CB, 0x145892F5, 0x91584F7F, - 0x5483697B, 0x2667A8CC, 0x85196048, 0x8C4BACEA, - 0x833860D4, 0x0D23E0F9, 0x6C387E8A, 0x0AE6D249, - 0xB284600C, 0xD835731D, 0xDCB1C647, 0xAC4C56EA, - 0x3EBD81B3, 0x230EABB0, 0x6438BC87, 0xF0B5B1FA, - 0x8F5EA2B3, 0xFC184642, 0x0A036B7A, 0x4FB089BD, - 0x649DA589, 0xA345415E, 0x5C038323, 0x3E5D3BB9, - 0x43D79572, 0x7E6DD07C, 0x06DFDF1E, 0x6C6CC4EF, - 0x7160A539, 0x73BFBE70, 0x83877605, 0x4523ECF1 -}; - -static const u_int32_t cast_sbox3[256] = { - 0x8DEFC240, 0x25FA5D9F, 0xEB903DBF, 0xE810C907, - 0x47607FFF, 0x369FE44B, 0x8C1FC644, 0xAECECA90, - 0xBEB1F9BF, 0xEEFBCAEA, 0xE8CF1950, 0x51DF07AE, - 0x920E8806, 0xF0AD0548, 0xE13C8D83, 0x927010D5, - 0x11107D9F, 0x07647DB9, 0xB2E3E4D4, 0x3D4F285E, - 0xB9AFA820, 0xFADE82E0, 0xA067268B, 0x8272792E, - 0x553FB2C0, 0x489AE22B, 0xD4EF9794, 0x125E3FBC, - 0x21FFFCEE, 0x825B1BFD, 0x9255C5ED, 0x1257A240, - 0x4E1A8302, 0xBAE07FFF, 0x528246E7, 0x8E57140E, - 0x3373F7BF, 0x8C9F8188, 0xA6FC4EE8, 0xC982B5A5, - 0xA8C01DB7, 0x579FC264, 0x67094F31, 0xF2BD3F5F, - 0x40FFF7C1, 0x1FB78DFC, 0x8E6BD2C1, 0x437BE59B, - 0x99B03DBF, 0xB5DBC64B, 0x638DC0E6, 0x55819D99, - 0xA197C81C, 0x4A012D6E, 0xC5884A28, 0xCCC36F71, - 0xB843C213, 0x6C0743F1, 0x8309893C, 0x0FEDDD5F, - 0x2F7FE850, 0xD7C07F7E, 0x02507FBF, 0x5AFB9A04, - 0xA747D2D0, 0x1651192E, 0xAF70BF3E, 0x58C31380, - 0x5F98302E, 0x727CC3C4, 0x0A0FB402, 0x0F7FEF82, - 0x8C96FDAD, 0x5D2C2AAE, 0x8EE99A49, 0x50DA88B8, - 0x8427F4A0, 0x1EAC5790, 0x796FB449, 0x8252DC15, - 0xEFBD7D9B, 0xA672597D, 0xADA840D8, 0x45F54504, - 0xFA5D7403, 0xE83EC305, 0x4F91751A, 0x925669C2, - 0x23EFE941, 0xA903F12E, 0x60270DF2, 0x0276E4B6, - 0x94FD6574, 0x927985B2, 0x8276DBCB, 0x02778176, - 0xF8AF918D, 0x4E48F79E, 0x8F616DDF, 0xE29D840E, - 0x842F7D83, 0x340CE5C8, 0x96BBB682, 0x93B4B148, - 0xEF303CAB, 0x984FAF28, 0x779FAF9B, 0x92DC560D, - 0x224D1E20, 0x8437AA88, 0x7D29DC96, 0x2756D3DC, - 0x8B907CEE, 0xB51FD240, 0xE7C07CE3, 0xE566B4A1, - 0xC3E9615E, 0x3CF8209D, 0x6094D1E3, 0xCD9CA341, - 0x5C76460E, 0x00EA983B, 0xD4D67881, 0xFD47572C, - 0xF76CEDD9, 0xBDA8229C, 0x127DADAA, 0x438A074E, - 0x1F97C090, 0x081BDB8A, 0x93A07EBE, 0xB938CA15, - 0x97B03CFF, 0x3DC2C0F8, 0x8D1AB2EC, 0x64380E51, - 0x68CC7BFB, 0xD90F2788, 0x12490181, 0x5DE5FFD4, - 0xDD7EF86A, 0x76A2E214, 0xB9A40368, 0x925D958F, - 0x4B39FFFA, 0xBA39AEE9, 0xA4FFD30B, 0xFAF7933B, - 0x6D498623, 0x193CBCFA, 0x27627545, 0x825CF47A, - 0x61BD8BA0, 0xD11E42D1, 0xCEAD04F4, 0x127EA392, - 0x10428DB7, 0x8272A972, 0x9270C4A8, 0x127DE50B, - 0x285BA1C8, 0x3C62F44F, 0x35C0EAA5, 0xE805D231, - 0x428929FB, 0xB4FCDF82, 0x4FB66A53, 0x0E7DC15B, - 0x1F081FAB, 0x108618AE, 0xFCFD086D, 0xF9FF2889, - 0x694BCC11, 0x236A5CAE, 0x12DECA4D, 0x2C3F8CC5, - 0xD2D02DFE, 0xF8EF5896, 0xE4CF52DA, 0x95155B67, - 0x494A488C, 0xB9B6A80C, 0x5C8F82BC, 0x89D36B45, - 0x3A609437, 0xEC00C9A9, 0x44715253, 0x0A874B49, - 0xD773BC40, 0x7C34671C, 0x02717EF6, 0x4FEB5536, - 0xA2D02FFF, 0xD2BF60C4, 0xD43F03C0, 0x50B4EF6D, - 0x07478CD1, 0x006E1888, 0xA2E53F55, 0xB9E6D4BC, - 0xA2048016, 0x97573833, 0xD7207D67, 0xDE0F8F3D, - 0x72F87B33, 0xABCC4F33, 0x7688C55D, 0x7B00A6B0, - 0x947B0001, 0x570075D2, 0xF9BB88F8, 0x8942019E, - 0x4264A5FF, 0x856302E0, 0x72DBD92B, 0xEE971B69, - 0x6EA22FDE, 0x5F08AE2B, 0xAF7A616D, 0xE5C98767, - 0xCF1FEBD2, 0x61EFC8C2, 0xF1AC2571, 0xCC8239C2, - 0x67214CB8, 0xB1E583D1, 0xB7DC3E62, 0x7F10BDCE, - 0xF90A5C38, 0x0FF0443D, 0x606E6DC6, 0x60543A49, - 0x5727C148, 0x2BE98A1D, 0x8AB41738, 0x20E1BE24, - 0xAF96DA0F, 0x68458425, 0x99833BE5, 0x600D457D, - 0x282F9350, 0x8334B362, 0xD91D1120, 0x2B6D8DA0, - 0x642B1E31, 0x9C305A00, 0x52BCE688, 0x1B03588A, - 0xF7BAEFD5, 0x4142ED9C, 0xA4315C11, 0x83323EC5, - 0xDFEF4636, 0xA133C501, 0xE9D3531C, 0xEE353783 -}; - -static const u_int32_t cast_sbox4[256] = { - 0x9DB30420, 0x1FB6E9DE, 0xA7BE7BEF, 0xD273A298, - 0x4A4F7BDB, 0x64AD8C57, 0x85510443, 0xFA020ED1, - 0x7E287AFF, 0xE60FB663, 0x095F35A1, 0x79EBF120, - 0xFD059D43, 0x6497B7B1, 0xF3641F63, 0x241E4ADF, - 0x28147F5F, 0x4FA2B8CD, 0xC9430040, 0x0CC32220, - 0xFDD30B30, 0xC0A5374F, 0x1D2D00D9, 0x24147B15, - 0xEE4D111A, 0x0FCA5167, 0x71FF904C, 0x2D195FFE, - 0x1A05645F, 0x0C13FEFE, 0x081B08CA, 0x05170121, - 0x80530100, 0xE83E5EFE, 0xAC9AF4F8, 0x7FE72701, - 0xD2B8EE5F, 0x06DF4261, 0xBB9E9B8A, 0x7293EA25, - 0xCE84FFDF, 0xF5718801, 0x3DD64B04, 0xA26F263B, - 0x7ED48400, 0x547EEBE6, 0x446D4CA0, 0x6CF3D6F5, - 0x2649ABDF, 0xAEA0C7F5, 0x36338CC1, 0x503F7E93, - 0xD3772061, 0x11B638E1, 0x72500E03, 0xF80EB2BB, - 0xABE0502E, 0xEC8D77DE, 0x57971E81, 0xE14F6746, - 0xC9335400, 0x6920318F, 0x081DBB99, 0xFFC304A5, - 0x4D351805, 0x7F3D5CE3, 0xA6C866C6, 0x5D5BCCA9, - 0xDAEC6FEA, 0x9F926F91, 0x9F46222F, 0x3991467D, - 0xA5BF6D8E, 0x1143C44F, 0x43958302, 0xD0214EEB, - 0x022083B8, 0x3FB6180C, 0x18F8931E, 0x281658E6, - 0x26486E3E, 0x8BD78A70, 0x7477E4C1, 0xB506E07C, - 0xF32D0A25, 0x79098B02, 0xE4EABB81, 0x28123B23, - 0x69DEAD38, 0x1574CA16, 0xDF871B62, 0x211C40B7, - 0xA51A9EF9, 0x0014377B, 0x041E8AC8, 0x09114003, - 0xBD59E4D2, 0xE3D156D5, 0x4FE876D5, 0x2F91A340, - 0x557BE8DE, 0x00EAE4A7, 0x0CE5C2EC, 0x4DB4BBA6, - 0xE756BDFF, 0xDD3369AC, 0xEC17B035, 0x06572327, - 0x99AFC8B0, 0x56C8C391, 0x6B65811C, 0x5E146119, - 0x6E85CB75, 0xBE07C002, 0xC2325577, 0x893FF4EC, - 0x5BBFC92D, 0xD0EC3B25, 0xB7801AB7, 0x8D6D3B24, - 0x20C763EF, 0xC366A5FC, 0x9C382880, 0x0ACE3205, - 0xAAC9548A, 0xECA1D7C7, 0x041AFA32, 0x1D16625A, - 0x6701902C, 0x9B757A54, 0x31D477F7, 0x9126B031, - 0x36CC6FDB, 0xC70B8B46, 0xD9E66A48, 0x56E55A79, - 0x026A4CEB, 0x52437EFF, 0x2F8F76B4, 0x0DF980A5, - 0x8674CDE3, 0xEDDA04EB, 0x17A9BE04, 0x2C18F4DF, - 0xB7747F9D, 0xAB2AF7B4, 0xEFC34D20, 0x2E096B7C, - 0x1741A254, 0xE5B6A035, 0x213D42F6, 0x2C1C7C26, - 0x61C2F50F, 0x6552DAF9, 0xD2C231F8, 0x25130F69, - 0xD8167FA2, 0x0418F2C8, 0x001A96A6, 0x0D1526AB, - 0x63315C21, 0x5E0A72EC, 0x49BAFEFD, 0x187908D9, - 0x8D0DBD86, 0x311170A7, 0x3E9B640C, 0xCC3E10D7, - 0xD5CAD3B6, 0x0CAEC388, 0xF73001E1, 0x6C728AFF, - 0x71EAE2A1, 0x1F9AF36E, 0xCFCBD12F, 0xC1DE8417, - 0xAC07BE6B, 0xCB44A1D8, 0x8B9B0F56, 0x013988C3, - 0xB1C52FCA, 0xB4BE31CD, 0xD8782806, 0x12A3A4E2, - 0x6F7DE532, 0x58FD7EB6, 0xD01EE900, 0x24ADFFC2, - 0xF4990FC5, 0x9711AAC5, 0x001D7B95, 0x82E5E7D2, - 0x109873F6, 0x00613096, 0xC32D9521, 0xADA121FF, - 0x29908415, 0x7FBB977F, 0xAF9EB3DB, 0x29C9ED2A, - 0x5CE2A465, 0xA730F32C, 0xD0AA3FE8, 0x8A5CC091, - 0xD49E2CE7, 0x0CE454A9, 0xD60ACD86, 0x015F1919, - 0x77079103, 0xDEA03AF6, 0x78A8565E, 0xDEE356DF, - 0x21F05CBE, 0x8B75E387, 0xB3C50651, 0xB8A5C3EF, - 0xD8EEB6D2, 0xE523BE77, 0xC2154529, 0x2F69EFDF, - 0xAFE67AFB, 0xF470C4B2, 0xF3E0EB5B, 0xD6CC9876, - 0x39E4460C, 0x1FDA8538, 0x1987832F, 0xCA007367, - 0xA99144F8, 0x296B299E, 0x492FC295, 0x9266BEAB, - 0xB5676E69, 0x9BD3DDDA, 0xDF7E052F, 0xDB25701C, - 0x1B5E51EE, 0xF65324E6, 0x6AFCE36C, 0x0316CC04, - 0x8644213E, 0xB7DC59D0, 0x7965291F, 0xCCD6FD43, - 0x41823979, 0x932BCDF6, 0xB657C34D, 0x4EDFD282, - 0x7AE5290C, 0x3CB9536B, 0x851E20FE, 0x9833557E, - 0x13ECF0B0, 0xD3FFB372, 0x3F85C5C1, 0x0AEF7ED2 -}; - -static const u_int32_t cast_sbox5[256] = { - 0x7EC90C04, 0x2C6E74B9, 0x9B0E66DF, 0xA6337911, - 0xB86A7FFF, 0x1DD358F5, 0x44DD9D44, 0x1731167F, - 0x08FBF1FA, 0xE7F511CC, 0xD2051B00, 0x735ABA00, - 0x2AB722D8, 0x386381CB, 0xACF6243A, 0x69BEFD7A, - 0xE6A2E77F, 0xF0C720CD, 0xC4494816, 0xCCF5C180, - 0x38851640, 0x15B0A848, 0xE68B18CB, 0x4CAADEFF, - 0x5F480A01, 0x0412B2AA, 0x259814FC, 0x41D0EFE2, - 0x4E40B48D, 0x248EB6FB, 0x8DBA1CFE, 0x41A99B02, - 0x1A550A04, 0xBA8F65CB, 0x7251F4E7, 0x95A51725, - 0xC106ECD7, 0x97A5980A, 0xC539B9AA, 0x4D79FE6A, - 0xF2F3F763, 0x68AF8040, 0xED0C9E56, 0x11B4958B, - 0xE1EB5A88, 0x8709E6B0, 0xD7E07156, 0x4E29FEA7, - 0x6366E52D, 0x02D1C000, 0xC4AC8E05, 0x9377F571, - 0x0C05372A, 0x578535F2, 0x2261BE02, 0xD642A0C9, - 0xDF13A280, 0x74B55BD2, 0x682199C0, 0xD421E5EC, - 0x53FB3CE8, 0xC8ADEDB3, 0x28A87FC9, 0x3D959981, - 0x5C1FF900, 0xFE38D399, 0x0C4EFF0B, 0x062407EA, - 0xAA2F4FB1, 0x4FB96976, 0x90C79505, 0xB0A8A774, - 0xEF55A1FF, 0xE59CA2C2, 0xA6B62D27, 0xE66A4263, - 0xDF65001F, 0x0EC50966, 0xDFDD55BC, 0x29DE0655, - 0x911E739A, 0x17AF8975, 0x32C7911C, 0x89F89468, - 0x0D01E980, 0x524755F4, 0x03B63CC9, 0x0CC844B2, - 0xBCF3F0AA, 0x87AC36E9, 0xE53A7426, 0x01B3D82B, - 0x1A9E7449, 0x64EE2D7E, 0xCDDBB1DA, 0x01C94910, - 0xB868BF80, 0x0D26F3FD, 0x9342EDE7, 0x04A5C284, - 0x636737B6, 0x50F5B616, 0xF24766E3, 0x8ECA36C1, - 0x136E05DB, 0xFEF18391, 0xFB887A37, 0xD6E7F7D4, - 0xC7FB7DC9, 0x3063FCDF, 0xB6F589DE, 0xEC2941DA, - 0x26E46695, 0xB7566419, 0xF654EFC5, 0xD08D58B7, - 0x48925401, 0xC1BACB7F, 0xE5FF550F, 0xB6083049, - 0x5BB5D0E8, 0x87D72E5A, 0xAB6A6EE1, 0x223A66CE, - 0xC62BF3CD, 0x9E0885F9, 0x68CB3E47, 0x086C010F, - 0xA21DE820, 0xD18B69DE, 0xF3F65777, 0xFA02C3F6, - 0x407EDAC3, 0xCBB3D550, 0x1793084D, 0xB0D70EBA, - 0x0AB378D5, 0xD951FB0C, 0xDED7DA56, 0x4124BBE4, - 0x94CA0B56, 0x0F5755D1, 0xE0E1E56E, 0x6184B5BE, - 0x580A249F, 0x94F74BC0, 0xE327888E, 0x9F7B5561, - 0xC3DC0280, 0x05687715, 0x646C6BD7, 0x44904DB3, - 0x66B4F0A3, 0xC0F1648A, 0x697ED5AF, 0x49E92FF6, - 0x309E374F, 0x2CB6356A, 0x85808573, 0x4991F840, - 0x76F0AE02, 0x083BE84D, 0x28421C9A, 0x44489406, - 0x736E4CB8, 0xC1092910, 0x8BC95FC6, 0x7D869CF4, - 0x134F616F, 0x2E77118D, 0xB31B2BE1, 0xAA90B472, - 0x3CA5D717, 0x7D161BBA, 0x9CAD9010, 0xAF462BA2, - 0x9FE459D2, 0x45D34559, 0xD9F2DA13, 0xDBC65487, - 0xF3E4F94E, 0x176D486F, 0x097C13EA, 0x631DA5C7, - 0x445F7382, 0x175683F4, 0xCDC66A97, 0x70BE0288, - 0xB3CDCF72, 0x6E5DD2F3, 0x20936079, 0x459B80A5, - 0xBE60E2DB, 0xA9C23101, 0xEBA5315C, 0x224E42F2, - 0x1C5C1572, 0xF6721B2C, 0x1AD2FFF3, 0x8C25404E, - 0x324ED72F, 0x4067B7FD, 0x0523138E, 0x5CA3BC78, - 0xDC0FD66E, 0x75922283, 0x784D6B17, 0x58EBB16E, - 0x44094F85, 0x3F481D87, 0xFCFEAE7B, 0x77B5FF76, - 0x8C2302BF, 0xAAF47556, 0x5F46B02A, 0x2B092801, - 0x3D38F5F7, 0x0CA81F36, 0x52AF4A8A, 0x66D5E7C0, - 0xDF3B0874, 0x95055110, 0x1B5AD7A8, 0xF61ED5AD, - 0x6CF6E479, 0x20758184, 0xD0CEFA65, 0x88F7BE58, - 0x4A046826, 0x0FF6F8F3, 0xA09C7F70, 0x5346ABA0, - 0x5CE96C28, 0xE176EDA3, 0x6BAC307F, 0x376829D2, - 0x85360FA9, 0x17E3FE2A, 0x24B79767, 0xF5A96B20, - 0xD6CD2595, 0x68FF1EBF, 0x7555442C, 0xF19F06BE, - 0xF9E0659A, 0xEEB9491D, 0x34010718, 0xBB30CAB8, - 0xE822FE15, 0x88570983, 0x750E6249, 0xDA627E55, - 0x5E76FFA8, 0xB1534546, 0x6D47DE08, 0xEFE9E7D4 -}; - -static const u_int32_t cast_sbox6[256] = { - 0xF6FA8F9D, 0x2CAC6CE1, 0x4CA34867, 0xE2337F7C, - 0x95DB08E7, 0x016843B4, 0xECED5CBC, 0x325553AC, - 0xBF9F0960, 0xDFA1E2ED, 0x83F0579D, 0x63ED86B9, - 0x1AB6A6B8, 0xDE5EBE39, 0xF38FF732, 0x8989B138, - 0x33F14961, 0xC01937BD, 0xF506C6DA, 0xE4625E7E, - 0xA308EA99, 0x4E23E33C, 0x79CBD7CC, 0x48A14367, - 0xA3149619, 0xFEC94BD5, 0xA114174A, 0xEAA01866, - 0xA084DB2D, 0x09A8486F, 0xA888614A, 0x2900AF98, - 0x01665991, 0xE1992863, 0xC8F30C60, 0x2E78EF3C, - 0xD0D51932, 0xCF0FEC14, 0xF7CA07D2, 0xD0A82072, - 0xFD41197E, 0x9305A6B0, 0xE86BE3DA, 0x74BED3CD, - 0x372DA53C, 0x4C7F4448, 0xDAB5D440, 0x6DBA0EC3, - 0x083919A7, 0x9FBAEED9, 0x49DBCFB0, 0x4E670C53, - 0x5C3D9C01, 0x64BDB941, 0x2C0E636A, 0xBA7DD9CD, - 0xEA6F7388, 0xE70BC762, 0x35F29ADB, 0x5C4CDD8D, - 0xF0D48D8C, 0xB88153E2, 0x08A19866, 0x1AE2EAC8, - 0x284CAF89, 0xAA928223, 0x9334BE53, 0x3B3A21BF, - 0x16434BE3, 0x9AEA3906, 0xEFE8C36E, 0xF890CDD9, - 0x80226DAE, 0xC340A4A3, 0xDF7E9C09, 0xA694A807, - 0x5B7C5ECC, 0x221DB3A6, 0x9A69A02F, 0x68818A54, - 0xCEB2296F, 0x53C0843A, 0xFE893655, 0x25BFE68A, - 0xB4628ABC, 0xCF222EBF, 0x25AC6F48, 0xA9A99387, - 0x53BDDB65, 0xE76FFBE7, 0xE967FD78, 0x0BA93563, - 0x8E342BC1, 0xE8A11BE9, 0x4980740D, 0xC8087DFC, - 0x8DE4BF99, 0xA11101A0, 0x7FD37975, 0xDA5A26C0, - 0xE81F994F, 0x9528CD89, 0xFD339FED, 0xB87834BF, - 0x5F04456D, 0x22258698, 0xC9C4C83B, 0x2DC156BE, - 0x4F628DAA, 0x57F55EC5, 0xE2220ABE, 0xD2916EBF, - 0x4EC75B95, 0x24F2C3C0, 0x42D15D99, 0xCD0D7FA0, - 0x7B6E27FF, 0xA8DC8AF0, 0x7345C106, 0xF41E232F, - 0x35162386, 0xE6EA8926, 0x3333B094, 0x157EC6F2, - 0x372B74AF, 0x692573E4, 0xE9A9D848, 0xF3160289, - 0x3A62EF1D, 0xA787E238, 0xF3A5F676, 0x74364853, - 0x20951063, 0x4576698D, 0xB6FAD407, 0x592AF950, - 0x36F73523, 0x4CFB6E87, 0x7DA4CEC0, 0x6C152DAA, - 0xCB0396A8, 0xC50DFE5D, 0xFCD707AB, 0x0921C42F, - 0x89DFF0BB, 0x5FE2BE78, 0x448F4F33, 0x754613C9, - 0x2B05D08D, 0x48B9D585, 0xDC049441, 0xC8098F9B, - 0x7DEDE786, 0xC39A3373, 0x42410005, 0x6A091751, - 0x0EF3C8A6, 0x890072D6, 0x28207682, 0xA9A9F7BE, - 0xBF32679D, 0xD45B5B75, 0xB353FD00, 0xCBB0E358, - 0x830F220A, 0x1F8FB214, 0xD372CF08, 0xCC3C4A13, - 0x8CF63166, 0x061C87BE, 0x88C98F88, 0x6062E397, - 0x47CF8E7A, 0xB6C85283, 0x3CC2ACFB, 0x3FC06976, - 0x4E8F0252, 0x64D8314D, 0xDA3870E3, 0x1E665459, - 0xC10908F0, 0x513021A5, 0x6C5B68B7, 0x822F8AA0, - 0x3007CD3E, 0x74719EEF, 0xDC872681, 0x073340D4, - 0x7E432FD9, 0x0C5EC241, 0x8809286C, 0xF592D891, - 0x08A930F6, 0x957EF305, 0xB7FBFFBD, 0xC266E96F, - 0x6FE4AC98, 0xB173ECC0, 0xBC60B42A, 0x953498DA, - 0xFBA1AE12, 0x2D4BD736, 0x0F25FAAB, 0xA4F3FCEB, - 0xE2969123, 0x257F0C3D, 0x9348AF49, 0x361400BC, - 0xE8816F4A, 0x3814F200, 0xA3F94043, 0x9C7A54C2, - 0xBC704F57, 0xDA41E7F9, 0xC25AD33A, 0x54F4A084, - 0xB17F5505, 0x59357CBE, 0xEDBD15C8, 0x7F97C5AB, - 0xBA5AC7B5, 0xB6F6DEAF, 0x3A479C3A, 0x5302DA25, - 0x653D7E6A, 0x54268D49, 0x51A477EA, 0x5017D55B, - 0xD7D25D88, 0x44136C76, 0x0404A8C8, 0xB8E5A121, - 0xB81A928A, 0x60ED5869, 0x97C55B96, 0xEAEC991B, - 0x29935913, 0x01FDB7F1, 0x088E8DFA, 0x9AB6F6F5, - 0x3B4CBF9F, 0x4A5DE3AB, 0xE6051D35, 0xA0E1D855, - 0xD36B4CF1, 0xF544EDEB, 0xB0E93524, 0xBEBB8FBD, - 0xA2D762CF, 0x49C92F54, 0x38B5F331, 0x7128A454, - 0x48392905, 0xA65B1DB8, 0x851C97BD, 0xD675CF2F -}; - -static const u_int32_t cast_sbox7[256] = { - 0x85E04019, 0x332BF567, 0x662DBFFF, 0xCFC65693, - 0x2A8D7F6F, 0xAB9BC912, 0xDE6008A1, 0x2028DA1F, - 0x0227BCE7, 0x4D642916, 0x18FAC300, 0x50F18B82, - 0x2CB2CB11, 0xB232E75C, 0x4B3695F2, 0xB28707DE, - 0xA05FBCF6, 0xCD4181E9, 0xE150210C, 0xE24EF1BD, - 0xB168C381, 0xFDE4E789, 0x5C79B0D8, 0x1E8BFD43, - 0x4D495001, 0x38BE4341, 0x913CEE1D, 0x92A79C3F, - 0x089766BE, 0xBAEEADF4, 0x1286BECF, 0xB6EACB19, - 0x2660C200, 0x7565BDE4, 0x64241F7A, 0x8248DCA9, - 0xC3B3AD66, 0x28136086, 0x0BD8DFA8, 0x356D1CF2, - 0x107789BE, 0xB3B2E9CE, 0x0502AA8F, 0x0BC0351E, - 0x166BF52A, 0xEB12FF82, 0xE3486911, 0xD34D7516, - 0x4E7B3AFF, 0x5F43671B, 0x9CF6E037, 0x4981AC83, - 0x334266CE, 0x8C9341B7, 0xD0D854C0, 0xCB3A6C88, - 0x47BC2829, 0x4725BA37, 0xA66AD22B, 0x7AD61F1E, - 0x0C5CBAFA, 0x4437F107, 0xB6E79962, 0x42D2D816, - 0x0A961288, 0xE1A5C06E, 0x13749E67, 0x72FC081A, - 0xB1D139F7, 0xF9583745, 0xCF19DF58, 0xBEC3F756, - 0xC06EBA30, 0x07211B24, 0x45C28829, 0xC95E317F, - 0xBC8EC511, 0x38BC46E9, 0xC6E6FA14, 0xBAE8584A, - 0xAD4EBC46, 0x468F508B, 0x7829435F, 0xF124183B, - 0x821DBA9F, 0xAFF60FF4, 0xEA2C4E6D, 0x16E39264, - 0x92544A8B, 0x009B4FC3, 0xABA68CED, 0x9AC96F78, - 0x06A5B79A, 0xB2856E6E, 0x1AEC3CA9, 0xBE838688, - 0x0E0804E9, 0x55F1BE56, 0xE7E5363B, 0xB3A1F25D, - 0xF7DEBB85, 0x61FE033C, 0x16746233, 0x3C034C28, - 0xDA6D0C74, 0x79AAC56C, 0x3CE4E1AD, 0x51F0C802, - 0x98F8F35A, 0x1626A49F, 0xEED82B29, 0x1D382FE3, - 0x0C4FB99A, 0xBB325778, 0x3EC6D97B, 0x6E77A6A9, - 0xCB658B5C, 0xD45230C7, 0x2BD1408B, 0x60C03EB7, - 0xB9068D78, 0xA33754F4, 0xF430C87D, 0xC8A71302, - 0xB96D8C32, 0xEBD4E7BE, 0xBE8B9D2D, 0x7979FB06, - 0xE7225308, 0x8B75CF77, 0x11EF8DA4, 0xE083C858, - 0x8D6B786F, 0x5A6317A6, 0xFA5CF7A0, 0x5DDA0033, - 0xF28EBFB0, 0xF5B9C310, 0xA0EAC280, 0x08B9767A, - 0xA3D9D2B0, 0x79D34217, 0x021A718D, 0x9AC6336A, - 0x2711FD60, 0x438050E3, 0x069908A8, 0x3D7FEDC4, - 0x826D2BEF, 0x4EEB8476, 0x488DCF25, 0x36C9D566, - 0x28E74E41, 0xC2610ACA, 0x3D49A9CF, 0xBAE3B9DF, - 0xB65F8DE6, 0x92AEAF64, 0x3AC7D5E6, 0x9EA80509, - 0xF22B017D, 0xA4173F70, 0xDD1E16C3, 0x15E0D7F9, - 0x50B1B887, 0x2B9F4FD5, 0x625ABA82, 0x6A017962, - 0x2EC01B9C, 0x15488AA9, 0xD716E740, 0x40055A2C, - 0x93D29A22, 0xE32DBF9A, 0x058745B9, 0x3453DC1E, - 0xD699296E, 0x496CFF6F, 0x1C9F4986, 0xDFE2ED07, - 0xB87242D1, 0x19DE7EAE, 0x053E561A, 0x15AD6F8C, - 0x66626C1C, 0x7154C24C, 0xEA082B2A, 0x93EB2939, - 0x17DCB0F0, 0x58D4F2AE, 0x9EA294FB, 0x52CF564C, - 0x9883FE66, 0x2EC40581, 0x763953C3, 0x01D6692E, - 0xD3A0C108, 0xA1E7160E, 0xE4F2DFA6, 0x693ED285, - 0x74904698, 0x4C2B0EDD, 0x4F757656, 0x5D393378, - 0xA132234F, 0x3D321C5D, 0xC3F5E194, 0x4B269301, - 0xC79F022F, 0x3C997E7E, 0x5E4F9504, 0x3FFAFBBD, - 0x76F7AD0E, 0x296693F4, 0x3D1FCE6F, 0xC61E45BE, - 0xD3B5AB34, 0xF72BF9B7, 0x1B0434C0, 0x4E72B567, - 0x5592A33D, 0xB5229301, 0xCFD2A87F, 0x60AEB767, - 0x1814386B, 0x30BCC33D, 0x38A0C07D, 0xFD1606F2, - 0xC363519B, 0x589DD390, 0x5479F8E6, 0x1CB8D647, - 0x97FD61A9, 0xEA7759F4, 0x2D57539D, 0x569A58CF, - 0xE84E63AD, 0x462E1B78, 0x6580F87E, 0xF3817914, - 0x91DA55F4, 0x40A230F3, 0xD1988F35, 0xB6E318D2, - 0x3FFA50BC, 0x3D40F021, 0xC3C0BDAE, 0x4958C24C, - 0x518F36B2, 0x84B1D370, 0x0FEDCE83, 0x878DDADA, - 0xF2A279C7, 0x94E01BE8, 0x90716F4B, 0x954B8AA3 -}; - -static const u_int32_t cast_sbox8[256] = { - 0xE216300D, 0xBBDDFFFC, 0xA7EBDABD, 0x35648095, - 0x7789F8B7, 0xE6C1121B, 0x0E241600, 0x052CE8B5, - 0x11A9CFB0, 0xE5952F11, 0xECE7990A, 0x9386D174, - 0x2A42931C, 0x76E38111, 0xB12DEF3A, 0x37DDDDFC, - 0xDE9ADEB1, 0x0A0CC32C, 0xBE197029, 0x84A00940, - 0xBB243A0F, 0xB4D137CF, 0xB44E79F0, 0x049EEDFD, - 0x0B15A15D, 0x480D3168, 0x8BBBDE5A, 0x669DED42, - 0xC7ECE831, 0x3F8F95E7, 0x72DF191B, 0x7580330D, - 0x94074251, 0x5C7DCDFA, 0xABBE6D63, 0xAA402164, - 0xB301D40A, 0x02E7D1CA, 0x53571DAE, 0x7A3182A2, - 0x12A8DDEC, 0xFDAA335D, 0x176F43E8, 0x71FB46D4, - 0x38129022, 0xCE949AD4, 0xB84769AD, 0x965BD862, - 0x82F3D055, 0x66FB9767, 0x15B80B4E, 0x1D5B47A0, - 0x4CFDE06F, 0xC28EC4B8, 0x57E8726E, 0x647A78FC, - 0x99865D44, 0x608BD593, 0x6C200E03, 0x39DC5FF6, - 0x5D0B00A3, 0xAE63AFF2, 0x7E8BD632, 0x70108C0C, - 0xBBD35049, 0x2998DF04, 0x980CF42A, 0x9B6DF491, - 0x9E7EDD53, 0x06918548, 0x58CB7E07, 0x3B74EF2E, - 0x522FFFB1, 0xD24708CC, 0x1C7E27CD, 0xA4EB215B, - 0x3CF1D2E2, 0x19B47A38, 0x424F7618, 0x35856039, - 0x9D17DEE7, 0x27EB35E6, 0xC9AFF67B, 0x36BAF5B8, - 0x09C467CD, 0xC18910B1, 0xE11DBF7B, 0x06CD1AF8, - 0x7170C608, 0x2D5E3354, 0xD4DE495A, 0x64C6D006, - 0xBCC0C62C, 0x3DD00DB3, 0x708F8F34, 0x77D51B42, - 0x264F620F, 0x24B8D2BF, 0x15C1B79E, 0x46A52564, - 0xF8D7E54E, 0x3E378160, 0x7895CDA5, 0x859C15A5, - 0xE6459788, 0xC37BC75F, 0xDB07BA0C, 0x0676A3AB, - 0x7F229B1E, 0x31842E7B, 0x24259FD7, 0xF8BEF472, - 0x835FFCB8, 0x6DF4C1F2, 0x96F5B195, 0xFD0AF0FC, - 0xB0FE134C, 0xE2506D3D, 0x4F9B12EA, 0xF215F225, - 0xA223736F, 0x9FB4C428, 0x25D04979, 0x34C713F8, - 0xC4618187, 0xEA7A6E98, 0x7CD16EFC, 0x1436876C, - 0xF1544107, 0xBEDEEE14, 0x56E9AF27, 0xA04AA441, - 0x3CF7C899, 0x92ECBAE6, 0xDD67016D, 0x151682EB, - 0xA842EEDF, 0xFDBA60B4, 0xF1907B75, 0x20E3030F, - 0x24D8C29E, 0xE139673B, 0xEFA63FB8, 0x71873054, - 0xB6F2CF3B, 0x9F326442, 0xCB15A4CC, 0xB01A4504, - 0xF1E47D8D, 0x844A1BE5, 0xBAE7DFDC, 0x42CBDA70, - 0xCD7DAE0A, 0x57E85B7A, 0xD53F5AF6, 0x20CF4D8C, - 0xCEA4D428, 0x79D130A4, 0x3486EBFB, 0x33D3CDDC, - 0x77853B53, 0x37EFFCB5, 0xC5068778, 0xE580B3E6, - 0x4E68B8F4, 0xC5C8B37E, 0x0D809EA2, 0x398FEB7C, - 0x132A4F94, 0x43B7950E, 0x2FEE7D1C, 0x223613BD, - 0xDD06CAA2, 0x37DF932B, 0xC4248289, 0xACF3EBC3, - 0x5715F6B7, 0xEF3478DD, 0xF267616F, 0xC148CBE4, - 0x9052815E, 0x5E410FAB, 0xB48A2465, 0x2EDA7FA4, - 0xE87B40E4, 0xE98EA084, 0x5889E9E1, 0xEFD390FC, - 0xDD07D35B, 0xDB485694, 0x38D7E5B2, 0x57720101, - 0x730EDEBC, 0x5B643113, 0x94917E4F, 0x503C2FBA, - 0x646F1282, 0x7523D24A, 0xE0779695, 0xF9C17A8F, - 0x7A5B2121, 0xD187B896, 0x29263A4D, 0xBA510CDF, - 0x81F47C9F, 0xAD1163ED, 0xEA7B5965, 0x1A00726E, - 0x11403092, 0x00DA6D77, 0x4A0CDD61, 0xAD1F4603, - 0x605BDFB0, 0x9EEDC364, 0x22EBE6A8, 0xCEE7D28A, - 0xA0E736A0, 0x5564A6B9, 0x10853209, 0xC7EB8F37, - 0x2DE705CA, 0x8951570F, 0xDF09822B, 0xBD691A6C, - 0xAA12E4F2, 0x87451C0F, 0xE0F6A27A, 0x3ADA4819, - 0x4CF1764F, 0x0D771C2B, 0x67CDB156, 0x350D8384, - 0x5938FA0F, 0x42399EF3, 0x36997B07, 0x0E84093D, - 0x4AA93E61, 0x8360D87B, 0x1FA98B0C, 0x1149382C, - 0xE97625A5, 0x0614D1B7, 0x0E25244B, 0x0C768347, - 0x589E8D82, 0x0D2059D1, 0xA466BB1E, 0xF8DA0A82, - 0x04F19130, 0xBA6E4EC0, 0x99265164, 0x1EE7230D, - 0x50B2AD80, 0xEAEE6801, 0x8DB2A283, 0xEA8BF59E -}; - -/* Macros to access 8-bit bytes out of a 32-bit word */ -#define U8a(x) ( (u_int8_t) (x>>24) ) -#define U8b(x) ( (u_int8_t) ((x>>16)&255) ) -#define U8c(x) ( (u_int8_t) ((x>>8)&255) ) -#define U8d(x) ( (u_int8_t) ((x)&255) ) - -/* Circular left shift */ -#define ROL(x, n) ( ((x)<<(n)) | ((x)>>(32-(n))) ) - -/* CAST-128 uses three different round functions */ -#define F1(l, r, i) \ - t = ROL(key->xkey[i] + r, key->xkey[i+16]); \ - l ^= ((cast_sbox1[U8a(t)] ^ cast_sbox2[U8b(t)]) - \ - cast_sbox3[U8c(t)]) + cast_sbox4[U8d(t)]; -#define F2(l, r, i) \ - t = ROL(key->xkey[i] ^ r, key->xkey[i+16]); \ - l ^= ((cast_sbox1[U8a(t)] - cast_sbox2[U8b(t)]) + \ - cast_sbox3[U8c(t)]) ^ cast_sbox4[U8d(t)]; -#define F3(l, r, i) \ - t = ROL(key->xkey[i] - r, key->xkey[i+16]); \ - l ^= ((cast_sbox1[U8a(t)] + cast_sbox2[U8b(t)]) ^ \ - cast_sbox3[U8c(t)]) - cast_sbox4[U8d(t)]; - - -/***** Encryption Function *****/ - -void cast_encrypt(cast_key* key, u_int8_t* inblock, u_int8_t* outblock) -{ -u_int32_t t, l, r; - - /* Get inblock into l,r */ - l = ((u_int32_t)inblock[0] << 24) | ((u_int32_t)inblock[1] << 16) | - ((u_int32_t)inblock[2] << 8) | (u_int32_t)inblock[3]; - r = ((u_int32_t)inblock[4] << 24) | ((u_int32_t)inblock[5] << 16) | - ((u_int32_t)inblock[6] << 8) | (u_int32_t)inblock[7]; - /* Do the work */ - F1(l, r, 0); - F2(r, l, 1); - F3(l, r, 2); - F1(r, l, 3); - F2(l, r, 4); - F3(r, l, 5); - F1(l, r, 6); - F2(r, l, 7); - F3(l, r, 8); - F1(r, l, 9); - F2(l, r, 10); - F3(r, l, 11); - /* Only do full 16 rounds if key length > 80 bits */ - if (key->rounds > 12) { - F1(l, r, 12); - F2(r, l, 13); - F3(l, r, 14); - F1(r, l, 15); - } - /* Put l,r into outblock */ - outblock[0] = U8a(r); - outblock[1] = U8b(r); - outblock[2] = U8c(r); - outblock[3] = U8d(r); - outblock[4] = U8a(l); - outblock[5] = U8b(l); - outblock[6] = U8c(l); - outblock[7] = U8d(l); - /* Wipe clean */ - t = l = r = 0; -} - - -/***** Decryption Function *****/ - -void cast_decrypt(cast_key* key, u_int8_t* inblock, u_int8_t* outblock) -{ -u_int32_t t, l, r; - - /* Get inblock into l,r */ - r = ((u_int32_t)inblock[0] << 24) | ((u_int32_t)inblock[1] << 16) | - ((u_int32_t)inblock[2] << 8) | (u_int32_t)inblock[3]; - l = ((u_int32_t)inblock[4] << 24) | ((u_int32_t)inblock[5] << 16) | - ((u_int32_t)inblock[6] << 8) | (u_int32_t)inblock[7]; - /* Do the work */ - /* Only do full 16 rounds if key length > 80 bits */ - if (key->rounds > 12) { - F1(r, l, 15); - F3(l, r, 14); - F2(r, l, 13); - F1(l, r, 12); - } - F3(r, l, 11); - F2(l, r, 10); - F1(r, l, 9); - F3(l, r, 8); - F2(r, l, 7); - F1(l, r, 6); - F3(r, l, 5); - F2(l, r, 4); - F1(r, l, 3); - F3(l, r, 2); - F2(r, l, 1); - F1(l, r, 0); - /* Put l,r into outblock */ - outblock[0] = U8a(l); - outblock[1] = U8b(l); - outblock[2] = U8c(l); - outblock[3] = U8d(l); - outblock[4] = U8a(r); - outblock[5] = U8b(r); - outblock[6] = U8c(r); - outblock[7] = U8d(r); - /* Wipe clean */ - t = l = r = 0; -} - - -/***** Key Schedual *****/ - -void cast_setkey(cast_key* key, u_int8_t* rawkey, int keybytes) -{ -u_int32_t t[4], z[4], x[4]; -int i; - - /* Set number of rounds to 12 or 16, depending on key length */ - key->rounds = (keybytes <= 10 ? 12 : 16); - - /* Copy key to workspace x */ - for (i = 0; i < 4; i++) { - x[i] = 0; - if ((i*4+0) < keybytes) x[i] = (u_int32_t)rawkey[i*4+0] << 24; - if ((i*4+1) < keybytes) x[i] |= (u_int32_t)rawkey[i*4+1] << 16; - if ((i*4+2) < keybytes) x[i] |= (u_int32_t)rawkey[i*4+2] << 8; - if ((i*4+3) < keybytes) x[i] |= (u_int32_t)rawkey[i*4+3]; - } - /* Generate 32 subkeys, four at a time */ - for (i = 0; i < 32; i+=4) { - switch (i & 4) { - case 0: - t[0] = z[0] = x[0] ^ cast_sbox5[U8b(x[3])] ^ - cast_sbox6[U8d(x[3])] ^ cast_sbox7[U8a(x[3])] ^ - cast_sbox8[U8c(x[3])] ^ cast_sbox7[U8a(x[2])]; - t[1] = z[1] = x[2] ^ cast_sbox5[U8a(z[0])] ^ - cast_sbox6[U8c(z[0])] ^ cast_sbox7[U8b(z[0])] ^ - cast_sbox8[U8d(z[0])] ^ cast_sbox8[U8c(x[2])]; - t[2] = z[2] = x[3] ^ cast_sbox5[U8d(z[1])] ^ - cast_sbox6[U8c(z[1])] ^ cast_sbox7[U8b(z[1])] ^ - cast_sbox8[U8a(z[1])] ^ cast_sbox5[U8b(x[2])]; - t[3] = z[3] = x[1] ^ cast_sbox5[U8c(z[2])] ^ - cast_sbox6[U8b(z[2])] ^ cast_sbox7[U8d(z[2])] ^ - cast_sbox8[U8a(z[2])] ^ cast_sbox6[U8d(x[2])]; - break; - case 4: - t[0] = x[0] = z[2] ^ cast_sbox5[U8b(z[1])] ^ - cast_sbox6[U8d(z[1])] ^ cast_sbox7[U8a(z[1])] ^ - cast_sbox8[U8c(z[1])] ^ cast_sbox7[U8a(z[0])]; - t[1] = x[1] = z[0] ^ cast_sbox5[U8a(x[0])] ^ - cast_sbox6[U8c(x[0])] ^ cast_sbox7[U8b(x[0])] ^ - cast_sbox8[U8d(x[0])] ^ cast_sbox8[U8c(z[0])]; - t[2] = x[2] = z[1] ^ cast_sbox5[U8d(x[1])] ^ - cast_sbox6[U8c(x[1])] ^ cast_sbox7[U8b(x[1])] ^ - cast_sbox8[U8a(x[1])] ^ cast_sbox5[U8b(z[0])]; - t[3] = x[3] = z[3] ^ cast_sbox5[U8c(x[2])] ^ - cast_sbox6[U8b(x[2])] ^ cast_sbox7[U8d(x[2])] ^ - cast_sbox8[U8a(x[2])] ^ cast_sbox6[U8d(z[0])]; - break; - } - switch (i & 12) { - case 0: - case 12: - key->xkey[i+0] = cast_sbox5[U8a(t[2])] ^ cast_sbox6[U8b(t[2])] ^ - cast_sbox7[U8d(t[1])] ^ cast_sbox8[U8c(t[1])]; - key->xkey[i+1] = cast_sbox5[U8c(t[2])] ^ cast_sbox6[U8d(t[2])] ^ - cast_sbox7[U8b(t[1])] ^ cast_sbox8[U8a(t[1])]; - key->xkey[i+2] = cast_sbox5[U8a(t[3])] ^ cast_sbox6[U8b(t[3])] ^ - cast_sbox7[U8d(t[0])] ^ cast_sbox8[U8c(t[0])]; - key->xkey[i+3] = cast_sbox5[U8c(t[3])] ^ cast_sbox6[U8d(t[3])] ^ - cast_sbox7[U8b(t[0])] ^ cast_sbox8[U8a(t[0])]; - break; - case 4: - case 8: - key->xkey[i+0] = cast_sbox5[U8d(t[0])] ^ cast_sbox6[U8c(t[0])] ^ - cast_sbox7[U8a(t[3])] ^ cast_sbox8[U8b(t[3])]; - key->xkey[i+1] = cast_sbox5[U8b(t[0])] ^ cast_sbox6[U8a(t[0])] ^ - cast_sbox7[U8c(t[3])] ^ cast_sbox8[U8d(t[3])]; - key->xkey[i+2] = cast_sbox5[U8d(t[1])] ^ cast_sbox6[U8c(t[1])] ^ - cast_sbox7[U8a(t[2])] ^ cast_sbox8[U8b(t[2])]; - key->xkey[i+3] = cast_sbox5[U8b(t[1])] ^ cast_sbox6[U8a(t[1])] ^ - cast_sbox7[U8c(t[2])] ^ cast_sbox8[U8d(t[2])]; - break; - } - switch (i & 12) { - case 0: - key->xkey[i+0] ^= cast_sbox5[U8c(z[0])]; - key->xkey[i+1] ^= cast_sbox6[U8c(z[1])]; - key->xkey[i+2] ^= cast_sbox7[U8b(z[2])]; - key->xkey[i+3] ^= cast_sbox8[U8a(z[3])]; - break; - case 4: - key->xkey[i+0] ^= cast_sbox5[U8a(x[2])]; - key->xkey[i+1] ^= cast_sbox6[U8b(x[3])]; - key->xkey[i+2] ^= cast_sbox7[U8d(x[0])]; - key->xkey[i+3] ^= cast_sbox8[U8d(x[1])]; - break; - case 8: - key->xkey[i+0] ^= cast_sbox5[U8b(z[2])]; - key->xkey[i+1] ^= cast_sbox6[U8a(z[3])]; - key->xkey[i+2] ^= cast_sbox7[U8c(z[0])]; - key->xkey[i+3] ^= cast_sbox8[U8c(z[1])]; - break; - case 12: - key->xkey[i+0] ^= cast_sbox5[U8d(x[0])]; - key->xkey[i+1] ^= cast_sbox6[U8d(x[1])]; - key->xkey[i+2] ^= cast_sbox7[U8a(x[2])]; - key->xkey[i+3] ^= cast_sbox8[U8b(x[3])]; - break; - } - if (i >= 16) { - key->xkey[i+0] &= 31; - key->xkey[i+1] &= 31; - key->xkey[i+2] &= 31; - key->xkey[i+3] &= 31; - } - } - /* Wipe clean */ - for (i = 0; i < 4; i++) { - t[i] = x[i] = z[i] = 0; - } -} - -/* Made in Canada */ diff --git a/keyexchange/isakmpd-20041012/sysdep/common/libsysdep/md5.c b/keyexchange/isakmpd-20041012/sysdep/common/libsysdep/md5.c deleted file mode 100644 index 8a7a483..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/common/libsysdep/md5.c +++ /dev/null @@ -1,392 +0,0 @@ -/* $OpenBSD: md5.c,v 1.3 2002/06/14 21:34:58 todd Exp $ */ - -/* - * The rest of the code is derived from MD5C.C by RSADSI. Minor cosmetic - * changes to accommodate it in the kernel by ji. - */ - -/* MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm - */ - -/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All -rights reserved. - -License to copy and use this software is granted provided that it -is identified as the "RSA Data Security, Inc. MD5 Message-Digest -Algorithm" in all material mentioning or referencing this software -or this function. - -License is also granted to make and use derivative works provided -that such works are identified as "derived from the RSA Data -Security, Inc. MD5 Message-Digest Algorithm" in all material -mentioning or referencing the derived work. - -RSA Data Security, Inc. makes no representations concerning either -the merchantability of this software or the suitability of this -software for any particular purpose. It is provided "as is" -without express or implied warranty of any kind. - -These notices must be retained in any copies of any part of this -documentation and/or software. - */ - -/* - * Additions by JI - * - * HAVEMEMCOPY is defined if mem* routines are available - * - * HAVEHTON is defined if htons() and htonl() can be used - * for big/little endian conversions - * - */ - -#include <stddef.h> -#include <string.h> - -#include "md5.h" - -#ifndef WIN32 -#include "endian.h" /* sets BYTE_ORDER, LITTLE_ENDIAN, and BIG_ENDIAN */ -#endif - -#define HAVEMEMCOPY 1 /* use ISO C's memcpy and memset */ - -/* Constants for MD5Transform routine. - */ - -#define S11 7 -#define S12 12 -#define S13 17 -#define S14 22 -#define S21 5 -#define S22 9 -#define S23 14 -#define S24 20 -#define S31 4 -#define S32 11 -#define S33 16 -#define S34 23 -#define S41 6 -#define S42 10 -#define S43 15 -#define S44 21 - -#define MD5Transform _MD5Transform - -static void MD5Transform PROTO_LIST ((UINT4 [4], unsigned char [64])); - -#if BYTE_ORDER == LITTLE_ENDIAN -#define Encode MD5_memcpy -#define Decode MD5_memcpy -#else -static void Encode PROTO_LIST - ((unsigned char *, UINT4 *, unsigned int)); -static void Decode PROTO_LIST - ((UINT4 *, unsigned char *, unsigned int)); -#endif - -#ifdef HAVEMEMCOPY -#include <memory.h> -#define MD5_memcpy memcpy -#define MD5_memset memset -#else -#ifdef HAVEBCOPY -#define MD5_memcpy(_a,_b,_c) memcpy((_a), (_b),(_c)) -#define MD5_memset(_a,_b,_c) memset((_a), '\0',(_c)) -#else -static void MD5_memcpy PROTO_LIST ((POINTER, POINTER, unsigned int)); -static void MD5_memset PROTO_LIST ((POINTER, int, unsigned int)); -#endif -#endif -static unsigned char PADDING[64] = { - 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 -}; - -/* F, G, H and I are basic MD5 functions. - */ -#define F(x, y, z) (((x) & (y)) | ((~x) & (z))) -#define G(x, y, z) (((x) & (z)) | ((y) & (~z))) -#define H(x, y, z) ((x) ^ (y) ^ (z)) -#define I(x, y, z) ((y) ^ ((x) | (~z))) - -/* ROTATE_LEFT rotates x left n bits. - */ -#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n)))) - -/* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4. -Rotation is separate from addition to prevent recomputation. - */ -#define FF(a, b, c, d, x, s, ac) { \ - (a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \ - (a) = ROTATE_LEFT ((a), (s)); \ - (a) += (b); \ - } -#define GG(a, b, c, d, x, s, ac) { \ - (a) += G ((b), (c), (d)) + (x) + (UINT4)(ac); \ - (a) = ROTATE_LEFT ((a), (s)); \ - (a) += (b); \ - } -#define HH(a, b, c, d, x, s, ac) { \ - (a) += H ((b), (c), (d)) + (x) + (UINT4)(ac); \ - (a) = ROTATE_LEFT ((a), (s)); \ - (a) += (b); \ - } -#define II(a, b, c, d, x, s, ac) { \ - (a) += I ((b), (c), (d)) + (x) + (UINT4)(ac); \ - (a) = ROTATE_LEFT ((a), (s)); \ - (a) += (b); \ - } - -/* MD5 initialization. Begins an MD5 operation, writing a new context. - */ -void MD5Init (context) -MD5_CTX *context; /* context */ -{ - context->count[0] = context->count[1] = 0; - /* Load magic initialization constants. -*/ - context->state[0] = 0x67452301; - context->state[1] = 0xefcdab89; - context->state[2] = 0x98badcfe; - context->state[3] = 0x10325476; -} - -/* MD5 block update operation. Continues an MD5 message-digest - operation, processing another message block, and updating the - context. - */ -void MD5Update (context, input, inputLen) -MD5_CTX *context; /* context */ -unsigned char *input; /* input block */ -unsigned int inputLen; /* length of input block */ -{ - unsigned int i, index, partLen; - - /* Compute number of bytes mod 64 */ - index = (unsigned int)((context->count[0] >> 3) & 0x3F); - - /* Update number of bits */ - if ((context->count[0] += ((UINT4)inputLen << 3)) - < ((UINT4)inputLen << 3)) - context->count[1]++; - context->count[1] += ((UINT4)inputLen >> 29); - - partLen = 64 - index; - - /* Transform as many times as possible. -*/ - if (inputLen >= partLen) { - MD5_memcpy - ((POINTER)&context->buffer[index], (POINTER)input, partLen); - MD5Transform (context->state, context->buffer); - - for (i = partLen; i + 63 < inputLen; i += 64) - MD5Transform (context->state, &input[i]); - - index = 0; - } - else - i = 0; - - /* Buffer remaining input */ - MD5_memcpy - ((POINTER)&context->buffer[index], (POINTER)&input[i], - inputLen-i); -} - -/* MD5 finalization. Ends an MD5 message-digest operation, writing the - the message digest and zeroizing the context. - */ -void MD5Final (digest, context) -unsigned char digest[16]; /* message digest */ -MD5_CTX *context; /* context */ -{ - unsigned char bits[8]; - unsigned int index, padLen; - - /* Save number of bits */ - Encode (bits, context->count, 8); - - /* Pad out to 56 mod 64. -*/ - index = (unsigned int)((context->count[0] >> 3) & 0x3f); - padLen = (index < 56) ? (56 - index) : (120 - index); - MD5Update (context, PADDING, padLen); - - /* Append length (before padding) */ - MD5Update (context, bits, 8); - - if (digest != NULL) /* Bill Simpson's padding */ - { - /* store state in digest */ - Encode (digest, context->state, 16); - - /* Zeroize sensitive information. - */ - MD5_memset ((POINTER)context, 0, sizeof (*context)); - } -} - -/* MD5 basic transformation. Transforms state based on block. - */ -static void MD5Transform (state, block) -UINT4 state[4]; -unsigned char block[64]; -{ - UINT4 a = state[0], b = state[1], c = state[2], d = state[3], x[16]; - - Decode (x, block, 64); - - /* Round 1 */ - FF (a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */ - FF (d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */ - FF (c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */ - FF (b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */ - FF (a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */ - FF (d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */ - FF (c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */ - FF (b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */ - FF (a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */ - FF (d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */ - FF (c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */ - FF (b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */ - FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */ - FF (d, a, b, c, x[13], S12, 0xfd987193); /* 14 */ - FF (c, d, a, b, x[14], S13, 0xa679438e); /* 15 */ - FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */ - - /* Round 2 */ - GG (a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */ - GG (d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */ - GG (c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */ - GG (b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */ - GG (a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */ - GG (d, a, b, c, x[10], S22, 0x2441453); /* 22 */ - GG (c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */ - GG (b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */ - GG (a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */ - GG (d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */ - GG (c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */ - GG (b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */ - GG (a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */ - GG (d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */ - GG (c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */ - GG (b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */ - - /* Round 3 */ - HH (a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */ - HH (d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */ - HH (c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */ - HH (b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */ - HH (a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */ - HH (d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */ - HH (c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */ - HH (b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */ - HH (a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */ - HH (d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */ - HH (c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */ - HH (b, c, d, a, x[ 6], S34, 0x4881d05); /* 44 */ - HH (a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */ - HH (d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */ - HH (c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */ - HH (b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */ - - /* Round 4 */ - II (a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */ - II (d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */ - II (c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */ - II (b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */ - II (a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */ - II (d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */ - II (c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */ - II (b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */ - II (a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */ - II (d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */ - II (c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */ - II (b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */ - II (a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */ - II (d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */ - II (c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */ - II (b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */ - - state[0] += a; - state[1] += b; - state[2] += c; - state[3] += d; - - /* Zeroize sensitive information. -*/ - MD5_memset ((POINTER)x, 0, sizeof (x)); -} - -#if BYTE_ORDER != LITTLE_ENDIAN - -/* Encodes input (UINT4) into output (unsigned char). Assumes len is - a multiple of 4. - */ -static void Encode (output, input, len) -unsigned char *output; -UINT4 *input; -unsigned int len; -{ - unsigned int i, j; - - for (i = 0, j = 0; j < len; i++, j += 4) { - output[j] = (unsigned char)(input[i] & 0xff); - output[j+1] = (unsigned char)((input[i] >> 8) & 0xff); - output[j+2] = (unsigned char)((input[i] >> 16) & 0xff); - output[j+3] = (unsigned char)((input[i] >> 24) & 0xff); - } -} - -/* Decodes input (unsigned char) into output (UINT4). Assumes len is - a multiple of 4. - */ -static void Decode (output, input, len) -UINT4 *output; -unsigned char *input; -unsigned int len; -{ - unsigned int i, j; - - for (i = 0, j = 0; j < len; i++, j += 4) - output[i] = ((UINT4)input[j]) | (((UINT4)input[j+1]) << 8) | - (((UINT4)input[j+2]) << 16) | (((UINT4)input[j+3]) << 24); -} - -#endif - -#ifndef HAVEMEMCOPY -#ifndef HAVEBCOPY -/* Note: Replace "for loop" with standard memcpy if possible. - */ - -static void MD5_memcpy (output, input, len) -POINTER output; -POINTER input; -unsigned int len; -{ - unsigned int i; - - for (i = 0; i < len; i++) - - output[i] = input[i]; -} - -/* Note: Replace "for loop" with standard memset if possible. - */ -static void MD5_memset (output, value, len) -POINTER output; -int value; -unsigned int len; -{ - unsigned int i; - - for (i = 0; i < len; i++) - ((char *)output)[i] = (char)value; -} -#endif -#endif - diff --git a/keyexchange/isakmpd-20041012/sysdep/common/libsysdep/sha1.c b/keyexchange/isakmpd-20041012/sysdep/common/libsysdep/sha1.c deleted file mode 100644 index da63563..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/common/libsysdep/sha1.c +++ /dev/null @@ -1,173 +0,0 @@ -/* $OpenBSD: sha1.c,v 1.2 2001/01/28 22:38:48 niklas Exp $ */ - -/* -SHA-1 in C -By Steve Reid <steve@edmweb.com> -100% Public Domain - -Test Vectors (from FIPS PUB 180-1) -"abc" - A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D -"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" - 84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1 -A million repetitions of "a" - 34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F -*/ - -/* #define LITTLE_ENDIAN * This should be #define'd already, if true. */ -/* #define SHA1HANDSOFF * Copies data before messing with it. */ - -#define SHA1HANDSOFF - -#include <string.h> - -#include "sha1.h" -#ifndef WIN32 - #include "endian.h" /* sets BYTE_ORDER, LITTLE_ENDIAN, and BIG_ENDIAN */ -#endif - -#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits)))) - -/* blk0() and blk() perform the initial expand. */ -/* I got the idea of expanding during the round function from SSLeay */ -#if BYTE_ORDER == LITTLE_ENDIAN -#define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \ - |(rol(block->l[i],8)&0x00FF00FF)) -#elif BYTE_ORDER == BIG_ENDIAN -#define blk0(i) block->l[i] -#else -#error "Endianness not defined!" -#endif -#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \ - ^block->l[(i+2)&15]^block->l[i&15],1)) - -/* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */ -#define R0(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk0(i)+0x5A827999+rol(v,5);w=rol(w,30); -#define R1(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk(i)+0x5A827999+rol(v,5);w=rol(w,30); -#define R2(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0x6ED9EBA1+rol(v,5);w=rol(w,30); -#define R3(v,w,x,y,z,i) z+=(((w|x)&y)|(w&x))+blk(i)+0x8F1BBCDC+rol(v,5);w=rol(w,30); -#define R4(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0xCA62C1D6+rol(v,5);w=rol(w,30); - - -/* Hash a single 512-bit block. This is the core of the algorithm. */ - -void SHA1Transform(unsigned long state[5], unsigned char buffer[64]) -{ -unsigned long a, b, c, d, e; -typedef union { - unsigned char c[64]; - unsigned long l[16]; -} CHAR64LONG16; -CHAR64LONG16* block; -#ifdef SHA1HANDSOFF -static CHAR64LONG16 workspace; - block = &workspace; - memcpy(block, buffer, 64); -#else - block = (CHAR64LONG16*)buffer; -#endif - /* Copy context->state[] to working vars */ - a = state[0]; - b = state[1]; - c = state[2]; - d = state[3]; - e = state[4]; - /* 4 rounds of 20 operations each. Loop unrolled. */ - R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3); - R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7); - R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11); - R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15); - R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19); - R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23); - R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27); - R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31); - R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35); - R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39); - R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43); - R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47); - R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51); - R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55); - R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59); - R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63); - R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67); - R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71); - R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75); - R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79); - /* Add the working vars back into context.state[] */ - state[0] += a; - state[1] += b; - state[2] += c; - state[3] += d; - state[4] += e; - /* Wipe variables */ - a = b = c = d = e = 0; -} - - -/* SHA1Init - Initialize new context */ - -void SHA1Init(SHA1_CTX* context) -{ - /* SHA1 initialization constants */ - context->state[0] = 0x67452301; - context->state[1] = 0xEFCDAB89; - context->state[2] = 0x98BADCFE; - context->state[3] = 0x10325476; - context->state[4] = 0xC3D2E1F0; - context->count[0] = context->count[1] = 0; -} - - -/* Run your data through this. */ - -void SHA1Update(SHA1_CTX* context, unsigned char* data, unsigned int len) -{ -unsigned int i; -unsigned long j; - - j = context->count[0]; - if ((context->count[0] += len << 3) < j) context->count[1] += (len>>29)+1; - j = (j >> 3) & 63; - if ((j + len) > 63) { - memcpy(&context->buffer[j], data, (i = 64-j)); - SHA1Transform(context->state, context->buffer); - for ( ; i + 63 < len; i += 64) { - SHA1Transform(context->state, &data[i]); - } - j = 0; - } - else i = 0; - memcpy(&context->buffer[j], &data[i], len - i); -} - - -/* Add padding and return the message digest. */ - -void SHA1Final(unsigned char digest[20], SHA1_CTX* context) -{ -unsigned long i, j; -unsigned char finalcount[8]; - - for (i = 0; i < 8; i++) { - finalcount[i] = (unsigned char)((context->count[(i >= 4 ? 0 : 1)] - >> ((3-(i & 3)) * 8) ) & 255); /* Endian independent */ - } - SHA1Update(context, (unsigned char *)"\200", 1); - while ((context->count[0] & 504) != 448) { - SHA1Update(context, (unsigned char *)"\0", 1); - } - SHA1Update(context, finalcount, 8); /* Should cause a SHA1Transform() */ - for (i = 0; i < 20; i++) { - digest[i] = (unsigned char) - ((context->state[i>>2] >> ((3-(i & 3)) * 8) ) & 255); - } - /* Wipe variables */ - i = j = 0; - memset(context->buffer, '\0', 64); - memset(context->state, '\0', 20); - memset(context->count, '\0', 8); - memset(&finalcount, '\0', 8); -#ifdef SHA1HANDSOFF /* make SHA1Transform overwrite it's own static vars */ - SHA1Transform(context->state, context->buffer); -#endif -} diff --git a/keyexchange/isakmpd-20041012/sysdep/common/libsysdep/strlcat.c b/keyexchange/isakmpd-20041012/sysdep/common/libsysdep/strlcat.c deleted file mode 100644 index 3b55428..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/common/libsysdep/strlcat.c +++ /dev/null @@ -1,62 +0,0 @@ -/* $OpenBSD: strlcat.c,v 1.3 2003/06/17 21:56:24 millert Exp $ */ - -/* - * Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com> - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#if defined(LIBC_SCCS) && !defined(lint) -static char *rcsid = "$OpenBSD: strlcat.c,v 1.3 2003/06/17 21:56:24 millert Exp $"; -#endif /* LIBC_SCCS and not lint */ - -#include <sys/types.h> -#include <string.h> - -/* - * Appends src to string dst of size siz (unlike strncat, siz is the - * full size of dst, not space left). At most siz-1 characters - * will be copied. Always NUL terminates (unless siz <= strlen(dst)). - * Returns strlen(src) + MIN(siz, strlen(initial dst)). - * If retval >= siz, truncation occurred. - */ -size_t -strlcat(dst, src, siz) - char *dst; - const char *src; - size_t siz; -{ - register char *d = dst; - register const char *s = src; - register size_t n = siz; - size_t dlen; - - /* Find the end of dst and adjust bytes left but don't go past end */ - while (n-- != 0 && *d != '\0') - d++; - dlen = d - dst; - n = siz - dlen; - - if (n == 0) - return(dlen + strlen(s)); - while (*s != '\0') { - if (n != 1) { - *d++ = *s; - n--; - } - s++; - } - *d = '\0'; - - return(dlen + (s - src)); /* count does not include NUL */ -} diff --git a/keyexchange/isakmpd-20041012/sysdep/common/libsysdep/strlcpy.c b/keyexchange/isakmpd-20041012/sysdep/common/libsysdep/strlcpy.c deleted file mode 100644 index ef7db13..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/common/libsysdep/strlcpy.c +++ /dev/null @@ -1,58 +0,0 @@ -/* $OpenBSD: strlcpy.c,v 1.3 2003/06/17 21:56:24 millert Exp $ */ - -/* - * Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com> - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#if defined(LIBC_SCCS) && !defined(lint) -static char *rcsid = "$OpenBSD: strlcpy.c,v 1.3 2003/06/17 21:56:24 millert Exp $"; -#endif /* LIBC_SCCS and not lint */ - -#include <sys/types.h> -#include <string.h> - -/* - * Copy src to string dst of size siz. At most siz-1 characters - * will be copied. Always NUL terminates (unless siz == 0). - * Returns strlen(src); if retval >= siz, truncation occurred. - */ -size_t -strlcpy(dst, src, siz) - char *dst; - const char *src; - size_t siz; -{ - register char *d = dst; - register const char *s = src; - register size_t n = siz; - - /* Copy as many bytes as will fit */ - if (n != 0 && --n != 0) { - do { - if ((*d++ = *s++) == 0) - break; - } while (--n != 0); - } - - /* Not enough room in dst, add NUL and traverse rest of src */ - if (n == 0) { - if (siz != 0) - *d = '\0'; /* NUL-terminate dst */ - while (*s++) - ; - } - - return(s - src - 1); /* count does not include NUL */ -} diff --git a/keyexchange/isakmpd-20041012/sysdep/common/md5.h b/keyexchange/isakmpd-20041012/sysdep/common/md5.h deleted file mode 100644 index ea703c3..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/common/md5.h +++ /dev/null @@ -1,73 +0,0 @@ -/* $OpenBSD: md5.h,v 1.2 2001/01/28 22:38:47 niklas Exp $ */ - -/* GLOBAL.H - RSAREF types and constants - */ - -/* PROTOTYPES should be set to one if and only if the compiler supports - function argument prototyping. - The following makes PROTOTYPES default to 0 if it has not already - been defined with C compiler flags. - */ -#ifndef PROTOTYPES -#define PROTOTYPES 1 -#endif - -/* POINTER defines a generic pointer type */ -typedef unsigned char *POINTER; - -/* UINT2 defines a two byte word */ -typedef unsigned short int UINT2; - -/* UINT4 defines a four byte word */ -typedef unsigned long int UINT4; - -/* PROTO_LIST is defined depending on how PROTOTYPES is defined above. - If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it - returns an empty list. - */ - -#if PROTOTYPES -#define PROTO_LIST(list) list -#else -#define PROTO_LIST(list) () -#endif - - -/* MD5.H - header file for MD5C.C - */ - -/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All -rights reserved. - -License to copy and use this software is granted provided that it -is identified as the "RSA Data Security, Inc. MD5 Message-Digest -Algorithm" in all material mentioning or referencing this software -or this function. - -License is also granted to make and use derivative works provided -that such works are identified as "derived from the RSA Data -Security, Inc. MD5 Message-Digest Algorithm" in all material -mentioning or referencing the derived work. - -RSA Data Security, Inc. makes no representations concerning either -the merchantability of this software or the suitability of this -software for any particular purpose. It is provided "as is" -without express or implied warranty of any kind. - -These notices must be retained in any copies of any part of this -documentation and/or software. - */ - -/* MD5 context. */ -typedef struct { - UINT4 state[4]; /* state (ABCD) */ - UINT4 count[2]; /* number of bits, modulo 2^64 (lsb first) */ - unsigned char buffer[64]; /* input buffer */ -} MD5_CTX; - -void MD5Init PROTO_LIST ((MD5_CTX *)); -void MD5Update PROTO_LIST - ((MD5_CTX *, unsigned char *, unsigned int)); -void MD5Final PROTO_LIST ((unsigned char [16], MD5_CTX *)); - -#define _MD5_H_ diff --git a/keyexchange/isakmpd-20041012/sysdep/common/pcap.h b/keyexchange/isakmpd-20041012/sysdep/common/pcap.h deleted file mode 100644 index 21117d8..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/common/pcap.h +++ /dev/null @@ -1,69 +0,0 @@ -/* $OpenBSD: pcap.h,v 1.2 2002/05/10 15:09:00 ho Exp $ */ - -/* - * Copyright (c) 1993, 1994, 1995, 1996, 1997 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the Computer Systems - * Engineering Group at Lawrence Berkeley Laboratory. - * 4. Neither the name of the University nor of the Laboratory may be used - * to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * @(#) $Header: /cvs/src/sbin/isakmpd/sysdep/common/pcap.h,v 1.2 2002/05/10 15:09:00 ho Exp $ (LBL) - */ - -#ifndef lib_pcap_h -#define lib_pcap_h - -#include <sys/types.h> -#include <sys/time.h> - -#define PCAP_VERSION_MAJOR 2 -#define PCAP_VERSION_MINOR 4 -#define DLT_LOOP 12 /* from /usr/include/net/bpf.h */ - -struct pcap_file_header { - u_int32_t magic; - u_int16_t version_major; - u_int16_t version_minor; - int32_t thiszone; /* gmt to local correction */ - u_int32_t sigfigs; /* accuracy of timestamps */ - u_int32_t snaplen; /* max length saved portion of each pkt */ - u_int32_t linktype; /* data link type (DLT_*) */ -}; - -struct pcap_timeval { - int32_t tv_sec; /* seconds */ - int32_t tv_usec; /* microseconds */ -}; - -struct pcap_pkthdr { - struct pcap_timeval ts; /* time stamp */ - u_int32_t caplen; /* length of portion present */ - u_int32_t len; /* length this packet (off wire) */ -}; - -#endif /* lib_pcap_h */ diff --git a/keyexchange/isakmpd-20041012/sysdep/common/sha1.h b/keyexchange/isakmpd-20041012/sysdep/common/sha1.h deleted file mode 100644 index c706c6e..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/common/sha1.h +++ /dev/null @@ -1,18 +0,0 @@ -/* $OpenBSD: sha1.h,v 1.2 2001/01/28 22:38:47 niklas Exp $ */ - -/* -SHA-1 in C -By Steve Reid <steve@edmweb.com> -100% Public Domain -*/ - -typedef struct { - unsigned long state[5]; - unsigned long count[2]; - unsigned char buffer[64]; -} SHA1_CTX; - -void SHA1Transform(unsigned long state[5], unsigned char buffer[64]); -void SHA1Init(SHA1_CTX* context); -void SHA1Update(SHA1_CTX* context, unsigned char* data, unsigned int len); -void SHA1Final(unsigned char digest[20], SHA1_CTX* context); diff --git a/keyexchange/isakmpd-20041012/sysdep/darwin/GNUmakefile.sysdep b/keyexchange/isakmpd-20041012/sysdep/darwin/GNUmakefile.sysdep deleted file mode 100644 index 09f888d..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/darwin/GNUmakefile.sysdep +++ /dev/null @@ -1,48 +0,0 @@ -# $OpenBSD: GNUmakefile.sysdep,v 1.3 2004/06/26 03:40:57 mcbride Exp $ - -# -# Copyright (c) 1999,2002 Håkan Olsson. All rights reserved. -# Copyright (c) 1999 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Ericsson Radio Systems. -# - -LDADD+= -lipsec - -# gcc under MacOS X does not seem to like building things -static -LDSTATIC= - -CFLAGS+= -DMP_FLAVOUR=MP_FLAVOUR_OPENSSL -CFLAGS+= -DHAVE_GETIFADDRS - -FEATURES= debug tripledes des blowdish cast ec aggressive x509 -FEATURES+= rawkey isakmp_cfg -# Not yet -#FEATURES+= policy - -IPSEC_SRCS= pf_key_v2.c -IPSEC_CFLAGS= -DUSE_PF_KEY_V2 - -USE_LIBCRYPTO= defined diff --git a/keyexchange/isakmpd-20041012/sysdep/darwin/Makefile.sysdep b/keyexchange/isakmpd-20041012/sysdep/darwin/Makefile.sysdep deleted file mode 100644 index 834347d..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/darwin/Makefile.sysdep +++ /dev/null @@ -1,45 +0,0 @@ -# $OpenBSD: Makefile.sysdep,v 1.3 2004/06/26 03:40:57 mcbride Exp $ - -# -# Copyright (c) 1999 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER INN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Ericsson Radio Systems. -# - -# Override default features -FEATURES= tripledes des blowfish cast x509 ec aggressive debug -FEATURES+= rawkey isakmp_cfg - -LDADD+= -lipsec - -CFLAGS+= -DHAVE_GETIFADDRS -DMP_FLAVOUR=MP_FLAVOUR_OPENSSL - -IPSEC_SRCS= pf_key_v2.c -IPSEC_CFLAGS= -DUSE_PF_KEY_V2 - -USE_LIBCRYPTO= defined - -obj: - mkdir obj diff --git a/keyexchange/isakmpd-20041012/sysdep/darwin/sysdep-os.h b/keyexchange/isakmpd-20041012/sysdep/darwin/sysdep-os.h deleted file mode 100644 index 28755bc..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/darwin/sysdep-os.h +++ /dev/null @@ -1,81 +0,0 @@ -/* $OpenBSD: sysdep-os.h,v 1.3 2003/08/06 11:23:11 markus Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * Copyright (c) 2002 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _SYSDEP_OS_H_ - -#define _SYSDEP_OS_H_ - -#define KAME - -#include <netinet6/ipsec.h> - -typedef u_int32_t socklen_t; - -#ifndef CPI_RESERVED_MAX -#define CPI_RESERVED_MIN 1 -#define CPI_RESERVED_MAX 255 -#define CPI_PRIVATE_MIN 61440 -#define CPI_PRIVATE_MAX 65536 -#endif - -#if !defined(SADB_X_EALG_CAST) && defined(SADB_X_EALG_CAST128CBC) -#define SADB_X_EALG_CAST SADB_X_EALG_CAST128CBC -#endif - -#if !defined(SADB_X_EALG_BLF) && defined(SADB_X_EALG_BLOWFISHCBC) -#define SADB_X_EALG_BLF SADB_X_EALG_BLOWFISHCBC -#endif - -#if 1 -/* OpenSSL differs from OpenBSD very slightly... */ - -#define MD5Init MD5_Init -#define MD5Update MD5_Update -#define MD5Final MD5_Final - -#define SHA1Init SHA1_Init -#define SHA1Update SHA1_Update -#define SHA1Final SHA1_Final -#define SHA1_CTX SHA_CTX - -#define cast_key CAST_KEY -#define cast_setkey(k, d, l) CAST_set_key ((k), (l), (d)) -#define cast_encrypt(k, i, o) do { \ - memcpy ((o), (i), BLOCKSIZE); \ - CAST_encrypt ((CAST_LONG *)(o), (k)); \ -} while (0) -#define cast_decrypt(k, i, o) do { \ - memcpy ((o), (i), BLOCKSIZE); \ - CAST_decrypt ((CAST_LONG *)(o), (k)); \ -} while (0) -#endif - -#endif /* _SYSDEP_OS_H_ */ diff --git a/keyexchange/isakmpd-20041012/sysdep/darwin/sysdep.c b/keyexchange/isakmpd-20041012/sysdep/darwin/sysdep.c deleted file mode 100644 index cd61d5a..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/darwin/sysdep.c +++ /dev/null @@ -1,223 +0,0 @@ -/* $OpenBSD: sysdep.c,v 1.3 2004/08/10 15:59:10 ho Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/types.h> -#include <sys/socket.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <stdlib.h> -#include <string.h> - -#include "sysdep.h" - -#include "util.h" - -#ifdef NEED_SYSDEP_APP -#include "app.h" -#include "conf.h" -#include "ipsec.h" - -#ifdef USE_PF_KEY_V2 -#include "pf_key_v2.h" -#define KEY_API(x) pf_key_v2_##x -#endif - -#endif /* NEED_SYSDEP_APP */ -#include "log.h" - -extern char *__progname; - -/* - * An as strong as possible random number generator, reverting to a - * deterministic pseudo-random one if regrand is set. - */ -u_int32_t -sysdep_random () -{ - return random(); -} - -/* Return the basename of the command used to invoke us. */ -char * -sysdep_progname () -{ - return __progname; -} - -/* Return the length of the sockaddr struct. */ -u_int8_t -sysdep_sa_len (struct sockaddr *sa) -{ - return sa->sa_len; -} - -/* As regress/ use this file I protect the sysdep_app_* stuff like this. */ -#ifdef NEED_SYSDEP_APP -/* - * Prepare the application we negotiate SAs for (i.e. the IPsec stack) - * for communication. We return a file descriptor useable to select(2) on. - */ -int -sysdep_app_open () -{ - return KEY_API(open) (); -} - -/* - * When select(2) has noticed our application needs attendance, this is what - * gets called. FD is the file descriptor causing the alarm. - */ -void -sysdep_app_handler (int fd) -{ - KEY_API (handler) (fd); -} - -/* Check that the connection named NAME is active, or else make it active. */ -void -sysdep_connection_check (char *name) -{ - KEY_API (connection_check) (name); -} - -/* - * Generate a SPI for protocol PROTO and the source/destination pair given by - * SRC, SRCLEN, DST & DSTLEN. Stash the SPI size in SZ. - */ -u_int8_t * -sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src, - struct sockaddr *dst, u_int32_t seq) -{ - if (app_none) - { - *sz = IPSEC_SPI_SIZE; - /* XXX should be random instead I think. */ - return strdup ("\x12\x34\x56\x78"); - } - return KEY_API (get_spi) (sz, proto, src, dst, seq); -} - -struct sa_kinfo * -sysdep_ipsec_get_kernel_sa(u_int8_t *spi, size_t spi_sz, u_int8_t proto, - struct sockaddr *dst) -{ - if (app_none) - return 0; - /* XXX return KEY_API(get_kernel_sa)(spi, spi_sz, proto, dst); */ - return 0; -} - -/* Force communication on socket FD to go in the clear. */ -int -sysdep_cleartext (int fd, int af) -{ - char *buf; - char *policy[] = { "in bypass", "out bypass", NULL }; - char **p; - int ipp; - - if (app_none) - return 0; - - switch (af) - { - case AF_INET: - ipp = IPPROTO_IP; - break; - case AF_INET6: - ipp = IPPROTO_IPV6; - break; - default: - log_print ("sysdep_cleartext: unsupported protocol family %d", af); - return -1; - } - - /* - * Need to bypass system security policy, so I can send and - * receive key management datagrams in the clear. - */ - - for (p = policy; p && *p; p++) - { - buf = ipsec_set_policy (*p, strlen(*p)); - if (buf == NULL) - { - log_error ("sysdep_cleartext: %s: %s", *p, ipsec_strerror()); - return -1; - } - - if (setsockopt(fd, ipp, IP_IPSEC_POLICY, buf, - ipsec_get_policylen(buf)) < 0) - { - log_error ("sysdep_cleartext: " - "setsockopt (%d, IPPROTO_IP, IP_IPSEC_POLICY, ...) failed", - fd); - return -1; - } - free(buf); - } - - return 0; -} - -int -sysdep_ipsec_delete_spi (struct sa *sa, struct proto *proto, int incoming) -{ - if (app_none) - return 0; - return KEY_API (delete_spi) (sa, proto, incoming); -} - -int -sysdep_ipsec_enable_sa (struct sa *sa, struct sa *isakmp_sa) -{ - if (app_none) - return 0; - return KEY_API (enable_sa) (sa, isakmp_sa); -} - -int -sysdep_ipsec_group_spis (struct sa *sa, struct proto *proto1, - struct proto *proto2, int incoming) -{ - if (app_none) - return 0; - return KEY_API (group_spis) (sa, proto1, proto2, incoming); -} - -int -sysdep_ipsec_set_spi (struct sa *sa, struct proto *proto, int incoming, - struct sa *isakmp_sa) -{ - if (app_none) - return 0; - return KEY_API (set_spi) (sa, proto, incoming, isakmp_sa); -} -#endif diff --git a/keyexchange/isakmpd-20041012/sysdep/freebsd/GNUmakefile.sysdep b/keyexchange/isakmpd-20041012/sysdep/freebsd/GNUmakefile.sysdep deleted file mode 100644 index 618ef5f..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/freebsd/GNUmakefile.sysdep +++ /dev/null @@ -1,61 +0,0 @@ -# $OpenBSD: GNUmakefile.sysdep,v 1.6 2004/06/26 03:40:57 mcbride Exp $ - -# -# Copyright (c) 1999 Håkan Olsson. All rights reserved. -# Copyright (c) 1999 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Ericsson Radio Systems. -# - -LIBGMP:= /usr/lib/libgmp.a -LIBCRYPTO:= /usr/lib/libcrypto.a -LIBSYSDEPDIR:= ${.CURDIR}/sysdep/common/libsysdep -LIBSYSDEP:= ${LIBSYSDEPDIR}/libsysdep.a - -LDADD+= -lgmp ${LIBSYSDEP} -DPADD+= ${LIBGMP} ${LIBSYSDEP} - -FEATURES= debug tripledes des blowdish cast ec aggressive -# Not yet -#FEATURES+= policy x509 - -IPSEC_SRCS= pf_key_v2.c -IPSEC_CFLAGS= -DUSE_PF_KEY_V2 - -USE_LIBCRYPTO= defined - -# hack libsysdep.a dependency -${LIBSYSDEPDIR}/.depend ${LIBSYSDEP}: - cd ${LIBSYSDEPDIR} && - ${MAKE} --no-print-directory ${MAKEFLAGS} \ - CFLAGS="${CFLAGS}" MKDEP="${MKDEP}" ${MAKECMDGOALS} - -depend: ${LIBSYSDEPDIR}/.depend - -ifeq ($(findstring clean, $(MAKECMDGOALS)), clean) -SUBDIR+= sysdep/common/libsysdep -MAKEFLAGS+= --no-print-directory -endif - diff --git a/keyexchange/isakmpd-20041012/sysdep/freebsd/Makefile.sysdep b/keyexchange/isakmpd-20041012/sysdep/freebsd/Makefile.sysdep deleted file mode 100644 index 03dae50..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/freebsd/Makefile.sysdep +++ /dev/null @@ -1,77 +0,0 @@ -# $OpenBSD: Makefile.sysdep,v 1.10 2004/06/26 03:40:57 mcbride Exp $ - -# -# Copyright (c) 1999 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER INN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Ericsson Radio Systems. -# - -# Override default features -FEATURES= tripledes des blowfish cast x509 ec aggressive debug -FEATURES+= rawkey -# Not yet -#FEATURES+= policy isakmp_cfg - -.if defined(TOPDIR) -LIBSYSDEPDIR= ${TOPDIR}/sysdep/common/libsysdep -.else -LIBSYSDEPDIR= ${.CURDIR}/sysdep/common/libsysdep -.endif - -LDADD+= -lgmp ${LIBSYSDEPDIR}/libsysdep.a -lipsec -L/usr/local/lib -DPADD+= ${LIBGMP} ${LIBSYSDEPDIR}/libsysdep.a - -CFLAGS+= -DHAVE_GETIFADDRS \ - -I${.CURDIR}/sysdep/common -I/usr/include \ - -I/usr/local/include -I/usr/local/include/openssl - -IPSEC_SRCS= pf_key_v2.c -IPSEC_CFLAGS= -DUSE_PF_KEY_V2 - -USE_LIBCRYPTO= defined - -# This is a hack in order to make sure libsysdep is built before the -# linkstage of isakmpd. As a side effect the link is always done even if -# not necessary. Well, I just don't care. -GENERATED+= sysdep-target -sysdep-target: - cd ${.CURDIR}/sysdep/common/libsysdep; ${MAKE} ${.MAKEFLAGS} - -# Kludge around much strange behaviour in /usr/share/mk/bsd.*/mk, don't build certpatch -SUBDIR= - -.if make(clean) -SUBDIR+= sysdep/common/libsysdep -.endif - -# Kludge around bug in /usr/share/mk/bsd.subdir.mk -NO_REGRESS= defined - -# Kludge around bug/feature in /usr/share/mk/bsd.man.mk -MAN8= isakmpd.8 -MAN5= isakmpd.conf.5 isakmpd.policy.5 - -obj: - mkdir obj diff --git a/keyexchange/isakmpd-20041012/sysdep/freebsd/sysdep-os.h b/keyexchange/isakmpd-20041012/sysdep/freebsd/sysdep-os.h deleted file mode 100644 index cecc2c2..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/freebsd/sysdep-os.h +++ /dev/null @@ -1,79 +0,0 @@ -/* $OpenBSD: sysdep-os.h,v 1.5 2003/06/03 14:53:11 ho Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _SYSDEP_OS_H_ - -#define _SYSDEP_OS_H_ - -#define KAME - -#include <netinet6/ipsec.h> - -#if ( __FreeBSD_cc_version < 440000 ) -/* We need in_addr_t & in_port_t */ -typedef u_int32_t in_addr_t; -typedef u_int16_t in_port_t; -#endif -#if ( __FreeBSD__ < 4 ) -/* We need socklen_t too. */ -typedef u_int32_t socklen_t; -#endif - -/* Map extensions to values from /usr/include/net/pfkeyv2.h */ -#if ( SADB_EALG_MAX == 7 ) -/* FreeBSD 4.2 */ -#define SADB_X_EALG_BLF SADB_EALG_BLOWFISHCBC -#define SADB_X_EALG_CAST SADB_EALG_CAST128CBC -#else if ( SADB_EALG_MAX == 12 ) -/* FreeBSD 4.4 */ -#define SADB_X_EALG_BLF SADB_X_EALG_BLOWFISHCBC -#define SADB_X_EALG_CAST SADB_X_EALG_CAST128CBC -#endif - -#if 0 -/* OpenSSL differs from OpenBSD very slightly... */ - -#define SHA1Init SHA1_Init -#define SHA1Update SHA1_Update -#define SHA1Final SHA1_Final - -#define cast_key CAST_KEY -#define cast_setkey(k, d, l) CAST_set_key ((k), (l), (d)) -#define cast_encrypt(k, i, o) do { \ - memcpy ((o), (i), BLOCKSIZE); \ - CAST_encrypt ((CAST_LONG *)(o), (k)); \ -} -#define cast_decrypt(k, i, o) do { \ - memcpy ((o), (i), BLOCKSIZE); \ - CAST_decrypt ((CAST_LONG *)(o), (k)); \ -} -#endif - -#endif /* _SYSDEP_OS_H_ */ diff --git a/keyexchange/isakmpd-20041012/sysdep/freebsd/sysdep.c b/keyexchange/isakmpd-20041012/sysdep/freebsd/sysdep.c deleted file mode 100644 index 2679fc8..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/freebsd/sysdep.c +++ /dev/null @@ -1,228 +0,0 @@ -/* $OpenBSD: sysdep.c,v 1.13 2004/08/10 15:59:10 ho Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/types.h> -#include <sys/socket.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <stdlib.h> -#include <string.h> - -#include "sysdep.h" - -#include "util.h" - -#ifdef NEED_SYSDEP_APP -#include "app.h" -#include "conf.h" -#include "ipsec.h" - -#ifdef USE_PF_KEY_V2 -#include "pf_key_v2.h" -#define KEY_API(x) pf_key_v2_##x -#endif - -#endif /* NEED_SYSDEP_APP */ -#include "log.h" - -extern char *__progname; - -/* - * An as strong as possible random number generator, reverting to a - * deterministic pseudo-random one if regrand is set. - */ -u_int32_t -sysdep_random () -{ - return random(); -} - -/* Return the basename of the command used to invoke us. */ -char * -sysdep_progname () -{ - return __progname; -} - -/* Return the length of the sockaddr struct. */ -u_int8_t -sysdep_sa_len (struct sockaddr *sa) -{ - return sa->sa_len; -} - -/* As regress/ use this file I protect the sysdep_app_* stuff like this. */ -#ifdef NEED_SYSDEP_APP -/* - * Prepare the application we negotiate SAs for (i.e. the IPsec stack) - * for communication. We return a file descriptor useable to select(2) on. - */ -int -sysdep_app_open () -{ - return KEY_API(open) (); -} - -/* - * When select(2) has noticed our application needs attendance, this is what - * gets called. FD is the file descriptor causing the alarm. - */ -void -sysdep_app_handler (int fd) -{ - KEY_API (handler) (fd); -} - -/* Check that the connection named NAME is active, or else make it active. */ -void -sysdep_connection_check (char *name) -{ - KEY_API (connection_check) (name); -} - -/* - * Generate a SPI for protocol PROTO and the source/destination pair given by - * SRC, SRCLEN, DST & DSTLEN. Stash the SPI size in SZ. - */ -u_int8_t * -sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src, - struct sockaddr *dst, u_int32_t seq) -{ - if (app_none) - { - *sz = IPSEC_SPI_SIZE; - /* XXX should be random instead I think. */ - return strdup ("\x12\x34\x56\x78"); - } - return KEY_API (get_spi) (sz, proto, src, dst, seq); -} - -struct sa_kinfo * -sysdep_ipsec_get_kernel_sa(u_int8_t *spi, size_t spi_sz, u_int8_t proto, - struct sockaddr *dst) -{ - if (app_none) - return 0; - /* XXX return KEY_API(get_kernel_sa)(spi, spi_sz, proto, dst); */ - return 0; -} - -/* Force communication on socket FD to go in the clear. */ -int -sysdep_cleartext (int fd, int af) -{ - char *buf; - char *policy[] = { "in bypass", "out bypass", NULL }; - char **p; - int ipp; - int opt; - char *msgstr; - - if (app_none) - return 0; - - switch (af) - { - case AF_INET: - ipp = IPPROTO_IP; - opt = IP_IPSEC_POLICY; - msgstr = ""; - break; - case AF_INET6: - ipp = IPPROTO_IPV6; - opt = IPV6_IPSEC_POLICY; - msgstr = "V6"; - break; - default: - log_print ("sysdep_cleartext: unsupported protocol family %d", af); - return -1; - } - - /* - * Need to bypass system security policy, so I can send and - * receive key management datagrams in the clear. - */ - - for (p = policy; p && *p; p++) - { - buf = ipsec_set_policy (*p, strlen(*p)); - if (buf == NULL) - { - log_error ("sysdep_cleartext: %s: %s", *p, ipsec_strerror()); - return -1; - } - - if (setsockopt(fd, ipp, opt, buf, ipsec_get_policylen(buf)) < 0) - { - log_error ("sysdep_cleartext: " - "setsockopt (%d, IPPROTO_IP%s, IP%s_IPSEC_POLICY, ...) " - "failed", fd, msgstr, msgstr); - return -1; - } - free(buf); - } - - return 0; -} - -int -sysdep_ipsec_delete_spi (struct sa *sa, struct proto *proto, int incoming) -{ - if (app_none) - return 0; - return KEY_API (delete_spi) (sa, proto, incoming); -} - -int -sysdep_ipsec_enable_sa (struct sa *sa, struct sa *isakmp_sa) -{ - if (app_none) - return 0; - return KEY_API (enable_sa) (sa, isakmp_sa); -} - -int -sysdep_ipsec_group_spis (struct sa *sa, struct proto *proto1, - struct proto *proto2, int incoming) -{ - if (app_none) - return 0; - return KEY_API (group_spis) (sa, proto1, proto2, incoming); -} - -int -sysdep_ipsec_set_spi (struct sa *sa, struct proto *proto, int incoming, - struct sa *isakmp_sa) -{ - if (app_none) - return 0; - return KEY_API (set_spi) (sa, proto, incoming, isakmp_sa); -} -#endif diff --git a/keyexchange/isakmpd-20041012/sysdep/freeswan/GNUmakefile.sysdep b/keyexchange/isakmpd-20041012/sysdep/freeswan/GNUmakefile.sysdep deleted file mode 100644 index 9b9bd18..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/freeswan/GNUmakefile.sysdep +++ /dev/null @@ -1,72 +0,0 @@ -# $OpenBSD: GNUmakefile.sysdep,v 1.2 2003/06/03 14:53:11 ho Exp $ - -# -# Copyright (c) 1999 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Ericsson Radio Systems. -# - -# In order for this to work, invocations need to set FREESWAN to the -# directory where FreeS/WAN is installed. - -ifndef FREESWAN -FREESWAN= /usr/src/freeswan -endif - -BINDIR= /usr/local/sbin -# Partly good for RedHat 5.2, but man(1) does not find them so I have it -# disabled for now. -#MANDIR= /var/catman/cat -#MAN5= isakmpd.conf.0 -#MAN8= isakmpd.0 -NOMAN= - -LIBGMP= -lgmp -LIBDES= ${FREESWAN}/libdes/libdes.a -LIBSYSDEPDIR= ${.CURDIR}/sysdep/common/libsysdep -LIBSYSDEP= ${LIBSYSDEPDIR}/libsysdep.a - -FEATURES= tripledes blowfish cast ec aggressive debug - -SRCS+= klips.c - -LDADD+= ${LIBSYSDEP} ${LIBGMP} ${LIBDES} -ldl -DPADD+= ${LIBSYSDEP} ${LIBGMP} ${LIBDES} - -CFLAGS+= -I${FREESWAN}/gmp -I${FREESWAN}/libdes \ - -I${FREESWAN}/klips -I${FREESWAN}/lib -DUSE_OLD_SOCKADDR \ - -I${.CURDIR}/sysdep/common -DSYMBOL_PREFIX='"_"' -CFLAGS+= -DMP_FLAVOUR=MP_FLAVOUR_GMP -CFLAGS+= -D'SALEN(x)=8' - -${LIBSYSDEP}: - cd ${LIBSYSDEPDIR}; \ - ${MAKE} --no-print-directory ${MAKEFLAGS} CFLAGS="${CFLAGS}" MKDEP="${MKDEP}" - -ifneq ($(findstring install,$(MAKECMDGOALS)),install) -SUBDIR+= sysdep/common/libsysdep -# The regress/ subdir is completely broken in the linux environment -SUBDIR:= $(filter-out regress,${SUBDIR}) -endif diff --git a/keyexchange/isakmpd-20041012/sysdep/freeswan/Makefile.sysdep b/keyexchange/isakmpd-20041012/sysdep/freeswan/Makefile.sysdep deleted file mode 100644 index 56bc6df..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/freeswan/Makefile.sysdep +++ /dev/null @@ -1,75 +0,0 @@ -# $OpenBSD: Makefile.sysdep,v 1.2 2003/06/03 14:53:11 ho Exp $ - -# -# Copyright (c) 1999 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Ericsson Radio Systems. -# - -# In order for this to work, invocations need to set FREESWAN to the -# directory where FreeS/WAN is installed. - -BINDIR= /usr/local/sbin -# Partly good for RedHat 5.2, but man(1) does not find them so I have it -# disabled for now. -#MANDIR= /var/catman/cat -#MAN5= isakmpd.conf.0 -#MAN8= isakmpd.0 -NOMAN= - -IPSEC_SRCS= klips.c - -LDADD+= ${.CURDIR}/sysdep/common/libsysdep/libsysdep.a \ - ${FREESWAN}/gmp/libgmp.a -DPADD+= ${.CURDIR}/sysdep/common/libsysdep/libsysdep.a \ - ${FREESWAN}/gmp/libgmp.a - -CFLAGS+= ${DEBUG} -I${FREESWAN}/gmp -I${FREESWAN}/libdes \ - -I${FREESWAN}/klips -I${FREESWAN}/lib -DUSE_OLD_SOCKADDR \ - -I${.CURDIR}/sysdep/common - -#USE_LIBCRYPTO= defined -#USE_KEYNOTE= defined - -.ifndef USE_LIBCRYPTO -DESLIB= ${FREESWAN}/libdes/libdes.a -DESLIBDEP= ${FREESWAN}/libdes/libdes.a -.endif - -# This is a hack in order to make sure libsysdep is built before the -# linkstage of isakmpd. As a side effect the link is always done even if -# not necessary. Well, I just don't care. -GENERATED+= sysdep-target -sysdep-target: - cd ${.CURDIR}/sysdep/common/libsysdep; ${MAKE} ${.MAKEFLAGS} - -.if make(clean) -SUBDIR+= sysdep/common/libsysdep -.endif - -# The regress/ subdir is completely broken in the linux environment -.if !make(install) -SUBDIR:= ${SUBDIR:Nregress} -.endif diff --git a/keyexchange/isakmpd-20041012/sysdep/freeswan/README b/keyexchange/isakmpd-20041012/sysdep/freeswan/README deleted file mode 100644 index 3990ab3..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/freeswan/README +++ /dev/null @@ -1,16 +0,0 @@ -$OpenBSD: README,v 1.1 2003/05/14 20:49:37 ho Exp $ - -Currently, you have to manually configure any IPsec interfaces and do the -association betweent these and the physical ones. This is done like -this in FreeS/WAN: - -ipsec tncfg --attach --virtual ipsec0 --physical eth0 -ifconfig ipsec0 A.B.C.D netmask E.F.G.H - -Then there is one special configuration option in the IPsec-connection -sections for Phase 2 of the configuration file, named Next-hop, which -should be set to the next hop's IP address along the way to the peer: - -Next-hop= I.J.K.L - -This is specific to the way FreeS/WAN works. diff --git a/keyexchange/isakmpd-20041012/sysdep/freeswan/klips.c b/keyexchange/isakmpd-20041012/sysdep/freeswan/klips.c deleted file mode 100644 index d362333..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/freeswan/klips.c +++ /dev/null @@ -1,662 +0,0 @@ -/* $OpenBSD: klips.c,v 1.3 2003/09/26 15:59:34 aaron Exp $ */ - -/* - * Copyright (c) 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <asm/types.h> -#include <sys/types.h> -#include <sys/ioctl.h> -#include <sys/stat.h> -#include <sys/socket.h> -#include <linux/sockios.h> -#include <net/route.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <errno.h> -#include <fcntl.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <ctype.h> -#include <unistd.h> - -#include <freeswan.h> -#include <net/ipsec/radij.h> -#include <net/ipsec/ipsec_encap.h> -#include <net/ipsec/ipsec_netlink.h> -#include <net/ipsec/ipsec_xform.h> -#include <net/ipsec/ipsec_ipe4.h> -#include <net/ipsec/ipsec_ah.h> -#include <net/ipsec/ipsec_esp.h> - -#include "sysdep.h" - -#include "conf.h" -#include "exchange.h" -#include "hash.h" -#include "ipsec.h" -#include "ipsec_doi.h" -#include "ipsec_num.h" -#include "isakmp.h" -#include "log.h" -#include "klips.h" -#include "sa.h" -#include "timer.h" -#include "transport.h" - -#define KLIPS_DEVICE "/dev/ipsec" - -#define PROC_ROUTE_FILE "/proc/net/route" -#define PROC_ROUTE_FMT "%15s %127s %127s %X %d %d %d %127s %d %d %d\n" - -/* XXX Maybe these are available through some system-supplied define? */ -#define AH_NEW_XENCAP_LEN (3 * sizeof(u_short) + 2 * sizeof(u_char)) -#define ESP_NEW_XENCAP_LEN sizeof (struct espblkrply_edata) -#define EMT_GRPSPIS_COMPLEN (sizeof (((struct encap_msghdr *)0)->em_rel[0])) - -/* How often should we check that connections we require to be up, are up? */ -#define KLIPS_CHECK_FREQ 60 - -static int klips_socket; - -/* Open the KLIPS device. */ -int -klips_open () -{ - int fd; - - fd = open (KLIPS_DEVICE, O_RDWR); - if (fd == -1) - { - log_error ("klips_open: open (\"%s\", O_RDWR) failed", KLIPS_DEVICE); - return -1; - } - klips_socket = fd; - return fd; -} - -/* Write a KLIPS request down to the kernel. */ -static int -klips_write (struct encap_msghdr *em) -{ - ssize_t n; - - em->em_magic = EM_MAGIC; - em->em_version = 0; - - LOG_DBG_BUF ((LOG_SYSDEP, 30, "klips_write: em", (u_int8_t *)em, - em->em_msglen)); - n = write (klips_socket, em, em->em_msglen); - if (n == -1) - { - log_error ("write (%d, ...) failed", klips_socket); - return -1; - } - if ((size_t)n != em->em_msglen) - { - log_error ("write (%d, ...) returned prematurely", klips_socket); - return -1; - } - return 0; -} - -/* - * Generate a SPI for protocol PROTO and the source/destination pair given by - * SRC, SRCLEN, DST & DSTLEN. Stash the SPI size in SZ. - */ -u_int8_t * -klips_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src, - struct sockaddr *dst, u_int32_t seq) -{ - u_int8_t *spi; - u_int32_t spinum; - - *sz = IPSEC_SPI_SIZE; - spi = malloc (*sz); - if (!spi) - return 0; - do - spinum = sysdep_random (); - while (spinum < IPSEC_SPI_LOW); - spinum = htonl (spinum); - memcpy (spi, &spinum, *sz); - - LOG_DBG_BUF ((LOG_SYSDEP, 50, "klips_get_spi: spi", spi, *sz)); - - return spi; -} - -/* Group 2 SPIs in a chain. XXX Not fully implemented yet. */ -int -klips_group_spis (struct sa *sa, struct proto *proto1, struct proto *proto2, - int incoming) -{ - struct encap_msghdr *emsg = 0; - struct sockaddr *dst; - - emsg = calloc (1, EMT_GRPSPIS_FLEN + 2 * EMT_GRPSPIS_COMPLEN); - if (!emsg) - return -1; - - emsg->em_msglen = EMT_GRPSPIS_FLEN + 2 * EMT_GRPSPIS_COMPLEN; - emsg->em_type = EMT_GRPSPIS; - - /* - * XXX The code below is wrong if we are in tunnel mode. - * The fix is to reorder stuff so the IP-in-IP SA will always come - * upfront, and if there are two such, one is dropped. - */ - memcpy (&emsg->em_rel[0].emr_spi, proto1->spi[incoming], - sizeof emsg->em_rel[0].emr_spi); - memcpy (&emsg->em_rel[1].emr_spi, proto2->spi[incoming], - sizeof emsg->em_rel[1].emr_spi); - if (incoming) - sa->transport->vtbl->get_src (sa->transport, &dst); - else - sa->transport->vtbl->get_dst (sa->transport, &dst); - emsg->em_rel[0].emr_dst - = emsg->em_rel[1].emr_dst = ((struct sockaddr_in *)dst)->sin_addr; - /* XXX What if IPCOMP etc. comes along? */ - emsg->em_rel[0].emr_proto - = proto1->proto == IPSEC_PROTO_IPSEC_ESP ? IPPROTO_ESP : IPPROTO_AH; - emsg->em_rel[1].emr_proto - = proto2->proto == IPSEC_PROTO_IPSEC_ESP ? IPPROTO_ESP : IPPROTO_AH; - - if (klips_write (emsg)) - goto cleanup; - free (emsg); - - LOG_DBG ((LOG_SYSDEP, 50, "klips_group_spis: done")); - - return 0; - - cleanup: - if (emsg) - free (emsg); - return -1; -} - -/* Store/update a SPI with full information into the kernel. */ -int -klips_set_spi (struct sa *sa, struct proto *proto, int incoming, - struct sa *isakmp_sa) -{ - struct encap_msghdr *emsg = 0; - struct ipsec_proto *iproto = proto->data; - struct sockaddr *dst, *src; - int keylen, hashlen; - size_t len; - struct ipe4_xdata *ip4x; - - /* Actually works for all. */ - struct espblkrply_edata *edx; - - /* Actually works for all. */ - struct ahhmacmd5_edata *amx; - - switch (proto->proto) - { - case IPSEC_PROTO_IPSEC_ESP: - keylen = ipsec_esp_enckeylength (proto); - hashlen = ipsec_esp_authkeylength (proto); - len = EMT_SETSPI_FLEN + ESP_NEW_XENCAP_LEN; - emsg = calloc (1, len); - if (!emsg) - return -1; - - emsg->em_proto = IPPROTO_ESP; - - edx = (struct espblkrply_edata *)emsg->em_dat; - - /* Funny expression due to I just want one switch. */ - switch (proto->id | (iproto->auth << 8)) - { - case IPSEC_ESP_3DES: - emsg->em_alg = XF_ESP3DES; - break; - - case IPSEC_ESP_3DES | (IPSEC_AUTH_HMAC_MD5 << 8): - emsg->em_alg = XF_ESP3DESMD596; - break; - - case IPSEC_ESP_3DES | (IPSEC_AUTH_HMAC_SHA << 8): - emsg->em_alg = XF_ESP3DESSHA196; - break; - - default: - LOG_DBG ((LOG_SYSDEP, 10, - "klips_set_spi: Unsupported enc/auth alg negotiated")); - return -1; - } - - /* XXX What if we have a protocol requiring IV? */ - edx->eme_ivlen = EMT_ESPDES_IV_SZ; - edx->eme_klen = keylen; - edx->ame_klen = hashlen; -#if 0 - /* I have reason to believe Shared-SADB won't work at all in KLIPS. */ - edx->eme_ooowin - = conf_get_str ("General", "Shared-SADB") ? 0 : iproto->replay_window; -#else - edx->eme_ooowin = iproto->replay_window; -#endif - /* - * XXX Pluto sets the unused by KLIPS flag EME_INITIATOR in - * edx->eme_flags, if the party is the initiator. Should we too? - */ - edx->eme_flags = 0; - memcpy (edx->eme_key, iproto->keymat[incoming], keylen); - if (iproto->auth) - memcpy (edx->ame_key, iproto->keymat[incoming] + keylen, hashlen); - break; - - case IPSEC_PROTO_IPSEC_AH: - hashlen = ipsec_ah_keylength (proto); - len = EMT_SETSPI_FLEN + AH_NEW_XENCAP_LEN + hashlen; - emsg = calloc (1, len); - if (!emsg) - return -1; - - emsg->em_proto = IPPROTO_AH; - - amx = (struct ahhmacmd5_edata *)emsg->em_dat; - - switch (proto->id) - { - case IPSEC_AH_MD5: - emsg->em_alg = XF_AHHMACMD5; - break; - - case IPSEC_AH_SHA: - emsg->em_alg = XF_AHHMACSHA1; - break; - - default: - /* XXX Log? */ - goto cleanup; - } - - /* XXX Should we be able to send in different lengths here? */ - amx->ame_alen = amx->ame_klen = hashlen; -#if 0 - /* I have reason to believe Shared-SADB won't work at all in KLIPS. */ - amx->ame_ooowin - = conf_get_str ("General", "Shared-SADB") ? 0 : iproto->replay_window; -#else - amx->ame_ooowin = iproto->replay_window; -#endif - amx->ame_replayp = amx->ame_ooowin > 0; - memcpy (amx->ame_key, iproto->keymat[incoming], hashlen); - break; - - default: - /* XXX Log? */ - goto cleanup; - } - - emsg->em_msglen = len; - emsg->em_type = EMT_SETSPI; - memcpy (&emsg->em_spi, proto->spi[incoming], sizeof emsg->em_spi); - emsg->em_flags = incoming ? EMT_INBOUND : 0; - - /* - * XXX Addresses has to be thought through. Assumes IPv4. - */ - sa->transport->vtbl->get_dst (sa->transport, &dst); - sa->transport->vtbl->get_src (sa->transport, &src); - emsg->em_dst - = ((struct sockaddr_in *)(incoming ? src : dst))->sin_addr; - - /* - * Klips does not know about expirations, thus we need to do them inside - * isakmpd. - */ - if (sa->seconds) - if (sa_setup_expirations (sa)) - goto cleanup; - - LOG_DBG ((LOG_SYSDEP, 10, "klips_set_spi: proto %d dst %s SPI 0x%x", - emsg->em_proto, inet_ntoa (emsg->em_dst), htonl (emsg->em_spi))); - if (klips_write (emsg)) - goto cleanup; - free (emsg); - - /* If we are tunneling we have to setup an IP in IP tunnel too. */ - if (iproto->encap_mode == IPSEC_ENCAP_TUNNEL) - { - len = EMT_SETSPI_FLEN + EMT_IPE4_ULEN; - emsg = calloc (1, len); - if (!emsg) - goto cleanup; - - emsg->em_proto = IPPROTO_IPIP; - emsg->em_msglen = len; - emsg->em_type = EMT_SETSPI; - /* - * XXX Code in Pluto suggests this is not possible, but that we have - * to have a unique SPI for the IP4 SA. - */ - memcpy (&emsg->em_spi, proto->spi[incoming], sizeof emsg->em_spi); - emsg->em_flags = 0; - emsg->em_alg = XF_IP4; - - ip4x = (struct ipe4_xdata *)emsg->em_dat; - ip4x->i4_dst = emsg->em_dst - = ((struct sockaddr_in *)(incoming ? src : dst))->sin_addr; - ip4x->i4_src - = ((struct sockaddr_in *)(incoming ? dst : src))->sin_addr; - - LOG_DBG ((LOG_SYSDEP, 10, "klips_set_spi: proto %d dst %s SPI 0x%x", - emsg->em_proto, inet_ntoa (emsg->em_dst), - htonl (emsg->em_spi))); - if (klips_write (emsg)) - goto cleanup; - free (emsg); - - /* - * Grouping the IP-in-IP SA with the IPsec one means we must be careful - * in klips_group_spis so that we'll remove duplicate IP-in-IP SAs - * and get everything grouped in the right order. - * - * XXX Could we not share code with klips_group_spis here? - */ - emsg = calloc (1, EMT_GRPSPIS_FLEN + 2 * EMT_GRPSPIS_COMPLEN); - if (!emsg) - goto cleanup; - - emsg->em_msglen = EMT_GRPSPIS_FLEN + 2 * EMT_GRPSPIS_COMPLEN; - emsg->em_type = EMT_GRPSPIS; - - memcpy (&emsg->em_rel[0].emr_spi, proto->spi[incoming], - sizeof emsg->em_rel[0].emr_spi); - memcpy (&emsg->em_rel[1].emr_spi, proto->spi[incoming], - sizeof emsg->em_rel[1].emr_spi); - emsg->em_rel[0].emr_dst = emsg->em_rel[1].emr_dst - = ((struct sockaddr_in *)(incoming ? src : dst))->sin_addr; - - emsg->em_rel[0].emr_proto = IPPROTO_IPIP; - /* XXX What if IPCOMP etc. comes along? */ - emsg->em_rel[1].emr_proto - = proto->proto == IPSEC_PROTO_IPSEC_ESP ? IPPROTO_ESP : IPPROTO_AH; - - if (klips_write (emsg)) - goto cleanup; - free (emsg); - } - - LOG_DBG ((LOG_SYSDEP, 50, "klips_set_spi: done")); - - return 0; - - cleanup: - /* XXX Cleanup the potential SAs we have setup. */ - if (emsg) - free (emsg); - return -1; -} - -/* - * Delete the IPsec SA represented by the INCOMING direction in protocol PROTO - * of the IKE security association SA. - */ -int -klips_delete_spi (struct sa *sa, struct proto *proto, int incoming) -{ - struct encap_msghdr *emsg = 0; - struct sockaddr *dst; - struct ipsec_proto *iproto = proto->data; - - emsg = calloc (1, EMT_SETSPI_FLEN); - if (!emsg) - return -1; - - emsg->em_msglen = EMT_SETSPI_FLEN; - emsg->em_type = EMT_DELSPI; - - memcpy (&emsg->em_spi, proto->spi[incoming], sizeof emsg->em_spi); - if (incoming) - sa->transport->vtbl->get_src (sa->transport, &dst); - else - sa->transport->vtbl->get_dst (sa->transport, &dst); - emsg->em_dst = ((struct sockaddr_in *)dst)->sin_addr; - /* XXX What if IPCOMP etc. comes along? */ - emsg->em_proto - = (iproto->encap_mode == IPSEC_ENCAP_TUNNEL ? IPPROTO_IPIP - : proto->proto == IPSEC_PROTO_IPSEC_ESP ? IPPROTO_ESP : IPPROTO_AH); - - if (klips_write (emsg)) - goto cleanup; - free (emsg); - - LOG_DBG ((LOG_SYSDEP, 50, "klips_delete_spi: done")); - - return 0; - - cleanup: - if (emsg) - free (emsg); - return -1; -} - -int -klips_hex_decode (char *src, u_char *dst, int dstsize) -{ - char *p, *pe; - u_char *q, *qe, ch, cl; - - pe = src + strlen (src); - qe = dst + dstsize; - - for (p = src, q = dst; p < pe && q < qe && isxdigit ((int)*p); p += 2) - { - ch = tolower (p[0]); - cl = tolower (p[1]); - - if ((ch >= '0') && (ch <= '9')) - ch -= '0'; - else if ((ch >= 'a') && (ch <= 'f')) - ch -= 'a' - 10; - else - return -1; - - if ((cl >= '0') && (cl <= '9')) - cl -= '0'; - else if ((cl >= 'a') && (cl <= 'f')) - cl -= 'a' - 10; - else - return -1; - - *q++ = (ch << 4) | cl; - } - - return (int)(q - dst); -} - -/* Consult kernel routing table for next-hop lookup. From dugsong@monkey.org */ -u_long -klips_route_get (u_long dst) -{ - FILE *f; - char buf[BUFSIZ]; - char ifbuf[16], netbuf[128], gatebuf[128], maskbuf[128]; - int i, iflags, refcnt, use, metric, mss, win, irtt; - u_long ret, gate, net, mask; - - if ((f = fopen (PROC_ROUTE_FILE, "r")) == NULL) - return dst; - - ret = dst; - - while (fgets (buf, sizeof buf, f) != NULL) - { - i = sscanf (buf, PROC_ROUTE_FMT, ifbuf, netbuf, gatebuf, &iflags, - &refcnt, &use, &metric, maskbuf, &mss, &win, &irtt); - if (i < 10 || !(iflags & RTF_UP)) - continue; - - klips_hex_decode (netbuf, (u_char *)&net, sizeof net); - klips_hex_decode (gatebuf, (u_char *)&gate, sizeof gate); - klips_hex_decode (maskbuf, (u_char *)&mask, sizeof mask); - - net = htonl (net); - gate = htonl (gate); - mask = htonl (mask); - - if ((dst & mask) == net) - { - if (gate != INADDR_ANY) - ret = gate; - break; - } - } - - fclose (f); - return ret; -} - -/* Enable a flow given a SA. */ -int -klips_enable_sa (struct sa *sa, struct sa *isakmp_sa) -{ - struct ipsec_sa *isa = sa->data; - struct sockaddr *dst; - struct proto *proto = TAILQ_FIRST (&sa->protos); - struct ipsec_proto *iproto = proto->data; - struct encap_msghdr emsg; - int s = -1; - struct rtentry rt; - - sa->transport->vtbl->get_dst (sa->transport, &dst); - - /* XXX Is this needed? */ - memset (&emsg, '\0', sizeof emsg); - - emsg.em_msglen = sizeof emsg; - emsg.em_type = EMT_RPLACEROUTE; - - memcpy (&emsg.em_erspi, proto->spi[0], sizeof emsg.em_erspi); - emsg.em_erdst = ((struct sockaddr_in *)dst)->sin_addr; - - LOG_DBG ((LOG_SYSDEP, 50, "klips_enable_sa: src %x %x dst %x %x", - ntohl (isa->src_net), ntohl (isa->src_mask), ntohl (isa->dst_net), - ntohl (isa->dst_mask))); - - /* XXX Magic constant from Pluto (26 = AF_ISDN in BSD). */ - emsg.em_eaddr.sen_family = emsg.em_emask.sen_family = 26; - emsg.em_eaddr.sen_type = SENT_IP4; - /* XXX Magic constant from Pluto. */ - emsg.em_emask.sen_type = 255; - emsg.em_eaddr.sen_len = emsg.em_emask.sen_len - = sizeof (struct sockaddr_encap); - - emsg.em_eaddr.sen_ip_src.s_addr = isa->src_net; - emsg.em_emask.sen_ip_src.s_addr = isa->src_mask; - emsg.em_eaddr.sen_ip_dst.s_addr = isa->dst_net; - emsg.em_emask.sen_ip_dst.s_addr = isa->dst_mask; - - /* XXX What if IPCOMP etc. comes along? */ - emsg.em_erproto - = (iproto->encap_mode == IPSEC_ENCAP_TUNNEL ? IPPROTO_IPIP - : proto->proto == IPSEC_PROTO_IPSEC_ESP ? IPPROTO_ESP : IPPROTO_AH); - - if (klips_write (&emsg)) - { - emsg.em_type = EMT_SETEROUTE; - if (klips_write (&emsg)) - goto cleanup; - } - - s = socket (PF_INET, SOCK_DGRAM, AF_UNSPEC); - if (s == -1) - { - log_error ("klips_enable_sa: " - "socket(PF_INET, SOCK_DGRAM, AF_UNSPEC) failed"); - goto cleanup; - } - - memset (&rt, '\0', sizeof rt); - rt.rt_dst.sa_family = AF_INET; - ((struct sockaddr_in *)&rt.rt_dst)->sin_addr.s_addr = isa->dst_net; - rt.rt_genmask.sa_family = AF_INET; - ((struct sockaddr_in *)&rt.rt_genmask)->sin_addr.s_addr = isa->dst_mask; - rt.rt_gateway.sa_family = AF_INET; - - ((struct sockaddr_in *)&rt.rt_gateway)->sin_addr.s_addr - = klips_route_get (emsg.em_erdst.s_addr); - - rt.rt_flags = RTF_UP | RTF_GATEWAY; - /* XXX What if we have multiple interfaces? */ - rt.rt_dev = "ipsec0"; - - if (ioctl (s, SIOCDELRT, &rt) == -1 && errno != ESRCH) - { - log_error ("klips_enable_sa: ioctl (%d, SIOCDELRT, %p) failed", s, &rt); - goto cleanup; - } - - if (ioctl (s, SIOCADDRT, &rt) == -1) - { - log_error ("klips_enable_sa: ioctl (%d, SIOCADDRT, %p) failed", s, &rt); - goto cleanup; - } - - close (s); - return 0; - - cleanup: - if (s != -1) - close (s); - return -1; -} - -static void -klips_stayalive (struct exchange *exchange, void *vconn, int fail) -{ - char *conn = vconn; - struct sa *sa; - - /* XXX What if it is phase 1? */ - sa = sa_lookup_by_name (conn, 2); - if (sa) - sa->flags |= SA_FLAG_STAYALIVE; -} - -/* Establish the connection in VCONN and set the stayalive flag for it. */ -void -klips_connection_check (char *conn) -{ - if (!sa_lookup_by_name (conn, 2)) - { - LOG_DBG ((LOG_SYSDEP, 70, "klips_connection_check: SA for %s missing", - conn)); - exchange_establish (conn, klips_stayalive, conn); - } - else - LOG_DBG ((LOG_SYSDEP, 70, "klips_connection_check: SA for %s exists", - conn)); -} diff --git a/keyexchange/isakmpd-20041012/sysdep/freeswan/klips.h b/keyexchange/isakmpd-20041012/sysdep/freeswan/klips.h deleted file mode 100644 index a786dcb..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/freeswan/klips.h +++ /dev/null @@ -1,51 +0,0 @@ -/* $OpenBSD: klips.h,v 1.2 2003/06/03 14:53:11 ho Exp $ */ - -/* - * Copyright (c) 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _KLIPS_H_ -#define _KLIPS_H_ - -#include <sys/types.h> -#include <sys/queue.h> - -struct proto; -struct sa; -struct sockaddr; - -extern void klips_connection_check (char *); -extern int klips_delete_spi (struct sa *, struct proto *, int); -extern int klips_enable_sa (struct sa *, struct sa *); -extern u_int8_t *klips_get_spi (size_t *, u_int8_t, struct sockaddr *, int, - struct sockaddr *, int, u_int32_t); -extern int klips_group_spis (struct sa *, struct proto *, struct proto *, - int); -extern int klips_open (void); -extern int klips_set_spi (struct sa *, struct proto *, int); - -#endif /* _KLIPS_H_ */ diff --git a/keyexchange/isakmpd-20041012/sysdep/freeswan/sys/queue.h b/keyexchange/isakmpd-20041012/sysdep/freeswan/sys/queue.h deleted file mode 100644 index ae555ee..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/freeswan/sys/queue.h +++ /dev/null @@ -1,333 +0,0 @@ -/* $OpenBSD: queue.h,v 1.2 2003/06/02 20:06:15 millert Exp $ */ -/* $NetBSD: queue.h,v 1.11 1996/05/16 05:17:14 mycroft Exp $ */ - -/* - * Copyright (c) 1991, 1993 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * @(#)queue.h 8.5 (Berkeley) 8/20/94 - */ - -#ifndef _SYS_QUEUE_H_ -#define _SYS_QUEUE_H_ - -#ifndef NULL -#define NULL ((void *)0) -#endif - -/* - * This file defines four types of data structures: lists, simple queues, - * tail queues, and circular queues. - * - * A list is headed by a single forward pointer (or an array of forward - * pointers for a hash table header). The elements are doubly linked - * so that an arbitrary element can be removed without a need to - * traverse the list. New elements can be added to the list before - * or after an existing element or at the head of the list. A list - * may only be traversed in the forward direction. - * - * A simple queue is headed by a pair of pointers, one the head of the - * list and the other to the tail of the list. The elements are singly - * linked to save space, so only elements can only be removed from the - * head of the list. New elements can be added to the list before or after - * an existing element, at the head of the list, or at the end of the - * list. A simple queue may only be traversed in the forward direction. - * - * A tail queue is headed by a pair of pointers, one to the head of the - * list and the other to the tail of the list. The elements are doubly - * linked so that an arbitrary element can be removed without a need to - * traverse the list. New elements can be added to the list before or - * after an existing element, at the head of the list, or at the end of - * the list. A tail queue may be traversed in either direction. - * - * A circle queue is headed by a pair of pointers, one to the head of the - * list and the other to the tail of the list. The elements are doubly - * linked so that an arbitrary element can be removed without a need to - * traverse the list. New elements can be added to the list before or after - * an existing element, at the head of the list, or at the end of the list. - * A circle queue may be traversed in either direction, but has a more - * complex end of list detection. - * - * For details on the use of these macros, see the queue(3) manual page. - */ - -/* - * List definitions. - */ -#define LIST_HEAD(name, type) \ -struct name { \ - struct type *lh_first; /* first element */ \ -} - -#define LIST_ENTRY(type) \ -struct { \ - struct type *le_next; /* next element */ \ - struct type **le_prev; /* address of previous next element */ \ -} - -#define LIST_FIRST(head) ((head)->lh_first) -#define LIST_NEXT(elm, field) ((elm)->field.le_next) -#define LIST_END(head) NULL - -/* - * List functions. - */ -#define LIST_INIT(head) do { \ - (head)->lh_first = NULL; \ -} while (0) - -#define LIST_INSERT_AFTER(listelm, elm, field) do { \ - if (((elm)->field.le_next = (listelm)->field.le_next) != NULL) \ - (listelm)->field.le_next->field.le_prev = \ - &(elm)->field.le_next; \ - (listelm)->field.le_next = (elm); \ - (elm)->field.le_prev = &(listelm)->field.le_next; \ -} while (0) - -#define LIST_INSERT_BEFORE(listelm, elm, field) do { \ - (elm)->field.le_prev = (listelm)->field.le_prev; \ - (elm)->field.le_next = (listelm); \ - *(listelm)->field.le_prev = (elm); \ - (listelm)->field.le_prev = &(elm)->field.le_next; \ -} while (0) - -#define LIST_INSERT_HEAD(head, elm, field) do { \ - if (((elm)->field.le_next = (head)->lh_first) != NULL) \ - (head)->lh_first->field.le_prev = &(elm)->field.le_next;\ - (head)->lh_first = (elm); \ - (elm)->field.le_prev = &(head)->lh_first; \ -} while (0) - -#define LIST_REMOVE(elm, field) do { \ - if ((elm)->field.le_next != NULL) \ - (elm)->field.le_next->field.le_prev = \ - (elm)->field.le_prev; \ - *(elm)->field.le_prev = (elm)->field.le_next; \ -} while (0) - -/* - * Simple queue definitions. - */ -#define SIMPLEQ_HEAD(name, type) \ -struct name { \ - struct type *sqh_first; /* first element */ \ - struct type **sqh_last; /* addr of last next element */ \ -} - -#define SIMPLEQ_ENTRY(type) \ -struct { \ - struct type *sqe_next; /* next element */ \ -} - -/* - * Simple queue functions. - */ -#define SIMPLEQ_INIT(head) do { \ - (head)->sqh_first = NULL; \ - (head)->sqh_last = &(head)->sqh_first; \ -} while (0) - -#define SIMPLEQ_INSERT_HEAD(head, elm, field) do { \ - if (((elm)->field.sqe_next = (head)->sqh_first) == NULL) \ - (head)->sqh_last = &(elm)->field.sqe_next; \ - (head)->sqh_first = (elm); \ -} while (0) - -#define SIMPLEQ_INSERT_TAIL(head, elm, field) do { \ - (elm)->field.sqe_next = NULL; \ - *(head)->sqh_last = (elm); \ - (head)->sqh_last = &(elm)->field.sqe_next; \ -} while (0) - -#define SIMPLEQ_INSERT_AFTER(head, listelm, elm, field) do { \ - if (((elm)->field.sqe_next = (listelm)->field.sqe_next) == NULL)\ - (head)->sqh_last = &(elm)->field.sqe_next; \ - (listelm)->field.sqe_next = (elm); \ -} while (0) - -#define SIMPLEQ_REMOVE_HEAD(head, elm, field) do { \ - if (((head)->sqh_first = (elm)->field.sqe_next) == NULL) \ - (head)->sqh_last = &(head)->sqh_first; \ -} while (0) - -/* - * Tail queue definitions. - */ -#define TAILQ_HEAD(name, type) \ -struct name { \ - struct type *tqh_first; /* first element */ \ - struct type **tqh_last; /* addr of last next element */ \ -} - -#define TAILQ_ENTRY(type) \ -struct { \ - struct type *tqe_next; /* next element */ \ - struct type **tqe_prev; /* address of previous next element */ \ -} - - -#define TAILQ_FIRST(head) ((head)->tqh_first) -#define TAILQ_NEXT(elm, field) ((elm)->field.tqe_next) -#define TAILQ_END(head) NULL -#define TAILQ_LAST(head, headname) \ - (*(((struct headname *)((head)->tqh_last))->tqh_last)) -#define TAILQ_PREV(elm, headname, field) \ - (*(((struct headname *)((elm)->field.tqe_prev))->tqh_last)) - -/* - * Tail queue functions. - */ -#define TAILQ_INIT(head) do { \ - (head)->tqh_first = NULL; \ - (head)->tqh_last = &(head)->tqh_first; \ -} while (0) - -#define TAILQ_INSERT_HEAD(head, elm, field) do { \ - if (((elm)->field.tqe_next = (head)->tqh_first) != NULL) \ - (head)->tqh_first->field.tqe_prev = \ - &(elm)->field.tqe_next; \ - else \ - (head)->tqh_last = &(elm)->field.tqe_next; \ - (head)->tqh_first = (elm); \ - (elm)->field.tqe_prev = &(head)->tqh_first; \ -} while (0) - -#define TAILQ_INSERT_TAIL(head, elm, field) do { \ - (elm)->field.tqe_next = NULL; \ - (elm)->field.tqe_prev = (head)->tqh_last; \ - *(head)->tqh_last = (elm); \ - (head)->tqh_last = &(elm)->field.tqe_next; \ -} while (0) - -#define TAILQ_INSERT_AFTER(head, listelm, elm, field) do { \ - if (((elm)->field.tqe_next = (listelm)->field.tqe_next) != NULL)\ - (elm)->field.tqe_next->field.tqe_prev = \ - &(elm)->field.tqe_next; \ - else \ - (head)->tqh_last = &(elm)->field.tqe_next; \ - (listelm)->field.tqe_next = (elm); \ - (elm)->field.tqe_prev = &(listelm)->field.tqe_next; \ -} while (0) - -#define TAILQ_INSERT_BEFORE(listelm, elm, field) do { \ - (elm)->field.tqe_prev = (listelm)->field.tqe_prev; \ - (elm)->field.tqe_next = (listelm); \ - *(listelm)->field.tqe_prev = (elm); \ - (listelm)->field.tqe_prev = &(elm)->field.tqe_next; \ -} while (0) - -#define TAILQ_REMOVE(head, elm, field) do { \ - if (((elm)->field.tqe_next) != NULL) \ - (elm)->field.tqe_next->field.tqe_prev = \ - (elm)->field.tqe_prev; \ - else \ - (head)->tqh_last = (elm)->field.tqe_prev; \ - *(elm)->field.tqe_prev = (elm)->field.tqe_next; \ -} while (0) - -/* - * Circular queue definitions. - */ -#define CIRCLEQ_HEAD(name, type) \ -struct name { \ - struct type *cqh_first; /* first element */ \ - struct type *cqh_last; /* last element */ \ -} - -#define CIRCLEQ_ENTRY(type) \ -struct { \ - struct type *cqe_next; /* next element */ \ - struct type *cqe_prev; /* previous element */ \ -} - -#define CIRCLEQ_FIRST(head) ((head)->cqh_first) -#define CIRCLEQ_LAST(head) ((head)->cqh_last) -#define CIRCLEQ_END(head) ((void *)(head)) -#define CIRCLEQ_NEXT(elm, field) ((elm)->field.cqe_next) -#define CIRCLEQ_PREV(elm, field) ((elm)->field.cqe_prev) - -/* - * Circular queue functions. - */ -#define CIRCLEQ_INIT(head) do { \ - (head)->cqh_first = (void *)(head); \ - (head)->cqh_last = (void *)(head); \ -} while (0) - -#define CIRCLEQ_INSERT_AFTER(head, listelm, elm, field) do { \ - (elm)->field.cqe_next = (listelm)->field.cqe_next; \ - (elm)->field.cqe_prev = (listelm); \ - if ((listelm)->field.cqe_next == (void *)(head)) \ - (head)->cqh_last = (elm); \ - else \ - (listelm)->field.cqe_next->field.cqe_prev = (elm); \ - (listelm)->field.cqe_next = (elm); \ -} while (0) - -#define CIRCLEQ_INSERT_BEFORE(head, listelm, elm, field) do { \ - (elm)->field.cqe_next = (listelm); \ - (elm)->field.cqe_prev = (listelm)->field.cqe_prev; \ - if ((listelm)->field.cqe_prev == (void *)(head)) \ - (head)->cqh_first = (elm); \ - else \ - (listelm)->field.cqe_prev->field.cqe_next = (elm); \ - (listelm)->field.cqe_prev = (elm); \ -} while (0) - -#define CIRCLEQ_INSERT_HEAD(head, elm, field) do { \ - (elm)->field.cqe_next = (head)->cqh_first; \ - (elm)->field.cqe_prev = (void *)(head); \ - if ((head)->cqh_last == (void *)(head)) \ - (head)->cqh_last = (elm); \ - else \ - (head)->cqh_first->field.cqe_prev = (elm); \ - (head)->cqh_first = (elm); \ -} while (0) - -#define CIRCLEQ_INSERT_TAIL(head, elm, field) do { \ - (elm)->field.cqe_next = (void *)(head); \ - (elm)->field.cqe_prev = (head)->cqh_last; \ - if ((head)->cqh_first == (void *)(head)) \ - (head)->cqh_first = (elm); \ - else \ - (head)->cqh_last->field.cqe_next = (elm); \ - (head)->cqh_last = (elm); \ -} while (0) - -#define CIRCLEQ_REMOVE(head, elm, field) do { \ - if ((elm)->field.cqe_next == (void *)(head)) \ - (head)->cqh_last = (elm)->field.cqe_prev; \ - else \ - (elm)->field.cqe_next->field.cqe_prev = \ - (elm)->field.cqe_prev; \ - if ((elm)->field.cqe_prev == (void *)(head)) \ - (head)->cqh_first = (elm)->field.cqe_next; \ - else \ - (elm)->field.cqe_prev->field.cqe_next = \ - (elm)->field.cqe_next; \ -} while (0) -#endif /* !_SYS_QUEUE_H_ */ diff --git a/keyexchange/isakmpd-20041012/sysdep/freeswan/sysdep-os.h b/keyexchange/isakmpd-20041012/sysdep/freeswan/sysdep-os.h deleted file mode 100644 index 72e9d08..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/freeswan/sysdep-os.h +++ /dev/null @@ -1,46 +0,0 @@ -/* $OpenBSD: sysdep-os.h,v 1.2 2003/06/03 14:53:11 ho Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _SYSDEP_OS_H_ -#define _SYSDEP_OS_H_ - -typedef u_int16_t in_port_t; -typedef u_int32_t in_addr_t; - -#if 0 -/* - * Why -D__USE_GNU does not work in order to get this from stdio.h beats me. - */ -extern int asprintf(char **, const char *, ...); -#endif - -#define DL_LAZY RTLD_LAZY - -#endif /* _SYSDEP_OS_H_ */ diff --git a/keyexchange/isakmpd-20041012/sysdep/freeswan/sysdep.c b/keyexchange/isakmpd-20041012/sysdep/freeswan/sysdep.c deleted file mode 100644 index 9e99d7e..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/freeswan/sysdep.c +++ /dev/null @@ -1,186 +0,0 @@ -/* $OpenBSD: sysdep.c,v 1.3 2004/08/10 15:59:10 ho Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/types.h> -#include <sys/socket.h> -#include <sys/time.h> -#include <netinet/in.h> -#include <stdlib.h> -#include <string.h> -#include <fcntl.h> -#include <md5.h> -#include <unistd.h> - -#include "sysdep.h" - -#ifdef NEED_SYSDEP_APP -#include "app.h" -#include "conf.h" -#include "ipsec.h" -#include "klips.h" -#endif /* NEED_SYSDEP_APP */ -#include "log.h" -#include "sysdep.h" - -extern char *__progname; - -u_int32_t -sysdep_random () -{ - u_int32_t rndval; - u_char sig[16]; - MD5_CTX ctx; - int fd, i; - struct { - struct timeval tv; - u_int rnd[(128 - sizeof (struct timeval)) / sizeof (u_int)]; - } rdat; - - fd = open ("/dev/urandom", O_RDONLY); - if (fd != -1) - { - read (fd, rdat.rnd, sizeof(rdat.rnd)); - close (fd); - } - MD5Init (&ctx); - MD5Update (&ctx, (char *)&rdat, sizeof(rdat)); - MD5Final (sig, &ctx); - - rndval = 0; - for (i = 0; i < 4; i++) - { - u_int32_t *tmp = (u_int32_t *)&sig[i * 4]; - rndval ^= *tmp; - } - - return rndval; -} - -char * -sysdep_progname () -{ - return __progname; -} - -/* Return the length of the sockaddr struct. */ -u_int8_t -sysdep_sa_len (struct sockaddr *sa) -{ - switch (sa->sa_family) - { - case AF_INET: - return sizeof (struct sockaddr_in); - case AF_INET6: - return sizeof (struct sockaddr_in6); - } - log_print ("sysdep_sa_len: unknown sa family %d", sa->sa_family); - return sizeof (struct sockaddr_in); -} - -/* As regress/ use this file I protect the sysdep_app_* stuff like this. */ -#ifdef NEED_SYSDEP_APP -int -sysdep_app_open () -{ - return klips_open (); -} - -void -sysdep_app_handler (int fd) -{ -} - -/* Check that the connection named NAME is active, or else make it active. */ -void -sysdep_connection_check (char *name) -{ - klips_connection_check (name); -} - -/* - * Generate a SPI for protocol PROTO and the source/destination pair given by - * SRC, SRCLEN, DST & DSTLEN. Stash the SPI size in SZ. - */ -u_int8_t * -sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src, - struct sockaddr *dst, u_int32_t seq) -{ - if (app_none) - { - *sz = IPSEC_SPI_SIZE; - /* XXX should be random instead I think. */ - return strdup ("\x12\x34\x56\x78"); - } - - return klips_get_spi (sz, proto, src, dst, seq); -} - -struct sa_kinfo * -sysdep_ipsec_get_kernel_sa(u_int8_t *spi, size_t spi_sz, u_int8_t proto, - struct sockaddr *dst) -{ - if (app_none) - return 0; - /* XXX return KEY_API(get_kernel_sa)(spi, spi_sz, proto, dst); */ - return 0; -} - -int -sysdep_cleartext (int fd, int af) -{ - return 0; -} - -int -sysdep_ipsec_delete_spi (struct sa *sa, struct proto *proto, int incoming) -{ - return klips_delete_spi (sa, proto, incoming); -} - -int -sysdep_ipsec_enable_sa (struct sa *sa, struct sa *isakmp_sa) -{ - return klips_enable_sa (sa, isakmp_sa); -} - -int -sysdep_ipsec_group_spis (struct sa *sa, struct proto *proto1, - struct proto *proto2, int incoming) -{ - return klips_group_spis (sa, proto1, proto2, incoming); -} - -int -sysdep_ipsec_set_spi (struct sa *sa, struct proto *proto, int incoming, - struct sa *isakmp_sa) -{ - return klips_set_spi (sa, proto, incoming, isakmp_sa); -} -#endif diff --git a/keyexchange/isakmpd-20041012/sysdep/linux/GNUmakefile.sysdep b/keyexchange/isakmpd-20041012/sysdep/linux/GNUmakefile.sysdep deleted file mode 100644 index 6c0fa10..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/linux/GNUmakefile.sysdep +++ /dev/null @@ -1,60 +0,0 @@ -# $OpenBSD: GNUmakefile.sysdep,v 1.9 2004/08/10 09:49:51 ho Exp $ - -# -# Copyright (c) 1999 Niklas Hallqvist. All rights reserved. -# Copyright (c) 2003 Thomas Walpuski. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -LIBGMP:= /usr/lib/libgmp.a -LIBCRYPTO:= /usr/lib/libcrypto.a -LIBSYSDEPDIR:= ${.CURDIR}/sysdep/common/libsysdep -LIBSYSDEP:= ${LIBSYSDEPDIR}/libsysdep.a - -LDADD+= -lgmp ${LIBSYSDEP} ${LIBCRYPTO} -DPADD+= ${LIBGMP} ${LIBSYSDEP} - -CFLAGS+= -DHAVE_GETNAMEINFO -DUSE_OLD_SOCKADDR -DHAVE_PCAP \ - -DNEED_SYSDEP_APP -DMP_FLAVOUR=MP_FLAVOUR_GMP -DUSE_AES \ - -I${.CURDIR}/sysdep/linux/include -I${.CURDIR}/sysdep/common \ - -I/usr/include/openssl - -FEATURES= debug tripledes blowfish cast ec aggressive x509 policy -FEATURES+= dpd nat_traversal isakmp_cfg des aes - -IPSEC_SRCS= pf_key_v2.c -IPSEC_CFLAGS= -DUSE_PF_KEY_V2 - -USE_LIBCRYPO= defined -HAVE_DLOPEN= defined -USE_KEYNOTE= defined - -# hack libsysdep.a dependenc -${LIBSYSDEPDIR}/.depend ${LIBSYSDEP}: - cd ${LIBSYSDEPDIR} && \ - ${MAKE} --no-print-directory \ - CFLAGS="${CFLAGS}" MKDEP="${MKDEP}" ${MAKECMDGOALS} - -ifeq ($(findstring clean,$(MAKECMDGOALS)),clean) -SUBDIR+= sysdep/common/libsysdep -MAKEFLAGS+= --no-print-directory -endif diff --git a/keyexchange/isakmpd-20041012/sysdep/linux/bitstring.h b/keyexchange/isakmpd-20041012/sysdep/linux/bitstring.h deleted file mode 100644 index ce20dd9..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/linux/bitstring.h +++ /dev/null @@ -1,128 +0,0 @@ -/* $OpenBSD: bitstring.h,v 1.1 2003/09/02 18:11:15 ho Exp $ */ -/* $NetBSD: bitstring.h,v 1.5 1997/05/14 15:49:55 pk Exp $ */ - -/* - * Copyright (c) 1989, 1993 - * The Regents of the University of California. All rights reserved. - * - * This code is derived from software contributed to Berkeley by - * Paul Vixie. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * @(#)bitstring.h 8.1 (Berkeley) 7/19/93 - */ - -#ifndef _BITSTRING_H_ -#define _BITSTRING_H_ - -/* modified for SV/AT and bitstring bugfix by M.R.Murphy, 11oct91 - * bitstr_size changed gratuitously, but shorter - * bit_alloc spelling error fixed - * the following were efficient, but didn't work, they've been made to - * work, but are no longer as efficient :-) - * bit_nclear, bit_nset, bit_ffc, bit_ffs - */ -typedef unsigned char bitstr_t; - -/* internal macros */ - /* byte of the bitstring bit is in */ -#define _bit_byte(bit) \ - ((bit) >> 3) - - /* mask for the bit within its byte */ -#define _bit_mask(bit) \ - (1 << ((bit)&0x7)) - -/* external macros */ - /* bytes in a bitstring of nbits bits */ -#define bitstr_size(nbits) \ - (((nbits) + 7) >> 3) - - /* allocate a bitstring */ -#define bit_alloc(nbits) \ - (bitstr_t *)calloc((size_t)bitstr_size(nbits), sizeof(bitstr_t)) - - /* allocate a bitstring on the stack */ -#define bit_decl(name, nbits) \ - ((name)[bitstr_size(nbits)]) - - /* is bit N of bitstring name set? */ -#define bit_test(name, bit) \ - ((name)[_bit_byte(bit)] & _bit_mask(bit)) - - /* set bit N of bitstring name */ -#define bit_set(name, bit) \ - ((name)[_bit_byte(bit)] |= _bit_mask(bit)) - - /* clear bit N of bitstring name */ -#define bit_clear(name, bit) \ - ((name)[_bit_byte(bit)] &= ~_bit_mask(bit)) - - /* clear bits start ... stop in bitstring */ -#define bit_nclear(name, start, stop) do { \ - register bitstr_t *_name = name; \ - register int _start = start, _stop = stop; \ - while (_start <= _stop) { \ - bit_clear(_name, _start); \ - _start++; \ - } \ -} while(0) - - /* set bits start ... stop in bitstring */ -#define bit_nset(name, start, stop) do { \ - register bitstr_t *_name = name; \ - register int _start = start, _stop = stop; \ - while (_start <= _stop) { \ - bit_set(_name, _start); \ - _start++; \ - } \ -} while(0) - - /* find first bit clear in name */ -#define bit_ffc(name, nbits, value) do { \ - register bitstr_t *_name = name; \ - register int _bit, _nbits = nbits, _value = -1; \ - for (_bit = 0; _bit < _nbits; ++_bit) \ - if (!bit_test(_name, _bit)) { \ - _value = _bit; \ - break; \ - } \ - *(value) = _value; \ -} while(0) - - /* find first bit set in name */ -#define bit_ffs(name, nbits, value) do { \ - register bitstr_t *_name = name; \ - register int _bit, _nbits = nbits, _value = -1; \ - for (_bit = 0; _bit < _nbits; ++_bit) \ - if (bit_test(_name, _bit)) { \ - _value = _bit; \ - break; \ - } \ - *(value) = _value; \ -} while(0) - -#endif /* !_BITSTRING_H_ */ diff --git a/keyexchange/isakmpd-20041012/sysdep/linux/include/bitstring.h b/keyexchange/isakmpd-20041012/sysdep/linux/include/bitstring.h deleted file mode 100644 index 1939615..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/linux/include/bitstring.h +++ /dev/null @@ -1,132 +0,0 @@ -/* $OpenBSD: bitstring.h,v 1.4 2002/06/19 02:50:10 millert Exp $ */ -/* $NetBSD: bitstring.h,v 1.5 1997/05/14 15:49:55 pk Exp $ */ - -/* - * Copyright (c) 1989, 1993 - * The Regents of the University of California. All rights reserved. - * - * This code is derived from software contributed to Berkeley by - * Paul Vixie. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * @(#)bitstring.h 8.1 (Berkeley) 7/19/93 - */ - -#ifndef _BITSTRING_H_ -#define _BITSTRING_H_ - -/* modified for SV/AT and bitstring bugfix by M.R.Murphy, 11oct91 - * bitstr_size changed gratuitously, but shorter - * bit_alloc spelling error fixed - * the following were efficient, but didn't work, they've been made to - * work, but are no longer as efficient :-) - * bit_nclear, bit_nset, bit_ffc, bit_ffs - */ -typedef unsigned char bitstr_t; - -/* internal macros */ - /* byte of the bitstring bit is in */ -#define _bit_byte(bit) \ - ((bit) >> 3) - - /* mask for the bit within its byte */ -#define _bit_mask(bit) \ - (1 << ((bit)&0x7)) - -/* external macros */ - /* bytes in a bitstring of nbits bits */ -#define bitstr_size(nbits) \ - (((nbits) + 7) >> 3) - - /* allocate a bitstring */ -#define bit_alloc(nbits) \ - (bitstr_t *)calloc((size_t)bitstr_size(nbits), sizeof(bitstr_t)) - - /* allocate a bitstring on the stack */ -#define bit_decl(name, nbits) \ - ((name)[bitstr_size(nbits)]) - - /* is bit N of bitstring name set? */ -#define bit_test(name, bit) \ - ((name)[_bit_byte(bit)] & _bit_mask(bit)) - - /* set bit N of bitstring name */ -#define bit_set(name, bit) \ - ((name)[_bit_byte(bit)] |= _bit_mask(bit)) - - /* clear bit N of bitstring name */ -#define bit_clear(name, bit) \ - ((name)[_bit_byte(bit)] &= ~_bit_mask(bit)) - - /* clear bits start ... stop in bitstring */ -#define bit_nclear(name, start, stop) do { \ - register bitstr_t *_name = name; \ - register int _start = start, _stop = stop; \ - while (_start <= _stop) { \ - bit_clear(_name, _start); \ - _start++; \ - } \ -} while(0) - - /* set bits start ... stop in bitstring */ -#define bit_nset(name, start, stop) do { \ - register bitstr_t *_name = name; \ - register int _start = start, _stop = stop; \ - while (_start <= _stop) { \ - bit_set(_name, _start); \ - _start++; \ - } \ -} while(0) - - /* find first bit clear in name */ -#define bit_ffc(name, nbits, value) do { \ - register bitstr_t *_name = name; \ - register int _bit, _nbits = nbits, _value = -1; \ - for (_bit = 0; _bit < _nbits; ++_bit) \ - if (!bit_test(_name, _bit)) { \ - _value = _bit; \ - break; \ - } \ - *(value) = _value; \ -} while(0) - - /* find first bit set in name */ -#define bit_ffs(name, nbits, value) do { \ - register bitstr_t *_name = name; \ - register int _bit, _nbits = nbits, _value = -1; \ - for (_bit = 0; _bit < _nbits; ++_bit) \ - if (bit_test(_name, _bit)) { \ - _value = _bit; \ - break; \ - } \ - *(value) = _value; \ -} while(0) - -#endif /* !_BITSTRING_H_ */ diff --git a/keyexchange/isakmpd-20041012/sysdep/linux/include/sys/queue.h b/keyexchange/isakmpd-20041012/sysdep/linux/include/sys/queue.h deleted file mode 100644 index c4ac33d..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/linux/include/sys/queue.h +++ /dev/null @@ -1,453 +0,0 @@ -/* - * Copyright (c) 1991, 1993 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * @(#)queue.h 8.5 (Berkeley) 8/20/94 - * $FreeBSD: src/sys/sys/queue.h,v 1.45 2001/12/11 11:49:58 sheldonh Exp $ - */ - -#ifndef _SYS_QUEUE_H_ -#define _SYS_QUEUE_H_ - -//#include <machine/ansi.h> /* for __offsetof */ - -/* - * This file defines four types of data structures: singly-linked lists, - * singly-linked tail queues, lists and tail queues. - * - * A singly-linked list is headed by a single forward pointer. The elements - * are singly linked for minimum space and pointer manipulation overhead at - * the expense of O(n) removal for arbitrary elements. New elements can be - * added to the list after an existing element or at the head of the list. - * Elements being removed from the head of the list should use the explicit - * macro for this purpose for optimum efficiency. A singly-linked list may - * only be traversed in the forward direction. Singly-linked lists are ideal - * for applications with large datasets and few or no removals or for - * implementing a LIFO queue. - * - * A singly-linked tail queue is headed by a pair of pointers, one to the - * head of the list and the other to the tail of the list. The elements are - * singly linked for minimum space and pointer manipulation overhead at the - * expense of O(n) removal for arbitrary elements. New elements can be added - * to the list after an existing element, at the head of the list, or at the - * end of the list. Elements being removed from the head of the tail queue - * should use the explicit macro for this purpose for optimum efficiency. - * A singly-linked tail queue may only be traversed in the forward direction. - * Singly-linked tail queues are ideal for applications with large datasets - * and few or no removals or for implementing a FIFO queue. - * - * A list is headed by a single forward pointer (or an array of forward - * pointers for a hash table header). The elements are doubly linked - * so that an arbitrary element can be removed without a need to - * traverse the list. New elements can be added to the list before - * or after an existing element or at the head of the list. A list - * may only be traversed in the forward direction. - * - * A tail queue is headed by a pair of pointers, one to the head of the - * list and the other to the tail of the list. The elements are doubly - * linked so that an arbitrary element can be removed without a need to - * traverse the list. New elements can be added to the list before or - * after an existing element, at the head of the list, or at the end of - * the list. A tail queue may be traversed in either direction. - * - * For details on the use of these macros, see the queue(3) manual page. - * - * - * SLIST LIST STAILQ TAILQ - * _HEAD + + + + - * _HEAD_INITIALIZER + + + + - * _ENTRY + + + + - * _INIT + + + + - * _EMPTY + + + + - * _FIRST + + + + - * _NEXT + + + + - * _PREV - - - + - * _LAST - - + + - * _FOREACH + + + + - * _FOREACH_REVERSE - - - + - * _INSERT_HEAD + + + + - * _INSERT_BEFORE - + - + - * _INSERT_AFTER + + + + - * _INSERT_TAIL - - + + - * _REMOVE_HEAD + - + - - * _REMOVE + + + + - * - */ - -/* - * Singly-linked List declarations. - */ -#define SLIST_HEAD(name, type) \ -struct name { \ - struct type *slh_first; /* first element */ \ -} - -#define SLIST_HEAD_INITIALIZER(head) \ - { NULL } - -#define SLIST_ENTRY(type) \ -struct { \ - struct type *sle_next; /* next element */ \ -} - -/* - * Singly-linked List functions. - */ -#define SLIST_EMPTY(head) ((head)->slh_first == NULL) - -#define SLIST_FIRST(head) ((head)->slh_first) - -#define SLIST_FOREACH(var, head, field) \ - for ((var) = SLIST_FIRST((head)); \ - (var); \ - (var) = SLIST_NEXT((var), field)) - -#define SLIST_INIT(head) do { \ - SLIST_FIRST((head)) = NULL; \ -} while (0) - -#define SLIST_INSERT_AFTER(slistelm, elm, field) do { \ - SLIST_NEXT((elm), field) = SLIST_NEXT((slistelm), field); \ - SLIST_NEXT((slistelm), field) = (elm); \ -} while (0) - -#define SLIST_INSERT_HEAD(head, elm, field) do { \ - SLIST_NEXT((elm), field) = SLIST_FIRST((head)); \ - SLIST_FIRST((head)) = (elm); \ -} while (0) - -#define SLIST_NEXT(elm, field) ((elm)->field.sle_next) - -#define SLIST_REMOVE(head, elm, type, field) do { \ - if (SLIST_FIRST((head)) == (elm)) { \ - SLIST_REMOVE_HEAD((head), field); \ - } \ - else { \ - struct type *curelm = SLIST_FIRST((head)); \ - while (SLIST_NEXT(curelm, field) != (elm)) \ - curelm = SLIST_NEXT(curelm, field); \ - SLIST_NEXT(curelm, field) = \ - SLIST_NEXT(SLIST_NEXT(curelm, field), field); \ - } \ -} while (0) - -#define SLIST_REMOVE_HEAD(head, field) do { \ - SLIST_FIRST((head)) = SLIST_NEXT(SLIST_FIRST((head)), field); \ -} while (0) - -/* - * Singly-linked Tail queue declarations. - */ -#define STAILQ_HEAD(name, type) \ -struct name { \ - struct type *stqh_first;/* first element */ \ - struct type **stqh_last;/* addr of last next element */ \ -} - -#define STAILQ_HEAD_INITIALIZER(head) \ - { NULL, &(head).stqh_first } - -#define STAILQ_ENTRY(type) \ -struct { \ - struct type *stqe_next; /* next element */ \ -} - -/* - * Singly-linked Tail queue functions. - */ -#define STAILQ_EMPTY(head) ((head)->stqh_first == NULL) - -#define STAILQ_FIRST(head) ((head)->stqh_first) - -#define STAILQ_FOREACH(var, head, field) \ - for((var) = STAILQ_FIRST((head)); \ - (var); \ - (var) = STAILQ_NEXT((var), field)) - -#define STAILQ_INIT(head) do { \ - STAILQ_FIRST((head)) = NULL; \ - (head)->stqh_last = &STAILQ_FIRST((head)); \ -} while (0) - -#define STAILQ_INSERT_AFTER(head, tqelm, elm, field) do { \ - if ((STAILQ_NEXT((elm), field) = STAILQ_NEXT((tqelm), field)) == NULL)\ - (head)->stqh_last = &STAILQ_NEXT((elm), field); \ - STAILQ_NEXT((tqelm), field) = (elm); \ -} while (0) - -#define STAILQ_INSERT_HEAD(head, elm, field) do { \ - if ((STAILQ_NEXT((elm), field) = STAILQ_FIRST((head))) == NULL) \ - (head)->stqh_last = &STAILQ_NEXT((elm), field); \ - STAILQ_FIRST((head)) = (elm); \ -} while (0) - -#define STAILQ_INSERT_TAIL(head, elm, field) do { \ - STAILQ_NEXT((elm), field) = NULL; \ - *(head)->stqh_last = (elm); \ - (head)->stqh_last = &STAILQ_NEXT((elm), field); \ -} while (0) - -#define STAILQ_LAST(head, type, field) \ - (STAILQ_EMPTY(head) ? \ - NULL : \ - ((struct type *) \ - ((char *)((head)->stqh_last) - __offsetof(struct type, field)))) - -#define STAILQ_NEXT(elm, field) ((elm)->field.stqe_next) - -#define STAILQ_REMOVE(head, elm, type, field) do { \ - if (STAILQ_FIRST((head)) == (elm)) { \ - STAILQ_REMOVE_HEAD(head, field); \ - } \ - else { \ - struct type *curelm = STAILQ_FIRST((head)); \ - while (STAILQ_NEXT(curelm, field) != (elm)) \ - curelm = STAILQ_NEXT(curelm, field); \ - if ((STAILQ_NEXT(curelm, field) = \ - STAILQ_NEXT(STAILQ_NEXT(curelm, field), field)) == NULL)\ - (head)->stqh_last = &STAILQ_NEXT((curelm), field);\ - } \ -} while (0) - -#define STAILQ_REMOVE_HEAD(head, field) do { \ - if ((STAILQ_FIRST((head)) = \ - STAILQ_NEXT(STAILQ_FIRST((head)), field)) == NULL) \ - (head)->stqh_last = &STAILQ_FIRST((head)); \ -} while (0) - -#define STAILQ_REMOVE_HEAD_UNTIL(head, elm, field) do { \ - if ((STAILQ_FIRST((head)) = STAILQ_NEXT((elm), field)) == NULL) \ - (head)->stqh_last = &STAILQ_FIRST((head)); \ -} while (0) - -/* - * List declarations. - */ -#define LIST_HEAD(name, type) \ -struct name { \ - struct type *lh_first; /* first element */ \ -} - -#define LIST_HEAD_INITIALIZER(head) \ - { NULL } - -#define LIST_ENTRY(type) \ -struct { \ - struct type *le_next; /* next element */ \ - struct type **le_prev; /* address of previous next element */ \ -} - -/* - * List functions. - */ - -#define LIST_EMPTY(head) ((head)->lh_first == NULL) - -#define LIST_FIRST(head) ((head)->lh_first) - -#define LIST_FOREACH(var, head, field) \ - for ((var) = LIST_FIRST((head)); \ - (var); \ - (var) = LIST_NEXT((var), field)) - -#define LIST_INIT(head) do { \ - LIST_FIRST((head)) = NULL; \ -} while (0) - -#define LIST_INSERT_AFTER(listelm, elm, field) do { \ - if ((LIST_NEXT((elm), field) = LIST_NEXT((listelm), field)) != NULL)\ - LIST_NEXT((listelm), field)->field.le_prev = \ - &LIST_NEXT((elm), field); \ - LIST_NEXT((listelm), field) = (elm); \ - (elm)->field.le_prev = &LIST_NEXT((listelm), field); \ -} while (0) - -#define LIST_INSERT_BEFORE(listelm, elm, field) do { \ - (elm)->field.le_prev = (listelm)->field.le_prev; \ - LIST_NEXT((elm), field) = (listelm); \ - *(listelm)->field.le_prev = (elm); \ - (listelm)->field.le_prev = &LIST_NEXT((elm), field); \ -} while (0) - -#define LIST_INSERT_HEAD(head, elm, field) do { \ - if ((LIST_NEXT((elm), field) = LIST_FIRST((head))) != NULL) \ - LIST_FIRST((head))->field.le_prev = &LIST_NEXT((elm), field);\ - LIST_FIRST((head)) = (elm); \ - (elm)->field.le_prev = &LIST_FIRST((head)); \ -} while (0) - -#define LIST_NEXT(elm, field) ((elm)->field.le_next) - -#define LIST_REMOVE(elm, field) do { \ - if (LIST_NEXT((elm), field) != NULL) \ - LIST_NEXT((elm), field)->field.le_prev = \ - (elm)->field.le_prev; \ - *(elm)->field.le_prev = LIST_NEXT((elm), field); \ -} while (0) - -/* - * Tail queue declarations. - */ -#define TAILQ_HEAD(name, type) \ -struct name { \ - struct type *tqh_first; /* first element */ \ - struct type **tqh_last; /* addr of last next element */ \ -} - -#define TAILQ_HEAD_INITIALIZER(head) \ - { NULL, &(head).tqh_first } - -#define TAILQ_ENTRY(type) \ -struct { \ - struct type *tqe_next; /* next element */ \ - struct type **tqe_prev; /* address of previous next element */ \ -} - -/* - * Tail queue functions. - */ -#define TAILQ_EMPTY(head) ((head)->tqh_first == NULL) - -#define TAILQ_FIRST(head) ((head)->tqh_first) - -#define TAILQ_FOREACH(var, head, field) \ - for ((var) = TAILQ_FIRST((head)); \ - (var); \ - (var) = TAILQ_NEXT((var), field)) - -#define TAILQ_FOREACH_REVERSE(var, head, headname, field) \ - for ((var) = TAILQ_LAST((head), headname); \ - (var); \ - (var) = TAILQ_PREV((var), headname, field)) - -#define TAILQ_INIT(head) do { \ - TAILQ_FIRST((head)) = NULL; \ - (head)->tqh_last = &TAILQ_FIRST((head)); \ -} while (0) - -#define TAILQ_INSERT_AFTER(head, listelm, elm, field) do { \ - if ((TAILQ_NEXT((elm), field) = TAILQ_NEXT((listelm), field)) != NULL)\ - TAILQ_NEXT((elm), field)->field.tqe_prev = \ - &TAILQ_NEXT((elm), field); \ - else \ - (head)->tqh_last = &TAILQ_NEXT((elm), field); \ - TAILQ_NEXT((listelm), field) = (elm); \ - (elm)->field.tqe_prev = &TAILQ_NEXT((listelm), field); \ -} while (0) - -#define TAILQ_INSERT_BEFORE(listelm, elm, field) do { \ - (elm)->field.tqe_prev = (listelm)->field.tqe_prev; \ - TAILQ_NEXT((elm), field) = (listelm); \ - *(listelm)->field.tqe_prev = (elm); \ - (listelm)->field.tqe_prev = &TAILQ_NEXT((elm), field); \ -} while (0) - -#define TAILQ_INSERT_HEAD(head, elm, field) do { \ - if ((TAILQ_NEXT((elm), field) = TAILQ_FIRST((head))) != NULL) \ - TAILQ_FIRST((head))->field.tqe_prev = \ - &TAILQ_NEXT((elm), field); \ - else \ - (head)->tqh_last = &TAILQ_NEXT((elm), field); \ - TAILQ_FIRST((head)) = (elm); \ - (elm)->field.tqe_prev = &TAILQ_FIRST((head)); \ -} while (0) - -#define TAILQ_INSERT_TAIL(head, elm, field) do { \ - TAILQ_NEXT((elm), field) = NULL; \ - (elm)->field.tqe_prev = (head)->tqh_last; \ - *(head)->tqh_last = (elm); \ - (head)->tqh_last = &TAILQ_NEXT((elm), field); \ -} while (0) - -#define TAILQ_LAST(head, headname) \ - (*(((struct headname *)((head)->tqh_last))->tqh_last)) - -#define TAILQ_NEXT(elm, field) ((elm)->field.tqe_next) - -#define TAILQ_PREV(elm, headname, field) \ - (*(((struct headname *)((elm)->field.tqe_prev))->tqh_last)) - -#define TAILQ_REMOVE(head, elm, field) do { \ - if ((TAILQ_NEXT((elm), field)) != NULL) \ - TAILQ_NEXT((elm), field)->field.tqe_prev = \ - (elm)->field.tqe_prev; \ - else \ - (head)->tqh_last = (elm)->field.tqe_prev; \ - *(elm)->field.tqe_prev = TAILQ_NEXT((elm), field); \ -} while (0) - - -#ifdef _KERNEL - -/* - * XXX insque() and remque() are an old way of handling certain queues. - * They bogusly assumes that all queue heads look alike. - */ - -struct quehead { - struct quehead *qh_link; - struct quehead *qh_rlink; -}; - -#ifdef __GNUC__ - -static __inline void -insque(void *a, void *b) -{ - struct quehead *element = (struct quehead *)a, - *head = (struct quehead *)b; - - element->qh_link = head->qh_link; - element->qh_rlink = head; - head->qh_link = element; - element->qh_link->qh_rlink = element; -} - -static __inline void -remque(void *a) -{ - struct quehead *element = (struct quehead *)a; - - element->qh_link->qh_rlink = element->qh_rlink; - element->qh_rlink->qh_link = element->qh_link; - element->qh_rlink = 0; -} - -#else /* !__GNUC__ */ - -void insque __P((void *a, void *b)); -void remque __P((void *a)); - -#endif /* __GNUC__ */ - -#endif /* _KERNEL */ - -#endif /* !_SYS_QUEUE_H_ */ diff --git a/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h b/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h deleted file mode 100644 index 3f0be6c..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/linux/sys/queue.h +++ /dev/null @@ -1,499 +0,0 @@ -/* $OpenBSD: queue.h,v 1.7 2004/04/08 16:08:21 henning Exp $ */ -/* $NetBSD: queue.h,v 1.11 1996/05/16 05:17:14 mycroft Exp $ */ - -/* - * Copyright (c) 1991, 1993 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * @(#)queue.h 8.5 (Berkeley) 8/20/94 - */ - -#ifndef _SYS_QUEUE_H_ -#define _SYS_QUEUE_H_ - -/* - * This file defines five types of data structures: singly-linked lists, - * lists, simple queues, tail queues, and circular queues. - * - * - * A singly-linked list is headed by a single forward pointer. The elements - * are singly linked for minimum space and pointer manipulation overhead at - * the expense of O(n) removal for arbitrary elements. New elements can be - * added to the list after an existing element or at the head of the list. - * Elements being removed from the head of the list should use the explicit - * macro for this purpose for optimum efficiency. A singly-linked list may - * only be traversed in the forward direction. Singly-linked lists are ideal - * for applications with large datasets and few or no removals or for - * implementing a LIFO queue. - * - * A list is headed by a single forward pointer (or an array of forward - * pointers for a hash table header). The elements are doubly linked - * so that an arbitrary element can be removed without a need to - * traverse the list. New elements can be added to the list before - * or after an existing element or at the head of the list. A list - * may only be traversed in the forward direction. - * - * A simple queue is headed by a pair of pointers, one the head of the - * list and the other to the tail of the list. The elements are singly - * linked to save space, so elements can only be removed from the - * head of the list. New elements can be added to the list before or after - * an existing element, at the head of the list, or at the end of the - * list. A simple queue may only be traversed in the forward direction. - * - * A tail queue is headed by a pair of pointers, one to the head of the - * list and the other to the tail of the list. The elements are doubly - * linked so that an arbitrary element can be removed without a need to - * traverse the list. New elements can be added to the list before or - * after an existing element, at the head of the list, or at the end of - * the list. A tail queue may be traversed in either direction. - * - * A circle queue is headed by a pair of pointers, one to the head of the - * list and the other to the tail of the list. The elements are doubly - * linked so that an arbitrary element can be removed without a need to - * traverse the list. New elements can be added to the list before or after - * an existing element, at the head of the list, or at the end of the list. - * A circle queue may be traversed in either direction, but has a more - * complex end of list detection. - * - * For details on the use of these macros, see the queue(3) manual page. - */ - -/* - * Singly-linked List definitions. - */ -#define SLIST_HEAD(name, type) \ -struct name { \ - struct type *slh_first; /* first element */ \ -} - -#define SLIST_HEAD_INITIALIZER(head) \ - { NULL } - -#define SLIST_ENTRY(type) \ -struct { \ - struct type *sle_next; /* next element */ \ -} - -/* - * Singly-linked List access methods. - */ -#define SLIST_FIRST(head) ((head)->slh_first) -#define SLIST_END(head) NULL -#define SLIST_EMPTY(head) (SLIST_FIRST(head) == SLIST_END(head)) -#define SLIST_NEXT(elm, field) ((elm)->field.sle_next) - -#define SLIST_FOREACH(var, head, field) \ - for((var) = SLIST_FIRST(head); \ - (var) != SLIST_END(head); \ - (var) = SLIST_NEXT(var, field)) - -/* - * Singly-linked List functions. - */ -#define SLIST_INIT(head) { \ - SLIST_FIRST(head) = SLIST_END(head); \ -} - -#define SLIST_INSERT_AFTER(slistelm, elm, field) do { \ - (elm)->field.sle_next = (slistelm)->field.sle_next; \ - (slistelm)->field.sle_next = (elm); \ -} while (0) - -#define SLIST_INSERT_HEAD(head, elm, field) do { \ - (elm)->field.sle_next = (head)->slh_first; \ - (head)->slh_first = (elm); \ -} while (0) - -#define SLIST_REMOVE_HEAD(head, field) do { \ - (head)->slh_first = (head)->slh_first->field.sle_next; \ -} while (0) - -#define SLIST_REMOVE(head, elm, type, field) do { \ - if ((head)->slh_first == (elm)) { \ - SLIST_REMOVE_HEAD((head), field); \ - } \ - else { \ - struct type *curelm = (head)->slh_first; \ - while( curelm->field.sle_next != (elm) ) \ - curelm = curelm->field.sle_next; \ - curelm->field.sle_next = \ - curelm->field.sle_next->field.sle_next; \ - } \ -} while (0) - -/* - * List definitions. - */ -#define LIST_HEAD(name, type) \ -struct name { \ - struct type *lh_first; /* first element */ \ -} - -#define LIST_HEAD_INITIALIZER(head) \ - { NULL } - -#define LIST_ENTRY(type) \ -struct { \ - struct type *le_next; /* next element */ \ - struct type **le_prev; /* address of previous next element */ \ -} - -/* - * List access methods - */ -#define LIST_FIRST(head) ((head)->lh_first) -#define LIST_END(head) NULL -#define LIST_EMPTY(head) (LIST_FIRST(head) == LIST_END(head)) -#define LIST_NEXT(elm, field) ((elm)->field.le_next) - -#define LIST_FOREACH(var, head, field) \ - for((var) = LIST_FIRST(head); \ - (var)!= LIST_END(head); \ - (var) = LIST_NEXT(var, field)) - -/* - * List functions. - */ -#define LIST_INIT(head) do { \ - LIST_FIRST(head) = LIST_END(head); \ -} while (0) - -#define LIST_INSERT_AFTER(listelm, elm, field) do { \ - if (((elm)->field.le_next = (listelm)->field.le_next) != NULL) \ - (listelm)->field.le_next->field.le_prev = \ - &(elm)->field.le_next; \ - (listelm)->field.le_next = (elm); \ - (elm)->field.le_prev = &(listelm)->field.le_next; \ -} while (0) - -#define LIST_INSERT_BEFORE(listelm, elm, field) do { \ - (elm)->field.le_prev = (listelm)->field.le_prev; \ - (elm)->field.le_next = (listelm); \ - *(listelm)->field.le_prev = (elm); \ - (listelm)->field.le_prev = &(elm)->field.le_next; \ -} while (0) - -#define LIST_INSERT_HEAD(head, elm, field) do { \ - if (((elm)->field.le_next = (head)->lh_first) != NULL) \ - (head)->lh_first->field.le_prev = &(elm)->field.le_next;\ - (head)->lh_first = (elm); \ - (elm)->field.le_prev = &(head)->lh_first; \ -} while (0) - -#define LIST_REMOVE(elm, field) do { \ - if ((elm)->field.le_next != NULL) \ - (elm)->field.le_next->field.le_prev = \ - (elm)->field.le_prev; \ - *(elm)->field.le_prev = (elm)->field.le_next; \ -} while (0) - -#define LIST_REPLACE(elm, elm2, field) do { \ - if (((elm2)->field.le_next = (elm)->field.le_next) != NULL) \ - (elm2)->field.le_next->field.le_prev = \ - &(elm2)->field.le_next; \ - (elm2)->field.le_prev = (elm)->field.le_prev; \ - *(elm2)->field.le_prev = (elm2); \ -} while (0) - -/* - * Simple queue definitions. - */ -#define SIMPLEQ_HEAD(name, type) \ -struct name { \ - struct type *sqh_first; /* first element */ \ - struct type **sqh_last; /* addr of last next element */ \ -} - -#define SIMPLEQ_HEAD_INITIALIZER(head) \ - { NULL, &(head).sqh_first } - -#define SIMPLEQ_ENTRY(type) \ -struct { \ - struct type *sqe_next; /* next element */ \ -} - -/* - * Simple queue access methods. - */ -#define SIMPLEQ_FIRST(head) ((head)->sqh_first) -#define SIMPLEQ_END(head) NULL -#define SIMPLEQ_EMPTY(head) (SIMPLEQ_FIRST(head) == SIMPLEQ_END(head)) -#define SIMPLEQ_NEXT(elm, field) ((elm)->field.sqe_next) - -#define SIMPLEQ_FOREACH(var, head, field) \ - for((var) = SIMPLEQ_FIRST(head); \ - (var) != SIMPLEQ_END(head); \ - (var) = SIMPLEQ_NEXT(var, field)) - -/* - * Simple queue functions. - */ -#define SIMPLEQ_INIT(head) do { \ - (head)->sqh_first = NULL; \ - (head)->sqh_last = &(head)->sqh_first; \ -} while (0) - -#define SIMPLEQ_INSERT_HEAD(head, elm, field) do { \ - if (((elm)->field.sqe_next = (head)->sqh_first) == NULL) \ - (head)->sqh_last = &(elm)->field.sqe_next; \ - (head)->sqh_first = (elm); \ -} while (0) - -#define SIMPLEQ_INSERT_TAIL(head, elm, field) do { \ - (elm)->field.sqe_next = NULL; \ - *(head)->sqh_last = (elm); \ - (head)->sqh_last = &(elm)->field.sqe_next; \ -} while (0) - -#define SIMPLEQ_INSERT_AFTER(head, listelm, elm, field) do { \ - if (((elm)->field.sqe_next = (listelm)->field.sqe_next) == NULL)\ - (head)->sqh_last = &(elm)->field.sqe_next; \ - (listelm)->field.sqe_next = (elm); \ -} while (0) - -#define SIMPLEQ_REMOVE_HEAD(head, elm, field) do { \ - if (((head)->sqh_first = (elm)->field.sqe_next) == NULL) \ - (head)->sqh_last = &(head)->sqh_first; \ -} while (0) - -/* - * Tail queue definitions. - */ -#define TAILQ_HEAD(name, type) \ -struct name { \ - struct type *tqh_first; /* first element */ \ - struct type **tqh_last; /* addr of last next element */ \ -} - -#define TAILQ_HEAD_INITIALIZER(head) \ - { NULL, &(head).tqh_first } - -#define TAILQ_ENTRY(type) \ -struct { \ - struct type *tqe_next; /* next element */ \ - struct type **tqe_prev; /* address of previous next element */ \ -} - -/* - * tail queue access methods - */ -#define TAILQ_FIRST(head) ((head)->tqh_first) -#define TAILQ_END(head) NULL -#define TAILQ_NEXT(elm, field) ((elm)->field.tqe_next) -#define TAILQ_LAST(head, headname) \ - (*(((struct headname *)((head)->tqh_last))->tqh_last)) -/* XXX */ -#define TAILQ_PREV(elm, headname, field) \ - (*(((struct headname *)((elm)->field.tqe_prev))->tqh_last)) -#define TAILQ_EMPTY(head) \ - (TAILQ_FIRST(head) == TAILQ_END(head)) - -#define TAILQ_FOREACH(var, head, field) \ - for((var) = TAILQ_FIRST(head); \ - (var) != TAILQ_END(head); \ - (var) = TAILQ_NEXT(var, field)) - -#define TAILQ_FOREACH_REVERSE(var, head, headname, field) \ - for((var) = TAILQ_LAST(head, headname); \ - (var) != TAILQ_END(head); \ - (var) = TAILQ_PREV(var, headname, field)) - -/* - * Tail queue functions. - */ -#define TAILQ_INIT(head) do { \ - (head)->tqh_first = NULL; \ - (head)->tqh_last = &(head)->tqh_first; \ -} while (0) - -#define TAILQ_INSERT_HEAD(head, elm, field) do { \ - if (((elm)->field.tqe_next = (head)->tqh_first) != NULL) \ - (head)->tqh_first->field.tqe_prev = \ - &(elm)->field.tqe_next; \ - else \ - (head)->tqh_last = &(elm)->field.tqe_next; \ - (head)->tqh_first = (elm); \ - (elm)->field.tqe_prev = &(head)->tqh_first; \ -} while (0) - -#define TAILQ_INSERT_TAIL(head, elm, field) do { \ - (elm)->field.tqe_next = NULL; \ - (elm)->field.tqe_prev = (head)->tqh_last; \ - *(head)->tqh_last = (elm); \ - (head)->tqh_last = &(elm)->field.tqe_next; \ -} while (0) - -#define TAILQ_INSERT_AFTER(head, listelm, elm, field) do { \ - if (((elm)->field.tqe_next = (listelm)->field.tqe_next) != NULL)\ - (elm)->field.tqe_next->field.tqe_prev = \ - &(elm)->field.tqe_next; \ - else \ - (head)->tqh_last = &(elm)->field.tqe_next; \ - (listelm)->field.tqe_next = (elm); \ - (elm)->field.tqe_prev = &(listelm)->field.tqe_next; \ -} while (0) - -#define TAILQ_INSERT_BEFORE(listelm, elm, field) do { \ - (elm)->field.tqe_prev = (listelm)->field.tqe_prev; \ - (elm)->field.tqe_next = (listelm); \ - *(listelm)->field.tqe_prev = (elm); \ - (listelm)->field.tqe_prev = &(elm)->field.tqe_next; \ -} while (0) - -#define TAILQ_REMOVE(head, elm, field) do { \ - if (((elm)->field.tqe_next) != NULL) \ - (elm)->field.tqe_next->field.tqe_prev = \ - (elm)->field.tqe_prev; \ - else \ - (head)->tqh_last = (elm)->field.tqe_prev; \ - *(elm)->field.tqe_prev = (elm)->field.tqe_next; \ -} while (0) - -#define TAILQ_REPLACE(head, elm, elm2, field) do { \ - if (((elm2)->field.tqe_next = (elm)->field.tqe_next) != NULL) \ - (elm2)->field.tqe_next->field.tqe_prev = \ - &(elm2)->field.tqe_next; \ - else \ - (head)->tqh_last = &(elm2)->field.tqe_next; \ - (elm2)->field.tqe_prev = (elm)->field.tqe_prev; \ - *(elm2)->field.tqe_prev = (elm2); \ -} while (0) - -/* - * Circular queue definitions. - */ -#define CIRCLEQ_HEAD(name, type) \ -struct name { \ - struct type *cqh_first; /* first element */ \ - struct type *cqh_last; /* last element */ \ -} - -#define CIRCLEQ_HEAD_INITIALIZER(head) \ - { CIRCLEQ_END(&head), CIRCLEQ_END(&head) } - -#define CIRCLEQ_ENTRY(type) \ -struct { \ - struct type *cqe_next; /* next element */ \ - struct type *cqe_prev; /* previous element */ \ -} - -/* - * Circular queue access methods - */ -#define CIRCLEQ_FIRST(head) ((head)->cqh_first) -#define CIRCLEQ_LAST(head) ((head)->cqh_last) -#define CIRCLEQ_END(head) ((void *)(head)) -#define CIRCLEQ_NEXT(elm, field) ((elm)->field.cqe_next) -#define CIRCLEQ_PREV(elm, field) ((elm)->field.cqe_prev) -#define CIRCLEQ_EMPTY(head) \ - (CIRCLEQ_FIRST(head) == CIRCLEQ_END(head)) - -#define CIRCLEQ_FOREACH(var, head, field) \ - for((var) = CIRCLEQ_FIRST(head); \ - (var) != CIRCLEQ_END(head); \ - (var) = CIRCLEQ_NEXT(var, field)) - -#define CIRCLEQ_FOREACH_REVERSE(var, head, field) \ - for((var) = CIRCLEQ_LAST(head); \ - (var) != CIRCLEQ_END(head); \ - (var) = CIRCLEQ_PREV(var, field)) - -/* - * Circular queue functions. - */ -#define CIRCLEQ_INIT(head) do { \ - (head)->cqh_first = CIRCLEQ_END(head); \ - (head)->cqh_last = CIRCLEQ_END(head); \ -} while (0) - -#define CIRCLEQ_INSERT_AFTER(head, listelm, elm, field) do { \ - (elm)->field.cqe_next = (listelm)->field.cqe_next; \ - (elm)->field.cqe_prev = (listelm); \ - if ((listelm)->field.cqe_next == CIRCLEQ_END(head)) \ - (head)->cqh_last = (elm); \ - else \ - (listelm)->field.cqe_next->field.cqe_prev = (elm); \ - (listelm)->field.cqe_next = (elm); \ -} while (0) - -#define CIRCLEQ_INSERT_BEFORE(head, listelm, elm, field) do { \ - (elm)->field.cqe_next = (listelm); \ - (elm)->field.cqe_prev = (listelm)->field.cqe_prev; \ - if ((listelm)->field.cqe_prev == CIRCLEQ_END(head)) \ - (head)->cqh_first = (elm); \ - else \ - (listelm)->field.cqe_prev->field.cqe_next = (elm); \ - (listelm)->field.cqe_prev = (elm); \ -} while (0) - -#define CIRCLEQ_INSERT_HEAD(head, elm, field) do { \ - (elm)->field.cqe_next = (head)->cqh_first; \ - (elm)->field.cqe_prev = CIRCLEQ_END(head); \ - if ((head)->cqh_last == CIRCLEQ_END(head)) \ - (head)->cqh_last = (elm); \ - else \ - (head)->cqh_first->field.cqe_prev = (elm); \ - (head)->cqh_first = (elm); \ -} while (0) - -#define CIRCLEQ_INSERT_TAIL(head, elm, field) do { \ - (elm)->field.cqe_next = CIRCLEQ_END(head); \ - (elm)->field.cqe_prev = (head)->cqh_last; \ - if ((head)->cqh_first == CIRCLEQ_END(head)) \ - (head)->cqh_first = (elm); \ - else \ - (head)->cqh_last->field.cqe_next = (elm); \ - (head)->cqh_last = (elm); \ -} while (0) - -#define CIRCLEQ_REMOVE(head, elm, field) do { \ - if ((elm)->field.cqe_next == CIRCLEQ_END(head)) \ - (head)->cqh_last = (elm)->field.cqe_prev; \ - else \ - (elm)->field.cqe_next->field.cqe_prev = \ - (elm)->field.cqe_prev; \ - if ((elm)->field.cqe_prev == CIRCLEQ_END(head)) \ - (head)->cqh_first = (elm)->field.cqe_next; \ - else \ - (elm)->field.cqe_prev->field.cqe_next = \ - (elm)->field.cqe_next; \ -} while (0) - -#define CIRCLEQ_REPLACE(head, elm, elm2, field) do { \ - if (((elm2)->field.cqe_next = (elm)->field.cqe_next) == \ - CIRCLEQ_END(head)) \ - (head).cqh_last = (elm2); \ - else \ - (elm2)->field.cqe_next->field.cqe_prev = (elm2); \ - if (((elm2)->field.cqe_prev = (elm)->field.cqe_prev) == \ - CIRCLEQ_END(head)) \ - (head).cqh_first = (elm2); \ - else \ - (elm2)->field.cqe_prev->field.cqe_next = (elm2); \ -} while (0) - -#endif /* !_SYS_QUEUE_H_ */ diff --git a/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h b/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h deleted file mode 100644 index 4bd5dfd..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/linux/sysdep-os.h +++ /dev/null @@ -1,64 +0,0 @@ -/* $OpenBSD: sysdep-os.h,v 1.8 2003/06/03 15:20:41 ho Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * Copyright (c) 2003 Thomas Walpuski. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#ifndef _SYSDEP_OS_H_ -#define _SYSDEP_OS_H_ - -#include <netinet/in.h> -#include <time.h> -#include <sys/types.h> -#include <linux/ipsec.h> - -#define KAME - -#define LINUX_IPSEC - -#define uh_sport source -#define uh_dport dest -#define uh_ulen len -#define uh_sum check - -#ifndef CPI_RESERVED_MAX -#define CPI_RESERVED_MIN 1 -#define CPI_RESERVED_MAX 255 -#define CPI_PRIVATE_MIN 61440 -#define CPI_PRIVATE_MAX 65536 -#endif - -#define SADB_X_EALG_AES SADB_X_EALG_AESCBC -#define SADB_X_EALG_CAST SADB_X_EALG_CASTCBC -#define SADB_X_EALG_BLF SADB_X_EALG_BLOWFISHCBC - -#define IP_IPSEC_POLICY 16 -#define IPV6_IPSEC_POLICY 34 - -#define IPV6_VERSION 0x1 - -size_t strlcat(char *dst, const char *src, size_t siz); -size_t strlcpy(char *dst, const char *src, size_t siz); - -#endif diff --git a/keyexchange/isakmpd-20041012/sysdep/linux/sysdep.c b/keyexchange/isakmpd-20041012/sysdep/linux/sysdep.c deleted file mode 100644 index fc3b362..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/linux/sysdep.c +++ /dev/null @@ -1,226 +0,0 @@ -/* $OpenBSD: sysdep.c,v 1.16 2004/08/10 15:59:10 ho Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * Copyright (c) 2003 Thomas Walpuski. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include <sys/types.h> -#include <sys/socket.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <stdlib.h> -#include <string.h> - -#include "sysdep.h" - -#include "util.h" - -#ifdef NEED_SYSDEP_APP -#include "app.h" -#include "conf.h" -#include "ipsec.h" -#include <linux/pfkeyv2.h> -#include <linux/ipsec.h> - -#ifdef USE_PF_KEY_V2 -#include "pf_key_v2.h" -#define KEY_API(x) pf_key_v2_##x -#endif - -#endif /* NEED_SYSDEP_APP */ -#include "log.h" - -extern char *__progname; - -/* - * An as strong as possible random number generator, reverting to a - * deterministic pseudo-random one if regrand is set. - */ -u_int32_t -sysdep_random () -{ - return arc4random(); -} - -/* Return the basename of the command used to invoke us. */ -char * -sysdep_progname () -{ - return __progname; -} - -/* Return the length of the sockaddr struct. */ -u_int8_t -sysdep_sa_len (struct sockaddr *sa) -{ - switch (sa->sa_family) - { - case AF_INET: - return sizeof (struct sockaddr_in); - case AF_INET6: - return sizeof (struct sockaddr_in6); - default: - log_print ("sysdep_sa_len: unknown sa family %d", sa->sa_family); - } - return sizeof (struct sockaddr_in); -} - -/* As regress/ use this file I protect the sysdep_app_* stuff like this. */ -#ifdef NEED_SYSDEP_APP -/* - * Prepare the application we negotiate SAs for (i.e. the IPsec stack) - * for communication. We return a file descriptor useable to select(2) on. - */ -int -sysdep_app_open () -{ - return KEY_API(open) (); -} - -/* - * When select(2) has noticed our application needs attendance, this is what - * gets called. FD is the file descriptor causing the alarm. - */ -void -sysdep_app_handler (int fd) -{ - KEY_API (handler) (fd); -} - -/* Check that the connection named NAME is active, or else make it active. */ -void -sysdep_connection_check (char *name) -{ - KEY_API (connection_check) (name); -} - -/* - * Generate a SPI for protocol PROTO and the source/destination pair given by - * SRC, SRCLEN, DST & DSTLEN. Stash the SPI size in SZ. - */ -u_int8_t * -sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src, - struct sockaddr *dst, u_int32_t seq) -{ - if (app_none) - { - *sz = IPSEC_SPI_SIZE; - /* XXX should be random instead I think. */ - return strdup ("\x12\x34\x56\x78"); - } - return KEY_API (get_spi) (sz, proto, src, dst, seq); -} - -struct sa_kinfo * -sysdep_ipsec_get_kernel_sa(u_int8_t *spi, size_t spi_sz, u_int8_t proto, - struct sockaddr *dst) -{ - if (app_none) - return 0; - /* XXX return KEY_API(get_kernel_sa)(spi, spi_sz, proto, dst); */ - return 0; -} - -/* Force communication on socket FD to go in the clear. */ -int -sysdep_cleartext (int fd, int af) -{ - struct sadb_x_policy pol_in = { - SADB_UPDATE, - SADB_EXT_SENSITIVITY, - IPSEC_POLICY_BYPASS, - IPSEC_DIR_INBOUND, - 0, - 0, - 0 - }; - struct sadb_x_policy pol_out = { - SADB_UPDATE, - SADB_EXT_SENSITIVITY, - IPSEC_POLICY_BYPASS, - IPSEC_DIR_OUTBOUND, - 0, - 0, - 0 - }; - - if (app_none) - return 0; - - if (!(af == AF_INET || af == AF_INET6)) - { - log_print ("sysdep_cleartext: unsupported protocol family %d", af); - return -1; - } - - if (setsockopt (fd, af == AF_INET ? IPPROTO_IP : IPPROTO_IPV6, - af == AF_INET ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY, - &pol_in, sizeof pol_in) < 0 || - setsockopt (fd, af == AF_INET ? IPPROTO_IP : IPPROTO_IPV6, - af == AF_INET ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY, - &pol_out, sizeof pol_out) < 0) - { - log_error ("sysdep_cleartext: " - "setsockopt (%d, IPPROTO_IP%s, IP%s_IPSEC_POLICY, ...) " - "failed", fd, af == AF_INET ? "" : "V6", - af == AF_INET ? "" : "V6"); - return -1; - } - return 0; -} - -int -sysdep_ipsec_delete_spi (struct sa *sa, struct proto *proto, int incoming) -{ - if (app_none) - return 0; - return KEY_API (delete_spi) (sa, proto, incoming); -} - -int -sysdep_ipsec_enable_sa (struct sa *sa, struct sa *isakmp_sa) -{ - if (app_none) - return 0; - return KEY_API (enable_sa) (sa, isakmp_sa); -} - -int -sysdep_ipsec_group_spis (struct sa *sa, struct proto *proto1, - struct proto *proto2, int incoming) -{ - if (app_none) - return 0; - return KEY_API (group_spis) (sa, proto1, proto2, incoming); -} - -int -sysdep_ipsec_set_spi (struct sa *sa, struct proto *proto, int incoming, - struct sa *isakmp_sa) -{ - if (app_none) - return 0; - return KEY_API (set_spi) (sa, proto, incoming, isakmp_sa); -} -#endif diff --git a/keyexchange/isakmpd-20041012/sysdep/netbsd/GNUmakefile.sysdep b/keyexchange/isakmpd-20041012/sysdep/netbsd/GNUmakefile.sysdep deleted file mode 100644 index e506ddc..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/netbsd/GNUmakefile.sysdep +++ /dev/null @@ -1,63 +0,0 @@ -# $OpenBSD: GNUmakefile.sysdep,v 1.8 2004/06/26 03:40:57 mcbride Exp $ - -# -# Copyright (c) 1999 Niklas Hallqvist. All rights reserved. -# Copyright (c) 2000 Håkan Olsson. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -LIBGMP:= /usr/pkg/lib/libgmp.a -LIBCRYPTO:= /usr/lib/libcrypto.a - -LIBSYSDEPDIR:= ${.CURDIR}/sysdep/common/libsysdep -LIBSYSDEP:= ${LIBSYSDEPDIR}/libsysdep.a - -LDADD+= ${LIBGMP} ${LIBSYSDEP} -DPADD+= ${LIBGMP} ${LIBSYSDEP} - -FEATURES= debug tripledes des blowfish cast ec aggressive x509 -# Not yet -#FEATURES+= policy - -CFLAGS+= -DNO_RSA -DNO_RC5 -DNO_IDEA \ - -I${.CURDIR}/sysdep/common -I/usr/include/openssl \ - -I/usr/include/machine -I/usr/pkg/include - -IPSEC_SRCS= pf_key_v2.c -IPSEC_CFLAGS= -DUSE_PF_KEY_V2 - -USE_LIBCRYPTO= defined - -# -# hack libsysdep.a dependency -# -${LIBSYSDEPDIR}/.depend ${LIBSYSDEP}: - @cd ${LIBSYSDEPDIR} && \ - ${MAKE} --no-print-directory ${MAKEFLAGS} \ - CFLAGS="${CFLAGS}" MKDEP="${MKDEP}" ${MAKECMDGOALS} - -depend: ${LIBSYSDEPDIR}/.depend - -ifeq ($(findstring clean, $(MAKECMDGOALS)), clean) -SUBDIR+= sysdep/common/libsysdep -MAKEFLAGS+= --no-print-directory -endif diff --git a/keyexchange/isakmpd-20041012/sysdep/netbsd/Makefile.sysdep b/keyexchange/isakmpd-20041012/sysdep/netbsd/Makefile.sysdep deleted file mode 100644 index fbc75cc..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/netbsd/Makefile.sysdep +++ /dev/null @@ -1,79 +0,0 @@ -# $OpenBSD: Makefile.sysdep,v 1.10 2004/06/26 03:40:57 mcbride Exp $ - -# -# Copyright (c) 1999 Niklas Hallqvist. All rights reserved. -# Copyright (c) 2000 Håkan Olsson. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER INN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# Override default features -FEATURES= tripledes des blowfish cast ec aggressive debug x509 -FEATURES+= rawkey -# Not yet -#FEATURES+= policy isakmp_cfg - -LIBGMP= /usr/pkg/lib/libgmp.a -LIBCRYPTO= /usr/lib/libcrypto.a -LIBSYSDEPDIR= ${.CURDIR}/sysdep/common/libsysdep - -LDADD+= ${LIBGMP} ${LIBSYSDEPDIR}/libsysdep.a -lipsec -DPADD+= ${LIBGMP} ${LIBSYSDEPDIR}/libsysdep.a ${LIBIPSEC} - -CFLAGS+= -DNO_RSA -DNO_IDEA -DNO_RC5 \ - -DHAVE_GETIFADDRS \ - -I${.CURDIR}/sysdep/common -.if exists(/usr/pkg/include/openssl/rsa.h) -CFLAGS+= -I/usr/pkg/include/openssl -.elif exists(/usr/include/openssl/rsa.h) -CFLAGS+= -I/usr/include -I/usr/include/openssl -.endif -# mandatory for gmp -CFLAGS+= -I/usr/pkg/include -LDADD+= -L/usr/pkg/lib - -IPSEC_SRCS= pf_key_v2.c -IPSEC_CFLAGS= -DUSE_PF_KEY_V2 - -USE_LIBCRYPTO= defined -USE_GMP= defined - -# This is a hack in order to make sure libsysdep is built before the -# linkstage of isakmpd. As a side effect the link is always done even if -# not necessary. Well, I just don't care. -GENERATED+= sysdep-target -sysdep-target: - cd ${.CURDIR}/sysdep/common/libsysdep; ${MAKE} ${.MAKEFLAGS} - -.if make(clean) || make(cleandir) -SUBDIR+= sysdep/common/libsysdep -.endif - -# Kludge around bug in /usr/share/mk/bsd.subdir.mk -NO_REGRESS= defined - -beforedepend: - rm -f ssl -.if exists(/usr/pkg/include/openssl/rsa.h) - ln -sf /usr/pkg/include/openssl ssl -.elif exists(/usr/include/openssl/rsa.h) - ln -sf /usr/include/openssl ssl -.endif diff --git a/keyexchange/isakmpd-20041012/sysdep/netbsd/sysdep-os.h b/keyexchange/isakmpd-20041012/sysdep/netbsd/sysdep-os.h deleted file mode 100644 index b401bb1..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/netbsd/sysdep-os.h +++ /dev/null @@ -1,51 +0,0 @@ -/* $OpenBSD: sysdep-os.h,v 1.5 2003/08/06 11:20:00 markus Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * Copyright (c) 2000 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#ifndef _SYSDEP_OS_H_ - -#define _SYSDEP_OS_H_ - -#define KAME - -#include <netinet6/ipsec.h> - -#ifndef CPI_RESERVED_MAX -#define CPI_RESERVED_MIN 1 -#define CPI_RESERVED_MAX 255 -#define CPI_PRIVATE_MIN 61440 -#define CPI_PRIVATE_MAX 65536 -#endif - -#if !defined(SADB_X_EALG_CAST) && defined(SADB_X_EALG_CAST128CBC) -#define SADB_X_EALG_CAST SADB_X_EALG_CAST128CBC -#endif - -#if !defined(SADB_X_EALG_BLF) && defined(SADB_X_EALG_BLOWFISHCBC) -#define SADB_X_EALG_BLF SADB_X_EALG_BLOWFISHCBC -#endif - -#endif /* _SYSDEP_OS_H_ */ diff --git a/keyexchange/isakmpd-20041012/sysdep/netbsd/sysdep.c b/keyexchange/isakmpd-20041012/sysdep/netbsd/sysdep.c deleted file mode 100644 index 2720715..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/netbsd/sysdep.c +++ /dev/null @@ -1,225 +0,0 @@ -/* $OpenBSD: sysdep.c,v 1.13 2004/08/10 15:59:10 ho Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * Copyright (c) 2000 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include <sys/types.h> -#include <sys/socket.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <stdlib.h> -#include <string.h> - -#include "sysdep.h" - -#include "util.h" - -#ifdef NEED_SYSDEP_APP -#include "app.h" -#include "conf.h" -#include "ipsec.h" - -#ifdef USE_PF_KEY_V2 -#include "pf_key_v2.h" -#define KEY_API(x) pf_key_v2_##x -#endif - -#endif /* NEED_SYSDEP_APP */ -#include "log.h" - -extern char *__progname; - -/* - * An as strong as possible random number generator, reverting to a - * deterministic pseudo-random one if regrand is set. - */ -u_int32_t -sysdep_random () -{ - return random(); -} - -/* Return the basename of the command used to invoke us. */ -char * -sysdep_progname () -{ - return __progname; -} - -/* Return the length of the sockaddr struct. */ -u_int8_t -sysdep_sa_len (struct sockaddr *sa) -{ - return sa->sa_len; -} - -/* As regress/ use this file I protect the sysdep_app_* stuff like this. */ -#ifdef NEED_SYSDEP_APP -/* - * Prepare the application we negotiate SAs for (i.e. the IPsec stack) - * for communication. We return a file descriptor useable to select(2) on. - */ -int -sysdep_app_open () -{ - return KEY_API(open) (); -} - -/* - * When select(2) has noticed our application needs attendance, this is what - * gets called. FD is the file descriptor causing the alarm. - */ -void -sysdep_app_handler (int fd) -{ - KEY_API (handler) (fd); -} - -/* Check that the connection named NAME is active, or else make it active. */ -void -sysdep_connection_check (char *name) -{ - KEY_API (connection_check) (name); -} - -/* - * Generate a SPI for protocol PROTO and the source/destination pair given by - * SRC, SRCLEN, DST & DSTLEN. Stash the SPI size in SZ. - */ -u_int8_t * -sysdep_ipsec_get_spi (size_t *sz, u_int8_t proto, struct sockaddr *src, - struct sockaddr *dst, u_int32_t seq) -{ - if (app_none) - { - *sz = IPSEC_SPI_SIZE; - /* XXX should be random instead I think. */ - return strdup ("\x12\x34\x56\x78"); - } - return KEY_API (get_spi) (sz, proto, src, dst, seq); -} - -struct sa_kinfo * -sysdep_ipsec_get_kernel_sa(u_int8_t *spi, size_t spi_sz, u_int8_t proto, - struct sockaddr *dst) -{ - if (app_none) - return 0; - /* XXX return KEY_API(get_kernel_sa)(spi, spi_sz, proto, dst); */ - return 0; -} - -/* Force communication on socket FD to go in the clear. */ -int -sysdep_cleartext (int fd, int af) -{ - char *buf; - char *policy[] = { "in bypass", "out bypass", NULL }; - char **p; - int ipp; - int opt; - char *msgstr; - - if (app_none) - return 0; - - switch (af) - { - case AF_INET: - ipp = IPPROTO_IP; - opt = IP_IPSEC_POLICY; - msgstr = ""; - break; - case AF_INET6: - ipp = IPPROTO_IPV6; - opt = IPV6_IPSEC_POLICY; - msgstr = "V6"; - break; - default: - log_print ("sysdep_cleartext: unsupported protocol family %d", af); - return -1; - } - - /* - * Need to bypass system security policy, so I can send and - * receive key management datagrams in the clear. - */ - - for (p = policy; p && *p; p++) - { - buf = ipsec_set_policy (*p, strlen(*p)); - if (buf == NULL) - { - log_error ("sysdep_cleartext: %s: %s", *p, ipsec_strerror()); - return -1; - } - - if (setsockopt(fd, ipp, opt, buf, ipsec_get_policylen(buf)) < 0) - { - log_error ("sysdep_cleartext: " - "setsockopt (%d, IPPROTO_IP%s, IP%s_IPSEC_POLICY, ...) " - "failed", fd, msgstr, msgstr); - return -1; - } - free(buf); - } - - return 0; -} - -int -sysdep_ipsec_delete_spi (struct sa *sa, struct proto *proto, int incoming) -{ - if (app_none) - return 0; - return KEY_API (delete_spi) (sa, proto, incoming); -} - -int -sysdep_ipsec_enable_sa (struct sa *sa, struct sa *isakmp_sa) -{ - if (app_none) - return 0; - return KEY_API (enable_sa) (sa, isakmp_sa); -} - -int -sysdep_ipsec_group_spis (struct sa *sa, struct proto *proto1, - struct proto *proto2, int incoming) -{ - if (app_none) - return 0; - return KEY_API (group_spis) (sa, proto1, proto2, incoming); -} - -int -sysdep_ipsec_set_spi (struct sa *sa, struct proto *proto, int incoming, - struct sa *isakmp_sa) -{ - if (app_none) - return 0; - return KEY_API (set_spi) (sa, proto, incoming, isakmp_sa); -} -#endif diff --git a/keyexchange/isakmpd-20041012/sysdep/openbsd/GNUmakefile.sysdep b/keyexchange/isakmpd-20041012/sysdep/openbsd/GNUmakefile.sysdep deleted file mode 100644 index 8a46424..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/openbsd/GNUmakefile.sysdep +++ /dev/null @@ -1,52 +0,0 @@ -# $OpenBSD: GNUmakefile.sysdep,v 1.5 2004/06/26 03:40:57 mcbride Exp $ - -# -# Copyright (c) 1999 Håkan Olsson. All rights reserved. -# Copyright (c) 1999, 2000 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Ericsson Radio Systems. -# - - -LIBGMP:= /usr/lib/libgmp.a -LIBCRYPTO:= /usr/lib/libcrypto.a - -IPSEC_SRCS= pf_key_v2.c -IPSEC_CFLAGS= -DUSE_PF_KEY_V2 - -USE_LIBCRYPTO= defined -ifneq (${MACHINE_ARCH},alpha) -ifneq (${MACHINE_ARCH},vax) -ifneq (${MACHINE_ARCH},m88k) -SRCS+= keynote_compat.c -endif -endif -endif -USE_KEYNOTE= defined - -ifndef USE_LIBCRYPTO -DESLIB= -ldes -DESLIBDEP= ${LIBDES} -endif diff --git a/keyexchange/isakmpd-20041012/sysdep/openbsd/Makefile.sysdep b/keyexchange/isakmpd-20041012/sysdep/openbsd/Makefile.sysdep deleted file mode 100644 index 86688bd..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/openbsd/Makefile.sysdep +++ /dev/null @@ -1,52 +0,0 @@ -# $OpenBSD: Makefile.sysdep,v 1.24 2004/06/26 03:40:57 mcbride Exp $ -# $EOM: Makefile.sysdep,v 1.18 2001/01/26 10:55:22 niklas Exp $ - -# -# Copyright (c) 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -# THEORY OF LIABILITY, WHETHER INN CONTRACT, STRICT LIABILITY, OR TORT -# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -# - -# -# This code was written under funding by Ericsson Radio Systems. -# - -IPSEC_SRCS= pf_key_v2.c -IPSEC_CFLAGS= -DUSE_PF_KEY_V2 - -CFLAGS+= -DHAVE_GETIFADDRS -DHAVE_PCAP -CFLAGS+= -DHAVE_CLOSEFROM - -USE_LIBCRYPTO= defined - -.ifdef FEATURES -.if ${FEATURES:Mpolicy} == "policy" -.if ${MACHINE_ARCH} != "alpha" && ${MACHINE_ARCH} != "vax" && ${MACHINE_ARCH} != "m88k" -POLICY+= keynote_compat.c -.endif -USE_KEYNOTE= defined -.endif -.endif - -.ifndef USE_LIBCRYPTO -DESLIB= -ldes -DESLIBDEP= ${LIBDES} -.endif diff --git a/keyexchange/isakmpd-20041012/sysdep/openbsd/keynote_compat.c b/keyexchange/isakmpd-20041012/sysdep/openbsd/keynote_compat.c deleted file mode 100644 index a464375..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/openbsd/keynote_compat.c +++ /dev/null @@ -1,82 +0,0 @@ -/* $OpenBSD: keynote_compat.c,v 1.6 2004/04/15 18:39:30 deraadt Exp $ */ -/* $EOM: keynote_compat.c,v 1.1 2000/10/15 19:18:26 niklas Exp $ */ - -/* - * Copyright (c) 2000 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * By mistake these functions were introduced into libkeynote without - * updating some kind of version preprocessor symbol we can test. - * Provide weak functions that can be used if the libkeynote version - * we link against miss them. - */ - -#pragma weak kn_get_string=_kn_get_string -#pragma weak kn_free_key=_kn_free_key - -/* - * The author of this code is Angelos D. Keromytis (angelos@dsl.cis.upenn.edu) - * - * This code was written by Angelos D. Keromytis in Philadelphia, PA, USA, - * in April-May 1998 - * - * Copyright (C) 1998, 1999 by Angelos D. Keromytis. - * - * Permission to use, copy, and modify this software without fee - * is hereby granted, provided that this entire notice is included in - * all copies of any software which is or includes a copy or - * modification of this software. - * - * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTY. IN PARTICULAR, THE AUTHORS MAKES NO - * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE - * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR - * PURPOSE. - */ - -#include <sys/types.h> -#include <regex.h> -#include <keynote.h> - -extern void keynote_free_key(void *, int); -extern char *keynote_get_private_key(char *); - -/* - * Exportable front-end to keynote_get_private_key(). - */ -char * -_kn_get_string(char *buf) -{ - return keynote_get_private_key(buf); -} - -/* - * Free a key. - */ -void -_kn_free_key(struct keynote_deckey *dc) -{ - if (dc) - keynote_free_key(dc->dec_key, dc->dec_algorithm); -} diff --git a/keyexchange/isakmpd-20041012/sysdep/openbsd/sysdep-os.h b/keyexchange/isakmpd-20041012/sysdep/openbsd/sysdep-os.h deleted file mode 100644 index 05200c6..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/openbsd/sysdep-os.h +++ /dev/null @@ -1,89 +0,0 @@ -/* $OpenBSD: sysdep-os.h,v 1.6 2003/06/03 14:53:11 ho Exp $ */ -/* $EOM: sysdep-os.h,v 1.3 1999/07/08 16:48:40 niklas Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _SYSDEP_OS_H_ -#define _SYSDEP_OS_H_ - -/* - * OpenBSD has at various times had non-conformant PF_KEYv2 definitions. - * Here we transform them into being conformant. - */ - -#ifdef SADB_EXT_X_SRC_MASK -#define SADB_X_EXT_SRC_MASK SADB_EXT_X_SRC_MASK -#define SADB_X_EXT_DST_MASK SADB_EXT_X_DST_MASK -#define SADB_X_EXT_PROTOCOL SADB_EXT_X_PROTOCOL -#define SADB_X_EXT_SA2 SADB_EXT_X_SA2 -#define SADB_X_EXT_SRC_FLOW SADB_EXT_X_SRC_FLOW -#define SADB_X_EXT_DST_FLOW SADB_EXT_X_DST_FLOW -#define SADB_X_EXT_DST2 SADB_EXT_X_DST2 - -#define SADB_X_SATYPE_AH_OLD SADB_SATYPE_X_AH_OLD -#define SADB_X_SATYPE_ESP_OLD SADB_SATYPE_X_ESP_OLD -#define SADB_X_SATYPE_IPIP SADB_SATYPE_X_IPIP - -#define SADB_X_AALG_RIPEMD160HMAC96 SADB_AALG_X_RIPEMD160HMAC96 -#define SADB_X_AALG_MD5 SADB_AALG_X_MD5 -#define SADB_X_AALG_SHA1 SADB_AALG_X_SHA1 - -#define SADB_X_EALG_BLF SADB_EALG_X_BLF -#define SADB_X_EALG_CAST SADB_EALG_X_CAST -#define SADB_X_EALG_SKIPJACK SADB_EALG_X_SKIPJACK - -#define SADB_X_SAFLAGS_HALFIV SADB_SAFLAGS_X_HALFIV -#define SADB_X_SAFLAGS_TUNNEL SADB_SAFLAGS_X_TUNNEL -#define SADB_X_SAFLAGS_CHAINDEL SADB_SAFLAGS_X_CHAINDEL -#define SADB_X_SAFLAGS_LOCALFLOW SADB_SAFLAGS_X_LOCALFLOW -#define SADB_X_SAFLAGS_REPLACEFLOW SADB_SAFLAGS_X_REPLACEFLOW - -#endif /* SADB_EXT_X_SRC_MASK */ - -#if defined (SADB_IDENTTYPE_MBOX) && !defined (SADB_IDENTTYPE_USERFQDN) -#define SADB_IDENTTYPE_USERFQDN SADB_IDENTTYPE_MBOX -#endif - -#ifdef FLOW_X_TYPE_USE -#define SADB_X_FLOW_TYPE_USE FLOW_X_TYPE_USE -#define SADB_X_FLOW_TYPE_ACQUIRE FLOW_X_TYPE_ACQUIRE -#define SADB_X_FLOW_TYPE_REQUIRE FLOW_X_TYPE_REQUIRE -#define SADB_X_FLOW_TYPE_BYPASS FLOW_X_TYPE_BYPASS -#define SADB_X_FLOW_TYPE_DENY FLOW_X_TYPE_DENY -#define SADB_X_FLOW_TYPE_DONTACQ FLOW_X_TYPE_DONTACQ -#endif - -#if OPENBSD_IPSEC_API_VERSION == 1 -#define sadb_x_policy sadb_policy -#define sadb_x_policy_len sadb_policy_len -#define sadb_x_policy_exttype sadb_policy_exttype -#define sadb_x_policy_seq sadb_policy_seq -#endif - -#endif /* _SYSDEP_OS_H_ */ diff --git a/keyexchange/isakmpd-20041012/sysdep/openbsd/sysdep.c b/keyexchange/isakmpd-20041012/sysdep/openbsd/sysdep.c deleted file mode 100644 index f59922f..0000000 --- a/keyexchange/isakmpd-20041012/sysdep/openbsd/sysdep.c +++ /dev/null @@ -1,266 +0,0 @@ -/* $OpenBSD: sysdep.c,v 1.28 2004/08/10 15:59:11 ho Exp $ */ -/* $EOM: sysdep.c,v 1.9 2000/12/04 04:46:35 angelos Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/errno.h> -#include <sys/types.h> -#include <sys/socket.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <stdlib.h> -#include <string.h> - -#include "sysdep.h" - -#include "monitor.h" -#include "util.h" - -#ifdef NEED_SYSDEP_APP -#include "app.h" -#include "conf.h" -#include "ipsec.h" - -#ifdef USE_PF_KEY_V2 -#include "pf_key_v2.h" -#define KEY_API(x) pf_key_v2_##x -#endif - -#endif /* NEED_SYSDEP_APP */ -#include "log.h" - -extern char *__progname; - -/* - * An as strong as possible random number generator, reverting to a - * deterministic pseudo-random one if regrand is set. - */ -u_int32_t -sysdep_random() -{ - if (!regrand) - return arc4random(); - else - return random(); -} - -/* Return the basename of the command used to invoke us. */ -char * -sysdep_progname() -{ - return __progname; -} - -/* Return the length of the sockaddr struct. */ -u_int8_t -sysdep_sa_len(struct sockaddr *sa) -{ - return sa->sa_len; -} - -/* As regress/ use this file I protect the sysdep_app_* stuff like this. */ -#ifdef NEED_SYSDEP_APP -/* - * Prepare the application we negotiate SAs for (i.e. the IPsec stack) - * for communication. We return a file descriptor useable to select(2) on. - */ -int -sysdep_app_open() -{ -#ifdef USE_PRIVSEP - return monitor_pf_key_v2_open(); -#else - return KEY_API(open)(); -#endif -} - -/* - * When select(2) has noticed our application needs attendance, this is what - * gets called. FD is the file descriptor causing the alarm. - */ -void -sysdep_app_handler(int fd) -{ - KEY_API(handler)(fd); -} - -/* Check that the connection named NAME is active, or else make it active. */ -void -sysdep_connection_check(char *name) -{ - KEY_API(connection_check)(name); -} - -/* - * Generate a SPI for protocol PROTO and the source/destination pair given by - * SRC, SRCLEN, DST & DSTLEN. Stash the SPI size in SZ. - */ -u_int8_t * -sysdep_ipsec_get_spi(size_t *sz, u_int8_t proto, struct sockaddr *src, - struct sockaddr *dst, u_int32_t seq) -{ - if (app_none) { - *sz = IPSEC_SPI_SIZE; - /* XXX should be random instead I think. */ - return (u_int8_t *)strdup("\x12\x34\x56\x78"); - } - return KEY_API(get_spi)(sz, proto, src, dst, seq); -} - -struct sa_kinfo * -sysdep_ipsec_get_kernel_sa(u_int8_t *spi, size_t spi_sz, u_int8_t proto, - struct sockaddr *dst) -{ - if (app_none) - return 0; - return KEY_API(get_kernel_sa)(spi, spi_sz, proto, dst); -} - -/* Force communication on socket FD to go in the clear. */ -int -sysdep_cleartext(int fd, int af) -{ - int level, sw; - struct { - int ip_proto; /* IP protocol */ - int auth_level; - int esp_trans_level; - int esp_network_level; - int ipcomp_level; - } optsw[] = { - { - IPPROTO_IP, - IP_AUTH_LEVEL, - IP_ESP_TRANS_LEVEL, - IP_ESP_NETWORK_LEVEL, -#ifdef IP_IPCOMP_LEVEL - IP_IPCOMP_LEVEL -#else - 0 -#endif - }, { - IPPROTO_IPV6, - IPV6_AUTH_LEVEL, - IPV6_ESP_TRANS_LEVEL, - IPV6_ESP_NETWORK_LEVEL, -#ifdef IPV6_IPCOMP_LEVEL - IPV6_IPCOMP_LEVEL -#else - 0 -#endif - }, - }; - - if (app_none) - return 0; - - switch (af) { - case AF_INET: - sw = 0; - break; - case AF_INET6: - sw = 1; - break; - default: - log_print("sysdep_cleartext: unsupported protocol family %d", af); - return -1; - } - - /* - * Need to bypass system security policy, so I can send and - * receive key management datagrams in the clear. - */ - level = IPSEC_LEVEL_BYPASS; - if (monitor_setsockopt(fd, optsw[sw].ip_proto, optsw[sw].auth_level, - (char *) &level, sizeof level) == -1) { - log_error("sysdep_cleartext: " - "setsockopt (%d, %d, IP_AUTH_LEVEL, ...) failed", fd, - optsw[sw].ip_proto); - return -1; - } - if (monitor_setsockopt(fd, optsw[sw].ip_proto, optsw[sw].esp_trans_level, - (char *) &level, sizeof level) == -1) { - log_error("sysdep_cleartext: " - "setsockopt (%d, %d, IP_ESP_TRANS_LEVEL, ...) failed", fd, - optsw[sw].ip_proto); - return -1; - } - if (monitor_setsockopt(fd, optsw[sw].ip_proto, optsw[sw].esp_network_level, - (char *) &level, sizeof level) == -1) { - log_error("sysdep_cleartext: " - "setsockopt (%d, %d, IP_ESP_NETWORK_LEVEL, ...) failed", fd, - optsw[sw].ip_proto); - return -1; - } - if (optsw[sw].ipcomp_level && - monitor_setsockopt(fd, optsw[sw].ip_proto, optsw[sw].ipcomp_level, - (char *) &level, sizeof level) == -1 && - errno != ENOPROTOOPT) { - log_error("sysdep_cleartext: " - "setsockopt (%d, %d, IP_IPCOMP_LEVEL, ...) failed,", fd, - optsw[sw].ip_proto); - return -1; - } - return 0; -} - -int -sysdep_ipsec_delete_spi(struct sa *sa, struct proto *proto, int incoming) -{ - if (app_none) - return 0; - return KEY_API(delete_spi)(sa, proto, incoming); -} - -int -sysdep_ipsec_enable_sa(struct sa *sa, struct sa *isakmp_sa) -{ - if (app_none) - return 0; - return KEY_API(enable_sa)(sa, isakmp_sa); -} - -int -sysdep_ipsec_group_spis(struct sa *sa, struct proto *proto1, - struct proto *proto2, int incoming) -{ - if (app_none) - return 0; - return KEY_API(group_spis)(sa, proto1, proto2, incoming); -} - -int -sysdep_ipsec_set_spi(struct sa *sa, struct proto *proto, int incoming, - struct sa *isakmp_sa) -{ - if (app_none) - return 0; - return KEY_API(set_spi) (sa,proto, incoming, isakmp_sa); -} -#endif diff --git a/keyexchange/isakmpd-20041012/timer.c b/keyexchange/isakmpd-20041012/timer.c deleted file mode 100644 index 45bcc49..0000000 --- a/keyexchange/isakmpd-20041012/timer.c +++ /dev/null @@ -1,139 +0,0 @@ -/* $OpenBSD: timer.c,v 1.14 2004/06/14 09:55:42 ho Exp $ */ -/* $EOM: timer.c,v 1.13 2000/02/20 19:58:42 niklas Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/queue.h> -#include <stdlib.h> -#include <string.h> - -#include "sysdep.h" - -#include "log.h" -#include "timer.h" - -static TAILQ_HEAD(event_list, event) events; - -void -timer_init(void) -{ - TAILQ_INIT(&events); -} - -void -timer_next_event(struct timeval **timeout) -{ - struct timeval now; - - if (TAILQ_FIRST(&events)) { - gettimeofday(&now, 0); - if (timercmp(&now, &TAILQ_FIRST(&events)->expiration, >=)) - timerclear(*timeout); - else - timersub(&TAILQ_FIRST(&events)->expiration, &now, - *timeout); - } else - *timeout = 0; -} - -void -timer_handle_expirations(void) -{ - struct timeval now; - struct event *n; - - gettimeofday(&now, 0); - for (n = TAILQ_FIRST(&events); n && timercmp(&now, &n->expiration, >=); - n = TAILQ_FIRST(&events)) { - LOG_DBG((LOG_TIMER, 10, - "timer_handle_expirations: event %s(%p)", n->name, - n->arg)); - TAILQ_REMOVE(&events, n, link); - (*n->func)(n->arg); - free(n); - } -} - -struct event * -timer_add_event(char *name, void (*func)(void *), void *arg, - struct timeval *expiration) -{ - struct event *ev = (struct event *) malloc(sizeof *ev); - struct event *n; - struct timeval now; - - if (!ev) - return 0; - ev->name = name; - ev->func = func; - ev->arg = arg; - gettimeofday(&now, 0); - memcpy(&ev->expiration, expiration, sizeof *expiration); - for (n = TAILQ_FIRST(&events); - n && timercmp(expiration, &n->expiration, >=); - n = TAILQ_NEXT(n, link)) - ; - if (n) { - LOG_DBG((LOG_TIMER, 10, - "timer_add_event: event %s(%p) added before %s(%p), " - "expiration in %lds", name, - arg, n->name, n->arg, expiration->tv_sec - now.tv_sec)); - TAILQ_INSERT_BEFORE(n, ev, link); - } else { - LOG_DBG((LOG_TIMER, 10, "timer_add_event: event %s(%p) added " - "last, expiration in %lds", name, arg, - expiration->tv_sec - now.tv_sec)); - TAILQ_INSERT_TAIL(&events, ev, link); - } - return ev; -} - -void -timer_remove_event(struct event *ev) -{ - LOG_DBG((LOG_TIMER, 10, "timer_remove_event: removing event %s(%p)", - ev->name, ev->arg)); - TAILQ_REMOVE(&events, ev, link); - free(ev); -} - -void -timer_report(void) -{ - struct event *ev; - struct timeval now; - - gettimeofday(&now, 0); - - for (ev = TAILQ_FIRST(&events); ev; ev = TAILQ_NEXT(ev, link)) - LOG_DBG((LOG_REPORT, 0, - "timer_report: event %s(%p) scheduled in %d seconds", - (ev->name ? ev->name : "<unknown>"), ev, - (int) (ev->expiration.tv_sec - now.tv_sec))); -} diff --git a/keyexchange/isakmpd-20041012/timer.h b/keyexchange/isakmpd-20041012/timer.h deleted file mode 100644 index 2e890a3..0000000 --- a/keyexchange/isakmpd-20041012/timer.h +++ /dev/null @@ -1,55 +0,0 @@ -/* $OpenBSD: timer.h,v 1.7 2004/05/23 18:17:56 hshoexer Exp $ */ -/* $EOM: timer.h,v 1.6 1999/04/11 22:35:55 ho Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _TIMER_H_ -#define _TIMER_H_ - -#include <sys/param.h> -#include <sys/queue.h> -#include <sys/time.h> - -struct event { - TAILQ_ENTRY(event) link; - char *name; - void (*func) (void *); - void *arg; - struct timeval expiration; -}; - -extern void timer_init(void); -extern void timer_next_event(struct timeval **); -extern void timer_handle_expirations(void); -extern struct event *timer_add_event(char *, void (*) (void *), void *, - struct timeval *); -extern void timer_remove_event(struct event *); -extern void timer_report(void); - -#endif /* _TIMER_H_ */ diff --git a/keyexchange/isakmpd-20041012/transport.c b/keyexchange/isakmpd-20041012/transport.c deleted file mode 100644 index 023e819..0000000 --- a/keyexchange/isakmpd-20041012/transport.c +++ /dev/null @@ -1,431 +0,0 @@ -/* $OpenBSD: transport.c,v 1.30 2004/08/08 19:11:06 deraadt Exp $ */ -/* $EOM: transport.c,v 1.43 2000/10/10 12:36:39 provos Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * Copyright (c) 2001, 2004 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/param.h> -#include <sys/queue.h> -#include <string.h> - -#include "sysdep.h" - -#include "conf.h" -#include "exchange.h" -#include "log.h" -#include "message.h" -#include "sa.h" -#include "timer.h" -#include "transport.h" -#include "virtual.h" - -/* If no retransmit limit is given, use this as a default. */ -#define RETRANSMIT_DEFAULT 10 - -LIST_HEAD(transport_list, transport) transport_list; -LIST_HEAD(transport_method_list, transport_vtbl) transport_method_list; - -/* Call the reinit function of the various transports. */ -void -transport_reinit(void) -{ - struct transport_vtbl *method; - - for (method = LIST_FIRST(&transport_method_list); method; - method = LIST_NEXT(method, link)) - if (method->reinit) - method->reinit(); -} - -/* Initialize the transport maintenance module. */ -void -transport_init(void) -{ - LIST_INIT(&transport_list); - LIST_INIT(&transport_method_list); -} - -/* Register another transport T. */ -void -transport_setup(struct transport *t, int toplevel) -{ - if (toplevel) { - /* Only the toplevel (virtual) transport has sendqueues. */ - LOG_DBG((LOG_TRANSPORT, 70, - "transport_setup: virtual transport %p", t)); - TAILQ_INIT(&t->sendq); - TAILQ_INIT(&t->prio_sendq); - t->refcnt = 0; - } else { - /* udp and udp_encap trp goes into the transport list. */ - LOG_DBG((LOG_TRANSPORT, 70, - "transport_setup: added %p to transport list", t)); - LIST_INSERT_HEAD(&transport_list, t, link); - t->refcnt = 1; - } - t->flags = 0; -} - -/* Add a referer to transport T. */ -void -transport_reference(struct transport *t) -{ - t->refcnt++; - LOG_DBG((LOG_TRANSPORT, 95, - "transport_reference: transport %p now has %d references", t, - t->refcnt)); -} - -/* - * Remove a referer from transport T, removing all of T when no referers left. - */ -void -transport_release(struct transport *t) -{ - LOG_DBG((LOG_TRANSPORT, 95, - "transport_release: transport %p had %d references", t, - t->refcnt)); - if (--t->refcnt) - return; - - LOG_DBG((LOG_TRANSPORT, 70, "transport_release: freeing %p", t)); - t->vtbl->remove(t); -} - -void -transport_report(void) -{ - struct virtual_transport *v; - struct transport *t; - struct message *msg; - - for (t = LIST_FIRST(&transport_list); t; t = LIST_NEXT(t, link)) { - LOG_DBG((LOG_REPORT, 0, - "transport_report: transport %p flags %x refcnt %d", t, - t->flags, t->refcnt)); - - /* XXX Report sth on the virtual transport? */ - t->vtbl->report(t); - - /* - * This is the reason message_dump_raw lives outside - * message.c. - */ - v = (struct virtual_transport *)t->virtual; - if ((v->encap_is_active && v->encap == t) || - (!v->encap_is_active && v->main == t)) { - for (msg = TAILQ_FIRST(&t->virtual->prio_sendq); msg; - msg = TAILQ_NEXT(msg, link)) - message_dump_raw("udp_report(prio)", msg, - LOG_REPORT); - - for (msg = TAILQ_FIRST(&t->virtual->sendq); msg; - msg = TAILQ_NEXT(msg, link)) - message_dump_raw("udp_report", msg, - LOG_REPORT); - } - } -} - -int -transport_prio_sendqs_empty(void) -{ - struct transport *t; - - for (t = LIST_FIRST(&transport_list); t; t = LIST_NEXT(t, link)) - if (TAILQ_FIRST(&t->virtual->prio_sendq)) - return 0; - return 1; -} - -/* Register another transport method T. */ -void -transport_method_add(struct transport_vtbl *t) -{ - LIST_INSERT_HEAD(&transport_method_list, t, link); -} - -/* Apply a function FUNC on all registered (non-toplevel) transports. */ -void -transport_map(void (*func) (struct transport *)) -{ - struct transport *t; - - for (t = LIST_FIRST(&transport_list); t; t = LIST_NEXT(t, link)) - (*func) (t); -} - -/* - * Build up a file descriptor set FDS with all transport descriptors we want - * to read from. Return the number of file descriptors select(2) needs to - * check in order to cover the ones we setup in here. - */ -int -transport_fd_set(fd_set * fds) -{ - struct transport *t; - int n; - int max = -1; - - for (t = LIST_FIRST(&transport_list); t; t = LIST_NEXT(t, link)) - if (t->virtual->flags & TRANSPORT_LISTEN) { - n = t->vtbl->fd_set(t, fds, 1); - if (n > max) - max = n; - - LOG_DBG((LOG_TRANSPORT, 95, "transport_fd_set: " - "transport %p (virtual %p) fd %d", t, - t->virtual, n)); - } - return max + 1; -} - -/* - * Build up a file descriptor set FDS with all the descriptors belonging to - * transport where messages are queued for transmittal. Return the number - * of file descriptors select(2) needs to check in order to cover the ones - * we setup in here. - */ -int -transport_pending_wfd_set(fd_set * fds) -{ - struct transport *t; - int n; - int max = -1; - - for (t = LIST_FIRST(&transport_list); t; t = LIST_NEXT(t, link)) { - if (TAILQ_FIRST(&t->virtual->sendq) || - TAILQ_FIRST(&t->virtual->prio_sendq)) { - n = t->vtbl->fd_set(t, fds, 1); - LOG_DBG((LOG_TRANSPORT, 95, - "transport_pending_wfd_set: " - "transport %p (virtual %p) fd %d pending", t, - t->virtual, n)); - if (n > max) - max = n; - } - } - return max + 1; -} - -/* - * For each transport with a file descriptor in FDS, try to get an - * incoming message and start processing it. - */ -void -transport_handle_messages(fd_set *fds) -{ - struct transport *t; - - for (t = LIST_FIRST(&transport_list); t; t = LIST_NEXT(t, link)) { - if ((t->flags & TRANSPORT_LISTEN) && - (*t->vtbl->fd_isset)(t, fds)) { - (*t->virtual->vtbl->handle_message)(t); - (*t->vtbl->fd_set)(t, fds, 0); - } - } -} - -/* - * Send the first queued message on the transports found whose file - * descriptor is in FDS and has messages queued. Remove the fd bit from - * FDS as soon as one message has been sent on it so other transports - * sharing the socket won't get service without an intervening select - * call. Perhaps a fairness strategy should be implemented between - * such transports. Now early transports in the list will potentially - * be favoured to later ones sharing the file descriptor. - */ -void -transport_send_messages(fd_set * fds) -{ - struct transport *t, *next; - struct message *msg; - struct exchange *exchange; - struct timeval expiration; - int expiry, ok_to_drop_message; - - /* - * Reference all transports first so noone will disappear while in - * use. - */ - for (t = LIST_FIRST(&transport_list); t; t = LIST_NEXT(t, link)) - transport_reference(t->virtual); - - for (t = LIST_FIRST(&transport_list); t; t = LIST_NEXT(t, link)) { - if ((TAILQ_FIRST(&t->virtual->sendq) || - TAILQ_FIRST(&t->virtual->prio_sendq)) && - t->vtbl->fd_isset(t, fds)) { - /* Remove fd bit. */ - t->vtbl->fd_set(t, fds, 0); - - /* Prefer a message from the prioritized sendq. */ - if (TAILQ_FIRST(&t->virtual->prio_sendq)) { - msg = TAILQ_FIRST(&t->virtual->prio_sendq); - TAILQ_REMOVE(&t->virtual->prio_sendq, msg, - link); - } else { - msg = TAILQ_FIRST(&t->virtual->sendq); - TAILQ_REMOVE(&t->virtual->sendq, msg, link); - } - - msg->flags &= ~MSG_IN_TRANSIT; - exchange = msg->exchange; - exchange->in_transit = 0; - - /* - * We disregard the potential error message here, - * hoping that the retransmit will go better. - * XXX Consider a retry/fatal error discriminator. - */ - t->virtual->vtbl->send_message(msg, 0); - msg->xmits++; - - /* - * This piece of code has been proven to be quite - * delicate. Think twice for before altering. - * Here's an outline: - * - * If this message is not the one which finishes an - * exchange, check if we have reached the number of - * retransmit before queuing it up for another. - * - * If it is a finishing message we still may have to - * keep it around for an on-demand retransmit when - * seeing a duplicate of our peer's previous message. - * - */ - if ((msg->flags & MSG_LAST) == 0) { - if (msg->xmits > conf_get_num("General", - "retransmits", RETRANSMIT_DEFAULT)) { - log_print("transport_send_messages: " - "giving up on message %p, " - "exchange %s", msg, - exchange->name ? exchange->name : - "<unnamed>"); - /* Be more verbose here. */ - if (exchange->phase == 1) { - log_print( - "transport_send_messages: " - "either this message did " - "not reach the other " - "peer"); - if (exchange->initiator) - log_print("transport_send_messages: " - "or the response" - "message did not " - "reach us back"); - else - log_print("transport_send_messages: " - "or this is an " - "attempted IKE " - "scan"); - } - exchange->last_sent = 0; -#ifdef notyet - exchange_free(exchange); - exchange = 0; -#endif - } else { - gettimeofday(&expiration, 0); - - /* - * XXX Calculate from round trip - * timings and a backoff func. - */ - expiry = msg->xmits * 2 + 5; - expiration.tv_sec += expiry; - LOG_DBG((LOG_TRANSPORT, 30, - "transport_send_messages: " - "message %p scheduled for " - "retransmission %d in %d secs", - msg, msg->xmits, expiry)); - if (msg->retrans) - timer_remove_event(msg->retrans); - msg->retrans - = timer_add_event("message_send_expire", - (void (*) (void *)) message_send_expire, - msg, &expiration); - /* - * If we cannot retransmit, we - * cannot... - */ - exchange->last_sent = - msg->retrans ? msg : 0; - } - } else - exchange->last_sent = - exchange->last_received ? msg : 0; - - /* - * If this message is not referred to for later - * retransmission it will be ok for us to drop it - * after the post-send function. But as the post-send - * function may remove the exchange, we need to - * remember this fact here. - */ - ok_to_drop_message = exchange->last_sent == 0; - - /* - * If this is not a retransmit call post-send - * functions that allows parallel work to be done - * while the network and peer does their share of - * the job. Note that a post-send function may take - * away the exchange we belong to, but only if no - * retransmits are possible. - */ - if (msg->xmits == 1) - message_post_send(msg); - - if (ok_to_drop_message) - message_free(msg); - } - } - - for (t = LIST_FIRST(&transport_list); t; t = next) { - next = LIST_NEXT(t, link); - transport_release(t->virtual); - } -} - -/* - * Textual search after the transport method denoted by NAME, then create - * a transport connected to the peer with address ADDR, given in a transport- - * specific string format. - */ -struct transport * -transport_create(char *name, char *addr) -{ - struct transport_vtbl *method; - - for (method = LIST_FIRST(&transport_method_list); method; - method = LIST_NEXT(method, link)) - if (strcmp(method->name, name) == 0) - return (*method->create) (addr); - return 0; -} diff --git a/keyexchange/isakmpd-20041012/transport.h b/keyexchange/isakmpd-20041012/transport.h deleted file mode 100644 index 0a68c73..0000000 --- a/keyexchange/isakmpd-20041012/transport.h +++ /dev/null @@ -1,159 +0,0 @@ -/* $OpenBSD: transport.h,v 1.15 2004/06/20 15:24:05 ho Exp $ */ -/* $EOM: transport.h,v 1.16 2000/07/17 18:57:59 provos Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niklas Hallqvist. All rights reserved. - * Copyright (c) 2001, 2004 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -/* - * The transport module tries to separate out details concerning the - * actual transferral of ISAKMP messages to other parties. - */ - -#ifndef _TRANSPORT_H_ -#define _TRANSPORT_H_ - -#include <sys/param.h> -#include <sys/queue.h> -#include <sys/types.h> -#include <sys/socket.h> - -#include "message.h" - -struct transport; - -/* This describes a tranport "method" like UDP or similar. */ -struct transport_vtbl { - /* All transport methods are linked together. */ - LIST_ENTRY(transport_vtbl) link; - - /* A textual name of the transport method. */ - char *name; - - /* Create a transport instance of this method. */ - struct transport *(*create) (char *); - - /* Reinitialize specific transport. */ - void (*reinit) (void); - - /* Remove a transport instance of this method. */ - void (*remove) (struct transport *); - - /* Report status of given transport */ - void (*report) (struct transport *); - - /* Let the given transport set it's bit in the fd_set passed in. */ - int (*fd_set) (struct transport *, fd_set *, int); - - /* Is the given transport ready for I/O? */ - int (*fd_isset) (struct transport *, fd_set *); - - /* - * Read a message from the transport's incoming pipe and start - * handling it. - */ - void (*handle_message) (struct transport *); - - /* Send a message through the outgoing pipe. */ - int (*send_message) (struct message *, struct transport *); - - /* - * Fill out a sockaddr structure with the transport's destination end's - * address info. - */ - void (*get_dst) (struct transport *, struct sockaddr **); - - /* - * Fill out a sockaddr structure with the transport's source end's - * address info. - */ - void (*get_src) (struct transport *, struct sockaddr **); - - /* - * Return a string with decoded src and dst information - */ - char *(*decode_ids) (struct transport *); - - /* - * Clone a transport for outbound use. - */ - struct transport *(*clone) (struct transport *, struct sockaddr *); - - /* - * Locate the correct sendq to use for outbound messages. - */ - struct msg_head *(*get_queue) (struct message *); -}; - -struct transport { - /* All transports used are linked together. */ - LIST_ENTRY(transport) link; - - /* What transport method is this an instance of? */ - struct transport_vtbl *vtbl; - - /* The queue holding messages to send on this transport. */ - struct msg_head sendq; - - /* - * Prioritized send queue. Messages in this queue will be transmitted - * before the normal sendq, they will also all be transmitted prior - * to a daemon shutdown. Currently only used for DELETE notifications. - */ - struct msg_head prio_sendq; - - /* Flags describing the transport. */ - int flags; - - /* Reference counter. */ - int refcnt; - - /* Pointer to parent virtual transport, if any. */ - struct transport *virtual; -}; - -/* Set if this is a transport we want to listen on. */ -#define TRANSPORT_LISTEN 1 -/* Used for mark-and-sweep-type garbage collection of transports */ -#define TRANSPORT_MARK 2 - -extern struct transport *transport_create(char *, char *); -extern int transport_fd_set(fd_set *); -extern void transport_handle_messages(fd_set *); -extern void transport_init(void); -extern void transport_map(void (*) (struct transport *)); -extern void transport_method_add(struct transport_vtbl *); -extern int transport_pending_wfd_set(fd_set *); -extern int transport_prio_sendqs_empty(void); -extern void transport_reference(struct transport *); -extern void transport_reinit(void); -extern void transport_release(struct transport *); -extern void transport_report(void); -extern void transport_send_messages(fd_set *); -extern void transport_setup(struct transport *, int); -#endif /* _TRANSPORT_H_ */ diff --git a/keyexchange/isakmpd-20041012/udp.c b/keyexchange/isakmpd-20041012/udp.c deleted file mode 100644 index 090297b..0000000 --- a/keyexchange/isakmpd-20041012/udp.c +++ /dev/null @@ -1,573 +0,0 @@ -/* $OpenBSD: udp.c,v 1.79 2004/08/08 19:11:06 deraadt Exp $ */ -/* $EOM: udp.c,v 1.57 2001/01/26 10:09:57 niklas Exp $ */ - -/* - * Copyright (c) 1998, 1999, 2001 Niklas Hallqvist. All rights reserved. - * Copyright (c) 2000 Angelos D. Keromytis. All rights reserved. - * Copyright (c) 2003, 2004 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/types.h> -#include <sys/ioctl.h> -#include <sys/socket.h> -#ifndef linux -#include <sys/sockio.h> -#endif -#include <net/if.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <ctype.h> -#include <err.h> -#include <limits.h> -#include <netdb.h> -#include <stdlib.h> -#include <string.h> -#include <unistd.h> - -#include "sysdep.h" - -#include "conf.h" -#include "if.h" -#include "isakmp.h" -#include "log.h" -#include "message.h" -#include "monitor.h" -#include "sysdep.h" -#include "transport.h" -#include "udp.h" -#include "util.h" -#include "virtual.h" - -#define UDP_SIZE 65536 - -/* If a system doesn't have SO_REUSEPORT, SO_REUSEADDR will have to do. */ -#ifndef SO_REUSEPORT -#define SO_REUSEPORT SO_REUSEADDR -#endif - -/* These are reused by udp_encap.c, thus not 'static' here. */ -struct transport *udp_clone(struct transport *, struct sockaddr *); -int udp_fd_set(struct transport *, fd_set *, int); -int udp_fd_isset(struct transport *, fd_set *); -void udp_get_dst(struct transport *, struct sockaddr **); -void udp_get_src(struct transport *, struct sockaddr **); -char *udp_decode_ids(struct transport *); -void udp_remove(struct transport *); - -static struct transport *udp_create(char *); -static void udp_report(struct transport *); -static void udp_handle_message(struct transport *); -static struct transport *udp_make(struct sockaddr *); -static int udp_send_message(struct message *, struct transport *); -#if 0 -static in_port_t udp_decode_port(char *); -#endif - -static struct transport_vtbl udp_transport_vtbl = { - {0}, "udp_physical", - udp_create, - 0, - udp_remove, - udp_report, - udp_fd_set, - udp_fd_isset, - udp_handle_message, - udp_send_message, - udp_get_dst, - udp_get_src, - udp_decode_ids, - udp_clone, - 0 -}; - -char *udp_default_port = 0; -char *udp_bind_port = 0; -int bind_family = 0; - -void -udp_init(void) -{ - transport_method_add(&udp_transport_vtbl); -} - -/* Create a UDP transport structure bound to LADDR just for listening. */ -static struct transport * -udp_make(struct sockaddr *laddr) -{ - struct udp_transport *t = 0; - int s, on, wildcardaddress = 0; - char *tstr; - - t = calloc(1, sizeof *t); - if (!t) { - log_print("udp_make: calloc (1, %lu) failed", - (unsigned long)sizeof *t); - free(laddr); - return 0; - } - t->src = laddr; - - s = socket(laddr->sa_family, SOCK_DGRAM, IPPROTO_UDP); - if (s == -1) { - log_error("udp_make: socket (%d, %d, %d)", laddr->sa_family, - SOCK_DGRAM, IPPROTO_UDP); - goto err; - } - /* Make sure we don't get our traffic encrypted. */ - if (sysdep_cleartext(s, laddr->sa_family) == -1) - goto err; - - /* Wildcard address ? */ - switch (laddr->sa_family) { - case AF_INET: - if (((struct sockaddr_in *)laddr)->sin_addr.s_addr == - INADDR_ANY) - wildcardaddress = 1; - break; - case AF_INET6: - if (IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6 *)laddr)->sin6_addr)) - wildcardaddress = 1; - break; - } - - /* - * In order to have several bound specific address-port combinations - * with the same port SO_REUSEADDR is needed. If this is a wildcard - * socket and we are not listening there, but only sending from it - * make sure it is entirely reuseable with SO_REUSEPORT. - */ - on = 1; - if (setsockopt(s, SOL_SOCKET, - wildcardaddress ? SO_REUSEPORT : SO_REUSEADDR, - (void *)&on, sizeof on) == -1) { - log_error("udp_make: setsockopt (%d, %d, %d, %p, %lu)", s, - SOL_SOCKET, wildcardaddress ? SO_REUSEPORT : SO_REUSEADDR, - &on, (unsigned long)sizeof on); - goto err; - } - t->transport.vtbl = &udp_transport_vtbl; - if (monitor_bind(s, t->src, sysdep_sa_len(t->src))) { - if (sockaddr2text(t->src, &tstr, 0)) - log_error("udp_make: bind (%d, %p, %lu)", s, &t->src, - (unsigned long)sizeof t->src); - else { - log_error("udp_make: bind (%d, %s, %lu)", s, tstr, - (unsigned long)sizeof t->src); - free(tstr); - } - goto err; - } - t->s = s; - if (sockaddr2text(t->src, &tstr, 0)) - LOG_DBG((LOG_MISC, 20, "udp_make: " - "transport %p socket %d family %d", t, s, - t->src->sa_family == AF_INET ? 4 : 6)); - else { - LOG_DBG((LOG_MISC, 20, "udp_make: " - "transport %p socket %d ip %s port %d", t, s, - tstr, ntohs(sockaddr_port(t->src)))); - free (tstr); - } - transport_setup(&t->transport, 0); - t->transport.flags |= TRANSPORT_LISTEN; - return &t->transport; - -err: - if (s >= 0) - close(s); - if (t) { - /* Already closed. */ - t->s = -1; - udp_remove(&t->transport); - } - return 0; -} - -/* Clone a listen transport U, record a destination RADDR for outbound use. */ -struct transport * -udp_clone(struct transport *ut, struct sockaddr *raddr) -{ - struct udp_transport *u = (struct udp_transport *)ut; - struct udp_transport *u2; - struct transport *t; - - t = malloc(sizeof *u); - if (!t) { - log_error("udp_clone: malloc (%lu) failed", - (unsigned long)sizeof *u); - return 0; - } - u2 = (struct udp_transport *)t; - - memcpy(u2, u, sizeof *u); - - u2->src = malloc(sysdep_sa_len(u->src)); - if (!u2->src) { - log_error("udp_clone: malloc (%d) failed", - sysdep_sa_len(u->src)); - free(t); - return 0; - } - memcpy(u2->src, u->src, sysdep_sa_len(u->src)); - - u2->dst = malloc(sysdep_sa_len(raddr)); - if (!u2->dst) { - log_error("udp_clone: malloc (%d) failed", - sysdep_sa_len(raddr)); - free(u2->src); - free(t); - return 0; - } - memcpy(u2->dst, raddr, sysdep_sa_len(raddr)); - - t->flags &= ~TRANSPORT_LISTEN; - transport_setup(t, 0); - return t; -} - -/* - * Initialize an object of the UDP transport class. Fill in the local - * IP address and port information and create a server socket bound to - * that specific port. Add the polymorphic transport structure to the - * system-wide pools of known ISAKMP transports. - */ -struct transport * -udp_bind(const struct sockaddr *addr) -{ - struct sockaddr *src; - - src = malloc(sysdep_sa_len((struct sockaddr *)addr)); - if (!src) - return 0; - - memcpy(src, addr, sysdep_sa_len((struct sockaddr *)addr)); - return udp_make(src); -} - -/* - * NAME is a section name found in the config database. Setup and return - * a transport useable to talk to the peer specified by that name. - */ -static struct transport * -udp_create(char *name) -{ - struct virtual_transport *v; - struct udp_transport *u; - struct transport *rv, *t; - struct sockaddr *dst, *addr; - char *addr_str, *port_str; - struct conf_list *addr_list = 0; - struct conf_list_node *addr_node; - - port_str = conf_get_str(name, "Port"); - if (!port_str) - port_str = udp_default_port; - if (!port_str) - port_str = UDP_DEFAULT_PORT_STR; - - addr_str = conf_get_str(name, "Address"); - if (!addr_str) { - log_print("udp_create: no address configured for \"%s\"", - name); - return 0; - } - if (text2sockaddr(addr_str, port_str, &dst)) { - log_print("udp_create: address \"%s\" not understood", - addr_str); - return 0; - } - addr_str = conf_get_str(name, "Local-address"); - if (!addr_str) - addr_list = conf_get_list("General", "Listen-on"); - if (!addr_str && !addr_list) { - v = virtual_get_default(dst->sa_family); - u = (struct udp_transport *)v->main; - - if (!u) { - log_print("udp_create: no default transport"); - rv = 0; - goto ret; - } else { - rv = udp_clone((struct transport *)u, dst); - if (rv) - rv->vtbl = &udp_transport_vtbl; - goto ret; - } - } - - if (addr_list) { - for (addr_node = TAILQ_FIRST(&addr_list->fields); - addr_node; addr_node = TAILQ_NEXT(addr_node, link)) - if (text2sockaddr(addr_node->field, port_str, &addr) - == 0) { - v = virtual_listen_lookup(addr); - free(addr); - if (v) { - addr_str = addr_node->field; - break; - } - } - if (!addr_str) { - log_print("udp_create: no matching listener found"); - rv = 0; - goto ret; - } - } - if (text2sockaddr(addr_str, port_str, &addr)) { - log_print("udp_create: address \"%s\" not understood", - addr_str); - rv = 0; - goto ret; - } - - v = virtual_listen_lookup(addr); - free(addr); - if (!v) { - log_print("udp_create: %s:%s must exist as a listener too", - addr_str, port_str); - rv = 0; - goto ret; - } - t = (struct transport *)v; - rv = udp_clone(v->main, dst); - if (rv) - rv->vtbl = &udp_transport_vtbl; - -ret: - if (addr_list) - conf_free_list(addr_list); - free(dst); - return rv; -} - -void -udp_remove(struct transport *t) -{ - struct udp_transport *u = (struct udp_transport *)t; - - if (u->src) - free(u->src); - if (u->dst) - free(u->dst); - if ((t->flags & TRANSPORT_LISTEN) && u->s >= 0) - close(u->s); - if (t->link.le_prev) - LIST_REMOVE(t, link); - - LOG_DBG((LOG_TRANSPORT, 90, "udp_remove: removed transport %p", t)); - free(t); -} - -/* Report transport-method specifics of the T transport. */ -void -udp_report(struct transport *t) -{ - struct udp_transport *u = (struct udp_transport *)t; - char *src = NULL, *dst = NULL; - in_port_t sport, dport; - - if (sockaddr2text(u->src, &src, 0)) - goto ret; - sport = sockaddr_port(u->src); - - if (!u->dst || sockaddr2text(u->dst, &dst, 0)) - dst = 0; - dport = dst ? sockaddr_port(u->dst) : 0; - - LOG_DBG((LOG_REPORT, 0, "udp_report: fd %d src %s:%u dst %s:%u", u->s, - src, ntohs(sport), dst ? dst : "<none>", ntohs(dport))); - -ret: - if (dst) - free(dst); - if (src) - free(src); -} - -/* - * A message has arrived on transport T's socket. If T is single-ended, - * clone it into a double-ended transport which we will use from now on. - * Package the message as we want it and continue processing in the message - * module. - */ -static void -udp_handle_message(struct transport *t) -{ - struct udp_transport *u = (struct udp_transport *)t; - u_int8_t buf[UDP_SIZE]; - struct sockaddr_storage from; - u_int32_t len = sizeof from; - ssize_t n; - struct message *msg; - - n = recvfrom(u->s, buf, UDP_SIZE, 0, (struct sockaddr *)&from, &len); - if (n == -1) { - log_error("recvfrom (%d, %p, %d, %d, %p, %p)", u->s, buf, - UDP_SIZE, 0, &from, &len); - return; - } - /* - * Make a specialized UDP transport structure out of the incoming - * transport and the address information we got from recvfrom(2). - */ - t = t->virtual->vtbl->clone(t->virtual, (struct sockaddr *)&from); - if (!t) - return; - - msg = message_alloc(t, buf, n); - if (!msg) { - log_error("failed to allocate message structure, dropping " - "packet received on transport %p", u); - t->vtbl->remove(t); - return; - } - message_recv(msg); -} - -/* Physically send the message MSG over its associated transport. */ -static int -udp_send_message(struct message *msg, struct transport *t) -{ - struct udp_transport *u = (struct udp_transport *)t; - ssize_t n; - struct msghdr m; - - /* - * Sending on connected sockets requires that no destination address is - * given, or else EISCONN will occur. - */ - m.msg_name = (caddr_t) u->dst; - m.msg_namelen = sysdep_sa_len(u->dst); - m.msg_iov = msg->iov; - m.msg_iovlen = msg->iovlen; - m.msg_control = 0; - m.msg_controllen = 0; - m.msg_flags = 0; - n = sendmsg(u->s, &m, 0); - if (n == -1) { - /* XXX We should check whether the address has gone away */ - log_error("sendmsg (%d, %p, %d)", u->s, &m, 0); - return -1; - } - return 0; -} - -int -udp_fd_set(struct transport *t, fd_set *fds, int bit) -{ - struct udp_transport *u = (struct udp_transport *)t; - - if (bit) - FD_SET(u->s, fds); - else - FD_CLR(u->s, fds); - - return u->s + 1; -} - -int -udp_fd_isset(struct transport *t, fd_set *fds) -{ - struct udp_transport *u = (struct udp_transport *)t; - - return FD_ISSET(u->s, fds); -} - -/* - * Get transport T's peer address and stuff it into the sockaddr pointed - * to by DST. - */ -void -udp_get_dst(struct transport *t, struct sockaddr **dst) -{ - *dst = ((struct udp_transport *)t)->dst; -} - -/* - * Get transport T's local address and stuff it into the sockaddr pointed - * to by SRC. Put its length into SRC_LEN. - */ -void -udp_get_src(struct transport *t, struct sockaddr **src) -{ - *src = ((struct udp_transport *)t)->src; -} - -char * -udp_decode_ids(struct transport *t) -{ - struct sockaddr *src, *dst; - static char result[1024]; - char idsrc[256], iddst[256]; - - t->vtbl->get_src(t, &src); - t->vtbl->get_dst(t, &dst); - - if (getnameinfo(src, sysdep_sa_len(src), idsrc, sizeof idsrc, NULL, 0, - NI_NUMERICHOST) != 0) { - log_print("udp_decode_ids: getnameinfo () failed for 'src'"); - strlcpy(idsrc, "<error>", 256); - } - if (getnameinfo(dst, sysdep_sa_len(dst), iddst, sizeof iddst, NULL, 0, - NI_NUMERICHOST) != 0) { - log_print("udp_decode_ids: getnameinfo () failed for 'dst'"); - strlcpy(iddst, "<error>", 256); - } - - snprintf(result, sizeof result, "src: %s dst: %s", idsrc, iddst); - return result; -} - -#if 0 -/* - * Take a string containing an ext representation of port and return a - * binary port number in host byte order. Return zero if anything goes wrong. - * XXX Currently unused. - */ -static in_port_t -udp_decode_port(char *port_str) -{ - char *port_str_end; - long port_long; - struct servent *service; - - port_long = ntohl(strtol(port_str, &port_str_end, 0)); - if (port_str == port_str_end) { - service = getservbyname(port_str, "udp"); - if (!service) { - log_print("udp_decode_port: service \"%s\" unknown", - port_str); - return 0; - } - return ntohs(service->s_port); - } else if (port_long < 1 || port_long > 65535) { - log_print("udp_decode_port: port %ld out of range", port_long); - return 0; - } - return port_long; -} -#endif diff --git a/keyexchange/isakmpd-20041012/udp.h b/keyexchange/isakmpd-20041012/udp.h deleted file mode 100644 index dd91a6c..0000000 --- a/keyexchange/isakmpd-20041012/udp.h +++ /dev/null @@ -1,52 +0,0 @@ -/* $OpenBSD: udp.h,v 1.10 2004/08/03 10:54:09 ho Exp $ */ -/* $EOM: udp.h,v 1.4 1998/12/22 02:23:43 niklas Exp $ */ - -/* - * Copyright (c) 1998 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _UDP_H_ -#define _UDP_H_ - -extern char *udp_default_port; -extern char *udp_bind_port; -extern int bind_family; - -#define BIND_FAMILY_INET4 0x0001 -#define BIND_FAMILY_INET6 0x0002 - -struct transport *udp_bind(const struct sockaddr *); -void udp_init(void); - -struct udp_transport { - struct transport transport; - struct sockaddr *src; - struct sockaddr *dst; - int s; -}; - -#endif /* _UDP_H_ */ diff --git a/keyexchange/isakmpd-20041012/udp_encap.c b/keyexchange/isakmpd-20041012/udp_encap.c deleted file mode 100644 index 92f6404..0000000 --- a/keyexchange/isakmpd-20041012/udp_encap.c +++ /dev/null @@ -1,473 +0,0 @@ -/* $OpenBSD: udp_encap.c,v 1.8 2004/09/24 13:31:04 ho Exp $ */ - -/* - * Copyright (c) 1998, 1999, 2001 Niklas Hallqvist. All rights reserved. - * Copyright (c) 2000 Angelos D. Keromytis. All rights reserved. - * Copyright (c) 2004 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include <sys/types.h> -#include <sys/ioctl.h> -#include <sys/socket.h> -#ifndef linux -#include <sys/sockio.h> -#endif -#include <net/if.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <ctype.h> -#include <err.h> -#include <limits.h> -#include <netdb.h> -#include <stdlib.h> -#include <string.h> -#include <unistd.h> - -#include "sysdep.h" - -#include "conf.h" -#include "if.h" -#include "ipsec_doi.h" -#include "isakmp.h" -#include "log.h" -#include "message.h" -#include "monitor.h" -#include "sysdep.h" -#include "transport.h" -#include "udp.h" -#include "udp_encap.h" -#include "util.h" -#include "virtual.h" - -#define UDP_SIZE 65536 - -#if defined(USE_NAT_TRAVERSAL) && defined (LINUX_IPSEC) -#include <linux/socket.h> -#include <linux/udp.h> -#endif - -/* If a system doesn't have SO_REUSEPORT, SO_REUSEADDR will have to do. */ -#ifndef SO_REUSEPORT -#define SO_REUSEPORT SO_REUSEADDR -#endif - -/* Reused, from udp.c */ -struct transport *udp_clone(struct transport *, struct sockaddr *); -int udp_fd_set(struct transport *, fd_set *, int); -int udp_fd_isset(struct transport *, fd_set *); -void udp_get_dst(struct transport *, struct sockaddr **); -void udp_get_src(struct transport *, struct sockaddr **); -char *udp_decode_ids(struct transport *); -void udp_remove(struct transport *); - -static struct transport *udp_encap_create(char *); -static void udp_encap_report(struct transport *); -static void udp_encap_handle_message(struct transport *); -static struct transport *udp_encap_make(struct sockaddr *); -static int udp_encap_send_message(struct message *, - struct transport *); - -static struct transport_vtbl udp_encap_transport_vtbl = { - { 0 }, "udp_encap", - udp_encap_create, - 0, - udp_remove, - udp_encap_report, - udp_fd_set, - udp_fd_isset, - udp_encap_handle_message, - udp_encap_send_message, - udp_get_dst, - udp_get_src, - udp_decode_ids, - udp_clone, - 0 -}; - -char *udp_encap_default_port = 0; -char *udp_encap_bind_port = 0; - -void -udp_encap_init(void) -{ - transport_method_add(&udp_encap_transport_vtbl); -} - -/* Create a UDP transport structure bound to LADDR just for listening. */ -static struct transport * -udp_encap_make(struct sockaddr *laddr) -{ - struct udp_transport *t = 0; - int s, on, wildcardaddress = 0; - char *tstr; - - t = calloc(1, sizeof *t); - if (!t) { - log_print("udp_encap_make: malloc (%lu) failed", - (unsigned long)sizeof *t); - return 0; - } - - s = socket(laddr->sa_family, SOCK_DGRAM, IPPROTO_UDP); - if (s == -1) { - log_error("udp_encap_make: socket (%d, %d, %d)", - laddr->sa_family, SOCK_DGRAM, IPPROTO_UDP); - goto err; - } - - /* Make sure we don't get our traffic encrypted. */ - if (sysdep_cleartext(s, laddr->sa_family) == -1) - goto err; - -#if defined(USE_NAT_TRAVERSAL) && defined (LINUX_IPSEC) - { -#ifndef SOL_UDP -#define SOL_UDP 17 -#endif - int option = UDP_ENCAP_ESPINUDP; - if(setsockopt(s, SOL_UDP, UDP_ENCAP, &option, - sizeof (option)) < 0) - goto err; - } -#endif - - /* Wildcard address ? */ - switch (laddr->sa_family) { - case AF_INET: - if (((struct sockaddr_in *)laddr)->sin_addr.s_addr - == INADDR_ANY) - wildcardaddress = 1; - break; - case AF_INET6: - if (IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6 *)laddr)->sin6_addr)) - wildcardaddress = 1; - break; - } - - /* - * In order to have several bound specific address-port combinations - * with the same port SO_REUSEADDR is needed. - * If this is a wildcard socket and we are not listening there, but - * only sending from it make sure it is entirely reuseable with - * SO_REUSEPORT. - */ - on = 1; - if (setsockopt(s, SOL_SOCKET, - wildcardaddress ? SO_REUSEPORT : SO_REUSEADDR, - (void *)&on, sizeof on) == -1) { - log_error("udp_encap_make: setsockopt (%d, %d, %d, %p, %lu)", - s, SOL_SOCKET, - wildcardaddress ? SO_REUSEPORT : SO_REUSEADDR, &on, - (unsigned long)sizeof on); - goto err; - } - - t->transport.vtbl = &udp_encap_transport_vtbl; - t->src = laddr; - if (monitor_bind(s, t->src, sysdep_sa_len (t->src))) { - if (sockaddr2text(t->src, &tstr, 0)) - log_error("udp_encap_make: bind (%d, %p, %lu)", s, - &t->src, (unsigned long)sizeof t->src); - else { - log_error("udp_encap_make: bind (%d, %s, %lu)", s, - tstr, (unsigned long)sizeof t->src); - free(tstr); - } - goto err; - } - - t->s = s; - if (sockaddr2text(t->src, &tstr, 0)) - LOG_DBG((LOG_MISC, 20, "udp_encap_make: " - "transport %p socket %d family %d", t, s, - t->src->sa_family == AF_INET ? 4 : 6)); - else { - LOG_DBG((LOG_MISC, 20, "udp_encap_make: " - "transport %p socket %d ip %s port %d", t, s, - tstr, ntohs(sockaddr_port(t->src)))); - free(tstr); - } - transport_setup(&t->transport, 0); - t->transport.flags |= TRANSPORT_LISTEN; - return &t->transport; - -err: - if (s >= 0) - close (s); - if (t) { - /* Already closed. */ - t->s = -1; - udp_remove(&t->transport); - } - return 0; -} - -/* - * Initialize an object of the UDP transport class. Fill in the local - * IP address and port information and create a server socket bound to - * that specific port. Add the polymorphic transport structure to the - * system-wide pools of known ISAKMP transports. - */ -struct transport * -udp_encap_bind(const struct sockaddr *addr) -{ - struct sockaddr *src = - malloc(sysdep_sa_len((struct sockaddr *)addr)); - - if (!src) - return 0; - - memcpy(src, addr, sysdep_sa_len((struct sockaddr *)addr)); - return udp_encap_make(src); -} - -/* - * NAME is a section name found in the config database. Setup and return - * a transport useable to talk to the peer specified by that name. - */ -static struct transport * -udp_encap_create(char *name) -{ - struct virtual_transport *v; - struct udp_transport *u; - struct transport *rv, *t; - struct sockaddr *dst, *addr; - struct conf_list *addr_list = 0; - struct conf_list_node *addr_node; - char *addr_str, *port_str; - - port_str = conf_get_str(name, "Port"); /* XXX "Encap-port" ? */ - if (!port_str) - port_str = udp_encap_default_port; - if (!port_str) - port_str = UDP_ENCAP_DEFAULT_PORT_STR; - - addr_str = conf_get_str(name, "Address"); - if (!addr_str) { - log_print("udp_encap_create: no address configured " - "for \"%s\"", name); - return 0; - } - if (text2sockaddr(addr_str, port_str, &dst)) { - log_print("udp_encap_create: address \"%s\" not understood", - addr_str); - return 0; - } - - addr_str = conf_get_str(name, "Local-address"); - if (!addr_str) - addr_list = conf_get_list("General", "Listen-on"); - if (!addr_str && !addr_list) { - v = virtual_get_default(dst->sa_family); - u = (struct udp_transport *)v->encap; - - if (!u) { - log_print("udp_encap_create: no default transport"); - rv = 0; - goto ret; - } else { - rv = udp_clone((struct transport *)u, dst); - if (rv) - rv->vtbl = &udp_encap_transport_vtbl; - goto ret; - } - } - - if (addr_list) { - for (addr_node = TAILQ_FIRST(&addr_list->fields); - addr_node; addr_node = TAILQ_NEXT(addr_node, link)) - if (text2sockaddr(addr_node->field, port_str, - &addr) == 0) { - v = virtual_listen_lookup(addr); - free(addr); - if (v) { - addr_str = addr_node->field; - break; - } - } - if (!addr_str) { - log_print("udp_encap_create: " - "no matching listener found"); - rv = 0; - goto ret; - } - } - if (text2sockaddr(addr_str, port_str, &addr)) { - log_print("udp_encap_create: " - "address \"%s\" not understood", addr_str); - rv = 0; - goto ret; - } - v = virtual_listen_lookup(addr); - free(addr); - if (!v) { - log_print("udp_encap_create: " - "%s:%s must exist as a listener too", addr_str, port_str); - rv = 0; - goto ret; - } - t = (struct transport *)v; - rv = udp_clone(v->encap, dst); - if (rv) - rv->vtbl = &udp_encap_transport_vtbl; - -ret: - if (addr_list) - conf_free_list(addr_list); - free(dst); - return rv; -} - -/* Report transport-method specifics of the T transport. */ -void -udp_encap_report(struct transport *t) -{ - struct udp_transport *u = (struct udp_transport *)t; - char *src, *dst; - in_port_t sport, dport; - - if (sockaddr2text(u->src, &src, 0)) - goto ret; - sport = sockaddr_port(u->src); - - if (!u->dst || sockaddr2text(u->dst, &dst, 0)) - dst = 0; - dport = dst ? sockaddr_port(u->dst) : 0; - - LOG_DBG ((LOG_REPORT, 0, "udp_encap_report: fd %d src %s:%u dst %s:%u", - u->s, src, ntohs(sport), dst ? dst : "*", ntohs(dport))); - - ret: - if (dst) - free(dst); - if (src) - free(src); -} - -/* - * A message has arrived on transport T's socket. If T is single-ended, - * clone it into a double-ended transport which we will use from now on. - * Package the message as we want it and continue processing in the message - * module. - */ -static void -udp_encap_handle_message(struct transport *t) -{ - struct udp_transport *u = (struct udp_transport *)t; - struct sockaddr_storage from; - struct message *msg; - u_int32_t len = sizeof from; - ssize_t n; - u_int8_t buf[UDP_SIZE]; - - n = recvfrom(u->s, buf, UDP_SIZE, 0, (struct sockaddr *)&from, &len); - if (n == -1) { - log_error("recvfrom (%d, %p, %d, %d, %p, %p)", u->s, buf, - UDP_SIZE, 0, &from, &len); - return; - } - - /* - * Make a specialized UDP transport structure out of the incoming - * transport and the address information we got from recvfrom(2). - */ - t = t->virtual->vtbl->clone(t->virtual, (struct sockaddr *)&from); - if (!t) - return; - - /* Check NULL-ESP marker. */ - if (n < (ssize_t)sizeof(u_int32_t) || *(u_int32_t *)buf != 0) { - /* Should never happen. */ - log_print("udp_encap_handle_message: " - "Null-ESP marker not NULL or short message"); - return; - } - - /* NAT-Keepalive messages should not be processed further. */ - n -= sizeof(u_int32_t); - if (n == 1 && buf[sizeof(u_int32_t)] == 0xFF) - return; - - msg = message_alloc(t, buf + sizeof (u_int32_t), n); - if (!msg) { - log_error("failed to allocate message structure, dropping " - "packet received on transport %p", u); - return; - } - message_recv(msg); -} - -/* - * Physically send the message MSG over its associated transport. - * Special: if 'msg' is NULL, send a NAT-T keepalive message. - */ -static int -udp_encap_send_message(struct message *msg, struct transport *t) -{ - struct udp_transport *u = (struct udp_transport *)t; - struct msghdr m; - struct iovec *new_iov = 0, keepalive; - ssize_t n; - u_int32_t marker = 0; /* NULL-ESP Marker */ - - if (msg) { - /* Construct new iov array, prefixing NULL-ESP Marker. */ - new_iov = (struct iovec *)calloc (msg->iovlen + 1, - sizeof *new_iov); - if (!new_iov) { - log_error ("udp_encap_send_message: " - "calloc (%lu, %lu) failed", - (unsigned long)msg->iovlen + 1, - (unsigned long)sizeof *new_iov); - return -1; - } - new_iov[0].iov_base = ▮ - new_iov[0].iov_len = IPSEC_SPI_SIZE; - memcpy (new_iov + 1, msg->iov, msg->iovlen * sizeof *new_iov); - } else { - marker = ~marker; - keepalive.iov_base = ▮ - keepalive.iov_len = 1; - } - - /* - * Sending on connected sockets requires that no destination address is - * given, or else EISCONN will occur. - */ - m.msg_name = (caddr_t)u->dst; - m.msg_namelen = sysdep_sa_len (u->dst); - m.msg_iov = msg ? new_iov : &keepalive; - m.msg_iovlen = msg ? msg->iovlen + 1 : 1; - m.msg_control = 0; - m.msg_controllen = 0; - m.msg_flags = 0; - n = sendmsg (u->s, &m, 0); - if (msg) - free (new_iov); - if (n == -1) { - /* XXX We should check whether the address has gone away */ - log_error ("sendmsg (%d, %p, %d)", u->s, &m, 0); - return -1; - } - return 0; -} diff --git a/keyexchange/isakmpd-20041012/udp_encap.h b/keyexchange/isakmpd-20041012/udp_encap.h deleted file mode 100644 index bb08db2..0000000 --- a/keyexchange/isakmpd-20041012/udp_encap.h +++ /dev/null @@ -1,37 +0,0 @@ -/* $OpenBSD: udp_encap.h,v 1.1 2004/06/20 15:24:05 ho Exp $ */ - -/* - * Copyright (c) 1998 Niklas Hallqvist. All rights reserved. - * Copyright (c) 2004 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#ifndef _UDP_ENCAP_H_ -#define _UDP_ENCAP_H_ - -struct transport *udp_encap_bind (const struct sockaddr *); -void udp_encap_init (void); - -extern char *udp_encap_default_port; -extern char *udp_encap_bind_port; - -#endif /* _UDP_H_ */ diff --git a/keyexchange/isakmpd-20041012/ui.c b/keyexchange/isakmpd-20041012/ui.c deleted file mode 100644 index 7167873..0000000 --- a/keyexchange/isakmpd-20041012/ui.c +++ /dev/null @@ -1,528 +0,0 @@ -/* $OpenBSD: ui.c,v 1.42 2004/08/08 19:11:06 deraadt Exp $ */ -/* $EOM: ui.c,v 1.43 2000/10/05 09:25:12 niklas Exp $ */ - -/* - * Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved. - * Copyright (c) 1999, 2000, 2001, 2002 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/types.h> -#include <sys/stat.h> -#include <fcntl.h> -#include <stdlib.h> -#include <string.h> -#include <unistd.h> -#include <errno.h> - -#include "sysdep.h" - -#include "conf.h" -#include "connection.h" -#include "doi.h" -#include "exchange.h" -#include "init.h" -#include "isakmp.h" -#include "log.h" -#include "monitor.h" -#include "sa.h" -#include "timer.h" -#include "transport.h" -#include "ui.h" -#include "util.h" - -#define BUF_SZ 256 - -/* from isakmpd.c */ -void daemon_shutdown_now(int); - -/* Report all SA configuration information. */ -void ui_report_sa(char *); - -static FILE *ui_open_result(void); - -char *ui_fifo = FIFO; -int ui_socket; -struct event *ui_cr_event = NULL; - -/* Create and open the FIFO used for user control. */ -void -ui_init(void) -{ - struct stat st; - - /* -f- means control messages comes in via stdin. */ - if (strcmp(ui_fifo, "-") == 0) { - ui_socket = 0; - return; - } - - /* Don't overwrite a file, i.e '-f /etc/isakmpd/isakmpd.conf'. */ - if (lstat(ui_fifo, &st) == 0) { - if ((st.st_mode & S_IFMT) == S_IFREG) { - errno = EEXIST; - log_fatal("ui_init: could not create FIFO \"%s\"", - ui_fifo); - } - } - - /* No need to know about errors. */ - unlink(ui_fifo); - if (mkfifo(ui_fifo, 0600) == -1) - log_fatal("ui_init: mkfifo (\"%s\", 0600) failed", ui_fifo); - - ui_socket = open(ui_fifo, O_RDWR | O_NONBLOCK, 0); - if (ui_socket == -1) - log_fatal("ui_init: open (\"%s\", O_RDWR | O_NONBLOCK, 0) " - "failed", ui_fifo); -} - -/* - * Setup a phase 2 connection. - * XXX Maybe phase 1 works too, but teardown won't work then, fix? - */ -static void -ui_connect(char *cmd) -{ - char name[81]; - - if (sscanf(cmd, "c %80s", name) != 1) { - log_print("ui_connect: command \"%s\" malformed", cmd); - return; - } - LOG_DBG((LOG_UI, 10, "ui_connect: setup connection \"%s\"", name)); - connection_setup(name); -} - -/* Tear down a phase 2 connection. */ -static void -ui_teardown(char *cmd) -{ - char name[81]; - struct sa *sa; - - if (sscanf(cmd, "t %80s", name) != 1) { - log_print("ui_teardown: command \"%s\" malformed", cmd); - return; - } - LOG_DBG((LOG_UI, 10, "ui_teardown: teardown connection \"%s\"", name)); - connection_teardown(name); - while ((sa = sa_lookup_by_name(name, 2)) != 0) - sa_delete(sa, 1); -} - -/* Tear down all phase 2 connections. */ -static void -ui_teardown_all(char *cmd) -{ - /* Skip 'cmd' as arg. */ - sa_teardown_all(); -} - -static void -ui_conn_reinit_event(void *v) -{ - /* - * This event is required for isakmpd to reinitialize the connection - * and passive-connection lists. Otherwise a change to the - * "[Phase 2]:Connections" tag will not have any effect. - */ - connection_reinit(); - - ui_cr_event = NULL; -} - -static void -ui_conn_reinit(void) -{ - struct timeval tv; - - if (ui_cr_event) - timer_remove_event(ui_cr_event); - - gettimeofday(&tv, 0); - tv.tv_sec += 5; - - ui_cr_event = timer_add_event("ui_conn_reinit", ui_conn_reinit_event, - 0, &tv); - if (!ui_cr_event) - log_print("ui_conn_reinit: timer_add_event() failed. " - "Connections will not be updated."); -} - -/* - * Call the configuration API. - * XXX Error handling! How to do multi-line transactions? Too short arbitrary - * limit on the parameters? - */ -static void -ui_config(char *cmd) -{ - char subcmd[81], section[81], tag[81], value[81], tmp[81]; - char *v, *nv; - int trans = 0, items, nvlen; - FILE *fd; - - if (sscanf(cmd, "C %80s", subcmd) != 1) - goto fail; - - if (strcasecmp(subcmd, "get") == 0) { - if (sscanf(cmd, "C %*s [%80[^]]]:%80s", section, tag) != 2) - goto fail; - v = conf_get_str(section, tag); - fd = ui_open_result(); - if (fd) { - if (v) - fprintf(fd, "%s\n", v); - fclose(fd); - } - LOG_DBG((LOG_UI, 30, "ui_config: \"%s\"", cmd)); - return; - } - - trans = conf_begin(); - if (strcasecmp(subcmd, "set") == 0) { - items = sscanf(cmd, "C %*s [%80[^]]]:%80[^=]=%80s %80s", - section, tag, value, tmp); - if (!(items == 3 || items == 4)) - goto fail; - conf_set(trans, section, tag, value, items == 4 ? 1 : 0, 0); - if (strcasecmp(section, "Phase 2") == 0 && - (strcasecmp(tag, "Connections") == 0 || - strcasecmp(tag, "Passive-connections") == 0)) - ui_conn_reinit(); - } else if (strcasecmp(subcmd, "add") == 0) { - items = sscanf(cmd, "C %*s [%80[^]]]:%80[^=]=%80s %80s", - section, tag, value, tmp); - if (!(items == 3 || items == 4)) - goto fail; - v = conf_get_str(section, tag); - if (!v) - conf_set(trans, section, tag, value, 1, 0); - else { - /* Add the new value to the end of the 'v' list. */ - nvlen = strlen(v) + strlen(value) + 2; - nv = (char *)malloc(nvlen); - if (!nv) { - log_error("ui_config: malloc(%d) failed", - nvlen); - if (trans) - conf_end(trans, 0); - return; - } - snprintf(nv, nvlen, - v[strlen(v) - 1] == ',' ? "%s%s" : "%s,%s", v, - value); - conf_set(trans, section, tag, nv, 1, 0); - free(nv); - } - if (strcasecmp(section, "Phase 2") == 0 && - (strcasecmp(tag, "Connections") == 0 || - strcasecmp(tag, "Passive-connections") == 0)) - ui_conn_reinit(); - } else if (strcasecmp(subcmd, "rm") == 0) { - if (sscanf(cmd, "C %*s [%80[^]]]:%80s", section, tag) != 2) - goto fail; - conf_remove(trans, section, tag); - } else if (strcasecmp(subcmd, "rms") == 0) { - if (sscanf(cmd, "C %*s [%80[^]]]", section) != 1) - goto fail; - conf_remove_section(trans, section); - } else - goto fail; - - LOG_DBG((LOG_UI, 30, "ui_config: \"%s\"", cmd)); - conf_end(trans, 1); - return; - -fail: - if (trans) - conf_end(trans, 0); - log_print("ui_config: command \"%s\" malformed", cmd); -} - -static void -ui_delete(char *cmd) -{ - char cookies_str[ISAKMP_HDR_COOKIES_LEN * 2 + 1]; - char message_id_str[ISAKMP_HDR_MESSAGE_ID_LEN * 2 + 1]; - u_int8_t cookies[ISAKMP_HDR_COOKIES_LEN]; - u_int8_t message_id_buf[ISAKMP_HDR_MESSAGE_ID_LEN]; - u_int8_t *message_id = message_id_buf; - struct sa *sa; - - if (sscanf(cmd, "d %32s %8s", cookies_str, message_id_str) != 2) { - log_print("ui_delete: command \"%s\" malformed", cmd); - return; - } - if (strcmp(message_id_str, "-") == 0) - message_id = 0; - - if (hex2raw(cookies_str, cookies, ISAKMP_HDR_COOKIES_LEN) == -1 || - (message_id && hex2raw(message_id_str, message_id_buf, - ISAKMP_HDR_MESSAGE_ID_LEN) == -1)) { - log_print("ui_delete: command \"%s\" has bad arguments", cmd); - return; - } - sa = sa_lookup(cookies, message_id); - if (!sa) { - log_print("ui_delete: command \"%s\" found no SA", cmd); - return; - } - LOG_DBG((LOG_UI, 20, - "ui_delete: deleting SA for cookie \"%s\" msgid \"%s\"", - cookies_str, message_id_str)); - sa_delete(sa, 1); -} - -#ifdef USE_DEBUG -/* Parse the debug command found in CMD. */ -static void -ui_debug(char *cmd) -{ - int cls, level; - char subcmd[3]; - - if (sscanf(cmd, "D %d %d", &cls, &level) == 2) { - log_debug_cmd(cls, level); - return; - } else if (sscanf(cmd, "D %2s %d", subcmd, &level) == 2) { - switch (subcmd[0]) { - case 'A': - for (cls = 0; cls < LOG_ENDCLASS; cls++) - log_debug_cmd(cls, level); - return; - } - } else if (sscanf(cmd, "D %2s", subcmd) == 1) { - switch (subcmd[0]) { - case 'T': - log_debug_toggle(); - return; - } - } - log_print("ui_debug: command \"%s\" malformed", cmd); - return; -} - -static void -ui_packetlog(char *cmd) -{ - char subcmd[81]; - - if (sscanf(cmd, "p %80s", subcmd) != 1) - goto fail; - - if (strncasecmp(subcmd, "on=", 3) == 0) { - /* Start capture to a new file. */ - if (subcmd[strlen(subcmd) - 1] == '\n') - subcmd[strlen(subcmd) - 1] = 0; - log_packet_restart(subcmd + 3); - } else if (strcasecmp(subcmd, "on") == 0) - log_packet_restart(NULL); - else if (strcasecmp(subcmd, "off") == 0) - log_packet_stop(); - return; - -fail: - log_print("ui_packetlog: command \"%s\" malformed", cmd); -} -#endif /* USE_DEBUG */ - -static void -ui_shutdown_daemon(char *cmd) -{ - if (strlen(cmd) == 1) { - log_print("ui_shutdown_daemon: received shutdown command"); - daemon_shutdown_now(0); - } else - log_print("ui_shutdown_daemon: command \"%s\" malformed", cmd); -} - -/* Report SAs and ongoing exchanges. */ -void -ui_report(char *cmd) -{ - /* XXX Skip 'cmd' as arg? */ - sa_report(); - exchange_report(); - transport_report(); - connection_report(); - timer_report(); - conf_report(); -} - -/* Report all SA configuration information. */ -void -ui_report_sa(char *cmd) -{ - /* Skip 'cmd' as arg? */ - - FILE *fd = ui_open_result(); - if (!fd) - return; - - sa_report_all(fd); - - fclose(fd); -} - -/* - * Call the relevant command handler based on the first character of the - * line (the command). - */ -static void -ui_handle_command(char *line) -{ - /* Find out what one-letter command was sent. */ - switch (line[0]) { - case 'c': - ui_connect(line); - break; - - case 'C': - ui_config(line); - break; - - case 'd': - ui_delete(line); - break; - -#ifdef USE_DEBUG - case 'D': - ui_debug(line); - break; - - case 'p': - ui_packetlog(line); - break; -#endif - - case 'Q': - ui_shutdown_daemon(line); - break; - - case 'R': - reinit(); - break; - - case 'S': - ui_report_sa(line); - break; - - case 'r': - ui_report(line); - break; - - case 't': - ui_teardown(line); - break; - - case 'T': - ui_teardown_all(line); - break; - - default: - log_print("ui_handle_messages: unrecognized command: '%c'", - line[0]); - } -} - -/* - * A half-complex implementation of reading from a file descriptor - * line by line without resorting to stdio which apparently have - * troubles with non-blocking fifos. - */ -void -ui_handler(void) -{ - static char *buf = 0; - static char *p; - static size_t sz; - static size_t resid; - ssize_t n; - char *new_buf; - - /* If no buffer, set it up. */ - if (!buf) { - sz = BUF_SZ; - buf = malloc(sz); - if (!buf) { - log_print("ui_handler: malloc (%lu) failed", - (unsigned long)sz); - return; - } - p = buf; - resid = sz; - } - /* If no place left in the buffer reallocate twice as large. */ - if (!resid) { - new_buf = realloc(buf, sz * 2); - if (!new_buf) { - log_print("ui_handler: realloc (%p, %lu) failed", buf, - (unsigned long)sz * 2); - free(buf); - buf = 0; - return; - } - buf = new_buf; - p = buf + sz; - resid = sz; - sz *= 2; - } - n = read(ui_socket, p, resid); - if (n == -1) { - log_error("ui_handler: read (%d, %p, %lu)", ui_socket, p, - (unsigned long)resid); - return; - } - if (!n) - return; - resid -= n; - while (n--) { - /* - * When we find a newline, cut off the line and feed it to the - * command processor. Then move the rest up-front. - */ - if (*p == '\n') { - *p = '\0'; - ui_handle_command(buf); - memcpy(buf, p + 1, n); - p = buf; - resid = sz - n; - continue; - } - p++; - } -} - -static FILE * -ui_open_result(void) -{ - FILE *fd = monitor_fopen(RESULT_FILE, "w"); - if (!fd) - log_error("ui_open_result: fopen() failed"); - return fd; -} diff --git a/keyexchange/isakmpd-20041012/ui.h b/keyexchange/isakmpd-20041012/ui.h deleted file mode 100644 index db9de7f..0000000 --- a/keyexchange/isakmpd-20041012/ui.h +++ /dev/null @@ -1,45 +0,0 @@ -/* $OpenBSD: ui.h,v 1.7 2004/05/13 06:56:34 ho Exp $ */ -/* $EOM: ui.h,v 1.5 1998/12/01 10:20:12 niklas Exp $ */ - -/* - * Copyright (c) 1998 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _UI_H_ -#define _UI_H_ - -#define FIFO "/var/run/isakmpd.fifo" -#define RESULT_FILE "/var/run/isakmpd.result" - -extern char *ui_fifo; -extern int ui_socket; - -extern void ui_handler(void); -extern void ui_init(void); -extern void ui_report(char *); - -#endif /* _UI_H_ */ diff --git a/keyexchange/isakmpd-20041012/util.c b/keyexchange/isakmpd-20041012/util.c deleted file mode 100644 index 6504cb2..0000000 --- a/keyexchange/isakmpd-20041012/util.c +++ /dev/null @@ -1,485 +0,0 @@ -/* $OpenBSD: util.c,v 1.48 2004/08/08 19:11:06 deraadt Exp $ */ -/* $EOM: util.c,v 1.23 2000/11/23 12:22:08 niklas Exp $ */ - -/* - * Copyright (c) 1998, 1999, 2001 Niklas Hallqvist. All rights reserved. - * Copyright (c) 2000, 2001, 2004 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#include <sys/types.h> -#include <sys/socket.h> -#include <sys/stat.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <limits.h> -#include <netdb.h> -#include <stdlib.h> -#include <string.h> -#include <unistd.h> -#include <errno.h> - -#include "sysdep.h" - -#include "log.h" -#include "message.h" -#include "monitor.h" -#include "sysdep.h" -#include "transport.h" -#include "util.h" - -/* - * Set if -N is given, allowing name lookups to be done, possibly stalling - * the daemon for quite a while. - */ -int allow_name_lookups = 0; - -/* - * This is set to true in case of regression-test mode, when it will - * cause predictable random numbers be generated. - */ -int regrand = 0; - -/* - * If in regression-test mode, this is the seed used. - */ -u_long seed; - -/* - * XXX These might be turned into inlines or macros, maybe even - * machine-dependent ones, for performance reasons. - */ -u_int16_t -decode_16(u_int8_t *cp) -{ - return cp[0] << 8 | cp[1]; -} - -u_int32_t -decode_32(u_int8_t *cp) -{ - return cp[0] << 24 | cp[1] << 16 | cp[2] << 8 | cp[3]; -} - -u_int64_t -decode_64(u_int8_t *cp) -{ - return (u_int64_t) cp[0] << 56 | (u_int64_t) cp[1] << 48 | - (u_int64_t) cp[2] << 40 | (u_int64_t) cp[3] << 32 | - cp[4] << 24 | cp[5] << 16 | cp[6] << 8 | cp[7]; -} - -#if 0 -/* - * XXX I severly doubt that we will need this. IPv6 does not have the legacy - * of representation in host byte order, AFAIK. - */ - -void -decode_128(u_int8_t *cp, u_int8_t *cpp) -{ -#if BYTE_ORDER == LITTLE_ENDIAN - int i; - - for (i = 0; i < 16; i++) - cpp[i] = cp[15 - i]; -#elif BYTE_ORDER == BIG_ENDIAN - bcopy(cp, cpp, 16); -#else -#error "Byte order unknown!" -#endif -} -#endif - -void -encode_16(u_int8_t *cp, u_int16_t x) -{ - *cp++ = x >> 8; - *cp = x & 0xff; -} - -void -encode_32(u_int8_t *cp, u_int32_t x) -{ - *cp++ = x >> 24; - *cp++ = (x >> 16) & 0xff; - *cp++ = (x >> 8) & 0xff; - *cp = x & 0xff; -} - -void -encode_64(u_int8_t *cp, u_int64_t x) -{ - *cp++ = x >> 56; - *cp++ = (x >> 48) & 0xff; - *cp++ = (x >> 40) & 0xff; - *cp++ = (x >> 32) & 0xff; - *cp++ = (x >> 24) & 0xff; - *cp++ = (x >> 16) & 0xff; - *cp++ = (x >> 8) & 0xff; - *cp = x & 0xff; -} - -#if 0 -/* - * XXX I severly doubt that we will need this. IPv6 does not have the legacy - * of representation in host byte order, AFAIK. - */ - -void -encode_128(u_int8_t *cp, u_int8_t *cpp) -{ - decode_128(cpp, cp); -} -#endif - -/* Check a buffer for all zeroes. */ -int -zero_test(const u_int8_t *p, size_t sz) -{ - while (sz-- > 0) - if (*p++ != 0) - return 0; - return 1; -} - -/* Check a buffer for all ones. */ -int -ones_test(const u_int8_t *p, size_t sz) -{ - while (sz-- > 0) - if (*p++ != 0xff) - return 0; - return 1; -} - -/* - * Generate a random data, len bytes long. - */ -u_int8_t * -getrandom(u_int8_t *buf, size_t len) -{ - u_int32_t tmp = 0; - size_t i; - - for (i = 0; i < len; i++) { - if (i % sizeof tmp == 0) - tmp = sysdep_random(); - - buf[i] = tmp & 0xff; - tmp >>= 8; - } - - return buf; -} - -static __inline int -hex2nibble(char c) -{ - if (c >= '0' && c <= '9') - return c - '0'; - if (c >= 'a' && c <= 'f') - return c - 'a' + 10; - if (c >= 'A' && c <= 'F') - return c - 'A' + 10; - return -1; -} - -/* - * Convert hexadecimal string in S to raw binary buffer at BUF sized SZ - * bytes. Return 0 if everything is OK, -1 otherwise. - */ -int -hex2raw(char *s, u_int8_t *buf, size_t sz) -{ - u_int8_t *bp; - char *p; - int tmp; - - if (strlen(s) > sz * 2) - return -1; - for (p = s + strlen(s) - 1, bp = &buf[sz - 1]; bp >= buf; bp--) { - *bp = 0; - if (p >= s) { - tmp = hex2nibble(*p--); - if (tmp == -1) - return -1; - *bp = tmp; - } - if (p >= s) { - tmp = hex2nibble(*p--); - if (tmp == -1) - return -1; - *bp |= tmp << 4; - } - } - return 0; -} - -int -text2sockaddr(char *address, char *port, struct sockaddr **sa) -{ - struct addrinfo *ai, hints; - - memset(&hints, 0, sizeof hints); - if (!allow_name_lookups) - hints.ai_flags = AI_NUMERICHOST; - hints.ai_family = PF_UNSPEC; - hints.ai_socktype = SOCK_DGRAM; - hints.ai_protocol = IPPROTO_UDP; - - if (getaddrinfo(address, port, &hints, &ai)) - return -1; - - *sa = malloc(sysdep_sa_len(ai->ai_addr)); - if (!*sa) { - freeaddrinfo(ai); - return -1; - } - - memcpy(*sa, ai->ai_addr, sysdep_sa_len(ai->ai_addr)); - freeaddrinfo(ai); - return 0; -} - -/* - * Convert a sockaddr to text. With zflag non-zero fill out with zeroes, - * i.e 10.0.0.10 --> "010.000.000.010" - */ -int -sockaddr2text(struct sockaddr *sa, char **address, int zflag) -{ - char buf[NI_MAXHOST], *token, *bstart, *ep; - int addrlen, i, j; - long val; - - if (getnameinfo(sa, sysdep_sa_len(sa), buf, sizeof buf, 0, 0, - allow_name_lookups ? 0 : NI_NUMERICHOST)) - return -1; - - if (zflag == 0) { - *address = strdup(buf); - if (!*address) - return -1; - } else - switch (sa->sa_family) { - case AF_INET: - addrlen = sizeof "000.000.000.000"; - *address = malloc(addrlen); - if (!*address) - return -1; - buf[addrlen] = '\0'; - bstart = buf; - **address = '\0'; - while ((token = strsep(&bstart, ".")) != NULL) { - if (strlen(*address) > 12) { - free(*address); - return -1; - } - val = strtol(token, &ep, 10); - if (ep == token || val < (long)0 || - val > (long)UCHAR_MAX) { - free(*address); - return -1; - } - snprintf(*address + strlen(*address), - addrlen - strlen(*address), "%03ld", val); - if (bstart) - strlcat(*address, ".", addrlen); - } - break; - - case AF_INET6: - /* - * XXX In the algorithm below there are some magic - * numbers we probably could give explaining names. - */ - addrlen = - sizeof "0000:0000:0000:0000:0000:0000:0000:0000"; - *address = malloc(addrlen); - if (!*address) - return -1; - - for (i = 0, j = 0; i < 8; i++) { - snprintf((*address) + j, addrlen - j, - "%02x%02x", - ((struct sockaddr_in6 *)sa)->sin6_addr.s6_addr[2*i], - ((struct sockaddr_in6 *)sa)->sin6_addr.s6_addr[2*i + 1]); - j += 4; - (*address)[j] = - (j < (addrlen - 1)) ? ':' : '\0'; - j++; - } - break; - - default: - *address = strdup("<error>"); - if (!*address) - return -1; - } - - return 0; -} - -/* - * sockaddr_addrlen and sockaddr_addrdata return the relevant sockaddr info - * depending on address family. Useful to keep other code shorter(/clearer?). - */ -int -sockaddr_addrlen(struct sockaddr *sa) -{ - switch (sa->sa_family) { - case AF_INET6: - return sizeof((struct sockaddr_in6 *)sa)->sin6_addr.s6_addr; - case AF_INET: - return sizeof((struct sockaddr_in *)sa)->sin_addr.s_addr; - default: - log_print("sockaddr_addrlen: unsupported protocol family %d", - sa->sa_family); - return 0; - } -} - -u_int8_t * -sockaddr_addrdata(struct sockaddr *sa) -{ - switch (sa->sa_family) { - case AF_INET6: - return (u_int8_t *)&((struct sockaddr_in6 *)sa)->sin6_addr.s6_addr; - case AF_INET: - return (u_int8_t *)&((struct sockaddr_in *)sa)->sin_addr.s_addr; - default: - log_print("sockaddr_addrdata: unsupported protocol family %d", - sa->sa_family); - return 0; - } -} - -in_port_t -sockaddr_port(struct sockaddr *sa) -{ - switch (sa->sa_family) { - case AF_INET6: - return ((struct sockaddr_in6 *)sa)->sin6_port; - case AF_INET: - return ((struct sockaddr_in *)sa)->sin_port; - default: - log_print("sockaddr_port: unsupported protocol family %d", - sa->sa_family); - return 0; - } -} - -/* Utility function used to set the port of a sockaddr. */ -void -sockaddr_set_port(struct sockaddr *sa, in_port_t port) -{ - switch (sa->sa_family) { - case AF_INET: - ((struct sockaddr_in *)sa)->sin_port = htons (port); - break; - - case AF_INET6: - ((struct sockaddr_in6 *)sa)->sin6_port = htons (port); - break; - } -} - -/* - * Convert network address to text. The network address does not need - * to be properly aligned. - */ -void -util_ntoa(char **buf, int af, u_int8_t *addr) -{ - struct sockaddr_storage from; - struct sockaddr *sfrom = (struct sockaddr *) & from; - socklen_t fromlen = sizeof from; - - memset(&from, 0, fromlen); - sfrom->sa_family = af; -#ifndef USE_OLD_SOCKADDR - switch (af) { - case AF_INET: - sfrom->sa_len = sizeof(struct sockaddr_in); - break; - case AF_INET6: - sfrom->sa_len = sizeof(struct sockaddr_in6); - break; - } -#endif - memcpy(sockaddr_addrdata(sfrom), addr, sockaddr_addrlen(sfrom)); - - if (sockaddr2text(sfrom, buf, 0)) { - log_print("util_ntoa: could not make printable address out " - "of sockaddr %p", sfrom); - *buf = 0; - } -} - -/* - * Perform sanity check on files containing secret information. - * Returns -1 on failure, 0 otherwise. - * Also, if FILE_SIZE is a not a null pointer, store file size here. - */ - -int -check_file_secrecy_fd(int fd, char *name, size_t *file_size) -{ - struct stat st; - - if (fstat(fd, &st) == -1) { - log_error("check_file_secrecy: stat (\"%s\") failed", name); - return -1; - } - if (st.st_uid != 0 && st.st_uid != getuid()) { - log_print("check_file_secrecy_fd: " - "not loading %s - file owner is not process user", name); - errno = EPERM; - return -1; - } - if ((st.st_mode & (S_IRWXG | S_IRWXO)) != 0) { - log_print("check_file_secrecy_fd: not loading %s - too open " - "permissions", name); - errno = EPERM; - return -1; - } - if (file_size) - *file_size = (size_t)st.st_size; - - return 0; -} - -/* Special for compiling with Boehms GC. See Makefile and sysdep.h */ -#if defined (USE_BOEHM_GC) -char * -gc_strdup(const char *x) -{ - char *strcpy(char *,const char *); - char *y = malloc(strlen(x) + 1); - return strcpy(y,x); -} -#endif diff --git a/keyexchange/isakmpd-20041012/util.h b/keyexchange/isakmpd-20041012/util.h deleted file mode 100644 index b370ff2..0000000 --- a/keyexchange/isakmpd-20041012/util.h +++ /dev/null @@ -1,70 +0,0 @@ -/* $OpenBSD: util.h,v 1.21 2004/06/23 03:01:53 hshoexer Exp $ */ -/* $EOM: util.h,v 1.10 2000/10/24 13:33:39 niklas Exp $ */ - -/* - * Copyright (c) 1998 Niklas Hallqvist. All rights reserved. - * Copyright (c) 2001, 2004 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _UTIL_H_ -#define _UTIL_H_ - -#include <sys/types.h> - -extern int allow_name_lookups; -extern int regrand; -extern unsigned long seed; - -struct message; -struct sockaddr; - -extern int check_file_secrecy_fd(int, char *, size_t *); -extern u_int16_t decode_16(u_int8_t *); -extern u_int32_t decode_32(u_int8_t *); -extern u_int64_t decode_64(u_int8_t *); -#if 0 -extern void decode_128(u_int8_t *, u_int8_t *); -#endif -extern void encode_16(u_int8_t *, u_int16_t); -extern void encode_32(u_int8_t *, u_int32_t); -extern void encode_64(u_int8_t *, u_int64_t); -#if 0 -extern void encode_128(u_int8_t *, u_int8_t *); -#endif -extern u_int8_t *getrandom(u_int8_t *, size_t); -extern int hex2raw(char *, u_int8_t *, size_t); -extern int ones_test(const u_int8_t *, size_t); -extern int sockaddr2text(struct sockaddr *, char **, int); -extern u_int8_t *sockaddr_addrdata(struct sockaddr *); -extern int sockaddr_addrlen(struct sockaddr *); -extern in_port_t sockaddr_port(struct sockaddr *); -extern void sockaddr_set_port(struct sockaddr *, in_port_t); -extern int text2sockaddr(char *, char *, struct sockaddr **); -extern void util_ntoa(char **, int, u_int8_t *); -extern int zero_test(const u_int8_t *, size_t); - -#endif /* _UTIL_H_ */ diff --git a/keyexchange/isakmpd-20041012/virtual.c b/keyexchange/isakmpd-20041012/virtual.c deleted file mode 100644 index d6132fe..0000000 --- a/keyexchange/isakmpd-20041012/virtual.c +++ /dev/null @@ -1,722 +0,0 @@ -/* $OpenBSD: virtual.c,v 1.9 2004/09/20 21:36:50 hshoexer Exp $ */ - -/* - * Copyright (c) 2004 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include <sys/types.h> -#include <sys/ioctl.h> -#include <sys/socket.h> -#ifndef linux -#include <sys/sockio.h> -#endif -#include <net/if.h> -#include <netinet/in.h> -#include <arpa/inet.h> -#include <ctype.h> -#include <err.h> -#include <limits.h> -#include <netdb.h> -#include <stdlib.h> -#include <string.h> -#include <unistd.h> - -#include "conf.h" -#include "if.h" -#include "exchange.h" -#include "log.h" -#include "transport.h" -#include "virtual.h" -#include "udp.h" -#include "util.h" - -#if defined (USE_NAT_TRAVERSAL) -#include "udp_encap.h" -#endif - -static struct transport *virtual_bind(const struct sockaddr *); -static struct transport *virtual_bind_ADDR_ANY(sa_family_t); -static int virtual_bind_if(char *, struct sockaddr *, void *); -static struct transport *virtual_clone(struct transport *, struct sockaddr *); -static struct transport *virtual_create(char *); -static char *virtual_decode_ids (struct transport *); -static void virtual_get_dst(struct transport *, - struct sockaddr **); -static struct msg_head *virtual_get_queue(struct message *); -static void virtual_get_src(struct transport *, - struct sockaddr **); -static void virtual_handle_message(struct transport *); -static void virtual_reinit(void); -static void virtual_remove(struct transport *); -static void virtual_report(struct transport *); -static int virtual_send_message(struct message *, - struct transport *); - -static struct transport_vtbl virtual_transport_vtbl = { - { 0 }, "udp", - virtual_create, - virtual_reinit, - virtual_remove, - virtual_report, - 0, - 0, - virtual_handle_message, - virtual_send_message, - virtual_get_dst, - virtual_get_src, - virtual_decode_ids, - virtual_clone, - virtual_get_queue -}; - -static LIST_HEAD (virtual_listen_list, virtual_transport) virtual_listen_list; -static struct transport *default_transport, *default_transport6; - -void -virtual_init(void) -{ - struct conf_list *listen_on; - - LIST_INIT(&virtual_listen_list); - - transport_method_add(&virtual_transport_vtbl); - - /* Bind the ISAKMP port(s) on all network interfaces we have. */ - if (if_map(virtual_bind_if, 0) == -1) - log_fatal("virtual_init: " - "could not bind the ISAKMP port(s) on all interfaces"); - - /* Only listen to the specified address if Listen-on is configured */ - listen_on = conf_get_list("General", "Listen-on"); - if (listen_on) { - LOG_DBG((LOG_TRANSPORT, 50, - "virtual_init: not binding ISAKMP port(s) to ADDR_ANY")); - conf_free_list(listen_on); - return; - } - - /* - * Bind to INADDR_ANY in case of new addresses popping up. - * Packet reception on this transport is taken as a hint to reprobe the - * interface list. - */ - if (!bind_family || (bind_family & BIND_FAMILY_INET4)) { - default_transport = virtual_bind_ADDR_ANY(AF_INET); - if (!default_transport) - return; - LIST_INSERT_HEAD(&virtual_listen_list, - (struct virtual_transport *)default_transport, link); - transport_reference(default_transport); - } - - if (!bind_family || (bind_family & BIND_FAMILY_INET6)) { - default_transport6 = virtual_bind_ADDR_ANY(AF_INET6); - if (!default_transport6) - return; - LIST_INSERT_HEAD(&virtual_listen_list, - (struct virtual_transport *)default_transport6, link); - transport_reference(default_transport6); - } - - return; -} - -struct virtual_transport * -virtual_get_default(sa_family_t af) -{ - switch (af) { - case AF_INET: - return (struct virtual_transport *)default_transport; - case AF_INET6: - return (struct virtual_transport *)default_transport6; - default: - return 0; - } -} - -/* - * Probe the interface list and determine what new interfaces have - * appeared. - * - * At the same time, we try to determine whether existing interfaces have - * been rendered invalid; we do this by marking all virtual transports before - * we call virtual_bind_if () through if_map (), and then releasing those - * transports that have not been unmarked. - */ -void -virtual_reinit(void) -{ - struct virtual_transport *v, *v2; - - /* Mark all UDP transports, except the default ones. */ - for (v = LIST_FIRST(&virtual_listen_list); v; v = LIST_NEXT(v, link)) - if (&v->transport != default_transport - && &v->transport != default_transport6) - v->transport.flags |= TRANSPORT_MARK; - - /* Re-probe interface list. */ - if (if_map(virtual_bind_if, 0) == -1) - log_print("virtual_init: " - "could not bind the ISAKMP port(s) on all interfaces"); - - /* - * Release listening transports for local addresses that no - * longer exist. virtual_bind_if () will have left those still marked. - */ - v = LIST_FIRST(&virtual_listen_list); - while (v) { - v2 = LIST_NEXT(v, link); - if (v->transport.flags & TRANSPORT_MARK) { - LIST_REMOVE(v, link); - transport_release(&v->transport); - } - v = v2; - } -} - -struct virtual_transport * -virtual_listen_lookup(struct sockaddr *addr) -{ - struct virtual_transport *v; - struct udp_transport *u; - - for (v = LIST_FIRST(&virtual_listen_list); v; - v = LIST_NEXT(v, link)) { - if (!(u = (struct udp_transport *)v->main)) - if (!(u = (struct udp_transport *)v->encap)) { - log_print("virtual_listen_lookup: " - "virtual %p has no low-level transports", - v); - continue; - } - - if (u->src->sa_family == addr->sa_family - && sockaddr_addrlen(u->src) == sockaddr_addrlen(addr) - && memcmp(sockaddr_addrdata (u->src), - sockaddr_addrdata(addr), - sockaddr_addrlen(addr)) == 0) - return v; - } - - LOG_DBG((LOG_TRANSPORT, 40, "virtual_listen_lookup: no match")); - return 0; -} - -/* - * Initialize an object of the VIRTUAL transport class. - */ -static struct transport * -virtual_bind(const struct sockaddr *addr) -{ - struct virtual_transport *v; - struct sockaddr_storage tmp_sa; - char *port; - char *ep; - long lport; - - v = (struct virtual_transport *)calloc(1, sizeof *v); - if (!v) { - log_error("virtual_bind: calloc(1, %lu) failed", - (unsigned long)sizeof *v); - return 0; - } - - v->transport.vtbl = &virtual_transport_vtbl; - - memcpy(&tmp_sa, addr, sysdep_sa_len((struct sockaddr *)addr)); - - /* - * Get port. - * XXX Use getservbyname too. - */ - port = udp_default_port ? udp_default_port : UDP_DEFAULT_PORT_STR; - lport = strtol(port, &ep, 10); - if (*ep != '\0' || lport < 0 || lport > (long)USHRT_MAX) { - log_print("virtual_bind: " - "port string \"%s\" not convertible to in_port_t", port); - free(v); - return 0; - } - - sockaddr_set_port((struct sockaddr *)&tmp_sa, (in_port_t)lport); - v->main = udp_bind((struct sockaddr *)&tmp_sa); - if (!v->main) { - free(v); - return 0; - } - ((struct transport *)v->main)->virtual = (struct transport *)v; - -#if defined (USE_NAT_TRAVERSAL) - memcpy(&tmp_sa, addr, sysdep_sa_len((struct sockaddr *)addr)); - - /* - * Get port. - * XXX Use getservbyname too. - */ - port = udp_encap_default_port - ? udp_encap_default_port : UDP_ENCAP_DEFAULT_PORT_STR; - lport = strtol(port, &ep, 10); - if (*ep != '\0' || lport < 0 || lport > (long)USHRT_MAX) { - log_print("virtual_bind: " - "port string \"%s\" not convertible to in_port_t", port); - v->main->vtbl->remove(v->main); - free(v); - return 0; - } - - sockaddr_set_port((struct sockaddr *)&tmp_sa, (in_port_t)lport); - v->encap = udp_encap_bind((struct sockaddr *)&tmp_sa); - if (!v->encap) { - v->main->vtbl->remove(v->main); - free(v); - return 0; - } - ((struct transport *)v->encap)->virtual = (struct transport *)v; -#endif - v->encap_is_active = 0; - - transport_setup(&v->transport, 1); - v->transport.flags |= TRANSPORT_LISTEN; - - return (struct transport *)v; -} - -static struct transport * -virtual_bind_ADDR_ANY(sa_family_t af) -{ - struct sockaddr_storage dflt_stor; - struct sockaddr_in *d4 = (struct sockaddr_in *)&dflt_stor; - struct sockaddr_in6 *d6 = (struct sockaddr_in6 *)&dflt_stor; - struct transport *t; - struct in6_addr in6addr_any = IN6ADDR_ANY_INIT; - - memset(&dflt_stor, 0, sizeof dflt_stor); - switch (af) { - case AF_INET: - d4->sin_family = af; -#if !defined (LINUX_IPSEC) - d4->sin_len = sizeof(struct sockaddr_in); -#endif - d4->sin_addr.s_addr = INADDR_ANY; - break; - - case AF_INET6: - d6->sin6_family = af; -#if !defined (LINUX_IPSEC) - d6->sin6_len = sizeof(struct sockaddr_in6); -#endif - memcpy(&d6->sin6_addr.s6_addr, &in6addr_any, - sizeof in6addr_any); - break; - } - - t = virtual_bind((struct sockaddr *)&dflt_stor); - if (!t) - log_error("virtual_bind_ADDR_ANY: " - "could not allocate default IPv%s ISAKMP port(s)", - af == AF_INET ? "4" : "6"); - return t; -} - -static int -virtual_bind_if(char *ifname, struct sockaddr *if_addr, void *arg) -{ - struct conf_list *listen_on; - struct virtual_transport *v; - struct conf_list_node *address; - struct sockaddr *addr; - struct transport *t; - struct ifreq flags_ifr; - char *addr_str; - int s, error; - -#if defined (USE_DEBUG) - if (sockaddr2text(if_addr, &addr_str, 0)) - addr_str = 0; - - LOG_DBG((LOG_TRANSPORT, 90, - "virtual_bind_if: interface %s family %s address %s", - ifname ? ifname : "<unknown>", - if_addr->sa_family == AF_INET ? "v4" : - (if_addr->sa_family == AF_INET6 ? "v6" : "<unknown>"), - addr_str ? addr_str : "<invalid>")); - if (addr_str) - free(addr_str); -#endif - - /* - * Drop non-Internet stuff. - */ - if ((if_addr->sa_family != AF_INET - || sysdep_sa_len(if_addr) != sizeof (struct sockaddr_in)) - && (if_addr->sa_family != AF_INET6 - || sysdep_sa_len(if_addr) != sizeof (struct sockaddr_in6))) - return 0; - - /* - * Only create sockets for families we should listen to. - */ - if (bind_family) - switch (if_addr->sa_family) { - case AF_INET: - if ((bind_family & BIND_FAMILY_INET4) == 0) - return 0; - break; - case AF_INET6: - if ((bind_family & BIND_FAMILY_INET6) == 0) - return 0; - break; - default: - return 0; - } - - /* - * These special addresses are not useable as they have special meaning - * in the IP stack. - */ - if (if_addr->sa_family == AF_INET - && (((struct sockaddr_in *)if_addr)->sin_addr.s_addr == INADDR_ANY - || (((struct sockaddr_in *)if_addr)->sin_addr.s_addr - == INADDR_NONE))) - return 0; - - /* - * Go through the list of transports and see if we already have this - * address bound. If so, unmark the transport and skip it; this allows - * us to call this function when we suspect a new address has appeared. - */ - if ((v = virtual_listen_lookup(if_addr)) != 0) { - LOG_DBG ((LOG_TRANSPORT, 90, "virtual_bind_if: " - "already bound")); - v->transport.flags &= ~TRANSPORT_MARK; - return 0; - } - - /* - * Don't bother with interfaces that are down. - * Note: This socket is only used to collect the interface status. - */ - s = socket(if_addr->sa_family, SOCK_DGRAM, 0); - if (s == -1) { - log_error("virtual_bind_if: " - "socket (%d, SOCK_DGRAM, 0) failed", if_addr->sa_family); - return -1; - } - strlcpy(flags_ifr.ifr_name, ifname, sizeof flags_ifr.ifr_name); - if (ioctl(s, SIOCGIFFLAGS, (caddr_t)&flags_ifr) == -1) { - log_error("virtual_bind_if: " - "ioctl (%d, SIOCGIFFLAGS, ...) failed", s); - close(s); - return -1; - } - close(s); - if (!(flags_ifr.ifr_flags & IFF_UP)) - return 0; - - /* Set the port number to zero. */ - switch (if_addr->sa_family) { - case AF_INET: - ((struct sockaddr_in *)if_addr)->sin_port = htons(0); - break; - case AF_INET6: - ((struct sockaddr_in6 *)if_addr)->sin6_port = htons(0); - break; - default: - log_print("virtual_bind_if: unsupported protocol family %d", - if_addr->sa_family); - break; - } - - /* - * If we are explicit about what addresses we can listen to, be sure - * to respect that option. - * This is quite wasteful redoing the list-run for every interface, - * but who cares? This is not an operation that needs to be fast. - */ - listen_on = conf_get_list("General", "Listen-on"); - if (listen_on) { - for (address = TAILQ_FIRST(&listen_on->fields); address; - address = TAILQ_NEXT(address, link)) { - if (text2sockaddr(address->field, 0, &addr)) { - log_print("virtual_bind_if: " - "invalid address %s in \"Listen-on\"", - address->field); - continue; - } - - /* If found, take the easy way out. */ - if (memcmp(addr, if_addr, - sysdep_sa_len(addr)) == 0) { - free(addr); - break; - } - free(addr); - } - conf_free_list(listen_on); - - /* - * If address is zero then we did not find the address among - * the ones we should listen to. - * XXX We do not discover if we do not find our listen - * addresses. Maybe this should be the other way round. - */ - if (!address) - return 0; - } - - t = virtual_bind(if_addr); - if (!t) { - error = sockaddr2text(if_addr, &addr_str, 0); - log_print("virtual_bind_if: failed to create a socket on %s", - error ? "unknown" : addr_str); - if (!error) - free(addr_str); - return -1; - } - LIST_INSERT_HEAD(&virtual_listen_list, (struct virtual_transport *)t, - link); - transport_reference(t); - return 0; -} - -static struct transport * -virtual_clone(struct transport *vt, struct sockaddr *raddr) -{ - struct virtual_transport *v = (struct virtual_transport *)vt; - struct virtual_transport *v2; - struct transport *t; - - t = malloc(sizeof *v); - if (!t) { - log_error("virtual_clone: malloc(%lu) failed", - (unsigned long)sizeof *v); - return 0; - } - v2 = (struct virtual_transport *)t; - - memcpy(v2, v, sizeof *v); - /* Remove the copy's links into virtual_listen_list. */ - v2->link.le_next = 0; - v2->link.le_prev = 0; - - if (v->encap_is_active) - v2->main = 0; /* No need to clone this. */ - else { - v2->main = v->main->vtbl->clone(v->main, raddr); - v2->main->virtual = (struct transport *)v2; - } -#if defined (USE_NAT_TRAVERSAL) - /* XXX fix strtol() call */ - sockaddr_set_port(raddr, udp_encap_default_port ? - strtol(udp_encap_default_port, NULL, 10) : UDP_ENCAP_DEFAULT_PORT); - v2->encap = v->encap->vtbl->clone(v->encap, raddr); - v2->encap->virtual = (struct transport *)v2; -#endif - LOG_DBG((LOG_TRANSPORT, 50, "virtual_clone: old %p new %p (%s is %p)", - v, t, v->encap_is_active ? "encap" : "main", - v->encap_is_active ? v2->encap : v2->main)); - - t->flags &= ~TRANSPORT_LISTEN; - transport_setup(t, 1); - return t; -} - -static struct transport * -virtual_create(char *name) -{ - struct virtual_transport *v; - struct transport *t, *t2; - - t = transport_create("udp_physical", name); - if (!t) - return 0; - -#if defined (USE_NAT_TRAVERSAL) - t2 = transport_create("udp_encap", name); - if (!t2) { - t->vtbl->remove(t); - return 0; - } -#else - t2 = 0; -#endif - - v = (struct virtual_transport *)calloc(1, sizeof *v); - if (!v) { - log_error("virtual_create: calloc(1, %lu) failed", - (unsigned long)sizeof *v); - t->vtbl->remove(t); - if (t2) - t2->vtbl->remove(t2); - return 0; - } - - memcpy(v, t, sizeof *t); - v->transport.virtual = 0; - v->main = t; - v->encap = t2; - v->transport.vtbl = &virtual_transport_vtbl; - t->virtual = (struct transport *)v; - if (t2) - t2->virtual = (struct transport *)v; - transport_setup(&v->transport, 1); - return (struct transport *)v; -} - -static void -virtual_remove(struct transport *t) -{ - struct virtual_transport *v = (struct virtual_transport *)t; - - if (v->encap) - v->encap->vtbl->remove(v->encap); - if (v->main) - v->main->vtbl->remove(v->main); - if (v->link.le_prev) - LIST_REMOVE(v, link); - - LOG_DBG((LOG_TRANSPORT, 90, "virtual_remove: removed %p", v)); - free(t); -} - -static void -virtual_report(struct transport *t) -{ - return; -} - -static void -virtual_handle_message(struct transport *t) -{ - if (t->virtual == default_transport || - t->virtual == default_transport6) { - /* XXX drain pending message. See udp_handle_message(). */ - - virtual_reinit(); - - /* - * As we don't know the actual destination address of the - * packet, we can't really deal with it. So, just ignore it - * and hope we catch the retransmission. - */ - return; - } - - /* - * As per the NAT-T draft, in case we have already switched ports, - * any messages recieved on the old (500) port SHOULD be discarded. - * (Actually, while phase 1 messages should be discarded, - * informational exchanges MAY be processed normally. For now, we - * discard them all.) - */ - if (((struct virtual_transport *)t->virtual)->encap_is_active && - ((struct virtual_transport *)t->virtual)->main == t) { - LOG_DBG((LOG_MESSAGE, 10, "virtual_handle_message: " - "message on old port discarded")); - return; - } - - t->vtbl->handle_message(t); -} - -static int -virtual_send_message(struct message *msg, struct transport *t) -{ - struct virtual_transport *v = - (struct virtual_transport *)msg->transport; -#if defined (USE_NAT_TRAVERSAL) - struct sockaddr *dst; - in_port_t port; - - /* - * Activate NAT-T Encapsulation if - * - the exchange says we can, and - * - in ID_PROT, after step 4 (draft-ietf-ipsec-nat-t-ike-03), or - * - in other exchange (Aggressive, ), asap - * XXX ISAKMP_EXCH_BASE etc? - */ - if (v->encap_is_active == 0 && - (msg->exchange->flags & EXCHANGE_FLAG_NAT_T_ENABLE) && - (msg->exchange->type != ISAKMP_EXCH_ID_PROT || - msg->exchange->step > 4)) { - LOG_DBG((LOG_MESSAGE, 10, "virtual_send_message: " - "enabling NAT-T encapsulation for this exchange")); - v->encap_is_active++; - - /* Copy destination port if it is translated (NAT). */ - v->main->vtbl->get_dst(v->main, &dst); - port = ntohs(sockaddr_port(dst)); - if (port != UDP_DEFAULT_PORT) { - v->main->vtbl->get_dst(v->encap, &dst); - sockaddr_set_port(dst, port); - } - } -#endif /* USE_NAT_TRAVERSAL */ - - if (v->encap_is_active) - return v->encap->vtbl->send_message(msg, v->encap); - else - return v->main->vtbl->send_message(msg, v->main); -} - -static void -virtual_get_src(struct transport *t, struct sockaddr **s) -{ - struct virtual_transport *v = (struct virtual_transport *)t; - - if (v->encap_is_active) - v->encap->vtbl->get_src(v->encap, s); - else - v->main->vtbl->get_src(v->main, s); -} - -static void -virtual_get_dst(struct transport *t, struct sockaddr **s) -{ - struct virtual_transport *v = (struct virtual_transport *)t; - - if (v->encap_is_active) - v->encap->vtbl->get_dst(v->encap, s); - else - v->main->vtbl->get_dst(v->main, s); -} - -static char * -virtual_decode_ids(struct transport *t) -{ - struct virtual_transport *v = (struct virtual_transport *)t; - - if (v->encap_is_active) - return v->encap->vtbl->decode_ids(t); - else - return v->main->vtbl->decode_ids(t); -} - -static struct msg_head * -virtual_get_queue(struct message *msg) -{ - if (msg->flags & MSG_PRIORITIZED) - return &msg->transport->prio_sendq; - else - return &msg->transport->sendq; -} diff --git a/keyexchange/isakmpd-20041012/virtual.h b/keyexchange/isakmpd-20041012/virtual.h deleted file mode 100644 index 7a3bd21..0000000 --- a/keyexchange/isakmpd-20041012/virtual.h +++ /dev/null @@ -1,42 +0,0 @@ -/* $OpenBSD: virtual.h,v 1.1 2004/06/20 15:24:05 ho Exp $ */ - -/* - * Copyright (c) 2004 Håkan Olsson. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#ifndef _TRP_VIRTUAL_H_ -#define _TRP_VIRTUAL_H_ - -struct virtual_transport { - struct transport transport; - struct transport *main; /* Normally this transport is used. */ - struct transport *encap; /* Or this, depending on 'encap_is_active'. */ - int encap_is_active; - LIST_ENTRY (virtual_transport) link; -}; - -void virtual_init(void); -struct virtual_transport *virtual_get_default(sa_family_t); -struct virtual_transport *virtual_listen_lookup(struct sockaddr *); - -#endif /* _TRP_VIRTUAL_H_ */ diff --git a/keyexchange/isakmpd-20041012/x509.c b/keyexchange/isakmpd-20041012/x509.c deleted file mode 100644 index 0897557..0000000 --- a/keyexchange/isakmpd-20041012/x509.c +++ /dev/null @@ -1,1439 +0,0 @@ -/* $OpenBSD: x509.c,v 1.95 2004/08/10 19:21:01 deraadt Exp $ */ -/* $EOM: x509.c,v 1.54 2001/01/16 18:42:16 ho Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niels Provos. All rights reserved. - * Copyright (c) 1999, 2000, 2001 Niklas Hallqvist. All rights reserved. - * Copyright (c) 1999, 2000, 2001 Angelos D. Keromytis. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifdef USE_X509 - -#include <sys/param.h> -#include <sys/types.h> -#include <sys/stat.h> -#include <dirent.h> -#include <errno.h> -#include <fcntl.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <unistd.h> - -#ifdef USE_POLICY -#include <regex.h> -#include <keynote.h> -#endif /* USE_POLICY */ - -#include "sysdep.h" - -#include "cert.h" -#include "conf.h" -#include "exchange.h" -#include "hash.h" -#include "ike_auth.h" -#include "ipsec.h" -#include "log.h" -#include "math_mp.h" -#include "monitor.h" -#include "policy.h" -#include "sa.h" -#include "util.h" -#include "x509.h" - -static u_int16_t x509_hash(u_int8_t *, size_t); -static void x509_hash_init(void); -static X509 *x509_hash_find(u_int8_t *, size_t); -static int x509_hash_enter(X509 *); - -/* - * X509_STOREs do not support subjectAltNames, so we have to build - * our own hash table. - */ - -/* - * XXX Actually this store is not really useful, we never use it as we have - * our own hash table. It also gets collisons if we have several certificates - * only differing in subjectAltName. - */ -static X509_STORE *x509_certs = 0; -static X509_STORE *x509_cas = 0; - -/* Initial number of bits used as hash. */ -#define INITIAL_BUCKET_BITS 6 - -struct x509_hash { - LIST_ENTRY(x509_hash) link; - - X509 *cert; -}; - -static LIST_HEAD(x509_list, x509_hash) *x509_tab = 0; - -/* Works both as a maximum index and a mask. */ -static int bucket_mask; - -#ifdef USE_POLICY -/* - * Given an X509 certificate, create a KeyNote assertion where - * Issuer/Subject -> Authorizer/Licensees. - * XXX RSA-specific. - */ -int -x509_generate_kn(int id, X509 *cert) -{ - char *fmt = "Authorizer: \"rsa-hex:%s\"\nLicensees: \"rsa-hex:%s" - "\"\nConditions: %s >= \"%s\" && %s <= \"%s\";\n"; - char *ikey, *skey, *buf, isname[256], subname[256]; - char *fmt2 = "Authorizer: \"DN:%s\"\nLicensees: \"DN:%s\"\n" - "Conditions: %s >= \"%s\" && %s <= \"%s\";\n"; - X509_NAME *issuer, *subject; - struct keynote_deckey dc; - X509_STORE_CTX csc; - X509_OBJECT obj; - X509 *icert; - RSA *key; - time_t tt; - char before[15], after[15], *timecomp, *timecomp2; - ASN1_TIME *tm; - int i, buf_len; - - LOG_DBG((LOG_POLICY, 90, - "x509_generate_kn: generating KeyNote policy for certificate %p", - cert)); - - issuer = X509_get_issuer_name(cert); - subject = X509_get_subject_name(cert); - - /* Missing or self-signed, ignore cert but don't report failure. */ - if (!issuer || !subject || !X509_name_cmp(issuer, subject)) - return 1; - - if (!x509_cert_get_key(cert, &key)) { - LOG_DBG((LOG_POLICY, 30, - "x509_generate_kn: failed to get public key from cert")); - return 0; - } - dc.dec_algorithm = KEYNOTE_ALGORITHM_RSA; - dc.dec_key = key; - ikey = kn_encode_key(&dc, INTERNAL_ENC_PKCS1, ENCODING_HEX, - KEYNOTE_PUBLIC_KEY); - if (keynote_errno == ERROR_MEMORY) { - log_print("x509_generate_kn: failed to get memory for " - "public key"); - RSA_free(key); - LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get " - "subject key")); - return 0; - } - if (!ikey) { - RSA_free(key); - LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get " - "subject key")); - return 0; - } - RSA_free(key); - - /* Now find issuer's certificate so we can get the public key. */ - X509_STORE_CTX_init(&csc, x509_cas, cert, NULL); - if (X509_STORE_get_by_subject(&csc, X509_LU_X509, issuer, &obj) != - X509_LU_X509) { - X509_STORE_CTX_cleanup(&csc); - X509_STORE_CTX_init(&csc, x509_certs, cert, NULL); - if (X509_STORE_get_by_subject(&csc, X509_LU_X509, issuer, &obj) - != X509_LU_X509) { - X509_STORE_CTX_cleanup(&csc); - LOG_DBG((LOG_POLICY, 30, - "x509_generate_kn: no certificate found for " - "issuer")); - return 0; - } - } - X509_STORE_CTX_cleanup(&csc); - icert = obj.data.x509; - - if (icert == NULL) { - LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: " - "missing certificates, cannot construct X509 chain")); - free(ikey); - return 0; - } - if (!x509_cert_get_key(icert, &key)) { - LOG_DBG((LOG_POLICY, 30, - "x509_generate_kn: failed to get public key from cert")); - free(ikey); - return 0; - } - X509_OBJECT_free_contents(&obj); - - dc.dec_algorithm = KEYNOTE_ALGORITHM_RSA; - dc.dec_key = key; - skey = kn_encode_key(&dc, INTERNAL_ENC_PKCS1, ENCODING_HEX, - KEYNOTE_PUBLIC_KEY); - if (keynote_errno == ERROR_MEMORY) { - log_error("x509_generate_kn: failed to get memory for public " - "key"); - free(ikey); - RSA_free(key); - LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get issuer " - "key")); - return 0; - } - if (!skey) { - free(ikey); - RSA_free(key); - LOG_DBG((LOG_POLICY, 30, "x509_generate_kn: cannot get issuer " - "key")); - return 0; - } - RSA_free(key); - - buf_len = strlen(fmt) + strlen(ikey) + strlen(skey) + 56; - buf = calloc(buf_len, sizeof(char)); - buf_len *= sizeof(char); - if (!buf) { - log_error("x509_generate_kn: " - "failed to allocate memory for KeyNote credential"); - free(ikey); - free(skey); - return 0; - } - if (((tm = X509_get_notBefore(cert)) == NULL) || - (tm->type != V_ASN1_UTCTIME && - tm->type != V_ASN1_GENERALIZEDTIME)) { - tt = time(0); - strftime(before, 14, "%Y%m%d%H%M%S", localtime(&tt)); - timecomp = "LocalTimeOfDay"; - } else { - if (tm->data[tm->length - 1] == 'Z') { - timecomp = "GMTTimeOfDay"; - i = tm->length - 2; - } else { - timecomp = "LocalTimeOfDay"; - i = tm->length - 1; - } - - for (; i >= 0; i--) { - if (tm->data[i] < '0' || tm->data[i] > '9') { - LOG_DBG((LOG_POLICY, 30, - "x509_generate_kn: invalid data in " - "NotValidBefore time field")); - free(ikey); - free(skey); - free(buf); - return 0; - } - } - - if (tm->type == V_ASN1_UTCTIME) { - if ((tm->length < 10) || (tm->length > 13)) { - LOG_DBG((LOG_POLICY, 30, - "x509_generate_kn: invalid length " - "of NotValidBefore time field (%d)", - tm->length)); - free(ikey); - free(skey); - free(buf); - return 0; - } - /* Validity checks. */ - if ((tm->data[2] != '0' && tm->data[2] != '1') || - (tm->data[2] == '0' && tm->data[3] == '0') || - (tm->data[2] == '1' && tm->data[3] > '2') || - (tm->data[4] > '3') || - (tm->data[4] == '0' && tm->data[5] == '0') || - (tm->data[4] == '3' && tm->data[5] > '1') || - (tm->data[6] > '2') || - (tm->data[6] == '2' && tm->data[7] > '3') || - (tm->data[8] > '5')) { - LOG_DBG((LOG_POLICY, 30, - "x509_generate_kn: invalid value in " - "NotValidBefore time field")); - free(ikey); - free(skey); - free(buf); - return 0; - } - /* Stupid UTC tricks. */ - if (tm->data[0] < '5') - snprintf(before, sizeof before, "20%s", - tm->data); - else - snprintf(before, sizeof before, "19%s", - tm->data); - } else { /* V_ASN1_GENERICTIME */ - if ((tm->length < 12) || (tm->length > 15)) { - LOG_DBG((LOG_POLICY, 30, - "x509_generate_kn: invalid length of " - "NotValidBefore time field (%d)", - tm->length)); - free(ikey); - free(skey); - free(buf); - return 0; - } - /* Validity checks. */ - if ((tm->data[4] != '0' && tm->data[4] != '1') || - (tm->data[4] == '0' && tm->data[5] == '0') || - (tm->data[4] == '1' && tm->data[5] > '2') || - (tm->data[6] > '3') || - (tm->data[6] == '0' && tm->data[7] == '0') || - (tm->data[6] == '3' && tm->data[7] > '1') || - (tm->data[8] > '2') || - (tm->data[8] == '2' && tm->data[9] > '3') || - (tm->data[10] > '5')) { - LOG_DBG((LOG_POLICY, 30, - "x509_generate_kn: invalid value in " - "NotValidBefore time field")); - free(ikey); - free(skey); - free(buf); - return 0; - } - snprintf(before, sizeof before, "%s", tm->data); - } - - /* Fix missing seconds. */ - if (tm->length < 12) { - before[12] = '0'; - before[13] = '0'; - } - /* This will overwrite trailing 'Z'. */ - before[14] = '\0'; - } - - tm = X509_get_notAfter(cert); - if (tm == NULL && - (tm->type != V_ASN1_UTCTIME && - tm->type != V_ASN1_GENERALIZEDTIME)) { - tt = time(0); - strftime(after, 14, "%Y%m%d%H%M%S", localtime(&tt)); - timecomp2 = "LocalTimeOfDay"; - } else { - if (tm->data[tm->length - 1] == 'Z') { - timecomp2 = "GMTTimeOfDay"; - i = tm->length - 2; - } else { - timecomp2 = "LocalTimeOfDay"; - i = tm->length - 1; - } - - for (; i >= 0; i--) { - if (tm->data[i] < '0' || tm->data[i] > '9') { - LOG_DBG((LOG_POLICY, 30, - "x509_generate_kn: invalid data in " - "NotValidAfter time field")); - free(ikey); - free(skey); - free(buf); - return 0; - } - } - - if (tm->type == V_ASN1_UTCTIME) { - if ((tm->length < 10) || (tm->length > 13)) { - LOG_DBG((LOG_POLICY, 30, - "x509_generate_kn: invalid length of " - "NotValidAfter time field (%d)", - tm->length)); - free(ikey); - free(skey); - free(buf); - return 0; - } - /* Validity checks. */ - if ((tm->data[2] != '0' && tm->data[2] != '1') || - (tm->data[2] == '0' && tm->data[3] == '0') || - (tm->data[2] == '1' && tm->data[3] > '2') || - (tm->data[4] > '3') || - (tm->data[4] == '0' && tm->data[5] == '0') || - (tm->data[4] == '3' && tm->data[5] > '1') || - (tm->data[6] > '2') || - (tm->data[6] == '2' && tm->data[7] > '3') || - (tm->data[8] > '5')) { - LOG_DBG((LOG_POLICY, 30, - "x509_generate_kn: invalid value in " - "NotValidAfter time field")); - free(ikey); - free(skey); - free(buf); - return 0; - } - /* Stupid UTC tricks. */ - if (tm->data[0] < '5') - snprintf(after, sizeof after, "20%s", - tm->data); - else - snprintf(after, sizeof after, "19%s", - tm->data); - } else { /* V_ASN1_GENERICTIME */ - if ((tm->length < 12) || (tm->length > 15)) { - LOG_DBG((LOG_POLICY, 30, - "x509_generate_kn: invalid length of " - "NotValidAfter time field (%d)", - tm->length)); - free(ikey); - free(skey); - free(buf); - return 0; - } - /* Validity checks. */ - if ((tm->data[4] != '0' && tm->data[4] != '1') || - (tm->data[4] == '0' && tm->data[5] == '0') || - (tm->data[4] == '1' && tm->data[5] > '2') || - (tm->data[6] > '3') || - (tm->data[6] == '0' && tm->data[7] == '0') || - (tm->data[6] == '3' && tm->data[7] > '1') || - (tm->data[8] > '2') || - (tm->data[8] == '2' && tm->data[9] > '3') || - (tm->data[10] > '5')) { - LOG_DBG((LOG_POLICY, 30, - "x509_generate_kn: invalid value in " - "NotValidAfter time field")); - free(ikey); - free(skey); - free(buf); - return 0; - } - snprintf(after, sizeof after, "%s", tm->data); - } - - /* Fix missing seconds. */ - if (tm->length < 12) { - after[12] = '0'; - after[13] = '0'; - } - after[14] = '\0'; /* This will overwrite trailing 'Z' */ - } - - snprintf(buf, buf_len, fmt, skey, ikey, timecomp, before, timecomp2, - after); - free(ikey); - free(skey); - - if (kn_add_assertion(id, buf, strlen(buf), ASSERT_FLAG_LOCAL) == -1) { - LOG_DBG((LOG_POLICY, 30, - "x509_generate_kn: failed to add new KeyNote credential")); - free(buf); - return 0; - } - /* We could print the assertion here, but log_print() truncates... */ - LOG_DBG((LOG_POLICY, 60, "x509_generate_kn: added credential")); - - free(buf); - - if (!X509_NAME_oneline(issuer, isname, 256)) { - LOG_DBG((LOG_POLICY, 50, - "x509_generate_kn: " - "X509_NAME_oneline (issuer, ...) failed")); - return 0; - } - if (!X509_NAME_oneline(subject, subname, 256)) { - LOG_DBG((LOG_POLICY, 50, - "x509_generate_kn: " - "X509_NAME_oneline (subject, ...) failed")); - return 0; - } - buf_len = strlen(fmt2) + strlen(isname) + strlen(subname) + 56; - buf = malloc(buf_len); - if (!buf) { - log_error("x509_generate_kn: malloc (%d) failed", buf_len); - return 0; - } - snprintf(buf, buf_len, fmt2, isname, subname, timecomp, before, - timecomp2, after); - - if (kn_add_assertion(id, buf, strlen(buf), ASSERT_FLAG_LOCAL) == -1) { - LOG_DBG((LOG_POLICY, 30, - "x509_generate_kn: failed to add new KeyNote credential")); - free(buf); - return 0; - } - LOG_DBG((LOG_POLICY, 80, "x509_generate_kn: added credential:\n%s", - buf)); - - free(buf); - return 1; -} -#endif /* USE_POLICY */ - -static u_int16_t -x509_hash(u_int8_t *id, size_t len) -{ - u_int16_t bucket = 0; - size_t i; - - /* XXX We might resize if we are crossing a certain threshold. */ - for (i = 4; i < (len & ~1); i += 2) { - /* Doing it this way avoids alignment problems. */ - bucket ^= (id[i] + 1) * (id[i + 1] + 257); - } - /* Hash in the last character of odd length IDs too. */ - if (i < len) - bucket ^= (id[i] + 1) * (id[i] + 257); - - bucket &= bucket_mask; - return bucket; -} - -static void -x509_hash_init(void) -{ - struct x509_hash *certh; - int i; - - bucket_mask = (1 << INITIAL_BUCKET_BITS) - 1; - - /* If reinitializing, free existing entries. */ - if (x509_tab) { - for (i = 0; i <= bucket_mask; i++) - for (certh = LIST_FIRST(&x509_tab[i]); certh; - certh = LIST_FIRST(&x509_tab[i])) { - LIST_REMOVE(certh, link); - free(certh); - } - free(x509_tab); - } - x509_tab = malloc((bucket_mask + 1) * sizeof(struct x509_list)); - if (!x509_tab) - log_fatal("x509_hash_init: malloc (%lu) failed", - (bucket_mask + 1) * - (unsigned long)sizeof(struct x509_list)); - for (i = 0; i <= bucket_mask; i++) { - LIST_INIT(&x509_tab[i]); - } -} - -/* Lookup a certificate by an ID blob. */ -static X509 * -x509_hash_find(u_int8_t *id, size_t len) -{ - struct x509_hash *cert; - u_int8_t **cid; - u_int32_t *clen; - int n, i, id_found; - - for (cert = LIST_FIRST(&x509_tab[x509_hash(id, len)]); cert; - cert = LIST_NEXT(cert, link)) { - if (!x509_cert_get_subjects(cert->cert, &n, &cid, &clen)) - continue; - - id_found = 0; - for (i = 0; i < n; i++) { - LOG_DBG_BUF((LOG_CRYPTO, 70, "cert_cmp", id, len)); - LOG_DBG_BUF((LOG_CRYPTO, 70, "cert_cmp", cid[i], - clen[i])); - /* - * XXX This identity predicate needs to be - * understood. - */ - if (clen[i] == len && id[0] == cid[i][0] && - memcmp(id + 4, cid[i] + 4, len - 4) == 0) { - id_found++; - break; - } - } - cert_free_subjects(n, cid, clen); - if (!id_found) - continue; - - LOG_DBG((LOG_CRYPTO, 70, "x509_hash_find: return X509 %p", - cert->cert)); - return cert->cert; - } - - LOG_DBG((LOG_CRYPTO, 70, - "x509_hash_find: no certificate matched query")); - return 0; -} - -static int -x509_hash_enter(X509 *cert) -{ - u_int16_t bucket = 0; - u_int8_t **id; - u_int32_t *len; - struct x509_hash *certh; - int n, i; - - if (!x509_cert_get_subjects(cert, &n, &id, &len)) { - log_print("x509_hash_enter: cannot retrieve subjects"); - return 0; - } - for (i = 0; i < n; i++) { - certh = calloc(1, sizeof *certh); - if (!certh) { - cert_free_subjects(n, id, len); - log_error("x509_hash_enter: calloc (1, %lu) failed", - (unsigned long)sizeof *certh); - return 0; - } - certh->cert = cert; - - bucket = x509_hash(id[i], len[i]); - - LIST_INSERT_HEAD(&x509_tab[bucket], certh, link); - LOG_DBG((LOG_CRYPTO, 70, - "x509_hash_enter: cert %p added to bucket %d", - cert, bucket)); - } - cert_free_subjects(n, id, len); - - return 1; -} - -/* X509 Certificate Handling functions. */ - -int -x509_read_from_dir(X509_STORE *ctx, char *name, int hash) -{ - struct dirent *file; -#if defined (USE_PRIVSEP) - struct monitor_dirents *dir; -#else - DIR *dir; -#endif - FILE *certfp; - X509 *cert; - struct stat sb; - char fullname[PATH_MAX]; - int fd, off, size; - - if (strlen(name) >= sizeof fullname - 1) { - log_print("x509_read_from_dir: directory name too long"); - return 0; - } - LOG_DBG((LOG_CRYPTO, 40, "x509_read_from_dir: reading certs from %s", - name)); - - dir = monitor_opendir(name); - if (!dir) { - LOG_DBG((LOG_CRYPTO, 10, - "x509_read_from_dir: opendir (\"%s\") failed: %s", - name, strerror(errno))); - return 0; - } - strlcpy(fullname, name, sizeof fullname); - off = strlen(fullname); - size = sizeof fullname - off; - - while ((file = monitor_readdir(dir)) != NULL) { - strlcpy(fullname + off, file->d_name, size); - - if (file->d_type != DT_UNKNOWN) { - if (file->d_type != DT_REG && file->d_type != DT_LNK) - continue; - } - - LOG_DBG((LOG_CRYPTO, 60, - "x509_read_from_dir: reading certificate %s", - file->d_name)); - - if ((fd = monitor_open(fullname, O_RDONLY, 0)) == -1) { - log_error("x509_read_from_dir: monitor_open" - "(\"%s\", O_RDONLY, 0) failed", fullname); - continue; - } - - if (fstat(fd, &sb) == -1) { - log_error("x509_read_from_dir: fstat failed"); - close(fd); - continue; - } - - if (!(sb.st_mode & S_IFREG)) { - close(fd); - continue; - } - - if ((certfp = fdopen(fd, "r")) == NULL) { - log_error("x509_read_from_dir: fdopen failed"); - close(fd); - continue; - } - -#if SSLEAY_VERSION_NUMBER >= 0x00904100L - cert = PEM_read_X509(certfp, NULL, NULL, NULL); -#else - cert = PEM_read_X509(certfp, NULL, NULL); -#endif - fclose(certfp); - - if (cert == NULL) { - log_print("x509_read_from_dir: PEM_read_bio_X509 " - "failed for %s", file->d_name); - continue; - } - if (!X509_STORE_add_cert(ctx, cert)) { - /* - * This is actually expected if we have several - * certificates only differing in subjectAltName, - * which is not an something that is strange. - * Consider multi-homed machines. - */ - LOG_DBG((LOG_CRYPTO, 50, - "x509_read_from_dir: X509_STORE_add_cert failed " - "for %s", file->d_name)); - } - if (hash) - if (!x509_hash_enter(cert)) - log_print("x509_read_from_dir: " - "x509_hash_enter (%s) failed", - file->d_name); - } - - monitor_closedir(dir); - - return 1; -} - -/* XXX share code with x509_read_from_dir() ? */ -int -x509_read_crls_from_dir(X509_STORE *ctx, char *name) -{ -#if OPENSSL_VERSION_NUMBER >= 0x00907000L - struct dirent *file; -#if defined (USE_PRIVSEP) - struct monitor_dirents *dir; -#else - DIR *dir; -#endif - FILE *crlfp; - X509_CRL *crl; - struct stat sb; - char fullname[PATH_MAX]; - int fd, off, size; - - if (strlen(name) >= sizeof fullname - 1) { - log_print("x509_read_crls_from_dir: directory name too long"); - return 0; - } - LOG_DBG((LOG_CRYPTO, 40, "x509_read_crls_from_dir: reading CRLs " - "from %s", name)); - - dir = monitor_opendir(name); - if (!dir) { - LOG_DBG((LOG_CRYPTO, 10, "x509_read_crls_from_dir: opendir " - "(\"%s\") failed: %s", name, strerror(errno))); - return 0; - } - strlcpy(fullname, name, sizeof fullname); - off = strlen(fullname); - size = sizeof fullname - off; - - while ((file = monitor_readdir(dir)) != NULL) { - strlcpy(fullname + off, file->d_name, size); - - if (file->d_type != DT_UNKNOWN) { - if (file->d_type != DT_REG && file->d_type != DT_LNK) - continue; - } - - LOG_DBG((LOG_CRYPTO, 60, "x509_read_crls_from_dir: reading " - "CRL %s", file->d_name)); - - if ((fd = monitor_open(fullname, O_RDONLY, 0)) == -1) { - log_error("x509_read_crls_from_dir: monitor_open" - "(\"%s\", O_RDONLY, 0) failed", fullname); - continue; - } - - if (fstat(fd, &sb) == -1) { - log_error("x509_read_crls_from_dir: fstat failed"); - close(fd); - continue; - } - - if (!(sb.st_mode & S_IFREG)) { - close(fd); - continue; - } - - if ((crlfp = fdopen(fd, "r")) == NULL) { - log_error("x509_read_crls_from_dir: fdopen failed"); - close(fd); - continue; - } - - crl = PEM_read_X509_CRL(crlfp, NULL, NULL, NULL); - - fclose(crlfp); - - if (crl == NULL) { - log_print("x509_read_crls_from_dir: " - "PEM_read_X509_CRL failed for %s", - file->d_name); - continue; - } - if (!X509_STORE_add_crl(ctx, crl)) { - LOG_DBG((LOG_CRYPTO, 50, "x509_read_crls_from_dir: " - "X509_STORE_add_crl failed for %s", file->d_name)); - continue; - } - /* - * XXX This is to make x509_cert_validate set this (and - * XXX another) flag when validating certificates. Currently, - * XXX OpenSSL defaults to reject an otherwise valid - * XXX certificate (chain) if these flags are set but there - * XXX are no CRLs to check. The current workaround is to only - * XXX set the flags if we actually loaded some CRL data. - */ - X509_STORE_set_flags(ctx, X509_V_FLAG_CRL_CHECK); - } - - monitor_closedir(dir); -#endif /* OPENSSL_VERSION_NUMBER >= 0x00907000L */ - - return 1; -} - -/* Initialize our databases and load our own certificates. */ -int -x509_cert_init(void) -{ - char *dirname; - - x509_hash_init(); - - /* Process CA certificates we will trust. */ - dirname = conf_get_str("X509-certificates", "CA-directory"); - if (!dirname) { - log_print("x509_cert_init: no CA-directory"); - return 0; - } - /* Free if already initialized. */ - if (x509_cas) - X509_STORE_free(x509_cas); - - x509_cas = X509_STORE_new(); - if (!x509_cas) { - log_print("x509_cert_init: creating new X509_STORE failed"); - return 0; - } - if (!x509_read_from_dir(x509_cas, dirname, 0)) { - log_print("x509_cert_init: x509_read_from_dir failed"); - return 0; - } - /* Process client certificates we will accept. */ - dirname = conf_get_str("X509-certificates", "Cert-directory"); - if (!dirname) { - log_print("x509_cert_init: no Cert-directory"); - return 0; - } - /* Free if already initialized. */ - if (x509_certs) - X509_STORE_free(x509_certs); - - x509_certs = X509_STORE_new(); - if (!x509_certs) { - log_print("x509_cert_init: creating new X509_STORE failed"); - return 0; - } - if (!x509_read_from_dir(x509_certs, dirname, 1)) { - log_print("x509_cert_init: x509_read_from_dir failed"); - return 0; - } - return 1; -} - -int -x509_crl_init(void) -{ - /* - * XXX I'm not sure if the method to use CRLs in certificate validation - * is valid for OpenSSL versions prior to 0.9.7. For now, simply do not - * support it. - */ -#if OPENSSL_VERSION_NUMBER >= 0x00907000L - char *dirname; - dirname = conf_get_str("X509-certificates", "CRL-directory"); - if (!dirname) { - log_print("x509_crl_init: no CRL-directory"); - return 0; - } - if (!x509_read_crls_from_dir(x509_cas, dirname)) { - LOG_DBG((LOG_MISC, 10, - "x509_crl_init: x509_read_crls_from_dir failed")); - return 0; - } -#else - LOG_DBG((LOG_CRYPTO, 10, "x509_crl_init: CRL support only " - "with OpenSSL v0.9.7 or later")); -#endif - - return 1; -} - -void * -x509_cert_get(u_int8_t *asn, u_int32_t len) -{ - return x509_from_asn(asn, len); -} - -int -x509_cert_validate(void *scert) -{ - X509_STORE_CTX csc; - X509_NAME *issuer, *subject; - X509 *cert = (X509 *) scert; - EVP_PKEY *key; - int res, err; - - /* - * Validate the peer certificate by checking with the CA certificates - * we trust. - */ - X509_STORE_CTX_init(&csc, x509_cas, cert, NULL); -#if OPENSSL_VERSION_NUMBER >= 0x00907000L - /* XXX See comment in x509_read_crls_from_dir. */ -#if OPENSSL_VERSION_NUMBER >= 0x00908000L - if (x509_cas->param->flags & X509_V_FLAG_CRL_CHECK) { -#else - if (x509_cas->flags & X509_V_FLAG_CRL_CHECK) { -#endif - X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK); - X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK_ALL); - } -#endif - res = X509_verify_cert(&csc); - err = csc.error; - X509_STORE_CTX_cleanup(&csc); - - /* - * Return if validation succeeded or self-signed certs are not - * accepted. - * - * XXX X509_verify_cert seems to return -1 if the validation should be - * retried somehow. We take this as an error and give up. - */ - if (res > 0) - return 1; - else if (res < 0 || - (res == 0 && err != X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)) { - if (err) - log_print("x509_cert_validate: %.100s", - X509_verify_cert_error_string(err)); - return 0; - } else if (!conf_get_str("X509-certificates", "Accept-self-signed")) { - if (err) - log_print("x509_cert_validate: %.100s", - X509_verify_cert_error_string(err)); - return 0; - } - issuer = X509_get_issuer_name(cert); - subject = X509_get_subject_name(cert); - - if (!issuer || !subject || X509_name_cmp(issuer, subject)) - return 0; - - key = X509_get_pubkey(cert); - if (!key) { - log_print("x509_cert_validate: could not get public key from " - "self-signed cert"); - return 0; - } - if (X509_verify(cert, key) == -1) { - log_print("x509_cert_validate: self-signed cert is bad"); - return 0; - } - return 1; -} - -int -x509_cert_insert(int id, void *scert) -{ - X509 *cert; - int res; - - cert = X509_dup((X509 *)scert); - if (!cert) { - log_print("x509_cert_insert: X509_dup failed"); - return 0; - } -#ifdef USE_POLICY - if (x509_generate_kn(id, cert) == 0) { - LOG_DBG((LOG_POLICY, 50, - "x509_cert_insert: x509_generate_kn failed")); - X509_free(cert); - return 0; - } -#endif /* USE_POLICY */ - - res = x509_hash_enter(cert); - if (!res) - X509_free(cert); - - return res; -} - -static struct x509_hash * -x509_hash_lookup(X509 *cert) -{ - struct x509_hash *certh; - int i; - - for (i = 0; i <= bucket_mask; i++) - for (certh = LIST_FIRST(&x509_tab[i]); certh; - certh = LIST_NEXT(certh, link)) - if (certh->cert == cert) - return certh; - return 0; -} - -void -x509_cert_free(void *cert) -{ - struct x509_hash *certh = x509_hash_lookup((X509 *) cert); - - if (certh) - LIST_REMOVE(certh, link); - X509_free((X509 *) cert); -} - -/* Validate the BER Encoding of a RDNSequence in the CERT_REQ payload. */ -int -x509_certreq_validate(u_int8_t *asn, u_int32_t len) -{ - int res = 1; -#if 0 - struct norm_type name = SEQOF("issuer", RDNSequence); - - if (!asn_template_clone(&name, 1) || - (asn = asn_decode_sequence(asn, len, &name)) == 0) { - log_print("x509_certreq_validate: can not decode 'acceptable " - "CA' info"); - res = 0; - } - asn_free(&name); -#endif - - /* XXX - not supported directly in SSL - later. */ - - return res; -} - -/* Decode the BER Encoding of a RDNSequence in the CERT_REQ payload. */ -void * -x509_certreq_decode(u_int8_t *asn, u_int32_t len) -{ -#if 0 - /* XXX This needs to be done later. */ - struct norm_type aca = SEQOF("aca", RDNSequence); - struct norm_type *tmp; - struct x509_aca naca, *ret; - - if (!asn_template_clone(&aca, 1) || - (asn = asn_decode_sequence(asn, len, &aca)) == 0) { - log_print("x509_certreq_decode: can not decode 'acceptable " - "CA' info"); - goto fail; - } - memset(&naca, 0, sizeof(naca)); - - tmp = asn_decompose("aca.RelativeDistinguishedName." - "AttributeValueAssertion", &aca); - if (!tmp) - goto fail; - x509_get_attribval(tmp, &naca.name1); - - tmp = asn_decompose("aca.RelativeDistinguishedName[1]" - ".AttributeValueAssertion", &aca); - if (tmp) - x509_get_attribval(tmp, &naca.name2); - - asn_free(&aca); - - ret = malloc(sizeof(struct x509_aca)); - if (ret) - memcpy(ret, &naca, sizeof(struct x509_aca)); - else { - log_error("x509_certreq_decode: malloc (%lu) failed", - (unsigned long) sizeof(struct x509_aca)); - x509_free_aca(&aca); - } - - return ret; - -fail: - asn_free(&aca); -#endif - return 0; -} - -void -x509_free_aca(void *blob) -{ - struct x509_aca *aca = blob; - - if (aca->name1.type) - free(aca->name1.type); - if (aca->name1.val) - free(aca->name1.val); - - if (aca->name2.type) - free(aca->name2.type); - if (aca->name2.val) - free(aca->name2.val); -} - -X509 * -x509_from_asn(u_char *asn, u_int len) -{ - BIO *certh; - X509 *scert = 0; - - certh = BIO_new(BIO_s_mem()); - if (!certh) { - log_error("x509_from_asn: BIO_new (BIO_s_mem ()) failed"); - return 0; - } - if (BIO_write(certh, asn, len) == -1) { - log_error("x509_from_asn: BIO_write failed\n"); - goto end; - } - scert = d2i_X509_bio(certh, NULL); - if (!scert) { - log_print("x509_from_asn: d2i_X509_bio failed\n"); - goto end; - } -end: - BIO_free(certh); - return scert; -} - -/* - * Obtain a certificate from an acceptable CA. - * XXX We don't check if the certificate we find is from an accepted CA. - */ -int -x509_cert_obtain(u_int8_t *id, size_t id_len, void *data, u_int8_t **cert, - u_int32_t *certlen) -{ - struct x509_aca *aca = data; - X509 *scert; - - if (aca) - LOG_DBG((LOG_CRYPTO, 60, "x509_cert_obtain: " - "acceptable certificate authorities here")); - - /* We need our ID to find a certificate. */ - if (!id) { - log_print("x509_cert_obtain: ID is missing"); - return 0; - } - scert = x509_hash_find(id, id_len); - if (!scert) - return 0; - - x509_serialize(scert, cert, certlen); - if (!*cert) - return 0; - return 1; -} - -/* Returns a pointer to the subjectAltName information of X509 certificate. */ -int -x509_cert_subjectaltname(X509 *scert, u_int8_t **altname, u_int32_t *len) -{ - X509_EXTENSION *subjectaltname; - u_int8_t *sandata; - int extpos, santype, sanlen; - - extpos = X509_get_ext_by_NID(scert, NID_subject_alt_name, -1); - if (extpos == -1) { - log_print("x509_cert_subjectaltname: " - "certificate does not contain subjectAltName"); - return 0; - } - subjectaltname = X509_get_ext(scert, extpos); - - if (!subjectaltname || !subjectaltname->value || - !subjectaltname->value->data || - subjectaltname->value->length < 4) { - log_print("x509_cert_subjectaltname: invalid " - "subjectaltname extension"); - return 0; - } - /* SSL does not handle unknown ASN stuff well, do it by hand. */ - sandata = subjectaltname->value->data; - santype = sandata[2] & 0x3f; - sanlen = sandata[3]; - sandata += 4; - - if (sanlen + 4 != subjectaltname->value->length) { - log_print("x509_cert_subjectaltname: subjectaltname invalid " - "length"); - return 0; - } - *len = sanlen; - *altname = sandata; - return santype; -} - -int -x509_cert_get_subjects(void *scert, int *cnt, u_int8_t ***id, - u_int32_t **id_len) -{ - X509 *cert = scert; - X509_NAME *subject; - int type; - u_int8_t *altname; - u_int32_t altlen; - u_int8_t *buf = 0; - unsigned char *ubuf; - int i; - - *id = 0; - *id_len = 0; - - /* - * XXX There can be a collection of subjectAltNames, but for now I - * only return the subjectName and a single subjectAltName, if - * present. - */ - type = x509_cert_subjectaltname(cert, &altname, &altlen); - if (!type) { - *cnt = 1; - altlen = 0; - } else - *cnt = 2; - - *id = calloc(*cnt, sizeof **id); - if (!*id) { - log_print("x509_cert_get_subject: malloc (%lu) failed", - *cnt * (unsigned long)sizeof **id); - goto fail; - } - *id_len = malloc(*cnt * sizeof **id_len); - if (!*id_len) { - log_print("x509_cert_get_subject: malloc (%lu) failed", - *cnt * (unsigned long)sizeof **id_len); - goto fail; - } - /* Stash the subjectName into the first slot. */ - subject = X509_get_subject_name(cert); - if (!subject) - goto fail; - - (*id_len)[0] = - ISAKMP_ID_DATA_OFF + i2d_X509_NAME(subject, NULL) - - ISAKMP_GEN_SZ; - (*id)[0] = malloc((*id_len)[0]); - if (!(*id)[0]) { - log_print("x509_cert_get_subject: malloc (%d) failed", - (*id_len)[0]); - goto fail; - } - SET_ISAKMP_ID_TYPE((*id)[0] - ISAKMP_GEN_SZ, IPSEC_ID_DER_ASN1_DN); - ubuf = (*id)[0] + ISAKMP_ID_DATA_OFF - ISAKMP_GEN_SZ; - i2d_X509_NAME(subject, &ubuf); - - if (altlen) { - /* Stash the subjectAltName into the second slot. */ - buf = malloc(altlen + ISAKMP_ID_DATA_OFF); - if (!buf) { - log_print("x509_cert_get_subject: malloc (%d) failed", - altlen + ISAKMP_ID_DATA_OFF); - goto fail; - } - switch (type) { - case X509v3_DNS_NAME: - SET_ISAKMP_ID_TYPE(buf, IPSEC_ID_FQDN); - break; - - case X509v3_RFC_NAME: - SET_ISAKMP_ID_TYPE(buf, IPSEC_ID_USER_FQDN); - break; - - case X509v3_IP_ADDR: - /* - * XXX I dislike the numeric constants, but I don't - * know what we should use otherwise. - */ - switch (altlen) { - case 4: - SET_ISAKMP_ID_TYPE(buf, IPSEC_ID_IPV4_ADDR); - break; - - case 16: - SET_ISAKMP_ID_TYPE(buf, IPSEC_ID_IPV6_ADDR); - break; - - default: - log_print("x509_cert_get_subject: invalid " - "subjectAltName IPaddress length %d ", - altlen); - goto fail; - } - break; - } - - SET_IPSEC_ID_PROTO(buf + ISAKMP_ID_DOI_DATA_OFF, 0); - SET_IPSEC_ID_PORT(buf + ISAKMP_ID_DOI_DATA_OFF, 0); - memcpy(buf + ISAKMP_ID_DATA_OFF, altname, altlen); - - (*id_len)[1] = ISAKMP_ID_DATA_OFF + altlen - ISAKMP_GEN_SZ; - (*id)[1] = malloc((*id_len)[1]); - if (!(*id)[1]) { - log_print("x509_cert_get_subject: malloc (%d) failed", - (*id_len)[1]); - goto fail; - } - memcpy((*id)[1], buf + ISAKMP_GEN_SZ, (*id_len)[1]); - - free(buf); - buf = 0; - } - return 1; - -fail: - for (i = 0; i < *cnt; i++) - if ((*id)[i]) - free((*id)[i]); - if (*id) - free(*id); - if (*id_len) - free(*id_len); - if (buf) - free(buf); - return 0; -} - -int -x509_cert_get_key(void *scert, void *keyp) -{ - X509 *cert = scert; - EVP_PKEY *key; - - key = X509_get_pubkey(cert); - - /* Check if we got the right key type. */ - if (key->type != EVP_PKEY_RSA) { - log_print("x509_cert_get_key: public key is not a RSA key"); - X509_free(cert); - return 0; - } - *(RSA **)keyp = RSAPublicKey_dup(key->pkey.rsa); - - return *(RSA **)keyp == NULL ? 0 : 1; -} - -void * -x509_cert_dup(void *scert) -{ - return X509_dup(scert); -} - -void -x509_serialize(void *scert, u_int8_t **data, u_int32_t *datalen) -{ - u_int8_t *p; - - *datalen = i2d_X509((X509 *)scert, NULL); - *data = p = malloc(*datalen); - if (!p) { - log_error("x509_serialize: malloc (%d) failed", *datalen); - return; - } - *datalen = i2d_X509((X509 *)scert, &p); -} - -/* From cert to printable */ -char * -x509_printable(void *cert) -{ - char *s; - u_int8_t *data; - u_int32_t datalen, i; - - x509_serialize(cert, &data, &datalen); - if (!data) - return 0; - - s = malloc(datalen * 2 + 1); - if (!s) { - free(data); - log_error("x509_printable: malloc (%d) failed", - datalen * 2 + 1); - return 0; - } - for (i = 0; i < datalen; i++) - snprintf(s + (2 * i), 2 * (datalen - i) + 1, "%02x", data[i]); - free(data); - return s; -} - -/* From printable to cert */ -void * -x509_from_printable(char *cert) -{ - u_int8_t *buf; - int plen, ret; - void *foo; - - plen = (strlen(cert) + 1) / 2; - buf = malloc(plen); - if (!buf) { - log_error("x509_from_printable: malloc (%d) failed", plen); - return 0; - } - ret = hex2raw(cert, buf, plen); - if (ret == -1) { - free(buf); - log_print("x509_from_printable: badly formatted cert"); - return 0; - } - foo = x509_cert_get(buf, plen); - free(buf); - if (!foo) - log_print("x509_from_printable: " - "could not retrieve certificate"); - return foo; -} - -char * -x509_DN_string(u_int8_t *asn1, size_t sz) -{ - X509_NAME *name; - u_int8_t *p = asn1; - char buf[256]; /* XXX Just a guess at a maximum length. */ - - name = d2i_X509_NAME(NULL, &p, sz); - if (!name) { - log_print("x509_DN_string: d2i_X509_NAME failed"); - return 0; - } - if (!X509_NAME_oneline(name, buf, sizeof buf - 1)) { - log_print("x509_DN_string: X509_NAME_oneline failed"); - X509_NAME_free(name); - return 0; - } - X509_NAME_free(name); - buf[sizeof buf - 1] = '\0'; - return strdup(buf); -} -#endif /* USE_X509 */ diff --git a/keyexchange/isakmpd-20041012/x509.h b/keyexchange/isakmpd-20041012/x509.h deleted file mode 100644 index adba74e..0000000 --- a/keyexchange/isakmpd-20041012/x509.h +++ /dev/null @@ -1,90 +0,0 @@ -/* $OpenBSD: x509.h,v 1.21 2004/05/23 18:17:56 hshoexer Exp $ */ -/* $EOM: x509.h,v 1.11 2000/09/28 12:53:27 niklas Exp $ */ - -/* - * Copyright (c) 1998, 1999 Niels Provos. All rights reserved. - * Copyright (c) 1999 Angelos D. Keromytis. All rights reserved. - * Copyright (c) 2000, 2001 Niklas Hallqvist. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* - * This code was written under funding by Ericsson Radio Systems. - */ - -#ifndef _X509_H_ -#define _X509_H_ - -#include "libcrypto.h" - -#define X509v3_RFC_NAME 1 -#define X509v3_DNS_NAME 2 -#define X509v3_IP_ADDR 7 - -struct x509_attribval { - char *type; - char *val; -}; - -/* - * The acceptable certification authority. - * XXX We only support two names at the moment, as of ASN this can - * be dynamic but we don't care for now. - */ -struct x509_aca { - struct x509_attribval name1; - struct x509_attribval name2; -}; - -struct X509; -struct X509_STORE; - -/* Functions provided by cert handler. */ - -int x509_certreq_validate(u_int8_t *, u_int32_t); -void *x509_certreq_decode(u_int8_t *, u_int32_t); -void x509_cert_free(void *); -void *x509_cert_get(u_int8_t *, u_int32_t); -int x509_cert_get_key(void *, void *); -int x509_cert_get_subjects(void *, int *, u_int8_t ***, u_int32_t **); -int x509_cert_init(void); -int x509_crl_init(void); -int x509_cert_obtain(u_int8_t *, size_t, void *, u_int8_t **, - u_int32_t *); -int x509_cert_validate(void *); -void x509_free_aca(void *); -void *x509_cert_dup(void *); -void x509_serialize(void *, u_int8_t **, u_int32_t *); -char *x509_printable(void *); -void *x509_from_printable(char *); - -/* Misc. X509 certificate functions. */ - -char *x509_DN_string(u_int8_t *, size_t); -int x509_cert_insert(int, void *); -int x509_cert_subjectaltname(X509 * cert, u_char **, u_int *); -X509 *x509_from_asn(u_char *, u_int); -int x509_generate_kn(int, X509 *); -int x509_read_from_dir(X509_STORE *, char *, int); -int x509_read_crls_from_dir(X509_STORE *, char *); - -#endif /* _X509_H_ */ diff --git a/keyexchange/isakmpd-20041012/x509v3.cnf b/keyexchange/isakmpd-20041012/x509v3.cnf deleted file mode 100644 index 1e98444..0000000 --- a/keyexchange/isakmpd-20041012/x509v3.cnf +++ /dev/null @@ -1,26 +0,0 @@ -# default settings -CERTPATHLEN = 1 -CERTUSAGE = digitalSignature,keyCertSign -CERTIP = 0.0.0.0 -CERTFQDN = nohost.nodomain - -# This section should be referenced when building an x509v3 CA -# Certificate. -# The default path length and the key usage can be overriden -# modified by setting the CERTPATHLEN and CERTUSAGE environment -# variables. -[x509v3_CA] -basicConstraints=critical,CA:true,pathlen:$ENV::CERTPATHLEN -keyUsage=$ENV::CERTUSAGE - -# This section should be referenced to add an IP Address -# as an alternate subject name, needed by isakmpd -# The address must be provided in the CERTIP environment variable -[x509v3_IPAddr] -subjectAltName=IP:$ENV::CERTIP - -# This section should be referenced to add a FQDN hostname -# as an alternate subject name, needed by isakmpd -# The address must be provided in the CERTFQDN environment variable -[x509v3_FQDN] -subjectAltName=DNS:$ENV::CERTFQDN |