diff --git a/kame/kame/racoon/.cvsignore b/kame/kame/racoon/.cvsignore
deleted file mode 100644
index 4201d7e3be..0000000000
--- a/kame/kame/racoon/.cvsignore
+++ /dev/null
@@ -1,6 +0,0 @@
-y.tab.h
-Makefile
-config.status
-config.cache
-config.log
-.depend
diff --git a/kame/kame/racoon/Makefile.in b/kame/kame/racoon/Makefile.in
deleted file mode 100644
index 712f7b8d3a..0000000000
--- a/kame/kame/racoon/Makefile.in
+++ /dev/null
@@ -1,108 +0,0 @@
-# $KAME: Makefile.in,v 1.43 2004/06/17 02:42:53 itojun Exp $
-
-@SET_MAKE@
-srcdir= @srcdir@
-VPATH= @srcdir@
-CC= @CC@
-LDFLAGS=@LDFLAGS@
-CPPFLAGS= @CPPFLAGS@
-OPTFLAG=@OPTFLAG@
-CFLAGS= @CFLAGS@ $(CPPFLAGS) @DEFS@ $(CPPFLAGS) $(OPTFLAG) -DIPSEC -I. -I$(srcdir) -DSYSCONFDIR=\"${sysconfdir}\"
-CFLAGS+=-DYY_NO_UNPUT
-CFLAGS+=-I${srcdir}/../libipsec
-LIBS= @LIBS@
-YFLAGS+=-d
-
-prefix= @prefix@
-bindir= @bindir@
-sbindir=@sbindir@
-mandir= @mandir@
-exec_prefix= @exec_prefix@
-sysconfdir= @sysconfdir@
-INSTALL=@INSTALL@
-
-PROG= racoon racoonctl eaytest
-#PROG+= pfkey
-OBJS= main.o session.o isakmp.o handler.o \
- isakmp_ident.o isakmp_agg.o isakmp_base.o \
- isakmp_quick.o isakmp_inf.o isakmp_newg.o \
- gssapi.o dnssec.o getcertsbyname.o \
- pfkey.o admin.o ipsec_doi.o oakley.o grabmyaddr.o vendorid.o \
- policy.o localconf.o remoteconf.o crypto_openssl.o algorithm.o \
- proposal.o sainfo.o cfparse.o cftoken.o strnames.o \
- vmbuf.o plog.o logger.o schedule.o str2val.o misc.o sockmisc.o \
- safefile.o backupsa.o @LIBOBJS@ @CRYPTOBJS@ @DEBUGRMOBJS@
-
-EAYTESTOBJS= eaytest.o crypto_openssl_test.o misc.o vmbuf.o str2val.o \
- @CRYPTOBJS@ @DEBUGRMOBJS@
-
-# under samples
-CONF= psk.txt racoon.conf
-
-all: $(PROG)
-
-racoon: $(OBJS)
- $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS)
-
-racoonctl: kmpstat.o misc.o vmbuf.o str2val.o
- $(CC) $(LDFLAGS) -o $@ kmpstat.o misc.o vmbuf.o str2val.o \
- $(LIBS) @DEBUGRMOBJS@
-
-pfkey: dummy.o
- $(CC) $(LDFLAGS) -o $@ dummy.o
-
-eaytest: $(EAYTESTOBJS)
- $(CC) $(LDFLAGS) -o $@ $(EAYTESTOBJS) $(LIBS)
-
-# special object rules
-crypto_openssl_test.o: crypto_openssl.c
- $(CC) $(CFLAGS) -DEAYDEBUG -o crypto_openssl_test.o -c crypto_openssl.c
-
-# missing/*.c
-strdup.o: $(srcdir)/missing/strdup.c
- $(CC) $(CFLAGS) -c $(srcdir)/missing/$*.c
-getaddrinfo.o: $(srcdir)/missing/getaddrinfo.c
- $(CC) $(CFLAGS) -c $(srcdir)/missing/$*.c
-getnameinfo.o: $(srcdir)/missing/getnameinfo.c
- $(CC) $(CFLAGS) -c $(srcdir)/missing/$*.c
-rijndael-api-fst.o: $(srcdir)/missing/crypto/rijndael/$*.c
- $(CC) $(CFLAGS) -c $(srcdir)/missing/crypto/rijndael/$*.c
-rijndael-alg-fst.o: $(srcdir)/missing/crypto/rijndael/$*.c
- $(CC) $(CFLAGS) -c $(srcdir)/missing/crypto/rijndael/$*.c
-sha2.o: $(srcdir)/missing/crypto/sha2/$*.c
- $(CC) $(CFLAGS) -c $(srcdir)/missing/crypto/sha2/$*.c
-arc4random.o: $(srcdir)/missing/$*.c
- $(CC) $(CFLAGS) -c $(srcdir)/missing/$*.c
-
-.c.o:
- $(CC) $(CFLAGS) -c $<
-
-tag:
- ctags -dtw $(srcdir)/*.[chly]
-
-install:
- $(INSTALL) -s -o bin -g bin -m 555 racoon $(sbindir)
- $(INSTALL) -o bin -g bin -m 444 racoon.8 $(mandir)/man8
- $(INSTALL) -o bin -g bin -m 444 racoon.conf.5 $(mandir)/man5
- -mkdir -p ${sysconfdir}/racoon
- for i in $(CONF); do \
- if test ! -f ${sysconfdir}/racoon/$$i; then \
- $(INSTALL) -o bin -g bin -m 444 samples/$$i \
- ${sysconfdir}/racoon; \
- fi; \
- $(INSTALL) -o bin -g bin -m 444 samples/$$i \
- ${sysconfdir}/racoon/$$i.dist; \
- done
-
-clean:
- -rm -f $(PROG) *.o *.core y.tab.h cftoken.c cfparse.c cftoken.h cfparse.h
-
-distclean: clean
- -rm -f Makefile config.cache config.status config.log
- -for i in $(CONF); do \
- rm -f samples/$$i; \
- done
-
-
-depend:
- mkdep ${CFLAGS:M-[ID]*} $(srcdir)/*.c
diff --git a/kame/kame/racoon/TODO b/kame/kame/racoon/TODO
deleted file mode 100644
index 1507167e68..0000000000
--- a/kame/kame/racoon/TODO
+++ /dev/null
@@ -1,131 +0,0 @@ -$KAME: TODO,v 1.36 2001/09/19 09:41:39 sakane Exp $ - -Please send any questions or bug reports to snap-users@kame.net. - -TODO list - -URGENT -o The documents for users convenience. -o split log file based on client. printf-like config directive, i.e. - "logfile racoon.%s.log", should be useful here. - -> beware of possible security issue, don't use sprintf() directly! - make validation before giving a string to sprintf(). -o save decrypted IKE packet in tcpdump format -o IPComp SA with wellknown CPI in CPI field. how to handle it? -o better rekey - -MUST -o multiple certificate payload handling. -o To consider the use with certificate infrastructure. PXIX ??? -o kmstat should be improved. -o Informational Exchange processing properly. -o require less configuration. phase 2 is easier (as kernel presents racoon - some hints), phase 1 is harder. for example, - - grab phase 2 lifetime and algorith configuration from sadb_comb payloads in - ACQUIRE message. - - give reasonable default behavior when no configuration file is present. - - difficult items: - how to guess a reasonable phase 1 SA lifetime - (hardcoded default? guess from phase 2 lifetime?) - guess what kind of ID payload to use - guess what kind of authentication to be used - guess phase 1 DH group (for aggressive mode, we cannot negotiate it) - guess if we need phase 2 PFS or not (we cannot negotiate it. so - we may need to pick from "no PFS" or "same as phase 1 DH group") - guess how we should negotiate lifetime - (is "strict" a reasonable default?) - guess which mode to use for phase 1 negotiation (is main mode useful? - is base mode popular enough?) -o more acceptable check. - -SHOULD -o psk.txt should be a database? (psk.db?) psk_mkdb? -o Dynamically retry to exchange and resend the packet per nodes. -o To make the list of supported algorithm by sadb_supported payload - in the SADB_REGISTER message which happens asynchronously. -o fix the structure of ph2handle. 
- We can handle the below case. - - node A node B - +--------------SA1----------------+ - +--------------SA2----------------+ - - at node A: - kernel - acquire(A-B) ------> ph2handle(A=B) -----> ph1handle - | - policy - A=B - A=B - - But we can not handle the below case because there is no x?handle. - - node A node B node C - +--------------SA1----------------+ - +------------------------------------------------SA2---------------+ - - at node A: - kernel - acquire(A-C) ---+---> x?handle ---+---> ph2handle(A=B) -------> ph1handle - | | | - acquire(A-B) ---+ policy +---> ph2handle(A=C) -------> ph1handle - A=B - A=C - -o consistency of function name. -o deep copy configuration entry to hander. It's easy to reload configuration. -o don't keep to hold keymat values, do it ? -o local address's field in isakmpsa handler must be kicked out to rmconf. -o responder policy and initiator policy should be separated. -o for lifetime and key length, something like this should be useful. - - propose N - - accept between X and Y -o wildcard "accept any proposal" policy should be allowed. -o replay prevention - - limited total number of session - - limited session per peer - - number of proposal -o full support for variable length SPI. quickhack support for IPComp is done. - -MAY -o Effective code. -o interaction between IKE/IPsec and socket layer. - at this moment, IKE/IPsec failure is modeled as total packet loss to other - part of network subsystem, including socket layer. this presents the - following behaviors: - - annoyingly long timeouts on tcp connection attempt, and IKE failure; - need to wait till tcp socket timeouts. - - blackhole if there's mismatching SAs. - we may be able to give socket layer some feedback from IKE/IPsec layer. - still not sure if those make sense or not. 
- for example: - - send PRU_HOSTDEAD to sockets if IKE negotiation failed - (sys/netkey/key.c:key_acquire2) - to do this, we need to remember which ACQUIRE was caused by which socket, - possibly into larval SAs. - - PRU_QUENCH on "no SA found on output" - - kick tcp retransmission timer on first SA establishment -o IKE daemon should handle situations where peer does not run IKE daemon - (UDP port unreach for port 500) better. - should use connected UDP sockets for sending IKE datagrams. -o rate-limit log messages from kernel IPsec errors, like "no SA found". - -TO BE TESTED. -o IKE retransmit behavior - see, draft-*-ipsec-rekeying*.txt -o Reboot recovery (peer reboot losing it's security associations) - see, draft-*-ipsec-rekeying*.txt -o Scenarios - - End-to-End transport long lived security associations - (over night, data transfer >1Gb) with frequent dynamic rekey - - End-to-GW tunnel long lived security associations - (over night, data transfer >1Gb) with frequent dynamic rekey - - Policy change events while under SA load - - End-to-End SA through IPsec tunnels, initiation both ways - - Client End-to-End through client-to-GW tunnel SA, initiate from - client for tunnel, then initiation both ways for end-to-end - - Client-to-GW transport SA for secure management -o behavior to receive multiple auth method proposals and AND proposal - -and to be written many many. - diff --git a/kame/kame/racoon/aclocal.m4 b/kame/kame/racoon/aclocal.m4 deleted file mode 100644 index 5d50b4578e..0000000000 --- a/kame/kame/racoon/aclocal.m4 +++ /dev/null 
@@ -1,87 +0,0 @@ -dnl RACOON_PATH_LIBS(FUNCTION, LIB, SEARCH-PATHS [, ACTION-IF-FOUND -dnl [, ACTION-IF-NOT-FOUND [, OTHER-LIBRARIES]]]) -dnl Search for a library defining FUNC, if it's not already available. - -AC_DEFUN(RACOON_PATH_LIBS, -[AC_PREREQ([2.13]) -AC_CACHE_CHECK([for $2 containing $1], [ac_cv_search_$1], -[ac_func_search_save_LIBS="$LIBS" -ac_cv_search_$1="no" -AC_TRY_LINK_FUNC([$1], [ac_cv_search_$1="none required"], - [LIBS="-l$2 $LIBS" - AC_TRY_LINK_FUNC([$1], [ac_cv_search_$1="-l$2"], [])]) -LIBS="$ac_func_search_save_LIBS" -test "$ac_cv_search_$1" = "no" && for i in $3; do -LIBS="-L$i -l$2 $ac_func_search_save_LIBS" -AC_TRY_LINK_FUNC([$1], -[ac_cv_search_$1="-L$i -l$2" -break]) -done -LIBS="$ac_func_search_save_LIBS"]) -if test "$ac_cv_search_$1" != "no"; then - test "$ac_cv_search_$1" = "none required" || LIBS="$ac_cv_search_$1 $LIBS" - $4 -else : - $5 -fi]) - -AC_DEFUN(RACOON_SEARCH_HEADER, -[AC_PREREQ([2.13]) -AC_MSG_CHECKING(for $1) -AC_TRY_CPP([#include <$1>], [], [ -ac_func_search_save_CPPFLAGS="$CPPFLAGS" -ac_add_path="no" -for i in $2; do - CPPFLAGS="-I$i $CPPFLAGS" - AC_TRY_CPP([#include <$1>], - [ac_add_path=$i]) - CPPFLAGS="$ac_func_search_save_CPPFLAGS" - if test "$ac_add_path" != "no"; then - break - fi -done -if test "$ac_add_path" != "no"; then - CPPFLAGS="-I$ac_add_path $CPPFLAGS" -fi -AC_MSG_RESULT($ac_add_path) -])]) - -dnl -dnl openssl 0.94 or higher recommends user to include header files as -dnl openssl/foo.h, not foo.h with -Ipath/openssl. -dnl RACOON_SEARCH_OPENSSL copes with this. 
-dnl -AC_DEFUN(RACOON_SEARCH_OPENSSL, -[AC_PREREQ([2.13]) -AC_MSG_CHECKING(for openssl include path) -AC_TRY_CPP([#include ], - [AC_EGREP_CPP(yes, [#include -#if OPENSSL_VERSION_NUMBER >= 0x00904100L -yes -#endif], [include_path_openssl=yes])], [ -ac_func_search_save_CPPFLAGS="$CPPFLAGS" -ac_add_path="no" -for i in $1; do - CPPFLAGS="-I$i $CPPFLAGS" - AC_TRY_CPP([#include ], - [AC_EGREP_CPP(yes, [#include -#if OPENSSL_VERSION_NUMBER >= 0x00904100L -yes -#endif], [ac_add_path=$i])]) - CPPFLAGS="$ac_func_search_save_CPPFLAGS" - if test "$ac_add_path" != "no"; then - break - fi -done -if test "$ac_add_path" != "no"; then - CPPFLAGS="-I$ac_add_path $CPPFLAGS" - include_path_openssl=yes -fi -]) -if test "x$include_path_openssl" = "xyes"; then - AC_MSG_RESULT(include path needs openssl) - AC_DEFINE(INCLUDE_PATH_OPENSSL) -else - AC_MSG_RESULT(pre-0.94 include path) -fi -]) diff --git a/kame/kame/racoon/admin.c b/kame/kame/racoon/admin.c deleted file mode 100644 index 020d571ffb..0000000000 --- a/kame/kame/racoon/admin.c +++ /dev/null 
@@ -1,486 +0,0 @@
-/* $KAME: admin.c,v 1.24 2003/05/29 08:59:51 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include -#include -#include -#include -#include - -#include -#include - -#include - -#include -#include -#include -#include -#include -#ifdef HAVE_UNISTD_H -#include -#endif - -#include "var.h" -#include "misc.h" -#include "vmbuf.h" -#include "plog.h" -#include "sockmisc.h" -#include "debug.h" - -#include "schedule.h" -#include "localconf.h" -#include "remoteconf.h" -#include "grabmyaddr.h" -#include "isakmp_var.h" -#include "isakmp.h" -#include "oakley.h" -#include "handler.h" -#include "pfkey.h" -#include "admin.h" -#include "admin_var.h" -#include "session.h" -#include "gcmalloc.h" - -static struct sockaddr_un sunaddr; -static int admin_process __P((int, char *)); -static int admin_reply __P((int, struct admin_com *, vchar_t *)); - -int -admin_handler() -{ - int so2; - struct sockaddr_storage from; - int fromlen = sizeof(from); - struct admin_com com; - char *combuf = NULL; - pid_t pid = -1; - int len, error = -1; - - so2 = accept(lcconf->sock_admin, (struct sockaddr *)&from, &fromlen); - if (so2 < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to accept admin command: %s\n", - strerror(errno)); - return -1; - } - - /* get buffer length */ - while ((len = recv(so2, (char *)&com, sizeof(com), MSG_PEEK)) < 0) { - if (errno == EINTR) - continue; - plog(LLV_ERROR, LOCATION, NULL, - "failed to recv admin command: %s\n", - strerror(errno)); - goto end; - } - - /* sanity check */ - if (len < sizeof(com)) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid header length of admin command\n"); - goto end; - } - - /* get buffer to receive */ - if ((combuf = racoon_malloc(com.ac_len)) == 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to alloc buffer for admin command\n"); - goto end; - } - - /* get real data */ - while ((len = recv(so2, combuf, com.ac_len, 0)) < 0) { - if (errno == EINTR) - continue; - plog(LLV_ERROR, LOCATION, NULL, - "failed to recv admin command: %s\n", - strerror(errno)); - goto end; - } - - /* don't fork() because of reloading config. 
*/ - if (com.ac_cmd == ADMIN_RELOAD_CONF) { - /* reload does not work at all! */ - signal_handler(SIGHUP); - goto end; - } - - /* fork for processing */ - if (!f_foreground) { - if ((pid = fork()) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to fork for admin processing: %s\n", - strerror(errno)); - goto end; - } - - /* parant's process. */ - if (pid != 0) { - error = 0; - goto end; - } - - /* child's process */ - admin_close(); - } - - /* exit in this function. */ - error = admin_process(so2, combuf); - - end: - (void)close(so2); - if (combuf) - racoon_free(combuf); - - /* exit if child's process. */ - if (pid == 0 && !f_foreground) - exit(error); - - return error; -} - -/* - * main child's process. - */ -static int -admin_process(so2, combuf) - int so2; - char *combuf; -{ - struct admin_com *com = (struct admin_com *)combuf; - vchar_t *buf = NULL; - int error = 0; - - com->ac_errno = 0; - - switch (com->ac_cmd) { - case ADMIN_RELOAD_CONF: - /* don't entered because of proccessing it in other place. 
*/ - plog(LLV_ERROR, LOCATION, NULL, "should never reach here\n"); - goto bad; - - case ADMIN_SHOW_SCHED: - { - caddr_t p; - int len; - if (sched_dump(&p, &len) == -1) - com->ac_errno = -1; - buf = vmalloc(len); - if (buf == NULL) - com->ac_errno = -1; - memcpy(buf->v, p, len); - } - break; - case ADMIN_SHOW_SA: - case ADMIN_FLUSH_SA: - { - switch (com->ac_proto) { - case ADMIN_PROTO_ISAKMP: - switch (com->ac_cmd) { - case ADMIN_SHOW_SA: - buf = dumpph1(); - if (buf == NULL) - com->ac_errno = -1; - break; - case ADMIN_FLUSH_SA: - flushph1(); - break; - } - break; - case ADMIN_PROTO_IPSEC: - case ADMIN_PROTO_AH: - case ADMIN_PROTO_ESP: - switch (com->ac_cmd) { - case ADMIN_SHOW_SA: - { - u_int p; - p = admin2pfkey_proto(com->ac_proto); - if (p == -1) - goto bad; - buf = pfkey_dump_sadb(p); - if (buf == NULL) - com->ac_errno = -1; - } - break; - case ADMIN_FLUSH_SA: - pfkey_flush_sadb(com->ac_proto); - break; - } - break; - - case ADMIN_PROTO_INTERNAL: - switch (com->ac_cmd) { - case ADMIN_SHOW_SA: - buf = NULL; /*XXX dumpph2(&error);*/ - if (buf == NULL) - com->ac_errno = error; - break; - case ADMIN_FLUSH_SA: - /*XXX flushph2();*/ - com->ac_errno = 0; - break; - } - break; - - default: - /* ignore */ - com->ac_errno = -1; - } - } - break; - - case ADMIN_DELETE_SA: - break; - - case ADMIN_ESTABLISH_SA: - { - struct sockaddr *dst; - struct sockaddr *src; - src = (struct sockaddr *) - &((struct admin_com_indexes *) - ((caddr_t)com + sizeof(*com)))->src; - dst = (struct sockaddr *) - &((struct admin_com_indexes *) - ((caddr_t)com + sizeof(*com)))->dst; - - switch (com->ac_proto) { - case ADMIN_PROTO_ISAKMP: - { - struct remoteconf *rmconf; - struct sockaddr *remote; - struct sockaddr *local; - - /* search appropreate configuration */ - rmconf = getrmconf(dst); - if (rmconf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "no configuration found " - "for %s\n", saddrwop2str(dst)); - com->ac_errno = -1; - break; - } - - /* get remote IP address and port number. 
*/ - remote = dupsaddr(dst); - if (remote == NULL) { - com->ac_errno = -1; - break; - } - switch (remote->sa_family) { - case AF_INET: - ((struct sockaddr_in *)remote)->sin_port = - ((struct sockaddr_in *)rmconf->remote)->sin_port; - break; -#ifdef INET6 - case AF_INET6: - ((struct sockaddr_in6 *)remote)->sin6_port = - ((struct sockaddr_in6 *)rmconf->remote)->sin6_port; - break; -#endif - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid family: %d\n", - remote->sa_family); - com->ac_errno = -1; - break; - } - - /* get local address */ - local = dupsaddr(src); - if (local == NULL) { - com->ac_errno = -1; - break; - } - switch (local->sa_family) { - case AF_INET: - ((struct sockaddr_in *)local)->sin_port = - getmyaddrsport(local); - break; -#ifdef INET6 - case AF_INET6: - ((struct sockaddr_in6 *)local)->sin6_port = - getmyaddrsport(local); - break; -#endif - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid family: %d\n", - local->sa_family); - com->ac_errno = -1; - break; - } - - - plog(LLV_INFO, LOCATION, NULL, - "accept a request to establish IKE-SA: " - "%s\n", saddrwop2str(remote)); - - /* begin ident mode */ - if (isakmp_ph1begin_i(rmconf, remote, local) < 0) { - com->ac_errno = -1; - break; - } - } - break; - case ADMIN_PROTO_AH: - case ADMIN_PROTO_ESP: - break; - default: - /* ignore */ - com->ac_errno = -1; - } - } - break; - - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid command: %d\n", com->ac_cmd); - com->ac_errno = -1; - } - - if (admin_reply(so2, com, buf) < 0) - goto bad; - - if (buf != NULL) - vfree(buf); - - return 0; - - bad: - if (buf != NULL) - vfree(buf); - return -1; -} - -static int -admin_reply(so, combuf, buf) - int so; - struct admin_com *combuf; - vchar_t *buf; -{ - int tlen; - char *retbuf = NULL; - - if (buf != NULL) - tlen = sizeof(*combuf) + buf->l; - else - tlen = sizeof(*combuf); - - retbuf = racoon_calloc(1, tlen); - if (retbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate admin buffer\n"); - 
return -1; - } - - memcpy(retbuf, combuf, sizeof(*combuf)); - ((struct admin_com *)retbuf)->ac_len = tlen; - - if (buf != NULL) - memcpy(retbuf + sizeof(*combuf), buf->v, buf->l); - - tlen = send(so, retbuf, tlen, 0); - racoon_free(retbuf); - if (tlen < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to send admin command: %s\n", - strerror(errno)); - return -1; - } - - return 0; -} - -/* ADMIN_PROTO -> SADB_SATYPE */ -int -admin2pfkey_proto(proto) - u_int proto; -{ - switch (proto) { - case ADMIN_PROTO_IPSEC: - return SADB_SATYPE_UNSPEC; - case ADMIN_PROTO_AH: - return SADB_SATYPE_AH; - case ADMIN_PROTO_ESP: - return SADB_SATYPE_ESP; - default: - plog(LLV_ERROR, LOCATION, NULL, - "unsupported proto for admin: %d\n", proto); - return -1; - } - /*NOTREACHED*/ -} - -int -admin_init() -{ - memset(&sunaddr, 0, sizeof(sunaddr)); - sunaddr.sun_family = AF_UNIX; - snprintf(sunaddr.sun_path, sizeof(sunaddr.sun_path), - "%s", PORT_ADMIN); - - lcconf->sock_admin = socket(AF_UNIX, SOCK_STREAM, 0); - if (lcconf->sock_admin < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "socket: %s\n", strerror(errno)); - return -1; - } - - if (bind(lcconf->sock_admin, (struct sockaddr *)&sunaddr, - sizeof(sunaddr)) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "bind(sockname:%s): %s\n", - sunaddr.sun_path, strerror(errno)); - (void)close(lcconf->sock_admin); - return -1; - } - - if (listen(lcconf->sock_admin, 5) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "listen(sockname:%s): %s\n", - sunaddr.sun_path, strerror(errno)); - (void)close(lcconf->sock_admin); - return -1; - } - plog(LLV_DEBUG, LOCATION, NULL, - "open %s as racoon management.\n", sunaddr.sun_path); - - return 0; -} - -int -admin_close() -{ - close(lcconf->sock_admin); - unlink(sunaddr.sun_path); - return 0; -} diff --git a/kame/kame/racoon/admin.h b/kame/kame/racoon/admin.h deleted file mode 100644 index ef0b3efa7c..0000000000 --- a/kame/kame/racoon/admin.h +++ /dev/null 
@@ -1,77 +0,0 @@
-/* $KAME: admin.h,v 1.8 2000/10/04 17:40:58 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* command for administration. */
-/* NOTE: host byte order. */
-struct admin_com {
- u_int16_t ac_len; /* total packet length including data */
- u_int16_t ac_cmd;
- int16_t ac_errno;
- u_int16_t ac_proto;
-};
-
-/*
- * No data follows as the data.
- * These don't use proto field.
- */
-#define ADMIN_RELOAD_CONF 0x0001
-#define ADMIN_SHOW_SCHED 0x0002
-
-/*
- * No data follows as the data.
- * These use proto field.
- */
-#define ADMIN_SHOW_SA 0x0101
-#define ADMIN_FLUSH_SA 0x0102
-
-/*
- * The admin_com_indexes follows, see below.
- */
-#define ADMIN_DELETE_SA 0x0201
-#define ADMIN_ESTABLISH_SA 0x0202
-
-/* the value of proto */
-#define ADMIN_PROTO_ISAKMP 0x01ff
-#define ADMIN_PROTO_IPSEC 0x02ff
-#define ADMIN_PROTO_AH 0x0201
-#define ADMIN_PROTO_ESP 0x0202
-#define ADMIN_PROTO_INTERNAL 0x0301
-
-struct admin_com_indexes {
- u_int8_t prefs;
- u_int8_t prefd;
- u_int8_t ul_proto;
- u_int8_t reserved;
- struct sockaddr_storage src;
- struct sockaddr_storage dst;
-};
-
-extern int admin2pfkey_proto __P((u_int));
diff --git a/kame/kame/racoon/admin_var.h b/kame/kame/racoon/admin_var.h
deleted file mode 100644
index 60d88ac71b..0000000000
--- a/kame/kame/racoon/admin_var.h
+++ /dev/null
@@ -1,36 +0,0 @@
-/* $KAME: admin_var.h,v 1.4 2001/06/01 10:12:55 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#define PORT_ADMIN "/tmp/.racoon"
-
-extern int admin_handler __P((void));
-extern int admin_init __P((void));
-extern int admin_close __P((void));
diff --git a/kame/kame/racoon/algorithm.c b/kame/kame/racoon/algorithm.c
deleted file mode 100644
index ce2ab8595b..0000000000
--- a/kame/kame/racoon/algorithm.c
+++ /dev/null
@@ -1,850 +0,0 @@
-/* $KAME: algorithm.c,v 1.29 2003/10/21 07:18:03 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include -#include -#include - -#include "var.h" -#include "misc.h" -#include "vmbuf.h" -#include "plog.h" -#include "debug.h" - -#include "crypto_openssl.h" -#include "dhgroup.h" -#include "algorithm.h" -#include "oakley.h" -#include "isakmp_var.h" -#include "isakmp.h" -#include "ipsec_doi.h" -#include "gcmalloc.h" - -static struct hash_algorithm oakley_hashdef[] = { -{ "md5", algtype_md5, OAKLEY_ATTR_HASH_ALG_MD5, - eay_md5_init, eay_md5_update, - eay_md5_final, eay_md5_hashlen, - eay_md5_one, }, -{ "sha1", algtype_sha1, OAKLEY_ATTR_HASH_ALG_SHA, - eay_sha1_init, eay_sha1_update, - eay_sha1_final, eay_sha1_hashlen, - eay_sha1_one, }, -#ifdef WITH_SHA2 -{ "sha2_256", algtype_sha2_256, OAKLEY_ATTR_HASH_ALG_SHA2_256, - eay_sha2_256_init, eay_sha2_256_update, - eay_sha2_256_final, eay_sha2_256_hashlen, - eay_sha2_256_one, }, -{ "sha2_384", algtype_sha2_384, OAKLEY_ATTR_HASH_ALG_SHA2_384, - eay_sha2_384_init, eay_sha2_384_update, - eay_sha2_384_final, eay_sha2_384_hashlen, - eay_sha2_384_one, }, -{ "sha2_512", algtype_sha2_512, OAKLEY_ATTR_HASH_ALG_SHA2_512, - eay_sha2_512_init, eay_sha2_512_update, - eay_sha2_512_final, eay_sha2_512_hashlen, - eay_sha2_512_one, }, -#endif -}; - -static struct hmac_algorithm oakley_hmacdef[] = { -{ "hmac_md5", algtype_md5, OAKLEY_ATTR_HASH_ALG_MD5, - eay_hmacmd5_init, eay_hmacmd5_update, - eay_hmacmd5_final, NULL, - eay_hmacmd5_one, }, -{ "hmac_sha1", algtype_sha1, OAKLEY_ATTR_HASH_ALG_SHA, - eay_hmacsha1_init, eay_hmacsha1_update, - eay_hmacsha1_final, NULL, - eay_hmacsha1_one, }, -#ifdef WITH_SHA2 -{ "hmac_sha2_256", algtype_sha2_256, OAKLEY_ATTR_HASH_ALG_SHA2_256, - eay_hmacsha2_256_init, eay_hmacsha2_256_update, - eay_hmacsha2_256_final, NULL, - eay_hmacsha2_256_one, }, -{ "hmac_sha2_384", algtype_sha2_384, OAKLEY_ATTR_HASH_ALG_SHA2_384, - eay_hmacsha2_384_init, eay_hmacsha2_384_update, - eay_hmacsha2_384_final, NULL, - eay_hmacsha2_384_one, }, -{ "hmac_sha2_512", algtype_sha2_512, OAKLEY_ATTR_HASH_ALG_SHA2_512, - 
eay_hmacsha2_512_init, eay_hmacsha2_512_update, - eay_hmacsha2_512_final, NULL, - eay_hmacsha2_512_one, }, -#endif -}; - -static struct enc_algorithm oakley_encdef[] = { -{ "des", algtype_des, OAKLEY_ATTR_ENC_ALG_DES, 8, - eay_des_encrypt, eay_des_decrypt, - eay_des_weakkey, eay_des_keylen, }, -#ifdef HAVE_OPENSSL_IDEA_H -{ "idea", algtype_idea, OAKLEY_ATTR_ENC_ALG_IDEA, 8, - eay_idea_encrypt, eay_idea_decrypt, - eay_idea_weakkey, eay_idea_keylen, }, -#endif -{ "blowfish", algtype_blowfish, OAKLEY_ATTR_ENC_ALG_BLOWFISH, 8, - eay_bf_encrypt, eay_bf_decrypt, - eay_bf_weakkey, eay_bf_keylen, }, -#ifdef HAVE_OPENSSL_RC5_H -{ "rc5", algtype_rc5, OAKLEY_ATTR_ENC_ALG_RC5, 8, - eay_rc5_encrypt, eay_rc5_decrypt, - eay_rc5_weakkey, eay_rc5_keylen, }, -#endif -{ "3des", algtype_3des, OAKLEY_ATTR_ENC_ALG_3DES, 8, - eay_3des_encrypt, eay_3des_decrypt, - eay_3des_weakkey, eay_3des_keylen, }, -{ "cast", algtype_cast128, OAKLEY_ATTR_ENC_ALG_CAST, 8, - eay_cast_encrypt, eay_cast_decrypt, - eay_cast_weakkey, eay_cast_keylen, }, -{ "aes", algtype_rijndael, OAKLEY_ATTR_ENC_ALG_AES, 16, - eay_aes_encrypt, eay_aes_decrypt, - eay_aes_weakkey, eay_aes_keylen, }, -}; - -static struct enc_algorithm ipsec_encdef[] = { -{ "des-iv64", algtype_des_iv64, IPSECDOI_ESP_DES_IV64, 8, - NULL, NULL, - NULL, eay_des_keylen, }, -{ "des", algtype_des, IPSECDOI_ESP_DES, 8, - NULL, NULL, - NULL, eay_des_keylen, }, -{ "3des", algtype_3des, IPSECDOI_ESP_3DES, 8, - NULL, NULL, - NULL, eay_3des_keylen, }, -#ifdef HAVE_OPENSSL_RC5_H -{ "rc5", algtype_rc5, IPSECDOI_ESP_RC5, 8, - NULL, NULL, - NULL, eay_rc5_keylen, }, -#endif -{ "cast", algtype_cast128, IPSECDOI_ESP_CAST, 8, - NULL, NULL, - NULL, eay_cast_keylen, }, -{ "blowfish", algtype_blowfish, IPSECDOI_ESP_BLOWFISH, 8, - NULL, NULL, - NULL, eay_bf_keylen, }, -{ "des-iv32", algtype_des_iv32, IPSECDOI_ESP_DES_IV32, 8, - NULL, NULL, - NULL, eay_des_keylen, }, -{ "null", algtype_null_enc, IPSECDOI_ESP_NULL, 8, - NULL, NULL, - NULL, eay_null_keylen, }, -{ 
"rijndael", algtype_rijndael, IPSECDOI_ESP_RIJNDAEL, 16, - NULL, NULL, - NULL, eay_aes_keylen, }, -{ "twofish", algtype_twofish, IPSECDOI_ESP_TWOFISH, 16, - NULL, NULL, - NULL, eay_twofish_keylen, }, -#ifdef HAVE_OPENSSL_IDEA_H -{ "3idea", algtype_3idea, IPSECDOI_ESP_3IDEA, 8, - NULL, NULL, - NULL, NULL, }, -{ "idea", algtype_idea, IPSECDOI_ESP_IDEA, 8, - NULL, NULL, - NULL, NULL, }, -#endif -{ "rc4", algtype_rc4, IPSECDOI_ESP_RC4, 8, - NULL, NULL, - NULL, NULL, }, -}; - -static struct hmac_algorithm ipsec_hmacdef[] = { -{ "md5", algtype_hmac_md5, IPSECDOI_ATTR_AUTH_HMAC_MD5, - NULL, NULL, - NULL, eay_md5_hashlen, - NULL, }, -{ "sha1", algtype_hmac_sha1, IPSECDOI_ATTR_AUTH_HMAC_SHA1, - NULL, NULL, - NULL, eay_sha1_hashlen, - NULL, }, -{ "kpdk", algtype_kpdk, IPSECDOI_ATTR_AUTH_KPDK, - NULL, NULL, - NULL, eay_kpdk_hashlen, - NULL, }, -{ "null", algtype_non_auth, IPSECDOI_ATTR_AUTH_NONE, - NULL, NULL, - NULL, eay_null_hashlen, - NULL, }, -{ "hmac_sha2_256", algtype_hmac_sha2_256, IPSECDOI_ATTR_SHA2_256, - NULL, NULL, - NULL, eay_sha2_256_hashlen, - NULL, }, -{ "hmac_sha2_384", algtype_hmac_sha2_384, IPSECDOI_ATTR_SHA2_384, - NULL, NULL, - NULL, eay_sha2_384_hashlen, - NULL, }, -{ "hmac_sha2_512", algtype_hmac_sha2_512, IPSECDOI_ATTR_SHA2_512, - NULL, NULL, - NULL, eay_sha2_512_hashlen, - NULL, }, -}; - -static struct misc_algorithm ipsec_compdef[] = { -{ "oui", algtype_oui, IPSECDOI_IPCOMP_OUI, }, -{ "deflate", algtype_deflate, IPSECDOI_IPCOMP_DEFLATE, }, -{ "lzs", algtype_lzs, IPSECDOI_IPCOMP_LZS, }, -}; - -static struct misc_algorithm oakley_authdef[] = { -{ "psk", algtype_psk, OAKLEY_ATTR_AUTH_METHOD_PSKEY, }, -{ "dsssig", algtype_dsssig, OAKLEY_ATTR_AUTH_METHOD_DSSSIG, }, -{ "rsasig", algtype_rsasig, OAKLEY_ATTR_AUTH_METHOD_RSASIG, }, -{ "rsaenc", algtype_rsaenc, OAKLEY_ATTR_AUTH_METHOD_RSAENC, }, -{ "rsarev", algtype_rsarev, OAKLEY_ATTR_AUTH_METHOD_RSAREV, }, -{ "gssapi_krb", algtype_gssapikrb, OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB, }, -}; - -static struct 
dh_algorithm oakley_dhdef[] = { -{ "modp768", algtype_modp768, OAKLEY_ATTR_GRP_DESC_MODP768, - &dh_modp768, }, -{ "modp1024", algtype_modp1024, OAKLEY_ATTR_GRP_DESC_MODP1024, - &dh_modp1024, }, -{ "modp1536", algtype_modp1536, OAKLEY_ATTR_GRP_DESC_MODP1536, - &dh_modp1536, }, -{ "modp2048", algtype_modp2048, OAKLEY_ATTR_GRP_DESC_MODP2048, - &dh_modp2048, }, -{ "modp3072", algtype_modp3072, OAKLEY_ATTR_GRP_DESC_MODP3072, - &dh_modp3072, }, -{ "modp4096", algtype_modp4096, OAKLEY_ATTR_GRP_DESC_MODP4096, - &dh_modp4096, }, -{ "modp6144", algtype_modp6144, OAKLEY_ATTR_GRP_DESC_MODP6144, - &dh_modp6144, }, -{ "modp8192", algtype_modp8192, OAKLEY_ATTR_GRP_DESC_MODP8192, - &dh_modp8192, }, -}; - -static struct hash_algorithm *alg_oakley_hashdef __P((int)); -static struct hmac_algorithm *alg_oakley_hmacdef __P((int)); -static struct enc_algorithm *alg_oakley_encdef __P((int)); -static struct enc_algorithm *alg_ipsec_encdef __P((int)); -static struct hmac_algorithm *alg_ipsec_hmacdef __P((int)); -static struct dh_algorithm *alg_oakley_dhdef __P((int)); - -/* oakley hash algorithm */ -static struct hash_algorithm * -alg_oakley_hashdef(doi) - int doi; -{ - int i; - - for (i = 0; i < ARRAYLEN(oakley_hashdef); i++) - if (doi == oakley_hashdef[i].doi) { - plog(LLV_DEBUG, LOCATION, NULL, "hash(%s)\n", - oakley_hashdef[i].name); - return &oakley_hashdef[i]; - } - return NULL; -} - -int -alg_oakley_hashdef_ok(doi) - int doi; -{ - struct hash_algorithm *f; - - f = alg_oakley_hashdef(doi); - if (f == NULL) - return 0; - - return 1; -} - -int -alg_oakley_hashdef_doi(type) - int type; -{ - int i, res = -1; - - for (i = 0; i < ARRAYLEN(oakley_hashdef); i++) - if (type == oakley_hashdef[i].type) { - res = oakley_hashdef[i].doi; - break; - } - return res; -} - -int -alg_oakley_hashdef_hashlen(doi) - int doi; -{ - struct hash_algorithm *f; - - f = alg_oakley_hashdef(doi); - if (f == NULL || f->hashlen == NULL) - return 0; - - return (f->hashlen)(); -} - -vchar_t * 
-alg_oakley_hashdef_one(doi, buf) - int doi; - vchar_t *buf; -{ - struct hash_algorithm *f; - - f = alg_oakley_hashdef(doi); - if (f == NULL || f->hashlen == NULL) - return NULL; - - return (f->one)(buf); -} - -/* oakley hmac algorithm */ -static struct hmac_algorithm * -alg_oakley_hmacdef(doi) - int doi; -{ - int i; - - for (i = 0; i < ARRAYLEN(oakley_hmacdef); i++) - if (doi == oakley_hmacdef[i].doi) { - plog(LLV_DEBUG, LOCATION, NULL, "hmac(%s)\n", - oakley_hmacdef[i].name); - return &oakley_hmacdef[i]; - } - return NULL; -} - -int -alg_oakley_hmacdef_doi(type) - int type; -{ - int i, res = -1; - - for (i = 0; i < ARRAYLEN(oakley_hmacdef); i++) - if (type == oakley_hmacdef[i].type) { - res = oakley_hmacdef[i].doi; - break; - } - return res; -} - -vchar_t * -alg_oakley_hmacdef_one(doi, key, buf) - int doi; - vchar_t *key, *buf; -{ - struct hmac_algorithm *f; - vchar_t *res; -#ifdef ENABLE_STATS - struct timeval start, end; -#endif - - f = alg_oakley_hmacdef(doi); - if (f == NULL || f->one == NULL) - return NULL; - -#ifdef ENABLE_STATS - gettimeofday(&start, NULL); -#endif - - res = (f->one)(key, buf); - -#ifdef ENABLE_STATS - gettimeofday(&end, NULL); - syslog(LOG_NOTICE, "%s(%s size=%d): %8.6f", __func__, - f->name, buf->l, timedelta(&start, &end)); -#endif - - return res; -} - -/* oakley encryption algorithm */ -static struct enc_algorithm * -alg_oakley_encdef(doi) - int doi; -{ - int i; - - for (i = 0; i < ARRAYLEN(oakley_encdef); i++) - if (doi == oakley_encdef[i].doi) { - plog(LLV_DEBUG, LOCATION, NULL, "encription(%s)\n", - oakley_encdef[i].name); - return &oakley_encdef[i]; - } - return NULL; -} - -int -alg_oakley_encdef_ok(doi) - int doi; -{ - struct enc_algorithm *f; - - f = alg_oakley_encdef(doi); - if (f == NULL) - return 0; - - return 1; -} - -int -alg_oakley_encdef_doi(type) - int type; -{ - int i, res = -1; - - for (i = 0; i < ARRAYLEN(oakley_encdef); i++) - if (type == oakley_encdef[i].type) { - res = oakley_encdef[i].doi; - break; - } - return 
res; -} - -int -alg_oakley_encdef_keylen(doi, len) - int doi, len; -{ - struct enc_algorithm *f; - - f = alg_oakley_encdef(doi); - if (f == NULL || f->keylen == NULL) - return -1; - - return (f->keylen)(len); -} - -int -alg_oakley_encdef_blocklen(doi) - int doi; -{ - struct enc_algorithm *f; - - f = alg_oakley_encdef(doi); - if (f == NULL) - return -1; - - return f->blocklen; -} - -vchar_t * -alg_oakley_encdef_decrypt(doi, buf, key, iv) - int doi; - vchar_t *buf, *key, *iv; -{ - vchar_t *res; - struct enc_algorithm *f; -#ifdef ENABLE_STATS - struct timeval start, end; -#endif - - f = alg_oakley_encdef(doi); - if (f == NULL || f->decrypt == NULL) - return NULL; - -#ifdef ENABLE_STATS - gettimeofday(&start, NULL); -#endif - - res = (f->decrypt)(buf, key, iv); - -#ifdef ENABLE_STATS - gettimeofday(&end, NULL); - syslog(LOG_NOTICE, "%s(%s klen=%d size=%d): %8.6f", __func__, - f->name, key->l << 3, buf->l, timedelta(&start, &end)); -#endif - return res; -} - -vchar_t * -alg_oakley_encdef_encrypt(doi, buf, key, iv) - int doi; - vchar_t *buf, *key, *iv; -{ - vchar_t *res; - struct enc_algorithm *f; -#ifdef ENABLE_STATS - struct timeval start, end; -#endif - - f = alg_oakley_encdef(doi); - if (f == NULL || f->encrypt == NULL) - return NULL; - -#ifdef ENABLE_STATS - gettimeofday(&start, NULL); -#endif - - res = (f->encrypt)(buf, key, iv); - -#ifdef ENABLE_STATS - gettimeofday(&end, NULL); - syslog(LOG_NOTICE, "%s(%s klen=%d size=%d): %8.6f", __func__, - f->name, key->l << 3, buf->l, timedelta(&start, &end)); -#endif - return res; -} - -/* ipsec encryption algorithm */ -static struct enc_algorithm * -alg_ipsec_encdef(doi) - int doi; -{ - int i; - - for (i = 0; i < ARRAYLEN(ipsec_encdef); i++) - if (doi == ipsec_encdef[i].doi) { - plog(LLV_DEBUG, LOCATION, NULL, "encription(%s)\n", - ipsec_encdef[i].name); - return &ipsec_encdef[i]; - } - return NULL; -} - -int -alg_ipsec_encdef_doi(type) - int type; -{ - int i, res = -1; - - for (i = 0; i < ARRAYLEN(ipsec_encdef); i++) - if 
(type == ipsec_encdef[i].type) { - res = ipsec_encdef[i].doi; - break; - } - return res; -} - -int -alg_ipsec_encdef_keylen(doi, len) - int doi, len; -{ - struct enc_algorithm *f; - - f = alg_ipsec_encdef(doi); - if (f == NULL || f->keylen == NULL) - return -1; - - return (f->keylen)(len); -} - -/* ipsec hmac algorithm */ -static struct hmac_algorithm * -alg_ipsec_hmacdef(doi) - int doi; -{ - int i; - - for (i = 0; i < ARRAYLEN(ipsec_hmacdef); i++) - if (doi == ipsec_hmacdef[i].doi) { - plog(LLV_DEBUG, LOCATION, NULL, "hmac(%s)\n", - oakley_hmacdef[i].name); - return &ipsec_hmacdef[i]; - } - return NULL; -} - -int -alg_ipsec_hmacdef_doi(type) - int type; -{ - int i, res = -1; - - for (i = 0; i < ARRAYLEN(ipsec_hmacdef); i++) - if (type == ipsec_hmacdef[i].type) { - res = ipsec_hmacdef[i].doi; - break; - } - return res; -} - -int -alg_ipsec_hmacdef_hashlen(doi) - int doi; -{ - struct hmac_algorithm *f; - - f = alg_ipsec_hmacdef(doi); - if (f == NULL || f->hashlen == NULL) - return -1; - - return (f->hashlen)(); -} - -/* ip compression */ -int -alg_ipsec_compdef_doi(type) - int type; -{ - int i, res = -1; - - for (i = 0; i < ARRAYLEN(ipsec_compdef); i++) - if (type == ipsec_compdef[i].type) { - res = ipsec_compdef[i].doi; - break; - } - return res; -} - -/* dh algorithm */ -static struct dh_algorithm * -alg_oakley_dhdef(doi) - int doi; -{ - int i; - - for (i = 0; i < ARRAYLEN(oakley_dhdef); i++) - if (doi == oakley_dhdef[i].doi) { - plog(LLV_DEBUG, LOCATION, NULL, "hmac(%s)\n", - oakley_dhdef[i].name); - return &oakley_dhdef[i]; - } - return NULL; -} - -int -alg_oakley_dhdef_ok(doi) - int doi; -{ - struct dh_algorithm *f; - - f = alg_oakley_dhdef(doi); - if (f == NULL) - return 0; - - return 1; -} - -int -alg_oakley_dhdef_doi(type) - int type; -{ - int i, res = -1; - - for (i = 0; i < ARRAYLEN(oakley_dhdef); i++) - if (type == oakley_dhdef[i].type) { - res = oakley_dhdef[i].doi; - break; - } - return res; -} - -struct dhgroup * -alg_oakley_dhdef_group(doi) - int doi; 
-{ - struct dh_algorithm *f; - - f = alg_oakley_dhdef(doi); - if (f == NULL || f->dhgroup == NULL) - return NULL; - - return f->dhgroup; -} - -/* authentication method */ -int -alg_oakley_authdef_doi(type) - int type; -{ - int i, res = -1; - - for (i = 0; i < ARRAYLEN(oakley_authdef); i++) - if (type == oakley_authdef[i].type) { - res = oakley_authdef[i].doi; - break; - } - return res; -} - -/* - * give the default key length - * OUT: -1: NG - * 0: fixed key cipher, key length not allowed - * positive: default key length - */ -int -default_keylen(class, type) - int class, type; -{ - - switch (class) { - case algclass_isakmp_enc: - case algclass_ipsec_enc: - break; - default: - return 0; - } - - switch (type) { - case algtype_blowfish: - case algtype_rc5: - case algtype_cast128: - case algtype_rijndael: - case algtype_twofish: - return 128; - default: - return 0; - } -} - -/* - * check key length - * OUT: -1: NG - * 0: OK - */ -int -check_keylen(class, type, len) - int class, type, len; -{ - int badrange; - - switch (class) { - case algclass_isakmp_enc: - case algclass_ipsec_enc: - break; - default: - /* unknown class, punt */ - plog(LLV_ERROR, LOCATION, NULL, - "unknown algclass %d\n", class); - return -1; - } - - /* key length must be multiple of 8 bytes - RFC2451 2.2 */ - switch (type) { - case algtype_blowfish: - case algtype_rc5: - case algtype_cast128: - case algtype_rijndael: - case algtype_twofish: - if (len % 8 != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "key length %d is not multiple of 8\n", len); - return -1; - } - break; - } - - /* key length range */ - badrange = 0; - switch (type) { - case algtype_blowfish: - if (len < 40 || 448 < len) - badrange++; - break; - case algtype_rc5: - if (len < 40 || 2040 < len) - badrange++; - break; - case algtype_cast128: - if (len < 40 || 128 < len) - badrange++; - break; - case algtype_rijndael: - if (!(len == 128 || len == 192 || len == 256)) - badrange++; - break; - case algtype_twofish: - if (len < 40 || 256 < len) 
- badrange++; - break; - default: - if (len) { - plog(LLV_ERROR, LOCATION, NULL, - "key length is not allowed"); - return -1; - } - break; - } - if (badrange) { - plog(LLV_ERROR, LOCATION, NULL, - "key length out of range\n"); - return -1; - } - - return 0; -} - -/* - * convert algorithm type to DOI value. - * OUT -1 : NG - * other: converted. - */ -int -algtype2doi(class, type) - int class, type; -{ - int res = -1; - - switch (class) { - case algclass_ipsec_enc: - res = alg_ipsec_encdef_doi(type); - break; - case algclass_ipsec_auth: - res = alg_ipsec_hmacdef_doi(type); - break; - case algclass_ipsec_comp: - res = alg_ipsec_compdef_doi(type); - break; - case algclass_isakmp_enc: - res = alg_oakley_encdef_doi(type); - break; - case algclass_isakmp_hash: - res = alg_oakley_hashdef_doi(type); - break; - case algclass_isakmp_dh: - res = alg_oakley_dhdef_doi(type); - break; - case algclass_isakmp_ameth: - res = alg_oakley_authdef_doi(type); - break; - } - return res; -} - -/* - * convert algorithm class to DOI value. - * OUT -1 : NG - * other: converted. - */ -int -algclass2doi(class) - int class; -{ - switch (class) { - case algclass_ipsec_enc: - return IPSECDOI_PROTO_IPSEC_ESP; - case algclass_ipsec_auth: - return IPSECDOI_ATTR_AUTH; - case algclass_ipsec_comp: - return IPSECDOI_PROTO_IPCOMP; - case algclass_isakmp_enc: - return OAKLEY_ATTR_ENC_ALG; - case algclass_isakmp_hash: - return OAKLEY_ATTR_HASH_ALG; - case algclass_isakmp_dh: - return OAKLEY_ATTR_GRP_DESC; - case algclass_isakmp_ameth: - return OAKLEY_ATTR_AUTH_METHOD; - default: - return -1; - } - /*NOTREACHED*/ - return -1; -} diff --git a/kame/kame/racoon/algorithm.h b/kame/kame/racoon/algorithm.h deleted file mode 100644 index 0e7bd2bb43..0000000000 --- a/kame/kame/racoon/algorithm.h +++ /dev/null 
@@ -1,191 +0,0 @@
-/* $KAME: algorithm.h,v 1.20 2001/12/12 18:23:41 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* algorithm class */
-enum {
- algclass_ipsec_enc,
- algclass_ipsec_auth,
- algclass_ipsec_comp,
- algclass_isakmp_enc,
- algclass_isakmp_hash,
- algclass_isakmp_dh,
- algclass_isakmp_ameth, /* authentication method. */
-#define MAXALGCLASS 7
-};
-
-#define ALG_DEFAULT_KEYLEN 64
-
-#define ALGTYPE_NOTHING 0
-
-/* algorithm type */
-enum {
- algtype_nothing = 0,
-
- /* enc */
- algtype_des_iv64,
- algtype_des,
- algtype_3des,
- algtype_rc5,
- algtype_idea,
- algtype_cast128,
- algtype_blowfish,
- algtype_3idea,
- algtype_des_iv32,
- algtype_rc4,
- algtype_null_enc,
- algtype_rijndael,
- algtype_twofish,
-
- /* ipsec auth */
- algtype_hmac_md5,
- algtype_hmac_sha1,
- algtype_des_mac,
- algtype_kpdk,
- algtype_non_auth,
- algtype_hmac_sha2_256,
- algtype_hmac_sha2_384,
- algtype_hmac_sha2_512,
-
- /* ipcomp */
- algtype_oui,
- algtype_deflate,
- algtype_lzs,
-
- /* hash */
- algtype_md5,
- algtype_sha1,
- algtype_tiger,
- algtype_sha2_256,
- algtype_sha2_384,
- algtype_sha2_512,
-
- /* dh_group */
- algtype_modp768,
- algtype_modp1024,
- algtype_ec2n155,
- algtype_ec2n185,
- algtype_modp1536,
- algtype_modp2048,
- algtype_modp3072,
- algtype_modp4096,
- algtype_modp6144,
- algtype_modp8192,
-
- /* authentication method. */
- algtype_psk,
- algtype_dsssig,
- algtype_rsasig,
- algtype_rsaenc,
- algtype_rsarev,
- algtype_gssapikrb
-};
-
-struct hmac_algorithm {
- char *name;
- int type;
- int doi;
- caddr_t (*init) __P((vchar_t *));
- void (*update) __P((caddr_t, vchar_t *));
- vchar_t *(*final) __P((caddr_t));
- int (*hashlen) __P((void));
- vchar_t *(*one) __P((vchar_t *, vchar_t *));
-};
-
-struct hash_algorithm {
- char *name;
- int type;
- int doi;
- caddr_t (*init) __P((void));
- void (*update) __P((caddr_t, vchar_t *));
- vchar_t *(*final) __P((caddr_t));
- int (*hashlen) __P((void));
- vchar_t *(*one) __P((vchar_t *));
-};
-
-struct enc_algorithm {
- char *name;
- int type;
- int doi;
- int blocklen;
- vchar_t *(*encrypt) __P((vchar_t *, vchar_t *, vchar_t *));
- vchar_t *(*decrypt) __P((vchar_t *, vchar_t *, vchar_t *));
- int (*weakkey) __P((vchar_t *));
- int (*keylen) __P((int));
-};
-
-/* dh group */
-struct dh_algorithm {
- char *name;
- int type;
- int doi;
- struct dhgroup *dhgroup;
-};
-
-/* ipcomp, auth meth, dh group */
-struct misc_algorithm {
- char *name;
- int type;
- int doi;
-};
-
-extern int alg_oakley_hashdef_ok __P((int));
-extern int alg_oakley_hashdef_doi __P((int));
-extern int alg_oakley_hashdef_hashlen __P((int));
-extern vchar_t *alg_oakley_hashdef_one __P((int, vchar_t *));
-
-extern int alg_oakley_hmacdef_doi __P((int));
-extern vchar_t *alg_oakley_hmacdef_one __P((int, vchar_t *, vchar_t *));
-
-extern int alg_oakley_encdef_ok __P((int));
-extern int alg_oakley_encdef_doi __P((int));
-extern int alg_oakley_encdef_keylen __P((int, int));
-extern int alg_oakley_encdef_blocklen __P((int));
-extern vchar_t *alg_oakley_encdef_decrypt __P((int, vchar_t *, vchar_t *, vchar_t *));
-extern vchar_t *alg_oakley_encdef_encrypt __P((int, vchar_t *, vchar_t *, vchar_t *));
-
-extern int alg_ipsec_encdef_doi __P((int));
-extern int alg_ipsec_encdef_keylen __P((int, int));
-
-extern int alg_ipsec_hmacdef_doi __P((int));
-extern int alg_ipsec_hmacdef_hashlen __P((int));
-
-extern int alg_ipsec_compdef_doi __P((int));
-
-extern int alg_oakley_dhdef_doi __P((int));
-extern int alg_oakley_dhdef_ok __P((int));
-extern struct dhgroup *alg_oakley_dhdef_group __P((int));
-
-extern int alg_oakley_authdef_doi __P((int));
-
-extern int default_keylen __P((int, int));
-extern int check_keylen __P((int, int, int));
-extern int algtype2doi __P((int, int));
-extern int algclass2doi __P((int));
diff --git a/kame/kame/racoon/arc4random.h b/kame/kame/racoon/arc4random.h
deleted file mode 100644
index f89e9249bb..0000000000
--- a/kame/kame/racoon/arc4random.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/* $KAME: arc4random.h,v 1.1 2002/06/04 05:23:26 itojun Exp $ */
-
-/*
- * Copyright (C) 2000 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-extern u_int32_t arc4random __P((void));
diff --git a/kame/kame/racoon/auth_gssapi.h b/kame/kame/racoon/auth_gssapi.h
deleted file mode 100644
index 93fe0b803d..0000000000
--- a/kame/kame/racoon/auth_gssapi.h
+++ /dev/null
@@ -1,92 +0,0 @@
-/* $KAME: auth_gssapi.h,v 1.1 2004/03/18 00:27:56 sakane Exp $ */
-
-/*
- * Copyright 2000 Wasabi Systems, Inc.
- * All rights reserved.
- *
- * This software was written by Frank van der Linden of Wasabi Systems
- * for Zembu Labs, Inc. http://www.zembu.com/
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by Wasabi Systems for
- * Zembu Labs, Inc. http://www.zembu.com/
- * 4. The name of Wasabi Systems, Inc. may not be used to endorse
- * or promote products derived from this software without specific prior
- * written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY WASABI SYSTEMS, INC. ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL WASABI SYSTEMS, INC
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifdef __FreeBSD__
-#include
-#else
-#include
-#endif
-
-#define GSSAPI_DEF_NAME "ike"
-
-struct ph1handle;
-struct isakmpsa;
-
-struct gssapi_ph1_state {
- int gsscnt; /* # of token we're working on */
- int gsscnt_p; /* # of token we're working on */
-
- gss_buffer_desc gss[3]; /* gss-api tokens. */
- /* NOTE: XXX this restricts the max # */
- /* to 3. More should never happen */
-
- gss_buffer_desc gss_p[3];
-
- gss_ctx_id_t gss_context; /* context for gss_init_sec_context */
-
- OM_uint32 gss_status; /* retval from gss_init_sec_context */
- gss_cred_id_t gss_cred; /* acquired credentials */
-
- int gss_flags;
-#define GSSFLAG_ID_SENT 0x0001
-#define GSSFLAG_ID_RCVD 0x0001
-};
-
-#define gssapi_get_state(ph) \
- ((struct gssapi_ph1_state *)((ph)->gssapi_state))
-
-#define gssapi_set_state(ph, st) \
- (ph)->gssapi_state = (st)
-
-#define gssapi_more_tokens(ph) \
- ((gssapi_get_state(ph)->gss_status & GSS_S_CONTINUE_NEEDED) != 0)
-
-int gssapi_get_itoken __P((struct ph1handle *, int *));
-int gssapi_get_rtoken __P((struct ph1handle *, int *));
-int gssapi_save_received_token __P((struct ph1handle *, vchar_t *));
-int gssapi_get_token_to_send __P((struct ph1handle *, vchar_t **));
-int gssapi_get_itokens __P((struct ph1handle *, vchar_t **));
-int gssapi_get_rtokens __P((struct ph1handle *, vchar_t **));
-vchar_t *gssapi_wraphash __P((struct ph1handle *));
-vchar_t *gssapi_unwraphash __P((struct ph1handle *));
-void gssapi_set_id_sent __P((struct ph1handle *));
-int gssapi_id_sent __P((struct ph1handle *));
-void gssapi_set_id_rcvd __P((struct ph1handle *));
-int gssapi_id_rcvd __P((struct ph1handle *));
-void gssapi_free_state __P((struct ph1handle *));
-vchar_t *gssapi_get_default_id __P((struct ph1handle *));
diff --git a/kame/kame/racoon/backupsa.c b/kame/kame/racoon/backupsa.c
deleted file mode 100644
index c0ef9ee36c..0000000000
--- a/kame/kame/racoon/backupsa.c
+++ /dev/null
@@ -1,485 +0,0 @@
-/* $KAME: backupsa.c,v 1.16 2001/12/31 20:13:40 thorpej Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include -#include -#include - -#include -#include -#include -#include - -#include -#ifdef IPV6_INRIA_VERSION -#include -#else -#include -#endif - -#if TIME_WITH_SYS_TIME -# include -# include -#else -# if HAVE_SYS_TIME_H -# include -# else -# include -# endif -#endif - -#include "var.h" -#include "misc.h" -#include "vmbuf.h" -#include "str2val.h" -#include "plog.h" -#include "debug.h" - -#include "localconf.h" -#include "sockmisc.h" -#include "safefile.h" -#include "backupsa.h" -#include "libpfkey.h" - -/* - * (time string)%(sa parameter) - * (time string) := ex. Nov 24 18:22:48 1986 - * (sa parameter) := - * src dst satype spi mode reqid wsize \ - * e_type e_keylen a_type a_keylen flags \ - * l_alloc l_bytes l_addtime l_usetime seq keymat - */ -static char *format = "%b %d %T %Y"; /* time format */ -static char *strmon[12] = { - "Jan", "Feb", "Mar", "Apr", "May", "Jun", - "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" -}; - -static char *str2tmx __P((char *, struct tm *)); -static int str2num __P((char *, int)); - -/* - * output the sa parameter. 
- */ -int -backupsa_to_file(satype, mode, src, dst, spi, reqid, wsize, - keymat, e_type, e_keylen, a_type, a_keylen, flags, - l_alloc, l_bytes, l_addtime, l_usetime, seq) - u_int satype, mode, wsize; - struct sockaddr *src, *dst; - u_int32_t spi, reqid; - caddr_t keymat; - u_int e_type, e_keylen, a_type, a_keylen, flags; - u_int32_t l_alloc; - u_int64_t l_bytes, l_addtime, l_usetime; - u_int32_t seq; -{ - char buf[1024]; - struct tm *tm; - time_t t; - char *p, *k; - int len, l, i; - FILE *fp; - - p = buf; - len = sizeof(buf); - - t = time(NULL); - tm = localtime(&t); - l = strftime(p, len, format, tm); - p += l; - len -= l; - if (len < 0) - goto err; - - l = snprintf(p, len, "%%"); - if (l < 0 || l >= len) - goto err; - p += l; - len -= l; - if (len < 0) - goto err; - - i = getnameinfo(src, src->sa_len, p, len, NULL, 0, NIFLAGS); - if (i != 0) - goto err; - l = strlen(p); - p += l; - len -= l; - if (len < 0) - goto err; - - l = snprintf(p, len, " "); - if (l < 0 || l >= len) - goto err; - p += l; - len -= l; - if (len < 0) - goto err; - - i = getnameinfo(dst, dst->sa_len, p, len, NULL, 0, NIFLAGS); - if (i != 0) - goto err; - l = strlen(p); - p += l; - len -= l; - if (len < 0) - goto err; - - l = snprintf(p, len, - " %u %lu %u %u %u " - "%u %u %u %u %u " - "%u %llu %llu %llu %u", - satype, (unsigned long)ntohl(spi), mode, reqid, wsize, - e_type, e_keylen, a_type, a_keylen, flags, - l_alloc, (unsigned long long)l_bytes, - (unsigned long long)l_addtime, (unsigned long long)l_usetime, - seq); - if (l < 0 || l >= len) - goto err; - p += l; - len -= l; - if (len < 0) - goto err; - - k = val2str(keymat, e_keylen + a_keylen); - l = snprintf(p, len, " %s", k); - if (l < 0 || l >= len) - goto err; - racoon_free(k); - p += l; - len -= l; - if (len < 0) - goto err; - - /* open the file and write the SA parameter */ - if (safefile(lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], 1) != 0 || - (fp = fopen(lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], "a")) == NULL) { - plog(LLV_ERROR, 
LOCATION, NULL, - "failed to open the backup file %s.\n", - lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]); - return -1; - } - fprintf(fp, "%s\n", buf); - fclose(fp); - - return 0; - -err: - plog(LLV_ERROR, LOCATION, NULL, - "SA cannot be saved to a file.\n"); - return -1; -} - -int -backupsa_from_file() -{ - FILE *fp; - char buf[512]; - struct tm tm; - time_t created, current; - char *p, *q; - u_int satype, mode; - struct sockaddr *src, *dst; - u_int32_t spi, reqid; - caddr_t keymat; - size_t keymatlen; - u_int wsize, e_type, e_keylen, a_type, a_keylen, flags; - u_int32_t l_alloc; - u_int64_t l_bytes, l_addtime, l_usetime; - u_int32_t seq; - int line; - - if (safefile(lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], 1) == 0) - fp = fopen(lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], "r"); - else - fp = NULL; - if (fp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to open the backup file %s.\n", - lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]); - return -1; - } - - current = time(NULL); - - for(line = 1; fgets(buf, sizeof(buf), fp) != NULL; line++) { - /* comment line */ - if (buf[0] == '#') - continue; - - memset(&tm, 0, sizeof(tm)); - p = str2tmx(buf, &tm); - if (*p != '%') { - err: - plog(LLV_ERROR, LOCATION, NULL, - "illegal format line#%d in %s: %s\n", - line, lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], buf); - continue; - } - created = mktime(&tm); - p++; - - for (q = p; *q != '\0' && !isspace(*q); q++) - ; - *q = '\0'; - src = str2saddr(p, NULL); - if (src == NULL) - goto err; - p = q + 1; - - for (q = p; *q != '\0' && !isspace(*q); q++) - ; - *q = '\0'; - dst = str2saddr(p, NULL); - if (dst == NULL) { - racoon_free(src); - goto err; - } - p = q + 1; - -#define GETNEXTNUM(value, function) \ -do { \ - char *y; \ - for (q = p; *q != '\0' && !isspace(*q); q++) \ - ; \ - *q = '\0'; \ - (value) = function(p, &y, 10); \ - if ((value) == 0 && *y != '\0') \ - goto err; \ - p = q + 1; \ -} while (0); - - GETNEXTNUM(satype, strtoul); - GETNEXTNUM(spi, strtoul); - spi = ntohl(spi); - 
GETNEXTNUM(mode, strtoul); - GETNEXTNUM(reqid, strtoul); - GETNEXTNUM(wsize, strtoul); - GETNEXTNUM(e_type, strtoul); - GETNEXTNUM(e_keylen, strtoul); - GETNEXTNUM(a_type, strtoul); - GETNEXTNUM(a_keylen, strtoul); - GETNEXTNUM(flags, strtoul); - GETNEXTNUM(l_alloc, strtoul); - GETNEXTNUM(l_bytes, strtouq); - GETNEXTNUM(l_addtime, strtouq); - GETNEXTNUM(l_usetime, strtouq); - GETNEXTNUM(seq, strtoul); - -#undef GETNEXTNUM - - keymat = str2val(p, 16, &keymatlen); - if (keymat == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "illegal format(keymat) line#%d in %s: %s\n", - line, lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], buf); - racoon_free(src); - racoon_free(dst); - continue; - } - - if (created + l_addtime < current) { - plog(LLV_DEBUG, LOCATION, NULL, - "ignore this line#%d in %s due to expiration\n", - line, lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]); - racoon_free(src); - racoon_free(dst); - racoon_free(keymat); - continue; - } - l_addtime -= current - created; - - if (pfkey_send_add( - lcconf->sock_pfkey, - satype, - mode, - src, - dst, - spi, - reqid, - wsize, - keymat, - e_type, e_keylen, a_type, a_keylen, flags, - 0, l_bytes, l_addtime, 0, seq) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "restore SA filed line#%d in %s: %s\n", - line, lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], ipsec_strerror()); - } - racoon_free(src); - racoon_free(dst); - racoon_free(keymat); - } - - fclose(fp); - - /* - * There is a possibility that an abnormal system down will happen - * again before new negotiation will be started. so racoon clears - * the backup file here. it's ok that old SAs are remained in the - * file. any old SA will not be installed because racoon checks the - * lifetime and compare with current time. - */ - - return 0; -} - -int -backupsa_clean() -{ - FILE *fp; - - /* simply return if the file is not defined. 
*/ - if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]) - return 0; - - fp = fopen(lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], "w+"); - if (fp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to clean the backup file %s.\n", - lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]); - return -1; - } - fclose(fp); - return 0; -} - -/* - * convert fixed string into the tm structure. - * The fixed string is like 'Nov 24 18:22:48 1986'. - * static char *format = "%b %d %T %Y"; - */ -static char * -str2tmx(char *p, struct tm *tm) -{ - int i, len; - - /* Month */ - for (i = 0; i < sizeof(strmon)/sizeof(strmon[0]); i++) { - if (strncasecmp(p, strmon[i], strlen(strmon[i])) == 0) { - tm->tm_mon = i; - break; - } - } - if (i == sizeof(strmon)/sizeof(strmon[0])) - return 0; - p += strlen(strmon[i]); - if (*p++ != ' ') - return 0; - - /* Day */ - len = 2; - tm->tm_mday = str2num(p, len); - if (tm->tm_mday == -1 || tm->tm_mday > 31) - return 0; - p += len; - if (*p++ != ' ') - return 0; - - /* Hour */ - len = 2; - tm->tm_hour = str2num(p, len); - if (tm->tm_hour == -1 || tm->tm_hour > 24) - return 0; - p += len; - if (*p++ != ':') - return 0; - - /* Min */ - len = 2; - tm->tm_min = str2num(p, len); - if (tm->tm_min == -1 || tm->tm_min > 60) - return 0; - p += len; - if (*p++ != ':') - return 0; - - /* Sec */ - len = 2; - tm->tm_sec = str2num(p, len); - if (tm->tm_sec == -1 || tm->tm_sec > 60) - return 0; - p += len; - if (*p++ != ' ') - return 0; - - /* Year */ - len = 4; - tm->tm_year = str2num(p, len); - if (tm->tm_year == -1 || tm->tm_year < 1900) - return 0; - tm->tm_year -= 1900; - p += len; - - return p; -} - -static int -str2num(p, len) - char *p; - int len; -{ - int res, i; - - res = 0; - for (i = len; i > 0; i--) { - if (!isdigit(*p)) - return -1; - res *= 10; - res += *p - '0'; - p++; - } - - return res; -} - -#ifdef TEST -#include -int -main() -{ - struct tm tm; - time_t t; - char *buf = "Nov 24 18:22:48 1986 "; - char *p; - - memset(&tm, 0, sizeof(tm)); - p = str2tmx(buf, &tm); - 
printf("[%x]\n", *p); - t = mktime(&tm); - if (t == -1) - printf("mktime failed."); - p = ctime(&t); - printf("[%s]\n", p); - - exit(0); -} -#endif diff --git a/kame/kame/racoon/backupsa.h b/kame/kame/racoon/backupsa.h deleted file mode 100644 index c3b253355a..0000000000 --- a/kame/kame/racoon/backupsa.h +++ /dev/null 
@@ -1,37 +0,0 @@
-/* $KAME: backupsa.h,v 1.2 2001/01/31 05:38:44 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-extern int backupsa_to_file __P((u_int, u_int,
- struct sockaddr *, struct sockaddr *, u_int32_t, u_int32_t, u_int,
- caddr_t, u_int, u_int, u_int, u_int, u_int,
- u_int32_t, u_int64_t, u_int64_t, u_int64_t, u_int32_t));
-extern int backupsa_from_file __P((void));
-extern int backupsa_clean __P((void));
diff --git a/kame/kame/racoon/cfparse.y b/kame/kame/racoon/cfparse.y
deleted file mode 100644
index 6736d4dd0b..0000000000
--- a/kame/kame/racoon/cfparse.y
+++ /dev/null
@@ -1,1450 +0,0 @@
-/* $KAME: cfparse.y,v 1.121 2004/03/27 03:27:45 suz Exp $ */
-
-%{
-/*
- * Copyright (C) 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 and 2003 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include -#include -#include -#include - -#include -#include -#include - -#include -#include -#include -#include -#include -#if !defined(HAVE_GETADDRINFO) || !defined(HAVE_GETNAMEINFO) -#include "addrinfo.h" -#endif - -#include "var.h" -#include "misc.h" -#include "vmbuf.h" -#include "plog.h" -#include "sockmisc.h" -#include "str2val.h" -#include "debug.h" - -#include "cfparse_proto.h" -#include "cftoken_proto.h" -#include "algorithm.h" -#include "localconf.h" -#include "policy.h" -#include "sainfo.h" -#include "oakley.h" -#include "pfkey.h" -#include "remoteconf.h" -#include "grabmyaddr.h" -#include "isakmp_var.h" -#include "handler.h" -#include "isakmp.h" -#include "ipsec_doi.h" -#include "strnames.h" -#include "gcmalloc.h" -#ifdef HAVE_GSSAPI -#include "auth_gssapi.h" -#endif -#include "vendorid.h" - -struct proposalspec { - time_t lifetime; /* for isakmp/ipsec */ - int lifebyte; /* for isakmp/ipsec */ - struct secprotospec *spspec; /* the head is always current spec. */ - struct proposalspec *next; /* the tail is the most prefered. */ - struct proposalspec *prev; -}; - -struct secprotospec { - int prop_no; - int trns_no; - int strength; /* for isakmp/ipsec */ - int encklen; /* for isakmp/ipsec */ - time_t lifetime; /* for isakmp */ - int lifebyte; /* for isakmp */ - int proto_id; /* for ipsec (isakmp?) */ - int ipsec_level; /* for ipsec */ - int encmode; /* for ipsec */ - int vendorid; /* for isakmp */ - char *gssid; - struct sockaddr *remote; - int algclass[MAXALGCLASS]; - - struct secprotospec *next; /* the tail is the most prefiered. 
*/ - struct secprotospec *prev; - struct proposalspec *back; -}; - -static int num2dhgroup[] = { - 0, - OAKLEY_ATTR_GRP_DESC_MODP768, - OAKLEY_ATTR_GRP_DESC_MODP1024, - OAKLEY_ATTR_GRP_DESC_EC2N155, - OAKLEY_ATTR_GRP_DESC_EC2N185, - OAKLEY_ATTR_GRP_DESC_MODP1536, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - 0, - OAKLEY_ATTR_GRP_DESC_MODP2048, - OAKLEY_ATTR_GRP_DESC_MODP3072, - OAKLEY_ATTR_GRP_DESC_MODP4096, - OAKLEY_ATTR_GRP_DESC_MODP6144, - OAKLEY_ATTR_GRP_DESC_MODP8192 -}; - -static struct remoteconf *cur_rmconf; -static int tmpalgtype[MAXALGCLASS]; -static struct sainfo *cur_sainfo; -static int cur_algclass; - -static struct proposalspec *prhead; /* the head is always current. */ - -static struct proposalspec *newprspec __P((void)); -static void cleanprhead __P((void)); -static void insprspec __P((struct proposalspec *, struct proposalspec **)); -static struct secprotospec *newspspec __P((void)); -static void insspspec __P((struct secprotospec *, struct proposalspec **)); - -static int set_isakmp_proposal - __P((struct remoteconf *, struct proposalspec *)); -static void clean_tmpalgtype __P((void)); -static int expand_isakmpspec __P((int, int, int *, - int, int, time_t, int, int, int, char *, struct remoteconf *)); - -#if 0 -static int fix_lifebyte __P((u_long)); -#endif -%} - -%union { - unsigned long num; - vchar_t *val; - struct remoteconf *rmconf; - struct sockaddr *saddr; - struct sainfoalg *alg; -} - - /* path */ -%token PATH PATHTYPE - /* include */ -%token INCLUDE - /* self information */ -%token IDENTIFIER VENDORID - /* logging */ -%token LOGGING LOGLEV - /* padding */ -%token PADDING PAD_RANDOMIZE PAD_RANDOMIZELEN PAD_MAXLEN PAD_STRICT PAD_EXCLTAIL - /* listen */ -%token LISTEN X_ISAKMP X_ADMIN STRICT_ADDRESS - /* timer */ -%token RETRY RETRY_COUNTER RETRY_INTERVAL RETRY_PERSEND -%token RETRY_PHASE1 RETRY_PHASE2 - /* algorithm */ -%token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE - /* sainfo */ -%token SAINFO FROM - /* remote */ -%token REMOTE ANONYMOUS 
-%token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE -%token CERTIFICATE_TYPE CERTTYPE PEERS_CERTFILE VERIFY_CERT SEND_CERT SEND_CR -%token IDENTIFIERTYPE MY_IDENTIFIER PEERS_IDENTIFIER VERIFY_IDENTIFIER -%token DNSSEC CERT_X509 -%token NONCE_SIZE DH_GROUP KEEPALIVE PASSIVE INITIAL_CONTACT -%token PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL -%token GENERATE_POLICY SUPPORT_PROXY -%token PROPOSAL -%token EXEC_PATH EXEC_COMMAND EXEC_SUCCESS EXEC_FAILURE -%token GSSAPI_ID -%token COMPLEX_BUNDLE - -%token PREFIX PORT PORTANY UL_PROTO ANY -%token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH - -%token NUMBER SWITCH BOOLEAN -%token HEXSTRING QUOTEDSTRING ADDRSTRING -%token UNITTYPE_BYTE UNITTYPE_KBYTES UNITTYPE_MBYTES UNITTYPE_TBYTES -%token UNITTYPE_SEC UNITTYPE_MIN UNITTYPE_HOUR -%token EOS BOC EOC COMMA - -%type NUMBER BOOLEAN SWITCH keylength -%type PATHTYPE IDENTIFIERTYPE LOGLEV -%type ALGORITHM_CLASS dh_group_num -%type ALGORITHMTYPE STRENGTHTYPE -%type PREFIX prefix PORT port ike_port -%type ul_proto UL_PROTO -%type EXCHANGETYPE DOITYPE SITUATIONTYPE -%type CERTTYPE CERT_X509 PROPOSAL_CHECK_LEVEL -%type unittype_time unittype_byte -%type QUOTEDSTRING HEXSTRING ADDRSTRING sainfo_id -%type identifierstring -%type remote_index ike_addrinfo_port -%type algorithm - -%% - -statements - : /* nothing */ - | statements statement - ; -statement - : path_statement - | include_statement - | identifier_statement - | logging_statement - | padding_statement - | listen_statement - | timer_statement - | sainfo_statement - | remote_statement - | special_statement - ; - - /* path */ -path_statement - : PATH PATHTYPE QUOTEDSTRING - { - if ($2 > LC_PATHTYPE_MAX) { - yyerror("invalid path type %d", $2); - return -1; - } - - /* free old pathinfo */ - if (lcconf->pathinfo[$2]) - racoon_free(lcconf->pathinfo[$2]); - - /* set new pathinfo */ - lcconf->pathinfo[$2] = strdup($3->v); - vfree($3); - } - EOS - ; - - /* special */ -special_statement - : COMPLEX_BUNDLE SWITCH { 
lcconf->complex_bundle = $2; } EOS - ; - - /* include */ -include_statement - : INCLUDE QUOTEDSTRING EOS - { - char path[MAXPATHLEN]; - - getpathname(path, sizeof(path), - LC_PATHTYPE_INCLUDE, $2->v); - vfree($2); - if (yycf_switch_buffer(path) != 0) - return -1; - } - ; - - /* self infomation */ -identifier_statement - : IDENTIFIER identifier_stmt - ; -identifier_stmt - : VENDORID - { - /*XXX to be deleted */ - } - QUOTEDSTRING EOS - | IDENTIFIERTYPE QUOTEDSTRING - { - /*XXX to be deleted */ - $2->l--; /* nuke '\0' */ - lcconf->ident[$1] = $2; - if (lcconf->ident[$1] == NULL) { - yyerror("failed to set my ident: %s", - strerror(errno)); - return -1; - } - } - EOS - ; - - /* logging */ -logging_statement - : LOGGING log_level EOS - ; -log_level - : HEXSTRING - { - /* - * XXX ignore it because this specification - * will be obsoleted. - */ - yywarn("see racoon.conf(5), such a log specification will be obsoleted."); - vfree($1); - } - | LOGLEV - { - /* - * set the loglevel by configuration file only when - * the command line did not specify any loglevel. 
- */ - if (loglevel <= LLV_BASE) - loglevel += $1; - } - ; - - /* padding */ -padding_statement - : PADDING BOC padding_stmts EOC - ; -padding_stmts - : /* nothing */ - | padding_stmts padding_stmt - ; -padding_stmt - : PAD_RANDOMIZE SWITCH { lcconf->pad_random = $2; } EOS - | PAD_RANDOMIZELEN SWITCH { lcconf->pad_randomlen = $2; } EOS - | PAD_MAXLEN NUMBER { lcconf->pad_maxsize = $2; } EOS - | PAD_STRICT SWITCH { lcconf->pad_strict = $2; } EOS - | PAD_EXCLTAIL SWITCH { lcconf->pad_excltail = $2; } EOS - ; - - /* listen */ -listen_statement - : LISTEN BOC listen_stmts EOC - ; -listen_stmts - : /* nothing */ - | listen_stmts listen_stmt - ; -listen_stmt - : X_ISAKMP ike_addrinfo_port - { - struct myaddrs *p; - - p = newmyaddr(); - if (p == NULL) { - yyerror("failed to allocate myaddrs"); - return -1; - } - p->addr = $2; - if (p->addr == NULL) { - yyerror("failed to copy sockaddr "); - delmyaddr(p); - return -1; - } - - insmyaddr(p, &lcconf->myaddrs); - - lcconf->autograbaddr = 0; - } - EOS - | X_ADMIN - { - yyerror("admin directive is obsoleted."); - } - PORT EOS - | STRICT_ADDRESS { lcconf->strict_address = TRUE; } EOS - ; -ike_addrinfo_port - : ADDRSTRING ike_port - { - char portbuf[10]; - - snprintf(portbuf, sizeof(portbuf), "%ld", $2); - $$ = str2saddr($1->v, portbuf); - vfree($1); - if (!$$) - return -1; - } - ; -ike_port - : /* nothing */ { $$ = PORT_ISAKMP; } - | PORT { $$ = $1; } - ; - - /* timer */ -timer_statement - : RETRY BOC timer_stmts EOC - ; -timer_stmts - : /* nothing */ - | timer_stmts timer_stmt - ; -timer_stmt - : RETRY_COUNTER NUMBER - { - lcconf->retry_counter = $2; - } - EOS - | RETRY_INTERVAL NUMBER unittype_time - { - lcconf->retry_interval = $2 * $3; - } - EOS - | RETRY_PERSEND NUMBER - { - lcconf->count_persend = $2; - } - EOS - | RETRY_PHASE1 NUMBER unittype_time - { - lcconf->retry_checkph1 = $2 * $3; - } - EOS - | RETRY_PHASE2 NUMBER unittype_time - { - lcconf->wait_ph2complete = $2 * $3; - } - EOS - ; - - /* sainfo */ -sainfo_statement 
- : SAINFO - { - cur_sainfo = newsainfo(); - if (cur_sainfo == NULL) { - yyerror("failed to allocate sainfo"); - return -1; - } - } - sainfo_name sainfo_peer BOC sainfo_specs - { - struct sainfo *check; - - /* default */ - if (cur_sainfo->algs[algclass_ipsec_enc] == 0) { - yyerror("no encryption algorithm at %s", - sainfo2str(cur_sainfo)); - return -1; - } - if (cur_sainfo->algs[algclass_ipsec_auth] == 0) { - yyerror("no authentication algorithm at %s", - sainfo2str(cur_sainfo)); - return -1; - } - if (cur_sainfo->algs[algclass_ipsec_comp] == 0) { - yyerror("no compression algorithm at %s", - sainfo2str(cur_sainfo)); - return -1; - } - - /* duplicate check */ - check = getsainfo(cur_sainfo->idsrc, - cur_sainfo->iddst, - cur_sainfo->id_i); - if (check && (!check->idsrc && !cur_sainfo->idsrc)) { - yyerror("duplicated sainfo: %s", - sainfo2str(cur_sainfo)); - return -1; - } - inssainfo(cur_sainfo); - } - EOC - ; -sainfo_name - : ANONYMOUS - { - cur_sainfo->idsrc = NULL; - cur_sainfo->iddst = NULL; - } - | sainfo_id sainfo_id - { - cur_sainfo->idsrc = $1; - cur_sainfo->iddst = $2; - } - ; -sainfo_id - : IDENTIFIERTYPE ADDRSTRING prefix port ul_proto - { - char portbuf[10]; - struct sockaddr *saddr; - - if (($5 == IPPROTO_ICMP || $5 == IPPROTO_ICMPV6) - && ($4 != IPSEC_PORT_ANY || $4 != IPSEC_PORT_ANY)) { - yyerror("port number must be \"any\"."); - return -1; - } - - snprintf(portbuf, sizeof(portbuf), "%lu", $4); - saddr = str2saddr($2->v, portbuf); - vfree($2); - if (saddr == NULL) - return -1; - - switch (saddr->sa_family) { - case AF_INET: - if ($5 == IPPROTO_ICMPV6) { - yyerror("upper layer protocol mismatched.\n"); - racoon_free(saddr); - return -1; - } - $$ = ipsecdoi_sockaddr2id(saddr, - $3 == ~0 ? (sizeof(struct in_addr) << 3): $3, - $5); - break; -#ifdef INET6 - case AF_INET6: - if ($5 == IPPROTO_ICMP) { - yyerror("upper layer protocol mismatched.\n"); - racoon_free(saddr); - return -1; - } - $$ = ipsecdoi_sockaddr2id(saddr, - $3 == ~0 ? 
(sizeof(struct in6_addr) << 3) : $3, - $5); - break; -#endif - default: - yyerror("invalid family: %d", saddr->sa_family); - break; - } - racoon_free(saddr); - if ($$ == NULL) - return -1; - } - | IDENTIFIERTYPE QUOTEDSTRING - { - struct ipsecdoi_id_b *id_b; - - if ($1 == IDTYPE_ASN1DN) { - yyerror("id type forbidden: %d", $1); - return -1; - } - - $2->l--; - - $$ = vmalloc(sizeof(*id_b) + $2->l); - if ($$ == NULL) { - yyerror("failed to allocate identifier"); - return -1; - } - - id_b = (struct ipsecdoi_id_b *)$$->v; - id_b->type = idtype2doi($1); - - id_b->proto_id = 0; - id_b->port = 0; - - memcpy($$->v + sizeof(*id_b), $2->v, $2->l); - } - ; -sainfo_peer - : /* nothing */ - { - cur_sainfo->id_i = NULL; - } - - | FROM IDENTIFIERTYPE identifierstring - { - struct ipsecdoi_id_b *id_b; - vchar_t *idv; - - if (set_identifier(&idv, $2, $3) != 0) { - yyerror("failed to set identifer.\n"); - return -1; - } - cur_sainfo->id_i = vmalloc(sizeof(*id_b) + idv->l); - if (cur_sainfo->id_i == NULL) { - yyerror("failed to allocate identifier"); - return -1; - } - - id_b = (struct ipsecdoi_id_b *)cur_sainfo->id_i->v; - id_b->type = idtype2doi($2); - - id_b->proto_id = 0; - id_b->port = 0; - - memcpy(cur_sainfo->id_i->v + sizeof(*id_b), - idv->v, idv->l); - vfree(idv); - } - ; -sainfo_specs - : /* nothing */ - | sainfo_specs sainfo_spec - ; -sainfo_spec - : PFS_GROUP dh_group_num - { - cur_sainfo->pfs_group = $2; - } - EOS - | LIFETIME LIFETYPE_TIME NUMBER unittype_time - { - cur_sainfo->lifetime = $3 * $4; - } - EOS - | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte - { -#if 1 - yyerror("byte lifetime support is deprecated"); - return -1; -#else - cur_sainfo->lifebyte = fix_lifebyte($3 * $4); - if (cur_sainfo->lifebyte == 0) - return -1; -#endif - } - EOS - | ALGORITHM_CLASS { - cur_algclass = $1; - } - algorithms EOS - | IDENTIFIER IDENTIFIERTYPE - { - yyerror("it's deprecated to specify a identifier in phase 2"); - } - EOS - | MY_IDENTIFIER IDENTIFIERTYPE QUOTEDSTRING - { - 
yyerror("it's deprecated to specify a identifier in phase 2"); - } - EOS - ; - -algorithms - : algorithm - { - inssainfoalg(&cur_sainfo->algs[cur_algclass], $1); - } - | algorithm - { - inssainfoalg(&cur_sainfo->algs[cur_algclass], $1); - } - COMMA algorithms - ; -algorithm - : ALGORITHMTYPE keylength - { - int defklen; - - $$ = newsainfoalg(); - if ($$ == NULL) { - yyerror("failed to get algorithm allocation"); - return -1; - } - - $$->alg = algtype2doi(cur_algclass, $1); - if ($$->alg == -1) { - yyerror("algorithm mismatched"); - racoon_free($$); - return -1; - } - - defklen = default_keylen(cur_algclass, $1); - if (defklen == 0) { - if ($2) { - yyerror("keylen not allowed"); - racoon_free($$); - return -1; - } - } else { - if ($2 && check_keylen(cur_algclass, $1, $2) < 0) { - yyerror("invalid keylen %d", $2); - racoon_free($$); - return -1; - } - } - - if ($2) - $$->encklen = $2; - else - $$->encklen = defklen; - - /* check if it's supported algorithm by kernel */ - if (!(cur_algclass == algclass_ipsec_auth && $1 == algtype_non_auth) - && pk_checkalg(cur_algclass, $1, $$->encklen)) { - int a = algclass2doi(cur_algclass); - int b = algtype2doi(cur_algclass, $1); - if (a == IPSECDOI_ATTR_AUTH) - a = IPSECDOI_PROTO_IPSEC_AH; - yyerror("algorithm %s not supported", - s_ipsecdoi_trns(a, b)); - racoon_free($$); - return -1; - } - } - ; -prefix - : /* nothing */ { $$ = ~0; } - | PREFIX { $$ = $1; } - ; -port - : /* nothing */ { $$ = IPSEC_PORT_ANY; } - | PORT { $$ = $1; } - | PORTANY { $$ = IPSEC_PORT_ANY; } - ; -ul_proto - : NUMBER { $$ = $1; } - | UL_PROTO { $$ = $1; } - | ANY { $$ = IPSEC_ULPROTO_ANY; } - ; -keylength - : /* nothing */ { $$ = 0; } - | NUMBER { $$ = $1; } - ; - - /* remote */ -remote_statement - : REMOTE remote_index - { - struct remoteconf *new; - struct proposalspec *prspec; - - new = newrmconf(); - if (new == NULL) { - yyerror("failed to get new remoteconf."); - return -1; - } - - new->remote = $2; - cur_rmconf = new; - - prspec = newprspec(); - 
if (prspec == NULL) - return -1; - prspec->lifetime = oakley_get_defaultlifetime(); - insprspec(prspec, &prhead); - } - BOC remote_specs - { - /* check a exchange mode */ - if (cur_rmconf->etypes == NULL) { - yyerror("no exchange mode specified.\n"); - return -1; - } - - if (cur_rmconf->idvtype == IDTYPE_ASN1DN - && cur_rmconf->mycertfile == NULL) { - yyerror("id type mismatched due to " - "no CERT defined.\n"); - return -1; - } - - if (set_isakmp_proposal(cur_rmconf, prhead) != 0) - return -1; - - /* DH group settting if aggressive mode is there. */ - if (check_etypeok(cur_rmconf, ISAKMP_ETYPE_AGG) != NULL) { - struct isakmpsa *p; - int b = 0; - - /* DH group */ - for (p = cur_rmconf->proposal; p; p = p->next) { - if (b == 0 || (b && b == p->dh_group)) { - b = p->dh_group; - continue; - } - yyerror("DH group must be equal " - "to each proposals's " - "when aggressive mode is " - "used.\n"); - return -1; - } - cur_rmconf->dh_group = b; - - if (cur_rmconf->dh_group == 0) { - yyerror("DH group must be required.\n"); - return -1; - } - - /* DH group settting if PFS is required. 
*/ - if (oakley_setdhgroup(cur_rmconf->dh_group, - &cur_rmconf->dhgrp) < 0) { - yyerror("failed to set DH value.\n"); - return -1; - } - } - - insrmconf(cur_rmconf); - - cleanprhead(); - } - EOC - ; -remote_index - : ANONYMOUS ike_port - { - $$ = newsaddr(sizeof(struct sockaddr *)); - $$->sa_family = AF_UNSPEC; - ((struct sockaddr_in *)$$)->sin_port = htons($2); - } - | ike_addrinfo_port - { - $$ = $1; - if ($$ == NULL) { - yyerror("failed to allocate sockaddr"); - return -1; - } - } - ; -remote_specs - : /* nothing */ - | remote_specs remote_spec - ; -remote_spec - : EXCHANGE_MODE exchange_types EOS - | DOI DOITYPE { cur_rmconf->doitype = $2; } EOS - | SITUATION SITUATIONTYPE { cur_rmconf->sittype = $2; } EOS - | CERTIFICATE_TYPE cert_spec - | PEERS_CERTFILE QUOTEDSTRING - { -#ifdef HAVE_SIGNING_C - cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE; - cur_rmconf->peerscertfile = strdup($2->v); - vfree($2); -#else - yyerror("directive not supported"); - return -1; -#endif - } - EOS - | PEERS_CERTFILE DNSSEC - { -#ifdef HAVE_SIGNING_C - cur_rmconf->getcert_method = ISAKMP_GETCERT_DNS; - cur_rmconf->peerscertfile = NULL; -#else - yyerror("directive not supported"); - return -1; -#endif - } - EOS - | VERIFY_CERT SWITCH { cur_rmconf->verify_cert = $2; } EOS - | SEND_CERT SWITCH { cur_rmconf->send_cert = $2; } EOS - | SEND_CR SWITCH { cur_rmconf->send_cr = $2; } EOS - | IDENTIFIER IDENTIFIERTYPE - { - /*XXX to be deleted */ - cur_rmconf->idvtype = $2; - } - EOS - | MY_IDENTIFIER IDENTIFIERTYPE identifierstring - { - if (set_identifier(&cur_rmconf->idv, $2, $3) != 0) { - yyerror("failed to set identifer.\n"); - return -1; - } - cur_rmconf->idvtype = $2; - } - EOS - | PEERS_IDENTIFIER IDENTIFIERTYPE identifierstring - { - if (set_identifier(&cur_rmconf->idv_p, $2, $3) != 0) { - yyerror("failed to set identifer.\n"); - return -1; - } - cur_rmconf->idvtype_p = $2; - } - EOS - | VERIFY_IDENTIFIER SWITCH { cur_rmconf->verify_identifier = $2; } EOS - | NONCE_SIZE NUMBER { 
cur_rmconf->nonce_size = $2; } EOS - | DH_GROUP - { - yyerror("dh_group cannot be defined here."); - return -1; - } - dh_group_num EOS - | KEEPALIVE { cur_rmconf->keepalive = TRUE; } EOS - | PASSIVE SWITCH { cur_rmconf->passive = $2; } EOS - | GENERATE_POLICY SWITCH { cur_rmconf->gen_policy = $2; } EOS - | SUPPORT_PROXY SWITCH { cur_rmconf->support_proxy = $2; } EOS - | INITIAL_CONTACT SWITCH { cur_rmconf->ini_contact = $2; } EOS - | PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL { cur_rmconf->pcheck_level = $2; } EOS - | LIFETIME LIFETYPE_TIME NUMBER unittype_time - { - prhead->lifetime = $3 * $4; - } - EOS - | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte - { -#if 1 - yyerror("byte lifetime support is deprecated"); - return -1; -#else - yywarn("the lifetime of bytes in phase 1 " - "will be ignored at the moment."); - prhead->lifebyte = fix_lifebyte($3 * $4); - if (prhead->lifebyte == 0) - return -1; -#endif - } - EOS - | PROPOSAL - { - struct secprotospec *spspec; - - spspec = newspspec(); - if (spspec == NULL) - return -1; - insspspec(spspec, &prhead); - } - BOC isakmpproposal_specs EOC - ; -exchange_types - : /* nothing */ - | exchange_types EXCHANGETYPE - { - struct etypes *new; - new = racoon_malloc(sizeof(struct etypes)); - if (new == NULL) { - yyerror("filed to allocate etypes"); - return -1; - } - new->type = $2; - new->next = NULL; - if (cur_rmconf->etypes == NULL) - cur_rmconf->etypes = new; - else { - struct etypes *p; - for (p = cur_rmconf->etypes; - p->next != NULL; - p = p->next) - ; - p->next = new; - } - } - ; -cert_spec - : CERT_X509 QUOTEDSTRING QUOTEDSTRING - { -#ifdef HAVE_SIGNING_C - cur_rmconf->certtype = $1; - cur_rmconf->mycertfile = strdup($2->v); - vfree($2); - cur_rmconf->myprivfile = strdup($3->v); - vfree($3); -#else - yyerror("directive not supported"); - return -1; -#endif - } - EOS - ; -dh_group_num - : ALGORITHMTYPE - { - $$ = algtype2doi(algclass_isakmp_dh, $1); - if ($$ == -1) { - yyerror("must be DH group"); - return -1; - } - } - | NUMBER - 
{ - if (ARRAYLEN(num2dhgroup) > $1 && num2dhgroup[$1] != 0) { - $$ = num2dhgroup[$1]; - } else { - yyerror("must be DH group"); - return -1; - } - } - ; -identifierstring - : /* nothing */ { $$ = NULL; } - | ADDRSTRING { $$ = $1; } - | QUOTEDSTRING { $$ = $1; } - ; -isakmpproposal_specs - : /* nothing */ - | isakmpproposal_specs isakmpproposal_spec - ; -isakmpproposal_spec - : STRENGTH - { - yyerror("strength directive is obsoleted."); - } STRENGTHTYPE EOS - | LIFETIME LIFETYPE_TIME NUMBER unittype_time - { - prhead->spspec->lifetime = $3 * $4; - } - EOS - | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte - { -#if 1 - yyerror("byte lifetime support is deprecated"); - return -1; -#else - prhead->spspec->lifebyte = fix_lifebyte($3 * $4); - if (prhead->spspec->lifebyte == 0) - return -1; -#endif - } - EOS - | DH_GROUP dh_group_num - { - prhead->spspec->algclass[algclass_isakmp_dh] = $2; - } - EOS - | GSSAPI_ID QUOTEDSTRING - { - if (prhead->spspec->vendorid != VENDORID_GSSAPI) { - yyerror("wrong Vendor ID for gssapi_id"); - return -1; - } - prhead->spspec->gssid = strdup($2->v); - } - EOS - | ALGORITHM_CLASS ALGORITHMTYPE keylength - { - int doi; - int defklen; - - doi = algtype2doi($1, $2); - if (doi == -1) { - yyerror("algorithm mismatched 1"); - return -1; - } - - switch ($1) { - case algclass_isakmp_enc: - /* reject suppressed algorithms */ -#ifndef HAVE_OPENSSL_RC5_H - if ($2 == algtype_rc5) { - yyerror("algorithm %s not supported", - s_attr_isakmp_enc(doi)); - return -1; - } -#endif -#ifndef HAVE_OPENSSL_IDEA_H - if ($2 == algtype_idea) { - yyerror("algorithm %s not supported", - s_attr_isakmp_enc(doi)); - return -1; - } -#endif - - prhead->spspec->algclass[algclass_isakmp_enc] = doi; - defklen = default_keylen($1, $2); - if (defklen == 0) { - if ($3) { - yyerror("keylen not allowed"); - return -1; - } - } else { - if ($3 && check_keylen($1, $2, $3) < 0) { - yyerror("invalid keylen %d", $3); - return -1; - } - } - if ($3) - prhead->spspec->encklen = $3; - else - 
prhead->spspec->encklen = defklen; - break; - case algclass_isakmp_hash: - prhead->spspec->algclass[algclass_isakmp_hash] = doi; - break; - case algclass_isakmp_ameth: - prhead->spspec->algclass[algclass_isakmp_ameth] = doi; - /* - * We may have to set the Vendor ID for the - * authentication method we're using. - */ - switch ($2) { - case algtype_gssapikrb: - if (prhead->spspec->vendorid != - VENDORID_UNKNOWN) { - yyerror("Vendor ID mismatch " - "for auth method"); - return -1; - } - /* - * For interoperability with Win2k, - * we set the Vendor ID to "GSSAPI". - */ - prhead->spspec->vendorid = - VENDORID_GSSAPI; - break; - default: - break; - } - break; - default: - yyerror("algorithm mismatched 2"); - return -1; - } - } - EOS - ; - -unittype_time - : UNITTYPE_SEC { $$ = 1; } - | UNITTYPE_MIN { $$ = 60; } - | UNITTYPE_HOUR { $$ = (60 * 60); } - ; -unittype_byte - : UNITTYPE_BYTE { $$ = 1; } - | UNITTYPE_KBYTES { $$ = 1024; } - | UNITTYPE_MBYTES { $$ = (1024 * 1024); } - | UNITTYPE_TBYTES { $$ = (1024 * 1024 * 1024); } - ; -%% - -static struct proposalspec * -newprspec() -{ - struct proposalspec *new; - - new = racoon_calloc(1, sizeof(*new)); - if (new == NULL) - yyerror("failed to allocate proposal"); - - return new; -} - -static void -cleanprhead() -{ - struct proposalspec *p, *next; - - if (prhead == NULL) - return; - - for (p = prhead; p != NULL; p = next) { - next = p->next; - racoon_free(p); - } - - prhead = NULL; -} - -/* - * insert into head of list. - */ -static void -insprspec(prspec, head) - struct proposalspec *prspec; - struct proposalspec **head; -{ - if (*head != NULL) - (*head)->prev = prspec; - prspec->next = *head; - *head = prspec; -} - -static struct secprotospec * -newspspec() -{ - struct secprotospec *new; - - new = racoon_calloc(1, sizeof(*new)); - if (new == NULL) { - yyerror("failed to allocate spproto"); - return NULL; - } - - new->encklen = 0; /*XXX*/ - - /* - * Default to "uknown" vendor -- we will override this - * as necessary. 
When we send a Vendor ID payload, an - * "unknown" will be translated to a KAME/racoon ID. - */ - new->vendorid = VENDORID_UNKNOWN; - - return new; -} - -/* - * insert into head of list. - */ -static void -insspspec(spspec, head) - struct secprotospec *spspec; - struct proposalspec **head; -{ - spspec->back = *head; - - if ((*head)->spspec != NULL) - (*head)->spspec->prev = spspec; - spspec->next = (*head)->spspec; - (*head)->spspec = spspec; -} - -/* set final acceptable proposal */ -static int -set_isakmp_proposal(rmconf, prspec) - struct remoteconf *rmconf; - struct proposalspec *prspec; -{ - struct proposalspec *p; - struct secprotospec *s; - int prop_no = 1; - int trns_no = 1; - u_int32_t types[MAXALGCLASS]; - - p = prspec; - if (p->next != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "multiple proposal definition.\n"); - return -1; - } - - /* mandatory check */ - if (p->spspec == NULL) { - yyerror("no remote specification found: %s.\n", - rm2str(rmconf)); - return -1; - } - for (s = p->spspec; s != NULL; s = s->next) { - /* XXX need more to check */ - if (s->algclass[algclass_isakmp_enc] == 0) { - yyerror("encryption algorithm required."); - return -1; - } - if (s->algclass[algclass_isakmp_hash] == 0) { - yyerror("hash algorithm required."); - return -1; - } - if (s->algclass[algclass_isakmp_dh] == 0) { - yyerror("DH group required."); - return -1; - } - if (s->algclass[algclass_isakmp_ameth] == 0) { - yyerror("authentication method required."); - return -1; - } - } - - /* skip to last part */ - for (s = p->spspec; s->next != NULL; s = s->next) - ; - - while (s != NULL) { - plog(LLV_DEBUG2, LOCATION, NULL, - "lifetime = %ld\n", (long) - (s->lifetime ? s->lifetime : p->lifetime)); - plog(LLV_DEBUG2, LOCATION, NULL, - "lifebyte = %d\n", - s->lifebyte ? 
s->lifebyte : p->lifebyte); - plog(LLV_DEBUG2, LOCATION, NULL, - "encklen=%d\n", s->encklen); - - memset(types, 0, ARRAYLEN(types)); - types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc]; - types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash]; - types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh]; - types[algclass_isakmp_ameth] = - s->algclass[algclass_isakmp_ameth]; - - /* expanding spspec */ - clean_tmpalgtype(); - trns_no = expand_isakmpspec(prop_no, trns_no, types, - algclass_isakmp_enc, algclass_isakmp_ameth + 1, - s->lifetime ? s->lifetime : p->lifetime, - s->lifebyte ? s->lifebyte : p->lifebyte, - s->encklen, s->vendorid, s->gssid, - rmconf); - if (trns_no == -1) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to expand isakmp proposal.\n"); - return -1; - } - - s = s->prev; - } - - if (rmconf->proposal == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "no proposal found.\n"); - return -1; - } - - return 0; -} - -static void -clean_tmpalgtype() -{ - int i; - for (i = 0; i < MAXALGCLASS; i++) - tmpalgtype[i] = 0; /* means algorithm undefined. */ -} - -static int -expand_isakmpspec(prop_no, trns_no, types, - class, last, lifetime, lifebyte, encklen, vendorid, gssid, - rmconf) - int prop_no, trns_no; - int *types, class, last; - time_t lifetime; - int lifebyte; - int encklen; - int vendorid; - char *gssid; - struct remoteconf *rmconf; -{ - struct isakmpsa *new; - - /* debugging */ - { - int j; - char tb[10]; - plog(LLV_DEBUG2, LOCATION, NULL, - "p:%d t:%d\n", prop_no, trns_no); - for (j = class; j < MAXALGCLASS; j++) { - snprintf(tb, sizeof(tb), "%d", types[j]); - plog(LLV_DEBUG2, LOCATION, NULL, - "%s%s%s%s\n", - s_algtype(j, types[j]), - types[j] ? "(" : "", - tb[0] == '0' ? "" : tb, - types[j] ? 
")" : ""); - } - plog(LLV_DEBUG2, LOCATION, NULL, "\n"); - } - -#define TMPALGTYPE2STR(n) \ - s_algtype(algclass_isakmp_##n, types[algclass_isakmp_##n]) - /* check mandatory values */ - if (types[algclass_isakmp_enc] == 0 - || types[algclass_isakmp_ameth] == 0 - || types[algclass_isakmp_hash] == 0 - || types[algclass_isakmp_dh] == 0) { - yyerror("few definition of algorithm " - "enc=%s ameth=%s hash=%s dhgroup=%s.\n", - TMPALGTYPE2STR(enc), - TMPALGTYPE2STR(ameth), - TMPALGTYPE2STR(hash), - TMPALGTYPE2STR(dh)); - return -1; - } -#undef TMPALGTYPE2STR - - /* set new sa */ - new = newisakmpsa(); - if (new == NULL) { - yyerror("failed to allocate isakmp sa"); - return -1; - } - new->prop_no = prop_no; - new->trns_no = trns_no++; - new->lifetime = lifetime; - new->lifebyte = lifebyte; - new->enctype = types[algclass_isakmp_enc]; - new->encklen = encklen; - new->authmethod = types[algclass_isakmp_ameth]; - new->hashtype = types[algclass_isakmp_hash]; - new->dh_group = types[algclass_isakmp_dh]; - new->vendorid = vendorid; -#ifdef HAVE_GSSAPI - if (gssid != NULL) { - new->gssid = vmalloc(strlen(gssid) + 1); - memcpy(new->gssid->v, gssid, new->gssid->l); - racoon_free(gssid); - } else - new->gssid = NULL; -#endif - insisakmpsa(new, rmconf); - - return trns_no; -} - -#if 0 -/* - * fix lifebyte. - * Must be more than 1024B because its unit is kilobytes. - * That is defined RFC2407. 
- */
-static int
-fix_lifebyte(t)
- unsigned long t;
-{
- if (t < 1024) {
- yyerror("byte size should be more than 1024B.");
- return 0;
- }
-
- return(t / 1024);
-}
-#endif
-
-int
-cfparse()
-{
- int error;
-
- yycf_init_buffer();
-
- if (yycf_switch_buffer(lcconf->racoon_conf) != 0)
- return -1;
-
- prhead = NULL;
-
- error = yyparse();
- if (error != 0) {
- if (yyerrorcount) {
- plog(LLV_ERROR, LOCATION, NULL,
- "fatal parse failure (%d errors)\n",
- yyerrorcount);
- } else {
- plog(LLV_ERROR, LOCATION, NULL,
- "fatal parse failure.\n");
- }
- return -1;
- }
-
- if (error == 0 && yyerrorcount) {
- plog(LLV_ERROR, LOCATION, NULL,
- "parse error is nothing, but yyerrorcount is %d.\n",
- yyerrorcount);
- exit(1);
- }
-
- yycf_clean_buffer();
-
- plog(LLV_DEBUG2, LOCATION, NULL, "parse successed.\n");
-
- return 0;
-}
-
-int
-cfreparse()
-{
- flushph2();
- flushph1();
- flushrmconf();
- cleanprhead();
- flushsainfo();
- clean_tmpalgtype();
- yycf_init_buffer();
-
- if (yycf_switch_buffer(lcconf->racoon_conf) != 0)
- return -1;
-
- return(cfparse());
-}
-
diff --git a/kame/kame/racoon/cfparse_proto.h b/kame/kame/racoon/cfparse_proto.h
deleted file mode 100644
index 8868a1a00b..0000000000
--- a/kame/kame/racoon/cfparse_proto.h
+++ /dev/null
@@ -1,35 +0,0 @@
-/* $KAME: cfparse_proto.h,v 1.1 2002/09/27 05:55:52 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* cfparse.y */
-extern int yyparse __P((void));
-extern int cfparse __P((void));
-extern int cfreparse __P((void));
diff --git a/kame/kame/racoon/cftoken.l b/kame/kame/racoon/cftoken.l
deleted file mode 100644
index 5622fe77f7..0000000000
--- a/kame/kame/racoon/cftoken.l
+++ /dev/null
@@ -1,607 +0,0 @@
-/* $KAME: cftoken.l,v 1.73 2003/10/21 07:18:03 itojun Exp $ */
-
-%{
-/*
- * Copyright (C) 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 and 2003 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include -#include -#include - -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#ifdef HAVE_STDARG_H -#include -#else -#include -#endif - -#include "var.h" -#include "misc.h" -#include "vmbuf.h" -#include "plog.h" -#include "debug.h" - -#include "algorithm.h" -#include "cfparse_proto.h" -#include "cftoken_proto.h" -#include "localconf.h" -#include "oakley.h" -#include "isakmp_var.h" -#include "isakmp.h" -#include "ipsec_doi.h" -#include "proposal.h" -#ifdef GC -#include "gcmalloc.h" -#endif - -#ifdef HAVE_CFPARSE_H -#include "cfparse.h" -#else -#include "y.tab.h" -#endif - -int yyerrorcount = 0; - -#if defined(YIPS_DEBUG) -# define YYDB plog(LLV_DEBUG2, LOCATION, NULL, \ - "begin <%d>%s\n", yy_start, yytext); -# define YYD { \ - plog(LLV_DEBUG2, LOCATION, NULL, "<%d>%s", \ - yy_start, loglevel >= LLV_DEBUG2 ? "\n" : ""); \ -} -#else -# define YYDB -# define YYD -#endif /* defined(YIPS_DEBUG) */ - -#define MAX_INCLUDE_DEPTH 10 - -static struct include_stack { - char *path; - FILE *fp; - YY_BUFFER_STATE prevstate; - int lineno; - glob_t matches; - int matchon; -} incstack[MAX_INCLUDE_DEPTH]; -static int incstackp = 0; - -static int yy_first_time = 1; -%} - -/* common seciton */ -nl \n -ws [ \t]+ -digit [0-9] -letter [A-Za-z] -hexdigit [0-9A-Fa-f] -/*octet (([01]?{digit}?{digit})|((2([0-4]{digit}))|(25[0-5]))) */ -special [()+\|\?\*] -comma \, -dot \. 
-slash \/ -bcl \{ -ecl \} -blcl \[ -elcl \] -percent \% -semi \; -comment \#.* -ccomment "/*" -bracketstring \<[^>]*\> -quotedstring \"[^"]*\" -addrstring [a-fA-F0-9:]([a-fA-F0-9:\.]*|[a-fA-F0-9:\.]*%[a-zA-Z0-9]*) -decstring {digit}+ -hexstring 0x{hexdigit}+ - -%s S_INI S_PTH S_INF S_LOG S_PAD S_LST S_RTRY -%s S_ALGST S_ALGCL -%s S_SAINF S_SAINFS -%s S_RMT S_RMTS S_RMTP -%s S_SA - -%% -%{ - if (yy_first_time) { - BEGIN S_INI; - yy_first_time = 0; - } -%} - - /* path */ -path { BEGIN S_PTH; YYDB; return(PATH); } -include { YYD; yylval.num = LC_PATHTYPE_INCLUDE; - return(PATHTYPE); } -pre_shared_key { YYD; yylval.num = LC_PATHTYPE_PSK; - return(PATHTYPE); } -certificate { YYD; yylval.num = LC_PATHTYPE_CERT; - return(PATHTYPE); } -backupsa { YYD; yylval.num = LC_PATHTYPE_BACKUPSA; - return(PATHTYPE); } -{semi} { BEGIN S_INI; YYDB; return(EOS); } - - /* include */ -include { YYDB; return(INCLUDE); } - - /* self information */ -identifier { BEGIN S_INF; YYDB; yywarn("it is obsoleted. use \"my_identifier\" in each remote directives."); return(IDENTIFIER); } -{semi} { BEGIN S_INI; return(EOS); } - - /* special */ -complex_bundle { YYDB; return(COMPLEX_BUNDLE); } - - /* logging */ -log { BEGIN S_LOG; YYDB; return(LOGGING); } -info { YYD; yywarn("it is obsoleted. use \"notify\""); yylval.num = 0; return(LOGLEV); } -notify { YYD; yylval.num = 0; return(LOGLEV); } -debug { YYD; yylval.num = 1; return(LOGLEV); } -debug2 { YYD; yylval.num = 2; return(LOGLEV); } -debug3 { YYD; yywarn("it is osboleted. use \"debug2\""); yylval.num = 2; return(LOGLEV); } -debug4 { YYD; yywarn("it is obsoleted. 
use \"debug2\""); yylval.num = 2; return(LOGLEV); } -{semi} { BEGIN S_INI; return(EOS); } - - /* padding */ -padding { BEGIN S_PAD; YYDB; return(PADDING); } -{bcl} { return(BOC); } -randomize { YYD; return(PAD_RANDOMIZE); } -randomize_length { YYD; return(PAD_RANDOMIZELEN); } -maximum_length { YYD; return(PAD_MAXLEN); } -strict_check { YYD; return(PAD_STRICT); } -exclusive_tail { YYD; return(PAD_EXCLTAIL); } -{ecl} { BEGIN S_INI; return(EOC); } - - /* listen */ -listen { BEGIN S_LST; YYDB; return(LISTEN); } -{bcl} { return(BOC); } -isakmp { YYD; return(X_ISAKMP); } -admin { YYD; return(X_ADMIN); } -strict_address { YYD; return(STRICT_ADDRESS); } -{ecl} { BEGIN S_INI; return(EOC); } - - /* timer */ -timer { BEGIN S_RTRY; YYDB; return(RETRY); } -{bcl} { return(BOC); } -counter { YYD; return(RETRY_COUNTER); } -interval { YYD; return(RETRY_INTERVAL); } -persend { YYD; return(RETRY_PERSEND); } -phase1 { YYD; return(RETRY_PHASE1); } -phase2 { YYD; return(RETRY_PHASE2); } -{ecl} { BEGIN S_INI; return(EOC); } - - /* sainfo */ -sainfo { BEGIN S_SAINF; YYDB; return(SAINFO); } -anonymous { YYD; return(ANONYMOUS); } -{blcl}any{elcl} { YYD; return(PORTANY); } -any { YYD; return(ANY); } -from { YYD; return(FROM); } - /* sainfo spec */ -{bcl} { BEGIN S_SAINFS; return(BOC); } -{semi} { BEGIN S_INI; return(EOS); } -{ecl} { BEGIN S_INI; return(EOC); } -pfs_group { YYD; return(PFS_GROUP); } -identifier { YYD; yywarn("it is obsoleted. 
use \"my_identifier\"."); return(IDENTIFIER); } -my_identifier { YYD; return(MY_IDENTIFIER); } -lifetime { YYD; return(LIFETIME); } -time { YYD; return(LIFETYPE_TIME); } -byte { YYD; return(LIFETYPE_BYTE); } -encryption_algorithm { YYD; yylval.num = algclass_ipsec_enc; return(ALGORITHM_CLASS); } -authentication_algorithm { YYD; yylval.num = algclass_ipsec_auth; return(ALGORITHM_CLASS); } -compression_algorithm { YYD; yylval.num = algclass_ipsec_comp; return(ALGORITHM_CLASS); } -{comma} { YYD; return(COMMA); } - - /* remote */ -remote { BEGIN S_RMT; YYDB; return(REMOTE); } -anonymous { YYD; return(ANONYMOUS); } - /* remote spec */ -{bcl} { BEGIN S_RMTS; return(BOC); } -{ecl} { BEGIN S_INI; return(EOC); } -exchange_mode { YYD; return(EXCHANGE_MODE); } -{comma} { YYD; /* XXX ignored, but to be handled. */ ; } -base { YYD; yylval.num = ISAKMP_ETYPE_BASE; return(EXCHANGETYPE); } -main { YYD; yylval.num = ISAKMP_ETYPE_IDENT; return(EXCHANGETYPE); } -aggressive { YYD; yylval.num = ISAKMP_ETYPE_AGG; return(EXCHANGETYPE); } -doi { YYD; return(DOI); } -ipsec_doi { YYD; yylval.num = IPSEC_DOI; return(DOITYPE); } -situation { YYD; return(SITUATION); } -identity_only { YYD; yylval.num = IPSECDOI_SIT_IDENTITY_ONLY; return(SITUATIONTYPE); } -secrecy { YYD; yylval.num = IPSECDOI_SIT_SECRECY; return(SITUATIONTYPE); } -integrity { YYD; yylval.num = IPSECDOI_SIT_INTEGRITY; return(SITUATIONTYPE); } -identifier { YYD; yywarn("it is obsoleted. 
use \"my_identifier\"."); return(IDENTIFIER); } -my_identifier { YYD; return(MY_IDENTIFIER); } -peers_identifier { YYD; return(PEERS_IDENTIFIER); } -verify_identifier { YYD; return(VERIFY_IDENTIFIER); } -certificate_type { YYD; return(CERTIFICATE_TYPE); } -x509 { YYD; yylval.num = ISAKMP_CERT_X509SIGN; return(CERT_X509); } -peers_certfile { YYD; return(PEERS_CERTFILE); } -dnssec { YYD; return(DNSSEC); } -verify_cert { YYD; return(VERIFY_CERT); } -send_cert { YYD; return(SEND_CERT); } -send_cr { YYD; return(SEND_CR); } -dh_group { YYD; return(DH_GROUP); } -nonce_size { YYD; return(NONCE_SIZE); } -generate_policy { YYD; return(GENERATE_POLICY); } -support_mip6 { YYD; yywarn("it is obsoleted. use \"support_proxy\"."); return(SUPPORT_PROXY); } -support_proxy { YYD; return(SUPPORT_PROXY); } -initial_contact { YYD; return(INITIAL_CONTACT); } -proposal_check { YYD; return(PROPOSAL_CHECK); } -obey { YYD; yylval.num = PROP_CHECK_OBEY; return(PROPOSAL_CHECK_LEVEL); } -strict { YYD; yylval.num = PROP_CHECK_STRICT; return(PROPOSAL_CHECK_LEVEL); } -exact { YYD; yylval.num = PROP_CHECK_EXACT; return(PROPOSAL_CHECK_LEVEL); } -claim { YYD; yylval.num = PROP_CHECK_CLAIM; return(PROPOSAL_CHECK_LEVEL); } -keepalive { YYD; return(KEEPALIVE); } -passive { YYD; return(PASSIVE); } -lifetime { YYD; return(LIFETIME); } -time { YYD; return(LIFETYPE_TIME); } -byte { YYD; return(LIFETYPE_BYTE); } - /* remote proposal */ -proposal { BEGIN S_RMTP; YYDB; return(PROPOSAL); } -{bcl} { return(BOC); } -{ecl} { BEGIN S_RMTS; return(EOC); } -lifetime { YYD; return(LIFETIME); } -time { YYD; return(LIFETYPE_TIME); } -byte { YYD; return(LIFETYPE_BYTE); } -encryption_algorithm { YYD; yylval.num = algclass_isakmp_enc; return(ALGORITHM_CLASS); } -authentication_method { YYD; yylval.num = algclass_isakmp_ameth; return(ALGORITHM_CLASS); } -hash_algorithm { YYD; yylval.num = algclass_isakmp_hash; return(ALGORITHM_CLASS); } -dh_group { YYD; return(DH_GROUP); } -gssapi_id { YYD; return(GSSAPI_ID); } - - /* 
parameter */ -on { YYD; yylval.num = TRUE; return(SWITCH); } -off { YYD; yylval.num = FALSE; return(SWITCH); } - - /* prefix */ -{slash}{digit}{1,3} { - YYD; - yytext++; - yylval.num = atoi(yytext); - return(PREFIX); - } - - /* port number */ -{blcl}{decstring}{elcl} { - char *p = yytext; - YYD; - while (*++p != ']') ; - *p = 0; - yytext++; - yylval.num = atoi(yytext); - return(PORT); - } - - /* upper protocol */ -esp { YYD; yylval.num = IPPROTO_ESP; return(UL_PROTO); } -ah { YYD; yylval.num = IPPROTO_AH; return(UL_PROTO); } -ipcomp { YYD; yylval.num = IPPROTO_IPCOMP; return(UL_PROTO); } -icmp { YYD; yylval.num = IPPROTO_ICMP; return(UL_PROTO); } -icmp6 { YYD; yylval.num = IPPROTO_ICMPV6; return(UL_PROTO); } -tcp { YYD; yylval.num = IPPROTO_TCP; return(UL_PROTO); } -udp { YYD; yylval.num = IPPROTO_UDP; return(UL_PROTO); } - - /* algorithm type */ -des_iv64 { YYD; yylval.num = algtype_des_iv64; return(ALGORITHMTYPE); } -des { YYD; yylval.num = algtype_des; return(ALGORITHMTYPE); } -3des { YYD; yylval.num = algtype_3des; return(ALGORITHMTYPE); } -rc5 { YYD; yylval.num = algtype_rc5; return(ALGORITHMTYPE); } -idea { YYD; yylval.num = algtype_idea; return(ALGORITHMTYPE); } -cast128 { YYD; yylval.num = algtype_cast128; return(ALGORITHMTYPE); } -blowfish { YYD; yylval.num = algtype_blowfish; return(ALGORITHMTYPE); } -3idea { YYD; yylval.num = algtype_3idea; return(ALGORITHMTYPE); } -des_iv32 { YYD; yylval.num = algtype_des_iv32; return(ALGORITHMTYPE); } -rc4 { YYD; yylval.num = algtype_rc4; return(ALGORITHMTYPE); } -null_enc { YYD; yylval.num = algtype_null_enc; return(ALGORITHMTYPE); } -rijndael { YYD; yylval.num = algtype_rijndael; return(ALGORITHMTYPE); } -aes { YYD; yylval.num = algtype_rijndael; return(ALGORITHMTYPE); } -twofish { YYD; yylval.num = algtype_twofish; return(ALGORITHMTYPE); } -non_auth { YYD; yylval.num = algtype_non_auth; return(ALGORITHMTYPE); } -hmac_md5 { YYD; yylval.num = algtype_hmac_md5; return(ALGORITHMTYPE); } -hmac_sha1 { YYD; yylval.num = 
algtype_hmac_sha1; return(ALGORITHMTYPE); } -hmac_sha2_256 { YYD; yylval.num = algtype_hmac_sha2_256; return(ALGORITHMTYPE); } -hmac_sha2_384 { YYD; yylval.num = algtype_hmac_sha2_384; return(ALGORITHMTYPE); } -hmac_sha2_512 { YYD; yylval.num = algtype_hmac_sha2_512; return(ALGORITHMTYPE); } -des_mac { YYD; yylval.num = algtype_des_mac; return(ALGORITHMTYPE); } -kpdk { YYD; yylval.num = algtype_kpdk; return(ALGORITHMTYPE); } -md5 { YYD; yylval.num = algtype_md5; return(ALGORITHMTYPE); } -sha1 { YYD; yylval.num = algtype_sha1; return(ALGORITHMTYPE); } -tiger { YYD; yylval.num = algtype_tiger; return(ALGORITHMTYPE); } -sha2_256 { YYD; yylval.num = algtype_sha2_256; return(ALGORITHMTYPE); } -sha2_384 { YYD; yylval.num = algtype_sha2_384; return(ALGORITHMTYPE); } -sha2_512 { YYD; yylval.num = algtype_sha2_512; return(ALGORITHMTYPE); } -oui { YYD; yylval.num = algtype_oui; return(ALGORITHMTYPE); } -deflate { YYD; yylval.num = algtype_deflate; return(ALGORITHMTYPE); } -lzs { YYD; yylval.num = algtype_lzs; return(ALGORITHMTYPE); } -modp768 { YYD; yylval.num = algtype_modp768; return(ALGORITHMTYPE); } -modp1024 { YYD; yylval.num = algtype_modp1024; return(ALGORITHMTYPE); } -modp1536 { YYD; yylval.num = algtype_modp1536; return(ALGORITHMTYPE); } -ec2n155 { YYD; yylval.num = algtype_ec2n155; return(ALGORITHMTYPE); } -ec2n185 { YYD; yylval.num = algtype_ec2n185; return(ALGORITHMTYPE); } -modp2048 { YYD; yylval.num = algtype_modp2048; return(ALGORITHMTYPE); } -modp3072 { YYD; yylval.num = algtype_modp3072; return(ALGORITHMTYPE); } -modp4096 { YYD; yylval.num = algtype_modp4096; return(ALGORITHMTYPE); } -modp6144 { YYD; yylval.num = algtype_modp6144; return(ALGORITHMTYPE); } -modp8192 { YYD; yylval.num = algtype_modp8192; return(ALGORITHMTYPE); } -pre_shared_key { YYD; yylval.num = algtype_psk; return(ALGORITHMTYPE); } -rsasig { YYD; yylval.num = algtype_rsasig; return(ALGORITHMTYPE); } -dsssig { YYD; yylval.num = algtype_dsssig; return(ALGORITHMTYPE); } -rsaenc { YYD; 
yylval.num = algtype_rsaenc; return(ALGORITHMTYPE); } -rsarev { YYD; yylval.num = algtype_rsarev; return(ALGORITHMTYPE); } -gssapi_krb { YYD; yylval.num = algtype_gssapikrb; return(ALGORITHMTYPE); } - - /* identifier type */ -vendor_id { YYD; yywarn("it is obsoleted."); return(VENDORID); } -user_fqdn { YYD; yylval.num = IDTYPE_USERFQDN; return(IDENTIFIERTYPE); } -fqdn { YYD; yylval.num = IDTYPE_FQDN; return(IDENTIFIERTYPE); } -keyid { YYD; yylval.num = IDTYPE_KEYID; return(IDENTIFIERTYPE); } -address { YYD; yylval.num = IDTYPE_ADDRESS; return(IDENTIFIERTYPE); } -asn1dn { YYD; yylval.num = IDTYPE_ASN1DN; return(IDENTIFIERTYPE); } -certname { YYD; yywarn("certname will be obsoleted in near future."); yylval.num = IDTYPE_ASN1DN; return(IDENTIFIERTYPE); } - - /* units */ -B|byte|bytes { YYD; return(UNITTYPE_BYTE); } -KB { YYD; return(UNITTYPE_KBYTES); } -MB { YYD; return(UNITTYPE_MBYTES); } -TB { YYD; return(UNITTYPE_TBYTES); } -sec|secs|second|seconds { YYD; return(UNITTYPE_SEC); } -min|mins|minute|minutes { YYD; return(UNITTYPE_MIN); } -hour|hours { YYD; return(UNITTYPE_HOUR); } - - /* boolean */ -yes { YYD; yylval.num = TRUE; return(BOOLEAN); } -no { YYD; yylval.num = FALSE; return(BOOLEAN); } - -{decstring} { - char *bp; - - YYD; - yylval.num = strtol(yytext, &bp, 10); - return(NUMBER); - } - -{hexstring} { - char *p; - - YYD; - yylval.val = vmalloc(yyleng + (yyleng & 1) + 1); - if (yylval.val == NULL) { - yyerror("vmalloc failed"); - return -1; - } - - p = yylval.val->v; - *p++ = '0'; - *p++ = 'x'; - - /* fixed string if length is odd. 
*/ - if (yyleng & 1) - *p++ = '0'; - memcpy(p, &yytext[2], yyleng - 1); - - return(HEXSTRING); - } - -{quotedstring} { - u_char *p = yytext; - - YYD; - while (*++p != '"') ; - *p = '\0'; - - yylval.val = vmalloc(yyleng - 1); - if (yylval.val == NULL) { - yyerror("vmalloc failed"); - return -1; - } - memcpy(yylval.val->v, &yytext[1], yylval.val->l); - - return(QUOTEDSTRING); - } - -{addrstring} { - YYD; - - yylval.val = vmalloc(yyleng + 1); - if (yylval.val == NULL) { - yyerror("vmalloc failed"); - return -1; - } - memcpy(yylval.val->v, yytext, yylval.val->l); - - return(ADDRSTRING); - } - -<> { - yy_delete_buffer(YY_CURRENT_BUFFER); - incstackp--; - nextfile: - if (incstack[incstackp].matchon < - incstack[incstackp].matches.gl_pathc) { - char* filepath = incstack[incstackp].matches.gl_pathv[incstack[incstackp].matchon]; - incstack[incstackp].matchon++; - incstackp++; - if (yycf_set_buffer(filepath) != 0) { - incstackp--; - goto nextfile; - } - yy_switch_to_buffer(yy_create_buffer(yyin, YY_BUF_SIZE)); - BEGIN(S_INI); - } else { - globfree(&incstack[incstackp].matches); - if (incstackp == 0) - yyterminate(); - else - yy_switch_to_buffer(incstack[incstackp].prevstate); - } - } - - /* ... */ -{ws} { ; } -{nl} { incstack[incstackp].lineno++; } -{comment} { YYD; } -{semi} { return(EOS); } -. { yymore(); } - -%% - -void -yyerror(char *s, ...) -{ - char fmt[512]; - - va_list ap; -#ifdef HAVE_STDARG_H - va_start(ap, s); -#else - va_start(ap); -#endif - snprintf(fmt, sizeof(fmt), "%s:%d: \"%s\" %s\n", - incstack[incstackp].path, incstack[incstackp].lineno, - yytext, s); - plogv(LLV_ERROR, LOCATION, NULL, fmt, ap); - va_end(ap); - - yyerrorcount++; -} - -void -yywarn(char *s, ...) 
-{ - char fmt[512]; - - va_list ap; -#ifdef HAVE_STDARG_H - va_start(ap, s); -#else - va_start(ap); -#endif - snprintf(fmt, sizeof(fmt), "%s:%d: \"%s\" %s\n", - incstack[incstackp].path, incstack[incstackp].lineno, - yytext, s); - plogv(LLV_WARNING, LOCATION, NULL, fmt, ap); - va_end(ap); -} - -int -yycf_switch_buffer(path) - char *path; -{ - char *filepath = NULL; - - /* got the include file name */ - if (incstackp >= MAX_INCLUDE_DEPTH) { - plog(LLV_ERROR, LOCATION, NULL, - "Includes nested too deeply"); - return -1; - } - - if (glob(path, GLOB_TILDE, NULL, &incstack[incstackp].matches) != 0 || - incstack[incstackp].matches.gl_pathc == 0) { - plog(LLV_ERROR, LOCATION, NULL, - "glob found no matches for path"); - return -1; - } - incstack[incstackp].matchon = 0; - incstack[incstackp].prevstate = YY_CURRENT_BUFFER; - - nextmatch: - if (incstack[incstackp].matchon >= incstack[incstackp].matches.gl_pathc) - return -1; - filepath = - incstack[incstackp].matches.gl_pathv[incstack[incstackp].matchon]; - incstack[incstackp].matchon++; - incstackp++; - - if (yycf_set_buffer(filepath) != 0) { - incstackp--; - goto nextmatch; - } - - yy_switch_to_buffer(yy_create_buffer(yyin, YY_BUF_SIZE)); - - BEGIN(S_INI); - - return 0; -} - -int -yycf_set_buffer(path) - char *path; -{ - yyin = fopen(path, "r"); - if (yyin == NULL) { - fprintf(stderr, "failed to open file %s (%s)\n", - path, strerror(errno)); - plog(LLV_ERROR, LOCATION, NULL, - "failed to open file %s (%s)\n", - path, strerror(errno)); - return -1; - } - - /* initialize */ - incstack[incstackp].fp = yyin; - incstack[incstackp].path = strdup(path); - incstack[incstackp].lineno = 1; - plog(LLV_DEBUG, LOCATION, NULL, - "reading config file %s\n", path, 0); - - return 0; -} - -void -yycf_init_buffer() -{ - int i; - - for (i = 0; i < MAX_INCLUDE_DEPTH; i++) - memset(&incstack[i], 0, sizeof(incstack[i])); - incstackp = 0; -} - -void -yycf_clean_buffer() -{ - int i; - - for (i = 0; i < MAX_INCLUDE_DEPTH; i++) { - if 
(incstack[i].path != NULL) {
- fclose(incstack[i].fp);
- racoon_free(incstack[i].path);
- incstack[i].path = NULL;
- }
- }
-}
-
diff --git a/kame/kame/racoon/cftoken_proto.h b/kame/kame/racoon/cftoken_proto.h
deleted file mode 100644
index 79fb05f91f..0000000000
--- a/kame/kame/racoon/cftoken_proto.h
+++ /dev/null
@@ -1,41 +0,0 @@
-/* $KAME: cftoken_proto.h,v 1.1 2002/09/27 05:55:52 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-extern int yyerrorcount;
-
-extern int yylex __P((void));
-extern void yyerror __P((char *, ...));
-extern void yywarn __P((char *, ...));
-
-extern int yycf_switch_buffer __P((char *));
-extern int yycf_set_buffer __P((char *));
-extern void yycf_init_buffer __P((void));
-extern void yycf_clean_buffer __P((void));
diff --git a/kame/kame/racoon/client-puzzle.c b/kame/kame/racoon/client-puzzle.c
deleted file mode 100644
index 968a08fb0c..0000000000
--- a/kame/kame/racoon/client-puzzle.c
+++ /dev/null
@@ -1,222 +0,0 @@ -#include -#include - -#include -#include - -#include "vmbuf.h" -#ifndef HAVE_ARC4RANDOM -#include "arc4random.h" -#endif - -vchar_t *mdx __P((const vchar_t *, int)); -void plusone __P((u_char *, int)); -int islzero __P((char *, int)); - -#ifdef DEBUG -#include -double stats; -double timedelta __P((struct timeval *, struct timeval *)); -double -timedelta(t1, t2) - struct timeval *t1, *t2; -{ - if (t2->tv_usec >= t1->tv_usec) - return t2->tv_sec - t1->tv_sec + - (double)(t2->tv_usec - t1->tv_usec) / 1000000; - - return t2->tv_sec - t1->tv_sec - 1 + - (double)(1000000 + t2->tv_usec - t1->tv_usec) / 1000000; -} -#endif - -#include -int -main(ac, av) - int ac; - char **av; -{ - int k = 0, n = 1; - int datalen = 16; /*XXX*/ - vchar_t *data, *res; - int i, j; - - switch (ac) { - default: - case 3: - n = atoi(*(av + 2)); - case 2: - k = atoi(*(av + 1)); - break; - case 1: - printf("Usage: client-puzzle (size) (times)\n"); - printf("\tsize : the length of MSB to be zero.\n"); - printf("\ttimes: the number of times of testing.\n"); - exit(0); - } - - data = vmalloc(16); /*XXX*/ - if (data == NULL) - return -1; - - for (i = 0; i < n; i++) { - for (j = 0; j < datalen; j++) - data->v[j] = arc4random() & 0xff; - - res = mdx((const vchar_t *)data, k); - if (res == NULL) - return -1; - } - - return 0; -} - -vchar_t * -mdx(data, k) - const vchar_t *data; - int k; -{ - SHA_CTX c; - vchar_t *sub, *res; - u_long n, max = ~0; - int last; - - sub = vmalloc(SHA_DIGEST_LENGTH); - if (sub == NULL) - return NULL; - - /*XXX how many length should be allocated ?*/ - res = vmalloc(SHA_DIGEST_LENGTH); - if (res == NULL) - return NULL; - memset(res->v, 0, res->l); - - last = res->l - 1; - for (n = 0; n < max; n ++) { - - if (n & 1) - res->v[last] |= 1; - -#ifdef DEBUG - { - struct timeval start, end; - gettimeofday(&start, NULL); -#endif - SHA1_Init(&c); - SHA1_Update((SHA_CTX *)&c, data->v, data->l); - SHA1_Update((SHA_CTX *)&c, res->v, res->l); - SHA1_Final(sub->v, (SHA_CTX 
*)&c); -#ifdef DEBUG - gettimeofday(&end, NULL); - stats += timedelta(&start, &end); - } -#endif - - if (islzero(sub->v, k)) - goto found; - if (n & 1) { -#ifdef DEBUG2 - if (n > 0xfffff0) { - int j; - for (j = 0; j < res->l; j++) - printf("%02x", (u_char)res->v[j]); - printf("\n"); - } -#endif - plusone(res->v, res->l); -#ifdef DEBUG2 - if (n > 0xfffff0) { - int j; - for (j = 0; j < res->l; j++) - printf("%02x", (u_char)res->v[j]); - printf("\n"); - } -#endif - } - } - - found: -#ifdef DEBUG - if (n != max) - { -#ifdef DEBUG2 - int i; - printf("dat="); - for (i = 0; i < data->l; i++) - printf("%02x", (u_char)(data->v[i] & 0xff)); - printf("\n"); - printf("sub="); - for (i = 0; i < sub->l; i++) - printf("%02x", (u_char)(sub->v[i] & 0xff)); - printf("\n"); - printf("res="); - for (i = 0; i < res->l; i++) - printf("%02x", (u_char)(res->v[i] & 0xff)); - printf("\n"); -#endif - printf("k=%d\tn=%ld\ttotal=%9.6f(s)\tavg=%9.6f(s)\n", - k, n + 1, stats, stats/(n + 1)); - } -#endif - vfree(sub); - - return n == max ? NULL : res; -} - -/* - * d: pointer of the data. - * l: the length of bytes. - */ -void -plusone(d, l) - u_char *d; - int l; -{ - int carry = 0; - int i; - - if (l == 0) - return; - - if (d[l - 1] == 0xff) - carry = 1; - d[l - 1]++; - - if (carry && l > 1) { - carry = 0; - for (i = l - 2; i >= 0; i--) { - if (d[i] == 0xff) - carry = 1; - d[i]++; - if (!carry) - break; - carry = 0; - } - } -} - -/* - * d: pointer of the data. - * k: the length of most significant bits to be zero. - * return value: - * 1: match. - * 0: not match. - */ -int -islzero(d, k) - char *d; - int k; -{ - while (k >= 8) { - if (*d++ != 0) - return 0; - k -= 8; - } - - if (k > 0) { - if (*d != (0xff >> k)) - return 0; - } - - return 1; -} diff --git a/kame/kame/racoon/config.guess b/kame/kame/racoon/config.guess deleted file mode 100644 index 2960d6e0d2..0000000000 --- a/kame/kame/racoon/config.guess +++ /dev/null 
@@ -1,951 +0,0 @@ -#! /bin/sh -# Attempt to guess a canonical system name. -# Copyright (C) 1992, 93, 94, 95, 96, 97, 1998 Free Software Foundation, Inc. -# -# This file is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -# -# As a special exception to the GNU General Public License, if you -# distribute this file as part of a program that contains a -# configuration script generated by Autoconf, you may include it under -# the same distribution terms that you use for the rest of that program. - -# Written by Per Bothner . -# The master version of this file is at the FSF in /home/gd/gnu/lib. -# -# This script attempts to guess a canonical system name similar to -# config.sub. If it succeeds, it prints the system name on stdout, and -# exits with 0. Otherwise, it exits with 1. -# -# The plan is that this can be called by configure scripts if you -# don't specify an explicit system type (host/target name). -# -# Only a few systems have been added to this list; please add others -# (but try to keep the structure clean). -# - -# This is needed to find uname on a Pyramid OSx when run in the BSD universe. -# (ghazi@noc.rutgers.edu 8/24/94.) 
-if (test -f /.attbin/uname) >/dev/null 2>&1 ; then - PATH=$PATH:/.attbin ; export PATH -fi - -UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown -UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown -UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown -UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown - -trap 'rm -f dummy.c dummy.o dummy; exit 1' 1 2 15 - -# Note: order is significant - the case branches are not exclusive. - -case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in - alpha:OSF1:*:*) - if test $UNAME_RELEASE = "V4.0"; then - UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` - fi - # A Vn.n version is a released version. - # A Tn.n version is a released field test version. - # A Xn.n version is an unreleased experimental baselevel. - # 1.2 uses "1.2" for uname -r. - cat <dummy.s - .globl main - .ent main -main: - .frame \$30,0,\$26,0 - .prologue 0 - .long 0x47e03d80 # implver $0 - lda \$2,259 - .long 0x47e20c21 # amask $2,$1 - srl \$1,8,\$2 - sll \$2,2,\$2 - sll \$0,3,\$0 - addl \$1,\$0,\$0 - addl \$2,\$0,\$0 - ret \$31,(\$26),1 - .end main -EOF - ${CC-cc} dummy.s -o dummy 2>/dev/null - if test "$?" = 0 ; then - ./dummy - case "$?" 
in - 7) - UNAME_MACHINE="alpha" - ;; - 15) - UNAME_MACHINE="alphaev5" - ;; - 14) - UNAME_MACHINE="alphaev56" - ;; - 10) - UNAME_MACHINE="alphapca56" - ;; - 16) - UNAME_MACHINE="alphaev6" - ;; - esac - fi - rm -f dummy.s dummy - echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[VTX]//' | tr [[A-Z]] [[a-z]]` - exit 0 ;; - 21064:Windows_NT:50:3) - echo alpha-dec-winnt3.5 - exit 0 ;; - Amiga*:UNIX_System_V:4.0:*) - echo m68k-cbm-sysv4 - exit 0;; - amiga:NetBSD:*:*) - echo m68k-cbm-netbsd${UNAME_RELEASE} - exit 0 ;; - amiga:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - *:[Aa]miga[Oo][Ss]:*:*) - echo ${UNAME_MACHINE}-unknown-amigaos - exit 0 ;; - arc64:OpenBSD:*:*) - echo mips64el-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - arc:OpenBSD:*:*) - echo mipsel-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - hkmips:OpenBSD:*:*) - echo mips-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - pmax:OpenBSD:*:*) - echo mipsel-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - sgi:OpenBSD:*:*) - echo mips-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - wgrisc:OpenBSD:*:*) - echo mipsel-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) - echo arm-acorn-riscix${UNAME_RELEASE} - exit 0;; - arm32:NetBSD:*:*) - echo arm-unknown-netbsd`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` - exit 0 ;; - SR2?01:HI-UX/MPP:*:*) - echo hppa1.1-hitachi-hiuxmpp - exit 0;; - Pyramid*:OSx*:*:*|MIS*:OSx*:*:*|MIS*:SMP_DC-OSx*:*:*) - # akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE. 
- if test "`(/bin/universe) 2>/dev/null`" = att ; then - echo pyramid-pyramid-sysv3 - else - echo pyramid-pyramid-bsd - fi - exit 0 ;; - NILE:*:*:dcosx) - echo pyramid-pyramid-svr4 - exit 0 ;; - sun4H:SunOS:5.*:*) - echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` - exit 0 ;; - sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*) - echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` - exit 0 ;; - i86pc:SunOS:5.*:*) - echo i386-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` - exit 0 ;; - sun4*:SunOS:6*:*) - # According to config.sub, this is the proper way to canonicalize - # SunOS6. Hard to guess exactly what SunOS6 will be like, but - # it's likely to be more like Solaris than SunOS4. - echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` - exit 0 ;; - sun4*:SunOS:*:*) - case "`/usr/bin/arch -k`" in - Series*|S4*) - UNAME_RELEASE=`uname -v` - ;; - esac - # Japanese Language versions have a version number like `4.1.3-JL'. - echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'` - exit 0 ;; - sun3*:SunOS:*:*) - echo m68k-sun-sunos${UNAME_RELEASE} - exit 0 ;; - sun*:*:4.2BSD:*) - UNAME_RELEASE=`(head -1 /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` - test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3 - case "`/bin/arch`" in - sun3) - echo m68k-sun-sunos${UNAME_RELEASE} - ;; - sun4) - echo sparc-sun-sunos${UNAME_RELEASE} - ;; - esac - exit 0 ;; - aushp:SunOS:*:*) - echo sparc-auspex-sunos${UNAME_RELEASE} - exit 0 ;; - atari*:NetBSD:*:*) - echo m68k-atari-netbsd${UNAME_RELEASE} - exit 0 ;; - atari*:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - sun3*:NetBSD:*:*) - echo m68k-sun-netbsd${UNAME_RELEASE} - exit 0 ;; - sun3*:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - mac68k:NetBSD:*:*) - echo m68k-apple-netbsd${UNAME_RELEASE} - exit 0 ;; - mac68k:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - mvme68k:OpenBSD:*:*) - echo 
m68k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - mvme88k:OpenBSD:*:*) - echo m88k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - powerpc:machten:*:*) - echo powerpc-apple-machten${UNAME_RELEASE} - exit 0 ;; - macppc:NetBSD:*:*) - echo powerpc-apple-netbsd${UNAME_RELEASE} - exit 0 ;; - RISC*:Mach:*:*) - echo mips-dec-mach_bsd4.3 - exit 0 ;; - RISC*:ULTRIX:*:*) - echo mips-dec-ultrix${UNAME_RELEASE} - exit 0 ;; - VAX*:ULTRIX*:*:*) - echo vax-dec-ultrix${UNAME_RELEASE} - exit 0 ;; - 2020:CLIX:*:*) - echo clipper-intergraph-clix${UNAME_RELEASE} - exit 0 ;; - mips:*:*:UMIPS | mips:*:*:RISCos) - sed 's/^ //' << EOF >dummy.c - int main (argc, argv) int argc; char **argv; { - #if defined (host_mips) && defined (MIPSEB) - #if defined (SYSTYPE_SYSV) - printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0); - #endif - #if defined (SYSTYPE_SVR4) - printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0); - #endif - #if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD) - printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0); - #endif - #endif - exit (-1); - } -EOF - ${CC-cc} dummy.c -o dummy \ - && ./dummy `echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` \ - && rm dummy.c dummy && exit 0 - rm -f dummy.c dummy - echo mips-mips-riscos${UNAME_RELEASE} - exit 0 ;; - Night_Hawk:Power_UNIX:*:*) - echo powerpc-harris-powerunix - exit 0 ;; - m88k:CX/UX:7*:*) - echo m88k-harris-cxux7 - exit 0 ;; - m88k:*:4*:R4*) - echo m88k-motorola-sysv4 - exit 0 ;; - m88k:*:3*:R3*) - echo m88k-motorola-sysv3 - exit 0 ;; - AViiON:dgux:*:*) - # DG/UX returns AViiON for all architectures - UNAME_PROCESSOR=`/usr/bin/uname -p` - if [ $UNAME_PROCESSOR = mc88100 -o $UNAME_PROCESSOR = mc88110 ] ; then - if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx \ - -o ${TARGET_BINARY_INTERFACE}x = x ] ; then - echo m88k-dg-dgux${UNAME_RELEASE} - else - echo m88k-dg-dguxbcs${UNAME_RELEASE} - fi - else echo i586-dg-dgux${UNAME_RELEASE} - fi - exit 0 ;; - M88*:DolphinOS:*:*) # DolphinOS (SVR3) - echo 
m88k-dolphin-sysv3 - exit 0 ;; - M88*:*:R3*:*) - # Delta 88k system running SVR3 - echo m88k-motorola-sysv3 - exit 0 ;; - XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3) - echo m88k-tektronix-sysv3 - exit 0 ;; - Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD) - echo m68k-tektronix-bsd - exit 0 ;; - *:IRIX*:*:*) - echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'` - exit 0 ;; - ????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX. - echo romp-ibm-aix # uname -m gives an 8 hex-code CPU id - exit 0 ;; # Note that: echo "'`uname -s`'" gives 'AIX ' - i?86:AIX:*:*) - echo i386-ibm-aix - exit 0 ;; - *:AIX:2:3) - if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then - sed 's/^ //' << EOF >dummy.c - #include - - main() - { - if (!__power_pc()) - exit(1); - puts("powerpc-ibm-aix3.2.5"); - exit(0); - } -EOF - ${CC-cc} dummy.c -o dummy && ./dummy && rm dummy.c dummy && exit 0 - rm -f dummy.c dummy - echo rs6000-ibm-aix3.2.5 - elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then - echo rs6000-ibm-aix3.2.4 - else - echo rs6000-ibm-aix3.2 - fi - exit 0 ;; - *:AIX:*:4) - IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | head -1 | awk '{ print $1 }'` - if /usr/sbin/lsattr -EHl ${IBM_CPU_ID} | grep POWER >/dev/null 2>&1; then - IBM_ARCH=rs6000 - else - IBM_ARCH=powerpc - fi - if [ -x /usr/bin/oslevel ] ; then - IBM_REV=`/usr/bin/oslevel` - else - IBM_REV=4.${UNAME_RELEASE} - fi - echo ${IBM_ARCH}-ibm-aix${IBM_REV} - exit 0 ;; - *:AIX:*:*) - echo rs6000-ibm-aix - exit 0 ;; - ibmrt:4.4BSD:*|romp-ibm:BSD:*) - echo romp-ibm-bsd4.4 - exit 0 ;; - ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC NetBSD and - echo romp-ibm-bsd${UNAME_RELEASE} # 4.3 with uname added to - exit 0 ;; # report: romp-ibm BSD 4.3 - *:BOSX:*:*) - echo rs6000-bull-bosx - exit 0 ;; - DPX/2?00:B.O.S.:*:*) - echo m68k-bull-sysv3 - exit 0 ;; - 9000/[34]??:4.3bsd:1.*:*) - echo m68k-hp-bsd - exit 0 ;; - hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*) - echo 
m68k-hp-bsd4.4 - exit 0 ;; - 9000/[34678]??:HP-UX:*:*) - case "${UNAME_MACHINE}" in - 9000/31? ) HP_ARCH=m68000 ;; - 9000/[34]?? ) HP_ARCH=m68k ;; - 9000/6?? | 9000/7?? | 9000/80[24] | 9000/8?[13679] | 9000/892 ) - sed 's/^ //' << EOF >dummy.c - #include - #include - - int main () - { - #if defined(_SC_KERNEL_BITS) - long bits = sysconf(_SC_KERNEL_BITS); - #endif - long cpu = sysconf (_SC_CPU_VERSION); - - switch (cpu) - { - case CPU_PA_RISC1_0: puts ("hppa1.0"); break; - case CPU_PA_RISC1_1: puts ("hppa1.1"); break; - case CPU_PA_RISC2_0: - #if defined(_SC_KERNEL_BITS) - switch (bits) - { - case 64: puts ("hppa2.0w"); break; - case 32: puts ("hppa2.0n"); break; - default: puts ("hppa2.0"); break; - } break; - #else /* !defined(_SC_KERNEL_BITS) */ - puts ("hppa2.0"); break; - #endif - default: puts ("hppa1.0"); break; - } - exit (0); - } -EOF - (${CC-cc} dummy.c -o dummy 2>/dev/null ) && HP_ARCH=`./dummy` - rm -f dummy.c dummy - esac - HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` - echo ${HP_ARCH}-hp-hpux${HPUX_REV} - exit 0 ;; - 3050*:HI-UX:*:*) - sed 's/^ //' << EOF >dummy.c - #include - int - main () - { - long cpu = sysconf (_SC_CPU_VERSION); - /* The order matters, because CPU_IS_HP_MC68K erroneously returns - true for CPU_PA_RISC1_0. CPU_IS_PA_RISC returns correct - results, however. 
*/ - if (CPU_IS_PA_RISC (cpu)) - { - switch (cpu) - { - case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break; - case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break; - case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break; - default: puts ("hppa-hitachi-hiuxwe2"); break; - } - } - else if (CPU_IS_HP_MC68K (cpu)) - puts ("m68k-hitachi-hiuxwe2"); - else puts ("unknown-hitachi-hiuxwe2"); - exit (0); - } -EOF - ${CC-cc} dummy.c -o dummy && ./dummy && rm dummy.c dummy && exit 0 - rm -f dummy.c dummy - echo unknown-hitachi-hiuxwe2 - exit 0 ;; - 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* ) - echo hppa1.1-hp-bsd - exit 0 ;; - 9000/8??:4.3bsd:*:*) - echo hppa1.0-hp-bsd - exit 0 ;; - hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* ) - echo hppa1.1-hp-osf - exit 0 ;; - hp8??:OSF1:*:*) - echo hppa1.0-hp-osf - exit 0 ;; - i?86:OSF1:*:*) - if [ -x /usr/sbin/sysversion ] ; then - echo ${UNAME_MACHINE}-unknown-osf1mk - else - echo ${UNAME_MACHINE}-unknown-osf1 - fi - exit 0 ;; - parisc*:Lites*:*:*) - echo hppa1.1-hp-lites - exit 0 ;; - C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) - echo c1-convex-bsd - exit 0 ;; - C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*) - if getsysinfo -f scalar_acc - then echo c32-convex-bsd - else echo c2-convex-bsd - fi - exit 0 ;; - C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*) - echo c34-convex-bsd - exit 0 ;; - C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*) - echo c38-convex-bsd - exit 0 ;; - C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) - echo c4-convex-bsd - exit 0 ;; - CRAY*X-MP:*:*:*) - echo xmp-cray-unicos - exit 0 ;; - CRAY*Y-MP:*:*:*) - echo ymp-cray-unicos${UNAME_RELEASE} - exit 0 ;; - CRAY*[A-Z]90:*:*:*) - echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \ - | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \ - -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ - exit 0 ;; - CRAY*TS:*:*:*) - echo t90-cray-unicos${UNAME_RELEASE} - exit 0 ;; - CRAY-2:*:*:*) - echo cray2-cray-unicos - exit 0 ;; - F300:UNIX_System_V:*:*) - FUJITSU_SYS=`uname -p | tr [A-Z] 
[a-z] | sed -e 's/\///'` - FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` - echo "f300-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" - exit 0 ;; - F301:UNIX_System_V:*:*) - echo f301-fujitsu-uxpv`echo $UNAME_RELEASE | sed 's/ .*//'` - exit 0 ;; - hp3[0-9][05]:NetBSD:*:*) - echo m68k-hp-netbsd${UNAME_RELEASE} - exit 0 ;; - hp300:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - sparc*:BSD/OS:*:*) - echo sparc-unknown-bsdi${UNAME_RELEASE} - exit 0 ;; - i?86:BSD/386:*:* | *:BSD/OS:*:*) - echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE} - exit 0 ;; - *:FreeBSD:*:*) - echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` - exit 0 ;; - *:NetBSD:*:*) - echo ${UNAME_MACHINE}-unknown-netbsd`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` - exit 0 ;; - *:OpenBSD:*:*) - echo ${UNAME_MACHINE}-unknown-openbsd`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` - exit 0 ;; - i*:CYGWIN*:*) - echo ${UNAME_MACHINE}-pc-cygwin - exit 0 ;; - i*:MINGW*:*) - echo ${UNAME_MACHINE}-pc-mingw32 - exit 0 ;; - p*:CYGWIN*:*) - echo powerpcle-unknown-cygwin - exit 0 ;; - prep*:SunOS:5.*:*) - echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` - exit 0 ;; - *:GNU:*:*) - echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'` - exit 0 ;; - *:Linux:*:*) - # uname on the ARM produces all sorts of strangeness, and we need to - # filter it out. - case "$UNAME_MACHINE" in - arm* | sa110*) UNAME_MACHINE="arm" ;; - esac - - # The BFD linker knows what the default object file format is, so - # first see if it will tell us. 
- ld_help_string=`ld --help 2>&1` - ld_supported_emulations=`echo $ld_help_string \ - | sed -ne '/supported emulations:/!d - s/[ ][ ]*/ /g - s/.*supported emulations: *// - s/ .*// - p'` - case "$ld_supported_emulations" in - i?86linux) echo "${UNAME_MACHINE}-pc-linux-gnuaout" ; exit 0 ;; - i?86coff) echo "${UNAME_MACHINE}-pc-linux-gnucoff" ; exit 0 ;; - sparclinux) echo "${UNAME_MACHINE}-unknown-linux-gnuaout" ; exit 0 ;; - armlinux) echo "${UNAME_MACHINE}-unknown-linux-gnuaout" ; exit 0 ;; - m68klinux) echo "${UNAME_MACHINE}-unknown-linux-gnuaout" ; exit 0 ;; - elf32ppc) echo "powerpc-unknown-linux-gnu" ; exit 0 ;; - esac - - if test "${UNAME_MACHINE}" = "alpha" ; then - sed 's/^ //' <dummy.s - .globl main - .ent main - main: - .frame \$30,0,\$26,0 - .prologue 0 - .long 0x47e03d80 # implver $0 - lda \$2,259 - .long 0x47e20c21 # amask $2,$1 - srl \$1,8,\$2 - sll \$2,2,\$2 - sll \$0,3,\$0 - addl \$1,\$0,\$0 - addl \$2,\$0,\$0 - ret \$31,(\$26),1 - .end main -EOF - LIBC="" - ${CC-cc} dummy.s -o dummy 2>/dev/null - if test "$?" = 0 ; then - ./dummy - case "$?" in - 7) - UNAME_MACHINE="alpha" - ;; - 15) - UNAME_MACHINE="alphaev5" - ;; - 14) - UNAME_MACHINE="alphaev56" - ;; - 10) - UNAME_MACHINE="alphapca56" - ;; - 16) - UNAME_MACHINE="alphaev6" - ;; - esac - - objdump --private-headers dummy | \ - grep ld.so.1 > /dev/null - if test "$?" = 0 ; then - LIBC="libc1" - fi - fi - rm -f dummy.s dummy - echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC} ; exit 0 - elif test "${UNAME_MACHINE}" = "mips" ; then - cat >dummy.c </dev/null && ./dummy "${UNAME_MACHINE}" && rm dummy.c dummy && exit 0 - rm -f dummy.c dummy - else - # Either a pre-BFD a.out linker (linux-gnuoldld) - # or one that does not give us useful --help. - # GCC wants to distinguish between linux-gnuoldld and linux-gnuaout. - # If ld does not provide *any* "supported emulations:" - # that means it is gnuoldld. - echo "$ld_help_string" | grep >/dev/null 2>&1 "supported emulations:" - test $? 
!= 0 && echo "${UNAME_MACHINE}-pc-linux-gnuoldld" && exit 0 - - case "${UNAME_MACHINE}" in - i?86) - VENDOR=pc; - ;; - *) - VENDOR=unknown; - ;; - esac - # Determine whether the default compiler is a.out or elf - cat >dummy.c < -main(argc, argv) - int argc; - char *argv[]; -{ -#ifdef __ELF__ -# ifdef __GLIBC__ -# if __GLIBC__ >= 2 - printf ("%s-${VENDOR}-linux-gnu\n", argv[1]); -# else - printf ("%s-${VENDOR}-linux-gnulibc1\n", argv[1]); -# endif -# else - printf ("%s-${VENDOR}-linux-gnulibc1\n", argv[1]); -# endif -#else - printf ("%s-${VENDOR}-linux-gnuaout\n", argv[1]); -#endif - return 0; -} -EOF - ${CC-cc} dummy.c -o dummy 2>/dev/null && ./dummy "${UNAME_MACHINE}" && rm dummy.c dummy && exit 0 - rm -f dummy.c dummy - fi ;; -# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. earlier versions -# are messed up and put the nodename in both sysname and nodename. - i?86:DYNIX/ptx:4*:*) - echo i386-sequent-sysv4 - exit 0 ;; - i?86:UNIX_SV:4.2MP:2.*) - # Unixware is an offshoot of SVR4, but it has its own version - # number series starting with 2... - # I am not positive that other SVR4 systems won't match this, - # I just have to hope. -- rms. - # Use sysv4.2uw... so that sysv4* matches it. 
- echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION} - exit 0 ;; - i?86:*:4.*:* | i?86:SYSTEM_V:4.*:*) - if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then - echo ${UNAME_MACHINE}-univel-sysv${UNAME_RELEASE} - else - echo ${UNAME_MACHINE}-pc-sysv${UNAME_RELEASE} - fi - exit 0 ;; - i?86:*:3.2:*) - if test -f /usr/options/cb.name; then - UNAME_REL=`sed -n 's/.*Version //p' /dev/null >/dev/null ; then - UNAME_REL=`(/bin/uname -X|egrep Release|sed -e 's/.*= //')` - (/bin/uname -X|egrep i80486 >/dev/null) && UNAME_MACHINE=i486 - (/bin/uname -X|egrep '^Machine.*Pentium' >/dev/null) \ - && UNAME_MACHINE=i586 - echo ${UNAME_MACHINE}-pc-sco$UNAME_REL - else - echo ${UNAME_MACHINE}-pc-sysv32 - fi - exit 0 ;; - i?86:UnixWare:*:*) - if /bin/uname -X 2>/dev/null >/dev/null ; then - (/bin/uname -X|egrep '^Machine.*Pentium' >/dev/null) \ - && UNAME_MACHINE=i586 - fi - echo ${UNAME_MACHINE}-unixware-${UNAME_RELEASE}-${UNAME_VERSION} - exit 0 ;; - pc:*:*:*) - # uname -m prints for DJGPP always 'pc', but it prints nothing about - # the processor, so we play safe by assuming i386. - echo i386-pc-msdosdjgpp - exit 0 ;; - Intel:Mach:3*:*) - echo i386-pc-mach3 - exit 0 ;; - paragon:*:*:*) - echo i860-intel-osf1 - exit 0 ;; - i860:*:4.*:*) # i860-SVR4 - if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then - echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4 - else # Add other i860-SVR4 vendors below as they are discovered. 
- echo i860-unknown-sysv${UNAME_RELEASE} # Unknown i860-SVR4 - fi - exit 0 ;; - mini*:CTIX:SYS*5:*) - # "miniframe" - echo m68010-convergent-sysv - exit 0 ;; - M68*:*:R3V[567]*:*) - test -r /sysV68 && echo 'm68k-motorola-sysv' && exit 0 ;; - 3[34]??:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 4850:*:4.0:3.0) - OS_REL='' - test -r /etc/.relid \ - && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` - /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ - && echo i486-ncr-sysv4.3${OS_REL} && exit 0 - /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ - && echo i586-ncr-sysv4.3${OS_REL} && exit 0 ;; - 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) - /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ - && echo i486-ncr-sysv4 && exit 0 ;; - m68*:LynxOS:2.*:*) - echo m68k-unknown-lynxos${UNAME_RELEASE} - exit 0 ;; - mc68030:UNIX_System_V:4.*:*) - echo m68k-atari-sysv4 - exit 0 ;; - i?86:LynxOS:2.*:*) - echo i386-unknown-lynxos${UNAME_RELEASE} - exit 0 ;; - TSUNAMI:LynxOS:2.*:*) - echo sparc-unknown-lynxos${UNAME_RELEASE} - exit 0 ;; - rs6000:LynxOS:2.*:* | PowerPC:LynxOS:2.*:*) - echo rs6000-unknown-lynxos${UNAME_RELEASE} - exit 0 ;; - SM[BE]S:UNIX_SV:*:*) - echo mips-dde-sysv${UNAME_RELEASE} - exit 0 ;; - RM*:SINIX-*:*:*) - echo mips-sni-sysv4 - exit 0 ;; - *:SINIX-*:*:*) - if uname -p 2>/dev/null >/dev/null ; then - UNAME_MACHINE=`(uname -p) 2>/dev/null` - echo ${UNAME_MACHINE}-sni-sysv4 - else - echo ns32k-sni-sysv - fi - exit 0 ;; - PENTIUM:CPunix:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort - # says - echo i586-unisys-sysv4 - exit 0 ;; - *:UNIX_System_V:4*:FTX*) - # From Gerald Hewes . - # How about differentiating between stratus architectures? -djm - echo hppa1.1-stratus-sysv4 - exit 0 ;; - *:*:*:FTX*) - # From seanf@swdc.stratus.com. 
- echo i860-stratus-sysv4 - exit 0 ;; - mc68*:A/UX:*:*) - echo m68k-apple-aux${UNAME_RELEASE} - exit 0 ;; - news*:NEWS-OS:*:6*) - echo mips-sony-newsos6 - exit 0 ;; - R3000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R4000:UNIX_SV:*:*) - if [ -d /usr/nec ]; then - echo mips-nec-sysv${UNAME_RELEASE} - else - echo mips-unknown-sysv${UNAME_RELEASE} - fi - exit 0 ;; - BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only. - echo powerpc-be-beos - exit 0 ;; - BeMac:BeOS:*:*) # BeOS running on Mac or Mac clone, PPC only. - echo powerpc-apple-beos - exit 0 ;; - BePC:BeOS:*:*) # BeOS running on Intel PC compatible. - echo i586-pc-beos - exit 0 ;; -esac - -#echo '(No uname command or uname output not recognized.)' 1>&2 -#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2 - -cat >dummy.c < -# include -#endif -main () -{ -#if defined (sony) -#if defined (MIPSEB) - /* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed, - I don't know.... */ - printf ("mips-sony-bsd\n"); exit (0); -#else -#include - printf ("m68k-sony-newsos%s\n", -#ifdef NEWSOS4 - "4" -#else - "" -#endif - ); exit (0); -#endif -#endif - -#if defined (__arm) && defined (__acorn) && defined (__unix) - printf ("arm-acorn-riscix"); exit (0); -#endif - -#if defined (hp300) && !defined (hpux) - printf ("m68k-hp-bsd\n"); exit (0); -#endif - -#if defined (NeXT) -#if !defined (__ARCHITECTURE__) -#define __ARCHITECTURE__ "m68k" -#endif - int version; - version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`; - printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version); - exit (0); -#endif - -#if defined (MULTIMAX) || defined (n16) -#if defined (UMAXV) - printf ("ns32k-encore-sysv\n"); exit (0); -#else -#if defined (CMU) - printf ("ns32k-encore-mach\n"); exit (0); -#else - printf ("ns32k-encore-bsd\n"); exit (0); -#endif -#endif -#endif - -#if defined (__386BSD__) - printf ("i386-pc-bsd\n"); exit (0); -#endif - -#if defined (sequent) -#if defined (i386) 
- printf ("i386-sequent-dynix\n"); exit (0); -#endif -#if defined (ns32000) - printf ("ns32k-sequent-dynix\n"); exit (0); -#endif -#endif - -#if defined (_SEQUENT_) - struct utsname un; - - uname(&un); - - if (strncmp(un.version, "V2", 2) == 0) { - printf ("i386-sequent-ptx2\n"); exit (0); - } - if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */ - printf ("i386-sequent-ptx1\n"); exit (0); - } - printf ("i386-sequent-ptx\n"); exit (0); - -#endif - -#if defined (vax) -#if !defined (ultrix) - printf ("vax-dec-bsd\n"); exit (0); -#else - printf ("vax-dec-ultrix\n"); exit (0); -#endif -#endif - -#if defined (alliant) && defined (i860) - printf ("i860-alliant-bsd\n"); exit (0); -#endif - - exit (1); -} -EOF - -${CC-cc} dummy.c -o dummy 2>/dev/null && ./dummy && rm dummy.c dummy && exit 0 -rm -f dummy.c dummy - -# Apollos put the system type in the environment. - -test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit 0; } - -# Convex versions that predate uname can use getsysinfo(1) - -if [ -x /usr/convex/getsysinfo ] -then - case `getsysinfo -f cpu_type` in - c1*) - echo c1-convex-bsd - exit 0 ;; - c2*) - if getsysinfo -f scalar_acc - then echo c32-convex-bsd - else echo c2-convex-bsd - fi - exit 0 ;; - c34*) - echo c34-convex-bsd - exit 0 ;; - c38*) - echo c38-convex-bsd - exit 0 ;; - c4*) - echo c4-convex-bsd - exit 0 ;; - esac -fi - -#echo '(Unable to guess system type)' 1>&2 - -exit 1 diff --git a/kame/kame/racoon/config.sub b/kame/kame/racoon/config.sub deleted file mode 100644 index 00bea6e6aa..0000000000 --- a/kame/kame/racoon/config.sub +++ /dev/null 
@@ -1,955 +0,0 @@ -#! /bin/sh -# Configuration validation subroutine script, version 1.1. -# Copyright (C) 1991, 92-97, 1998 Free Software Foundation, Inc. -# This file is (in principle) common to ALL GNU software. -# The presence of a machine in this file suggests that SOME GNU software -# can handle that machine. It does not imply ALL GNU software can. -# -# This file is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, -# Boston, MA 02111-1307, USA. - -# As a special exception to the GNU General Public License, if you -# distribute this file as part of a program that contains a -# configuration script generated by Autoconf, you may include it under -# the same distribution terms that you use for the rest of that program. - -# Configuration subroutine to validate and canonicalize a configuration type. -# Supply the specified configuration type as an argument. -# If it is invalid, we print an error message on stderr and exit with code 1. -# Otherwise, we print the canonical config type on stdout and succeed. - -# This file is supposed to be the same for all GNU packages -# and recognize all the CPU types, system types and aliases -# that are meaningful with *any* GNU software. -# Each package is responsible for reporting which valid configurations -# it does not support. 
The user should be able to distinguish -# a failure to support a valid configuration from a meaningless -# configuration. - -# The goal of this file is to map all the various variations of a given -# machine specification into a single specification in the form: -# CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM -# or in some cases, the newer four-part form: -# CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM -# It is wrong to echo any other type of specification. - -if [ x$1 = x ] -then - echo Configuration name missing. 1>&2 - echo "Usage: $0 CPU-MFR-OPSYS" 1>&2 - echo "or $0 ALIAS" 1>&2 - echo where ALIAS is a recognized configuration type. 1>&2 - exit 1 -fi - -# First pass through any local machine types. -case $1 in - *local*) - echo $1 - exit 0 - ;; - *) - ;; -esac - -# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any). -# Here we must recognize all the valid KERNEL-OS combinations. -maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` -case $maybe_os in - linux-gnu*) - os=-$maybe_os - basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` - ;; - *) - basic_machine=`echo $1 | sed 's/-[^-]*$//'` - if [ $basic_machine != $1 ] - then os=`echo $1 | sed 's/.*-/-/'` - else os=; fi - ;; -esac - -### Let's recognize common machines as not being operating systems so -### that things like config.sub decstation-3100 work. We also -### recognize some manufacturers as not being operating systems, so we -### can provide default operating systems below. -case $os in - -sun*os*) - # Prevent following clause from handling this invalid input. 
- ;; - -dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \ - -att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \ - -unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \ - -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ - -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ - -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ - -apple) - os= - basic_machine=$1 - ;; - -hiux*) - os=-hiuxwe2 - ;; - -sco5) - os=sco3.2v5 - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -sco4) - os=-sco3.2v4 - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -sco3.2.[4-9]*) - os=`echo $os | sed -e 's/sco3.2./sco3.2v/'` - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -sco3.2v[4-9]*) - # Don't forget version if it is 3.2v4 or newer. - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -sco*) - os=-sco3.2v2 - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -isc) - os=-isc2.2 - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -clix*) - basic_machine=clipper-intergraph - ;; - -isc*) - basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` - ;; - -lynx*) - os=-lynxos - ;; - -ptx*) - basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'` - ;; - -windowsnt*) - os=`echo $os | sed -e 's/windowsnt/winnt/'` - ;; - -psos*) - os=-psos - ;; -esac - -# Decode aliases for certain CPU-COMPANY combinations. -case $basic_machine in - # Recognize the basic CPU types without company name. - # Some are omitted here because they have special meanings below. 
- tahoe | i860 | m32r | m68k | m68000 | m88k | ns32k | arc | arm \ - | arme[lb] | pyramid | mn10200 | mn10300 | tron | a29k \ - | 580 | i960 | h8300 | hppa | hppa1.0 | hppa1.1 | hppa2.0 \ - | alpha | alphaev5 | alphaev56 | we32k | ns16k | clipper \ - | i370 | sh | powerpc | powerpcle | 1750a | dsp16xx | pdp11 \ - | mips64 | mipsel | mips64el | mips64orion | mips64orionel \ - | mipstx39 | mipstx39el \ - | sparc | sparclet | sparclite | sparc64 | v850) - basic_machine=$basic_machine-unknown - ;; - # We use `pc' rather than `unknown' - # because (1) that's what they normally are, and - # (2) the word "unknown" tends to confuse beginning users. - i[34567]86) - basic_machine=$basic_machine-pc - ;; - # Object if more than one company name word. - *-*-*) - echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 - exit 1 - ;; - # Recognize the basic CPU types with company name. - vax-* | tahoe-* | i[34567]86-* | i860-* | m32r-* | m68k-* | m68000-* \ - | m88k-* | sparc-* | ns32k-* | fx80-* | arc-* | arm-* | c[123]* \ - | mips-* | pyramid-* | tron-* | a29k-* | romp-* | rs6000-* \ - | power-* | none-* | 580-* | cray2-* | h8300-* | i960-* \ - | xmp-* | ymp-* | hppa-* | hppa1.0-* | hppa1.1-* | hppa2.0-* \ - | alpha-* | alphaev5-* | alphaev56-* | we32k-* | cydra-* \ - | ns16k-* | pn-* | np1-* | xps100-* | clipper-* | orion-* \ - | sparclite-* | pdp11-* | sh-* | powerpc-* | powerpcle-* \ - | sparc64-* | mips64-* | mipsel-* \ - | mips64el-* | mips64orion-* | mips64orionel-* \ - | mipstx39-* | mipstx39el-* \ - | f301-*) - ;; - # Recognize the various machine names and aliases which stand - # for a CPU type and a company and sometimes even an OS. 
- 3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc) - basic_machine=m68000-att - ;; - 3b*) - basic_machine=we32k-att - ;; - alliant | fx80) - basic_machine=fx80-alliant - ;; - altos | altos3068) - basic_machine=m68k-altos - ;; - am29k) - basic_machine=a29k-none - os=-bsd - ;; - amdahl) - basic_machine=580-amdahl - os=-sysv - ;; - amiga | amiga-*) - basic_machine=m68k-cbm - ;; - amigaos | amigados) - basic_machine=m68k-cbm - os=-amigaos - ;; - amigaunix | amix) - basic_machine=m68k-cbm - os=-sysv4 - ;; - apollo68) - basic_machine=m68k-apollo - os=-sysv - ;; - aux) - basic_machine=m68k-apple - os=-aux - ;; - balance) - basic_machine=ns32k-sequent - os=-dynix - ;; - convex-c1) - basic_machine=c1-convex - os=-bsd - ;; - convex-c2) - basic_machine=c2-convex - os=-bsd - ;; - convex-c32) - basic_machine=c32-convex - os=-bsd - ;; - convex-c34) - basic_machine=c34-convex - os=-bsd - ;; - convex-c38) - basic_machine=c38-convex - os=-bsd - ;; - cray | ymp) - basic_machine=ymp-cray - os=-unicos - ;; - cray2) - basic_machine=cray2-cray - os=-unicos - ;; - [ctj]90-cray) - basic_machine=c90-cray - os=-unicos - ;; - crds | unos) - basic_machine=m68k-crds - ;; - da30 | da30-*) - basic_machine=m68k-da30 - ;; - decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn) - basic_machine=mips-dec - ;; - delta | 3300 | motorola-3300 | motorola-delta \ - | 3300-motorola | delta-motorola) - basic_machine=m68k-motorola - ;; - delta88) - basic_machine=m88k-motorola - os=-sysv3 - ;; - dpx20 | dpx20-*) - basic_machine=rs6000-bull - os=-bosx - ;; - dpx2* | dpx2*-bull) - basic_machine=m68k-bull - os=-sysv3 - ;; - ebmon29k) - basic_machine=a29k-amd - os=-ebmon - ;; - elxsi) - basic_machine=elxsi-elxsi - os=-bsd - ;; - encore | umax | mmax) - basic_machine=ns32k-encore - ;; - fx2800) - basic_machine=i860-alliant - ;; - genix) - basic_machine=ns32k-ns - ;; - gmicro) - basic_machine=tron-gmicro - os=-sysv - ;; - h3050r* | hiux*) - basic_machine=hppa1.1-hitachi - os=-hiuxwe2 
- ;; - h8300hms) - basic_machine=h8300-hitachi - os=-hms - ;; - harris) - basic_machine=m88k-harris - os=-sysv3 - ;; - hp300-*) - basic_machine=m68k-hp - ;; - hp300bsd) - basic_machine=m68k-hp - os=-bsd - ;; - hp300hpux) - basic_machine=m68k-hp - os=-hpux - ;; - hp9k2[0-9][0-9] | hp9k31[0-9]) - basic_machine=m68000-hp - ;; - hp9k3[2-9][0-9]) - basic_machine=m68k-hp - ;; - hp9k7[0-9][0-9] | hp7[0-9][0-9] | hp9k8[0-9]7 | hp8[0-9]7) - basic_machine=hppa1.1-hp - ;; - hp9k8[0-9][0-9] | hp8[0-9][0-9]) - basic_machine=hppa1.0-hp - ;; - hppa-next) - os=-nextstep3 - ;; - i370-ibm* | ibm*) - basic_machine=i370-ibm - os=-mvs - ;; -# I'm not sure what "Sysv32" means. Should this be sysv3.2? - i[34567]86v32) - basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` - os=-sysv32 - ;; - i[34567]86v4*) - basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` - os=-sysv4 - ;; - i[34567]86v) - basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` - os=-sysv - ;; - i[34567]86sol2) - basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` - os=-solaris2 - ;; - iris | iris4d) - basic_machine=mips-sgi - case $os in - -irix*) - ;; - *) - os=-irix4 - ;; - esac - ;; - isi68 | isi) - basic_machine=m68k-isi - os=-sysv - ;; - m88k-omron*) - basic_machine=m88k-omron - ;; - magnum | m3230) - basic_machine=mips-mips - os=-sysv - ;; - merlin) - basic_machine=ns32k-utek - os=-sysv - ;; - miniframe) - basic_machine=m68000-convergent - ;; - mipsel*-linux*) - basic_machine=mipsel-unknown - os=-linux-gnu - ;; - mips*-linux*) - basic_machine=mips-unknown - os=-linux-gnu - ;; - mips3*-*) - basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'` - ;; - mips3*) - basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown - ;; - ncr3000) - basic_machine=i486-ncr - os=-sysv4 - ;; - news | news700 | news800 | news900) - basic_machine=m68k-sony - os=-newsos - ;; - news1000) - basic_machine=m68030-sony - os=-newsos - ;; - news-3600 | risc-news) - basic_machine=mips-sony - os=-newsos - ;; - next | m*-next ) - 
basic_machine=m68k-next - case $os in - -nextstep* ) - ;; - -ns2*) - os=-nextstep2 - ;; - *) - os=-nextstep3 - ;; - esac - ;; - nh3000) - basic_machine=m68k-harris - os=-cxux - ;; - nh[45]000) - basic_machine=m88k-harris - os=-cxux - ;; - nindy960) - basic_machine=i960-intel - os=-nindy - ;; - np1) - basic_machine=np1-gould - ;; - pa-hitachi) - basic_machine=hppa1.1-hitachi - os=-hiuxwe2 - ;; - paragon) - basic_machine=i860-intel - os=-osf - ;; - pbd) - basic_machine=sparc-tti - ;; - pbb) - basic_machine=m68k-tti - ;; - pc532 | pc532-*) - basic_machine=ns32k-pc532 - ;; - pentium | p5 | k5 | nexen) - basic_machine=i586-pc - ;; - pentiumpro | p6 | k6 | 6x86) - basic_machine=i686-pc - ;; - pentiumii | pentium2) - basic_machine=i786-pc - ;; - pentium-* | p5-* | k5-* | nexen-*) - basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - pentiumpro-* | p6-* | k6-* | 6x86-*) - basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - pentiumii-* | pentium2-*) - basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - pn) - basic_machine=pn-gould - ;; - power) basic_machine=rs6000-ibm - ;; - ppc) basic_machine=powerpc-unknown - ;; - ppc-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - ppcle | powerpclittle | ppc-le | powerpc-little) - basic_machine=powerpcle-unknown - ;; - ppcle-* | powerpclittle-*) - basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - ps2) - basic_machine=i386-ibm - ;; - rm[46]00) - basic_machine=mips-siemens - ;; - rtpc | rtpc-*) - basic_machine=romp-ibm - ;; - sequent) - basic_machine=i386-sequent - ;; - sh) - basic_machine=sh-hitachi - os=-hms - ;; - sps7) - basic_machine=m68k-bull - os=-sysv2 - ;; - spur) - basic_machine=spur-unknown - ;; - sun2) - basic_machine=m68000-sun - ;; - sun2os3) - basic_machine=m68000-sun - os=-sunos3 - ;; - sun2os4) - basic_machine=m68000-sun - os=-sunos4 - ;; - sun3os3) - basic_machine=m68k-sun - os=-sunos3 - ;; - sun3os4) - basic_machine=m68k-sun 
- os=-sunos4 - ;; - sun4os3) - basic_machine=sparc-sun - os=-sunos3 - ;; - sun4os4) - basic_machine=sparc-sun - os=-sunos4 - ;; - sun4sol2) - basic_machine=sparc-sun - os=-solaris2 - ;; - sun3 | sun3-*) - basic_machine=m68k-sun - ;; - sun4) - basic_machine=sparc-sun - ;; - sun386 | sun386i | roadrunner) - basic_machine=i386-sun - ;; - symmetry) - basic_machine=i386-sequent - os=-dynix - ;; - tx39) - basic_machine=mipstx39-unknown - ;; - tx39el) - basic_machine=mipstx39el-unknown - ;; - tower | tower-32) - basic_machine=m68k-ncr - ;; - udi29k) - basic_machine=a29k-amd - os=-udi - ;; - ultra3) - basic_machine=a29k-nyu - os=-sym1 - ;; - vaxv) - basic_machine=vax-dec - os=-sysv - ;; - vms) - basic_machine=vax-dec - os=-vms - ;; - vpp*|vx|vx-*) - basic_machine=f301-fujitsu - ;; - vxworks960) - basic_machine=i960-wrs - os=-vxworks - ;; - vxworks68) - basic_machine=m68k-wrs - os=-vxworks - ;; - vxworks29k) - basic_machine=a29k-wrs - os=-vxworks - ;; - xmp) - basic_machine=xmp-cray - os=-unicos - ;; - xps | xps100) - basic_machine=xps100-honeywell - ;; - none) - basic_machine=none-none - os=-none - ;; - -# Here we handle the default manufacturer of certain CPU types. It is in -# some cases the only manufacturer, in others, it is the most popular. - mips) - if [ x$os = x-linux-gnu ]; then - basic_machine=mips-unknown - else - basic_machine=mips-mips - fi - ;; - romp) - basic_machine=romp-ibm - ;; - rs6000) - basic_machine=rs6000-ibm - ;; - vax) - basic_machine=vax-dec - ;; - pdp11) - basic_machine=pdp11-dec - ;; - we32k) - basic_machine=we32k-att - ;; - sparc) - basic_machine=sparc-sun - ;; - cydra) - basic_machine=cydra-cydrome - ;; - orion) - basic_machine=orion-highlevel - ;; - orion105) - basic_machine=clipper-highlevel - ;; - *) - echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 - exit 1 - ;; -esac - -# Here we canonicalize certain aliases for manufacturers. 
-case $basic_machine in - *-digital*) - basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'` - ;; - *-commodore*) - basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'` - ;; - *) - ;; -esac - -# Decode manufacturer-specific aliases for certain operating systems. - -if [ x"$os" != x"" ] -then -case $os in - # First match some system type aliases - # that might get confused with valid system types. - # -solaris* is a basic system type, with this one exception. - -solaris1 | -solaris1.*) - os=`echo $os | sed -e 's|solaris1|sunos4|'` - ;; - -solaris) - os=-solaris2 - ;; - -svr4*) - os=-sysv4 - ;; - -unixware*) - os=-sysv4.2uw - ;; - -gnu/linux*) - os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'` - ;; - # First accept the basic system types. - # The portable systems comes first. - # Each alternative MUST END IN A *, to match a version number. - # -sysv* is not here because it comes later, after sysvr4. - -gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \ - | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\ - | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \ - | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \ - | -aos* \ - | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ - | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ - | -hiux* | -386bsd* | -netbsd* | -openbsd* | -freebsd* | -riscix* \ - | -lynxos* | -bosx* | -nextstep* | -cxux* | -aout* | -elf* \ - | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ - | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ - | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ - | -mingw32* | -linux-gnu* | -uxpv* | -beos*) - # Remember, each alternative MUST END IN *, to match a version number. 
- ;; - -linux*) - os=`echo $os | sed -e 's|linux|linux-gnu|'` - ;; - -sunos5*) - os=`echo $os | sed -e 's|sunos5|solaris2|'` - ;; - -sunos6*) - os=`echo $os | sed -e 's|sunos6|solaris3|'` - ;; - -osfrose*) - os=-osfrose - ;; - -osf*) - os=-osf - ;; - -utek*) - os=-bsd - ;; - -dynix*) - os=-bsd - ;; - -acis*) - os=-aos - ;; - -ctix* | -uts*) - os=-sysv - ;; - -ns2 ) - os=-nextstep2 - ;; - # Preserve the version number of sinix5. - -sinix5.*) - os=`echo $os | sed -e 's|sinix|sysv|'` - ;; - -sinix*) - os=-sysv4 - ;; - -triton*) - os=-sysv3 - ;; - -oss*) - os=-sysv3 - ;; - -svr4) - os=-sysv4 - ;; - -svr3) - os=-sysv3 - ;; - -sysvr4) - os=-sysv4 - ;; - # This must come after -sysvr4. - -sysv*) - ;; - -xenix) - os=-xenix - ;; - -none) - ;; - *) - # Get rid of the `-' at the beginning of $os. - os=`echo $os | sed 's/[^-]*-//'` - echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2 - exit 1 - ;; -esac -else - -# Here we handle the default operating systems that come with various machines. -# The value should be what the vendor currently ships out the door with their -# machine or put another way, the most popular os provided with the machine. - -# Note that if you're going to try to match "-MANUFACTURER" here (say, -# "-sun"), then you have to tell the case statement up towards the top -# that MANUFACTURER isn't an operating system. Otherwise, code above -# will signal an error saying that MANUFACTURER isn't an operating -# system, and we'll never get to this point. - -case $basic_machine in - *-acorn) - os=-riscix1.2 - ;; - arm*-semi) - os=-aout - ;; - pdp11-*) - os=-none - ;; - *-dec | vax-*) - os=-ultrix4.2 - ;; - m68*-apollo) - os=-domain - ;; - i386-sun) - os=-sunos4.0.2 - ;; - m68000-sun) - os=-sunos3 - # This also exists in the configure program, but was not the - # default. - # os=-sunos4 - ;; - *-tti) # must be before sparc entry or we get the wrong os. 
- os=-sysv3 - ;; - sparc-* | *-sun) - os=-sunos4.1.1 - ;; - *-be) - os=-beos - ;; - *-ibm) - os=-aix - ;; - *-hp) - os=-hpux - ;; - *-hitachi) - os=-hiux - ;; - i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent) - os=-sysv - ;; - *-cbm) - os=-amigaos - ;; - *-dg) - os=-dgux - ;; - *-dolphin) - os=-sysv3 - ;; - m68k-ccur) - os=-rtu - ;; - m88k-omron*) - os=-luna - ;; - *-next ) - os=-nextstep - ;; - *-sequent) - os=-ptx - ;; - *-crds) - os=-unos - ;; - *-ns) - os=-genix - ;; - i370-*) - os=-mvs - ;; - *-next) - os=-nextstep3 - ;; - *-gould) - os=-sysv - ;; - *-highlevel) - os=-bsd - ;; - *-encore) - os=-bsd - ;; - *-sgi) - os=-irix - ;; - *-siemens) - os=-sysv4 - ;; - *-masscomp) - os=-rtu - ;; - f301-fujitsu) - os=-uxpv - ;; - *) - os=-none - ;; -esac -fi - -# Here we handle the case where we know the os, and the CPU type, but not the -# manufacturer. We pick the logical manufacturer. -vendor=unknown -case $basic_machine in - *-unknown) - case $os in - -riscix*) - vendor=acorn - ;; - -sunos*) - vendor=sun - ;; - -aix*) - vendor=ibm - ;; - -hpux*) - vendor=hp - ;; - -hiux*) - vendor=hitachi - ;; - -unos*) - vendor=crds - ;; - -dgux*) - vendor=dg - ;; - -luna*) - vendor=omron - ;; - -genix*) - vendor=ns - ;; - -mvs*) - vendor=ibm - ;; - -ptx*) - vendor=sequent - ;; - -vxsim* | -vxworks*) - vendor=wrs - ;; - -aux*) - vendor=apple - ;; - esac - basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"` - ;; -esac - -echo $basic_machine$os diff --git a/kame/kame/racoon/configure b/kame/kame/racoon/configure deleted file mode 100755 index 3f765a4e86..0000000000 --- a/kame/kame/racoon/configure +++ /dev/null 
@@ -1,4804 +0,0 @@ -#! /bin/sh - -# Guess values for system-dependent variables and create Makefiles. -# Generated automatically using autoconf version 2.13 -# Copyright (C) 1992, 93, 94, 95, 96 Free Software Foundation, Inc. -# -# This configure script is free software; the Free Software Foundation -# gives unlimited permission to copy, distribute and modify it. - -# Defaults: -ac_help= -ac_default_prefix=/usr/local -# Any additions from configure.in: -ac_help="$ac_help - --enable-debug build a debug version" -ac_help="$ac_help - --enable-debugrm build with the memory allocation recorder" -ac_help="$ac_help - --enable-yydebug build a yydebug version" -ac_help="$ac_help - --enable-pedant pedantic compiler options" -ac_help="$ac_help - --enable-adminport enable admin port (INSECURE!)" -ac_help="$ac_help - --enable-rc5 enable RC5 encryption (patented)" -ac_help="$ac_help - --enable-idea enable IDEA encryption (patented)" -ac_help="$ac_help - --enable-gssapi enable GSS-API authentication" -ac_help="$ac_help - --enable-stats enable statistics logging function" -ac_help="$ac_help - --enable-samode-unspec enable to use unspecified a mode of SA" -ac_help="$ac_help - --with-efence=DIR specify ElectricFence directory" -ac_help="$ac_help - --with-gc=DIR specify Bohem GC directory (experimental)" -ac_help="$ac_help - --with-dmalloc=DIR specify Dmalloc directory" -ac_help="$ac_help - --with-tcpdump use tcpdump decoder on debugging" -ac_help="$ac_help - --enable-ipv6 Enable ipv6 (with ipv4) support - --disable-ipv6 Disable ipv6 support" -ac_help="$ac_help - --with-ssleay=DIR specify SSLeay directory" -ac_help="$ac_help - --with-libpfkey=DIR specify libpfkey.a dir" -ac_help="$ac_help - --with-lwres=DIR specify liblwres path (like /usr/pkg)" -ac_help="$ac_help - --with-pkgversion=VERSION specify package version" - -# Initialize some variables set by options. -# The variables have the same names as the options, with -# dashes changed to underlines. 
-build=NONE -cache_file=./config.cache -exec_prefix=NONE -host=NONE -no_create= -nonopt=NONE -no_recursion= -prefix=NONE -program_prefix=NONE -program_suffix=NONE -program_transform_name=s,x,x, -silent= -site= -srcdir= -target=NONE -verbose= -x_includes=NONE -x_libraries=NONE -bindir='${exec_prefix}/bin' -sbindir='${exec_prefix}/sbin' -libexecdir='${exec_prefix}/libexec' -datadir='${prefix}/share' -sysconfdir='${prefix}/etc' -sharedstatedir='${prefix}/com' -localstatedir='${prefix}/var' -libdir='${exec_prefix}/lib' -includedir='${prefix}/include' -oldincludedir='/usr/include' -infodir='${prefix}/info' -mandir='${prefix}/man' - -# Initialize some other variables. -subdirs= -MFLAGS= MAKEFLAGS= -SHELL=${CONFIG_SHELL-/bin/sh} -# Maximum number of lines to put in a shell here document. -ac_max_here_lines=12 - -ac_prev= -for ac_option -do - - # If the previous option needs an argument, assign it. - if test -n "$ac_prev"; then - eval "$ac_prev=\$ac_option" - ac_prev= - continue - fi - - case "$ac_option" in - -*=*) ac_optarg=`echo "$ac_option" | sed 's/[-_a-zA-Z0-9]*=//'` ;; - *) ac_optarg= ;; - esac - - # Accept the important Cygnus configure options, so we can diagnose typos. 
- - case "$ac_option" in - - -bindir | --bindir | --bindi | --bind | --bin | --bi) - ac_prev=bindir ;; - -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*) - bindir="$ac_optarg" ;; - - -build | --build | --buil | --bui | --bu) - ac_prev=build ;; - -build=* | --build=* | --buil=* | --bui=* | --bu=*) - build="$ac_optarg" ;; - - -cache-file | --cache-file | --cache-fil | --cache-fi \ - | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c) - ac_prev=cache_file ;; - -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \ - | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*) - cache_file="$ac_optarg" ;; - - -datadir | --datadir | --datadi | --datad | --data | --dat | --da) - ac_prev=datadir ;; - -datadir=* | --datadir=* | --datadi=* | --datad=* | --data=* | --dat=* \ - | --da=*) - datadir="$ac_optarg" ;; - - -disable-* | --disable-*) - ac_feature=`echo $ac_option|sed -e 's/-*disable-//'` - # Reject names that are not valid shell variable names. - if test -n "`echo $ac_feature| sed 's/[-a-zA-Z0-9_]//g'`"; then - { echo "configure: error: $ac_feature: invalid feature name" 1>&2; exit 1; } - fi - ac_feature=`echo $ac_feature| sed 's/-/_/g'` - eval "enable_${ac_feature}=no" ;; - - -enable-* | --enable-*) - ac_feature=`echo $ac_option|sed -e 's/-*enable-//' -e 's/=.*//'` - # Reject names that are not valid shell variable names. 
- if test -n "`echo $ac_feature| sed 's/[-_a-zA-Z0-9]//g'`"; then - { echo "configure: error: $ac_feature: invalid feature name" 1>&2; exit 1; } - fi - ac_feature=`echo $ac_feature| sed 's/-/_/g'` - case "$ac_option" in - *=*) ;; - *) ac_optarg=yes ;; - esac - eval "enable_${ac_feature}='$ac_optarg'" ;; - - -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \ - | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \ - | --exec | --exe | --ex) - ac_prev=exec_prefix ;; - -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \ - | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \ - | --exec=* | --exe=* | --ex=*) - exec_prefix="$ac_optarg" ;; - - -gas | --gas | --ga | --g) - # Obsolete; use --with-gas. - with_gas=yes ;; - - -help | --help | --hel | --he) - # Omit some internal or obsolete options to make the list less imposing. - # This message is too long to be a string in the A/UX 3.1 sh. - cat << EOF -Usage: configure [options] [host] -Options: [defaults in brackets after descriptions] -Configuration: - --cache-file=FILE cache test results in FILE - --help print this message - --no-create do not create output files - --quiet, --silent do not print \`checking...' 
messages - --version print the version of autoconf that created configure -Directory and file names: - --prefix=PREFIX install architecture-independent files in PREFIX - [$ac_default_prefix] - --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX - [same as prefix] - --bindir=DIR user executables in DIR [EPREFIX/bin] - --sbindir=DIR system admin executables in DIR [EPREFIX/sbin] - --libexecdir=DIR program executables in DIR [EPREFIX/libexec] - --datadir=DIR read-only architecture-independent data in DIR - [PREFIX/share] - --sysconfdir=DIR read-only single-machine data in DIR [PREFIX/etc] - --sharedstatedir=DIR modifiable architecture-independent data in DIR - [PREFIX/com] - --localstatedir=DIR modifiable single-machine data in DIR [PREFIX/var] - --libdir=DIR object code libraries in DIR [EPREFIX/lib] - --includedir=DIR C header files in DIR [PREFIX/include] - --oldincludedir=DIR C header files for non-gcc in DIR [/usr/include] - --infodir=DIR info documentation in DIR [PREFIX/info] - --mandir=DIR man documentation in DIR [PREFIX/man] - --srcdir=DIR find the sources in DIR [configure dir or ..] 
- --program-prefix=PREFIX prepend PREFIX to installed program names - --program-suffix=SUFFIX append SUFFIX to installed program names - --program-transform-name=PROGRAM - run sed PROGRAM on installed program names -EOF - cat << EOF -Host type: - --build=BUILD configure for building on BUILD [BUILD=HOST] - --host=HOST configure for HOST [guessed] - --target=TARGET configure for TARGET [TARGET=HOST] -Features and packages: - --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) - --enable-FEATURE[=ARG] include FEATURE [ARG=yes] - --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] - --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) - --x-includes=DIR X include files are in DIR - --x-libraries=DIR X library files are in DIR -EOF - if test -n "$ac_help"; then - echo "--enable and --with options recognized:$ac_help" - fi - exit 0 ;; - - -host | --host | --hos | --ho) - ac_prev=host ;; - -host=* | --host=* | --hos=* | --ho=*) - host="$ac_optarg" ;; - - -includedir | --includedir | --includedi | --included | --include \ - | --includ | --inclu | --incl | --inc) - ac_prev=includedir ;; - -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \ - | --includ=* | --inclu=* | --incl=* | --inc=*) - includedir="$ac_optarg" ;; - - -infodir | --infodir | --infodi | --infod | --info | --inf) - ac_prev=infodir ;; - -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*) - infodir="$ac_optarg" ;; - - -libdir | --libdir | --libdi | --libd) - ac_prev=libdir ;; - -libdir=* | --libdir=* | --libdi=* | --libd=*) - libdir="$ac_optarg" ;; - - -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \ - | --libexe | --libex | --libe) - ac_prev=libexecdir ;; - -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \ - | --libexe=* | --libex=* | --libe=*) - libexecdir="$ac_optarg" ;; - - -localstatedir | --localstatedir | --localstatedi | --localstated \ - | --localstate | --localstat | --localsta | 
--localst \ - | --locals | --local | --loca | --loc | --lo) - ac_prev=localstatedir ;; - -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \ - | --localstate=* | --localstat=* | --localsta=* | --localst=* \ - | --locals=* | --local=* | --loca=* | --loc=* | --lo=*) - localstatedir="$ac_optarg" ;; - - -mandir | --mandir | --mandi | --mand | --man | --ma | --m) - ac_prev=mandir ;; - -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*) - mandir="$ac_optarg" ;; - - -nfp | --nfp | --nf) - # Obsolete; use --without-fp. - with_fp=no ;; - - -no-create | --no-create | --no-creat | --no-crea | --no-cre \ - | --no-cr | --no-c) - no_create=yes ;; - - -no-recursion | --no-recursion | --no-recursio | --no-recursi \ - | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) - no_recursion=yes ;; - - -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \ - | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \ - | --oldin | --oldi | --old | --ol | --o) - ac_prev=oldincludedir ;; - -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \ - | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \ - | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*) - oldincludedir="$ac_optarg" ;; - - -prefix | --prefix | --prefi | --pref | --pre | --pr | --p) - ac_prev=prefix ;; - -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*) - prefix="$ac_optarg" ;; - - -program-prefix | --program-prefix | --program-prefi | --program-pref \ - | --program-pre | --program-pr | --program-p) - ac_prev=program_prefix ;; - -program-prefix=* | --program-prefix=* | --program-prefi=* \ - | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*) - program_prefix="$ac_optarg" ;; - - -program-suffix | --program-suffix | --program-suffi | --program-suff \ - | --program-suf | --program-su | --program-s) - ac_prev=program_suffix ;; - -program-suffix=* | 
--program-suffix=* | --program-suffi=* \ - | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*) - program_suffix="$ac_optarg" ;; - - -program-transform-name | --program-transform-name \ - | --program-transform-nam | --program-transform-na \ - | --program-transform-n | --program-transform- \ - | --program-transform | --program-transfor \ - | --program-transfo | --program-transf \ - | --program-trans | --program-tran \ - | --progr-tra | --program-tr | --program-t) - ac_prev=program_transform_name ;; - -program-transform-name=* | --program-transform-name=* \ - | --program-transform-nam=* | --program-transform-na=* \ - | --program-transform-n=* | --program-transform-=* \ - | --program-transform=* | --program-transfor=* \ - | --program-transfo=* | --program-transf=* \ - | --program-trans=* | --program-tran=* \ - | --progr-tra=* | --program-tr=* | --program-t=*) - program_transform_name="$ac_optarg" ;; - - -q | -quiet | --quiet | --quie | --qui | --qu | --q \ - | -silent | --silent | --silen | --sile | --sil) - silent=yes ;; - - -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) - ac_prev=sbindir ;; - -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ - | --sbi=* | --sb=*) - sbindir="$ac_optarg" ;; - - -sharedstatedir | --sharedstatedir | --sharedstatedi \ - | --sharedstated | --sharedstate | --sharedstat | --sharedsta \ - | --sharedst | --shareds | --shared | --share | --shar \ - | --sha | --sh) - ac_prev=sharedstatedir ;; - -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \ - | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \ - | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \ - | --sha=* | --sh=*) - sharedstatedir="$ac_optarg" ;; - - -site | --site | --sit) - ac_prev=site ;; - -site=* | --site=* | --sit=*) - site="$ac_optarg" ;; - - -srcdir | --srcdir | --srcdi | --srcd | --src | --sr) - ac_prev=srcdir ;; - -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*) - 
srcdir="$ac_optarg" ;; - - -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \ - | --syscon | --sysco | --sysc | --sys | --sy) - ac_prev=sysconfdir ;; - -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \ - | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*) - sysconfdir="$ac_optarg" ;; - - -target | --target | --targe | --targ | --tar | --ta | --t) - ac_prev=target ;; - -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*) - target="$ac_optarg" ;; - - -v | -verbose | --verbose | --verbos | --verbo | --verb) - verbose=yes ;; - - -version | --version | --versio | --versi | --vers) - echo "configure generated by autoconf version 2.13" - exit 0 ;; - - -with-* | --with-*) - ac_package=`echo $ac_option|sed -e 's/-*with-//' -e 's/=.*//'` - # Reject names that are not valid shell variable names. - if test -n "`echo $ac_package| sed 's/[-_a-zA-Z0-9]//g'`"; then - { echo "configure: error: $ac_package: invalid package name" 1>&2; exit 1; } - fi - ac_package=`echo $ac_package| sed 's/-/_/g'` - case "$ac_option" in - *=*) ;; - *) ac_optarg=yes ;; - esac - eval "with_${ac_package}='$ac_optarg'" ;; - - -without-* | --without-*) - ac_package=`echo $ac_option|sed -e 's/-*without-//'` - # Reject names that are not valid shell variable names. - if test -n "`echo $ac_package| sed 's/[-a-zA-Z0-9_]//g'`"; then - { echo "configure: error: $ac_package: invalid package name" 1>&2; exit 1; } - fi - ac_package=`echo $ac_package| sed 's/-/_/g'` - eval "with_${ac_package}=no" ;; - - --x) - # Obsolete; use --with-x. 
- with_x=yes ;; - - -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \ - | --x-incl | --x-inc | --x-in | --x-i) - ac_prev=x_includes ;; - -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \ - | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*) - x_includes="$ac_optarg" ;; - - -x-libraries | --x-libraries | --x-librarie | --x-librari \ - | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l) - ac_prev=x_libraries ;; - -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \ - | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*) - x_libraries="$ac_optarg" ;; - - -*) { echo "configure: error: $ac_option: invalid option; use --help to show usage" 1>&2; exit 1; } - ;; - - *) - if test -n "`echo $ac_option| sed 's/[-a-z0-9.]//g'`"; then - echo "configure: warning: $ac_option: invalid host type" 1>&2 - fi - if test "x$nonopt" != xNONE; then - { echo "configure: error: can only configure for one host and one target at a time" 1>&2; exit 1; } - fi - nonopt="$ac_option" - ;; - - esac -done - -if test -n "$ac_prev"; then - { echo "configure: error: missing argument to --`echo $ac_prev | sed 's/_/-/g'`" 1>&2; exit 1; } -fi - -trap 'rm -fr conftest* confdefs* core core.* *.core $ac_clean_files; exit 1' 1 2 15 - -# File descriptor usage: -# 0 standard input -# 1 file creation -# 2 errors and warnings -# 3 some systems may open it to /dev/tty -# 4 used on the Kubota Titan -# 6 checking for... messages and results -# 5 compiler messages saved in config.log -if test "$silent" = yes; then - exec 6>/dev/null -else - exec 6>&1 -fi -exec 5>./config.log - -echo "\ -This file contains any messages produced by compilers while -running configure, to aid debugging if configure makes a mistake. -" 1>&5 - -# Strip out --no-create and --no-recursion so they do not pile up. -# Also quote any args containing shell metacharacters. 
-ac_configure_args= -for ac_arg -do - case "$ac_arg" in - -no-create | --no-create | --no-creat | --no-crea | --no-cre \ - | --no-cr | --no-c) ;; - -no-recursion | --no-recursion | --no-recursio | --no-recursi \ - | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) ;; - *" "*|*" "*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?]*) - ac_configure_args="$ac_configure_args '$ac_arg'" ;; - *) ac_configure_args="$ac_configure_args $ac_arg" ;; - esac -done - -# NLS nuisances. -# Only set these to C if already set. These must not be set unconditionally -# because not all systems understand e.g. LANG=C (notably SCO). -# Fixing LC_MESSAGES prevents Solaris sh from translating var values in `set'! -# Non-C LC_CTYPE values break the ctype check. -if test "${LANG+set}" = set; then LANG=C; export LANG; fi -if test "${LC_ALL+set}" = set; then LC_ALL=C; export LC_ALL; fi -if test "${LC_MESSAGES+set}" = set; then LC_MESSAGES=C; export LC_MESSAGES; fi -if test "${LC_CTYPE+set}" = set; then LC_CTYPE=C; export LC_CTYPE; fi - -# confdefs.h avoids OS command line length limits that DEFS can exceed. -rm -rf conftest* confdefs.h -# AIX cpp loses on an empty file, so make sure it contains at least a newline. -echo > confdefs.h - -# A filename unique to this package, relative to the directory that -# configure is in, which we can look for to find out if srcdir is correct. -ac_unique_file=admin.c - -# Find the source files, if location was not specified. -if test -z "$srcdir"; then - ac_srcdir_defaulted=yes - # Try the directory containing this script, then its parent. - ac_prog=$0 - ac_confdir=`echo $ac_prog|sed 's%/[^/][^/]*$%%'` - test "x$ac_confdir" = "x$ac_prog" && ac_confdir=. - srcdir=$ac_confdir - if test ! -r $srcdir/$ac_unique_file; then - srcdir=.. - fi -else - ac_srcdir_defaulted=no -fi -if test ! -r $srcdir/$ac_unique_file; then - if test "$ac_srcdir_defaulted" = yes; then - { echo "configure: error: can not find sources in $ac_confdir or .." 
1>&2; exit 1; } - else - { echo "configure: error: can not find sources in $srcdir" 1>&2; exit 1; } - fi -fi -srcdir=`echo "${srcdir}" | sed 's%\([^/]\)/*$%\1%'` - -# Prefer explicitly selected file to automatically selected ones. -if test -z "$CONFIG_SITE"; then - if test "x$prefix" != xNONE; then - CONFIG_SITE="$prefix/share/config.site $prefix/etc/config.site" - else - CONFIG_SITE="$ac_default_prefix/share/config.site $ac_default_prefix/etc/config.site" - fi -fi -for ac_site_file in $CONFIG_SITE; do - if test -r "$ac_site_file"; then - echo "loading site script $ac_site_file" - . "$ac_site_file" - fi -done - -if test -r "$cache_file"; then - echo "loading cache $cache_file" - . $cache_file -else - echo "creating cache $cache_file" - > $cache_file -fi - -ac_ext=c -# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options. -ac_cpp='$CPP $CPPFLAGS' -ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5' -ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5' -cross_compiling=$ac_cv_prog_cc_cross - -ac_exeext= -ac_objext=o -if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null; then - # Stardent Vistra SVR4 grep lacks -e, says ghazi@caip.rutgers.edu. - if (echo -n testing; echo 1,2,3) | sed s/-n/xn/ | grep xn >/dev/null; then - ac_n= ac_c=' -' ac_t=' ' - else - ac_n=-n ac_c= ac_t= - fi -else - ac_n= ac_c='\c' ac_t= -fi - - - -# Extract the first word of "gcc", so it can be a program name with args. -set dummy gcc; ac_word=$2 -echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:568: checking for $ac_word" >&5 -if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - if test -n "$CC"; then - ac_cv_prog_CC="$CC" # Let the user override the test. -else - IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" - ac_dummy="$PATH" - for ac_dir in $ac_dummy; do - test -z "$ac_dir" && ac_dir=. 
- if test -f $ac_dir/$ac_word; then - ac_cv_prog_CC="gcc" - break - fi - done - IFS="$ac_save_ifs" -fi -fi -CC="$ac_cv_prog_CC" -if test -n "$CC"; then - echo "$ac_t""$CC" 1>&6 -else - echo "$ac_t""no" 1>&6 -fi - -if test -z "$CC"; then - # Extract the first word of "cc", so it can be a program name with args. -set dummy cc; ac_word=$2 -echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:598: checking for $ac_word" >&5 -if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - if test -n "$CC"; then - ac_cv_prog_CC="$CC" # Let the user override the test. -else - IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" - ac_prog_rejected=no - ac_dummy="$PATH" - for ac_dir in $ac_dummy; do - test -z "$ac_dir" && ac_dir=. - if test -f $ac_dir/$ac_word; then - if test "$ac_dir/$ac_word" = "/usr/ucb/cc"; then - ac_prog_rejected=yes - continue - fi - ac_cv_prog_CC="cc" - break - fi - done - IFS="$ac_save_ifs" -if test $ac_prog_rejected = yes; then - # We found a bogon in the path, so make sure we never use it. - set dummy $ac_cv_prog_CC - shift - if test $# -gt 0; then - # We chose a different compiler from the bogus one. - # However, it has the same basename, so the bogon will be chosen - # first if we set CC to just the basename; use the full file name. - shift - set dummy "$ac_dir/$ac_word" "$@" - shift - ac_cv_prog_CC="$@" - fi -fi -fi -fi -CC="$ac_cv_prog_CC" -if test -n "$CC"; then - echo "$ac_t""$CC" 1>&6 -else - echo "$ac_t""no" 1>&6 -fi - - if test -z "$CC"; then - case "`uname -s`" in - *win32* | *WIN32*) - # Extract the first word of "cl", so it can be a program name with args. -set dummy cl; ac_word=$2 -echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:649: checking for $ac_word" >&5 -if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - if test -n "$CC"; then - ac_cv_prog_CC="$CC" # Let the user override the test. 
-else - IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" - ac_dummy="$PATH" - for ac_dir in $ac_dummy; do - test -z "$ac_dir" && ac_dir=. - if test -f $ac_dir/$ac_word; then - ac_cv_prog_CC="cl" - break - fi - done - IFS="$ac_save_ifs" -fi -fi -CC="$ac_cv_prog_CC" -if test -n "$CC"; then - echo "$ac_t""$CC" 1>&6 -else - echo "$ac_t""no" 1>&6 -fi - ;; - esac - fi - test -z "$CC" && { echo "configure: error: no acceptable cc found in \$PATH" 1>&2; exit 1; } -fi - -echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works""... $ac_c" 1>&6 -echo "configure:681: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5 - -ac_ext=c -# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options. -ac_cpp='$CPP $CPPFLAGS' -ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5' -ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5' -cross_compiling=$ac_cv_prog_cc_cross - -cat > conftest.$ac_ext << EOF - -#line 692 "configure" -#include "confdefs.h" - -main(){return(0);} -EOF -if { (eval echo configure:697: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - ac_cv_prog_cc_works=yes - # If we can't run a trivial program, we are probably using a cross compiler. - if (./conftest; exit) 2>/dev/null; then - ac_cv_prog_cc_cross=no - else - ac_cv_prog_cc_cross=yes - fi -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - ac_cv_prog_cc_works=no -fi -rm -fr conftest* -ac_ext=c -# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options. 
-ac_cpp='$CPP $CPPFLAGS' -ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5' -ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5' -cross_compiling=$ac_cv_prog_cc_cross - -echo "$ac_t""$ac_cv_prog_cc_works" 1>&6 -if test $ac_cv_prog_cc_works = no; then - { echo "configure: error: installation or configuration problem: C compiler cannot create executables." 1>&2; exit 1; } -fi -echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6 -echo "configure:723: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5 -echo "$ac_t""$ac_cv_prog_cc_cross" 1>&6 -cross_compiling=$ac_cv_prog_cc_cross - -echo $ac_n "checking whether we are using GNU C""... $ac_c" 1>&6 -echo "configure:728: checking whether we are using GNU C" >&5 -if eval "test \"`echo '$''{'ac_cv_prog_gcc'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.c <&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then - ac_cv_prog_gcc=yes -else - ac_cv_prog_gcc=no -fi -fi - -echo "$ac_t""$ac_cv_prog_gcc" 1>&6 - -if test $ac_cv_prog_gcc = yes; then - GCC=yes -else - GCC= -fi - -ac_test_CFLAGS="${CFLAGS+set}" -ac_save_CFLAGS="$CFLAGS" -CFLAGS= -echo $ac_n "checking whether ${CC-cc} accepts -g""... 
$ac_c" 1>&6 -echo "configure:756: checking whether ${CC-cc} accepts -g" >&5 -if eval "test \"`echo '$''{'ac_cv_prog_cc_g'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - echo 'void f(){}' > conftest.c -if test -z "`${CC-cc} -g -c conftest.c 2>&1`"; then - ac_cv_prog_cc_g=yes -else - ac_cv_prog_cc_g=no -fi -rm -f conftest* - -fi - -echo "$ac_t""$ac_cv_prog_cc_g" 1>&6 -if test "$ac_test_CFLAGS" = set; then - CFLAGS="$ac_save_CFLAGS" -elif test $ac_cv_prog_cc_g = yes; then - if test "$GCC" = yes; then - CFLAGS="-g -O2" - else - CFLAGS="-g" - fi -else - if test "$GCC" = yes; then - CFLAGS="-O2" - else - CFLAGS= - fi -fi - -echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6 -echo "configure:788: checking how to run the C preprocessor" >&5 -# On Suns, sometimes $CPP names a directory. -if test -n "$CPP" && test -d "$CPP"; then - CPP= -fi -if test -z "$CPP"; then -if eval "test \"`echo '$''{'ac_cv_prog_CPP'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - # This must be in double quotes, not single quotes, because CPP may get - # substituted into the Makefile and "${CC-cc}" will confuse make. - CPP="${CC-cc} -E" - # On the NeXT, cc -E runs the code through the compiler's parser, - # not just through cpp. 
- cat > conftest.$ac_ext < -Syntax Error -EOF -ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:809: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } -ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` -if test -z "$ac_err"; then - : -else - echo "$ac_err" >&5 - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - CPP="${CC-cc} -E -traditional-cpp" - cat > conftest.$ac_ext < -Syntax Error -EOF -ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:826: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } -ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` -if test -z "$ac_err"; then - : -else - echo "$ac_err" >&5 - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - CPP="${CC-cc} -nologo -E" - cat > conftest.$ac_ext < -Syntax Error -EOF -ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:843: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } -ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` -if test -z "$ac_err"; then - : -else - echo "$ac_err" >&5 - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - CPP=/lib/cpp -fi -rm -f conftest* -fi -rm -f conftest* -fi -rm -f conftest* - ac_cv_prog_CPP="$CPP" -fi - CPP="$ac_cv_prog_CPP" -else - ac_cv_prog_CPP="$CPP" -fi -echo "$ac_t""$CPP" 1>&6 - -# Extract the first word of "flex", so it can be a program name with args. -set dummy flex; ac_word=$2 -echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:870: checking for $ac_word" >&5 -if eval "test \"`echo '$''{'ac_cv_prog_LEX'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - if test -n "$LEX"; then - ac_cv_prog_LEX="$LEX" # Let the user override the test. -else - IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" - ac_dummy="$PATH" - for ac_dir in $ac_dummy; do - test -z "$ac_dir" && ac_dir=. 
- if test -f $ac_dir/$ac_word; then - ac_cv_prog_LEX="flex" - break - fi - done - IFS="$ac_save_ifs" - test -z "$ac_cv_prog_LEX" && ac_cv_prog_LEX="lex" -fi -fi -LEX="$ac_cv_prog_LEX" -if test -n "$LEX"; then - echo "$ac_t""$LEX" 1>&6 -else - echo "$ac_t""no" 1>&6 -fi - -if test -z "$LEXLIB" -then - case "$LEX" in - flex*) ac_lib=fl ;; - *) ac_lib=l ;; - esac - echo $ac_n "checking for yywrap in -l$ac_lib""... $ac_c" 1>&6 -echo "configure:904: checking for yywrap in -l$ac_lib" >&5 -ac_lib_var=`echo $ac_lib'_'yywrap | sed 'y%./+-%__p_%'` -if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - ac_save_LIBS="$LIBS" -LIBS="-l$ac_lib $LIBS" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - eval "ac_cv_lib_$ac_lib_var=yes" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - eval "ac_cv_lib_$ac_lib_var=no" -fi -rm -f conftest* -LIBS="$ac_save_LIBS" - -fi -if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then - echo "$ac_t""yes" 1>&6 - LEXLIB="-l$ac_lib" -else - echo "$ac_t""no" 1>&6 -fi - -fi - -ac_aux_dir= -for ac_dir in $srcdir $srcdir/.. $srcdir/../..; do - if test -f $ac_dir/install-sh; then - ac_aux_dir=$ac_dir - ac_install_sh="$ac_aux_dir/install-sh -c" - break - elif test -f $ac_dir/install.sh; then - ac_aux_dir=$ac_dir - ac_install_sh="$ac_aux_dir/install.sh -c" - break - fi -done -if test -z "$ac_aux_dir"; then - { echo "configure: error: can not find install-sh or install.sh in $srcdir $srcdir/.. $srcdir/../.." 1>&2; exit 1; } -fi -ac_config_guess=$ac_aux_dir/config.guess -ac_config_sub=$ac_aux_dir/config.sub -ac_configure=$ac_aux_dir/configure # This should be Cygnus configure. - -# Find a good install program. We prefer a C program (faster), -# so one script is as good as another. 
But avoid the broken or -# incompatible versions: -# SysV /etc/install, /usr/sbin/install -# SunOS /usr/etc/install -# IRIX /sbin/install -# AIX /bin/install -# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag -# AFS /usr/afsws/bin/install, which mishandles nonexistent args -# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" -# ./install, which can be erroneously created by make from ./install.sh. -echo $ac_n "checking for a BSD compatible install""... $ac_c" 1>&6 -echo "configure:976: checking for a BSD compatible install" >&5 -if test -z "$INSTALL"; then -if eval "test \"`echo '$''{'ac_cv_path_install'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - IFS="${IFS= }"; ac_save_IFS="$IFS"; IFS=":" - for ac_dir in $PATH; do - # Account for people who put trailing slashes in PATH elements. - case "$ac_dir/" in - /|./|.//|/etc/*|/usr/sbin/*|/usr/etc/*|/sbin/*|/usr/afsws/bin/*|/usr/ucb/*) ;; - *) - # OSF1 and SCO ODT 3.0 have their own names for install. - # Don't use installbsd from OSF since it installs stuff as root - # by default. - for ac_prog in ginstall scoinst install; do - if test -f $ac_dir/$ac_prog; then - if test $ac_prog = install && - grep dspmsg $ac_dir/$ac_prog >/dev/null 2>&1; then - # AIX install. It has an incompatible calling convention. - : - else - ac_cv_path_install="$ac_dir/$ac_prog -c" - break 2 - fi - fi - done - ;; - esac - done - IFS="$ac_save_IFS" - -fi - if test "${ac_cv_path_install+set}" = set; then - INSTALL="$ac_cv_path_install" - else - # As a last resort, use the slow shell script. We don't cache a - # path for INSTALL within a source directory, because that will - # break other packages using the cache if that directory is - # removed, or if the path is relative. - INSTALL="$ac_install_sh" - fi -fi -echo "$ac_t""$INSTALL" 1>&6 - -# Use test -z because SunOS4 sh mishandles braces in ${var-val}. -# It thinks the first close brace ends the variable substitution. 
-test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}' - -test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL_PROGRAM}' - -test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644' - -echo $ac_n "checking whether ${MAKE-make} sets \${MAKE}""... $ac_c" 1>&6 -echo "configure:1029: checking whether ${MAKE-make} sets \${MAKE}" >&5 -set dummy ${MAKE-make}; ac_make=`echo "$2" | sed 'y%./+-%__p_%'` -if eval "test \"`echo '$''{'ac_cv_prog_make_${ac_make}_set'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftestmake <<\EOF -all: - @echo 'ac_maketemp="${MAKE}"' -EOF -# GNU make sometimes prints "make[1]: Entering...", which would confuse us. -eval `${MAKE-make} -f conftestmake 2>/dev/null | grep temp=` -if test -n "$ac_maketemp"; then - eval ac_cv_prog_make_${ac_make}_set=yes -else - eval ac_cv_prog_make_${ac_make}_set=no -fi -rm -f conftestmake -fi -if eval "test \"`echo '$ac_cv_prog_make_'${ac_make}_set`\" = yes"; then - echo "$ac_t""yes" 1>&6 - SET_MAKE= -else - echo "$ac_t""no" 1>&6 - SET_MAKE="MAKE=${MAKE-make}" -fi - - - -# Make sure we can run config.sub. -if ${CONFIG_SHELL-/bin/sh} $ac_config_sub sun4 >/dev/null 2>&1; then : -else { echo "configure: error: can not run $ac_config_sub" 1>&2; exit 1; } -fi - -echo $ac_n "checking host system type""... 
$ac_c" 1>&6 -echo "configure:1063: checking host system type" >&5 - -host_alias=$host -case "$host_alias" in -NONE) - case $nonopt in - NONE) - if host_alias=`${CONFIG_SHELL-/bin/sh} $ac_config_guess`; then : - else { echo "configure: error: can not guess host type; you must specify one" 1>&2; exit 1; } - fi ;; - *) host_alias=$nonopt ;; - esac ;; -esac - -host=`${CONFIG_SHELL-/bin/sh} $ac_config_sub $host_alias` -host_cpu=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'` -host_vendor=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'` -host_os=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'` -echo "$ac_t""$host" 1>&6 - -case $host in -*netbsd*) - CFLAGS="-Wl,-R/usr/pkg/lib $CFLAGS" ;; -esac - - -OPTFLAG="-O -DYIPS_DEBUG" -echo $ac_n "checking if --enable-debug option is specified""... $ac_c" 1>&6 -echo "configure:1091: checking if --enable-debug option is specified" >&5 -# Check whether --enable-debug or --disable-debug was given. -if test "${enable_debug+set}" = set; then - enableval="$enable_debug" - OPTFLAG="-g $OPTFLAG"; enable_debug=yes -else - enable_debug=no -fi - -echo "$ac_t""$enable_debug" 1>&6 - - -echo $ac_n "checking if --enable-debugrm option is specified""... $ac_c" 1>&6 -echo "configure:1104: checking if --enable-debugrm option is specified" >&5 -# Check whether --enable-debugrm or --disable-debugrm was given. -if test "${enable_debugrm+set}" = set; then - enableval="$enable_debugrm" - OPTFLAG="-DDEBUG_RECORD_MALLOCATION $OPTFLAG"; enable_debugrm=yes -else - enable_debugrm=no -fi - -if test "$enable_debugrm" != "no"; then - DEBUGRMOBJS="debugrm.o" -fi -echo "$ac_t""$enable_debugrm" 1>&6 - -echo $ac_n "checking if --enable-yydebug option is specified""... $ac_c" 1>&6 -echo "configure:1119: checking if --enable-yydebug option is specified" >&5 -# Check whether --enable-yydebug or --disable-yydebug was given. 
-if test "${enable_yydebug+set}" = set; then - enableval="$enable_yydebug" - cat >> confdefs.h <<\EOF -#define YYDEBUG 1 -EOF - - enable_yydebug=yes -else - enable_yydebug=no -fi - -echo "$ac_t""$enable_yydebug" 1>&6 - -OPTFLAG="-Wall -Wmissing-prototypes -Wmissing-declarations $OPTFLAG" -echo $ac_n "checking if --enable-pedant option is specified""... $ac_c" 1>&6 -echo "configure:1136: checking if --enable-pedant option is specified" >&5 -# Check whether --enable-pedant or --disable-pedant was given. -if test "${enable_pedant+set}" = set; then - enableval="$enable_pedant" - OPTFLAG="-Werror $OPTFLAG"; enable_pedant=yes -else - enable_pedant=no -fi - -echo "$ac_t""$enable_pedant" 1>&6 - -echo $ac_n "checking if --enable-adminport option is specified""... $ac_c" 1>&6 -echo "configure:1148: checking if --enable-adminport option is specified" >&5 -# Check whether --enable-adminport or --disable-adminport was given. -if test "${enable_adminport+set}" = set; then - enableval="$enable_adminport" - : -else - enable_adminport=no -fi - -if test $enable_adminport = "yes"; then - cat >> confdefs.h <<\EOF -#define ENABLE_ADMINPORT 1 -EOF - -fi -echo "$ac_t""$enable_adminport" 1>&6 - -echo $ac_n "checking if --enable-rc5 option is specified""... $ac_c" 1>&6 -echo "configure:1166: checking if --enable-rc5 option is specified" >&5 -# Check whether --enable-rc5 or --disable-rc5 was given. -if test "${enable_rc5+set}" = set; then - enableval="$enable_rc5" - : -else - enable_rc5=no -fi - -echo "$ac_t""$enable_rc5" 1>&6 - -echo $ac_n "checking if --enable-idea option is specified""... $ac_c" 1>&6 -echo "configure:1178: checking if --enable-idea option is specified" >&5 -# Check whether --enable-idea or --disable-idea was given. -if test "${enable_idea+set}" = set; then - enableval="$enable_idea" - : -else - enable_idea=no -fi - -echo "$ac_t""$enable_idea" 1>&6 - -echo $ac_n "checking if --enable-gssapi option is specified""... 
$ac_c" 1>&6 -echo "configure:1190: checking if --enable-gssapi option is specified" >&5 -# Check whether --enable-rc5 or --disable-rc5 was given. -if test "${enable_rc5+set}" = set; then - enableval="$enable_rc5" - : -else - enable_gssapi=no -fi - -if test "x$enable_gssapi" = "xyes"; then - cat >> confdefs.h <<\EOF -#define HAVE_GSSAPI 1 -EOF - -fi -echo "$ac_t""$enable_gssapi" 1>&6 - -echo $ac_n "checking if --enable-stats option is specified""... $ac_c" 1>&6 -echo "configure:1208: checking if --enable-stats option is specified" >&5 -# Check whether --enable-stats or --disable-stats was given. -if test "${enable_stats+set}" = set; then - enableval="$enable_stats" - : -else - enable_stats=no -fi - -if test "x$enable_stats" = "xyes"; then - cat >> confdefs.h <<\EOF -#define ENABLE_STATS 1 -EOF - -fi -echo "$ac_t""$enable_stats" 1>&6 - -echo $ac_n "checking if --enable-samode-unspec option is specified""... $ac_c" 1>&6 -echo "configure:1226: checking if --enable-samode-unspec option is specified" >&5 -# Check whether --enable-samode-unspec or --disable-samode-unspec was given. -if test "${enable_samode_unspec+set}" = set; then - enableval="$enable_samode_unspec" - : -else - enable_samode_unspec=no -fi - -if test "x$enable_samode_unspec" = "xyes"; then - cat >> confdefs.h <<\EOF -#define ENABLE_SAMODE_UNSPECIFIED 1 -EOF - -fi -echo "$ac_t""$enable_samode_unspec" 1>&6 - -efence_dir= -echo $ac_n "checking if --with-efence option is specified""... $ac_c" 1>&6 -echo "configure:1245: checking if --with-efence option is specified" >&5 -# Check whether --with-efence or --without-efence was given. -if test "${with_efence+set}" = set; then - withval="$with_efence" - efence_dir=$withval -else - efence_dir=no -fi - -echo "$ac_t""${efence_dir}" 1>&6 -if test "$efence_dir" != "no"; then - if test "x$efence_dir" = "x"; then - -echo $ac_n "checking for efence containing EF_Print""... 
$ac_c" 1>&6 -echo "configure:1259: checking for efence containing EF_Print" >&5 -if eval "test \"`echo '$''{'ac_cv_search_EF_Print'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - ac_func_search_save_LIBS="$LIBS" -ac_cv_search_EF_Print="no" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_EF_Print="none required" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - LIBS="-lefence $LIBS" - cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_EF_Print="-lefence" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 -fi -rm -f conftest* -fi -rm -f conftest* -LIBS="$ac_func_search_save_LIBS" -test "$ac_cv_search_EF_Print" = "no" && for i in ; do -LIBS="-L$i -lefence $ac_func_search_save_LIBS" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_EF_Print="-L$i -lefence" -break -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 -fi -rm -f conftest* -done -LIBS="$ac_func_search_save_LIBS" -fi - -echo "$ac_t""$ac_cv_search_EF_Print" 1>&6 -if test "$ac_cv_search_EF_Print" != "no"; then - test "$ac_cv_search_EF_Print" = "none required" || LIBS="$ac_cv_search_EF_Print $LIBS" - -else : - -fi - else - -echo $ac_n "checking for efence containing EF_Print""... 
$ac_c" 1>&6 -echo "configure:1345: checking for efence containing EF_Print" >&5 -if eval "test \"`echo '$''{'ac_cv_search_EF_Print'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - ac_func_search_save_LIBS="$LIBS" -ac_cv_search_EF_Print="no" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_EF_Print="none required" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - LIBS="-lefence $LIBS" - cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_EF_Print="-lefence" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 -fi -rm -f conftest* -fi -rm -f conftest* -LIBS="$ac_func_search_save_LIBS" -test "$ac_cv_search_EF_Print" = "no" && for i in $efence_dir; do -LIBS="-L$i -lefence $ac_func_search_save_LIBS" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_EF_Print="-L$i -lefence" -break -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 -fi -rm -f conftest* -done -LIBS="$ac_func_search_save_LIBS" -fi - -echo "$ac_t""$ac_cv_search_EF_Print" 1>&6 -if test "$ac_cv_search_EF_Print" != "no"; then - test "$ac_cv_search_EF_Print" = "none required" || LIBS="$ac_cv_search_EF_Print $LIBS" - -else : - -fi - fi -fi - -gc_dir= -echo $ac_n "checking if --with-gc option is specified""... $ac_c" 1>&6 -echo "configure:1433: checking if --with-gc option is specified" >&5 -# Check whether --with-gc or --without-gc was given. -if test "${with_gc+set}" = set; then - withval="$with_gc" - gc_dir=$withval -else - gc_dir=no -fi - -echo "$ac_t""${gc_dir}" 1>&6 -if test "$gc_dir" != "no"; then - cat >> confdefs.h <<\EOF -#define GC 1 -EOF - - if test "x$gc_dir" = "x"; then - -echo $ac_n "checking for leak containing GC_malloc""... 
$ac_c" 1>&6 -echo "configure:1451: checking for leak containing GC_malloc" >&5 -if eval "test \"`echo '$''{'ac_cv_search_GC_malloc'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - ac_func_search_save_LIBS="$LIBS" -ac_cv_search_GC_malloc="no" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_GC_malloc="none required" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - LIBS="-lleak $LIBS" - cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_GC_malloc="-lleak" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 -fi -rm -f conftest* -fi -rm -f conftest* -LIBS="$ac_func_search_save_LIBS" -test "$ac_cv_search_GC_malloc" = "no" && for i in ; do -LIBS="-L$i -lleak $ac_func_search_save_LIBS" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_GC_malloc="-L$i -lleak" -break -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 -fi -rm -f conftest* -done -LIBS="$ac_func_search_save_LIBS" -fi - -echo "$ac_t""$ac_cv_search_GC_malloc" 1>&6 -if test "$ac_cv_search_GC_malloc" != "no"; then - test "$ac_cv_search_GC_malloc" = "none required" || LIBS="$ac_cv_search_GC_malloc $LIBS" - -else : - -fi - else - -echo $ac_n "checking for leak containing GC_malloc""... 
$ac_c" 1>&6 -echo "configure:1537: checking for leak containing GC_malloc" >&5 -if eval "test \"`echo '$''{'ac_cv_search_GC_malloc'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - ac_func_search_save_LIBS="$LIBS" -ac_cv_search_GC_malloc="no" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_GC_malloc="none required" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - LIBS="-lleak $LIBS" - cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_GC_malloc="-lleak" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 -fi -rm -f conftest* -fi -rm -f conftest* -LIBS="$ac_func_search_save_LIBS" -test "$ac_cv_search_GC_malloc" = "no" && for i in $gc_dir; do -LIBS="-L$i -lleak $ac_func_search_save_LIBS" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_GC_malloc="-L$i -lleak" -break -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 -fi -rm -f conftest* -done -LIBS="$ac_func_search_save_LIBS" -fi - -echo "$ac_t""$ac_cv_search_GC_malloc" 1>&6 -if test "$ac_cv_search_GC_malloc" != "no"; then - test "$ac_cv_search_GC_malloc" = "none required" || LIBS="$ac_cv_search_GC_malloc $LIBS" - -else : - -fi - fi -fi - -dmalloc_dir= -echo $ac_n "checking if --with-dmalloc option is specified""... $ac_c" 1>&6 -echo "configure:1625: checking if --with-dmalloc option is specified" >&5 -# Check whether --with-dmalloc or --without-dmalloc was given. 
-if test "${with_dmalloc+set}" = set; then - withval="$with_dmalloc" - dmalloc_dir=$withval -else - dmalloc_dir=no -fi - -echo "$ac_t""${dmalloc_dir}" 1>&6 -if test "$dmalloc_dir" != "no"; then - cat >> confdefs.h <<\EOF -#define DMALLOC 1 -EOF - - if test "x$dmalloc_dir" = "x"; then - -echo $ac_n "checking for dmalloc containing dmalloc_log_unfreed""... $ac_c" 1>&6 -echo "configure:1643: checking for dmalloc containing dmalloc_log_unfreed" >&5 -if eval "test \"`echo '$''{'ac_cv_search_dmalloc_log_unfreed'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - ac_func_search_save_LIBS="$LIBS" -ac_cv_search_dmalloc_log_unfreed="no" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_dmalloc_log_unfreed="none required" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - LIBS="-ldmalloc $LIBS" - cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_dmalloc_log_unfreed="-ldmalloc" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 -fi -rm -f conftest* -fi -rm -f conftest* -LIBS="$ac_func_search_save_LIBS" -test "$ac_cv_search_dmalloc_log_unfreed" = "no" && for i in ; do -LIBS="-L$i -ldmalloc $ac_func_search_save_LIBS" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_dmalloc_log_unfreed="-L$i -ldmalloc" -break -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 -fi -rm -f conftest* -done -LIBS="$ac_func_search_save_LIBS" -fi - -echo "$ac_t""$ac_cv_search_dmalloc_log_unfreed" 1>&6 -if test "$ac_cv_search_dmalloc_log_unfreed" != "no"; then - test "$ac_cv_search_dmalloc_log_unfreed" = "none required" || LIBS="$ac_cv_search_dmalloc_log_unfreed $LIBS" - -else : - -fi - else - -echo $ac_n "checking for dmalloc containing dmalloc_log_unfreed""... 
$ac_c" 1>&6 -echo "configure:1729: checking for dmalloc containing dmalloc_log_unfreed" >&5 -if eval "test \"`echo '$''{'ac_cv_search_dmalloc_log_unfreed'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - ac_func_search_save_LIBS="$LIBS" -ac_cv_search_dmalloc_log_unfreed="no" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_dmalloc_log_unfreed="none required" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - LIBS="-ldmalloc $LIBS" - cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_dmalloc_log_unfreed="-ldmalloc" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 -fi -rm -f conftest* -fi -rm -f conftest* -LIBS="$ac_func_search_save_LIBS" -test "$ac_cv_search_dmalloc_log_unfreed" = "no" && for i in $dmalloc_dir; do -LIBS="-L$i -ldmalloc $ac_func_search_save_LIBS" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_dmalloc_log_unfreed="-L$i -ldmalloc" -break -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 -fi -rm -f conftest* -done -LIBS="$ac_func_search_save_LIBS" -fi - -echo "$ac_t""$ac_cv_search_dmalloc_log_unfreed" 1>&6 -if test "$ac_cv_search_dmalloc_log_unfreed" != "no"; then - test "$ac_cv_search_dmalloc_log_unfreed" = "none required" || LIBS="$ac_cv_search_dmalloc_log_unfreed $LIBS" - -else : - -fi - fi -fi - -tcpdump= -echo $ac_n "checking if --with-tcpdump option is specified""... $ac_c" 1>&6 -echo "configure:1817: checking if --with-tcpdump option is specified" >&5 -# Check whether --with-tcpdump or --without-tcpdump was given. 
-if test "${with_tcpdump+set}" = set; then - withval="$with_tcpdump" - tcpdump=$withval -else - tcpdump=no -fi - -echo "$ac_t""${tcpdump}" 1>&6 -if test "$tcpdump" != "no"; then - LIBOBJS="$LIBOBJS print-isakmp.o" - cat >> confdefs.h <<\EOF -#define HAVE_PRINT_ISAKMP_C 1 -EOF - - CPPFLAGS="$CPPFLAGS -I$(srcdir)" -fi - -echo $ac_n "checking if __func__ is available""... $ac_c" 1>&6 -echo "configure:1837: checking if __func__ is available" >&5 -cat > conftest.$ac_ext < - -int main() { -char *x = __func__; -; return 0; } -EOF -if { (eval echo configure:1847: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then - rm -rf conftest* - cat >> confdefs.h <<\EOF -#define HAVE_FUNC_MACRO 1 -EOF - - echo "$ac_t""yes" 1>&6 -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - echo "$ac_t""no" 1>&6 -fi -rm -f conftest* - -echo $ac_n "checking whether to enable ipv6""... $ac_c" 1>&6 -echo "configure:1863: checking whether to enable ipv6" >&5 -# Check whether --enable-ipv6 or --disable-ipv6 was given. 
-if test "${enable_ipv6+set}" = set; then - enableval="$enable_ipv6" - case "$enableval" in - no) - echo "$ac_t""no" 1>&6 - ipv6=no - ;; - *) echo "$ac_t""yes" 1>&6 - cat >> confdefs.h <<\EOF -#define INET6 1 -EOF - - ipv6=yes - ;; - esac -else - if test "$cross_compiling" = yes; then - echo "$ac_t""no" 1>&6 - ipv6=no - -else - cat > conftest.$ac_ext < -#include -main() -{ - exit(0); - if (socket(AF_INET6, SOCK_STREAM, 0) < 0) - exit(1); - else - exit(0); -} - -EOF -if { (eval echo configure:1902: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null -then - echo "$ac_t""yes" 1>&6 - cat >> confdefs.h <<\EOF -#define ENABLE_IPV6 1 -EOF - - ipv6=yes -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -fr conftest* - echo "$ac_t""no" 1>&6 - ipv6=no -fi -rm -fr conftest* -fi - -fi - - -ipv6type=unknown -ipv6lib=none -ipv6libdir=none - -if test "$ipv6" = "yes"; then - echo $ac_n "checking ipv6 stack type""... 
$ac_c" 1>&6 -echo "configure:1929: checking ipv6 stack type" >&5 - for i in inria kame linux toshiba v6d zeta; do - ipv6trylibc=no - case $i in - inria) - cat > conftest.$ac_ext < -#ifdef IPV6_INRIA_VERSION -yes -#endif -EOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - egrep "yes" >/dev/null 2>&1; then - rm -rf conftest* - ipv6type=$i; - ipv6lib=inet6; - ipv6libdir=/usr/lib; - ipv6trylibc=yes - CPPFLAGS="-DINET6 $CPPFLAGS" -fi -rm -f conftest* - - ;; - kame) - cat > conftest.$ac_ext < -#ifdef __KAME__ -yes -#endif -EOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - egrep "yes" >/dev/null 2>&1; then - rm -rf conftest* - ipv6type=$i; - ipv6lib=inet6; - ipv6libdir=/usr/local/v6/lib; - ipv6trylibc=yes - CPPFLAGS="-DINET6 $CPPFLAGS" -fi -rm -f conftest* - - ;; - linux) - if test -d /usr/inet6; then - ipv6type=$i - ipv6lib=inet6 - ipv6libdir=/usr/inet6/lib - CPPFLAGS="-DINET6 -I/usr/inet6/include $CPPFLAGS" - fi - ;; - toshiba) - cat > conftest.$ac_ext < -#ifdef _TOSHIBA_INET6 -yes -#endif -EOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - egrep "yes" >/dev/null 2>&1; then - rm -rf conftest* - ipv6type=$i; - ipv6lib=inet6; - ipv6libdir=/usr/local/v6/lib; - CPPFLAGS="-DINET6 $CPPFLAGS" -fi -rm -f conftest* - - ;; - v6d) - cat > conftest.$ac_ext < -#ifdef __V6D__ -yes -#endif -EOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - egrep "yes" >/dev/null 2>&1; then - rm -rf conftest* - ipv6type=$i; - ipv6lib=v6; - ipv6libdir=/usr/local/v6/lib; - CPPFLAGS="-I/usr/local/v6/include $CPPFLAGS" -fi -rm -f conftest* - - ;; - zeta) - cat > conftest.$ac_ext < -#ifdef _ZETA_MINAMI_INET6 -yes -#endif -EOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - egrep "yes" >/dev/null 2>&1; then - rm -rf conftest* - ipv6type=$i; - ipv6lib=inet6; - ipv6libdir=/usr/local/v6/lib; - CPPFLAGS="-DINET6 $CPPFLAGS" -fi -rm -f conftest* - - ;; - esac - if test "$ipv6type" != "unknown"; then - break - fi - done - echo "$ac_t""$ipv6type" 1>&6 -fi - -if test "$ipv6" = "yes" -a "$ipv6lib" != "none"; then - 
if test -d $ipv6libdir -a -f $ipv6libdir/lib$ipv6lib.a; then - echo "using lib$ipv6lib for getaddrinfo" - LIBS="$LIBS -L$ipv6libdir -l$ipv6lib" - else - if test "$ipv6trylibc" = "yes"; then - echo 'using libc for getaddrinfo' - else - echo "Fatal: no $ipv6lib library found. " - echo "cannot continue. You need to fetch lib$ipv6lib.a " - echo "from appropriate ipv6 kit and compile beforehand." - exit 1 - fi - fi -fi - -if test "$ipv6" = "yes"; then - echo $ac_n "checking for advanced API support""... $ac_c" 1>&6 -echo "configure:2074: checking for advanced API support" >&5 - if eval "test \"`echo '$''{'racoon_cv_advapi'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext < -#include -int main() { -struct in6_pktinfo a; -; return 0; } -EOF -if { (eval echo configure:2090: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then - rm -rf conftest* - racoon_cv_advapi="yes" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - racoon_cv_advapi="no" -fi -rm -f conftest* -fi - - echo "$ac_t""$racoon_cv_advapi" 1>&6 - if test "$racoon_cv_advapi" = yes; then - cat >> confdefs.h <<\EOF -#define ADVAPI 1 -EOF - - fi -fi - -echo $ac_n "checking getaddrinfo bug""... $ac_c" 1>&6 -echo "configure:2112: checking getaddrinfo bug" >&5 -if test "$cross_compiling" = yes; then - echo "$ac_t""buggy" 1>&6 -buggygetaddrinfo=yes -else - cat > conftest.$ac_ext < -#include -#include -#include -#include - -main() -{ - int passive, gaierr, inet4 = 0, inet6 = 0; - struct addrinfo hints, *ai, *aitop; - char straddr[INET6_ADDRSTRLEN], strport[16]; - - for (passive = 0; passive <= 1; passive++) { - memset(&hints, 0, sizeof(hints)); - hints.ai_family = AF_UNSPEC; - hints.ai_flags = passive ? 
AI_PASSIVE : 0; - hints.ai_protocol = IPPROTO_TCP; - hints.ai_socktype = SOCK_STREAM; - if ((gaierr = getaddrinfo(NULL, "54321", &hints, &aitop)) != 0) { - (void)gai_strerror(gaierr); - goto bad; - } - for (ai = aitop; ai; ai = ai->ai_next) { - if (ai->ai_addr == NULL || - ai->ai_addrlen == 0 || - getnameinfo(ai->ai_addr, ai->ai_addrlen, - straddr, sizeof(straddr), strport, sizeof(strport), - NI_NUMERICHOST|NI_NUMERICSERV) != 0) { - goto bad; - } - switch (ai->ai_family) { - case AF_INET: - if (strcmp(strport, "54321") != 0) { - goto bad; - } - if (passive) { - if (strcmp(straddr, "0.0.0.0") != 0) { - goto bad; - } - } else { - if (strcmp(straddr, "127.0.0.1") != 0) { - goto bad; - } - } - inet4++; - break; - case AF_INET6: - if (strcmp(strport, "54321") != 0) { - goto bad; - } - if (passive) { - if (strcmp(straddr, "::") != 0) { - goto bad; - } - } else { - if (strcmp(straddr, "::1") != 0) { - goto bad; - } - } - inet6++; - break; - case AF_UNSPEC: - goto bad; - break; - default: - /* another family support? */ - break; - } - } - } - - if (!(inet4 == 0 || inet4 == 2)) - goto bad; - if (!(inet6 == 0 || inet6 == 2)) - goto bad; - - if (aitop) - freeaddrinfo(aitop); - exit(0); - - bad: - if (aitop) - freeaddrinfo(aitop); - exit(1); -} - -EOF -if { (eval echo configure:2208: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null -then - echo "$ac_t""good" 1>&6 -buggygetaddrinfo=no -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -fr conftest* - echo "$ac_t""buggy" 1>&6 -buggygetaddrinfo=yes -fi -rm -fr conftest* -fi - - -if test "$buggygetaddrinfo" = "yes"; then - if test "$ipv6" = "yes"; then - echo 'Fatal: You must get working getaddrinfo() function.' - echo ' or you can specify "--disable-ipv6"'. - exit 1 - else - CPPFLAGS="$CPPFLAGS -I./missing" - fi -fi -for ac_func in getaddrinfo getnameinfo -do -echo $ac_n "checking for $ac_func""... 
$ac_c" 1>&6 -echo "configure:2235: checking for $ac_func" >&5 -if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext < -/* Override any gcc2 internal prototype to avoid an error. */ -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func(); - -int main() { - -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -$ac_func(); -#endif - -; return 0; } -EOF -if { (eval echo configure:2263: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - eval "ac_cv_func_$ac_func=yes" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - eval "ac_cv_func_$ac_func=no" -fi -rm -f conftest* -fi - -if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then - echo "$ac_t""yes" 1>&6 - ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'` - cat >> confdefs.h <&6 -LIBOBJS="$LIBOBJS ${ac_func}.${ac_objext}" -fi -done - - - -echo $ac_n "checking if --with-ssleay option is specified""... $ac_c" 1>&6 -echo "configure:2291: checking if --with-ssleay option is specified" >&5 -# Check whether --with-ssleay or --without-ssleay was given. 
-if test "${with_ssleay+set}" = set; then - withval="$with_ssleay" - crypto_dir=$withval -fi - -echo "$ac_t""${crypto_dir-"default"}" 1>&6 - - -if test "x$crypto_dir" = "x"; then - case $host_os in - netbsd*) crypto_dir="/usr/pkg";; - freebsd*) - if test -d /usr/local/ssl; then - crypto_dir="/usr/local/ssl" - else - crypto_dir="/usr/local" - fi - ;; - esac -else - LIBS="$LIBS -L${crypto_dir}/lib" - CFLAGS="-I${crypto_dir}/include $CFLAGS" -fi -if test "x$krb5_incdir" = "x"; then - case $host_os in - netbsd*) krb5_incdir="/usr/include/krb5";; - esac -fi -if test "x$krb5_libs" = "x"; then - case $host_os in - netbsd*) krb5_libs="-lgssapi -lkrb5 -lcom_err -lroken -lasn1";; - freebsd*) krb5_libs="-lgssapi -lkrb5 -lcom_err -lroken -lasn1 -lcrypt";; - esac -fi -if test "$enable_gssapi" = "yes"; then - case $host_os in - netbsd*) - LIBS="$LIBS $krb5_libs" - CPPFLAGS="-I$krb5_incdir $CPPFLAGS" - ;; - esac -fi - -echo $ac_n "checking for crypto containing CAST_cfb64_encrypt""... $ac_c" 1>&6 -echo "configure:2337: checking for crypto containing CAST_cfb64_encrypt" >&5 -if eval "test \"`echo '$''{'ac_cv_search_CAST_cfb64_encrypt'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - ac_func_search_save_LIBS="$LIBS" -ac_cv_search_CAST_cfb64_encrypt="no" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_CAST_cfb64_encrypt="none required" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - LIBS="-lcrypto $LIBS" - cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_CAST_cfb64_encrypt="-lcrypto" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 -fi -rm -f conftest* -fi -rm -f conftest* -LIBS="$ac_func_search_save_LIBS" -test "$ac_cv_search_CAST_cfb64_encrypt" = "no" && for i in ${crypto_dir}/lib; do -LIBS="-L$i -lcrypto $ac_func_search_save_LIBS" -cat > 
conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_CAST_cfb64_encrypt="-L$i -lcrypto" -break -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 -fi -rm -f conftest* -done -LIBS="$ac_func_search_save_LIBS" -fi - -echo "$ac_t""$ac_cv_search_CAST_cfb64_encrypt" 1>&6 -if test "$ac_cv_search_CAST_cfb64_encrypt" != "no"; then - test "$ac_cv_search_CAST_cfb64_encrypt" = "none required" || LIBS="$ac_cv_search_CAST_cfb64_encrypt $LIBS" - -else : - -fi -cat > conftest.$ac_ext < -#include -#include -#include -#include -#include -#include -int main() { - -; return 0; } -EOF -if { (eval echo configure:2434: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then - : -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - openssl_compile_failed=yes -fi -rm -f conftest* - -if test "x$openssl_compile_failed" = "xyes"; then - echo - echo "Fatal: crypto library and headers not found." - echo Specify proper directory by using --with-ssleay. - if test `uname -s` = FreeBSD; then - echo Use ports/security/SSLeay to install SSLeay, or visit - elif test `uname -s` = NetBSD; then - echo Use pkgsrc/security/SSLeay to install SSLeay, or visit - else - echo -n "Visit " - fi - echo ftp://psych.psy.uq.oz.au/pub/Crypto/SSL/, or visit - echo http://www.openssl.org/ - exit 1 -fi - -echo $ac_n "checking openssl version""... $ac_c" 1>&6 -echo "configure:2461: checking openssl version" >&5 -cat > conftest.$ac_ext < -#if OPENSSL_VERSION_NUMBER >= 0x00904100L -yes -#endif -EOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - egrep "yes" >/dev/null 2>&1; then - rm -rf conftest* - echo "$ac_t""ok" 1>&6 -else - rm -rf conftest* - echo "$ac_t""too old" 1>&6 - echo - echo "FATAL: OpenSSL version must be 0.9.4 or higher." - exit 1 -fi -rm -f conftest* - - -echo $ac_n "checking for ssl_ok in -lssl""... 
$ac_c" 1>&6 -echo "configure:2485: checking for ssl_ok in -lssl" >&5 -ac_lib_var=`echo ssl'_'ssl_ok | sed 'y%./+-%__p_%'` -if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - ac_save_LIBS="$LIBS" -LIBS="-lssl -lcrypto $LIBS" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - eval "ac_cv_lib_$ac_lib_var=yes" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - eval "ac_cv_lib_$ac_lib_var=no" -fi -rm -f conftest* -LIBS="$ac_save_LIBS" - -fi -if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then - echo "$ac_t""yes" 1>&6 - ac_tr_lib=HAVE_LIB`echo ssl | sed -e 's/[^a-zA-Z0-9_]/_/g' \ - -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` - cat >> confdefs.h <&6 -fi - - -echo $ac_n "checking for des_cbc_encrypt in -lcrypto""... $ac_c" 1>&6 -echo "configure:2533: checking for des_cbc_encrypt in -lcrypto" >&5 -ac_lib_var=`echo crypto'_'des_cbc_encrypt | sed 'y%./+-%__p_%'` -if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - ac_save_LIBS="$LIBS" -LIBS="-lcrypto $LIBS" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - eval "ac_cv_lib_$ac_lib_var=yes" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - eval "ac_cv_lib_$ac_lib_var=no" -fi -rm -f conftest* -LIBS="$ac_save_LIBS" - -fi -if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then - echo "$ac_t""yes" 1>&6 - ac_tr_lib=HAVE_LIB`echo crypto | sed -e 's/[^a-zA-Z0-9_]/_/g' \ - -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` - cat >> confdefs.h <&6 -fi - -echo $ac_n "checking for yywrap in -ll""... 
$ac_c" 1>&6 -echo "configure:2580: checking for yywrap in -ll" >&5 -ac_lib_var=`echo l'_'yywrap | sed 'y%./+-%__p_%'` -if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - ac_save_LIBS="$LIBS" -LIBS="-ll $LIBS" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - eval "ac_cv_lib_$ac_lib_var=yes" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - eval "ac_cv_lib_$ac_lib_var=no" -fi -rm -f conftest* -LIBS="$ac_save_LIBS" - -fi -if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then - echo "$ac_t""yes" 1>&6 - ac_tr_lib=HAVE_LIB`echo l | sed -e 's/[^a-zA-Z0-9_]/_/g' \ - -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` - cat >> confdefs.h <&6 -fi - -echo $ac_n "checking for yyerror in -ly""... $ac_c" 1>&6 -echo "configure:2627: checking for yyerror in -ly" >&5 -ac_lib_var=`echo y'_'yyerror | sed 'y%./+-%__p_%'` -if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - ac_save_LIBS="$LIBS" -LIBS="-ly $LIBS" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - eval "ac_cv_lib_$ac_lib_var=yes" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - eval "ac_cv_lib_$ac_lib_var=no" -fi -rm -f conftest* -LIBS="$ac_save_LIBS" - -fi -if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then - echo "$ac_t""yes" 1>&6 - ac_tr_lib=HAVE_LIB`echo y | sed -e 's/[^a-zA-Z0-9_]/_/g' \ - -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` - cat >> confdefs.h <&6 -fi - - -echo $ac_n "checking for PF_KEYv2 support""... 
$ac_c" 1>&6 -echo "configure:2675: checking for PF_KEYv2 support" >&5 -if eval "test \"`echo '$''{'ac_cv_pfkey'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext < -#include -#include -int main() { -int x = PF_KEY, y = PF_KEY_V2; -; return 0; } -EOF -if { (eval echo configure:2690: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then - rm -rf conftest* - ac_cv_pfkey="yes" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - ac_cv_pfkey="no" -fi -rm -f conftest* -fi - -echo "$ac_t""$ac_cv_pfkey" 1>&6 -if test "$ac_cv_pfkey" = yes; then - OPTFLAG="-DHAVE_PFKEYV2 $OPTFLAG" -fi - -if test "$ac_cv_pfkey" = "yes"; then - echo $ac_n "checking for old KAME PF_KEYv2 header file""... $ac_c" 1>&6 -echo "configure:2709: checking for old KAME PF_KEYv2 header file" >&5 - cat > conftest.$ac_ext < -#include -#include -int main() { -struct sadb_msg m; m.sadb_msg_reserved2 = 0; -; return 0; } -EOF -if { (eval echo configure:2721: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then - rm -rf conftest* - echo "$ac_t""old" 1>&6 - echo "FATAL: obsolete KAME PF_KEYv2 declaration (non-PF_KEY sadb_msg)" - exit 1 -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 -fi -rm -f conftest* - cat > conftest.$ac_ext < -#include -#include -int main() { -struct sadb_x_policy m; m.sadb_x_policy_id = 0; -; return 0; } -EOF -if { (eval echo configure:2742: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then - : -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - echo "$ac_t""old" 1>&6 - echo "FATAL: obsolete KAME PF_KEYv2 declaration (no sadb_x_policy_id)" - exit 1 -fi -rm -f conftest* - cat > conftest.$ac_ext < -#include -#include -int main() { -struct sadb_x_sa2 m; -; return 0; } -EOF -if { (eval echo configure:2764: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then - : -else - echo "configure: failed program was:" >&5 - cat 
conftest.$ac_ext >&5 - rm -rf conftest* - echo "$ac_t""old" 1>&6 - echo "FATAL: obsolete KAME PF_KEYv2 declaration (no sadb_x_sa2)" - exit 1 -fi -rm -f conftest* - echo "$ac_t""fine" 1>&6 -fi - -ipsectype=unknown -ipseclib=none -ipseclibdir=none -echo $ac_n "checking ipsec library path""... $ac_c" 1>&6 -echo "configure:2782: checking ipsec library path" >&5 -for i in inria kame; do - ipsectrylibc=no - case $i in - inria) - cat > conftest.$ac_ext < -#ifdef IPV6_INRIA_VERSION -yes -#endif -EOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - egrep "yes" >/dev/null 2>&1; then - rm -rf conftest* - ipsectype=$i; - ipseclib=ipsec; - ipseclibdir=/usr/lib -fi -rm -f conftest* - - ;; - kame) - cat > conftest.$ac_ext < -#ifdef __KAME__ -yes -#endif -EOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - egrep "yes" >/dev/null 2>&1; then - rm -rf conftest* - ipsectype=$i; - ipseclib=ipsec; - ipseclibdir=/usr/local/v6/lib -fi -rm -f conftest* - - ;; - esac - if test "$ipsectype" != "unknown"; then - break - fi -done -echo "$ac_t""$ipseclibdir" 1>&6 - -if test "$ipseclib" != "none"; then - if test "$ipseclibdir" != "none"; then - -echo $ac_n "checking for $ipseclib containing ipsec_strerror""... 
$ac_c" 1>&6 -echo "configure:2837: checking for $ipseclib containing ipsec_strerror" >&5 -if eval "test \"`echo '$''{'ac_cv_search_ipsec_strerror'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - ac_func_search_save_LIBS="$LIBS" -ac_cv_search_ipsec_strerror="no" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_ipsec_strerror="none required" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - LIBS="-l$ipseclib $LIBS" - cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_ipsec_strerror="-l$ipseclib" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 -fi -rm -f conftest* -fi -rm -f conftest* -LIBS="$ac_func_search_save_LIBS" -test "$ac_cv_search_ipsec_strerror" = "no" && for i in $ipseclibdir; do -LIBS="-L$i -l$ipseclib $ac_func_search_save_LIBS" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_ipsec_strerror="-L$i -l$ipseclib" -break -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 -fi -rm -f conftest* -done -LIBS="$ac_func_search_save_LIBS" -fi - -echo "$ac_t""$ac_cv_search_ipsec_strerror" 1>&6 -if test "$ac_cv_search_ipsec_strerror" != "no"; then - test "$ac_cv_search_ipsec_strerror" = "none required" || LIBS="$ac_cv_search_ipsec_strerror $LIBS" - -else : - -fi - else - -echo $ac_n "checking for $ipseclib containing ipsec_strerror""... 
$ac_c" 1>&6 -echo "configure:2923: checking for $ipseclib containing ipsec_strerror" >&5 -if eval "test \"`echo '$''{'ac_cv_search_ipsec_strerror'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - ac_func_search_save_LIBS="$LIBS" -ac_cv_search_ipsec_strerror="no" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_ipsec_strerror="none required" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - LIBS="-l$ipseclib $LIBS" - cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_ipsec_strerror="-l$ipseclib" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 -fi -rm -f conftest* -fi -rm -f conftest* -LIBS="$ac_func_search_save_LIBS" -test "$ac_cv_search_ipsec_strerror" = "no" && for i in ; do -LIBS="-L$i -l$ipseclib $ac_func_search_save_LIBS" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_ipsec_strerror="-L$i -l$ipseclib" -break -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 -fi -rm -f conftest* -done -LIBS="$ac_func_search_save_LIBS" -fi - -echo "$ac_t""$ac_cv_search_ipsec_strerror" 1>&6 -if test "$ac_cv_search_ipsec_strerror" != "no"; then - test "$ac_cv_search_ipsec_strerror" = "none required" || LIBS="$ac_cv_search_ipsec_strerror $LIBS" - -else : - -fi - fi -fi - -echo $ac_n "checking if --with-libpfkey option is specified""... $ac_c" 1>&6 -echo "configure:3010: checking if --with-libpfkey option is specified" >&5 -# Check whether --with-libpfkey or --without-libpfkey was given. 
-if test "${with_libpfkey+set}" = set; then - withval="$with_libpfkey" - libpfkey_dir=$withval -else - libpfkey_dir=no -fi - -echo "$ac_t""${libpfkey_dir}" 1>&6 -if test "$libpfkey_dir" != "no"; then - if test "x$libpfkey_dir" = "x"; then - -echo $ac_n "checking for pfkey containing pfkey_send_spdsetidx""... $ac_c" 1>&6 -echo "configure:3024: checking for pfkey containing pfkey_send_spdsetidx" >&5 -if eval "test \"`echo '$''{'ac_cv_search_pfkey_send_spdsetidx'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - ac_func_search_save_LIBS="$LIBS" -ac_cv_search_pfkey_send_spdsetidx="no" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_pfkey_send_spdsetidx="none required" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - LIBS="-lpfkey $LIBS" - cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_pfkey_send_spdsetidx="-lpfkey" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 -fi -rm -f conftest* -fi -rm -f conftest* -LIBS="$ac_func_search_save_LIBS" -test "$ac_cv_search_pfkey_send_spdsetidx" = "no" && for i in ; do -LIBS="-L$i -lpfkey $ac_func_search_save_LIBS" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_pfkey_send_spdsetidx="-L$i -lpfkey" -break -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 -fi -rm -f conftest* -done -LIBS="$ac_func_search_save_LIBS" -fi - -echo "$ac_t""$ac_cv_search_pfkey_send_spdsetidx" 1>&6 -if test "$ac_cv_search_pfkey_send_spdsetidx" != "no"; then - test "$ac_cv_search_pfkey_send_spdsetidx" = "none required" || LIBS="$ac_cv_search_pfkey_send_spdsetidx $LIBS" - -else : - -fi - else - -echo $ac_n "checking for pfkey containing pfkey_send_spdsetidx""... 
$ac_c" 1>&6 -echo "configure:3110: checking for pfkey containing pfkey_send_spdsetidx" >&5 -if eval "test \"`echo '$''{'ac_cv_search_pfkey_send_spdsetidx'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - ac_func_search_save_LIBS="$LIBS" -ac_cv_search_pfkey_send_spdsetidx="no" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_pfkey_send_spdsetidx="none required" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - LIBS="-lpfkey $LIBS" - cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_pfkey_send_spdsetidx="-lpfkey" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 -fi -rm -f conftest* -fi -rm -f conftest* -LIBS="$ac_func_search_save_LIBS" -test "$ac_cv_search_pfkey_send_spdsetidx" = "no" && for i in $libpfkey_dir; do -LIBS="-L$i -lpfkey $ac_func_search_save_LIBS" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_pfkey_send_spdsetidx="-L$i -lpfkey" -break -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 -fi -rm -f conftest* -done -LIBS="$ac_func_search_save_LIBS" -fi - -echo "$ac_t""$ac_cv_search_pfkey_send_spdsetidx" 1>&6 -if test "$ac_cv_search_pfkey_send_spdsetidx" != "no"; then - test "$ac_cv_search_pfkey_send_spdsetidx" = "none required" || LIBS="$ac_cv_search_pfkey_send_spdsetidx $LIBS" - -else : - -fi - fi -fi - -echo $ac_n "checking if --with-liblwres option is specified""... $ac_c" 1>&6 -echo "configure:3197: checking if --with-liblwres option is specified" >&5 -# Check whether --with-liblwres or --without-liblwres was given. 
-if test "${with_liblwres+set}" = set; then - withval="$with_liblwres" - liblwres_dir=$withval -else - liblwres_dir=no -fi - -echo "$ac_t""${liblwres_dir}" 1>&6 -if test "$liblwres_dir" != "no"; then - if test -d "$liblwres_dir/lib" -a -d "$liblwres_dir/lib"; then - if test "x$liblwres_dir" = "x"; then - -echo $ac_n "checking for lwres containing lwres_getrrsetbyname""... $ac_c" 1>&6 -echo "configure:3212: checking for lwres containing lwres_getrrsetbyname" >&5 -if eval "test \"`echo '$''{'ac_cv_search_lwres_getrrsetbyname'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - ac_func_search_save_LIBS="$LIBS" -ac_cv_search_lwres_getrrsetbyname="no" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_lwres_getrrsetbyname="none required" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - LIBS="-llwres $LIBS" - cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_lwres_getrrsetbyname="-llwres" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 -fi -rm -f conftest* -fi -rm -f conftest* -LIBS="$ac_func_search_save_LIBS" -test "$ac_cv_search_lwres_getrrsetbyname" = "no" && for i in ; do -LIBS="-L$i -llwres $ac_func_search_save_LIBS" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_lwres_getrrsetbyname="-L$i -llwres" -break -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 -fi -rm -f conftest* -done -LIBS="$ac_func_search_save_LIBS" -fi - -echo "$ac_t""$ac_cv_search_lwres_getrrsetbyname" 1>&6 -if test "$ac_cv_search_lwres_getrrsetbyname" != "no"; then - test "$ac_cv_search_lwres_getrrsetbyname" = "none required" || LIBS="$ac_cv_search_lwres_getrrsetbyname $LIBS" - -else : - -fi - else - -echo $ac_n "checking for lwres containing 
lwres_getrrsetbyname""... $ac_c" 1>&6 -echo "configure:3298: checking for lwres containing lwres_getrrsetbyname" >&5 -if eval "test \"`echo '$''{'ac_cv_search_lwres_getrrsetbyname'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - ac_func_search_save_LIBS="$LIBS" -ac_cv_search_lwres_getrrsetbyname="no" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_lwres_getrrsetbyname="none required" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - LIBS="-llwres $LIBS" - cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_lwres_getrrsetbyname="-llwres" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 -fi -rm -f conftest* -fi -rm -f conftest* -LIBS="$ac_func_search_save_LIBS" -test "$ac_cv_search_lwres_getrrsetbyname" = "no" && for i in "$liblwres_dir/lib"; do -LIBS="-L$i -llwres $ac_func_search_save_LIBS" -cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - ac_cv_search_lwres_getrrsetbyname="-L$i -llwres" -break -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 -fi -rm -f conftest* -done -LIBS="$ac_func_search_save_LIBS" -fi - -echo "$ac_t""$ac_cv_search_lwres_getrrsetbyname" 1>&6 -if test "$ac_cv_search_lwres_getrrsetbyname" != "no"; then - test "$ac_cv_search_lwres_getrrsetbyname" = "none required" || LIBS="$ac_cv_search_lwres_getrrsetbyname $LIBS" - -else : - -fi - fi - CFLAGS="$CFLAGS -I$liblwres_dir/include" - for ac_func in lwres_getrrsetbyname -do -echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:3386: checking for $ac_func" >&5 -if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext < -/* Override any gcc2 internal prototype to avoid an error. 
*/ -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func(); - -int main() { - -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -$ac_func(); -#endif - -; return 0; } -EOF -if { (eval echo configure:3414: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - eval "ac_cv_func_$ac_func=yes" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - eval "ac_cv_func_$ac_func=no" -fi -rm -f conftest* -fi - -if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then - echo "$ac_t""yes" 1>&6 - ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'` - cat >> confdefs.h <&6 -fi -done - - else - echo "FATAL: $liblwres_dir/lib or $liblwres_dir/include not found" - exit 1 - fi -fi -for ac_func in getrrsetbyname -do -echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:3446: checking for $ac_func" >&5 -if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext < -/* Override any gcc2 internal prototype to avoid an error. */ -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func(); - -int main() { - -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -$ac_func(); -#endif - -; return 0; } -EOF -if { (eval echo configure:3474: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - eval "ac_cv_func_$ac_func=yes" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - eval "ac_cv_func_$ac_func=no" -fi -rm -f conftest* -fi - -if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then - echo "$ac_t""yes" 1>&6 - ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'` - cat >> confdefs.h <&6 -fi -done - - -echo $ac_n "checking for ANSI C header files""... $ac_c" 1>&6 -echo "configure:3500: checking for ANSI C header files" >&5 -if eval "test \"`echo '$''{'ac_cv_header_stdc'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext < -#include -#include -#include -EOF -ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:3513: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } -ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` -if test -z "$ac_err"; then - rm -rf conftest* - ac_cv_header_stdc=yes -else - echo "$ac_err" >&5 - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - ac_cv_header_stdc=no -fi -rm -f conftest* - -if test $ac_cv_header_stdc = yes; then - # SunOS 4.x string.h does not declare mem*, contrary to ANSI. -cat > conftest.$ac_ext < -EOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - egrep "memchr" >/dev/null 2>&1; then - : -else - rm -rf conftest* - ac_cv_header_stdc=no -fi -rm -f conftest* - -fi - -if test $ac_cv_header_stdc = yes; then - # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI. 
-cat > conftest.$ac_ext < -EOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - egrep "free" >/dev/null 2>&1; then - : -else - rm -rf conftest* - ac_cv_header_stdc=no -fi -rm -f conftest* - -fi - -if test $ac_cv_header_stdc = yes; then - # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi. -if test "$cross_compiling" = yes; then - : -else - cat > conftest.$ac_ext < -#define ISLOWER(c) ('a' <= (c) && (c) <= 'z') -#define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c)) -#define XOR(e, f) (((e) && !(f)) || (!(e) && (f))) -int main () { int i; for (i = 0; i < 256; i++) -if (XOR (islower (i), ISLOWER (i)) || toupper (i) != TOUPPER (i)) exit(2); -exit (0); } - -EOF -if { (eval echo configure:3580: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null -then - : -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -fr conftest* - ac_cv_header_stdc=no -fi -rm -fr conftest* -fi - -fi -fi - -echo "$ac_t""$ac_cv_header_stdc" 1>&6 -if test $ac_cv_header_stdc = yes; then - cat >> confdefs.h <<\EOF -#define STDC_HEADERS 1 -EOF - -fi - -echo $ac_n "checking for sys/wait.h that is POSIX.1 compatible""... $ac_c" 1>&6 -echo "configure:3604: checking for sys/wait.h that is POSIX.1 compatible" >&5 -if eval "test \"`echo '$''{'ac_cv_header_sys_wait_h'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext < -#include -#ifndef WEXITSTATUS -#define WEXITSTATUS(stat_val) ((unsigned)(stat_val) >> 8) -#endif -#ifndef WIFEXITED -#define WIFEXITED(stat_val) (((stat_val) & 255) == 0) -#endif -int main() { -int s; -wait (&s); -s = WIFEXITED (s) ? 
WEXITSTATUS (s) : 1; -; return 0; } -EOF -if { (eval echo configure:3625: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then - rm -rf conftest* - ac_cv_header_sys_wait_h=yes -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - ac_cv_header_sys_wait_h=no -fi -rm -f conftest* -fi - -echo "$ac_t""$ac_cv_header_sys_wait_h" 1>&6 -if test $ac_cv_header_sys_wait_h = yes; then - cat >> confdefs.h <<\EOF -#define HAVE_SYS_WAIT_H 1 -EOF - -fi - -for ac_hdr in limits.h sys/time.h unistd.h stdarg.h varargs.h -do -ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` -echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6 -echo "configure:3649: checking for $ac_hdr" >&5 -if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext < -EOF -ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:3659: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } -ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` -if test -z "$ac_err"; then - rm -rf conftest* - eval "ac_cv_header_$ac_safe=yes" -else - echo "$ac_err" >&5 - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - eval "ac_cv_header_$ac_safe=no" -fi -rm -f conftest* -fi -if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then - echo "$ac_t""yes" 1>&6 - ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'` - cat >> confdefs.h <&6 -fi -done - -signing=yes -if test "$enable_rc5" = "yes"; then - rc5header=openssl/rc5.h -else - rc5header= -fi -if test "$enable_idea" = "yes"; then - ideaheader=openssl/idea.h -else - ideaheader= -fi -for ac_hdr in $ideaheader $rc5header openssl/rsa.h openssl/pem.h openssl/evp.h openssl/x509.h -do -ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` -echo $ac_n "checking for $ac_hdr""... 
$ac_c" 1>&6 -echo "configure:3700: checking for $ac_hdr" >&5 -if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext < -EOF -ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:3710: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } -ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` -if test -z "$ac_err"; then - rm -rf conftest* - eval "ac_cv_header_$ac_safe=yes" -else - echo "$ac_err" >&5 - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - eval "ac_cv_header_$ac_safe=no" -fi -rm -f conftest* -fi -if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then - echo "$ac_t""yes" 1>&6 - ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'` - cat >> confdefs.h <&6 -nosymbol=`echo $ac_hdr | sed -e 's/.h$//' -e 's/^openssl.//' -e 's/^/NO_/' | tr 'a-z' 'A-Z'` - CPPFLAGS="$CPPFLAGS -D$nosymbol=1" - signing=no -fi -done - -if test $signing = "yes"; then - cat >> confdefs.h <<\EOF -#define HAVE_SIGNING_C 1 -EOF - -fi -for ac_hdr in openssl/cversion.h openssl/opensslv.h -do -ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` -echo $ac_n "checking for $ac_hdr""... 
$ac_c" 1>&6 -echo "configure:3749: checking for $ac_hdr" >&5 -if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext < -EOF -ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:3759: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } -ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` -if test -z "$ac_err"; then - rm -rf conftest* - eval "ac_cv_header_$ac_safe=yes" -else - echo "$ac_err" >&5 - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - eval "ac_cv_header_$ac_safe=no" -fi -rm -f conftest* -fi -if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then - echo "$ac_t""yes" 1>&6 - ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'` - cat >> confdefs.h <&6 -fi -done - - - - -ac_safe=`echo "openssl/rijndael.h" | sed 'y%./+-%__p_%'` -echo $ac_n "checking for openssl/rijndael.h""... $ac_c" 1>&6 -echo "configure:3790: checking for openssl/rijndael.h" >&5 -if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext < -EOF -ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:3800: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } -ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` -if test -z "$ac_err"; then - rm -rf conftest* - eval "ac_cv_header_$ac_safe=yes" -else - echo "$ac_err" >&5 - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - eval "ac_cv_header_$ac_safe=no" -fi -rm -f conftest* -fi -if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then - echo "$ac_t""yes" 1>&6 - : -else - echo "$ac_t""no" 1>&6 - - CPPFLAGS="$CPPFLAGS -I./missing" - CRYPTOBJS="$CRYPTOBJS rijndael-api-fst.o rijndael-alg-fst.o" - -fi - - -echo $ac_n "checking sha2 support""... 
$ac_c" 1>&6 -echo "configure:3827: checking sha2 support" >&5 -cat > conftest.$ac_ext < -#if OPENSSL_VERSION_NUMBER >= 0x0090602fL -yes -#endif -EOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - egrep "yes" >/dev/null 2>&1; then - rm -rf conftest* - echo "$ac_t""no" 1>&6 - echo "WARNING: racoon sha2 library is not compatible with recent openssl(0.9.6b or above)." - echo "WARNING: sha2 disabled." -else - rm -rf conftest* - echo "$ac_t""yes" 1>&6 - cat >> confdefs.h <<\EOF -#define WITH_SHA2 1 -EOF - - ac_safe=`echo "openssl/sha2.h" | sed 'y%./+-%__p_%'` -echo $ac_n "checking for openssl/sha2.h""... $ac_c" 1>&6 -echo "configure:3851: checking for openssl/sha2.h" >&5 -if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext < -EOF -ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:3861: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } -ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` -if test -z "$ac_err"; then - rm -rf conftest* - eval "ac_cv_header_$ac_safe=yes" -else - echo "$ac_err" >&5 - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - eval "ac_cv_header_$ac_safe=no" -fi -rm -f conftest* -fi -if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then - echo "$ac_t""yes" 1>&6 - : -else - echo "$ac_t""no" 1>&6 - - CPPFLAGS="$CPPFLAGS -I./missing" - CRYPTOBJS="$CRYPTOBJS sha2.o" -fi - - -fi -rm -f conftest* - - -echo $ac_n "checking for working const""... 
$ac_c" 1>&6 -echo "configure:3891: checking for working const" >&5 -if eval "test \"`echo '$''{'ac_cv_c_const'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext <j = 5; -} -{ /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */ - const int foo = 10; -} - -; return 0; } -EOF -if { (eval echo configure:3945: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then - rm -rf conftest* - ac_cv_c_const=yes -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - ac_cv_c_const=no -fi -rm -f conftest* -fi - -echo "$ac_t""$ac_cv_c_const" 1>&6 -if test $ac_cv_c_const = no; then - cat >> confdefs.h <<\EOF -#define const -EOF - -fi - -echo $ac_n "checking for pid_t""... $ac_c" 1>&6 -echo "configure:3966: checking for pid_t" >&5 -if eval "test \"`echo '$''{'ac_cv_type_pid_t'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext < -#if STDC_HEADERS -#include -#include -#endif -EOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - egrep "(^|[^a-zA-Z_0-9])pid_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then - rm -rf conftest* - ac_cv_type_pid_t=yes -else - rm -rf conftest* - ac_cv_type_pid_t=no -fi -rm -f conftest* - -fi -echo "$ac_t""$ac_cv_type_pid_t" 1>&6 -if test $ac_cv_type_pid_t = no; then - cat >> confdefs.h <<\EOF -#define pid_t int -EOF - -fi - -echo $ac_n "checking for size_t""... 
$ac_c" 1>&6 -echo "configure:3999: checking for size_t" >&5 -if eval "test \"`echo '$''{'ac_cv_type_size_t'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext < -#if STDC_HEADERS -#include -#include -#endif -EOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - egrep "(^|[^a-zA-Z_0-9])size_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then - rm -rf conftest* - ac_cv_type_size_t=yes -else - rm -rf conftest* - ac_cv_type_size_t=no -fi -rm -f conftest* - -fi -echo "$ac_t""$ac_cv_type_size_t" 1>&6 -if test $ac_cv_type_size_t = no; then - cat >> confdefs.h <<\EOF -#define size_t unsigned -EOF - -fi - -echo $ac_n "checking whether time.h and sys/time.h may both be included""... $ac_c" 1>&6 -echo "configure:4032: checking whether time.h and sys/time.h may both be included" >&5 -if eval "test \"`echo '$''{'ac_cv_header_time'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext < -#include -#include -int main() { -struct tm *tp; -; return 0; } -EOF -if { (eval echo configure:4046: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then - rm -rf conftest* - ac_cv_header_time=yes -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - ac_cv_header_time=no -fi -rm -f conftest* -fi - -echo "$ac_t""$ac_cv_header_time" 1>&6 -if test $ac_cv_header_time = yes; then - cat >> confdefs.h <<\EOF -#define TIME_WITH_SYS_TIME 1 -EOF - -fi - -echo $ac_n "checking whether struct tm is in sys/time.h or time.h""... 
$ac_c" 1>&6 -echo "configure:4067: checking whether struct tm is in sys/time.h or time.h" >&5 -if eval "test \"`echo '$''{'ac_cv_struct_tm'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext < -#include -int main() { -struct tm *tp; tp->tm_sec; -; return 0; } -EOF -if { (eval echo configure:4080: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then - rm -rf conftest* - ac_cv_struct_tm=time.h -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - ac_cv_struct_tm=sys/time.h -fi -rm -f conftest* -fi - -echo "$ac_t""$ac_cv_struct_tm" 1>&6 -if test $ac_cv_struct_tm = sys/time.h; then - cat >> confdefs.h <<\EOF -#define TM_IN_SYS_TIME 1 -EOF - -fi - - -echo $ac_n "checking for 8-bit clean memcmp""... $ac_c" 1>&6 -echo "configure:4102: checking for 8-bit clean memcmp" >&5 -if eval "test \"`echo '$''{'ac_cv_func_memcmp_clean'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - if test "$cross_compiling" = yes; then - ac_cv_func_memcmp_clean=no -else - cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null -then - ac_cv_func_memcmp_clean=yes -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -fr conftest* - ac_cv_func_memcmp_clean=no -fi -rm -fr conftest* -fi - -fi - -echo "$ac_t""$ac_cv_func_memcmp_clean" 1>&6 -test $ac_cv_func_memcmp_clean = no && LIBOBJS="$LIBOBJS memcmp.${ac_objext}" - -echo $ac_n "checking return type of signal handlers""... 
$ac_c" 1>&6 -echo "configure:4138: checking return type of signal handlers" >&5 -if eval "test \"`echo '$''{'ac_cv_type_signal'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext < -#include -#ifdef signal -#undef signal -#endif -#ifdef __cplusplus -extern "C" void (*signal (int, void (*)(int)))(int); -#else -void (*signal ()) (); -#endif - -int main() { -int i; -; return 0; } -EOF -if { (eval echo configure:4160: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then - rm -rf conftest* - ac_cv_type_signal=void -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - ac_cv_type_signal=int -fi -rm -f conftest* -fi - -echo "$ac_t""$ac_cv_type_signal" 1>&6 -cat >> confdefs.h <&6 -echo "configure:4179: checking for vprintf" >&5 -if eval "test \"`echo '$''{'ac_cv_func_vprintf'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext < -/* Override any gcc2 internal prototype to avoid an error. */ -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char vprintf(); - -int main() { - -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_vprintf) || defined (__stub___vprintf) -choke me -#else -vprintf(); -#endif - -; return 0; } -EOF -if { (eval echo configure:4207: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - eval "ac_cv_func_vprintf=yes" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - eval "ac_cv_func_vprintf=no" -fi -rm -f conftest* -fi - -if eval "test \"`echo '$ac_cv_func_'vprintf`\" = yes"; then - echo "$ac_t""yes" 1>&6 - cat >> confdefs.h <<\EOF -#define HAVE_VPRINTF 1 -EOF - -else - echo "$ac_t""no" 1>&6 -fi - -if test "$ac_cv_func_vprintf" != yes; then -echo $ac_n "checking for _doprnt""... $ac_c" 1>&6 -echo "configure:4231: checking for _doprnt" >&5 -if eval "test \"`echo '$''{'ac_cv_func__doprnt'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext < -/* Override any gcc2 internal prototype to avoid an error. */ -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char _doprnt(); - -int main() { - -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub__doprnt) || defined (__stub____doprnt) -choke me -#else -_doprnt(); -#endif - -; return 0; } -EOF -if { (eval echo configure:4259: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - eval "ac_cv_func__doprnt=yes" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - eval "ac_cv_func__doprnt=no" -fi -rm -f conftest* -fi - -if eval "test \"`echo '$ac_cv_func_'_doprnt`\" = yes"; then - echo "$ac_t""yes" 1>&6 - cat >> confdefs.h <<\EOF -#define HAVE_DOPRNT 1 -EOF - -else - echo "$ac_t""no" 1>&6 -fi - -fi - -for ac_func in gettimeofday select socket strerror strtol strtoul -do -echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:4286: checking for $ac_func" >&5 -if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext < -/* Override any gcc2 internal prototype to avoid an error. */ -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func(); - -int main() { - -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -$ac_func(); -#endif - -; return 0; } -EOF -if { (eval echo configure:4314: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - eval "ac_cv_func_$ac_func=yes" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - eval "ac_cv_func_$ac_func=no" -fi -rm -f conftest* -fi - -if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then - echo "$ac_t""yes" 1>&6 - ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'` - cat >> confdefs.h <&6 -fi -done - -for ac_func in strdup -do -echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:4341: checking for $ac_func" >&5 -if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext < -/* Override any gcc2 internal prototype to avoid an error. */ -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func(); - -int main() { - -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -$ac_func(); -#endif - -; return 0; } -EOF -if { (eval echo configure:4369: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - eval "ac_cv_func_$ac_func=yes" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - eval "ac_cv_func_$ac_func=no" -fi -rm -f conftest* -fi - -if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then - echo "$ac_t""yes" 1>&6 - ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'` - cat >> confdefs.h <&6 -LIBOBJS="$LIBOBJS ${ac_func}.${ac_objext}" -fi -done - - - -if test "x$prefix" = xNONE; then - sysconfdir_x=`echo $sysconfdir | sed -e 's,${prefix},'"$ac_default_prefix,"` -else - sysconfdir_x=`echo $sysconfdir | sed -e 's,${prefix},'"$prefix,"` - -fi - - -for ac_func in getifaddrs -do -echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:4407: checking for $ac_func" >&5 -if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext < -/* Override any gcc2 internal prototype to avoid an error. */ -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func(); - -int main() { - -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -$ac_func(); -#endif - -; return 0; } -EOF -if { (eval echo configure:4435: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - eval "ac_cv_func_$ac_func=yes" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - eval "ac_cv_func_$ac_func=no" -fi -rm -f conftest* -fi - -if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then - echo "$ac_t""yes" 1>&6 - ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'` - cat >> confdefs.h <&6 -fi -done - - -for ac_func in arc4random -do -echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:4463: checking for $ac_func" >&5 -if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then - echo $ac_n "(cached) $ac_c" 1>&6 -else - cat > conftest.$ac_ext < -/* Override any gcc2 internal prototype to avoid an error. */ -/* We use char because int might match the return type of a gcc2 - builtin and then its argument prototype would still apply. */ -char $ac_func(); - -int main() { - -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. 
*/ -#if defined (__stub_$ac_func) || defined (__stub___$ac_func) -choke me -#else -$ac_func(); -#endif - -; return 0; } -EOF -if { (eval echo configure:4491: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then - rm -rf conftest* - eval "ac_cv_func_$ac_func=yes" -else - echo "configure: failed program was:" >&5 - cat conftest.$ac_ext >&5 - rm -rf conftest* - eval "ac_cv_func_$ac_func=no" -fi -rm -f conftest* -fi - -if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then - echo "$ac_t""yes" 1>&6 - ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'` - cat >> confdefs.h <&6 -LIBOBJS="$LIBOBJS ${ac_func}.${ac_objext}" -fi -done - - - -echo $ac_n "checking if --with-pkgversion option is specified""... $ac_c" 1>&6 -echo "configure:4519: checking if --with-pkgversion option is specified" >&5 -# Check whether --with-pkgversion or --without-pkgversion was given. -if test "${with_pkgversion+set}" = set; then - withval="$with_pkgversion" - echo "$ac_t""$withval" 1>&6 - CPPFLAGS="$CPPFLAGS -DRACOON_PKG_VERSION=\"\\\"$withval\\\"\"" -else - echo "$ac_t""no" 1>&6 - pkgversion=no -fi - - -trap '' 1 2 15 -cat > confcache <<\EOF -# This file is a shell script that caches the results of configure -# tests run on this system so they can be shared between configure -# scripts and configure runs. It is not useful on other systems. -# If it contains results you don't want to keep, you may remove or edit it. -# -# By default, configure uses ./config.cache as the cache file, -# creating it if it does not exist already. You can give configure -# the --cache-file=FILE option to use a different cache file; that is -# what configure does when it calls configure scripts in -# subdirectories, so they share the cache. -# Giving --cache-file=/dev/null disables caching, for debugging configure. -# config.status only pays attention to the cache file if you give it the -# --recheck option to rerun configure. 
-# -EOF -# The following way of writing the cache mishandles newlines in values, -# but we know of no workaround that is simple, portable, and efficient. -# So, don't put newlines in cache variables' values. -# Ultrix sh set writes to stderr and can't be redirected directly, -# and sets the high bit in the cache file unless we assign to the vars. -(set) 2>&1 | - case `(ac_space=' '; set | grep ac_space) 2>&1` in - *ac_space=\ *) - # `set' does not quote correctly, so add quotes (double-quote substitution - # turns \\\\ into \\, and sed turns \\ into \). - sed -n \ - -e "s/'/'\\\\''/g" \ - -e "s/^\\([a-zA-Z0-9_]*_cv_[a-zA-Z0-9_]*\\)=\\(.*\\)/\\1=\${\\1='\\2'}/p" - ;; - *) - # `set' quotes correctly as required by POSIX, so do not add quotes. - sed -n -e 's/^\([a-zA-Z0-9_]*_cv_[a-zA-Z0-9_]*\)=\(.*\)/\1=${\1=\2}/p' - ;; - esac >> confcache -if cmp -s $cache_file confcache; then - : -else - if test -w $cache_file; then - echo "updating cache $cache_file" - cat confcache > $cache_file - else - echo "not updating unwritable cache $cache_file" - fi -fi -rm -f confcache - -trap 'rm -fr conftest* confdefs* core core.* *.core $ac_clean_files; exit 1' 1 2 15 - -test "x$prefix" = xNONE && prefix=$ac_default_prefix -# Let make expand exec_prefix. -test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' - -# Any assignment to VPATH causes Sun make to only execute -# the first set of double-colon rules, so remove it if not needed. -# If there is a colon in the path, we need to keep it. -if test "x$srcdir" = x.; then - ac_vpsub='/^[ ]*VPATH[ ]*=[^:]*$/d' -fi - -trap 'rm -f $CONFIG_STATUS conftest*; exit 1' 1 2 15 - -# Transform confdefs.h into DEFS. -# Protect against shell expansion while executing Makefile rules. -# Protect against Makefile macro expansion. 
-cat > conftest.defs <<\EOF -s%#define \([A-Za-z_][A-Za-z0-9_]*\) *\(.*\)%-D\1=\2%g -s%[ `~#$^&*(){}\\|;'"<>?]%\\&%g -s%\[%\\&%g -s%\]%\\&%g -s%\$%$$%g -EOF -DEFS=`sed -f conftest.defs confdefs.h | tr '\012' ' '` -rm -f conftest.defs - - -# Without the "./", some shells look in PATH for config.status. -: ${CONFIG_STATUS=./config.status} - -echo creating $CONFIG_STATUS -rm -f $CONFIG_STATUS -cat > $CONFIG_STATUS </dev/null | sed 1q`: -# -# $0 $ac_configure_args -# -# Compiler output produced by configure, useful for debugging -# configure, is in ./config.log if it exists. - -ac_cs_usage="Usage: $CONFIG_STATUS [--recheck] [--version] [--help]" -for ac_option -do - case "\$ac_option" in - -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) - echo "running \${CONFIG_SHELL-/bin/sh} $0 $ac_configure_args --no-create --no-recursion" - exec \${CONFIG_SHELL-/bin/sh} $0 $ac_configure_args --no-create --no-recursion ;; - -version | --version | --versio | --versi | --vers | --ver | --ve | --v) - echo "$CONFIG_STATUS generated by autoconf version 2.13" - exit 0 ;; - -help | --help | --hel | --he | --h) - echo "\$ac_cs_usage"; exit 0 ;; - *) echo "\$ac_cs_usage"; exit 1 ;; - esac -done - -ac_given_srcdir=$srcdir -ac_given_INSTALL="$INSTALL" - -trap 'rm -fr `echo "Makefile samples/psk.txt samples/racoon.conf" | sed "s/:[^ ]*//g"` conftest*; exit 1' 1 2 15 -EOF -cat >> $CONFIG_STATUS < conftest.subs <<\\CEOF -$ac_vpsub -$extrasub -s%@SHELL@%$SHELL%g -s%@CFLAGS@%$CFLAGS%g -s%@CPPFLAGS@%$CPPFLAGS%g -s%@CXXFLAGS@%$CXXFLAGS%g -s%@FFLAGS@%$FFLAGS%g -s%@DEFS@%$DEFS%g -s%@LDFLAGS@%$LDFLAGS%g -s%@LIBS@%$LIBS%g -s%@exec_prefix@%$exec_prefix%g -s%@prefix@%$prefix%g -s%@program_transform_name@%$program_transform_name%g -s%@bindir@%$bindir%g -s%@sbindir@%$sbindir%g -s%@libexecdir@%$libexecdir%g -s%@datadir@%$datadir%g -s%@sysconfdir@%$sysconfdir%g -s%@sharedstatedir@%$sharedstatedir%g -s%@localstatedir@%$localstatedir%g -s%@libdir@%$libdir%g -s%@includedir@%$includedir%g 
-s%@oldincludedir@%$oldincludedir%g -s%@infodir@%$infodir%g -s%@mandir@%$mandir%g -s%@CC@%$CC%g -s%@CPP@%$CPP%g -s%@LEX@%$LEX%g -s%@LEXLIB@%$LEXLIB%g -s%@INSTALL_PROGRAM@%$INSTALL_PROGRAM%g -s%@INSTALL_SCRIPT@%$INSTALL_SCRIPT%g -s%@INSTALL_DATA@%$INSTALL_DATA%g -s%@SET_MAKE@%$SET_MAKE%g -s%@host@%$host%g -s%@host_alias@%$host_alias%g -s%@host_cpu@%$host_cpu%g -s%@host_vendor@%$host_vendor%g -s%@host_os@%$host_os%g -s%@OPTFLAG@%$OPTFLAG%g -s%@DEBUGRMOBJS@%$DEBUGRMOBJS%g -s%@LIBOBJS@%$LIBOBJS%g -s%@CRYPTOBJS@%$CRYPTOBJS%g -s%@sysconfdir_x@%$sysconfdir_x%g - -CEOF -EOF - -cat >> $CONFIG_STATUS <<\EOF - -# Split the substitutions into bite-sized pieces for seds with -# small command number limits, like on Digital OSF/1 and HP-UX. -ac_max_sed_cmds=90 # Maximum number of lines to put in a sed script. -ac_file=1 # Number of current file. -ac_beg=1 # First line for current file. -ac_end=$ac_max_sed_cmds # Line after last line for current file. -ac_more_lines=: -ac_sed_cmds="" -while $ac_more_lines; do - if test $ac_beg -gt 1; then - sed "1,${ac_beg}d; ${ac_end}q" conftest.subs > conftest.s$ac_file - else - sed "${ac_end}q" conftest.subs > conftest.s$ac_file - fi - if test ! -s conftest.s$ac_file; then - ac_more_lines=false - rm -f conftest.s$ac_file - else - if test -z "$ac_sed_cmds"; then - ac_sed_cmds="sed -f conftest.s$ac_file" - else - ac_sed_cmds="$ac_sed_cmds | sed -f conftest.s$ac_file" - fi - ac_file=`expr $ac_file + 1` - ac_beg=$ac_end - ac_end=`expr $ac_end + $ac_max_sed_cmds` - fi -done -if test -z "$ac_sed_cmds"; then - ac_sed_cmds=cat -fi -EOF - -cat >> $CONFIG_STATUS <> $CONFIG_STATUS <<\EOF -for ac_file in .. $CONFIG_FILES; do if test "x$ac_file" != x..; then - # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in". 
- case "$ac_file" in - *:*) ac_file_in=`echo "$ac_file"|sed 's%[^:]*:%%'` - ac_file=`echo "$ac_file"|sed 's%:.*%%'` ;; - *) ac_file_in="${ac_file}.in" ;; - esac - - # Adjust a relative srcdir, top_srcdir, and INSTALL for subdirectories. - - # Remove last slash and all that follows it. Not all systems have dirname. - ac_dir=`echo $ac_file|sed 's%/[^/][^/]*$%%'` - if test "$ac_dir" != "$ac_file" && test "$ac_dir" != .; then - # The file is in a subdirectory. - test ! -d "$ac_dir" && mkdir "$ac_dir" - ac_dir_suffix="/`echo $ac_dir|sed 's%^\./%%'`" - # A "../" for each directory in $ac_dir_suffix. - ac_dots=`echo $ac_dir_suffix|sed 's%/[^/]*%../%g'` - else - ac_dir_suffix= ac_dots= - fi - - case "$ac_given_srcdir" in - .) srcdir=. - if test -z "$ac_dots"; then top_srcdir=. - else top_srcdir=`echo $ac_dots|sed 's%/$%%'`; fi ;; - /*) srcdir="$ac_given_srcdir$ac_dir_suffix"; top_srcdir="$ac_given_srcdir" ;; - *) # Relative path. - srcdir="$ac_dots$ac_given_srcdir$ac_dir_suffix" - top_srcdir="$ac_dots$ac_given_srcdir" ;; - esac - - case "$ac_given_INSTALL" in - [/$]*) INSTALL="$ac_given_INSTALL" ;; - *) INSTALL="$ac_dots$ac_given_INSTALL" ;; - esac - - echo creating "$ac_file" - rm -f "$ac_file" - configure_input="Generated automatically from `echo $ac_file_in|sed 's%.*/%%'` by configure." - case "$ac_file" in - *Makefile*) ac_comsub="1i\\ -# $configure_input" ;; - *) ac_comsub= ;; - esac - - ac_file_inputs=`echo $ac_file_in|sed -e "s%^%$ac_given_srcdir/%" -e "s%:% $ac_given_srcdir/%g"` - sed -e "$ac_comsub -s%@configure_input@%$configure_input%g -s%@srcdir@%$srcdir%g -s%@top_srcdir@%$top_srcdir%g -s%@INSTALL@%$INSTALL%g -" $ac_file_inputs | (eval "$ac_sed_cmds") > $ac_file -fi; done -rm -f conftest.s* - -EOF -cat >> $CONFIG_STATUS <> $CONFIG_STATUS <<\EOF - -exit 0 -EOF -chmod +x $CONFIG_STATUS -rm -fr confdefs* $ac_clean_files -test "$no_create" = yes || ${CONFIG_SHELL-/bin/sh} $CONFIG_STATUS || exit 1 - 
diff --git a/kame/kame/racoon/configure.in b/kame/kame/racoon/configure.in
deleted file mode 100644
index 04983834ee..0000000000
--- a/kame/kame/racoon/configure.in
+++ /dev/null
@@ -1,715 +0,0 @@ -dnl Process this file with autoconf to produce a configure script. -AC_INIT(admin.c) - -dnl Checks for programs. -AC_PROG_CC -AC_PROG_CPP -AC_PROG_LEX -AC_PROG_INSTALL -AC_PROG_MAKE_SET - -AC_CANONICAL_HOST -case $host in -*netbsd*) - CFLAGS="-Wl,-R/usr/pkg/lib $CFLAGS" ;; -esac - -AC_SUBST(OPTFLAG) -OPTFLAG="-O -DYIPS_DEBUG" -AC_MSG_CHECKING(if --enable-debug option is specified) -AC_ARG_ENABLE(debug, [ --enable-debug build a debug version], - [OPTFLAG="-g $OPTFLAG"; enable_debug=yes], [enable_debug=no]) -AC_MSG_RESULT($enable_debug) - -AC_SUBST(DEBUGRMOBJS) -AC_MSG_CHECKING(if --enable-debugrm option is specified) -AC_ARG_ENABLE(debugrm, [ --enable-debugrm build with the memory allocation recorder], - [OPTFLAG="-DDEBUG_RECORD_MALLOCATION $OPTFLAG"; enable_debugrm=yes], - [enable_debugrm=no]) -if test "$enable_debugrm" != "no"; then - DEBUGRMOBJS="debugrm.o" -fi -AC_MSG_RESULT($enable_debugrm) - -AC_MSG_CHECKING(if --enable-yydebug option is specified) -AC_ARG_ENABLE(yydebug, [ --enable-yydebug build a yydebug version], - [AC_DEFINE(YYDEBUG) - enable_yydebug=yes], [enable_yydebug=no]) -AC_MSG_RESULT($enable_yydebug) - -OPTFLAG="-Wall -Wmissing-prototypes -Wmissing-declarations $OPTFLAG" -AC_MSG_CHECKING(if --enable-pedant option is specified) -AC_ARG_ENABLE(pedant, [ --enable-pedant pedantic compiler options], - [OPTFLAG="-Werror $OPTFLAG"; enable_pedant=yes], - [enable_pedant=no]) -AC_MSG_RESULT($enable_pedant) - -AC_MSG_CHECKING(if --enable-adminport option is specified) -AC_ARG_ENABLE(adminport, - [ --enable-adminport enable admin port (INSECURE!)], - [], [enable_adminport=no]) -if test $enable_adminport = "yes"; then - AC_DEFINE(ENABLE_ADMINPORT) -fi -AC_MSG_RESULT($enable_adminport) - -AC_MSG_CHECKING(if --enable-rc5 option is specified) -AC_ARG_ENABLE(rc5, - [ --enable-rc5 enable RC5 encryption (patented)], - [], [enable_rc5=no]) -AC_MSG_RESULT($enable_rc5) - -AC_MSG_CHECKING(if --enable-idea option is specified) -AC_ARG_ENABLE(idea, - [ 
--enable-idea enable IDEA encryption (patented)], - [], [enable_idea=no]) -AC_MSG_RESULT($enable_idea) - -AC_MSG_CHECKING(if --enable-gssapi option is specified) -AC_ARG_ENABLE(rc5, - [ --enable-gssapi enable GSS-API authentication], - [], [enable_gssapi=no]) -if test "x$enable_gssapi" = "xyes"; then - AC_DEFINE(HAVE_GSSAPI) -fi -AC_MSG_RESULT($enable_gssapi) - -AC_MSG_CHECKING(if --enable-stats option is specified) -AC_ARG_ENABLE(stats, - [ --enable-stats enable statistics logging function], - [], [enable_stats=no]) -if test "x$enable_stats" = "xyes"; then - AC_DEFINE(ENABLE_STATS) -fi -AC_MSG_RESULT($enable_stats) - -AC_MSG_CHECKING(if --enable-samode-unspec option is specified) -AC_ARG_ENABLE(samode-unspec, - [ --enable-samode-unspec enable to use unspecified a mode of SA], - [], [enable_samode_unspec=no]) -if test "x$enable_samode_unspec" = "xyes"; then - AC_DEFINE(ENABLE_SAMODE_UNSPECIFIED) -fi -AC_MSG_RESULT($enable_samode_unspec) - -efence_dir= -AC_MSG_CHECKING(if --with-efence option is specified) -AC_ARG_WITH(efence, [ --with-efence=DIR specify ElectricFence directory], - [efence_dir=$withval], [efence_dir=no]) -AC_MSG_RESULT(${efence_dir}) -if test "$efence_dir" != "no"; then - if test "x$efence_dir" = "x"; then - RACOON_PATH_LIBS(EF_Print, efence) - else - RACOON_PATH_LIBS(EF_Print, efence, $efence_dir) - fi -fi - -gc_dir= -AC_MSG_CHECKING(if --with-gc option is specified) -AC_ARG_WITH(gc, [ --with-gc=DIR specify Bohem GC directory (experimental)], - [gc_dir=$withval], [gc_dir=no]) -AC_MSG_RESULT(${gc_dir}) -if test "$gc_dir" != "no"; then - AC_DEFINE(GC) - if test "x$gc_dir" = "x"; then - RACOON_PATH_LIBS(GC_malloc, leak) - else - RACOON_PATH_LIBS(GC_malloc, leak, $gc_dir) - fi -fi - -dmalloc_dir= -AC_MSG_CHECKING(if --with-dmalloc option is specified) -AC_ARG_WITH(dmalloc, [ --with-dmalloc=DIR specify Dmalloc directory], - [dmalloc_dir=$withval], [dmalloc_dir=no]) -AC_MSG_RESULT(${dmalloc_dir}) -if test "$dmalloc_dir" != "no"; then - AC_DEFINE(DMALLOC) 
- if test "x$dmalloc_dir" = "x"; then - RACOON_PATH_LIBS(dmalloc_log_unfreed, dmalloc) - else - RACOON_PATH_LIBS(dmalloc_log_unfreed, dmalloc, $dmalloc_dir) - fi -fi - -tcpdump= -AC_MSG_CHECKING(if --with-tcpdump option is specified) -AC_ARG_WITH(tcpdump, [ --with-tcpdump use tcpdump decoder on debugging], - [tcpdump=$withval], [tcpdump=no]) -AC_MSG_RESULT(${tcpdump}) -if test "$tcpdump" != "no"; then - LIBOBJS="$LIBOBJS print-isakmp.o" - AC_DEFINE(HAVE_PRINT_ISAKMP_C) - CPPFLAGS="$CPPFLAGS -I$(srcdir)" -fi - -AC_MSG_CHECKING(if __func__ is available) -AC_TRY_COMPILE(dnl -[#include -], [char *x = __func__;], - [AC_DEFINE(HAVE_FUNC_MACRO) - AC_MSG_RESULT(yes)], - [AC_MSG_RESULT(no)]) - -dnl Checks for libraries. -AC_MSG_CHECKING([whether to enable ipv6]) -AC_ARG_ENABLE(ipv6, -[ --enable-ipv6 Enable ipv6 (with ipv4) support - --disable-ipv6 Disable ipv6 support], -[ case "$enableval" in - no) - AC_MSG_RESULT(no) - ipv6=no - ;; - *) AC_MSG_RESULT(yes) - AC_DEFINE(INET6) - ipv6=yes - ;; - esac ], - - AC_TRY_RUN([ /* AF_INET6 avalable check */ -#include -#include -main() -{ - exit(0); - if (socket(AF_INET6, SOCK_STREAM, 0) < 0) - exit(1); - else - exit(0); -} -], - AC_MSG_RESULT(yes) - AC_DEFINE(ENABLE_IPV6) - ipv6=yes, - AC_MSG_RESULT(no) - ipv6=no, - AC_MSG_RESULT(no) - ipv6=no -)) - -ipv6type=unknown -ipv6lib=none -ipv6libdir=none - -if test "$ipv6" = "yes"; then - AC_MSG_CHECKING([ipv6 stack type]) - for i in inria kame linux toshiba v6d zeta; do - ipv6trylibc=no - case $i in - inria) - dnl http://www.kame.net/ - AC_EGREP_CPP(yes, [dnl -#include -#ifdef IPV6_INRIA_VERSION -yes -#endif], - [ipv6type=$i; - ipv6lib=inet6; - ipv6libdir=/usr/lib; - ipv6trylibc=yes - CPPFLAGS="-DINET6 $CPPFLAGS"]) - ;; - kame) - dnl http://www.kame.net/ - AC_EGREP_CPP(yes, [dnl -#include -#ifdef __KAME__ -yes -#endif], - [ipv6type=$i; - ipv6lib=inet6; - ipv6libdir=/usr/local/v6/lib; - ipv6trylibc=yes - CPPFLAGS="-DINET6 $CPPFLAGS"]) - ;; - linux) - dnl http://www.v6.linux.or.jp/ - if test 
-d /usr/inet6; then - ipv6type=$i - ipv6lib=inet6 - ipv6libdir=/usr/inet6/lib - CPPFLAGS="-DINET6 -I/usr/inet6/include $CPPFLAGS" - fi - ;; - toshiba) - AC_EGREP_CPP(yes, [dnl -#include -#ifdef _TOSHIBA_INET6 -yes -#endif], - [ipv6type=$i; - ipv6lib=inet6; - ipv6libdir=/usr/local/v6/lib; - CPPFLAGS="-DINET6 $CPPFLAGS"]) - ;; - v6d) - AC_EGREP_CPP(yes, [dnl -#include -#ifdef __V6D__ -yes -#endif], - [ipv6type=$i; - ipv6lib=v6; - ipv6libdir=/usr/local/v6/lib; - CPPFLAGS="-I/usr/local/v6/include $CPPFLAGS"]) - ;; - zeta) - AC_EGREP_CPP(yes, [dnl -#include -#ifdef _ZETA_MINAMI_INET6 -yes -#endif], - [ipv6type=$i; - ipv6lib=inet6; - ipv6libdir=/usr/local/v6/lib; - CPPFLAGS="-DINET6 $CPPFLAGS"]) - ;; - esac - if test "$ipv6type" != "unknown"; then - break - fi - done - AC_MSG_RESULT($ipv6type) -fi - -if test "$ipv6" = "yes" -a "$ipv6lib" != "none"; then - if test -d $ipv6libdir -a -f $ipv6libdir/lib$ipv6lib.a; then - echo "using lib$ipv6lib for getaddrinfo" - LIBS="$LIBS -L$ipv6libdir -l$ipv6lib" - else - if test "$ipv6trylibc" = "yes"; then - echo 'using libc for getaddrinfo' - else - echo "Fatal: no $ipv6lib library found. " - echo "cannot continue. You need to fetch lib$ipv6lib.a " - echo "from appropriate ipv6 kit and compile beforehand." 
- exit 1 - fi - fi -fi - -if test "$ipv6" = "yes"; then - AC_MSG_CHECKING(for advanced API support) - AC_CACHE_VAL(racoon_cv_advapi, [dnl - AC_TRY_COMPILE([#ifndef INET6 -#define INET6 -#endif -#include -#include ], - [struct in6_pktinfo a;], - [racoon_cv_advapi="yes"], [racoon_cv_advapi="no"])]) - AC_MSG_RESULT($racoon_cv_advapi) - if test "$racoon_cv_advapi" = yes; then - AC_DEFINE(ADVAPI) - fi -fi - -AC_MSG_CHECKING(getaddrinfo bug) -AC_TRY_RUN([ -#include -#include -#include -#include -#include - -main() -{ - int passive, gaierr, inet4 = 0, inet6 = 0; - struct addrinfo hints, *ai, *aitop; - char straddr[INET6_ADDRSTRLEN], strport[16]; - - for (passive = 0; passive <= 1; passive++) { - memset(&hints, 0, sizeof(hints)); - hints.ai_family = AF_UNSPEC; - hints.ai_flags = passive ? AI_PASSIVE : 0; - hints.ai_protocol = IPPROTO_TCP; - hints.ai_socktype = SOCK_STREAM; - if ((gaierr = getaddrinfo(NULL, "54321", &hints, &aitop)) != 0) { - (void)gai_strerror(gaierr); - goto bad; - } - for (ai = aitop; ai; ai = ai->ai_next) { - if (ai->ai_addr == NULL || - ai->ai_addrlen == 0 || - getnameinfo(ai->ai_addr, ai->ai_addrlen, - straddr, sizeof(straddr), strport, sizeof(strport), - NI_NUMERICHOST|NI_NUMERICSERV) != 0) { - goto bad; - } - switch (ai->ai_family) { - case AF_INET: - if (strcmp(strport, "54321") != 0) { - goto bad; - } - if (passive) { - if (strcmp(straddr, "0.0.0.0") != 0) { - goto bad; - } - } else { - if (strcmp(straddr, "127.0.0.1") != 0) { - goto bad; - } - } - inet4++; - break; - case AF_INET6: - if (strcmp(strport, "54321") != 0) { - goto bad; - } - if (passive) { - if (strcmp(straddr, "::") != 0) { - goto bad; - } - } else { - if (strcmp(straddr, "::1") != 0) { - goto bad; - } - } - inet6++; - break; - case AF_UNSPEC: - goto bad; - break; - default: - /* another family support? 
*/ - break; - } - } - } - - if (!(inet4 == 0 || inet4 == 2)) - goto bad; - if (!(inet6 == 0 || inet6 == 2)) - goto bad; - - if (aitop) - freeaddrinfo(aitop); - exit(0); - - bad: - if (aitop) - freeaddrinfo(aitop); - exit(1); -} -], -AC_MSG_RESULT(good) -buggygetaddrinfo=no, -AC_MSG_RESULT(buggy) -buggygetaddrinfo=yes, -AC_MSG_RESULT(buggy) -buggygetaddrinfo=yes) - -if test "$buggygetaddrinfo" = "yes"; then - if test "$ipv6" = "yes"; then - echo 'Fatal: You must get working getaddrinfo() function.' - echo ' or you can specify "--disable-ipv6"'. - exit 1 - else - CPPFLAGS="$CPPFLAGS -I./missing" - fi -fi -AC_REPLACE_FUNCS(getaddrinfo getnameinfo) - -AC_MSG_CHECKING(if --with-ssleay option is specified) -AC_ARG_WITH(ssleay, [ --with-ssleay=DIR specify SSLeay directory], - [crypto_dir=$withval]) -AC_MSG_RESULT(${crypto_dir-"default"}) - -dnl if test "$crypto_dir" != "default"; then -dnl LIBS="-L$crypto_dir/lib $LIBS" -dnl if test -f $crypto_dir/include/md5.h; then -dnl CFLAGS="-I$crypto_dir/include $CFLAGS" -dnl elif test -d $crypto_dir/include/ssleay -a -f $dir/include/ssleay/md5.h; then -dnl CFLAGS="-I$crypto_dir/include/ssleay -I$crypto_dir/include $CFLAGS" -dnl elif test -d $crypto_dir/include/openssl -a -f $dir/include/openssl/md5.h; then -dnl CFLAGS="-I$crypto_dir/include/openssl -I$crypto_dir/include $CFLAGS" -dnl fi -dnl fi - -if test "x$crypto_dir" = "x"; then - case $host_os in - netbsd*) crypto_dir="/usr/pkg";; - freebsd*) - if test -d /usr/local/ssl; then - crypto_dir="/usr/local/ssl" - else - crypto_dir="/usr/local" - fi - ;; - esac -else - LIBS="$LIBS -L${crypto_dir}/lib" - CFLAGS="-I${crypto_dir}/include $CFLAGS" -fi -if test "x$krb5_incdir" = "x"; then - case $host_os in - netbsd*) krb5_incdir="/usr/include/krb5";; - esac -fi -if test "x$krb5_libs" = "x"; then - case $host_os in - netbsd*) krb5_libs="-lgssapi -lkrb5 -lcom_err -lroken -lasn1";; - freebsd*) krb5_libs="-lgssapi -lkrb5 -lcom_err -lroken -lasn1 -lcrypt";; - esac -fi -if test "$enable_gssapi" 
= "yes"; then - case $host_os in - netbsd*) - LIBS="$LIBS $krb5_libs" - CPPFLAGS="-I$krb5_incdir $CPPFLAGS" - ;; - esac -fi -dnl for some reason, past version of freebsd port requires us to set -I for -dnl BOTH openssl/cast.h and cast.h. who should I blame (or am I mistaken?) -RACOON_PATH_LIBS(CAST_cfb64_encrypt, crypto, ${crypto_dir}/lib) -AC_TRY_COMPILE([#include -#include -#include -#include -#include -#include -#include ], [], [], [openssl_compile_failed=yes]) - -if test "x$openssl_compile_failed" = "xyes"; then - echo - echo "Fatal: crypto library and headers not found." - echo Specify proper directory by using --with-ssleay. - if test `uname -s` = FreeBSD; then - echo Use ports/security/SSLeay to install SSLeay, or visit - elif test `uname -s` = NetBSD; then - echo Use pkgsrc/security/SSLeay to install SSLeay, or visit - else - echo -n "Visit " - fi - echo ftp://psych.psy.uq.oz.au/pub/Crypto/SSL/, or visit - echo http://www.openssl.org/ - exit 1 -fi -dnl AC_MSG_RESULT("$ssleay_lib and $ssleay_include") - -AC_MSG_CHECKING(openssl version) -AC_EGREP_CPP(yes, [#include -#if OPENSSL_VERSION_NUMBER >= 0x00904100L -yes -#endif], [AC_MSG_RESULT(ok)], [AC_MSG_RESULT(too old) - echo - echo "FATAL: OpenSSL version must be 0.9.4 or higher." 
- exit 1]) - -dnl AC_MSG_CHECKING(for libssl) -AC_CHECK_LIB(ssl, ssl_ok, [], [], -lcrypto) - -AC_CHECK_LIB(crypto, des_cbc_encrypt) -AC_CHECK_LIB(l, yywrap) -AC_CHECK_LIB(y, yyerror) - -dnl PF_KEYv2 support check -AC_MSG_CHECKING(for PF_KEYv2 support) -AC_CACHE_VAL(ac_cv_pfkey, [dnl -AC_TRY_COMPILE([ -#include -#include -#include ], - [int x = PF_KEY, y = PF_KEY_V2;], - [ac_cv_pfkey="yes"], [ac_cv_pfkey="no"])]) -AC_MSG_RESULT($ac_cv_pfkey) -if test "$ac_cv_pfkey" = yes; then - OPTFLAG="-DHAVE_PFKEYV2 $OPTFLAG" -fi - -dnl old KAME header check -if test "$ac_cv_pfkey" = "yes"; then - AC_MSG_CHECKING(for old KAME PF_KEYv2 header file) - AC_TRY_COMPILE([ -#include -#include -#include ], - [struct sadb_msg m; m.sadb_msg_reserved2 = 0;], - [AC_MSG_RESULT(old) - echo "FATAL: obsolete KAME PF_KEYv2 declaration (non-PF_KEY sadb_msg)" - exit 1]) - AC_TRY_COMPILE([ -#include -#include -#include ], - [struct sadb_x_policy m; m.sadb_x_policy_id = 0;], [], - [AC_MSG_RESULT(old) - echo "FATAL: obsolete KAME PF_KEYv2 declaration (no sadb_x_policy_id)" - exit 1]) - AC_TRY_COMPILE([ -#include -#include -#include ], - [struct sadb_x_sa2 m;], [], - [AC_MSG_RESULT(old) - echo "FATAL: obsolete KAME PF_KEYv2 declaration (no sadb_x_sa2)" - exit 1]) - AC_MSG_RESULT(fine) -fi - -ipsectype=unknown -ipseclib=none -ipseclibdir=none -AC_MSG_CHECKING([ipsec library path]) -for i in inria kame; do - ipsectrylibc=no - case $i in - inria) - dnl http://www.kame.net/ - AC_EGREP_CPP(yes, [dnl -#include -#ifdef IPV6_INRIA_VERSION -yes -#endif], - [ipsectype=$i; - ipseclib=ipsec; - ipseclibdir=/usr/lib]) - ;; - kame) - dnl http://www.kame.net/ - AC_EGREP_CPP(yes, [dnl -#include -#ifdef __KAME__ -yes -#endif], - [ipsectype=$i; - ipseclib=ipsec; - ipseclibdir=/usr/local/v6/lib]) - ;; - esac - if test "$ipsectype" != "unknown"; then - break - fi -done -AC_MSG_RESULT($ipseclibdir) - -dnl this is gross, but we need to invoke either AC_CHECK LIB or AC_CHECK_FUNCS. 
-if test "$ipseclib" != "none"; then - if test "$ipseclibdir" != "none"; then - RACOON_PATH_LIBS(ipsec_strerror, $ipseclib, $ipseclibdir) - else - RACOON_PATH_LIBS(ipsec_strerror, $ipseclib) - fi -fi - -AC_MSG_CHECKING(if --with-libpfkey option is specified) -AC_ARG_WITH(libpfkey, [ --with-libpfkey=DIR specify libpfkey.a dir], - [libpfkey_dir=$withval], [libpfkey_dir=no]) -AC_MSG_RESULT(${libpfkey_dir}) -if test "$libpfkey_dir" != "no"; then - if test "x$libpfkey_dir" = "x"; then - RACOON_PATH_LIBS(pfkey_send_spdsetidx, pfkey) - else - RACOON_PATH_LIBS(pfkey_send_spdsetidx, pfkey, $libpfkey_dir) - fi -fi - -AC_MSG_CHECKING(if --with-liblwres option is specified) -AC_ARG_WITH(liblwres, [ --with-lwres=DIR specify liblwres path (like /usr/pkg)], - [liblwres_dir=$withval], [liblwres_dir=no]) -AC_MSG_RESULT(${liblwres_dir}) -if test "$liblwres_dir" != "no"; then - if test -d "$liblwres_dir/lib" -a -d "$liblwres_dir/lib"; then - if test "x$liblwres_dir" = "x"; then - RACOON_PATH_LIBS(lwres_getrrsetbyname, lwres) - else - RACOON_PATH_LIBS(lwres_getrrsetbyname, lwres, "$liblwres_dir/lib") - fi - CFLAGS="$CFLAGS -I$liblwres_dir/include" - AC_CHECK_FUNCS(lwres_getrrsetbyname) - else - echo "FATAL: $liblwres_dir/lib or $liblwres_dir/include not found" - exit 1 - fi -fi -AC_CHECK_FUNCS(getrrsetbyname) - -dnl Checks for header files. 
-AC_HEADER_STDC -AC_HEADER_SYS_WAIT -AC_CHECK_HEADERS(limits.h sys/time.h unistd.h stdarg.h varargs.h) -signing=yes -if test "$enable_rc5" = "yes"; then - rc5header=openssl/rc5.h -else - rc5header= -fi -if test "$enable_idea" = "yes"; then - ideaheader=openssl/idea.h -else - ideaheader= -fi -AC_CHECK_HEADERS($ideaheader $rc5header openssl/rsa.h openssl/pem.h openssl/evp.h openssl/x509.h, - [], [nosymbol=`echo $ac_hdr | sed -e 's/.h$//' -e 's/^openssl.//' -e 's/^/NO_/' | tr 'a-z' 'A-Z'` - CPPFLAGS="$CPPFLAGS -D$nosymbol=1" - signing=no]) -if test $signing = "yes"; then - AC_DEFINE(HAVE_SIGNING_C) -fi -AC_CHECK_HEADERS(openssl/cversion.h openssl/opensslv.h) - -AC_SUBST(CRYPTOBJS) - -dnl checking rijndael -AC_CHECK_HEADER(openssl/rijndael.h, [], [ - CPPFLAGS="$CPPFLAGS -I./missing" - CRYPTOBJS="$CRYPTOBJS rijndael-api-fst.o rijndael-alg-fst.o" -]) - -dnl checking sha2 -AC_MSG_CHECKING(sha2 support) -AC_EGREP_CPP(yes, [#include -#if OPENSSL_VERSION_NUMBER >= 0x0090602fL -yes -#endif], -[AC_MSG_RESULT(no) - echo "WARNING: racoon sha2 library is not compatible with recent openssl(0.9.6b or above)." - echo "WARNING: sha2 disabled."], -[AC_MSG_RESULT(yes) - AC_DEFINE(WITH_SHA2) - AC_CHECK_HEADER(openssl/sha2.h, [], [ - CPPFLAGS="$CPPFLAGS -I./missing" - CRYPTOBJS="$CRYPTOBJS sha2.o"])] -) - -dnl Checks for typedefs, structures, and compiler characteristics. -AC_C_CONST -AC_TYPE_PID_T -AC_TYPE_SIZE_T -AC_HEADER_TIME -AC_STRUCT_TM - -dnl Checks for library functions. -AC_FUNC_MEMCMP -AC_TYPE_SIGNAL -AC_FUNC_VPRINTF -AC_CHECK_FUNCS(gettimeofday select socket strerror strtol strtoul) -AC_REPLACE_FUNCS(strdup) - -dnl expand ${sysconfdir}, ugly... 
-if test "x$prefix" = xNONE; then
-sysconfdir_x=`echo $sysconfdir | sed -e 's,${prefix},'"$ac_default_prefix,"`
-else
-sysconfdir_x=`echo $sysconfdir | sed -e 's,${prefix},'"$prefix,"`
-
-fi
-AC_SUBST(sysconfdir_x)
-
-dnl Checks for getifaddrs
-AC_CHECK_FUNCS(getifaddrs)
-
-dnl Checks for arc4random
-AC_REPLACE_FUNCS(arc4random)
-
-dnl defines package version
-AC_MSG_CHECKING(if --with-pkgversion option is specified)
-AC_ARG_WITH(pkgversion, [ --with-pkgversion=VERSION specify package version],
- [AC_MSG_RESULT($withval)
- CPPFLAGS="$CPPFLAGS -DRACOON_PKG_VERSION=\"\\\"$withval\\\"\""],
- [AC_MSG_RESULT(no)
- pkgversion=no])
-
-AC_OUTPUT(Makefile samples/psk.txt samples/racoon.conf)
diff --git a/kame/kame/racoon/contrib/sp.pl b/kame/kame/racoon/contrib/sp.pl
deleted file mode 100644
index d1f9cafec2..0000000000
--- a/kame/kame/racoon/contrib/sp.pl
+++ /dev/null
@@ -1,21 +0,0 @@
-#! /usr/pkg/bin/perl
-
-die "insufficient arguments" if (scalar(@ARGV) < 2);
-$src = $ARGV[0];
-$dst = $ARGV[1];
-$mode = 'transport';
-if (scalar(@ARGV) > 2) {
- $mode = $ARGV[2];
-}
-
-open(OUT, "|setkey -c");
-if ($mode eq 'transport') {
- print STDERR "install esp transport mode: $src -> $dst\n";
- print OUT "spdadd $src $dst any -P out ipsec esp/transport//require;\n";
- print OUT "spdadd $dst $src any -P in ipsec esp/transport//require;\n";
-} elsif ($mode eq 'delete') {
- print STDERR "delete policy: $src -> $dst\n";
- print OUT "spddelete $src $dst any -P out;\n";
- print OUT "spddelete $dst $src any -P in;\n";
-}
-close(OUT);
diff --git a/kame/kame/racoon/crypto_openssl.c b/kame/kame/racoon/crypto_openssl.c
deleted file mode 100644
index f6a48c65a0..0000000000
--- a/kame/kame/racoon/crypto_openssl.c
+++ /dev/null
@@ -1,2368 +0,0 @@ -/* $KAME: crypto_openssl.c,v 1.88 2004/08/24 06:52:41 sakane Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include -#include - -#include -#include -#include -#include - -/* get openssl/ssleay version number */ -#ifdef HAVE_OPENSSL_OPENSSLV_H -# include -#else -# error no opensslv.h found. -#endif - -#ifndef OPENSSL_VERSION_NUMBER -#error OPENSSL_VERSION_NUMBER is not defined. OpenSSL0.9.4 or later required. 
-#endif - -#ifdef HAVE_OPENSSL_PEM_H -#include -#endif -#ifdef HAVE_OPENSSL_EVP_H -#include -#endif -#ifdef HAVE_OPENSSL_X509_H -#include -#include -#include -#endif -#include -#include -#include -#include -#include -#include -#include -#ifdef HAVE_OPENSSL_IDEA_H -#include -#endif -#include -#ifdef HAVE_OPENSSL_RC5_H -#include -#endif -#include -#include -#ifdef HAVE_OPENSSL_RIJNDAEL_H -#include -#else -#include "crypto/rijndael/rijndael-api-fst.h" -#endif -#ifdef HAVE_OPENSSL_SHA2_H -#include -#else -#include "crypto/sha2/sha2.h" -#endif - -/* 0.9.7 stuff? */ -#if OPENSSL_VERSION_NUMBER < 0x0090700fL -typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES; -#else -#define USE_NEW_DES_API -#endif - -#include "var.h" -#include "misc.h" -#include "vmbuf.h" -#include "plog.h" -#include "crypto_openssl.h" -#include "debug.h" -#include "gcmalloc.h" - -/* - * I hate to cast every parameter to des_xx into void *, but it is - * necessary for SSLeay/OpenSSL portability. It sucks. - */ - -#ifdef HAVE_SIGNING_C -static int cb_check_cert_local __P((int, X509_STORE_CTX *)); -static int cb_check_cert_remote __P((int, X509_STORE_CTX *)); -static X509 *mem2x509 __P((vchar_t *)); -#endif - -static caddr_t eay_hmac_init __P((vchar_t *, const EVP_MD *)); - -#ifdef HAVE_SIGNING_C -/* X509 Certificate */ -/* - * convert the string of the subject name into DER - * e.g. 
str = "C=JP, ST=Kanagawa"; - */ -vchar_t * -eay_str2asn1dn(str, len) - char *str; - int len; -{ - X509_NAME *name; - char *buf; - char *field, *value; - int i, j; - vchar_t *ret; - caddr_t p; - - buf = racoon_malloc(len + 1); - if (!buf) { - printf("failed to allocate buffer\n"); - return NULL; - } - memcpy(buf, str, len); - - name = X509_NAME_new(); - - field = &buf[0]; - value = NULL; - for (i = 0; i < len; i++) { - if (!value && buf[i] == '=') { - buf[i] = '\0'; - value = &buf[i + 1]; - continue; - } else if (buf[i] == ',' || buf[i] == '/') { - buf[i] = '\0'; -#if 0 - printf("[%s][%s]\n", field, value); -#endif - if (!X509_NAME_add_entry_by_txt(name, field, - MBSTRING_ASC, value, -1, -1, 0)) - goto err; - for (j = i + 1; j < len; j++) { - if (buf[j] != ' ') - break; - } - field = &buf[j]; - value = NULL; - continue; - } - } - buf[len] = '\0'; -#if 0 - printf("[%s][%s]\n", field, value); -#endif - if (!X509_NAME_add_entry_by_txt(name, field, - MBSTRING_ASC, value, -1, -1, 0)) - goto err; - - i = i2d_X509_NAME(name, NULL); - if (!i) - goto err; - ret = vmalloc(i); - if (!ret) - goto err; - p = ret->v; - i = i2d_X509_NAME(name, (unsigned char **)&p); - if (!i) - goto err; - - return ret; - - err: - if (buf) - racoon_free(buf); - if (name) - X509_NAME_free(name); - return NULL; -} - -/* - * compare two subjectNames. - * OUT: 0: equal - * positive: - * -1: other error. 
- */ -int -eay_cmp_asn1dn(n1, n2) - vchar_t *n1, *n2; -{ - X509_NAME *a = NULL, *b = NULL; - caddr_t p; - int i = -1; - - p = n1->v; - if (!d2i_X509_NAME(&a, (unsigned char **)&p, n1->l)) - goto end; - p = n2->v; - if (!d2i_X509_NAME(&b, (unsigned char **)&p, n2->l)) - goto end; - - i = X509_NAME_cmp(a, b); - - end: - if (a) - X509_NAME_free(a); - if (b) - X509_NAME_free(b); - return i; -} - -/* - * this functions is derived from apps/verify.c in OpenSSL0.9.5 - */ -int -eay_check_x509cert(cert, CApath, local) - vchar_t *cert; - char *CApath; - int local; -{ - X509_STORE *cert_ctx = NULL; - X509_LOOKUP *lookup = NULL; - X509 *x509 = NULL; -#if OPENSSL_VERSION_NUMBER >= 0x00905100L - X509_STORE_CTX *csc; -#else - X509_STORE_CTX csc; -#endif - int error = -1; - - /* XXX define only functions required. */ -#if OPENSSL_VERSION_NUMBER >= 0x00905100L - OpenSSL_add_all_algorithms(); -#else - SSLeay_add_all_algorithms(); -#endif - - cert_ctx = X509_STORE_new(); - if (cert_ctx == NULL) - goto end; - - if (local) - X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert_local); - else - X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert_remote); - - lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file()); - if (lookup == NULL) - goto end; - X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT); /* XXX */ - - lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir()); - if (lookup == NULL) - goto end; - error = X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM); - if(!error) { - error = -1; - goto end; - } - error = -1; /* initialized */ - - /* read the certificate to be verified */ - x509 = mem2x509(cert); - if (x509 == NULL) - goto end; - -#if OPENSSL_VERSION_NUMBER >= 0x00905100L - csc = X509_STORE_CTX_new(); - if (csc == NULL) - goto end; - X509_STORE_CTX_init(csc, cert_ctx, x509, NULL); -#if OPENSSL_VERSION_NUMBER >= 0x00907000L - X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK); - X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK_ALL); 
-#endif - error = X509_verify_cert(csc); - X509_STORE_CTX_cleanup(csc); -#else - X509_STORE_CTX_init(&csc, cert_ctx, x509, NULL); - error = X509_verify_cert(&csc); - X509_STORE_CTX_cleanup(&csc); -#endif - - /* - * if x509_verify_cert() is successful then the value of error is - * set non-zero. - */ - error = error ? 0 : -1; - -end: - if (error) - printf("%s\n", eay_strerror()); - if (cert_ctx != NULL) - X509_STORE_free(cert_ctx); - if (x509 != NULL) - X509_free(x509); - - return(error); -} - -/* - * Callback function for verifing certificate. - * Derived from cb() in openssl/apps/s_server.c - * - * This one is called for certificates obtained from - * 'peers_certfile' directive. - */ -static int -cb_check_cert_local(ok, ctx) - int ok; - X509_STORE_CTX *ctx; -{ - char buf[256]; - int log_tag; - - if (!ok) { - X509_NAME_oneline( - X509_get_subject_name(ctx->current_cert), - buf, - 256); - /* - * since we are just checking the certificates, it is - * ok if they are self signed. But we should still warn - * the user. - */ - switch (ctx->error) { - case X509_V_ERR_CERT_HAS_EXPIRED: - case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: -#if OPENSSL_VERSION_NUMBER >= 0x00905100L - case X509_V_ERR_INVALID_PURPOSE: - case X509_V_ERR_UNABLE_TO_GET_CRL: -#endif - ok = 1; - log_tag = LLV_WARNING; - break; - default: - log_tag = LLV_ERROR; - } - plog(log_tag, LOCATION, NULL, - "%s(%d) at depth:%d SubjectName:%s\n", - X509_verify_cert_error_string(ctx->error), - ctx->error, - ctx->error_depth, - buf); - } - ERR_clear_error(); - - return ok; -} - -/* - * Similar to cb_check_cert_local() but this one is called - * for certificates obtained from the IKE payload. 
- */ -static int -cb_check_cert_remote(ok, ctx) - int ok; - X509_STORE_CTX *ctx; -{ - char buf[256]; - int log_tag; - - if (!ok) { - X509_NAME_oneline( - X509_get_subject_name(ctx->current_cert), - buf, - 256); - - switch (ctx->error) { - case X509_V_ERR_UNABLE_TO_GET_CRL: - ok = 1; - log_tag = LLV_WARNING; - break; - default: - log_tag = LLV_ERROR; - } - plog(log_tag, LOCATION, NULL, - "%s(%d) at depth:%d SubjectName:%s\n", - X509_verify_cert_error_string(ctx->error), - ctx->error, - ctx->error_depth, - buf); - } - ERR_clear_error(); - - return ok; -} - -/* - * get a subjectAltName from X509 certificate. - */ -vchar_t * -eay_get_x509asn1subjectname(cert) - vchar_t *cert; -{ - X509 *x509 = NULL; - u_char *bp; - vchar_t *name = NULL; - int len; - int error = -1; - - bp = cert->v; - - x509 = mem2x509(cert); - if (x509 == NULL) - goto end; - - /* get the length of the name */ - len = i2d_X509_NAME(x509->cert_info->subject, NULL); - name = vmalloc(len); - if (!name) - goto end; - /* get the name */ - bp = name->v; - len = i2d_X509_NAME(x509->cert_info->subject, &bp); - - error = 0; - - end: - if (error) { - plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror()); - if (name) { - vfree(name); - name = NULL; - } - } - if (x509) - X509_free(x509); - - return name; -} - -/* - * get the subjectAltName from X509 certificate. - * the name must be terminated by '\0'. 
- */
-int
-eay_get_x509subjectaltname(cert, altname, type, pos)
- vchar_t *cert;
- char **altname;
- int *type;
- int pos;
-{
- X509 *x509 = NULL;
- GENERAL_NAMES *gens;
- GENERAL_NAME *gen;
- int i, len;
- int error = -1;
-
- *altname = NULL;
- *type = GENT_OTHERNAME;
-
- x509 = mem2x509(cert);
- if (x509 == NULL)
- goto end;
-
- gens = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL);
- if (gens == NULL)
- goto end;
-
- for(i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
- if (i + 1 != pos)
- continue;
- break;
- }
-
- /* there is no data at "pos" */
- if (i == sk_GENERAL_NAME_num(gens))
- goto end;
-
- gen = sk_GENERAL_NAME_value(gens, i);
-
- /* make sure if the data is terminated by '\0'. */
- if (gen->d.ia5->data[gen->d.ia5->length] != '\0') {
- plog(LLV_ERROR, LOCATION, NULL,
- "data is not terminated by '\0'.");
- hexdump(gen->d.ia5->data, gen->d.ia5->length + 1);
- goto end;
- }
-
- len = gen->d.ia5->length + 1;
- *altname = racoon_malloc(len);
- if (!*altname)
- goto end;
-
- strlcpy(*altname, gen->d.ia5->data, len);
- *type = gen->type;
-
- error = 0;
-
- end:
- if (error) {
- if (*altname) {
- racoon_free(*altname);
- *altname = NULL;
- }
- plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
- }
- if (x509)
- X509_free(x509);
-
- return error;
-}
-
-/*
- * decode a X509 certificate and make a readable text terminated '\n'.
- * return the buffer allocated, so must free it later.
- */
-char *
-eay_get_x509text(cert)
- vchar_t *cert;
-{
- X509 *x509 = NULL;
- BIO *bio = NULL;
- char *text = NULL;
- u_char *bp = NULL;
- int len = 0;
- int error = -1;
-
- x509 = mem2x509(cert);
- if (x509 == NULL)
- goto end;
-
- bio = BIO_new(BIO_s_mem());
- if (bio == NULL)
- goto end;
-
- error = X509_print(bio, x509);
- if (error != 1) {
- error = -1;
- goto end;
- }
-
- len = BIO_get_mem_data(bio, &bp);
- text = racoon_malloc(len + 1);
- if (text == NULL)
- goto end;
- memcpy(text, bp, len);
- text[len] = '\0';
-
- error = 0;
-
- end:
- if (error) {
- if (text) {
- racoon_free(text);
- text = NULL;
- }
- plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
- }
- if (bio)
- BIO_free(bio);
- if (x509)
- X509_free(x509);
-
- return text;
-}
-
-/* get X509 structure from buffer. */
-static X509 *
-mem2x509(cert)
- vchar_t *cert;
-{
- X509 *x509;
-
-#ifndef EAYDEBUG
- {
- u_char *bp;
-
- bp = cert->v;
-
- x509 = d2i_X509(NULL, &bp, cert->l);
- }
-#else
- {
- BIO *bio;
- int len;
-
- bio = BIO_new(BIO_s_mem());
- if (bio == NULL)
- return NULL;
- len = BIO_write(bio, cert->v, cert->l);
- if (len == -1)
- return NULL;
- x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
- BIO_free(bio);
- }
-#endif
- return x509;
-}
-
-/*
- * get a X509 certificate from local file.
- * a certificate must be PEM format.
- * Input:
- * path to a certificate.
- * Output:
- * NULL if error occured
- * other is the cert.
- */
-vchar_t *
-eay_get_x509cert(path)
- char *path;
-{
- FILE *fp;
- X509 *x509;
- vchar_t *cert;
- u_char *bp;
- int len;
- int error;
-
- /* Read private key */
- fp = fopen(path, "r");
- if (fp == NULL)
- return NULL;
-#if OPENSSL_VERSION_NUMBER >= 0x00904100L
- x509 = PEM_read_X509(fp, NULL, NULL, NULL);
-#else
- x509 = PEM_read_X509(fp, NULL, NULL);
-#endif
- fclose (fp);
-
- if (x509 == NULL)
- return NULL;
-
- len = i2d_X509(x509, NULL);
- cert = vmalloc(len);
- if (cert == NULL) {
- X509_free(x509);
- return NULL;
- }
- bp = cert->v;
- error = i2d_X509(x509, &bp);
- X509_free(x509);
-
- if (error == 0)
- return NULL;
-
- return cert;
-}
-
-/*
- * sign a souce by X509 signature.
- * XXX: to be get hash type from my cert ?
- * to be handled EVP_dss().
- */
-vchar_t *
-eay_get_x509sign(source, privkey, cert)
- vchar_t *source;
- vchar_t *privkey;
- vchar_t *cert;
-{
- vchar_t *sig = NULL;
-
- sig = eay_rsa_sign(source, privkey);
-
- return sig;
-}
-
-/*
- * check a X509 signature
- * XXX: to be get hash type from my cert ?
- * to be handled EVP_dss().
- * OUT: return -1 when error.
- * 0
- */
-int
-eay_check_x509sign(source, sig, cert)
- vchar_t *source;
- vchar_t *sig;
- vchar_t *cert;
-{
- X509 *x509;
- u_char *bp;
- EVP_PKEY *evp;
-
- bp = cert->v;
-
- x509 = d2i_X509(NULL, &bp, cert->l);
- if (x509 == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
- return -1;
- }
-
- evp = X509_get_pubkey(x509);
- if (!evp) {
- plog(LLV_ERROR, LOCATION, NULL,
- "X509_get_pubkey: %s\n", eay_strerror());
- return -1;
- }
-
- return eay_rsa_verify(source, sig, evp);
-}
-
-/*
- * check a signature by signed with PKCS7 certificate.
- * XXX: to be get hash type from my cert ?
- * to be handled EVP_dss().
- * OUT: return -1 when error.
- * 0
- */
-int
-eay_check_pkcs7sign(source, sig, cert)
- vchar_t *source;
- vchar_t *sig;
- vchar_t *cert;
-{
- X509 *x509;
- EVP_MD_CTX md_ctx;
- EVP_PKEY *evp;
- int error;
- BIO *bio = BIO_new(BIO_s_mem());
- char *bp;
-
- if (bio == NULL)
- return -1;
- error = BIO_write(bio, cert->v, cert->l);
- if (error != cert->l)
- return -1;
-
- bp = cert->v;
- x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
- BIO_free(bio);
- if (x509 == NULL)
- return -1;
-
- evp = X509_get_pubkey(x509);
- X509_free(x509);
- if (evp == NULL)
- return -1;
-
- /* Verify the signature */
- /* XXX: to be handled EVP_dss() */
- EVP_VerifyInit(&md_ctx, EVP_sha1());
- EVP_VerifyUpdate(&md_ctx, source->v, source->l);
- error = EVP_VerifyFinal(&md_ctx, sig->v, sig->l, evp);
-
- EVP_PKEY_free(evp);
-
- if (error != 1)
- return -1;
-
- return 0;
-}
-
-/*
- * get PKCS#1 Private Key of PEM format from local file.
- */
-vchar_t *
-eay_get_pkcs1privkey(path)
- char *path;
-{
- FILE *fp;
- EVP_PKEY *evp = NULL;
- vchar_t *pkey = NULL;
- u_char *bp;
- int pkeylen;
- int error = -1;
-
- /* Read private key */
- fp = fopen(path, "r");
- if (fp == NULL)
- return NULL;
-
-#if OPENSSL_VERSION_NUMBER >= 0x00904100L
- evp = PEM_read_PrivateKey(fp, NULL, NULL, NULL);
-#else
- evp = PEM_read_PrivateKey(fp, NULL, NULL);
-#endif
- fclose (fp);
-
- if (evp == NULL)
- return NULL;
-
- pkeylen = i2d_PrivateKey(evp, NULL);
- if (pkeylen == 0)
- goto end;
- pkey = vmalloc(pkeylen);
- if (pkey == NULL)
- goto end;
- bp = pkey->v;
- pkeylen = i2d_PrivateKey(evp, &bp);
- if (pkeylen == 0)
- goto end;
-
- error = 0;
-
-end:
- if (evp != NULL)
- EVP_PKEY_free(evp);
- if (error != 0 && pkey != NULL) {
- vfree(pkey);
- pkey = NULL;
- }
-
- return pkey;
-}
-
-/*
- * get PKCS#1 Public Key of PEM format from local file.
- */
-vchar_t *
-eay_get_pkcs1pubkey(path)
- char *path;
-{
- FILE *fp;
- EVP_PKEY *evp = NULL;
- vchar_t *pkey = NULL;
- X509 *x509 = NULL;
- u_char *bp;
- int pkeylen;
- int error = -1;
-
- /* Read private key */
- fp = fopen(path, "r");
- if (fp == NULL)
- return NULL;
-
-#if OPENSSL_VERSION_NUMBER >= 0x00904100L
- x509 = PEM_read_X509(fp, NULL, NULL, NULL);
-#else
- x509 = PEM_read_X509(fp, NULL, NULL);
-#endif
- fclose (fp);
-
- if (x509 == NULL)
- return NULL;
-
- /* Get public key - eay */
- evp = X509_get_pubkey(x509);
- if (evp == NULL)
- return NULL;
-
- pkeylen = i2d_PublicKey(evp, NULL);
- if (pkeylen == 0)
- goto end;
- pkey = vmalloc(pkeylen);
- if (pkey == NULL)
- goto end;
- bp = pkey->v;
- pkeylen = i2d_PublicKey(evp, &bp);
- if (pkeylen == 0)
- goto end;
-
- error = 0;
-end:
- if (evp != NULL)
- EVP_PKEY_free(evp);
- if (error != 0 && pkey != NULL) {
- vfree(pkey);
- pkey = NULL;
- }
-
- return pkey;
-}
-#endif
-
-vchar_t *
-eay_rsa_sign(src, privkey)
- vchar_t *src, *privkey;
-{
- EVP_PKEY *evp;
- u_char *bp = privkey->v;
- vchar_t *sig = NULL;
- int len;
- int pad = RSA_PKCS1_PADDING;
-
- /* XXX to be handled EVP_PKEY_DSA */
- evp = d2i_PrivateKey(EVP_PKEY_RSA, NULL, &bp, privkey->l);
- if (evp == NULL)
- return NULL;
-
- /* XXX: to be handled EVP_dss() */
- /* XXX: Where can I get such parameters ? From my cert ?
*/ - - len = RSA_size(evp->pkey.rsa); - - sig = vmalloc(len); - if (sig == NULL) - return NULL; - - len = RSA_private_encrypt(src->l, src->v, sig->v, evp->pkey.rsa, pad); - EVP_PKEY_free(evp); - if (len == 0 || len != sig->l) { - vfree(sig); - sig = NULL; - } - - return sig; -} - -int -eay_rsa_verify(src, sig, evp) - vchar_t *src, *sig; - EVP_PKEY *evp; -{ - vchar_t *xbuf = NULL; - int pad = RSA_PKCS1_PADDING; - int len = 0; - int error; - - len = RSA_size(evp->pkey.rsa); - xbuf = vmalloc(len); - if (xbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror()); - EVP_PKEY_free(evp); - return -1; - } - - len = RSA_public_decrypt(sig->l, sig->v, xbuf->v, evp->pkey.rsa, pad); - if (len == 0 || len != src->l) - plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror()); - EVP_PKEY_free(evp); - if (len == 0 || len != src->l) { - vfree(xbuf); - return -1; - } - - error = memcmp(src->v, xbuf->v, src->l); - vfree(xbuf); - if (error != 0) - return -1; - - return 0; -} - -/* - * get error string - * MUST load ERR_load_crypto_strings() first. - */ -char * -eay_strerror() -{ - static char ebuf[512]; - int len = 0, n; - unsigned long l; - char buf[200]; -#if OPENSSL_VERSION_NUMBER >= 0x00904100L - const char *file, *data; -#else - char *file, *data; -#endif - int line, flags; - unsigned long es; - - es = CRYPTO_thread_id(); - - while ((l = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0){ - n = snprintf(ebuf + len, sizeof(ebuf) - len, - "%lu:%s:%s:%d:%s ", - es, ERR_error_string(l, buf), file, line, - (flags & ERR_TXT_STRING) ? 
data : ""); - if (n < 0 || n >= sizeof(ebuf) - len) - break; - len += n; - if (sizeof(ebuf) < len) - break; - } - - return ebuf; -} - -void -eay_init_error() -{ - ERR_load_crypto_strings(); -} - -void -eay_close_error() -{ - ERR_free_strings(); -} - -/* - * DES-CBC - */ -vchar_t * -eay_des_encrypt(data, key, iv) - vchar_t *data, *key, *iv; -{ - vchar_t *res; -#ifdef USE_NEW_DES_API - DES_key_schedule ks; -#else - des_key_schedule ks; -#endif - - if (data->l % 8) - return NULL; - -#ifdef USE_NEW_DES_API - if (DES_key_sched((void *)key->v, &ks) != 0) -#else - if (des_key_sched((void *)key->v, ks) != 0) -#endif - return NULL; - - /* allocate buffer for result */ - if ((res = vmalloc(data->l)) == NULL) - return NULL; - - /* decryption data */ -#ifdef USE_NEW_DES_API - DES_cbc_encrypt((void *)data->v, (void *)res->v, data->l, - &ks, (void *)iv->v, DES_ENCRYPT); -#else - des_cbc_encrypt((void *)data->v, (void *)res->v, data->l, - ks, (void *)iv->v, DES_ENCRYPT); -#endif - - return res; -} - -vchar_t * -eay_des_decrypt(data, key, iv) - vchar_t *data, *key, *iv; -{ - vchar_t *res; -#ifdef USE_NEW_DES_API - DES_key_schedule ks; -#else - des_key_schedule ks; -#endif - -#ifdef USE_NEW_DES_API - if (DES_key_sched((void *)key->v, &ks) != 0) -#else - if (des_key_sched((void *)key->v, ks) != 0) -#endif - return NULL; - - /* allocate buffer for result */ - if ((res = vmalloc(data->l)) == NULL) - return NULL; - - /* decryption data */ -#ifdef USE_NEW_DES_API - DES_cbc_encrypt((void *)data->v, (void *)res->v, data->l, - &ks, (void *)iv->v, DES_DECRYPT); -#else - des_cbc_encrypt((void *)data->v, (void *)res->v, data->l, - ks, (void *)iv->v, DES_DECRYPT); -#endif - - return res; -} - -int -eay_des_weakkey(key) - vchar_t *key; -{ -#ifdef USE_NEW_DES_API - return DES_is_weak_key((void *)key->v); -#else - return des_is_weak_key((void *)key->v); -#endif -} - -int -eay_des_keylen(len) - int len; -{ - if (len != 0 && len != 64) - return -1; - return 64; -} - -#ifdef HAVE_OPENSSL_IDEA_H -/* 
- * IDEA-CBC - */ -vchar_t * -eay_idea_encrypt(data, key, iv) - vchar_t *data, *key, *iv; -{ - vchar_t *res; - IDEA_KEY_SCHEDULE ks; - - idea_set_encrypt_key(key->v, &ks); - - /* allocate buffer for result */ - if ((res = vmalloc(data->l)) == NULL) - return NULL; - - /* decryption data */ - idea_cbc_encrypt(data->v, res->v, data->l, - &ks, iv->v, IDEA_ENCRYPT); - - return res; -} - -vchar_t * -eay_idea_decrypt(data, key, iv) - vchar_t *data, *key, *iv; -{ - vchar_t *res; - IDEA_KEY_SCHEDULE ks, dks; - - idea_set_encrypt_key(key->v, &ks); - idea_set_decrypt_key(&ks, &dks); - - /* allocate buffer for result */ - if ((res = vmalloc(data->l)) == NULL) - return NULL; - - /* decryption data */ - idea_cbc_encrypt(data->v, res->v, data->l, - &dks, iv->v, IDEA_DECRYPT); - - return res; -} - -int -eay_idea_weakkey(key) - vchar_t *key; -{ - return 0; /* XXX */ -} - -int -eay_idea_keylen(len) - int len; -{ - if (len != 0 && len != 128) - return -1; - return 128; -} -#endif - -/* - * BLOWFISH-CBC - */ -vchar_t * -eay_bf_encrypt(data, key, iv) - vchar_t *data, *key, *iv; -{ - vchar_t *res; - BF_KEY ks; - - BF_set_key(&ks, key->l, key->v); - - /* allocate buffer for result */ - if ((res = vmalloc(data->l)) == NULL) - return NULL; - - /* decryption data */ - BF_cbc_encrypt(data->v, res->v, data->l, - &ks, iv->v, BF_ENCRYPT); - - return res; -} - -vchar_t * -eay_bf_decrypt(data, key, iv) - vchar_t *data, *key, *iv; -{ - vchar_t *res; - BF_KEY ks; - - BF_set_key(&ks, key->l, key->v); - - /* allocate buffer for result */ - if ((res = vmalloc(data->l)) == NULL) - return NULL; - - /* decryption data */ - BF_cbc_encrypt(data->v, res->v, data->l, - &ks, iv->v, BF_DECRYPT); - - return res; -} - -int -eay_bf_weakkey(key) - vchar_t *key; -{ - return 0; /* XXX to be done. 
refer to RFC 2451 */ -} - -int -eay_bf_keylen(len) - int len; -{ - if (len == 0) - return 448; - if (len < 40 || len > 448) - return -1; - return len; -} - -#ifdef HAVE_OPENSSL_RC5_H -/* - * RC5-CBC - */ -vchar_t * -eay_rc5_encrypt(data, key, iv) - vchar_t *data, *key, *iv; -{ - vchar_t *res; - RC5_32_KEY ks; - - /* in RFC 2451, there is information about the number of round. */ - RC5_32_set_key(&ks, key->l, key->v, 16); - - /* allocate buffer for result */ - if ((res = vmalloc(data->l)) == NULL) - return NULL; - - /* decryption data */ - RC5_32_cbc_encrypt(data->v, res->v, data->l, - &ks, iv->v, RC5_ENCRYPT); - - return res; -} - -vchar_t * -eay_rc5_decrypt(data, key, iv) - vchar_t *data, *key, *iv; -{ - vchar_t *res; - RC5_32_KEY ks; - - /* in RFC 2451, there is information about the number of round. */ - RC5_32_set_key(&ks, key->l, key->v, 16); - - /* allocate buffer for result */ - if ((res = vmalloc(data->l)) == NULL) - return NULL; - - /* decryption data */ - RC5_32_cbc_encrypt(data->v, res->v, data->l, - &ks, iv->v, RC5_DECRYPT); - - return res; -} - -int -eay_rc5_weakkey(key) - vchar_t *key; -{ - return 0; /* No known weak keys when used with 16 rounds. 
*/ - -} - -int -eay_rc5_keylen(len) - int len; -{ - if (len == 0) - return 128; - if (len < 40 || len > 2040) - return -1; - return len; -} -#endif - -/* - * 3DES-CBC - */ -vchar_t * -eay_3des_encrypt(data, key, iv) - vchar_t *data, *key, *iv; -{ - vchar_t *res; -#ifdef USE_NEW_DES_API - DES_key_schedule ks1, ks2, ks3; -#else - des_key_schedule ks1, ks2, ks3; -#endif - - if (key->l < 24) - return NULL; - -#ifdef USE_NEW_DES_API - if (DES_key_sched((void *)key->v, &ks1) != 0) - return NULL; - if (DES_key_sched((void *)(key->v + 8), &ks2) != 0) - return NULL; - if (DES_key_sched((void *)(key->v + 16), &ks3) != 0) - return NULL; -#else - if (des_key_sched((void *)key->v, ks1) != 0) - return NULL; - if (des_key_sched((void *)(key->v + 8), ks2) != 0) - return NULL; - if (des_key_sched((void *)(key->v + 16), ks3) != 0) - return NULL; -#endif - - /* allocate buffer for result */ - if ((res = vmalloc(data->l)) == NULL) - return NULL; - - /* decryption data */ -#ifdef USE_NEW_DES_API - DES_ede3_cbc_encrypt((void *)data->v, (void *)res->v, data->l, - &ks1, &ks2, &ks3, (void *)iv->v, DES_ENCRYPT); -#else - des_ede3_cbc_encrypt((void *)data->v, (void *)res->v, data->l, - ks1, ks2, ks3, (void *)iv->v, DES_ENCRYPT); -#endif - - return res; -} - -vchar_t * -eay_3des_decrypt(data, key, iv) - vchar_t *data, *key, *iv; -{ - vchar_t *res; -#ifdef USE_NEW_DES_API - DES_key_schedule ks1, ks2, ks3; -#else - des_key_schedule ks1, ks2, ks3; -#endif - - if (key->l < 24) - return NULL; - -#ifdef USE_NEW_DES_API - if (DES_key_sched((void *)key->v, &ks1) != 0) - return NULL; - if (DES_key_sched((void *)(key->v + 8), &ks2) != 0) - return NULL; - if (DES_key_sched((void *)(key->v + 16), &ks3) != 0) - return NULL; -#else - if (des_key_sched((void *)key->v, ks1) != 0) - return NULL; - if (des_key_sched((void *)(key->v + 8), ks2) != 0) - return NULL; - if (des_key_sched((void *)(key->v + 16), ks3) != 0) - return NULL; -#endif - - /* allocate buffer for result */ - if ((res = vmalloc(data->l)) == 
NULL) - return NULL; - - /* decryption data */ -#ifdef USE_NEW_DES_API - DES_ede3_cbc_encrypt((void *)data->v, (void *)res->v, data->l, - &ks1, &ks2, &ks3, (void *)iv->v, DES_DECRYPT); -#else - des_ede3_cbc_encrypt((void *)data->v, (void *)res->v, data->l, - ks1, ks2, ks3, (void *)iv->v, DES_DECRYPT); -#endif - - return res; -} - -int -eay_3des_weakkey(key) - vchar_t *key; -{ - if (key->l < 24) - return 0; - -#ifdef USE_NEW_DES_API - return (DES_is_weak_key((void *)key->v) || - DES_is_weak_key((void *)(key->v + 8)) || - DES_is_weak_key((void *)(key->v + 16))); -#else - return (des_is_weak_key((void *)key->v) || - des_is_weak_key((void *)(key->v + 8)) || - des_is_weak_key((void *)(key->v + 16))); -#endif -} - -int -eay_3des_keylen(len) - int len; -{ - if (len != 0 && len != 192) - return -1; - return 192; -} - -/* - * CAST-CBC - */ -vchar_t * -eay_cast_encrypt(data, key, iv) - vchar_t *data, *key, *iv; -{ - vchar_t *res; - CAST_KEY ks; - - CAST_set_key(&ks, key->l, key->v); - - /* allocate buffer for result */ - if ((res = vmalloc(data->l)) == NULL) - return NULL; - - /* decryption data */ - CAST_cbc_encrypt(data->v, res->v, data->l, - &ks, iv->v, DES_ENCRYPT); - - return res; -} - -vchar_t * -eay_cast_decrypt(data, key, iv) - vchar_t *data, *key, *iv; -{ - vchar_t *res; - CAST_KEY ks; - - CAST_set_key(&ks, key->l, key->v); - - /* allocate buffer for result */ - if ((res = vmalloc(data->l)) == NULL) - return NULL; - - /* decryption data */ - CAST_cbc_encrypt(data->v, res->v, data->l, - &ks, iv->v, DES_DECRYPT); - - return res; -} - -int -eay_cast_weakkey(key) - vchar_t *key; -{ - return 0; /* No known weak keys. 
*/ -} - -int -eay_cast_keylen(len) - int len; -{ - if (len == 0) - return 128; - if (len < 40 || len > 128) - return -1; - return len; -} - -/* - * AES(RIJNDAEL)-CBC - */ -vchar_t * -eay_aes_encrypt(data, key, iv) - vchar_t *data, *key, *iv; -{ - vchar_t *res; - keyInstance k; - cipherInstance c; - - memset(&k, 0, sizeof(k)); - if (rijndael_makeKey(&k, DIR_ENCRYPT, key->l << 3, key->v) < 0) - return NULL; - - /* allocate buffer for result */ - if ((res = vmalloc(data->l)) == NULL) - return NULL; - - /* encryption data */ - memset(&c, 0, sizeof(c)); - if (rijndael_cipherInit(&c, MODE_CBC, iv->v) < 0) - return NULL; - if (rijndael_blockEncrypt(&c, &k, data->v, data->l << 3, res->v) < 0) - return NULL; - - return res; -} - -vchar_t * -eay_aes_decrypt(data, key, iv) - vchar_t *data, *key, *iv; -{ - vchar_t *res; - keyInstance k; - cipherInstance c; - - memset(&k, 0, sizeof(k)); - if (rijndael_makeKey(&k, DIR_DECRYPT, key->l << 3, key->v) < 0) - return NULL; - - /* allocate buffer for result */ - if ((res = vmalloc(data->l)) == NULL) - return NULL; - - /* decryption data */ - memset(&c, 0, sizeof(c)); - if (rijndael_cipherInit(&c, MODE_CBC, iv->v) < 0) - return NULL; - if (rijndael_blockDecrypt(&c, &k, data->v, data->l << 3, res->v) < 0) - return NULL; - - return res; -} - -int -eay_aes_weakkey(key) - vchar_t *key; -{ - return 0; -} - -int -eay_aes_keylen(len) - int len; -{ - if (len == 0) - return 128; - if (len != 128 && len != 192 && len != 256) - return -1; - return len; -} - -/* for ipsec part */ -int -eay_null_hashlen() -{ - return 0; -} - -int -eay_kpdk_hashlen() -{ - return 0; -} - -int -eay_twofish_keylen(len) - int len; -{ - if (len < 0 || len > 256) - return -1; - return len; -} - -int -eay_null_keylen(len) - int len; -{ - return 0; -} - -/* - * HMAC functions - */ -static caddr_t -eay_hmac_init(key, md) - vchar_t *key; - const EVP_MD *md; -{ - HMAC_CTX *c = racoon_malloc(sizeof(*c)); - - HMAC_Init(c, key->v, key->l, md); - - return (caddr_t)c; -} - -#ifdef 
WITH_SHA2 -/* - * HMAC SHA2-512 - */ -vchar_t * -eay_hmacsha2_512_one(key, data) - vchar_t *key, *data; -{ - vchar_t *res; - caddr_t ctx; - - ctx = eay_hmacsha2_512_init(key); - eay_hmacsha2_512_update(ctx, data); - res = eay_hmacsha2_512_final(ctx); - - return(res); -} - -caddr_t -eay_hmacsha2_512_init(key) - vchar_t *key; -{ - return eay_hmac_init(key, EVP_sha2_512()); -} - -void -eay_hmacsha2_512_update(c, data) - caddr_t c; - vchar_t *data; -{ - HMAC_Update((HMAC_CTX *)c, data->v, data->l); -} - -vchar_t * -eay_hmacsha2_512_final(c) - caddr_t c; -{ - vchar_t *res; - unsigned int l; - - if ((res = vmalloc(SHA512_DIGEST_LENGTH)) == 0) - return NULL; - - HMAC_Final((HMAC_CTX *)c, res->v, &l); - res->l = l; - HMAC_cleanup((HMAC_CTX *)c); - (void)racoon_free(c); - - if (SHA512_DIGEST_LENGTH != res->l) { - plog(LLV_ERROR, LOCATION, NULL, - "hmac sha2_512 length mismatch %d.\n", res->l); - vfree(res); - return NULL; - } - - return(res); -} - -/* - * HMAC SHA2-384 - */ -vchar_t * -eay_hmacsha2_384_one(key, data) - vchar_t *key, *data; -{ - vchar_t *res; - caddr_t ctx; - - ctx = eay_hmacsha2_384_init(key); - eay_hmacsha2_384_update(ctx, data); - res = eay_hmacsha2_384_final(ctx); - - return(res); -} - -caddr_t -eay_hmacsha2_384_init(key) - vchar_t *key; -{ - return eay_hmac_init(key, EVP_sha2_384()); -} - -void -eay_hmacsha2_384_update(c, data) - caddr_t c; - vchar_t *data; -{ - HMAC_Update((HMAC_CTX *)c, data->v, data->l); -} - -vchar_t * -eay_hmacsha2_384_final(c) - caddr_t c; -{ - vchar_t *res; - unsigned int l; - - if ((res = vmalloc(SHA384_DIGEST_LENGTH)) == 0) - return NULL; - - HMAC_Final((HMAC_CTX *)c, res->v, &l); - res->l = l; - HMAC_cleanup((HMAC_CTX *)c); - (void)racoon_free(c); - - if (SHA384_DIGEST_LENGTH != res->l) { - plog(LLV_ERROR, LOCATION, NULL, - "hmac sha2_384 length mismatch %d.\n", res->l); - vfree(res); - return NULL; - } - - return(res); -} - -/* - * HMAC SHA2-256 - */ -vchar_t * -eay_hmacsha2_256_one(key, data) - vchar_t *key, *data; -{ - 
vchar_t *res; - caddr_t ctx; - - ctx = eay_hmacsha2_256_init(key); - eay_hmacsha2_256_update(ctx, data); - res = eay_hmacsha2_256_final(ctx); - - return(res); -} - -caddr_t -eay_hmacsha2_256_init(key) - vchar_t *key; -{ - return eay_hmac_init(key, EVP_sha2_256()); -} - -void -eay_hmacsha2_256_update(c, data) - caddr_t c; - vchar_t *data; -{ - HMAC_Update((HMAC_CTX *)c, data->v, data->l); -} - -vchar_t * -eay_hmacsha2_256_final(c) - caddr_t c; -{ - vchar_t *res; - unsigned int l; - - if ((res = vmalloc(SHA256_DIGEST_LENGTH)) == 0) - return NULL; - - HMAC_Final((HMAC_CTX *)c, res->v, &l); - res->l = l; - HMAC_cleanup((HMAC_CTX *)c); - (void)racoon_free(c); - - if (SHA256_DIGEST_LENGTH != res->l) { - plog(LLV_ERROR, LOCATION, NULL, - "hmac sha2_256 length mismatch %d.\n", res->l); - vfree(res); - return NULL; - } - - return(res); -} -#endif /* WITH_SHA2 */ - -/* - * HMAC SHA1 - */ -vchar_t * -eay_hmacsha1_one(key, data) - vchar_t *key, *data; -{ - vchar_t *res; - caddr_t ctx; - - ctx = eay_hmacsha1_init(key); - eay_hmacsha1_update(ctx, data); - res = eay_hmacsha1_final(ctx); - - return(res); -} - -caddr_t -eay_hmacsha1_init(key) - vchar_t *key; -{ - return eay_hmac_init(key, EVP_sha1()); -} - -void -eay_hmacsha1_update(c, data) - caddr_t c; - vchar_t *data; -{ - HMAC_Update((HMAC_CTX *)c, data->v, data->l); -} - -vchar_t * -eay_hmacsha1_final(c) - caddr_t c; -{ - vchar_t *res; - unsigned int l; - - if ((res = vmalloc(SHA_DIGEST_LENGTH)) == 0) - return NULL; - - HMAC_Final((HMAC_CTX *)c, res->v, &l); - res->l = l; - HMAC_cleanup((HMAC_CTX *)c); - (void)racoon_free(c); - - if (SHA_DIGEST_LENGTH != res->l) { - plog(LLV_ERROR, LOCATION, NULL, - "hmac sha1 length mismatch %d.\n", res->l); - vfree(res); - return NULL; - } - - return(res); -} - -/* - * HMAC MD5 - */ -vchar_t * -eay_hmacmd5_one(key, data) - vchar_t *key, *data; -{ - vchar_t *res; - caddr_t ctx; - - ctx = eay_hmacmd5_init(key); - eay_hmacmd5_update(ctx, data); - res = eay_hmacmd5_final(ctx); - - return(res); 
-} - -caddr_t -eay_hmacmd5_init(key) - vchar_t *key; -{ - return eay_hmac_init(key, EVP_md5()); -} - -void -eay_hmacmd5_update(c, data) - caddr_t c; - vchar_t *data; -{ - HMAC_Update((HMAC_CTX *)c, data->v, data->l); -} - -vchar_t * -eay_hmacmd5_final(c) - caddr_t c; -{ - vchar_t *res; - unsigned int l; - - if ((res = vmalloc(MD5_DIGEST_LENGTH)) == 0) - return NULL; - - HMAC_Final((HMAC_CTX *)c, res->v, &l); - res->l = l; - HMAC_cleanup((HMAC_CTX *)c); - (void)racoon_free(c); - - if (MD5_DIGEST_LENGTH != res->l) { - plog(LLV_ERROR, LOCATION, NULL, - "hmac md5 length mismatch %d.\n", res->l); - vfree(res); - return NULL; - } - - return(res); -} - -#ifdef WITH_SHA2 -/* - * SHA2-512 functions - */ -caddr_t -eay_sha2_512_init() -{ - SHA512_CTX *c = racoon_malloc(sizeof(*c)); - - SHA512_Init(c); - - return((caddr_t)c); -} - -void -eay_sha2_512_update(c, data) - caddr_t c; - vchar_t *data; -{ - SHA512_Update((SHA512_CTX *)c, data->v, data->l); - - return; -} - -vchar_t * -eay_sha2_512_final(c) - caddr_t c; -{ - vchar_t *res; - - if ((res = vmalloc(SHA512_DIGEST_LENGTH)) == 0) - return(0); - - SHA512_Final(res->v, (SHA512_CTX *)c); - (void)racoon_free(c); - - return(res); -} - -vchar_t * -eay_sha2_512_one(data) - vchar_t *data; -{ - caddr_t ctx; - vchar_t *res; - - ctx = eay_sha2_512_init(); - eay_sha2_512_update(ctx, data); - res = eay_sha2_512_final(ctx); - - return(res); -} -#endif - -int -eay_sha2_512_hashlen() -{ - return SHA512_DIGEST_LENGTH << 3; -} - -#ifdef WITH_SHA2 -/* - * SHA2-384 functions - */ -caddr_t -eay_sha2_384_init() -{ - SHA384_CTX *c = racoon_malloc(sizeof(*c)); - - SHA384_Init(c); - - return((caddr_t)c); -} - -void -eay_sha2_384_update(c, data) - caddr_t c; - vchar_t *data; -{ - SHA384_Update((SHA384_CTX *)c, data->v, data->l); - - return; -} - -vchar_t * -eay_sha2_384_final(c) - caddr_t c; -{ - vchar_t *res; - - if ((res = vmalloc(SHA384_DIGEST_LENGTH)) == 0) - return(0); - - SHA384_Final(res->v, (SHA384_CTX *)c); - (void)racoon_free(c); - - 
return(res); -} - -vchar_t * -eay_sha2_384_one(data) - vchar_t *data; -{ - caddr_t ctx; - vchar_t *res; - - ctx = eay_sha2_384_init(); - eay_sha2_384_update(ctx, data); - res = eay_sha2_384_final(ctx); - - return(res); -} -#endif - -int -eay_sha2_384_hashlen() -{ - return SHA384_DIGEST_LENGTH << 3; -} - -#ifdef WITH_SHA2 -/* - * SHA2-256 functions - */ -caddr_t -eay_sha2_256_init() -{ - SHA256_CTX *c = racoon_malloc(sizeof(*c)); - - SHA256_Init(c); - - return((caddr_t)c); -} - -void -eay_sha2_256_update(c, data) - caddr_t c; - vchar_t *data; -{ - SHA256_Update((SHA256_CTX *)c, data->v, data->l); - - return; -} - -vchar_t * -eay_sha2_256_final(c) - caddr_t c; -{ - vchar_t *res; - - if ((res = vmalloc(SHA256_DIGEST_LENGTH)) == 0) - return(0); - - SHA256_Final(res->v, (SHA256_CTX *)c); - (void)racoon_free(c); - - return(res); -} - -vchar_t * -eay_sha2_256_one(data) - vchar_t *data; -{ - caddr_t ctx; - vchar_t *res; - - ctx = eay_sha2_256_init(); - eay_sha2_256_update(ctx, data); - res = eay_sha2_256_final(ctx); - - return(res); -} -#endif - -int -eay_sha2_256_hashlen() -{ - return SHA256_DIGEST_LENGTH << 3; -} - -/* - * SHA functions - */ -caddr_t -eay_sha1_init() -{ - SHA_CTX *c = racoon_malloc(sizeof(*c)); - - SHA1_Init(c); - - return((caddr_t)c); -} - -void -eay_sha1_update(c, data) - caddr_t c; - vchar_t *data; -{ - SHA1_Update((SHA_CTX *)c, data->v, data->l); - - return; -} - -vchar_t * -eay_sha1_final(c) - caddr_t c; -{ - vchar_t *res; - - if ((res = vmalloc(SHA_DIGEST_LENGTH)) == 0) - return(0); - - SHA1_Final(res->v, (SHA_CTX *)c); - (void)racoon_free(c); - - return(res); -} - -vchar_t * -eay_sha1_one(data) - vchar_t *data; -{ - caddr_t ctx; - vchar_t *res; - - ctx = eay_sha1_init(); - eay_sha1_update(ctx, data); - res = eay_sha1_final(ctx); - - return(res); -} - -int -eay_sha1_hashlen() -{ - return SHA_DIGEST_LENGTH << 3; -} - -/* - * MD5 functions - */ -caddr_t -eay_md5_init() -{ - MD5_CTX *c = racoon_malloc(sizeof(*c)); - - MD5_Init(c); - - 
return((caddr_t)c);
-}
-
-void
-eay_md5_update(c, data)
- caddr_t c;
- vchar_t *data;
-{
- MD5_Update((MD5_CTX *)c, data->v, data->l);
-
- return;
-}
-
-vchar_t *
-eay_md5_final(c)
- caddr_t c;
-{
- vchar_t *res;
-
- if ((res = vmalloc(MD5_DIGEST_LENGTH)) == 0)
- return(0);
-
- MD5_Final(res->v, (MD5_CTX *)c);
- (void)racoon_free(c);
-
- return(res);
-}
-
-vchar_t *
-eay_md5_one(data)
- vchar_t *data;
-{
- caddr_t ctx;
- vchar_t *res;
-
- ctx = eay_md5_init();
- eay_md5_update(ctx, data);
- res = eay_md5_final(ctx);
-
- return(res);
-}
-
-int
-eay_md5_hashlen()
-{
- return MD5_DIGEST_LENGTH << 3;
-}
-
-/*
- * eay_set_random
- * size: number of bytes.
- */
-vchar_t *
-eay_set_random(size)
- u_int32_t size;
-{
- BIGNUM *r = NULL;
- vchar_t *res = 0;
-
- if ((r = BN_new()) == NULL)
- goto end;
- BN_rand(r, size * 8, 0, 0);
- eay_bn2v(&res, r);
-
-end:
- if (r)
- BN_free(r);
- return(res);
-}
-
-/* DH */
-int
-eay_dh_generate(prime, g, publen, pub, priv)
- vchar_t *prime, **pub, **priv;
- u_int publen;
- u_int32_t g;
-{
- BIGNUM *p = NULL;
- DH *dh = NULL;
- int error = -1;
-
- /* initialize */
- /* pre-process to generate number */
- if (eay_v2bn(&p, prime) < 0)
- goto end;
-
- if ((dh = DH_new()) == NULL)
- goto end;
- dh->p = p;
- p = NULL; /* p is now part of dh structure */
- dh->g = NULL;
- if ((dh->g = BN_new()) == NULL)
- goto end;
- if (!BN_set_word(dh->g, g))
- goto end;
-
- if (publen != 0)
- dh->length = publen;
-
- /* generate public and private number */
- if (!DH_generate_key(dh))
- goto end;
-
- /* copy results to buffers */
- if (eay_bn2v(pub, dh->pub_key) < 0)
- goto end;
- if (eay_bn2v(priv, dh->priv_key) < 0) {
- vfree(*pub);
- goto end;
- }
-
- error = 0;
-
-end:
- if (dh != NULL)
- DH_free(dh);
- if (p != 0)
- BN_free(p);
- return(error);
-}
-
-int
-eay_dh_compute(prime, g, pub, priv, pub2, key)
- vchar_t *prime, *pub, *priv, *pub2, **key;
- u_int32_t g;
-{
- BIGNUM *dh_pub = NULL;
- DH *dh = NULL;
- int l;
- caddr_t v = NULL;
- int error = -1;
-
- /* make public number to compute */
- if (eay_v2bn(&dh_pub, pub2) < 0)
- goto end;
-
- /* make DH structure */
- if ((dh = DH_new()) == NULL)
- goto end;
- if (eay_v2bn(&dh->p, prime) < 0)
- goto end;
- if (eay_v2bn(&dh->pub_key, pub) < 0)
- goto end;
- if (eay_v2bn(&dh->priv_key, priv) < 0)
- goto end;
- dh->length = pub2->l * 8;
-
- dh->g = NULL;
- if ((dh->g = BN_new()) == NULL)
- goto end;
- if (!BN_set_word(dh->g, g))
- goto end;
-
- if ((v = (caddr_t)racoon_calloc(prime->l, sizeof(u_char))) == NULL)
- goto end;
- if ((l = DH_compute_key(v, dh_pub, dh)) == -1)
- goto end;
- memcpy((*key)->v + (prime->l - l), v, l);
-
- error = 0;
-
-end:
- if (dh_pub != NULL)
- BN_free(dh_pub);
- if (dh != NULL)
- DH_free(dh);
- if (v != NULL)
- racoon_free(v);
- return(error);
-}
-
-#if 1
-int
-eay_v2bn(bn, var)
- BIGNUM **bn;
- vchar_t *var;
-{
- if ((*bn = BN_bin2bn(var->v, var->l, NULL)) == NULL)
- return -1;
-
- return 0;
-}
-#else
-/*
- * convert vchar_t <-> BIGNUM.
- *
- * vchar_t: unit is u_char, network endian, most significant byte first.
- * BIGNUM: unit is BN_ULONG, each of BN_ULONG is in host endian,
- * least significant BN_ULONG must come first.
- *
- * hex value of "0x3ffe050104" is represented as follows:
- * vchar_t: 3f fe 05 01 04
- * BIGNUM (BN_ULONG = u_int8_t): 04 01 05 fe 3f
- * BIGNUM (BN_ULONG = u_int16_t): 0x0104 0xfe05 0x003f
- * BIGNUM (BN_ULONG = u_int32_t_t): 0xfe050104 0x0000003f
- */
-int
-eay_v2bn(bn, var)
- BIGNUM **bn;
- vchar_t *var;
-{
- u_char *p;
- u_char *q;
- BN_ULONG *r;
- int l;
- BN_ULONG num;
-
- *bn = BN_new();
- if (*bn == NULL)
- goto err;
- l = (var->l * 8 + BN_BITS2 - 1) / BN_BITS2;
- if (bn_expand(*bn, l * BN_BITS2) == NULL)
- goto err;
- (*bn)->top = l;
-
- /* scan from least significant byte */
- p = (u_char *)var->v;
- q = (u_char *)(var->v + var->l);
- r = (*bn)->d;
- num = 0;
- l = 0;
- do {
- q--;
- num = num | ((BN_ULONG)*q << (l++ * 8));
- if (l == BN_BYTES) {
- *r++ = num;
- num = 0;
- l = 0;
- }
- } while (p < q);
- if (l)
- *r = num;
- return 0;
-
-err:
- if (*bn)
- BN_free(*bn);
- return -1;
-}
-#endif
-
-int
-eay_bn2v(var, bn)
- vchar_t **var;
- BIGNUM *bn;
-{
- *var = vmalloc(bn->top * BN_BYTES);
- if (*var == NULL)
- return(-1);
-
- (*var)->l = BN_bn2bin(bn, (*var)->v);
-
- return 0;
-}
-
-const char *
-eay_version()
-{
- return SSLeay_version(SSLEAY_VERSION);
-}
diff --git a/kame/kame/racoon/crypto_openssl.h b/kame/kame/racoon/crypto_openssl.h
deleted file mode 100644
index abdd6ef61c..0000000000
--- a/kame/kame/racoon/crypto_openssl.h
+++ /dev/null
@@ -1,202 +0,0 @@
-/* $KAME: crypto_openssl.h,v 1.31 2004/08/24 06:52:41 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_SIGNING_C
-/* X509 Certificate */
-
-#include
-
-#define GENT_OTHERNAME GEN_OTHERNAME
-#define GENT_EMAIL GEN_EMAIL
-#define GENT_DNS GEN_DNS
-#define GENT_X400 GEN_X400
-#define GENT_DIRNAME GEN_DIRNAME
-#define GENT_EDIPARTY GEN_EDIPARTY
-#define GENT_URI GEN_URI
-#define GENT_IPADD GEN_IPADD
-#define GENT_RID GEN_RID
-
-extern vchar_t *eay_str2asn1dn __P((char *, int));
-extern int eay_cmp_asn1dn __P((vchar_t *, vchar_t *));
-extern int eay_check_x509cert __P((vchar_t *, char *, int));
-extern vchar_t *eay_get_x509asn1subjectname __P((vchar_t *));
-extern int eay_get_x509subjectaltname __P((vchar_t *, char **, int *, int));
-extern char *eay_get_x509text __P((vchar_t *));
-extern vchar_t *eay_get_x509cert __P((char *));
-extern vchar_t *eay_get_x509sign __P((vchar_t *, vchar_t *, vchar_t *));
-extern int eay_check_x509sign __P((vchar_t *, vchar_t *, vchar_t *));
-extern int eay_check_pkcs7sign __P((vchar_t *, vchar_t *, vchar_t *));
-
-/* RSA */
-extern vchar_t *eay_rsa_sign __P((vchar_t *, vchar_t *));
-extern int eay_rsa_verify __P((vchar_t *, vchar_t *, EVP_PKEY *));
-
-/* ASN.1 */
-extern vchar_t *eay_get_pkcs1privkey __P((char *));
-extern vchar_t *eay_get_pkcs1pubkey __P((char *));
-#endif
-
-/* string error */
-extern char *eay_strerror __P((void));
-extern void eay_init_error __P((void));
-extern void eay_close_error __P((void));
-
-/* DES */
-extern vchar_t *eay_des_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern vchar_t *eay_des_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern int eay_des_weakkey __P((vchar_t *));
-extern int eay_des_keylen __P((int));
-
-/* IDEA */
-extern vchar_t *eay_idea_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern vchar_t *eay_idea_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern int eay_idea_weakkey __P((vchar_t *));
-extern int eay_idea_keylen __P((int));
-
-/* blowfish */
-extern vchar_t *eay_bf_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern vchar_t *eay_bf_decrypt
__P((vchar_t *, vchar_t *, vchar_t *));
-extern int eay_bf_weakkey __P((vchar_t *));
-extern int eay_bf_keylen __P((int));
-
-/* RC5 */
-extern vchar_t *eay_rc5_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern vchar_t *eay_rc5_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern int eay_rc5_weakkey __P((vchar_t *));
-extern int eay_rc5_keylen __P((int));
-
-/* 3DES */
-extern vchar_t *eay_3des_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern vchar_t *eay_3des_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern int eay_3des_weakkey __P((vchar_t *));
-extern int eay_3des_keylen __P((int));
-
-/* CAST */
-extern vchar_t *eay_cast_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern vchar_t *eay_cast_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern int eay_cast_weakkey __P((vchar_t *));
-extern int eay_cast_keylen __P((int));
-
-/* AES(RIJNDAEL) */
-extern vchar_t *eay_aes_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern vchar_t *eay_aes_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern int eay_aes_weakkey __P((vchar_t *));
-extern int eay_aes_keylen __P((int));
-
-/* misc */
-extern int eay_null_keylen __P((int));
-extern int eay_null_hashlen __P((void));
-extern int eay_kpdk_hashlen __P((void));
-extern int eay_twofish_keylen __P((int));
-
-/* hash */
-#if defined(WITH_SHA2)
-/* HMAC SHA2 */
-extern vchar_t *eay_hmacsha2_512_one __P((vchar_t *, vchar_t *));
-extern caddr_t eay_hmacsha2_512_init __P((vchar_t *));
-extern void eay_hmacsha2_512_update __P((caddr_t, vchar_t *));
-extern vchar_t *eay_hmacsha2_512_final __P((caddr_t));
-extern vchar_t *eay_hmacsha2_384_one __P((vchar_t *, vchar_t *));
-extern caddr_t eay_hmacsha2_384_init __P((vchar_t *));
-extern void eay_hmacsha2_384_update __P((caddr_t, vchar_t *));
-extern vchar_t *eay_hmacsha2_384_final __P((caddr_t));
-extern vchar_t *eay_hmacsha2_256_one __P((vchar_t *, vchar_t *));
-extern caddr_t eay_hmacsha2_256_init __P((vchar_t *));
-extern void
eay_hmacsha2_256_update __P((caddr_t, vchar_t *));
-extern vchar_t *eay_hmacsha2_256_final __P((caddr_t));
-#endif
-/* HMAC SHA1 */
-extern vchar_t *eay_hmacsha1_one __P((vchar_t *, vchar_t *));
-extern caddr_t eay_hmacsha1_init __P((vchar_t *));
-extern void eay_hmacsha1_update __P((caddr_t, vchar_t *));
-extern vchar_t *eay_hmacsha1_final __P((caddr_t));
-/* HMAC MD5 */
-extern vchar_t *eay_hmacmd5_one __P((vchar_t *, vchar_t *));
-extern caddr_t eay_hmacmd5_init __P((vchar_t *));
-extern void eay_hmacmd5_update __P((caddr_t, vchar_t *));
-extern vchar_t *eay_hmacmd5_final __P((caddr_t));
-
-#if defined(WITH_SHA2)
-/* SHA2 functions */
-extern caddr_t eay_sha2_512_init __P((void));
-extern void eay_sha2_512_update __P((caddr_t, vchar_t *));
-extern vchar_t *eay_sha2_512_final __P((caddr_t));
-extern vchar_t *eay_sha2_512_one __P((vchar_t *));
-#endif
-extern int eay_sha2_512_hashlen __P((void));
-
-#if defined(WITH_SHA2)
-extern caddr_t eay_sha2_384_init __P((void));
-extern void eay_sha2_384_update __P((caddr_t, vchar_t *));
-extern vchar_t *eay_sha2_384_final __P((caddr_t));
-extern vchar_t *eay_sha2_384_one __P((vchar_t *));
-#endif
-extern int eay_sha2_384_hashlen __P((void));
-
-#if defined(WITH_SHA2)
-extern caddr_t eay_sha2_256_init __P((void));
-extern void eay_sha2_256_update __P((caddr_t, vchar_t *));
-extern vchar_t *eay_sha2_256_final __P((caddr_t));
-extern vchar_t *eay_sha2_256_one __P((vchar_t *));
-#endif
-extern int eay_sha2_256_hashlen __P((void));
-
-/* SHA functions */
-extern caddr_t eay_sha1_init __P((void));
-extern void eay_sha1_update __P((caddr_t, vchar_t *));
-extern vchar_t *eay_sha1_final __P((caddr_t));
-extern vchar_t *eay_sha1_one __P((vchar_t *));
-extern int eay_sha1_hashlen __P((void));
-
-/* MD5 functions */
-extern caddr_t eay_md5_init __P((void));
-extern void eay_md5_update __P((caddr_t, vchar_t *));
-extern vchar_t *eay_md5_final __P((caddr_t));
-extern vchar_t *eay_md5_one __P((vchar_t *));
-extern int eay_md5_hashlen
__P((void));
-
-/* eay_set_random */
-extern vchar_t *eay_set_random __P((u_int32_t));
-
-/* DH */
-extern int eay_dh_generate __P((vchar_t *, u_int32_t, u_int, vchar_t **, vchar_t **));
-extern int eay_dh_compute __P((vchar_t *, u_int32_t, vchar_t *, vchar_t *, vchar_t *, vchar_t **));
-
-/* misc */
-extern int eay_revbnl __P((vchar_t *));
-#include
-extern int eay_v2bn __P((BIGNUM **, vchar_t *));
-extern int eay_bn2v __P((vchar_t **, BIGNUM *));
-
-extern const char *eay_version __P((void));
-
-#define CBC_BLOCKLEN 8
-#define IPSEC_ENCRYPTKEYLEN 8
diff --git a/kame/kame/racoon/debug.h b/kame/kame/racoon/debug.h
deleted file mode 100644
index e98118d7dd..0000000000
--- a/kame/kame/racoon/debug.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/* $KAME: debug.h,v 1.17 2001/01/10 02:58:58 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* define by main.c */
-extern int f_local;
-extern int vflag;
diff --git a/kame/kame/racoon/debugrm.c b/kame/kame/racoon/debugrm.c
deleted file mode 100644
index 196bf17a12..0000000000
--- a/kame/kame/racoon/debugrm.c
+++ /dev/null
@@ -1,274 +0,0 @@
-/* $KAME: debugrm.c,v 1.6 2001/12/13 16:07:46 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#define NONEED_DRM
-
-#include
-#include
-
-#include
-#include
-#include
-#include
-#include
-
-#include "debugrm.h"
-
-#include "vmbuf.h" /* need to mask vmbuf.c functions.
*/
-
-#define DRMLISTSIZE 1024
-
-struct drm_list_t {
- void *ptr;
- char msg[100];
-};
-static struct drm_list_t drmlist[DRMLISTSIZE];
-
-static int drm_unknown;
-
-static void DRM_add __P((void *, char *));
-static void DRM_del __P((void *));
-static void DRM_setmsg __P((char *, int, void *, int, char *, int, char *));
-
-void
-DRM_init()
-{
- int i;
- drm_unknown = 0;
- for (i = 0; i < sizeof(drmlist)/sizeof(drmlist[0]); i++)
- drmlist[i].ptr = 0;
-}
-
-void
-DRM_dump()
-{
- FILE *fp;
- int i;
-
- fp = fopen(DRMDUMPFILE, "w");
- if (fp == NULL)
- err(1, "fopen"); /*XXX*/
- fprintf(fp, "drm_unknown=%d\n", drm_unknown);
- for (i = 0; i < sizeof(drmlist)/sizeof(drmlist[0]); i++) {
- if (drmlist[i].ptr)
- fprintf(fp, "%s\n", drmlist[i].msg);
- }
- fclose(fp);
-}
-
-static void
-DRM_add(p, msg)
- void *p;
- char *msg;
-{
- int i;
- for (i = 0; i < sizeof(drmlist)/sizeof(drmlist[0]); i++) {
- if (!drmlist[i].ptr) {
- drmlist[i].ptr = p;
- strlcpy(drmlist[i].msg, msg, sizeof(drmlist[i].msg));
- return;
- }
- }
-}
-
-static void
-DRM_del(p)
- void *p;
-{
- int i;
-
- if (!p)
- return;
-
- for (i = 0; i < sizeof(drmlist)/sizeof(drmlist[0]); i++) {
- if (drmlist[i].ptr == p) {
- drmlist[i].ptr = 0;
- return;
- }
- }
- drm_unknown++;
-}
-
-static void
-DRM_setmsg(buf, buflen, ptr, size, file, line, func)
- char *buf, *file, *func;
- int buflen, size, line;
- void *ptr;
-{
- time_t t;
- struct tm *tm;
- int len;
-
- t = time(NULL);
- tm = localtime(&t);
- len = strftime(buf, buflen, "%Y/%m/%d:%T ", tm);
-
- snprintf(buf + len, buflen - len, "%p %6d %s:%d:%s",
- ptr, size, file , line, func);
-}
-
-void *
-DRM_malloc(file, line, func, size)
- char *file, *func;
- int line;
- size_t size;
-{
- void *p;
-
- p = malloc(size);
- if (p) {
- char buf[1024];
- DRM_setmsg(buf, sizeof(buf), p, size, file, line, func);
- DRM_add(p, buf);
- }
-
- return p;
-}
-
-void *
-DRM_calloc(file, line, func, number, size)
- char *file, *func;
- int line;
- size_t number, size;
-{
- void *p;
-
-
p = calloc(number, size);
- if (p) {
- char buf[1024];
- DRM_setmsg(buf, sizeof(buf), p, number * size, file, line, func);
- DRM_add(p, buf);
- }
- return p;
-}
-
-void *
-DRM_realloc(file, line, func, ptr, size)
- char *file, *func;
- int line;
- void *ptr;
- size_t size;
-{
- void *p;
-
- p = realloc(ptr, size);
- if (p) {
- char buf[1024];
- if (ptr && p != ptr) {
- DRM_del(ptr);
- DRM_setmsg(buf, sizeof(buf), p, size, file, line, func);
- DRM_add(p, buf);
- }
- }
-
- return p;
-}
-
-void
-DRM_free(file, line, func, ptr)
- char *file, *func;
- int line;
- void *ptr;
-{
- DRM_del(ptr);
- free(ptr);
-}
-
-/*
- * mask vmbuf.c functions.
- */
-void *
-DRM_vmalloc(file, line, func, size)
- char *file, *func;
- int line;
- size_t size;
-{
- void *p;
-
- p = vmalloc(size);
- if (p) {
- char buf[1024];
- DRM_setmsg(buf, sizeof(buf), p, size, file, line, func);
- DRM_add(p, buf);
- }
-
- return p;
-}
-
-void *
-DRM_vrealloc(file, line, func, ptr, size)
- char *file, *func;
- int line;
- void *ptr;
- size_t size;
-{
- void *p;
-
- p = vrealloc(ptr, size);
- if (p) {
- char buf[1024];
- if (ptr && p != ptr) {
- DRM_del(ptr);
- DRM_setmsg(buf, sizeof(buf), p, size, file, line, func);
- DRM_add(p, buf);
- }
- }
-
- return p;
-}
-
-void
-DRM_vfree(file, line, func, ptr)
- char *file, *func;
- int line;
- void *ptr;
-{
- DRM_del(ptr);
- vfree(ptr);
-}
-
-void *
-DRM_vdup(file, line, func, ptr)
- char *file, *func;
- int line;
- void *ptr;
-{
- void *p;
-
- p = vdup(ptr);
- if (p) {
- char buf[1024];
- DRM_setmsg(buf, sizeof(buf), p, 0, file, line, func);
- DRM_add(p, buf);
- }
-
- return p;
-}
diff --git a/kame/kame/racoon/debugrm.h b/kame/kame/racoon/debugrm.h
deleted file mode 100644
index 2f7d87628e..0000000000
--- a/kame/kame/racoon/debugrm.h
+++ /dev/null
@@ -1,87 +0,0 @@
-/* $KAME: debugrm.h,v 1.4 2002/06/10 19:58:29 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#define DRMDUMPFILE "/var/tmp/debugrm.dump"
-
-#ifdef NONEED_DRM
-#ifndef racoon_malloc
-#define racoon_malloc(sz) malloc((sz))
-#endif
-#ifndef racoon_calloc
-#define racoon_calloc(cnt, sz) calloc((cnt), (sz))
-#endif
-#ifndef racoon_realloc
-#define racoon_realloc(old, sz) realloc((old), (sz))
-#endif
-#ifndef racoon_free
-#define racoon_free(p) free((p))
-#endif
-#else /*!NONEED_DRM*/
-#ifndef racoon_malloc
-#define racoon_malloc(sz) \
- DRM_malloc(__FILE__, __LINE__, __func__, (sz))
-#endif
-#ifndef racoon_calloc
-#define racoon_calloc(cnt, sz) \
- DRM_calloc(__FILE__, __LINE__, __func__, (cnt), (sz))
-#endif
-#ifndef racoon_realloc
-#define racoon_realloc(old, sz) \
- DRM_realloc(__FILE__, __LINE__, __func__, (old), (sz))
-#endif
-#ifndef racoon_free
-#define racoon_free(p) \
- DRM_free(__FILE__, __LINE__, __func__, (p))
-#endif
-#endif /*NONEED_DRM*/
-
-extern void DRM_init __P((void));
-extern void DRM_dump __P((void));
-extern void *DRM_malloc __P((char *, int, char *, size_t));
-extern void *DRM_calloc __P((char *, int, char *, size_t, size_t));
-extern void *DRM_realloc __P((char *, int, char *, void *, size_t));
-extern void DRM_free __P((char *, int, char *, void *));
-
-#ifndef NONEED_DRM
-#define vmalloc(sz) \
- DRM_vmalloc(__FILE__, __LINE__, __func__, (sz))
-#define vdup(old) \
- DRM_vdup(__FILE__, __LINE__, __func__, (old))
-#define vrealloc(old, sz) \
- DRM_vrealloc(__FILE__, __LINE__, __func__, (old), (sz))
-#define vfree(p) \
- DRM_vfree(__FILE__, __LINE__, __func__, (p))
-#endif
-
-extern void *DRM_vmalloc __P((char *, int, char *, size_t));
-extern void *DRM_vrealloc __P((char *, int, char *, void *, size_t));
-extern void DRM_vfree __P((char *, int, char *, void *));
-extern void *DRM_vdup __P((char *, int, char *, void *));
diff --git a/kame/kame/racoon/dhgroup.h b/kame/kame/racoon/dhgroup.h
deleted file mode 100644
index d54788ef62..0000000000
--- a/kame/kame/racoon/dhgroup.h
+++ /dev/null
@@ -1,198 +0,0 @@
-/* $KAME: dhgroup.h,v 1.3 2003/12/14 04:13:11 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#define OAKLEY_PRIME_MODP768 \
- "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
- "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
- "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
- "E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF"
-
-#define OAKLEY_PRIME_MODP1024 \
- "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
- "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
- "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
- "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
- "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381" \
- "FFFFFFFF FFFFFFFF"
-
-#define OAKLEY_PRIME_MODP1536 \
- "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
- "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
- "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
- "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
- "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" \
- "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" \
- "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
- "670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF"
-
-/* RFC 3526 */
-#define OAKLEY_PRIME_MODP2048 \
- "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
- "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
- "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
- "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
- "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" \
- "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" \
- "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
- "670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B" \
- "E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9" \
- "DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510" \
- "15728E5A 8AACAA68 FFFFFFFF FFFFFFFF"
-
-#define OAKLEY_PRIME_MODP3072 \
- "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
- "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
-
"EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
- "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
- "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" \
- "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" \
- "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
- "670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B" \
- "E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9" \
- "DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510" \
- "15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64" \
- "ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7" \
- "ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B" \
- "F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C" \
- "BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31" \
- "43DB5BFC E0FD108E 4B82D120 A93AD2CA FFFFFFFF FFFFFFFF"
-
-#define OAKLEY_PRIME_MODP4096 \
- "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
- "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
- "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
- "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
- "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" \
- "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" \
- "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
- "670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B" \
- "E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9" \
- "DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510" \
- "15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64" \
- "ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7" \
- "ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B" \
- "F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C" \
- "BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31" \
- "43DB5BFC E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7" \
- "88719A10 BDBA5B26 99C32718 6AF4E23C 1A946834 B6150BDA" \
- "2583E9CA 2AD44CE8 DBBBC2DB 04DE8EF9 2E8EFC14 1FBECAA6" \
- "287C5947 4E6BC05D 99B2964F A090C3A2 233BA186
515BE7ED" \
- "1F612970 CEE2D7AF B81BDD76 2170481C D0069127 D5B05AA9" \
- "93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34063199" \
- "FFFFFFFF FFFFFFFF"
-
-#define OAKLEY_PRIME_MODP6144 \
- "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
- "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
- "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
- "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
- "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" \
- "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" \
- "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
- "670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B" \
- "E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9" \
- "DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510" \
- "15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64" \
- "ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7" \
- "ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B" \
- "F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C" \
- "BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31" \
- "43DB5BFC E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7" \
- "88719A10 BDBA5B26 99C32718 6AF4E23C 1A946834 B6150BDA" \
- "2583E9CA 2AD44CE8 DBBBC2DB 04DE8EF9 2E8EFC14 1FBECAA6" \
- "287C5947 4E6BC05D 99B2964F A090C3A2 233BA186 515BE7ED" \
- "1F612970 CEE2D7AF B81BDD76 2170481C D0069127 D5B05AA9" \
- "93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34028492" \
- "36C3FAB4 D27C7026 C1D4DCB2 602646DE C9751E76 3DBA37BD" \
- "F8FF9406 AD9E530E E5DB382F 413001AE B06A53ED 9027D831" \
- "179727B0 865A8918 DA3EDBEB CF9B14ED 44CE6CBA CED4BB1B" \
- "DB7F1447 E6CC254B 33205151 2BD7AF42 6FB8F401 378CD2BF" \
- "5983CA01 C64B92EC F032EA15 D1721D03 F482D7CE 6E74FEF6" \
- "D55E702F 46980C82 B5A84031 900B1C9E 59E7C97F BEC7E8F3" \
- "23A97A7E 36CC88BE 0F1D45B7 FF585AC5 4BD407B2 2B4154AA" \
- "CC8F6D7E BF48E1D8 14CC5ED2 0F8037E0 A79715EE F29BE328" \
- "06A1D58B B7C5DA76 F550AA3D 8A1FBFF0 EB19CCB1 A313D55C" \
-
"DA56C9EC 2EF29632 387FE8D7 6E3C0468 043E8F66 3F4860EE" \
- "12BF2D5B 0B7474D6 E694F91E 6DCC4024 FFFFFFFF FFFFFFFF"
-
-#define OAKLEY_PRIME_MODP8192 \
- "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
- "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
- "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
- "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
- "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" \
- "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" \
- "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
- "670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B" \
- "E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9" \
- "DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510" \
- "15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64" \
- "ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7" \
- "ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B" \
- "F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C" \
- "BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31" \
- "43DB5BFC E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7" \
- "88719A10 BDBA5B26 99C32718 6AF4E23C 1A946834 B6150BDA" \
- "2583E9CA 2AD44CE8 DBBBC2DB 04DE8EF9 2E8EFC14 1FBECAA6" \
- "287C5947 4E6BC05D 99B2964F A090C3A2 233BA186 515BE7ED" \
- "1F612970 CEE2D7AF B81BDD76 2170481C D0069127 D5B05AA9" \
- "93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34028492" \
- "36C3FAB4 D27C7026 C1D4DCB2 602646DE C9751E76 3DBA37BD" \
- "F8FF9406 AD9E530E E5DB382F 413001AE B06A53ED 9027D831" \
- "179727B0 865A8918 DA3EDBEB CF9B14ED 44CE6CBA CED4BB1B" \
- "DB7F1447 E6CC254B 33205151 2BD7AF42 6FB8F401 378CD2BF" \
- "5983CA01 C64B92EC F032EA15 D1721D03 F482D7CE 6E74FEF6" \
- "D55E702F 46980C82 B5A84031 900B1C9E 59E7C97F BEC7E8F3" \
- "23A97A7E 36CC88BE 0F1D45B7 FF585AC5 4BD407B2 2B4154AA" \
- "CC8F6D7E BF48E1D8 14CC5ED2 0F8037E0 A79715EE F29BE328" \
- "06A1D58B B7C5DA76 F550AA3D 8A1FBFF0 EB19CCB1 A313D55C" \
- "DA56C9EC 2EF29632 387FE8D7 6E3C0468 043E8F66
3F4860EE" \
- "12BF2D5B 0B7474D6 E694F91E 6DBE1159 74A3926F 12FEE5E4" \
- "38777CB6 A932DF8C D8BEC4D0 73B931BA 3BC832B6 8D9DD300" \
- "741FA7BF 8AFC47ED 2576F693 6BA42466 3AAB639C 5AE4F568" \
- "3423B474 2BF1C978 238F16CB E39D652D E3FDB8BE FC848AD9" \
- "22222E04 A4037C07 13EB57A8 1A23F0C7 3473FC64 6CEA306B" \
- "4BCBC886 2F8385DD FA9D4B7F A2C087E8 79683303 ED5BDD3A" \
- "062B3CF5 B3A278A6 6D2A13F8 3F44F82D DF310EE0 74AB6A36" \
- "4597E899 A0255DC1 64F31CC5 0846851D F9AB4819 5DED7EA1" \
- "B1D510BD 7EE74D73 FAF36BC3 1ECFA268 359046F4 EB879F92" \
- "4009438B 481C6CD7 889A002E D5EE382B C9190DA6 FC026E47" \
- "9558E447 5677E9AA 9E3050E2 765694DF C81F56E8 80B96E71" \
- "60C980DD 98EDD3DF FFFFFFFF FFFFFFFF"
-
-extern struct dhgroup dh_modp768;
-extern struct dhgroup dh_modp1024;
-extern struct dhgroup dh_modp1536;
-extern struct dhgroup dh_modp2048;
-extern struct dhgroup dh_modp3072;
-extern struct dhgroup dh_modp4096;
-extern struct dhgroup dh_modp6144;
-extern struct dhgroup dh_modp8192;
diff --git a/kame/kame/racoon/dnssec.c b/kame/kame/racoon/dnssec.c
deleted file mode 100644
index c9fe652289..0000000000
--- a/kame/kame/racoon/dnssec.c
+++ /dev/null
@@ -1,147 +0,0 @@
-/* $KAME: dnssec.c,v 1.2 2001/08/05 18:46:07 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include
-#include
-#include
-#include
-
-#include "var.h"
-#include "vmbuf.h"
-#include "misc.h"
-#include "plog.h"
-#include "debug.h"
-
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "ipsec_doi.h"
-#include "oakley.h"
-#include "netdb_dnssec.h"
-#include "strnames.h"
-#include "dnssec.h"
-#include "gcmalloc.h"
-
-extern int h_errno;
-
-cert_t *
-dnssec_getcert(id)
- vchar_t *id;
-{
- cert_t *cert = NULL;
- struct certinfo *res = NULL;
- struct ipsecdoi_id_b *id_b;
- int type;
- char *name = NULL;
- int namelen;
- int error;
-
- id_b = (struct ipsecdoi_id_b *)id->v;
-
- namelen = id->l - sizeof(*id_b);
- name = racoon_malloc(namelen + 1);
- if (!name) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get buffer.\n");
- return NULL;
- }
- memcpy(name, id_b + 1, namelen);
- name[namelen] = '\0';
-
- switch (id_b->type) {
- case IPSECDOI_ID_FQDN:
- error = getcertsbyname(name, &res);
- if (error != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "getcertsbyname(\"%s\") failed.\n", name);
- goto err;
- }
- break;
- case IPSECDOI_ID_IPV4_ADDR:
- case IPSECDOI_ID_IPV6_ADDR:
- /* XXX should be processed to query PTR ? */
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "inpropper ID type passed %s "
- "though getcert method is dnssec.\n",
- s_ipsecdoi_ident(id_b->type));
- return NULL;
- }
-
- /* check response */
- if (res->ci_next == NULL) {
- plog(LLV_WARNING, LOCATION, NULL,
- "not supported multiple CERT RR.\n");
- }
- switch (res->ci_type) {
- case DNSSEC_TYPE_PKIX:
- /* XXX is it enough condition to set this type ? */
- type = ISAKMP_CERT_X509SIGN;
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "not supported CERT RR type %d.\n", res->ci_type);
- goto err;
- }
-
- /* create cert holder */
- cert = oakley_newcert();
- if (cert == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get cert buffer.\n");
- goto err;
- }
- cert->pl = vmalloc(res->ci_certlen + 1);
- if (cert->pl == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get cert buffer.\n");
- goto err;
- }
- memcpy(cert->pl->v + 1, res->ci_cert, res->ci_certlen);
- cert->pl->v[0] = type;
- cert->cert.v = cert->pl->v + 1;
- cert->cert.l = cert->pl->l - 1;
-
- plog(LLV_DEBUG, LOCATION, NULL, "created CERT payload:\n");
- plogdump(LLV_DEBUG, cert->pl->v, cert->pl->l);
-
-end:
- if (res)
- freecertinfo(res);
-
- return cert;
-
-err:
- if (name)
- racoon_free(name);
- if (cert)
- oakley_delcert(cert);
- goto end;
-}
diff --git a/kame/kame/racoon/dnssec.h b/kame/kame/racoon/dnssec.h
deleted file mode 100644
index f2e25bbc8b..0000000000
--- a/kame/kame/racoon/dnssec.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/* $KAME: dnssec.h,v 1.1 2001/04/11 06:11:55 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-extern cert_t *dnssec_getcert __P((vchar_t *));
diff --git a/kame/kame/racoon/doc/FAQ b/kame/kame/racoon/doc/FAQ
deleted file mode 100644
index b001b6329d..0000000000
--- a/kame/kame/racoon/doc/FAQ
+++ /dev/null
@@ -1,101 +0,0 @@
-racoon FAQ
-KAME team
-$KAME: FAQ,v 1.9 2000/11/24 03:09:38 itojun Exp $
-
-
-Q: With what other IKE/IPsec implementation racoon is known to be interoperable?
-
-A:
- See "IMPLEMENTATION" document supplied with KAME kit, or:
- http://www.kame.net/dev/cvsweb.cgi/kame/IMPLEMENTATION
- As we have tested/got test reports in the past, and our end and
- the other end may have changed their implemenations, we are not sure
- if we can interoperate with them today (we hope them to interoperate,
- but we are not sure).
- Also note that, IKE interoperability highly depends on configuration
- on both ends. You must configure both ends exactly the same.
-
-Q: How can I make racoon interoperate with ?
-
-A:
- Configure both ends exactly the same. With just a tiny little
- differnce, you will be in trouble.
-
-Q: How to build racoon on my platform?
-
-A: (NetBSD 1.5/current, FreeBSD 4.1/current)
- To build racoon on these platforms, there are couple of ways:
- - on NetBSD/FreeBSD integrated platforms, use pkgsrc/ports.
- It is the easiest and recommended way.
- - If you need to use configure.in and Makefile.in distributed with
- KAME kit, kame/kame/racoon, use the following operation:
- % (cd ../../../netbsd/lib; make)
- % env LIBS=-L../../../netbsd/lib/libpfkey CFLAGS=-I../../sys \
- ./configure --with-libpfkey
- % make
- If you do not do the above, you may see missing symbols with pfkey_xx
- functions, and/or mismatch in ipsec.h. PKGSRC/PORTS IS DEFINITELY
- THE RECOMMENDED WAY.
-
-A: (KAME-patched platforms)
- - on KAME-patched platforms, use /usr.sbin/racoon, not
- configure.in and Makefile.in.
- - If you need to use configure.in and Makefile.in under
- kame/kame/racoon, use the following options to configure.in:
- % env LIBS=-L../../../bsdi4/lib/libpfkey ./configure \
- --with-libpfkey
- % make
-
-Q: Describe me the options to "configure".
-
-A:
- --enable-debug:
- Enable debugging options.
- --enable-yydebug:
- Enable yacc/lex tracing.
- --enable-pedant:
- Use strict compilation options (-Wall -Werror).
- --with-adminport: (INSECURE)
- Lets racoon to listen to racoon admin port, which is to
- be contacted by kmpstat(8). This one still needs more work
- (it lacks authentication, and is insecure), and is disabled
- by default. If you need kmpstat(8) for your experiment,
- you may turn this on, but make sure to use use it only in
- testbed network environment (not the reallife network).
- --with-efence: (for debug only)
- Use ElectricFence library, which helps us debug dynamic
- memory allocation mistakes.
- --with-gc: (experimental)
- Use Bohem-GC garbage collector.
- Make sure you compile all the binaries, including libipsec/
- whatever, with "GC_malloc" and "GC_free" instead of "malloc"
- and "free" (cc -Dmalloc=GC_malloc -Dfree=GC_free").
-
-Q: How can I get help?
-
-A:
- Always identify your operating system platforms, the versions you are
- using (like "KAME SNAP, 2000/Sep/4"), and information to repeat the
- problem. It is *mandatory* for you to submit the following at least:
- - version identification
- - trace from racoon, taken by "racoon -d 0xffffffff"
- (maximum debug level)
- - configuration file you are using
- - probabaly, tcpdump trace
- http://orange.kame.net/dev/send-pr.html has the guideline.
-
- If you do not identify the version you are using, we will not help you.
-
- If your question is not confidential, send your questions to:
- - as KAME problem report from http://orange.kame.net/dev/send-pr.html
- - snap-users@kame.net
- users mailing list, subscription guildeline: seewww.kame.net.
- - NOT TO INDIVIDUAL DEVELOPERS.
-
- If your question is confidential, send your questions to:
- - core@kame.net
-
-Q: Other documents to look at?
- http://www.netbsd.org/Documentation/network/ipsec/
- http://www.kame.net/
- http://www.kame.net/newsletter/
diff --git a/kame/kame/racoon/doc/README.certificate b/kame/kame/racoon/doc/README.certificate
deleted file mode 100644
index a8a49efb8d..0000000000
--- a/kame/kame/racoon/doc/README.certificate
+++ /dev/null
@@ -1 +0,0 @@
-See http://www.kame.net/newsletter/20000912/
diff --git a/kame/kame/racoon/doc/README.gssapi b/kame/kame/racoon/doc/README.gssapi
deleted file mode 100644
index 9cb3fbb5bb..0000000000
--- a/kame/kame/racoon/doc/README.gssapi
+++ /dev/null
@@ -1,106 +0,0 @@
-The gss-api authentication mechanism implementation for racoon was
-based on the ietf draft draft-ietf-ipsec-isakmp-gss-auth-06.txt.
-
-The implementation uses the Heimdal gss-api library, i.e. gss-api
-on top of Kerberos 5. The Heimdal gss-api library had to be modified
-to meet the requirements of using gss-api in a daemon. More specifically,
-the gss_acquire_cred() call did not work for other cases than
-GSS_C_NO_CREDENTIAL ("use default creds"). Daemons are often started
-as root, and have no Kerberos 5 credentials, so racoon explicitly
-needs to acquire its credentials. The usual method (already used
-by login authentication daemons) in these situations is to add
-a set of special credentials to be used. For example, authentication
-by daemons concerned with login credentials, uses 'host/fqdn' as
-its credential, where fqdn is the hostname on the interface that
-is being used. These special credentials need to be extracted into
-a local keytab from the kdc. The default value used in racoon
-is 'ike/fqdn', but it can be overridden in the racoon config file.
-
-The modification to the Heimdal gss-api library implements the
-mechanism above. If a credential other than GSS_C_NO_CREDENTIAL
-is specified to gss_acquire_cred(), it first looks in the default
-credential cache if it its principal matches the desired credential.
-If not, it extracts it from the default keytab file, and stores
-it in a memory-based credential cache, part of the gss credential
-structure.
-
-
-
-The modifcations to racoon itself are as follows:
-
- * The racoon.conf config file accepts a new keyword, "gssapi_id",
- to be used inside a proposal specification. It specifies
- a string (a Kerberos 5 principal in this case), specifying the
- credential that racoon will try to acquire. The default value
- is 'ike/fqdn', where fqdn is the hostname for the interface
- being used for the exchange. If the id is not specified, no
- GSS endpoint attribute will be specified in the first SA sent.
- However, if the initiator does specify a GSS endpoint attribute,
- racoon will always respond with its own GSS endpoint name
- in the SA (the default one if not specified by this option).
-
- * The racoon.conf file accepts "gssapi_krb" as authentication
- method inside a proposal specification. The number used
- for this method is 65001, which is a temporary number as
- specified in the draft.
-
- * The cftoken.l and cfparse.y source files were modified to
- pick up the configuration options. The original sources
- stored algorithms in bitmask, which unfortunately meant
- that the maximum value was 32, clearly not enough for 65001.
- After consulting with the author (sakane@kame.net), it turned
- out that method was a leftover, and no longer needed. I replaced
- it with plain integers.
-
- * The gss-api specific code was concentrated as much as possible
- in gssapi.c and gssapi.h. The code to call functions defined
- in these files is conditional on HAVE_GSSAPI, except for the
- config scan code. Specifying this flag on the compiler commandline
- is conditional on the --enable-gssapi option to the configure
- script.
-
- * Racoon seems to want to send accepted SA proposals back to
- the initiator in a verbatim fashion, leaving no room to
- insert the (variable-length) GSS endpoint name attribute.
- I worked around this by re-assembling the extracted SA
- into a new SA if the gssapi_krb method is used, and the
- initiator sent the name attribute. This scheme should
- possibly be re-examined by the racoon maintainers, storing
- the SAs (the transformations, to be more precise) in a different
- fashion to allow for variable-length attributes to be
- re-inserted would be a good change, but I considered it to be
- beyond the scope of this project.
-
- * The various state functions for aggressive and main mode
- (in isakmp_agg.c and isakmp_ident.c respectively) were
- changed to conditionally change their behavior if the
- gssapi_krb method is specified.
-
-
-This implementation tried to follow the specification in the ietf draft
-as close as possible. However, it has not been tested against other
-IKE daemon implementations. The only other one I know of is Windows 2000,
-and it has some caveats. I attempted to be Windows 2000 compatible.
-Should racoon be tried against Windows 2000, the gssapi_id option in
-the config file must be used, as Windows 2000 expects the GSS endpoint
-name to be sent at all times. I have my doubts as to the W2K compatibility,
-because the spec describes the GSS endpoint name sent by W2K as
-an unicode string 'xxx@domain', which doesn't seem to match the
-required standard for gss-api + kerberos 5 (i.e. I am fairly certain
-that such a string will be rejected by the Heimdal gss-api library, as it
-is not a valid Kerberos 5 principal).
-
-With the Heimdal gss-api implementation, the gssapi_krb authentication
-method will only work in main mode. Aggressive mode does not allow
-for the extra round-trips needed by gss_init_sec_context and
-gss_accept_sec_context when mutual authentication is requested.
-The draft specifies that the a fallback should be done to main mode,
-through the return of INVALID-EXCHANGE-TYPE if it turns out that
-the gss-api mechanisms needs more roundtrips. This is implemented.
-Unfortunately, racoon does not seem to properly fall back to
-its next mode, and this is not specific to the gssapi_krb method.
-So, to avoid problems, only specify main mode in the config file.
-
-
-
-- Frank van der Linden
-
diff --git a/kame/kame/racoon/doc/SantaBarbara-result.jp b/kame/kame/racoon/doc/SantaBarbara-result.jp
deleted file mode 100644
index d66fbe7c96..0000000000
--- a/kame/kame/racoon/doc/SantaBarbara-result.jp
+++ /dev/null
@@ -1,176 +0,0 @@ -Mon May 24 1999 - Fri May 28 1999 - -vs SSH - KAME -> SSH - - phase1 $B$GE($,%Q%1%C%H2r$1$J$$L5$/$F<:GT!#(B - RC5, IDEA, CAST, blowfish $BA4LG!D$L$L$L(B - racoon $B$N(B keylength $B4V0c$C$F$?!#(B - phase 1 $B$,0l=V$G(B expire $B$7$F$?!#(B - lifetime $BAw$C$F$3$J$$;~(B 0 $BF~$l$F$?!#(Bdefault $B$rF~$l$k!#(B - isakmp-test.ssh.fi$B$G3NG'(B - - $B:FAw$r0l2s$K?tH/Aw$C$FMh$k!#(B - racoon $B$O:FAw$J%Q%1%C%H$r0-$$%Q%1%C%H$H;W$C$F(B exchange $B$r=*$i$;$F$?!#(B - $B0E9f2=$5$l$F$k%Q%1%C%H$r4|BT$7$F$k;~$bF1$8!#(B - $B7k6I!"0-$$%Q%1%C%H$+:FAw$J%Q%1%C%H$+$NH=CG$,=PMh$J$$$N$GL5;k$9$k!#(B - - $BE($,CY$/$F!"$3$C$A$,@h$K:FAw$r$"$-$i$a$A$c$&!#(B - - $B$P$C$A$j(B - phase 1: RC5 - phase 2: ESP 1DES+SHA1 - -vs Altiga - Altiga -> KAME - phase1: modp768,MD5,3DES - phase2: ESP DES+MD5 tunnel mode - - SA $B$NJ}8~%A%'%C%/$K0z$C$+$+$C$F!"(Bphase 2 $B$N(B inbound SA $B$,FM$C9~$a$J$$!#(B - $B$J$*$7$F(B phase 2 $B8r49$O(B OK - - $B8~$3$&$+$i$N(B ESP $B%Q%1%C%H$r$[$I$$$F!"8e$m$KEj$2$h$&$H$9$k$,(B - $B$J$s$H(B inbound $B$N(B policy check $B$K$R$C$+$+$C$FE>Aw$G$-$J$$!D(B - a --- A === B --- b - - a -> b B $B9T$-(B - b -> a A $B5"$j(B A->a $B$KEj$2$k;~$K0z$C$+$+$k!#(B - $B$H$j$"$($:(B b->a A $B$r>C$7$FD)@o!#(BOK - - PFKEYv2$B $B$"$j!#(B - -vs CheckPoint - $B$U$i$l$?!#(B - $B%F%9%HCf$@$C$?$_$?$$!#(B - -vs HITACHI - KAME -> HITACHI - HITACHI -> KAME - - $B$D$J$.$C$Q$J$7$G?'!9!#(B - $B>!! 
KAME - config file$BLdBj(B: phase 1$B$N(Btransport$B$N(Bdiffie-hellman$B$O(Bmust - config file$B$K4V0c$$$,$"$C$?$i6+$V$Y$-!#(B - lifetime attribute$B$N(Bparser$B4V0c$$(B - lifetime attribute$B$N(Bparse$B$K<:GT$9$k$H!"(B0$B$r@_Dj$7$A$c$&(B - default$B$KLa$9(B - KAME -> freeSWAN - $BD9$$(Bproposal$B$rEj$2$k$H(Bparse$B$7$F$/$l$J$$(B - $B@hJ}$,(Bquick mode$B$N:G8e$G;`$L(B(SADB_UPDATE$BAjEv$N=hM}$G$X$/$k(B) - -vs Netlock - $B$"$C$A(Binitiator$B$G$d$C$F$_$k$,!"$3$C$AB&$N(Bphase 2 proposal parser$B$NLdBj(B - (AND$B$,2rKAME AH SHA1 - - phase1: modp768,MD5,3DES - phase2: AH SHA1 tunnel mode - AH checksum error - MD5 $B;n$9M=Dj!#$J$s$+LdBj$,$"$C$F:#2s$O$*3+$-$i$7$$!#(B - - phase2: ESP DES+MD5 tunnel mode - $BAPJ}8~(BOK - - CERT $B$N%G%b8+$;$F$b$i$&M=Dj(B - $BAj KAME - phase 1: 1DES+SHA1 - phase 2: ESP 1DES+SHA1 - KAME -> ashley - phase 1: 3DES+MD5 - phase 2: ESP 1DES+SHA1 - - ashley-laurent$B$,(Bresponder$B$N$H$-!"(Bproposal id #$B$r=q$-49$($F(B - $BJV$7$F$$$k$N$G%W%m%H%3%kE*$K$O$$$1$J$$(B(racoon$B$OL[$C$F!!e$N%W%m%H%3%k(B - ($BNc(B: AH+ESP)$B$r@5$7$/=hM}$G$-$J$$!#(B - $B$H$j$"$($:0BA4:v$O$$$l$?(B - initiator$B$N$H$-$O(Bconfig file$B$K=q$$$F$"$C$F$b$9$Y$7(B - -question - - informational exchange - - 1st exchange in phase 1 $B$NJV;v$O(B cookie $BKd$a$FJV$9$+!)(B - - phase 1 $B$G0E9f$G$-$k$^$G$O!"Mh$?E[$=$N$^$^JV$;$PNI$$$N$G$O!)(B - - phase 1 $B$H8@$($I$b(B msg-id $B$OF~$l$k!#(B - - informatinal message - $B0E9f2=$5$l$F$J$1$l$PL5;k$9$k$Y$-$@!#(B(DoS attack) - - retransmmission - $B8E$$%Q%1%C%H$H!"4|BT$7$J$$(B payload $B$NH=CG$,LLE]$J$N$G!"(B - $B%Q%1%C%H$r%A%'%C%/$7$F!"4|BT$7$J$$(Bpayload$B$,F~$C$F$$$l$P(B - $BHaLD$"$2$FL5;k!#0E9f2=$5$l$F$J$/$F$b%"%i!<%`$"$2$FL5;k!#(B - mulformed packet $B$OA4ItL5;k$7$J$$$H(BDOS$B967b$KBP93=PMh$J$$!#(B - 1st exchange $B$r56B$$5$l$k$H!"$$$D$^$G$?$C$F$b@5$7$$Aj $B$I$&$7$h$&(B? 
- -racoon - - zonbie-pst $B$7$J$j$*(B - phase 2 $B40N;(B - $BJRJ}(Breboot - reboot $B$7$F$J$$J}$+$i(B phase 2 $B$K9T$/(B - reboot $B$7$?$[$&$+$i(B invalid-cookie - - phase 2 $B$N(B id-type deirective $B$$$k!)(B - - first contact $B=hM}$7$m$h$J!#(B-> $B$H$j$"$($:$7$J$/$FNI$$!#(B - - phase 1 $B$N(B SA payload $B$N(BSPI $B$C$F!)(B - option $B$K$7$?J}$,NI$$$+$b!#(B - isakmp-test.ssh $B$O%*%W%7%g%s(B - - SADB_DELETE $B$+$i(B delete payload $B=P$9$h$&$K$9$k!#(B - $B$1$I(B DELETE 2$BH/!)(B - - $B8GM-%"%I%l%9$N(Bproxy $B%b!<%I$,(Bsetkey $B=PMh$J$$!#(B - spdadd 209.154.67.34 10.64.91.10 any -P ipsec esp/require/209.154.64.91; - PFKEYv2 $B$d$k$H$-$J$*$9!#(B - diff --git a/kame/kame/racoon/doc/helsinki-result.jp b/kame/kame/racoon/doc/helsinki-result.jp deleted file mode 100644 index 9d0b847277..0000000000 --- a/kame/kame/racoon/doc/helsinki-result.jp +++ /dev/null 
@@ -1,533 +0,0 @@ -Mon Aug 13 2001 - Fri Aug 17 2001 -$KAME: helsinki-result.jp,v 1.49 2001/08/17 14:33:48 sakane Exp $ - - -generic - sec* interface($Bl9g$O!)$=$s$J$N$"$j$($J$$!)(B - - phase 1$B$G80D9$N%M%4$,$G$-$J$$!#(B($B$G$-$k!#4*0c$$$@$C$?(B) - - IPsec$B$G$N(BSHA2 support$B3NG'(B($BE:IU$9$k(Bbit$B?t(B)$B!#(B - - SSH$B$7!#(Bany$B$N>l9g(Bwildcard$B$@$H(B - $B;W$C$F8!:w$9$Y$-!#(Bexactly right!! - - phase 2$B$G!"(Bipsec enc mode$B$,$D$$$F$$$J$+$C$?$H$-$NpJs$O;vA0$K7W;;$7$H$/J}$,$$$$$+$b(B - - subjectAltName$B$H(BID payload$BHf3S$K$D$$$F$h$/9M$($J$$$H>ZL@=q$O;H$($J$$!#(B - $B>ZL@=q$rAw$kA0$K!"$I$N(BID$B$r(BsubjectAltName$B$K;H$&$+7h$a$J$$$H$$$1$J$$$+$i!#(B - - ndp$B$r(Bbypass$B$5$;$k%U%i%0$+%]%j%7$,$"$C$?J}$,$$$$$+$b!#(B - $B0l1~(Bipsec_setsocket(NULL)$B$O$7$F$$$k!#(Bip6_output()$B$K%U%i%0EO$9(B? - $BH~$7$/$J$$(B... (itojun) - - -latest isakmpd on KAME - Tue Aug 14 01:42:55 JST 2001 - isakmpd$B$N(Binterface selection$BIt$rD>$7$?$i(Bphase 1$B$O@.8y$7$?!#(B - phase 2$B$,$&$^$/$$$+$J$$LOMM!#B?J,@_DjLdBj!#(B - -35:36.982316 130.233.9.166:500 -> 130.233.9.165:500: isakmp 1.0 msgid 00000000: -phase 1 ? ident[E]: [encrypted id] -2001-08-13 23:35:36: DEBUG: isakmp.c:402:isakmp_main(): malformed cookie receive -d or the spi expired. 
- - -USAGI linux - Tue Aug 14 01:42:55 JST 2001 - $B$J$s$+:#$O$^$C$F$$$k$i$7$$!#(B - - Wed Aug 15 JST - ESP 3des, des$B$N(Bmanual key$B$O@.8y(B - - Thu Aug 16 JST - $B$H$j$"$($:(Bpluto$B$@$1F0$+$7$?!#(Bphase 2$B$O40N;$9$k$,7k2L$N80$,0c$&!#(B - - -Compaq Tru54 UNIX X5.1B-BL4 - Tue Aug 14 17:09:18 JST 2001 - IPv4, ESP, tunnel mode - phase 1/2$B$H$b(B3DES + SHA1, group 2 - phase 1 lifetime = 10min, phase 2 lifetime = 5min - - IPv6, ESP + AH, transport tunnel mode - phase 1/2$B$H$b(B3DES + SHA1, group 2 - phase 1 lifetime = 10min, phase 2 lifetime = 5min - - IPv6, IPComp + ESP + AH, transport mode - phase 1/2$B$H$b(B3DES + SHA1 + defalte, group 2 - phase 1 lifetime = 10min, phase 2 lifetime = 5min - - initiator/responder$B$I$A$i$b$d$C$?!#(B - - Compaq$B$,(Binitiator$B$N>l9g$KLdBj$"$j!#(B - Compaq$BB&$O(Bphase 2 lifetime$B$N(Bproposal$B:n$jItJ,$K(Bbug$B$,5o$k$h$&$G!"(B - GUI$B$G(B5min$B$H8@$C$F$b(B10min$B$H8@$C$F$/$k(B(phase 1 lifetime$B$NCM$r(B - $B%3%T!<$7$F$$$k(B?)$B!#(B - - chargen$BCf$N(Brekey$BEy$b;n$7$?!#LdBj$J$7!#(B - - IPv4 over IPv6/IPv6 over IPv4$B$d$m$&$H8@$o$l$?$,$G$-$:!#(Bsec* transition - $B=*$o$C$?$i$d$l$k$+$J!#(B - - $BL@F|(B12:00 RSA signature mode$B$G:F@o(B - $B$`$`!"(Bauthentication-failed$B$G<:GT!#$3$C$A$NLdBj$+!)(B - - Fitec$B$H8=>]$O0l=o!#(Bopenssl 0.9.6 $B$r;H$&$HLdBj$J$7!#(B - openssl$B$N%P!<%8%g%s2<$2$A$c$C$?$N$G(B - ipv6 address as subjectAltName $B$O=PMh$:!#(B - - -Sun - Thu Aug 16 16:30 EEST 2001 - phase1: RSA signature, 3des, sha1, dh5 - phase2: ESP transport, aes 128, sha1, dh5 - - $BLdBj$J$7(B - - Sun$B$O(B phase2$B$N(BAES$B$N80D9$r$D$1$F$J$+$C$?!#(Bdraft$B$K$h$k$H(Bmust$B!#(B - racoon$BB&$,(Bdefault$B80D9$r%;%C%H$9$k$h$&$K$7$FBP1~!#(B - - -IBM AIX 5.1 - Tue Aug 14 17:33:43 JST 2001 - IPv6 test$B$7$h$&$H8@$o$l$k$b!"@hJ}$N%^%7%s(B($B1s3VCO(B)$B$K(Bglobal address$B$J$7!#(B - - Thu Aug 16 21:00 ESST 2001 - IPv6$B$@$1(B - phase1 pre-shared-key, 3des, sha1, dh2 - phase2 esp transport, 3des, sha1, pfs2 - $B:G=i$N(B1$B2s$OLdBj$J$7!#(B - phase2 
SA$B$r>C$7$F:F%M%4$9$k$H(Bisakmpd$B$,$@$s$^$j$K$J$k!#(B - ibm isakmpd $B$KLdBj$"$k$C$]$$!#(B - - san diego$B$G$d$C$?;~$O(B manual $B$@$C$?$+$J!)(B - $B$=$&$G$9(B(itojun) - - prasad$B7/$O%$%s%I$K5"$C$F$k$N$GMh$J$$!#(B - -F-Secure VPN+ 5.40 - Tue Aug 14 19:44:15 JST 2001 - IPv4, ESP, tunnel mode - phase 1 3DES + SHA1, group 5, lifetime = 10min - phase 2 AES + SHA1, group 5, lifetime = 2min - - IPv4, IPComp + ESP, transport mode - phase 1 3DES + SHA1, group 5, lifetime = 10min - phase 2 AES + SHA1 + deflate, group 5, lifetime = 2min - - $B$I$A$i$bLdBj$J$7!"(Brekey$B$b(BOK$B!#(B - - IPComp + ESP tunnel mode (IP ESP IPComp IP payload)$B$r$d$m$&$H$7$F(B - ipcomp/tunnel//use esp/transport//use$B$H%]%j%7$r=q$$$?$i!"(B - IKE phase 2$BE*$K(B - $B8~$3$&(B: IPComp tunnel, ESP tunnel - $B$3$C$A(B: IPComp tunnel, ESP transport - $B$N(Bproposal$B$rHf3S$7$F!"(Bno proposal chosen$B$K$J$k!#$3$C$A$NLdBj(B - (bundle$B$N f-secure$B$O(BsubjectAltName$B$r(B1$B$D$7$+ZL@=q$r:n$jD>$7$F@.8y!#(B - - DH$B8x3+>pJs$O;vA0$K7W;;$7$H$/J}$,$$$$$+$b(B - -SecGo CryptoIP v3 - Tue Aug 14 21:41:36 JST 2001 - IPv4, ESP, transport mode - phase 1 3DES + SHA1, group 5, lifetime = 10min - phase 2 blowfish, group 5, lifetime = 2min - - phase 2 AES$B$b;n$=$&$H$7$?$,<:GT(B(SecGo$BB&$,(B12$B0J30$N(Balgorithm #$B$r(B - $B;H$C$F$$$?(B or $B%3%s%Q%$%k$7$F$J$+$C$?(B)$B!#(Brekey$B$b$d$C$F$_$?!#(B - - phase 1 AES$B$b$G$-$k$i$7$$(B(SSH toolkit$B;HMQ(B)$B!#(B - - Wed Aug 15 00:16:35 JST 2001 - IPv4, ESP, transport mode - phase 1 3DES + SHA1, lifetime = 10min - phase 2 AES, lifetime = 2min - - tested rekey as well. 
- -Oullim information technologies SECUREWORKS VPN gateway 3.0 - Tue Aug 14 21:48:36 JST 2001 - phase 2 AES/blowfish$B$O$I$&$@$M$H%J%s%Q$7$F$_$k$b!"(Bnot ready$B!#(B - $BL@F|$+L@8eF|$M$H$N$3$H!#(B - - Wed Aug 15 17:15:09 JST 2001 - IPv4, ESP, tunnel mode - phase 1 3DES + SHA1, group 2, lifetime = 10min - phase 2 AES + SHA1, group 2, lifetime = 2min - - $B<:GT!#@hJ}$,(BAES$B$N$H$-$K(BESP ICV check$B$K<:GT$9$k!#(B - - IPv4, ESP, tunnel mode - phase 1 3DES + SHA1, group 2, lifetime = 10min - phase 2 AES + MD5, group 2, lifetime = 2min - - $B$*$J$8$/<:GT(B - - IPv4, ESP, tunnel mode - phase 1 3DES + SHA1, group 2, lifetime = 10min - phase 2 3DES + MD5, group 2, lifetime = 2min - - $B@.8y!#(B - - $B@hJ}$,$3$&$$$&$NEj$2$F$/$k$N$G!"$3$C$A$OE\$k(B(id payload$B$N=g=x$,(B - $BIaDL$G$O$J$$(B)$B!#(B - ->11:59.824877 130.233.10.30:500 -> 130.233.9.166:500: isakmp 1.0 msgid 75973360: phase 2/others ? oakley-quick: -> (hash: len=20) -> (sa: doi=ipsec situation=identity -> (p: #1 protoid=ipsec-esp transform=1 spi=6fd60ca5 -> (t: #1 id=3des (type=lifetype value=sec)(type=life value=0078)(type=enc mode value=tunnel)(type=auth value=hmac-md5)(type=group desc value=modp1024)))) -> (nonce: n len=16) -> (ke: key len=128) -> (id: idtype=IPv4 protoid=0 port=0 len=4 130.233.9.166) -> (id: idtype=IPv4net protoid=0 port=0 len=8 192.168.10.0/255.255.255.0) - - Wed Aug 15 18:39:11 JST 2001 - IPv4, ESP, tunnel mode - phase 1 3DES + SHA1, group 2, lifetime = 10min - phase 2 AES, group 2, lifetime = 2min - - IKE$BE*$K$OBg>fIW!#(BIPsec$BE*$K$^$@BLL\!#(B - - Wed Aug 15 19:09:05 JST 2001 - IPv4, ESP, tunnel mode - phase 1 3DES + SHA1, group 2, lifetime = 10min - phase 2 AES, group 2, lifetime = 2min - - IPv4, ESP, tunnel mode - phase 1 3DES + SHA1, group 2, lifetime = 10min - phase 2 AES + SHA1, group 2, lifetime = 2min - - $B8~$3$&$,(BAES code$B$r=$@5$7$?!#(BIKE$BE*$K$b(BIPsec$BE*$K$bBg>fIW!#(B - rekey$B$b0l1~@.8y(B($B8~$3$&$O(Breal lifetime == soft, real * 1.2 == hard$B$H$+$K(B - 
$B@_Dj$7$F$$$k$N$G$A$g$C$H%X%s$@$C$?$1$I(B)$B!#(B - - Thu Aug 16 22:01:57 JST 2001 - $B$b$&$$$A$I!#$"$H$O(BID payload$B$N=g=x$@$1!#(B - - Fri Aug 17 02:00 JST$B:"(B - $B:FD)@o!#@.8y!#(B - - -Trilogy AdmitOne 2.6 - Tue Aug 14 21:58:01 JST 2001 - 30$BJ,8e$H8@$o$l$?!#(B - - Wed Aug 15 01:53:42 JST 2001 - $BL@F|!#(B - - Wed Aug 15 16:09:50 JST 2001 - IPv4, ESP, transport mode - phase 1 3DES + SHA1, group 1, lifetime = 10min - phase 2 AES + SHA1, group 1, lifetime = 2min - - Trilogy$BB&$O(BIKE phase 2$B$N(Bkey length$B$,(Bbyte$BC10L$@$H;W$C$F$$$k$i$7$/(B - negotiation$B<:GT!#=$@58e:FD)@o!#(B - - Wed Aug 15 17:40:05 JST 2001 - IPv4, ESP, transport mode - phase 1 3DES + SHA1, group 1, lifetime = 10min - phase 2 AES + SHA1, group 1, lifetime = 2min - - $B:FD)@o!#$3$A$i$,(Binitiator$B$N$H$-$O$&$^$/$$$/!#$"$A$i$,(Binitiator$B$N(B - $B>l9g!"(Bid payload$B$K(Bproto=icmp$B$,Kd$^$C$F$*$j!"$3$A$i$N(Bkernel policy - proto=any$B$K(Bmatch$B$;$:(Bno policy found$B$K$J$k!#MW=$@5!#(B - ->spdadd 130.233.9.166 130.233.10.167 any -P out ipsec esp/transport//use; ->spdadd 130.233.10.167 130.233.9.166 any -P in ipsec esp/transport//use; - ->35:45.215745 130.233.10.167:500 -> 130.233.9.166:500: isakmp 1.0 msgid dba05304: phase 2/others ? 
oakley-quick: -> (hash: len=20) -> (sa: doi=ipsec situation=identity -> (p: #1 protoid=ipsec-esp transform=1 spi=dba05304 -> (t: #1 id=aes (type=lifetype value=sec)(type=life value=7080)(type=lifetype value=kb)(type=life value=2000)(type= ->group desc value=modp768)(type=enc mode value=transport)(type=auth value=hmac-sha1)(type=keylen value=0080)))) -> (nonce: n len=64) -> (ke: key len=96) -> (id: idtype=IPv4 protoid=icmp port=0 len=4 130.233.10.167) -> (id: idtype=IPv4 protoid=icmp port=0 len=4 130.233.9.166) - ->2001-08-15 17:35:45: DEBUG: isakmp_quick.c:1951:get_proposal_r(): get a src address from ID payload 130.233.10.167[0] prefixlen=32 ul_proto=1 ->2001-08-15 17:35:45: DEBUG: isakmp_quick.c:1956:get_proposal_r(): get dst address from ID payload 130.233.9.166[0] prefixlen=32 ul_proto=1 ->2001-08-15 17:35:45: DEBUG: policy.c:245:cmpspidxwild(): sub:0xbfbfd350: 130.233.10.167/32[0] 130.233.9.166/32[0] proto=icmp dir=in ->2001-08-15 17:35:45: DEBUG: policy.c:246:cmpspidxwild(): db: 0x80ca408: 130.233.10.167/32[0] 130.233.9.166/32[0] proto=any dir=in ->2001-08-15 17:35:45: DEBUG: policy.c:245:cmpspidxwild(): sub:0xbfbfd350: 130.233.10.167/32[0] 130.233.9.166/32[0] proto=icmp dir=in ->2001-08-15 17:35:45: DEBUG: policy.c:246:cmpspidxwild(): db: 0x80ca808: 130.233.9.166/32[0] 130.233.10.167/32[0] proto=any dir=out ->2001-08-15 17:35:45: ERROR: isakmp_quick.c:1979:get_proposal_r(): no policy found: 130.233.10.167/32[0] 130.233.9.166/32[0] proto=icmp dir=in - - -ZyXEL - Tue Aug 14 12:00 ESST 2001 - phase1 main mode, pre-shared key, des, sha1, dh1 - phase2 esp, des, sha1, tunnel - - $BLdBj$J$7!#(Bproposal$B$O(B1$B$D$@$1e;J$K(BKAME$B$H%F%9%H$7$F$3$$$H8@$o$l$?$i$7$$!#(B - - -WindowsXP - Tue Aug 14 20:00 - phase1 main mode, pre-shared key, 3des, sha1, modp3072 - phase2 esp, 3des, sha1, transport - - modp3072$B$d$m$&$h$H%J%s%Q$5$l$k!#(B - dh$B$N7W;;(B: fbsd43 P100MHz$B$GLs(B7(s) - XP P2 200MHz$B$GLs(B9(s) - - $BL@F|M$7$F$b$i$C$?$H8@$C$F$k$,!"(B - 
$Bu673NG'$7$F$b$i$C$F8e$+$i:F@o$9$kM=Dj!#(B - -isakmpd (jakob@openbsd) - Tue Aug 14 - IPv4, ESP, transport mode - phase 1 3DES + SHA1, group 2, lifetime = 10min - phase 2 AES + SHA1, group 2, lifetime = 2min - - $BLdBj$J$7!#(B - - Wed Aug 15 21:25:49 JST 2001 - IPv6, ESP, tunnel mode - phase 1 3DES + SHA1, group 2, lifetime = 10min - phase 2 AES + SHA1, group 2, lifetime = 2min - - $B8~$3$&$O(Bmain mode$B$G(BFQDN$B$r(BID$B$K;H$$$?$,$C$?$,!"$3$&$$$&%(%i!<$GE\$i$l$k!#(B - sakane$B$O$3$l$O(Bwg$B$G$N9g0U$H;W$C$F$$$k$,!"MW3NG'!#(B -2001-08-15 21:14:41: ERROR: ipsec_doi.c:3063:ipsecdoi_checkid1(): Expecting IP address type in main mode, but FQDN. - - Fri Aug 17 10:00 - rsa signature. - $BLdBj$J$7!#(B - - isakmpd$B$O(B subjectAltName$B$r(B1$B$D$7$+$Ne$,$C$FMh$J$$!#(B - - 500 proposal$B$rEj$2$F$/$k!#(Bproposal#$B$O(B1byte$B$J$N$GCF$/$Y$-!#(B - racoon$B$O:G=i$KA4It%Q!<%9$7$F$k$_$?$$!#(B - - RSA signature mode - ssh$BB&$K(Bpublic key$B7W;;$KLdBj$"$C$?!#D>$7$F(BOK - ssh$B$O(Bssh-test-ca1$B$,%5%$%s$7$?>ZL@=q$r;H$$!"(B - racoon$B$O(Bfujixerox$B$,%5%$%s$7$?>ZL@=q$G$b(BOK - - AES phase1 $B$,$&$^$/$$$+$J$$!#4V0c$$$J$/(Bracoon$B$NLdBj!#(B($BD>$7$FF0:n3NG':Q(B) - - phase1 proposal$B$N%Q!<%9$KCn$,$$$k$+$b!#MW3NG'(B - -freeswan - IPv4, IPComp + ESP, transport mode - phase 1 3DES + SHA1, group 5, lifetime = 10min - phase 2 3DES + SHA1 + deflate, group 5, lifetime = 2min - - IPComp$B$K$OLdBj$J$7!#(B - - $B@hJ}$,(Binitiate$B$7$F$-$?$H$-$KLdBj$"$j!#(Bphase 2$B$G!"(Bipcomp enc mode$B$,(B - $BL5;XDj$N>l9g!"(Bipcomp$B$N>l9g$@$1$O(Btransport$B$H;W$o$J$1$l$P$J$i$J$$!#(B - $B$,!"(Bracoon$B$O8=>u$3$l$r(BRFC2407$BE*$K(B(Any$B$H$7$F(B)$B Encapsulation Mode -> RESERVED 0 -> Tunnel 1 -> Transport 2 -> -> Values 3-61439 are reserved to IANA. Values 61440-65535 are -> for private use. -> -> If unspecified, the default value shall be assumed to be -> unspecified (host-dependent). 
- -draft-shacham-ippcp-rfc2393bis-08.txt -> Encapsulation Mode -> -> To propose a non-default Encapsulation Mode (such as Tunnel -> Mode), an IPComp proposal MUST include an Encapsulation Mode -> attribute. If the Encapsulation Mode is unspecified, the -> default value of Transport Mode is assumed. - ->42:28.211568 130.233.9.175:500 -> 130.233.9.166:500: isakmp 1.0 msgid 6935cbd8: phase 2/others ? oakley-quick: -> (hash: len=20) -> (sa: doi=ipsec situation=identity -> (p: #0 protoid=ipsec-esp transform=2 spi=3a47a3e7 -> (t: #0 id=3des (type=group desc value=0005)(type=enc mode value=transport)(type=lifetype value=sec)(type=life value=7080)(type=auth value=hmac-md5)) -> (t: #1 id=3des (type=group desc value=0005)(type=enc mode value=transport)(type=lifetype value=sec)(type=life value=7080)(type=auth value=hmac-sha1))) -> (p: #0 protoid=ipcomp transform=1 spi=ac23 -> (t: #0 id=deflate (type=lifetype value=sec)(type=life value=7080)))) -> (nonce: n len=16) -> (ke: key len=192) - ->2001-08-15 16:42:28: DEBUG: ipsec_doi.c:1024:get_ph2approvalx(): peer's single bundle: ->2001-08-15 16:42:28: DEBUG: proposal.c:814:printsaproto(): (proto_id=ESP spisize=4 spi=3a47a3e7 spi_p=00000000 encmode=Transport reqid=0:0) ->2001-08-15 16:42:28: DEBUG: proposal.c:848:printsatrns(): (trns_id=3DES encklen=0 authtype=1) ->2001-08-15 16:42:28: DEBUG: proposal.c:848:printsatrns(): (trns_id=3DES encklen=0 authtype=2) ->2001-08-15 16:42:28: DEBUG: proposal.c:814:printsaproto(): (proto_id=IPCOMP spisize=2 spi=0000ac23 spi_p=00000000 encmode=Any reqid=0:0) ->2001-08-15 16:42:28: DEBUG: proposal.c:855:printsatrns(): (trns_id=DEFLATE) ->2001-08-15 16:42:28: DEBUG: ipsec_doi.c:1027:get_ph2approvalx(): my single bundle: ->2001-08-15 16:42:28: DEBUG: proposal.c:814:printsaproto(): (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0) ->2001-08-15 16:42:28: DEBUG: proposal.c:848:printsatrns(): (trns_id=3DES encklen=0 authtype=2) ->2001-08-15 16:42:28: DEBUG: 
proposal.c:814:printsaproto(): (proto_id=IPCOMP spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0) ->2001-08-15 16:42:28: DEBUG: proposal.c:855:printsatrns(): (trns_id=DEFLATE) ->2001-08-15 16:42:28: ERROR: proposal.c:497:cmpsatrns(): authtype mismatched: my:1 peer:2 ->2001-08-15 16:42:28: ERROR: proposal.c:365:cmpsaprop_alloc(): IPComp SPI size promoted from 16bit to 32bit ->2001-08-15 16:42:28: ERROR: proposal.c:378:cmpsaprop_alloc(): encmode mismatched: my:2 peer:0 <----- - - Thu Aug 16 16:49:08 JST 2001 - IPv4, IPComp + ESP, transport mode - phase 1 3DES + SHA1, group 5, lifetime = 10min - phase 2 3DES + SHA1 + deflate, group 5, lifetime = 2min - $B:FD)@o!#=$@5$G$-$?$3$H$r3NG'!#(B - - -netopia - Wed Aug 15 19:00 JST$B:"(B - IPv6, ESP, transport mode - phase 1 3DES + SHA1, group 2, lifetime = 24h - phase 2 3DES + SHA1, group 2, lifetime = 1h - - KAME$B%Y!<%9l9g(B)$B!#(B - - IPv6, ESP, transport mode - phase 1 3DES + SHA1, group 2, lifetime = 24h - phase 2 3DES + SHA1, group 2, lifetime = 1h - - $B<:GT!#(Bericsson$BB&!"(BND$B$,$*$+$7$$!#(B - - -Nokia EPOC - Wed Aug 15 20:51:25 JST 2001 - IPv6, ESP, tunnel mode - phase 1 3DES + SHA1, group 2, lifetime = 3600min - phase 2 3DES + SHA1 + deflate, group 2, lifetime = 2min - - IPsec key$B$bF~$k$,!"@hJ}$N%]%j%7LdBj$G(Bping$B$OJV$i$J$$!#(B - -Trustworks TrustedClient v3.2 - Thu Aug 16 20:17:51 JST 2001 - IPv6, AH + ESP, transport mode - phase 1 3DES + SHA1, group 5, lifetime = 3min - phase 2 3DES + SHA1, group 5, lifetime = 2min - - $B@hJ}$,(Bresponder$B$N$H$-!"808r49$,=*N;$7$?=V4V@hJ}$N(BIKE daemon$B$,(Bpanic$B!#(B - $B$^$"808r49<+BN$O$G$-$F$$$k$h$&$@!#(B - - -Nortel GatewayController/CallServer 2000 (not released yet) - Fri Aug 17 00:16:23 JST 2001 - IPv4, ESP, transport mode - phase 1 3DES + SHA1, group 5, lifetime = 3min - phase 2 AES + SHA1, group 5, lifetime = 2min - - Nortel$BB&(Binitiator: round=10$B$H$$$&(Battribute$B$r$D$1$F$/$k$N$G(Bno proposal - chosen - KAME$BB&(Binitiator: id 
payload$BH4$-(B(ip address$B;H$((B)$B$@$H(BNortel$BB&$O(B - $B$X$/$k$N$GBLL\(B - - IPv4, ESP, transport mode - phase 1 3DES + SHA1, group 5, lifetime = 3min - phase 2 3DES + SHA1, group 5, lifetime = 2min - - Nortel$BB&(Binitiator: ok - KAME$BB&(Binitiator: id payload$BH4$-$@$H(BNortel$BB&$O$X$/$k$N$GBLL\(B diff --git a/kame/kame/racoon/doc/ibm-result.jp b/kame/kame/racoon/doc/ibm-result.jp deleted file mode 100644 index 1eb962f7ca..0000000000 --- a/kame/kame/racoon/doc/ibm-result.jp +++ /dev/null 
@@ -1,273 +0,0 @@ -Mon Oct 26 1998 - Fri Oct 30 1998 - -vs SSH http://isakmp-test.ssh.fi/ - $B$A$c$s$H%/%j%C%/$7$F@_Dj$9$l$PF0$/!#$9$2JXMx!#(B - - SSH -> KAME - phase 1: DES+MD5 - phase 2: DES+MD5 - $B:G8e$^$G$-$A$s$H$$$1$k!#(B - - phase 1: 3DES+MD5 (final cipher key$B@8@.$G(BSEGV$B$7$F$$$?$,=$@5:Q$_(B) - phase 2: DES+MD5 - quick mode3$BH/L\(B(SSH -> KAME)$B$,(BKAME$BB&$G$[$I$1$J$$!#(B - $B$I$&$d$i!"(Bisakmp-test.ssh.fi$B$KF~$C$F$k SSH - phase 1: DES+MD5 - phase 1: 3DES+MD5 (final cipher key$B@8@.$G(BSEGV$B$7$F$$$?$,=$@5:Q$_(B) - - phase 2$B$O(BPFS$B$7$J$$$H7y$o$l$k!#%/%j%C%/$N$7$+$?$,B-$j$J$$(B? - -vs NIST linux IPsec + plutoplus - NIST -> KAME - phase 2: ESP DES+hmac-MD5$B$G!"(BKEYMAT$B$N $B=$@5:Q$_(B - phase 2: initiator$B$,!V(BPFS$B$7$J$/$F$$$$!W$H8@$C$F$k$N$K(B - KE payload$B$r$D$1$F$$$?(B -> $B=$@5:Q$_(B - $B$&$^$/$$$C$?!#(BESP DES+hmac-MD5 - KAME -> NIST - NIST$B$O(Bproposal$B$rJ#?tEj$2$k$HF0$+$J$$!#=$@5Cf$i$7$$!#(B - PFS$B4X78$NLdBj$OBP(BRedCreek$B$G=$@5:Q$_!#(B - $B$&$^$/$$$C$?!#(BESP 3DES+hmac-SHA1 - -vs Checkpoint - tunnel mode$B$N$_!"F;>lGK$j$G$-$:(B - -vs RedCreek - KAME$B$O80$N(Brenew$B$,$G$-$J$$!#(B - RedCreek$B$O(BIPsec+fragment$B$G(Bping$B$7$F$bJV;v$7$J$$!#@hJ}$O(Brouter$BLr$G!"(B - $B$I$&$b(Btunnel$B$N1|9T$-$N(Bfragment$B$O$A$c$s$H=hM}$9$k$,!"<+J,08$N(B - fragment$B$O=hM}$7$F$/$l$J$$$h$&$@!#(B - RedCreek$B$O(Bphase 1$B$N(BDH group$B$H!"(Bphase 2$B$N(BPFS DH group$B$,F1$8$H;W$C$F$k!#(B - - RedCreek -> KAME - ok - KAME -> RedCreek - phase 2$B$G(BKAME -> RC$B$N(Bquick mode1$BH/L\$rEj$2$?$H$3$m$G$X$/$k!#(B - PFS$B$7$h$&$H8@$C$F$$$k$N$K(BKE payload$B$H$+(BDH group$B$r$D$1$F$$$J$$!#(B - -> $B$3$l$+$iD>$7(B - - $B?eMK8a8e!"D>$7$?!#$A$c$s$HF0$$$?!#(B - -vs Secure Computing - KAME -> Secure Computing - $B$5$C$/$j(Bok$B!#(B - phase1 DES+MD5 - phase2 ESP DES+hmac-md5 - - Secure Computing -> KAME - phase1 DES+SHA1 - phase2 ESP DES+hmac-md5 - ok - phase1 3DES+SHA1 - $B%@%a!#B?J,(BSecure Computing$B$N(B3DES$B$,%P%0$C$F$k!#(B - (KAME vs SSH$B$N<+F01?E>$O(Bok) - 
$B$"$C$A$N(Bparity bit(2^0)$B$,2x$7$$(B? - $BMbF|(B($BLZMK(B)$B$d$j$J$*$7$?$i$G$-$?!#$J$s$@(B? - - phase1$B$N(Bproposal$B$NJV$7J}$r%(%s%P%0$7$F$?$N$GD>$7$^$7$?!#(B - -vs FreeS/WAN - KAME -> S/WAN OK - phase1 DES+MD5 - phase2 ESP DES+none - Phase 1 $B$G$OBt;3(Bproposal$B$rEj$2$D$1$F$O%@%a!#(B-> ibm.conf $B$r=$@5!#(B - pluto $B$N(B life duration $B$N2r KAME N/A - transport mode $B$G(B initiate $B$G$-$J$$!#(B - racoon $B$O(B tunnel mode $B$N80$rFM$C9~$a$J$$!#(B - -vs Netscreen - Netscreen -> KAME OK - phase1 DES+SHA1 - phase2 ESP DES+none - KAME -> Netscreen NG - phase 2 $B$G(B netscreen $B$K(B mulformed payload $BJV$5$l$k!#(B - -> netscreen $BD4$YCf!#(B - $B$J$s$H$J$/(B multi transform $B$KBP1~$7$F$$$J$$MM;R!#(B - -vs Data Fellows (F-Secure$B:n$C$F$$$k$H$3(B) - KAME -> Data Fellows OK - phase1 DES+MD5 - phase2 ESP DES+HMAC-MD5 - proposal number $B$O(B 1,2,3,..$B$H8@$&$N$G(B ibm.conf $B$GF($2$k!#(B - $B$?$^$K(B ESP Authentication failed $B$,=P$k!#ITL@!#(B - Data Fellow -> KAME OK - phase1 $B$N(B 3DES $B$r;H$C$?$i(B1$B2s$@$1<:GT$7$?!#:F8=$;$:!#(B - parity bit $BLdBj!)(B - phase2 $B$N(B HASH(2) $B$K<:GT$9$k!#(B - IDii,IDir$B$rIU$1$k=hM}$r$$$$2C8:$K$7$F$?!#(B-> $B=$@5(B - -vs Routerware - phase 1$B$N(BDH group$B$H!"(Bphase 2$B$N(BPFS DH group$B$,F1$8$H2>Dj$7$F$$$k$h$&$@!#(B - - KAME -> Routerware - phase 1(DES+MD5)$B!":G=i$N0E9f2=$5$l$?%Q%1%C%H(B(3$B1}I|L\$N9T$-(B)$B$r(B - Routerware$B$,$[$I$1$J$$!#8~$3$&$O(Blog$B$,A4A3$G$J$$(B... 
- $B$K$$$A$c$s$OHS$K$$$/$H9T$C$F5"$C$F$7$^$C$?!#L@F|:F;n9g!#(B - - $B7k6I$d$l$J$$$^$^5"$C$F$7$^$C$?!#$7$/$7$/!#(B - -vs Shiva - tunnel mode$B$N$_(B - -vs Intel (only IKE) - KAME -> Intel OK - phase1 DES MD5 - phase2 AH SHA1 - - Intel $B$G(B acceptable $B$J$N$K(B no supported payload $B$,=P$F$?!#(B - $B$=$N(B Informational Exchange $B$N(B decode $B$K(B racoon $B$,<:GT!#(B - -> Informational $B$N(B IV $B$O(B phase1 $B$+$iD>$G:n$k!#(B - -> Intel $B$O5/0x(Bexchange$B$N(B M-ID $B$HF1$8(BM-ID$B$r;H$C$F$$$k!#(B - Intel -> KAME OK - phase1 DES MD5 - phase2 AH SHA1 - -vs Microsoft WinNT(Win2000 :-P) - DELETE payload$B$,Mh$?$1$I=hM}$K<:GT!#$7$?$,(B - $B%F%9%H$7$F$$$J$$!#(B - - Microsoft -> KAME - phase 1: DES+MD5 - phase 2: ESP(DES+MD5) - - phase 2$B$"$?$^$N(BID payload$B$N=hM}$KLdBj$,$"$C$?$N$GD>$7$?$i(B - $B$A$c$s$HF0$$$?!#(B - - KAME -> Microsoft - phase 1: DES+MD5 - phase 2: ESP(DES+MD5) - - phase 2$B$N:G8e$,40N;$7$J$$!#M}M3$O!"(Bcommit bit$B$D$-$N%Q%1%C%H$r(B - $B IBM - phase 1 3DES+MD5 - phase 2 AH(hmac-SHA1) - - encryption mode attribute$B$r$D$1K:$l$?!#(Bconfig file$B$K(B - $B=q$$$?$iDL$C$?!#(B - - IBM -> KAME - phase 1 3DES+MD5 - phase 2 AH(hmac-SHA1) - - $B$5$C$/$j(Bok - -vs KAME - phase 1: 3DES+MD5 - phase 2: AH(hmac-SHA1) + ESP(DES+hmac-MD5) - - NOTE: phase 2$B$K$D$$$F$O8DJL$K%M%4!#(B - ping -f$B!"(Btelnet chargen$B$H$b$P$C$A$7!#(B - $B$?$^!<$K(B - - ah checksum error - - $B=i4|2=IT==J,$J(BSA$B$,(B{esp,ah}_output$B$KEO$k(B("no replay field") - $B$,5/$-$k!#$J$<$@!#(B - - 2054652 inbound processes succeeded - 0 inbound process's security policy violation - 214 inbound SA is unavailable - 0 inbound processing failed due to EINVAL - 0 failed getting a SPI - 0 inbound packets failed on AH replay check - 0 inbound packets failed on ESP replay check - 1027563 inbound AH packets considered authentic - 3 inbound AH packets failed on authentication - 1027036 inbound ESP packets considered authentic - 0 inbound ESP packets failed on authentication - AH input histogram: - 
hmac SHA1: 1027566 - ESP input histogram: - DES CBC: 1027089 - 1929501 succeeded outbound process - 0 outbound process's security policy violation - 13956 outbound SA is unavailable - 17 outbound processes failed due to EINVAL - 0 packets without route - AH output histogram: - hmac SHA1: 964909 - ESP output histogram: - DES CBC: 964592 - -manual keying -============= -vs NIST - RC5-cbc: $B$P$C$A$j(B - -vs SSH - CAST128-cbc: $B$@$a(B - SSLeay$B$N!V80D9$,C;$$$H$-$N(Bround$B?tLdBj(B?$B!W$N$?$a$+(B? - mail$B$GLd$$9g$o$;Cf(B(11/1) - - KAME$B$N(Bsys/crypto$B$K%P%0$"$j!#=$@5:Q$_!#(B - -vs Ericsson ACC (mobile-ip$B$7$F$k$R$H$H$N4X78$OITL@(B) - (manual keying$B!"(BAH tunnel) - Ericcson$B $B$3$N$;$$$+!"$A$g$C$H(Bfragment$B$7$9$.$N%1$"$j(B - $B;vB&$H$C$?$N$rE:IU!#(B - ---- on kame host -03:40:30.840690 0:0:86:5:80:da 0:10:4b:a2:8b:aa 0800 74: 10.161.149.1.1167 > 10.161.184.1.19: S 1110010782:1110010782(0) win 8192 (DF) [tos 0x10] (ttl 64, id 259) -03:40:30.843568 0:10:4b:a2:8b:aa 0:0:86:5:80:da 0800 60: 10.161.184.1.19 > 10.161.149.1.1167: S 3191535599:3191535599(0) ack 1110010783 win 32736 (ttl 62, id 61263) - ~~~~ -03:40:30.843925 0:0:86:5:80:da 0:10:4b:a2:8b:aa 0800 60: 10.161.149.1.1167 > 10.161.184.1.19: . 
ack 1 win 9548 (DF) [tos 0x10] (ttl 64, id 260) -03:40:30.848227 0:10:4b:a2:8b:aa 0:0:86:5:80:da 0800 128: 10.161.184.1.19 > 10.161.149.1.1167: P 1:75(74) ack 1 win 32736 (DF) [tos 0x10] (ttl 62, id 61264) -03:40:30.857492 0:10:4b:a2:8b:aa 0:0:86:5:80:da 0800 1418: 10.161.184.1.19 > 10.161.149.1.1167: P 75:1439(1364) ack 1 win 32736 (DF) [tos 0x10] (ttl 62, id 61265) - ---- on freeswan host -tcpdump: listening on eth0 -12:18:47.780450 0:0:e8:2a:26:93 0:e0:98:0:16:c0 0800 74: 10.161.149.1.1184 > 10.161.184.1.19: S 1540282774:1540282774(0) win 8192 (DF) [tos 0x10] -12:18:47.780450 0:e0:98:0:16:c0 0:0:e8:2a:26:93 0800 58: 10.161.184.1.19 > 10.161.149.1.1184: S 400137676:400137676(0) ack 1540282775 win 32736 -12:18:47.790450 0:0:e8:2a:26:93 0:e0:98:0:16:c0 0800 60: 10.161.149.1.1184 > 10.161.184.1.19: . ack 1 win 9548 (DF) [tos 0x10] -12:18:47.790450 0:e0:98:0:16:c0 0:0:e8:2a:26:93 0800 128: 10.161.184.1.19 > 10.161.149.1.1184: P 1:75(74) ack 1 win 32736 (DF) [tos 0x10] -12:18:47.790450 0:e0:98:0:16:c0 0:0:e8:2a:26:93 0800 1418: 10.161.184.1.19 > 10.161.149.1.1184: P 75:1439(1364) ack 1 win 32736 (DF) [tos 0x10] -12:18:47.940450 0:0:e8:2a:26:93 0:e0:98:0:16:c0 0800 60: 10.161.149.1.1184 > 10.161.184.1.19: . 
ack 1439 win 9548 (DF) [tos 0x10] -12:18:47.940450 0:e0:98:0:16:c0 0:0:e8:2a:26:93 0800 1418: 10.161.184.1.19 > 10.161.149.1.1184: P 1439:2803(1364) ack 1 win 32736 [tos 0x10] -12:18:47.940450 0:e0:98:0:16:c0 0:0:e8:2a:26:93 0800 1418: 10.161.184.1.19 > 10.161.149.1.1184: P 2803:4167(1364) ack 1 win 32736 [tos 0x10] -12:18:47.940450 0:e0:98:0:16:c0 0:0:e8:2a:26:93 0800 1418: 10.161.184.1.19 > 10.161.149.1.1184: P 4167:5531(1364) ack 1 win 32736 [tos 0x10] - - - AH tunnel(hmac-MD5) freeswan router <-> kame router$B4V(B - host-host$B$N(Bping -f$B$b$A$c$s$HF0$/!#(B - - AH tunnel(hmac-SHA1) - $B$@$a$@$a!#(Bfreeswan$B$N%P%0!"$^$?$O80@_Dj<:GT!#(B - - ESP tunnel(DES+hmac-MD5): - kame router$B$N%P%0(B(snap-users$B;2>H(B)$B$N$;$$$G:G=iF0$+$J$+$C$?$,!"(B - $BD>$7$?!#$P$C$A$jF0$$$?!#(B - ping -f$B$N(Bpacket loss$BN((B25% - freeswan router$B$,$?$C$W$j(Blog$B$r$H$C$F$k$;$$(B? - - AH transport(hmac-MD5) freeswan router <-> kame router$B4V(B - $B;n$7$?!#F0$$$?!#(B - - freeswan$B$G$O!"APJ}8~$N80$O$*$J$8$H2>Dj$7$F$$$k(B($B$$$?(B)$B$i$7$$!#(B - $B:G6aD>$7$?$i$7$$$N$G!"=y!9$K$G$-$k$h$&$K$J$C$F$$$kLOMM!#(B - diff --git a/kame/kame/racoon/doc/pattern b/kame/kame/racoon/doc/pattern deleted file mode 100644 index 9548c6af1c..0000000000 --- a/kame/kame/racoon/doc/pattern +++ /dev/null 
@@ -1,167 +0,0 @@ -IPsec transport mode - - HOST-A ================ HOST-B - (A) (B) - - IKE negotiation: A <--> B - phase 1 ID payloads: - SA addresses: A <--> B - outgoing packet: IP(A->B) - phase 2 ID payloads: none, or - - HOST-A's policy: - spdadd A B any -P out ipsec ah/transport//require; - spdadd B A any -P in ipsec ah/transport//require; - - HOST-B's policy: - spdadd B A any -P out ipsec ah/transport//require; - spdadd A B any -P in ipsec ah/transport//require; - - both racoon.conf: - no particular twists - -IPsec tunnel mode - - HOST-A --- Gateway-A =========== Gateway-B --- HOST-B - (A) (GA) (GB) (B) - - IKE negotiation: GA <--> GB - phase 2 ID payloads: - IDs should reflect GA and GB's authenticity. - SA addresses: GA <--> GB - outgoing packet: IP(GA->GB) - phase 2 ID payloads: A, B - - Gateway-A's policy: - spdadd A B any -P out ipsec esp/tunnel/GA-GB/require; - spdadd B A any -P in ipsec esp/tunnel/GB-GA/require; - - Gateway-B's policy: - spdadd B A any -P out ipsec esp/tunnel/GB-GA/require; - spdadd A B any -P in ipsec esp/tunnel/GA-GB/require; - - both racoon.conf: - no particular twists - -MIP6 - - MN ================ CN - (HA/COA) (CNA) - - IKE negotiation: COA <--> CNA - * MN always initiate IKE session probably. - phase 1 ID payloads: - SA addresses: HA <--> CNA - outgoing packet: IP(COA->CNA) | HAoption(HA) - phase 2 ID payloads: - - MN's policy: - spdadd HA CNA any -P out ipsec ah/transport//require; - spdadd CNA HA any -P in ipsec ah/transport//require; - - MN's racoon.conf: - remote CNA { support_mip6 on; } - - CN's policy: - spdadd CNA HA any -P out ipsec ah/transport//require; - spdadd HA CNA any -P in ipsec ah/transport//require; - - CN's racoon.conf: - support_mip6 on; - (generate_policy on;) - -o Anonymous client on IPsec transport mode - - HOST-A communicates with Server by using IPsec transport mode. 
- - HOST-A =========== Server - (A) (G) - - IKE negotiation: A <-> G - phase 1 ID payloads: anything,anything - SA addresses: A <--> S - phase 2 ID payloads: none - - S accepts network connections from network range net/pl (like - 1.0.0.0/8). - - HOST-A's policy: - spdadd A S any -P out ipsec esp/transport//require; - spdadd S A any -P in ipsec esp/transport//require; - - A's racoon.conf: - no particular twists - - Server's policy: - spdadd S net/pl any -P out ipsec esp/transport//require; - spdadd net/pl S any -P in ipsec esp/transport//require; - - Server's racoon.conf: - anonymous { passive on; } - - due to the absense of phase 2 ID, IPsec SA will be installed for - A <--> S, not for net/pl <--> S. - -o anonymous client allocated IP address dynamically and having a internal - address. - - HOST-A communicates with hosts on Network-B through Gateway - by using IPsec tunnel mode. - IP address of HOST-A is allocated dynamically. - - HOST-A =========== Gateway ----------- Network-B - (Ao/Ai) (G) (net-B) - - HOST-A has two IP address, Ao as outernal is dynamically allocated, - and Ai as internal can be routed to Network-B. - Gateway's address on A side is G. - main mode with pre-shared key can not be used. - - IKE negotiation: Ao <-> G - phase 1 ID payloads: anything,anything - SA addresses: Ao <--> G - phase 2 ID payloads: Ai/net-B - - policy configuration at HOST-A: - spdadd Ai net-B any -P out ipsec esp/tunnel/Ao-G/require; - spdadd net-B Ai any -P in ipsec esp/tunnel/G-Ao/require; - - racoon.conf at HOST-A: - no particular twists - - policy configuration at Gateway: - Nothing - - Server's racoon.conf: - anonymous { passive on; } - -o anonymous client allocated IP address dynamically. - - HOST-A communicates with hosts on Network-B through Gateway - by using IPsec tunnel mode, also using NAT. - IP address of HOST-A is allocated dynamically. 
- - HOST-A =========== Gateway ----------- Network-B - (A) (G) (net-B) - - HOST-A's IP address is dynamically allocated, - Gateway's address on A side is G. - main mode with pre-shared key can not be used. - - IKE negotiation: A <-> G - phase 1 ID payloads: anything,anything - SA addresses: A <--> G - phase 2 ID payloads: A/net-B - - policy configuration at HOST-A: - spdadd A net-B any -P out ipsec esp/tunnel/A-G/require; - spdadd net-B A any -P in ipsec esp/tunnel/G-A/require; - - racoon.conf at HOST-A: - no particular twists - - policy configuration at Gateway: - Nothing - - Server's racoon.conf: - anonymous { passive on; } diff --git a/kame/kame/racoon/doc/question b/kame/kame/racoon/doc/question deleted file mode 100644 index c435770e18..0000000000 --- a/kame/kame/racoon/doc/question +++ /dev/null 
@@ -1,577 +0,0 @@ -$KAME: question,v 1.28 2003/05/23 05:13:03 sakane Exp $ - -This was sent to Kivinen and Paul at 20-Sep-2000. - -Q: how may policy matters are. can we interoperate ? - -Q. If there is the phase 1 spi size excepting 16 and 0 in SA payload. - warn it. and reject or accept ? - -Q. ID payload handling in phase 2 besides IPSECDOI_ID_IP*. - e.g. IPSECDOI_ID_DER_ASN1_DN. Well, are these used in phase 2 ? - -Q. The padding for data attribute. - in particular, variable-length attribute like ID-userfqdn. - -Q. vendorid's hash algorithm - For aggressive mode ?. - In main mode, should I use negotiated algorithm ? -A. it's not needed any negotiation. - -Q. If we use different hash algorith to compute the value of the vendor id, - is it possible to be same result of the hash value ? - -Q. encryption during aggressive mode. - when i receive encrypted packet of 2nd message from responder, - it can be decoded. When i am responder, should i send encrypted one ? - -Q: phase2 PFS and KE payload - when the responder was not required PFS, if the initiator send KE ? - if the responder's pfs group is not match to the initiator's one ? - If initiator requests PFS, should we accept without acceptable check ? - reject the proposal and quit the phase 2. - accept it. - it's policy issue. - -Q. If tye type of ID payload is SUBNET, should it be allowed ::1/128 as host - address ? -A. yes. consensus at bake-off. - -Q. how many proposal can we send ? - 30? 300? infinite ? - -Q. Is there only one payload of RESPONDER-LIFETIME in a IKE message - even if SA bundle is required ? - At the moment, racoon sends this notify payload(s) against each protocol. - -Q. Which is SPI to be used initiator's or responder's when sending - RESPONDER-LIFETIME ? -A. At the moment, racoon sends responder's one. - -Q. Is it typo in the base mode draft ? - HDR, SA, Idii, Ni_b => - Ni ??? - <= HDR, SA, Idir, Nr_b - Nr ??? -A. Yes, typo. (network associates said.) - -Q. 
What's proto_id in notify message of the responder 2nd message with commit - bit processing when multiple different SA applyed ? - -Q. Is it forbidden to clear commit bit during phase2 negotiation ? -A. not forbidden, - -Q. how many time is the notify message sent in phase 2 ? -A. don't resend notify message because peer can use Acknowledged - Informational if peer requires the reply of the notify message. -Q. phase 1 is ? - -Q. What kind of policy configuration is desired? - policy.conf makes sense in certain situations only, such as: - - we are the initiator, and trying to enforce certain configuration. - - If we would like to talk with strangers (like IPsec-ready webserver, or - "IPsec with everyone" configuration), or need to move from place to place - (like IPsec-ready nomadic node), we need an ability to write "wildcard - policy entry" which matches situations/packets/whatever, and then install - non-wildcard policy entry into the kernel. - For example: - - policy.conf says 0.0.0.0/0 -> 0.0.0.0/0, protocol "any", type "use", - for "encrypt everything" configuration. - - phase 2 ID payload will be exchanged for real address we have, and the - peer has (a.b.c.d/32). This is not the same as "0.0.0.0/0" configured - onto policy entry. - - with the current code, policy.conf and phase 2 ID does not match, and - it will fail. - - If we are acting as responder, we will be making policy entry from phase 2 - IDs. Is it always okay to accept phase 2 IDs as is, into our kernel policy? - We'll need to have filtering rule, or mapping rules from phase 2 IDs to - kernel policy. - For example: - - we have 10.1.1.0/24 -> 10.1.2.0/24, protocol "any" in policy.conf. - - what happens if we get, as responder, 10.1.1.0/25 -> 10.1.2.0/25, - protocol "any"? should we accept it as is, or should we respect our - configuration? - if we respect our configuration, 10.1.1.128/25 -> 10.1.2.128/25 traffic - will be encrypted from our side, and end up being dropped by the peer. 
- - what happens if we get, as responder, 10.1.1.0/24 -> 10.1.2.0/24, - protocol "tcp"? should we accept it as is, or should we respect our - configuration? - if we respect our configuration, non-tcp traffic will be dropped on - the peer. - - -> the question is obsoleted by configuration language change. - -Q. What's msgid of informational exchange for error notify message during - phase2 ? Is it same as msgid of phase2 negotiation caused error ? - Or new msgid created ? If later case, spi must be conveyed. -A. new msgid should be used -Q. how can we deduce phase 2 from the notification? -A. see draft-ietf-ipsec-notifymsg-*.txt - -Q. I don't know the situation to initiate acknowledged informational. - -Q. How many certificate payload in a packet are sent ? - isakmp-test.ssh.fi send both CRL and CERT in a packet. -A. multiple CERT payload can be sent. Or use PKCS#7. - -Q. What should we do if nonce size is greater than size of RSA modulus - in authentication with public key encryption, also size of body of - ID payload ? - -Q. For IKE negotiation of IPComp, how should we encode CPI (2 byte) into SPI - field of proposal payload (for AH/ESP, normally 4 bytes)? - Options are as follows: - (1) put it as 4 byte value, set SPI size to 4 - 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - ! Next Payload ! RESERVED ! Payload Length ! - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - ! Proposal # !ProtID = ipcomp! SPI Size(4)!# of Transforms! - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - ! SPI = 0x0000XXXX ! - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - (2) put it as 2 byte value, set SPI size to 2. No padding must be made. - 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - ! Next Payload ! RESERVED ! Payload Length ! 
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - ! Proposal # !ProtID = ipcomp! SPI Size(2)!# of Transforms! - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - ! SPI = 0xXXXX ! ... transform ... - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - IRE did (1), IIRC. (Jan 2000) - - SSH does (2), and rejects (1). (Sep 2000) - - The following email suggests (2) for normal case, and allow (1) for backward - compatibility (responder case I bet). - To: ipsec@lists.tislabs.com - 
From: Joern Sierwald - Subject: Re: issues from the bakeoff - Date: Wed, 16 Jun 1999 11:02:16 +0300 - Message-Id: <3.0.5.32.19990616110216.00b77880@smtp.datafellows.com> - -A: (2) for normal case, and allow (1) for backward compatibility - (responder case I bet). - -Q. INITIAL-CONTACT message. - When should we send an INITIAL-CONTACT message? -A. see jenkins rekey draft - - We must ignore unencrypted INITIAL-CONTACT message. - - If we have two nodes and they issue the first packet of phase 1 at the same - time, both may try to transmit INITIAL-CONTACT message, and effectively - kills both connection attempt. - - node 1 node 2 - | | - |----------\ /---------| phase 1 first packet - | \/ | - | /\ | - |<---------/ \-------->| - | | - |----------\ /---------| INITIAL-CONTACT - | \/ | - | /\ | - |<---------/ \-------->| - - Options are as follows: - (1) don't throw INITIAL-CONTACT message. - (2) don't delete old phase 1 information, even if we get INITIAL-CONTACT - message.. - (3) don't delete phase 1 information, if it is very new. delete phase 1 - information only if they are old. - (4) implement tie-breaker rule. for example, compare IP address and remove - phase 1 initiated by the one who has larger IP address. - -Q: IPv6 neighbor discovery. - When a security policy is set to "all packet require IPsec", it will - cover IPv6 ND packets as well. The node will try to secure ND, and - we will have chicken-and-egg problem (without ND we cannot send IKE - packets, without IKE negotiation we cannot send ND). - - What can we do? - - always bypass IPsec policy lookup if a packet is for ND. - - Security policy should have more detail rules to filter - such packet, like icmp6 type/code filters. - -Q: When there are no ID payloads in phase 2 ? -A. guess from the pair of address of IKE peer. - -Q: Delete payload. - Which SPI should I carry on Delete notify ? - There is no documentation. - - An initiator should send a set of SPI of inbound SAs. 
- A responder should delete a set of outbound SAs which are sent by - an initiator. - - When an IKE node deletes old SAs, should it send DELETE notify to - a peer ? - - When does a node send DELETE notify ? - when a IKE node deletes old SAs expilicitly. - when a SA expires (hard lifetime reached). - It may not be necessary. - - When a DELETE notify packet is dropped, SA will get inconsistent - between peers. - We can prevent from it by using "heartbeat" ? - - when there is no phase 1 SA, should I negotiate phase 1 SA before - sending delete notify ? - A: no need. (the consensus made at the mailing list ?) - -Q: "heartbeat" - It means a signal of "I'm alive". - It is exchanged in phase 1.5. - When a responder dies/reboots, phase 2 SA sitll remains but - we can know the rebooting of the peer by using "heartbeat". - - Is INITIAL-CONTACT message useless if we choise "heartbeat" ? - We don't know. - -Q: responder's action in a normal case. - A responder should never initiate both phase 1 and phase 2 at anytime. - Once we have decided which side we are (initiator/responder), the - relationship will never change. - -Q: only the byte type of lifetime on phase 2, not exist the type of time. - No ducumentation states explicitly. - We can choose to use default lifetime (28800). - We can reject it accortding to a policy. - -Q: phase 2 lifetime negotiation - what should I do if the peer has proposed the lifetime value which - does not match to our policy ? - - always reject it. - - use my lifetime, then send RESPONDER LIFETIME. - - during negotiation obey the initiator. install SA lifetime based - on the lifetime we have decided (not from the negotiation). - -Q: phase 1 lifetime negotiation - can we do like phase 2 ? - -Q: Does RFC2407 4.5.4 Lifetime Notification say for phase 2 ? or phase 1 ? - responder lifetime may be inapproprite for phase1 because - proposal is not encrypted, so bad guy can forge it. - -Q: phase 1 lifetime of bytes. - What should we count ? 
- Or it should be obsoleted ? - -Q: phase 2 lifetime of bytes. - byte lifetime of an SA is harder to implement/manipulate than - wallclock lifetime, because: - - if there's packet losses on the link, it will lead to disagreement - between peers about how much traffic were gone through the SA. - - it is unclear when to compute the lifetime. for example, for IPComp, - there's a big difference between computing byte lifetime before - compression, or after compression. [RFC2401 page 23: - should compute byte lifetime using a packet BEFORE IPsec processing] - - it is more questionable to use byte lifetime for inbound SA, than - for outbound SA. we will have more problem if we expire inbound SA - earlier than the peer (if we expire an SA earlier than the peer, - inbound traffic will result in "no SA found" error). - -Q: soft and hard lifetime. [RFC2401 page 23] - RFC2401 talks about soft and hard lifetime. for stable rekeying - operation, it may help if we introduce another kind of lifetime; - - soft lifetime (80% of hard lifetime, for example): - should inform IKE of the expiry, and IKE should try to negotiate - a new SA. - deprecation lifetime (90%): - no outbound packet should be generated by this SA. - inbound packet is handled okay. - hard lifetime (100%) - SA will be erased. - -Q: responder should not modify phase 2 attributes - even for phase 1, we should not modify attributes. - for lifetime attributes, it is okay to switch between V/B format. - - draft-ietf-ipsec-ike-01.txt Appendix A: - If this is the case, an - attribute offered as variable (or basic) by the initiator of this - protocol MAY be returned to the initiator as a basic (or variable). - -Q: check if reserved field is zero, reject if - we should do this (sakane) - i don't think so, it will kill future protocol enhancements (itojun) - -Q: order of proposals in IKE phase 2 packet, and IPsec processing order - how to negotiate SA bundle. 
- IKE: esp+ah, or ah+esp - -> is it safe to consider both as IP|AH|ESP|ULP? - -> is the proposal prefered to send the order of ah+esp. - IKE: ah+ah? - reject? or policy issue. - RFC2401bis should state the pattern of SA bundle. - AH - AH+ESP - AH +IPCOMP - AH+ESP+IPCOMP - ESP - AH+ESP - AH+ESP+IPCOMP - ESP+IPCOMP - AH+ESP - AH+ESP+IPCOMP - Also RFC2401bis should state the meaning of protcol mode. - - we are going to install both SAs, ESP and AH. and they are bundled. - we should negotiate both SAs in single phase2. - - can we do that separately ? - it is hard to verify the policy because the policy might be - defined SA bundle. - when i make packet IP2|AH|ESP|IP1|ULP. - proposal and order must be - ah/transport + esp/tunnel ? - ah/tunnel + esp/tunnel ? - -Q: what should we do if phase 1 SA expires, during phase2 SA negotiation? -A. restart phase 2 negotiation from scratch - -Q: what kind of notification message a node should send on decode failure? - ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE - iked - ISAKMP_NTYPE_UNEQUAL_PAYLOAD_LENGTHS - racoon - ISAKMP_NTYPE_PAYLOAD_MALFORMED - sanity check would be hairy - -Q: Certificate Request. - where to attach CR? - obey draft-ietf-ipsec-pki-req-05.txt. - what should we put inside CR? - my own signer? - RFC2408 page 34 says; - - o Certificate Authority (variable length) - Contains an encoding of - an acceptable certificate authority for the type of certificate - requested. As an example, for an X.509 certificate this field - would contain the Distinguished Name encoding of the Issuer Name - of an X.509 certificate authority acceptable to the sender of - this payload. This would be included to assist the responder in - determining how much of the certificate chain would need to be - sent in response to this request. If there is no specific - certificate authority requested, this field SHOULD not be - included. 
- -Message-Id: <200009262047.XAA10637@torni.hel.fi.ssh.com> -Subject: CERT_REQ_PAYLOAD usage -From: Tero Kivinen -Date: Tue, 26 Sep 2000 23:47:00 +0300 (EET DST) - - 1) If you absolutely need certificates from the other side for - the authentication to work, you MUST send certificate request - payload. - - 2) If the authentication can succeed without the other end - sending certificates (you have some certificate for the other - end, or you can fetch the certificate from the certificate - repository), you MAY send certificate request. - - 3) If you just want any certificate without specifying the CA - root, send certificate request having empty CA name. - - 4) When you receive certificate request you MUST send your own - certificate for that CA. - - 5) If you receive empty certificate request you MUST send the - certificate you are going use in the authentication. If you - have multiple certificates for the same private key, you - SHOULD send all of them. - - 6) If you do not receive certificate request, you SHOULD NOT - send any certificates, unless you have reason to belive that - the other end has wrong certificate for you (for example you - have enrolled a new certificate recently). - - 7) You MAY include extra certificates, CRLs etc if you have - them available (I.e include your other certificates also - (certificate pre-loading), include sub-CA certificates, - include CRLs etc. - -Q: retransmission method (implementation issue) - how can I realize that the last packet in phase 1 was dropped. - main/base mode: - no problem in initiator side. - responder should wait for the retransmited 5th(3rd) packet - from initiator. - aggressive mode: - responder should wait for the retransmited 2nd packet - from responder. - quick mode: - initiator should wait for the retransmited 2nd packet - from responder. - when i am initiator, if we don not use commit bit, i will - install the SAs after sending last message. 
- - under the following situation we will see retransmisson of phase 1 3rd - packet (prior to the last packet) from the peer, even if we already - have started phase 2 negotiaiton: - - initiator have transmitted the last (5th) packet of phase 1 exchange. - the initiator believes that phase 1 is done. - - the last (5th) packet in phase 1 exchange was lost - responder retransmits phase 1 N-1 packet - main mode - FW-1 transmits the last packet in phase 1/2 exchange, 3 times. - -Q: retransmission timer? - should we manage it in per-peer basis? - yup. we may need to - RFC2408: change retransmission timer dynamically - gets harder to debug... - -Q: checks against retransmission - check ISAKPM header only (watanabe) - check MD5(msg) - -Sender: owner-ipsec@lists.tislabs.com -Message-Id: <200007170936.e6H9a2J113489@thunk.east.sun.com> -Subject: Re: simplifying rekeying [draft-jenkins-ipsec-rekeying-06.txt] -From: Bill Sommerfeld - - pedants may need to worry about the following case: - - initiator responder - | | - |-------(1)------->| - | | - | +--(2)--------| - | | | - |-------(1)--+ | - | | | | - |<---+ | | - | | | - |-------(3)------->| - | | | - |<------(4)--------| - | | | - | +---->| - | | - : : - -Q: Nonce size - a size of value MUST be 4 - 252 (RFC2409) - reject if the value is out-of-range - -Q: x.509 certificate and ID payload - if there is the certificate and the type of ID payload is - not DN, then compare with the subjectAltName in certificate. - DN, then compare with the subjectName in certificate. - must take care of the order of OID. - -Q: IP address of subjectAltName and of real entity. - There are two subjectAltName, email and IP address, in the certificate. - ID payload includes USER-FQDN, and same to email address of - subjectAltName. - If IP address of subjectAltName is different from the real entity's - IP address. What should we do ? - -Q: commit bit - who will set the commit bit? when? - - no action. 
if the other end sets it to 1, we should do that too - (sakane) - responder should set it to 1. or it may leave it as is (watanabe) - - should revisit rekey draft. - -Q: what happens if we have multiple phase 1 SAs for the same src/dst pair? - -Q: phase 1 ID payload - RSA signature and pre-shared key - same ID value. - must include the ID into subject alt name. - -Q: rekey. - - common: IPsec layer always use oldest SA. optionally, send a delete - payload for old SA when we got a new SA. - - freeswan: trust no informational exchange (including initial-contact). - assume everyone will be using the latest SA in IPsec layer. - assume that phase 2 responder will install new key when the - responder got 1st packet of phase 2 (not the 3rd packet). - -Q: for responder side, is it allowed to reorder proposals? for example, -is it allowed to reply to the following proposal: -with this: - -(initiator sends ESP then AH) - -46:51.456226 3ffe:501:ffff:0:250:daff:fe87:4bbe:500 -> 3ffe:501:ffff:0:2a0:ccff:fe3c:4093:500: isakmp 1.0 msgid 3827457a: phase 2/others ? 
oakley-quick: - (hash: len=20) - (sa: doi=ipsec situation=identity - (p: #1 protoid=ipsec-esp transform=15 spi=058a15c0 - (t: #1 id=blowfish (type=lifetype value=sec)(type=life value=0e10)(type=enc mode value=transport)(type=keylen value=0080)(type=auth value=hmac-md5)(type=group desc value=modp1024)) - (t: #2 id=blowfish (type=lifetype value=sec)(type=life value=0e10)(type=enc mode value=transport)(type=keylen value=0080)(type=auth value=hmac-sha1)(type=group desc value=modp1024)) - (t: #3 id=blowfish (type=lifetype value=sec)(type=life value=0e10)(type=enc mode value=transport)(type=keylen value=0080)(type=group desc value=modp1024)) - (t: #4 id=3des (type=lifetype value=sec)(type=life value=0e10)(type=enc mode value=transport)(type=auth value=hmac-md5)(type=group desc value=modp1024)) - (t: #5 id=3des (type=lifetype value=sec)(type=life value=0e10)(type=enc mode value=transport)(type=auth value=hmac-sha1)(type=group desc value=modp1024)) - (t: #6 id=3des (type=lifetype value=sec)(type=life value=0e10)(type=enc mode value=transport)(type=group desc value=modp1024)) - (t: #7 id=1des (type=lifetype value=sec)(type=life value=0e10)(type=enc mode value=transport)(type=auth value=hmac-md5)(type=group desc value=modp1024)) - (t: #8 id=1des (type=lifetype value=sec)(type=life value=0e10)(type=enc mode value=transport)(type=auth value=hmac-sha1)(type=group desc value=modp1024)) - (t: #9 id=1des (type=lifetype value=sec)(type=life value=0e10)(type=enc mode value=transport)(type=group desc value=modp1024)) - (t: #10 id=cast (type=lifetype value=sec)(type=life value=0e10)(type=enc mode value=transport)(type=keylen value=0080)(type=auth value=hmac-md5)(type=group desc value=modp1024)) - (t: #11 id=cast (type=lifetype value=sec)(type=life value=0e10)(type=enc mode value=transport)(type=keylen value=0080)(type=auth value=hmac-sha1)(type=group desc value=modp1024)) - (t: #12 id=cast (type=lifetype value=sec)(type=life value=0e10)(type=enc mode value=transport)(type=keylen 
value=0080)(type=group desc value=modp1024)) - (t: #13 id=null (type=lifetype value=sec)(type=life value=0e10)(type=enc mode value=transport)(type=auth value=hmac-md5)(type=group desc value=modp1024)) - (t: #14 id=null (type=lifetype value=sec)(type=life value=0e10)(type=enc mode value=transport)(type=auth value=hmac-sha1)(type=group desc value=modp1024)) - (t: #15 id=null (type=lifetype value=sec)(type=life value=0e10)(type=enc mode value=transport)(type=group desc value=modp1024))) - (p: #1 protoid=ipsec-ah transform=2 spi=0f316870 - (t: #1 id=md5 (type=lifetype value=sec)(type=life value=0e10)(type=enc mode value=transport)(type=auth value=hmac-md5)(type=group desc value=modp1024)) - (t: #2 id=sha (type=lifetype value=sec)(type=life value=0e10)(type=enc mode value=transport)(type=auth value=hmac-sha1)(type=group desc value=modp1024)))) - (nonce: n len=16) - (ke: key len=128) - (id: idtype=IPv6 protoid=tcp port=0 len=16 3ffe:501:ffff:0:250:daff:fe87:4bbe) - (id: idtype=IPv6 protoid=tcp port=0 len=16 3ffe:501:ffff:0:2a0:ccff:fe3c:4093) - -(respoinder swap order, sends AH then ESP) - -46:53.368883 3ffe:501:ffff:0:2a0:ccff:fe3c:4093:500 -> 3ffe:501:ffff:0:250:daff:fe87:4bbe:500: isakmp 1.0 msgid 3827457a: phase 2/others ? oakley-quick: - (hash: len=20) - (sa: doi=ipsec situation=identity - (p: #1 protoid=ipsec-ah transform=1 spi=f8dc5700 - (t: #1 id=md5 (type=lifetype value=sec)(type=life value=0e10)(type=enc mode value=transport)(type=auth value=hmac-md5)(type=group desc value=modp1024))) - (p: #1 protoid=ipsec-esp transform=1 spi=f8dc5701 - (t: #4 id=3des (type=lifetype value=sec)(type=life value=0e10)(type=enc mode value=transport)(type=auth value=hmac-md5)(type=group desc value=modp1024)))) - (nonce: n len=16) - (ke: key len=128) - (id: idtype=IPv6 protoid=tcp port=0 len=16 3ffe:501:ffff:0:250:daff:fe87:4bbe) - (id: idtype=IPv6 protoid=tcp port=0 len=16 3ffe:501:ffff:0:2a0:ccff:fe3c:4093) - -Q: IPComp SA with wellknown CPI in CPI field. how to handle it? 
- with the current code, wellknown CPI will be installed as is, because: - - racoon can negotiate an IPComp SA with wellknown CPI, and installs it as is - - the kernel have no check about it - however, by doing so we will have CPI (SPI) conflict on rekey, or with - multiple peers. - - there could be couple of stragegies from implementation point of view - (workaround): - (1) do not install IPComp SA if we negotiated it with wellknown CPI. - this will introduce another trouble: no trigger for rekey, due to - no lifetime management on the IPComp SA. - (2) install IPComp SA with fabricated (local) CPI, with RAWCPI option flag - raised. confusing... - (3) use topmost 16 bits to turn wellknown CPI into unique numbers. - how to assign numbers? - the problem is not unique to racoon, it is a generic problem. - protocol-wise, we could have couple of fixes: - (1) never negotiate an IPComp SA with a wellknown CPI. - (2) disambiguate IPComp SA by using other attributes, like lifetime, - installation timestamp or whatever. - (3) always IPComp as a addendum to ESP/AH. do not treat it as an independent - SA. - I'm in favor of (1).
diff --git a/kame/kame/racoon/doc/racoonquestion.sh b/kame/kame/racoon/doc/racoonquestion.sh
deleted file mode 100644
index 94ea7f9217..0000000000
--- a/kame/kame/racoon/doc/racoonquestion.sh
+++ /dev/null
@@ -1,36 +0,0 @@
-#! /bin/sh - -# $KAME: racoonquestion.sh,v 1.1 2001/01/27 05:46:22 itojun Exp $ - -# sends question about racoon to sakane. -# % racoonquestion logfile conffile -# -# caveat: the script will tell everything about your system, and every secret -# keys, to sakane. - -if [ $# != 2 ]; then - echo usage: sendracoonquestion logfile conffile - exit 1 -fi -if [ -e /tmp/racoonbug ]; then - echo fatal: clean /tmp/racoonbug first. - exit 1 -fi -if [ `whoami` != root ]; then - echo fatal: must be a root to invoke this. - exit 1 -fi - -# do not let others read the result -umask 0077 -mkdir /tmp/racoonbug || exit 1 -setkey -DP > /tmp/racoonbug/spd.$$ -setkey -D > /tmp/racoonbug/sad.$$ -ifconfig -a > /tmp/racoonbug/ifconfig.$$ -netstat -rn >/tmp/racoonbug/netstat.$$ -cp $1 /tmp/racoonbug/logfile.$$ -cp $2 /tmp/racoonbug/conffile.$$ -cd /tmp/racoonbug -shar spd.$$ sad.$$ ifconfig.$$ netstat.$$ logfile.$$ conffile.$$ | mail sakane@kame.net -cd /tmp -/bin/rm -fr /tmp/racoonbug
diff --git a/kame/kame/racoon/doc/redmond.txt b/kame/kame/racoon/doc/redmond.txt
deleted file mode 100644
index c44e590810..0000000000
--- a/kame/kame/racoon/doc/redmond.txt
+++ /dev/null
@@ -1,255 +0,0 @@ -Appendix: - -It's summary report of IPsec Interoperability Workshop Aug 31st- Sept 3 1998. -To be consider each following items.. ;-( - -Location: Microsoft Campus, Redmond WA -Attending: 60 people, 19 companies. - Axent/Raptor, Cisco IOS, Checkpoint, Intel, HiFn, Interlink, -IRE, Microsoft NT5, Netscreen, Redcreek, SSH, Timestep, Worldcom/ANS, IRE, -Free SWAN - Verisign, Entrust, Worldcom Advanced Networks - James -Matheke, Digital Signature Trust Company, Microsoft PKI & Directory reps - L2TP/IPsec: Microsoft NT5 and Cisco IOS - -Handouts: -(I will get these on a public web site ASAP. Stay tuned for pointer) - -Network Configuration Tear Sheet - network topology explanation & diagram -Testing Matrix: had 43 options * (transport + tunnel) * (initial + rekey) = -172 tests. -Rodney Thayer's draft IPsec certificate profile -IPsec Rekeying Issues powerpoint slides, by Tim Jenkins of Timestep -Working copy of Draft-ietf-ipsec-ldap-schema.txt -Powerpoint slides presented at IETF Policy BOF explaining -draft-ietf-ipsec-ldap-schema.txt -Microsoft Directory Enabled Networking Powerpoint slides by Steve Judd -Microsoft Public Key Infrastructure Powerpoint slides by Rick Johnson -Windows NT5.0 Beta2 walkthrough guide for creating IPsec policy - - -Debriefing Survey -================= -On Wed and Thursday, I surveyed 8 companies with the following questions, -saying that I would compile a list of responses without indicating vendors -and post the compiled report to the IETF IPsec mailing list. Here are the -results. I have attempted to reduce duplication by indicating in -parentheses how many of the respondants indicated a similar response, eg (4) -means 4 out of 8 vendors. There is no priority or ordering on these -listings, other than popular reponses appear first. - -What did you fix? -=========================================================== -Policy mgmt bugs. 
Modification on end-to-end policy configuration (3) -Fragmentation on large packet (2) -Vendor id payload support -3DES key generation -Multiple MM proposals are not draft compliant -Initial contact handling -Additional padding that expands payload in IKE MM -Construction of id payload of type ID FQDN and ID USER NAME during RSA -Signatures -Fixed the parsing of pulling out the SubjectAltName out of the cert. -Problems handling multiple proposals -Problems handling the payload when 2 lifetypes were being sent, for example -seconds and bytes. -Better understanding of what is in main mode -Circular cert chain signature handling -Draft change to support initial contact -Make sure that if peer sends back invalid ids, that they do not overwrite -the initiators ids -Ignore empty cert request payload -Wrong checksum in inner payload header. Other implementations were not -checking -Empty payload of cert caused AV -Cert signed circular chain handling -ISAKMP config mode- hashing incorrectly -RSA encryption mode- not encrypting all that we should -AH + ESP negotiated for tunnel mode -Nothing -If we didn't receive proxy IDs during QM when negotiating transport mode, we -would fail. Most vendors don't send these. IOS and NT do this to support -protocol and port based filters. We need to add a test case to do this -regularly. -If we did not receive the encapsulation attribute, we would send it back. -Wrongly padding the Oakley header length to 4 byte boundaries -Bug found in test tools -Where and HOW to encode v3 extensions in PKCS10 requests. Mostly due to how -old BCERT toolkits used to do it which is not what RSA actually spec'd. - -What did you not fix - what still needs to be worked on? -========================================================= -PKI usage: Cert subject altname comparison with MM id payload, Certificate -chain processing, CRL support, Cross-certification, DN in certs, Every (CA?) 
-vendor had different cert request format (5) -Using DSS/DSA - only supported by HiFn, CA vendors MS & Entrust & GTE (2) -Fragmented TCP packets failing auth checks -Need to send deletes for all of the SPIs when doing an AND proposal -Initiating SAs -Commit bit handling -Rekey issues: Initiator switching to responder because original responder -hit lifetime timeout first and visa-versa. -Responder changing attributes in transform. -The PKCS10 requests with v3 extensions. Currently MS puts then in a -proprietary attribute (said they would change), the 'standard' attribute to -put them in is the rsaExtensionsAttribute, however RSA BCERT and TIPEM -toolkits add an extra level of encoding and encode the sequence of extension -as a T61String which is NOT the documented format. The cure is to have CA -vendors try to decode from both and have all new clients only do -rsaExtensionsAttribute as Seq of Ext. - -What are the open IPsec design issues? -======================================================== -PKI usage, cert formats, CA enrollment, deployment model for cert-based -trust, supporting CRLs, supporting cert request payload (5) -Peer Recovery, stale/Inactive SAs which linger when peer has lost state. -Orphaned phase2 SA. This can be due to a missed delete (since deletes are -not reliable) or a system crash of a peer (4) -ISAKMP header not authenticated. Initial contact & all notifications are not -authenticated (4) -Commit bit. Since it is unauthenticated if it is present in the IKE header. -Is it still a MUST? (2) -Version#s not authenticated in IKE header -Common policy configuration & distribution for multiple vendor devices that -a single manager can use. -Mobile clients - preshared key per user? Lose identity protection with -aggressive mode -Rekey mechanism that doesn't lose traffic by design -When tunneling traffic, do you reassemble packet first, then filter, then -forward to tunnel? 
-Configuration problems, ISAKMP config needs further work -Support in drafts for authentication method per selector conflicts with -using MM with QM. Applications can't use their own trust system for their -traffic - must be manually configured out-of-band between machines (IP -addresses). This is why MM with QM protection is abandoned by vendors in -favor of aggressive mode, so that QM parameters, and also identities, can be -known first to succeed with authentication. -Race conditions when have multiple SAs to same box from one source, rekeying -MM over multiple QM -Multiple QM proposals -How to get tunnels set up -Mismatch filters in policy. When initiator should propose both the full -filter breadth, as well as the specific packet protocol type/ports to the -responder, so the responder can pick the widest clean match. -Need some kind of model for using SNMP MIB for reporting and management of -IPsec enabled devices. -Think IKE is open to denial of service attack because anyone can provoke DH -computation in MM. Should only create state when get cookie back to reduce -denial of service. -IKE over non-IP -Disagreement on how AH with ESP in transport or tunnel mode should be -expressed in policy, negotiated, or have their separate SAs managed -Need full client-side configuration to support simultaneous tunnels from one -client to different gateways -Need "Credential Request Payload" more general than just certificate request -payload, to support retry for authentication when both systems participate -in multiple trust models. - -What are the open IPsec interop issues? If products shipped today, what -problems would customers encounter with multiple IPsec products? -================================================================ -Policy expression, configuration for interop (5) -Peer recovery of SAs, with mobile users, between two gateways (2) -US export IPsec interop- no support at all in drafts for what products have -to implement for ESP. 
Custom DH group for export not supported in drafts (2) -Understanding why proposals failed- Error messages to detail why proposal -not chosen (Michael Richardson going to collect error codes & messages from -vendors) -Multiple proposals for export not supported -Policy distribution -Client interop because clients haven't been tested much, mostly GW/FW -Real world application usage/admin, where systems are taken up/down, address -changes, etc. -Biggest challenge is to cover all aspects/combinations -Hard to balance tolerance of variance among IPsec implementations which is -necessary for interop with strictness of checks to fulfill security and -draft requirements. -Scalability -Some/many vendors not installing SA parameters which were negotiated, using -what filter policy specified. -Cert encoding for CRP, most people understand X.509 -Key usage flags in cert, what you expect to get back for generic or specific -for data encryperment. Maybe define another type of cert field encoding, -have 1-9, need 10. -How to process Subject Altname -Nobody else is doing encrypted nonces -Enforcing check that traffic sent through IPsec format matches filter which -was negotiated. This must be agreed upon by other vendors. Not covering -this in bakeoff testing because people mostly ping and ftp test, not -multi-protocol or multi-port through same SA. -Having certificate storage and key signing operations on smartcards, where -they don't provide a signature without the OID -What was good about the bakeoff? -========================================================= -Small size, good working time (4) -Organized well (2) -Providing PCs, cables (2) -Beer (2) -Having a preplanned test matrix -Having several CA vendors, ability to discuss and try CRLs, different certs -Plenty of space, good friendly atmosphere. Microsoft people being very -helpful -Timing was good -The network was setup when we got there. 
-More than one network allocated for each vendor to allow gateway testing - -What wasn't so good about bakeoff? -======================================================== -Had to reconfigure because test net was not on Internet which for many -caused a reboot. Only really need 4-5 class C addresses with preplanned -private net space. Should have DHCP on external net. NAT from private to -public wouldn't work using IPsec, of course, because using IPsec to get back -home to company net. (3) -Power failure Monday morning (2) -Internet access via ISDN 128Kb was very slow (2) -Didn't seem that anyone could cover the test matrix with another vendor even -50%. -Everyone still ping testing, not real traffic, limited ftp transfers for -those who tried rekeying -No T-shirts -Clients were not really tested, mostly vendor's gateway/Firewall products. -Not testing CRLs, not testing cert expirations -Hard to understand why two systems would not interoperate -Need phones at each station -Network addressing plan was hard to read and understand what is needed. -Need picture of topology. -Impossible to design comprehensive test matrix, don't have time in a bakeoff -to test all of these -No time to get into real situation test -Test matrix too confusing. Rather see list of topologies with spec of "to -reach my network do this MM proposal and these different policies for telnet -and http" - -For next bakeoff at IBM, what should be done? -======================================================== -Test rekey in each direction under stress (4). Use FTP for this. -Huge payload to test fragmentation & reassembly in IPsec ESP, AH under load -(2) -Seat vendors together who more advanced in their IPSEC/IKE implementations. -Otherwise it will be n-X-n testing matrix which is impossible with 60 -vendors present. 
-Post test matrix to the IPsec list before the event to get comments on it's -completeness -Make sure real world topology is tested: static IP client -> GW -- internal -net -- servers on PCs -ICSA should say more about rekeying issues, or allow vendors out of their -NDA signed during certification testing to discuss rekeying issues -Not relying on non-mandatory messages -Peer recovery testing -Negotiating and maintaining many SAs -Need next NT5.0 post-beta2 release to test with -Need denial of service and IPsec knowlegable attack tests -Need a complete implementation of all IPsec capabilities to test against, -Need an attacker box to test against -All CA vendors should support Subject Altname -Need telephone at desk -Need vendors capabilities listed and what they want to test in advance -Test nested tunnels -Test transport over tunnel mode -Test random IP addresses to simulate mobility -Have bakeoff at the same place where you stay, in hotel -Attack testing - -End of Report - - diff --git a/kame/kame/racoon/doc/rules.jp b/kame/kame/racoon/doc/rules.jp deleted file mode 100644 index 2aee8bf79a..0000000000 --- a/kame/kame/racoon/doc/rules.jp +++ /dev/null @@ -1,37 +0,0 @@ -new() - allocate ¤¹¤ë - ´ðËÜŪ¤Ê½é´ü²½¡£ - ¿·µ¬¤Ëalloc¤¹¤ëÆâÉôÊÑ¿ô̾¤Ï new -init() - Àµ¤·¤¤»Ñ¤Ë¤Ê¤ë¤¿¤á¤Î½é´ü²½¡£ - ¤Û¤È¤ó¤É new() ¤ÈÂÐ -del() - free() - list ¤ËÃí°Õ¡ª -rem() - list ¤«¤éÀÚ¤êÎ¥¤¹ -ins() - list ¤ØÄɲᣠ- ¿·µ¬¤Ëinsert¤¹¤ëÆâÉôÊÑ¿ô̾¤Ï new - ¤â¤·¿Æ¤¬¤¤¤ì¤Ð head - -void() - return ¤Ï¤É¤¦¤¹¤ë¡© - - -YIPSDEBUG ¤È plog ¤Ï²þ¹Ô¤¹¤ë¡£ - -¤Ç¤­¤ë¤À¤± K&R·Á¼° - -2¤ÄÊ»¤»¤Æɾ²Á¤·¤Ê¤¤¤È¤¤¤±¤Ê¤¤Ê¸¤Î»þ¤Ë || ¤Ç¤Ä¤Ê¤²¤Æ¤ë½ê¤¬¤¢¤ë¤«¤â¡Ä - if (hogea() || hogeb()) - goto error; - -¥í¥°¤ÎÅý°ì(°Æ) -phase1 -phase2 -IV -isakmp -ipsec -ISAKMP-SA -IPsec-SA diff --git a/kame/kame/racoon/doc/sandiego-result.en b/kame/kame/racoon/doc/sandiego-result.en deleted file mode 100644 index 0e12619e6c..0000000000 --- a/kame/kame/racoon/doc/sandiego-result.en +++ /dev/null 
@@ -1,121 +0,0 @@ -Mon Jan 10 2000 - Fri Jan 14 2000 - -brief translation - see Japanese version for more complete results. -this is *past test result* and implementation (both sides) -is already fixed to address those problems, in most cases. - -vs microsoft - as responder - NT resends last packet on phase 1, racoon panics -> fixed - - revenge, did well - phase 1: pre-shared/3des/sha1/dh2 - phase 2: esp/sha/des/600sec/3kb - -vs bluesteel - config issues -> okay - phase 1: pre-shared/md5/des/dh1/10min - phase 2: esp/md5/des/10min - -vs racoon - rekey goes well, but sometimes phase 2 goes wrong. - - memory leakage in kernel code -> fixed - racoon memory leakage (gets bigger and bigger) -> not yet - - IPv6 works just fine like IPv4 case (no scoped address support yet) - -vs ashley laurent - phase 1 userfqdn support -> ok - phase 2 pfs -> ashley-laurent panics - - phase1: psk/userfadn/md5/des/dh2 - -vs ericsson - issues in kame side: - initiator: shouldn't attach DH group type for well-known DH groups - responder: blowfish key length - - fixed, okay - phase 1: pre-shared/des/md5/dh1/lifetime 1hour/lifebyte 1MB - phase 2: esp/md5/blowfish 56bit/lifetime 1hour/lifebyte 1MB - - ericsson manages phase 1 and 2 together (should be managed separately - from jenkins-rekey), problem with interpretation of delete payload - -vs ibm - IPv4: main/aggressive, both ok - phase 1 3des/md5/dh1/3600sec - phase 2 esp/transport/des/sha1/dh2/1800sec - -vs radguard - gateway: need more improvement - phase 1: pre-shared/des/md5/dh1 - phase 2: esp tun(to node behind gw)/3des/sha1/dh2 - client: fragment issue on radguard side - phase 1: pre-shared/3des/sha1/dh2 - phase 2: esp tun(myself)/3des/sha1/dh2 - - no base mode support yet - -vs network associates - base mode: - initiator/responder: psk - PSK HASH_R -> fixed to conform to RFC2409 - phase2 proposal parsing problem -> need fix on NAI side - - ok, rekey ok - phase 1: pre-shared/sha1/3des/dh2/10min - phase 2: esp/md5/cast128/dh2/5min - dh 
group 5, ok - agressive mode, ok - - byte lifetime bug on racoon side -> fixed - -vs intel - base mode: HASH computation bug in initiator/responder - -vs freeswan - group 5: phase1 ok. - no KE on phase2 PFS, probabilistic - - config file parsing bug on racoon - - phase1: psk/sha1/3des/dh5/10min - phase2: esp/3des/md5/dh1/10min - -vs ire - ipcomp over ike - variable-length spi support, etc. - phase 1: 3des/sha1/dh1/600s - phase 2: esp/transport/3des/sha1/300s, ipcomp/deflate/300s - - ok. tried so far: - ip esp ipcomp payload - ip ah ipcomp payload - ip esp ipcomp ip payload - ip ah ipcomp ip payload - - - window size issue in kame side - backout sys/netinet6/ipcomp_core.c 1.3 -> 1.4 - - ire does not handle packet > link MTU - - tunnel/transport interpretation issue - -vs fitel - just fine, tunnel/transport ok. rekey has some problem - phase1: pks/userfqdn/md5/des/20s - phase2: pfs1/md5/des/10s - - nonce len = 320 -> malformed payload - random padding -> ok - rekey -> some problems - -vs cisco - IKE works fine - phase 1: pre-shared/3des/sha1/dh2/180sec - phase 2: esp transport/3des/sha1/dh2/120sec - - phase 1: pre-shared/3des/sha1/dh2/180sec - phase 2: esp tunnel/3des/sha1/dh2/120sec - - dangling SA in kernel, fails to lookup policy -> fixed, refcnt issue
diff --git a/kame/kame/racoon/doc/sandiego-result.jp b/kame/kame/racoon/doc/sandiego-result.jp
deleted file mode 100644
index 4e78ec9feb..0000000000
--- a/kame/kame/racoon/doc/sandiego-result.jp
+++ /dev/null
@@ -1,303 +0,0 @@ -Mon Jan 10 2000 - Fri Jan 14 2000 - -vs microsoft - as responder - phase 1$B$N:G8e$N%Q%1%C%H$r:FAw$7$F$/$k!#(Bkame$BB&$N(Bstate machine$B$N(B - null pointer check$B$,B-$j$:Mn$A$?!#L@F|:FD)@o!#(B - - $B:FD)@o!"$&$^$/$$$C$?(B - phase 1: pre-shared/3des/sha1/dh2 - phase 2: esp/sha/des/600sec/3kb - -vs bluesteel - $B$&$^$/$$$C$?$i$7$$!#(B - - $B$&$^$/$$$+$J$+$C$?!#(B - initiator: $B80$G$-$?$1$I(B ping $B$7$F$b8~$3$&$,JV;v$;$:!#(B - $B:F@oM=Dj(B - transport $B$d$m$&$H$7$?$iE($,(B tunnel mode $B$r%M%4$C$F$?!#(B - tunnel $B$N;~$OE($,FbB&$N%"%I%l%9$r4V0c$C$F$?!#(B - $B$H8@$&J,$1$G(B OK. - phase 1: pre-shared/md5/des/dh1/10min - phase 2: esp/md5/des/10min - - $B$d$C$Q$j%M%4$C$?%]%j%7$rFM$C9~$`J}$,3Z$C$9!D(B - -vs racoon - rekey$BLdBj$r2r7h$7$?$"$H(B - - phase 2$B$r(B5$BIC$K(B1$B2s(Brekey - - phase 1$B$r(B8$BIC$K(B1$B2s(Brekey - $B$J$I$N$$$8$a$r$7$F$$$k$,!"$*$*$`$M2wD4!#(B - $B$?$^$K(Bphase 2$B$N<:GT$,$"$k(B(ping$B$7$F$k$H(B10$BIC$/$i$$7j$,$"$/(B)$B!#(B - - chargen$B$H$+$bJB9T$7$F;n$7$F$$$k$,LdBj$J$7!#(B - - kernel code$B$K(Bmemory leak$B$O$[$H$s$I$J$$LOMM!#(B - racoon$BFb$K(Bmemory leak$B$,$"$kLOMM!#F0$+$7$F$k$HB@$k!#(B - - IPv6$B$b(BIPv4$BF1MM$A$c$s$HF0$$$F$^$9(B($B$?$@$7(Bglobal address)$B!#(B - - phase 1$B$,(Baggressive mode$B$N$H$-!"(Brekey$B$K<:GT$7$d$9$$!#(B - (phase 1$B$rBT$C$F(Bphase 2$B$,:F3+$7$J$$(B) - - rekey$B$N$H$-$K$H$-$I$-(Bno spi$B1>!9$,=P$k!#(Bjenkins-ipsec-rekey$B$r(B - $B$b$C$H4hD%$i$J$$$HBLL\$+(B? - -vs ashley laurent - phase 1 userfqdn support$B$$$l$F$h$s$H8@$o$l$?!#:#2s4V$K9g$&$N$+$J!#(B - - userfqdn $BF~$l$F:F@o$7$h$&$H$7$?$1$I!"E($,(B tunnel mode $B$N(B client $B$"$j(B - $B$7$+%5%]!<%H$7$F$J$$$N$G!"L@F|:F@oM=Dj!#(B - - PC$BMQ0U$7$F:F@o!#(Bphase1 $B$O$"$C$5$j(Bok. 
- phase2 $B$G(B pfs $B$r;H$&$HE($,%/%i%C%7%e$9$k!#(B - $B<#$j$=$&$bL5$$$N$G%F%9%H$O$"$-$i$a!#(B - - phase1: psk/userfadn/md5/des/dh2 - - pfs group $B$@$1;vA0$K(Bprotocol $B$N30$G%M%4$7$J$$$H%@%a$J$N$C$FJQ$+$b(B - -vs ericsson - initiator: $B4{CN$N(BDH group$B$K$D$$$F$O(BDH group type$B$r$D$1$F$O$$$1$J$$(B - responder: blowfish$B!"$*$h$S(Bkey length$B$r$A$c$s$H%5%]!<%H$7$J$$$H$^$:$$(B - - $B=$@58e(Bok(size=2000$B$N(Bping$B$^$G(B) - phase 1: pre-shared/des/md5/dh1/lifetime 1hour/lifebyte 1MB - phase 2: esp/md5/blowfish 56bit/lifetime 1hour/lifebyte 1MB - - delete payload$B$rJ}(Bok - phase 1 3des/md5/dh1/3600sec - phase 2 esp/transport/des/sha1/dh2/1800sec - -vs radguard - gateway: $B$$$^$$$A!#860xITL@!#(B - $B$3$C$A(Binitiate: policy$B$N$"$,$j$+$?$,$^$:$$(B/phase 1 2$B$H$b(B - $B$$$^$$$A(B - $B$3$C$A(Brespond: phase 1 2$B$H$b$$$^$$$A!#@hJ}(Bgateway$BN"$N(Bnode$B$+$i(B - ping$B$,FO$+$J$$(B - - phase 1: pre-shared/des/md5/dh1 - phase 2: esp tun($BN"(B)/3des/sha1/dh2 - client: $B$P$C$A$j!"$?$@$7@hJ}$K(Bfragment$BLdBj$"$j(B(ping > 1500$BEz$($J$7(B) - phase 1: pre-shared/3des/sha1/dh2 - phase 2: esp tun($B<+J,<+?H(B)/3des/sha1/dh2 - - base mode $B$d$m$&$h$C$F8@$C$?$i;}$C$FMh$F$J$$$+$i!"(B - $B$&$A$N%F%9%H%5%$%H(B www.ip-sec.com $B$G%F%9%H$7$F$_$F$C$F8@$o$l$k!#(B - $B8+$?$1$I(B base mode $B$N$+$1$i$b$J$$$>!#(B - -vs network associates - base mode: - initiator/responder: psk - PSK $B$N(B HASH_R $B$N7W;;$O(B RFC2409 $B$@$h$HM!$5$l$k!D(B - $B<#$7$F(B phase1 ok. - phase2 $B$G8~$3$&$K(B no proposal choosen. 
$B$H8@$o$l$k!#(B - md5/sha1 x des/3des, esp, transport $B$N$O$:$J$s$@$1$I!D(B - $B%A%'%C%/$7$F$b$i$C$F$k:GCf!#(B - - $B$U$D$&$N(B: $B$P$C$A$j!"(Brekey$BJ|Bj$b$P$C$A$j(B - phase 1: pre-shared/sha1/3des/dh2/10min - phase 2: esp/md5/cast128/dh2/5min - $BL@F|(Bdh5$B$r$d$kM=Dj!#(B(1/12) - dh5$B@.8y!#(B(1/13) - agressive mode$B$b$d$C$?!#(B - - $B$3$C$A$,$o!"(Bbyte lifetime$B$KCn$"$j!#$D$M$K@_Dj$N(B1024$BG\$N(Bproposal$B$r(B - $BEj$2$k!#(B - $B$5$i$K(Blifetime$B$KCn!#(B - -vs intel - base mode: initiator/responder$B6&$KE($,(BHASH$B$N7W;;4V0c$C$F$$$k$i$7$$!#(B - $B:F@oM=Dj!#(B - -vs freeswan - group 5: phase1 ok. - phase2 $B$G(B PFS $B$7$F$k$N$K(B KE $B$,=P$J$$;~$,$"$k!#(B - $BBgNL$K(Bracoon.conf$B=q$$$F5/F0$9$k$HMn$A$:$K%Q!<%9$K<:GT$9$k;~$,$"$k!#(B - $B7k2L!"JQ$JCM$,F~$k;~$,$"$k!#(BKE$B$,=P$J$$$N$O$3$N$;$$!#(B - - racoon.conf $B$r>/$J$a$K$7$F:FD)@o!#(B - $B:#EY$O(B KE $B=P$7$?$N$K<:GT!#(B - freeswan $B$O(B informational exchange $B$7$J$$$N$G!"2?$,5/$-$?$+$o$+$i$J$$!#(B - - phase2 $B$N(Bproposal$B$r(B6$B8D=q$$$?$i(B SPI=0 $B$G=P$7$F$$$?!#(B - $B$H$j$"$($:>/$J$a$K=q$$$F:FD)@o!#(B - - phase2 $B$G(BPFS$B$r;H$C$?;~$O(B SA $B$N(B group description $B$r(B - $B=q$+$J$$$H%(%i!<$K$J$k!#(B - - $B<#$7$F(Bok. thanx hugh! 
- phase1: psk/sha1/3des/dh5/10min - phase2: esp/3des/md5/dh1/10min - -vs ire - ipcomp over ike$B$N%F%9%H(B - spi$B$^$o$j$J$I$?$/$5$sD>$7$?!#(B2byte spi$B$,Mh$?$H$-$NBP=hEy!#(B - $B8=>u$N(Bcode$B$O(Bwell-known cpi$B$r$D$C$3$^$l$k$H:$$k!#(B - phase 1: 3des/sha1/dh1/600s - phase 2: esp/transport/3des/sha1/300s, ipcomp/deflate/300s - - $B$H$j$"$($:(Bipcomp$B$O(Bok$B!#$d$C$F$_$?AH9g$;(B: - ip esp ipcomp payload - ip ah ipcomp payload - ip esp ipcomp ip payload - ip ah ipcomp ip payload - - - kame$BB&$N(Bwindow size$B$,$A$$$5$9$F?-D9$G$-$J$$!#(B - sys/netinet6/ipcomp_core.c 1.3 -> 1.4$B$,0-1F6A$7$F$$$k$N$GLa$9!#(B - - ire$BB&$O(Btransport mode$B$N$H$-!"05=LA0%5%$%:(B > MTU$B$r2rC$9(B - $BF~$jB&(B: $B8E$$(BSA$B$O(Blifetime$B$^$G;D$9!#(B - rekey $B$7$?8e$K;H$&(B SA $B$NLdBj$OL5$5$=$&!#860xITL@!#(B - -vs cisco - IKE$B$O$[$\LdBj$J$7!#(B - phase 1: pre-shared/3des/sha1/dh2/180sec - phase 2: esp transport/3des/sha1/dh2/120sec - - phase 1: pre-shared/3des/sha1/dh2/180sec - phase 2: esp tunnel/3des/sha1/dh2/120sec - - ipsec SA$B$r%+!<%M%k$K$$$l$?8e!"(Bpacket$B=PNO;~$N(BSA$B8!:w$K(B - $B<:GT$7$F$7$^$&>I>uB3H/!#(Bdelete payload$B$r$/$i$C$?$H$-$K>C$7$?(BSA$B$,(B - dead$B$N$^$^;D$C$F$7$^$$!"8!:w$r$"$-$i$a$k!#$3$l$OFsEY$H>C$;$J$$(B? 
- -> $BD>$7$?!#(Breference count$BLdBj!#(B - ->206.175.160.20 206.175.161.114 -> esp mode=tunnel spi=372644951(0x16361c57) reqid=0(0x00000000) -> E: 3des-cbc 83dfc523 b3b66e28 06222ccf f33d1d4b c039aeef 07b0e7f0 -> A: hmac-sha1 e30c8e8a d3a8fa30 1985ed93 bdf1ad35 9cd46861 -> replay=4 flags=0x00000000 state=dead seq=1 pid=495 -> created: Jan 13 22:24:40 2000 current: Jan 13 22:39:54 2000 -> diff: 914(s) hard: 120(s) soft: 96(s) -> last: hard: 0(s) soft: 0(s) -> current: 0(bytes) hard: 0(bytes) soft: 515395584(bytes) -> allocated: 0 hard: 0 soft: 0 -> refcnt=1 ->206.175.160.20 206.175.161.114 -> esp mode=tunnel spi=205659402(0x0c421d0a) reqid=0(0x00000000) -> E: 3des-cbc b2bec5f2 9a9d7d7c 92a5aea3 0ce5310c 7cedd2bb efdd62b2 -> A: hmac-sha1 8fff7c61 990fbb3e 6730e2ed c26c06cf 3c75a2c4 -> replay=4 flags=0x00000000 state=dead seq=0 pid=495 -> created: Jan 13 22:24:47 2000 current: Jan 13 22:39:54 2000 -> diff: 907(s) hard: 120(s) soft: 96(s) -> last: hard: 0(s) soft: 0(s) -> current: 0(bytes) hard: 0(bytes) soft: 0(bytes) -> allocated: 0 hard: 0 soft: 0 -> refcnt=1 - -$B%F%9%H$9$k$K$O(B - psk.txt$B$K%(%s%H%jDI2C!#(B - samples/Makefile$B$KAjl9g$O$1$C$3$$$m$$$m$$$8$i$J$$$HBLL\$+$b!#(B - -kame - kernel$B$N(Bmbuf/key management memory$B$N(Bleak$B$O$[$H$s$I3'L5!#$$$/$i$G$b(B - $BB3$1$i$l$^$9!#(Bracoon$B$OB@$C$?$j$U$s$E$1$?$j(B? 
$B$H$K$.$d$+!#(B - - bundle$B$K$D$$$F(B: - - proposal$B$$$C$3$K$D$$$F(Btransform$B$$$C$3$K$J$k$h$&$J(Bconfig file$B$G$J$$$H(B - $BF0$+$J$$!#$D$^$j!"(B - proposal { protocol ah; protocol esp; } - $B$O$$$$$,(B - proposal { protocol esp; protocol esp; } - $B$d!"(Bstrength$B$N;HMQ$OIT2D!#(B - - $B$H$-$I$-(Bacquire$B$^$o$j$N(Btrouble$B$G(Brekey$B$7$J$/$J$k$3$H$,$"$k!#(B - bundle$B;H$C$F$$$J$$$H$-$b;w$?>I>u$,=P$k$,!"(Bbundle$B$r;H$&$H$5$i$K(B - $B5/$-$d$9$$5$$,$9$k!#(B - (socket policy$B$K(Brequire$B$H=q$$$?>l9g$K!"(Bacquire$B$,>e$,$i$J$$$3$H$,B?$$(B) - - acquire$B$r(Buserland$BB&$G%U%#%k%?$9$k$H$3$m$G!"%U%#%k%?$7$9$.$K(B - $B$J$k$3$H$,$"$k!#(B($B%M%4$k$Y$-$J$N$K%M%4$i$J$$(B) - -> reference count$BLdBj$H$N$+$i$_$+(B? - -> acquire$B$N%U%#%k%?%j%s%0$O$h$$$3$H$+$o$k$$$3$H$+(B? - kernel$BB&$O$^$"$$$$$H$7$F!"(Buserland$BB&$O(Bkernel$BB&>pJs$H(Buserland$BB&>pJs$N(B - $B$:$l$K$D$$$F$b$&$A$g$C$H4hD%$i$J$$$H$$$1$J$$$+$b$7$l$J$$!#(B - $BNc$($P!"(Bracoon$BF0$+$7$J$,$i(Bsetkey -F$B$7$?>l9g!"(B - $B8=>u(B: phase 2 handle$B$O;D$C$F$$$k$,80$O$J$$$N$G!"0lDj;~4V%U%#%k%?$9$k(B - $Be$,$C$?$i$=$N(BSA$B$,$[$s$H$K%+!<%M%k$K$"$k$N$+8!>Z$9$k(B? - acquire$B$K!V(Bkernel$B$N$J$+$K$O(BSA$B$,$"$k(B/$B$J$$!W>pJs$N(Bextension$B$r$D$1$k(B? 
- - kernel$B$G(Bah use/esp use$B$H=q$$$F$"$k$N$K(Bracoon$BB&$G(Besp$B$7$+%M%4$7$J$+$C$?(B - $B>l9g!"1J1s$K(Bah$B$N(Bacquire$B$,>e$,$jB3$1$k!#(B - $B$G!"(Bah$B$N(Bacquire$B$,$"$,$C$?$K$b78$o$i$:!"(Bracoon$B$O(Besp$B$N%M%4$r$9$k$N$G(B - $B1J5W$K%M%4$,B3$/!#(B - - kernel policy$B$H(Bracoon policy$B$N@09g@-(B - racoon$B$,(Bkernel$B$K(B - $B%]%j%7$r$D$C$3$a$P$h$$(B - - acquire$B$N:Y$+$$%A%'%C%/(B - ah$B$,MW5a$5$l$F$$$k$N$K(Besp$B$r%M%4$i$J$$$h$&$K(B - $B$,I,MW!#(B - - byte lifetime$BLdBj!#(B - - $BJRJ}8~$@$1$?$/$5$s(Btraffic$B$,$"$k$H!"JRJ}8~$@$1(Bexpire$B$9$k!#(B - $B$G!"%M%4$9$k$H5UB&$O$A$C$H$b(Bexpire$B$7$J$$$N$G80$,$?$/$5$sN/$C$F$$$/!#(B - - $B%Q%1%C%H%m%9$,$"$k$H!"=P$7B&$O(Bexpire$B$9$k$N$Kl9g$,$"$k!#(B($BLdBj$K$O$J$i$J$$$H;W$&$,(B) - - $B$I$C$A$N5sF0$,K>$^$7$$$N$+(B? - racoon: lifetime$B!"$3$C$AB&$N(Bconfig file$B$K4X78$J$/%M%4$7$?7k2L$r(B - kernel$B$K$$$l$k!#(B - nai pgp client: lifetime$B$N%M%4$OIaDL$KDL$9$,!"(Bkernel$B$K$$$l$k$N$O(B - min($B<+J,$N%]%j%7(B, $B%M%47k2L(B) - - initiate $B$9$k%Q%i%a!<%?$H(B acceptable check $B$K;H$&%Q%i%a!<%?$r(B - $BJ,$1$?J}$,NI$$$+$b$7$l$J$$!#(B - $B>/$J$/$H$b(B lifetime $B$d(B PFS group $B$K$OHO0O$,I,MW!#(B - - DOS$BBP:v(B - - $BF1$8(B src $B$+$i!"(Bphase 1 $B$N0lH/L\$r(B - n$BIC4V$K(B m$BH/o(B ESP $B$N(B lifetime $B$O(B 28800(s) - $B$1$I!"(B ipcomp $B$N(B lifetime $B$C$F!g$G$bNI$$$/$i$$$J$N$K!#(B - IPcomp $B$N%M%4$C$FI,MW$J$s$@$m$&$+!)(B (i.e. $BAje$N%M%4$NI,MW@-$O5?Ld(B) - -> IPComp capable node$B$+$I$&$+$N>pJs$rC_$($k$K$O(BSA$B$r;H$&!#(B - SA$B$O%a%b%j$r?)$&!#%a%b%j$$$D$^$G$b?)$C$F$k$N$O7y!#(B - $B$h$C$F(Bipcomp lifetime$B$bI,MW!#(B diff --git a/kame/kame/racoon/doc/sandiego0009-result.en b/kame/kame/racoon/doc/sandiego0009-result.en deleted file mode 100644 index 9d19c084a9..0000000000 --- a/kame/kame/racoon/doc/sandiego0009-result.en +++ /dev/null 
@@ -1,357 +0,0 @@ -$KAME: sandiego0009-result.en,v 1.35 2000/09/23 15:37:37 itojun Exp $ -Mon Sep 18 2000 - Fri Sep 22 2000 -Paradise Point Hotel, San Diego, CA - - -Goals: -- kernel IPsec: rijndael-cbc, twofish-cbc, blowfish-cbc -- racoon: RSA signature, verify cert chain - -Things to look at during tests: -IPsec: -- behavior against large packet (> MTU) -- TCP behavior (fragmentation) -IKE: -- interpretation of phase 2 proposal. if we want "IP AH ESP IP payload", - is it "AH tunnel + ESP tunnel", or "AH transport + ESP tunnel"? -- attribute formatting. TV/TLV mistakes? -- mandatory/optional attributes mistakes (like key length attributes). -- negotiation mode of key length attributes. - -Result template: --->8 -vs XXX - phase 1: initiate/responder, main/aggressive - preshared, 3des-cbc, md5, DH group 2, lifetime 600 - preshared, des-cbc, sha1, DH group 2, lifetime 1000 - rsasig, 3des-cbc, sha1, DH group 2, lifetime 600 - phase 2: PFS group 2 - ESP blowfish-cbc, transport mode, lifetime 600 - ESP 3des-cbc, transport mode, lifetime 600 - IPsec: - (flood) ping with small packet - (flood) ping with large packet (>1500) - tcp session (look at fragmentation issue) - Notes: --->8 - -Result: - -* No body has base mode with RSA signature. - -vs Cryptek - phase 1: responder, main - preshared, 3des-cbc, md5, DH group 1, lifetime 600 <== choiced - preshared, des-cbc, sha1, DH group 1, lifetime 1000 - phase 2: - ESP 3des-cbc, hmac-sha1, transport mode, lifetime 600, PFS group 2 - Notes: - - racoon crashed because of linker problem, header size had changed. - - ph1 proposal mismatched because cryptek sent DH group 1, but I - expected 2. - - cryptek sent the length of 4 as ph1 spi size. - racoon warned and ignore it. 
- - phase 1: initiator, main - preshared, 3des-cbc, md5, DH group 1, lifetime 600 <== choiced - preshared, des-cbc, sha1, DH group 1, lifetime 1000 - phase 2: - no PFS - ESP des-cbc, hmac-sha1, transport mode, lifetime 300 - ESP des-cbc, hmac-md5, transport mode, lifetime 300 - ESP 3des-cbc, hmac-sha1, transport mode, lifetime 300 <== choiced - ESP 3des-cbc, hmac-md5, transport mode, lifetime 300 - Notes: - - cryptek might send me the broken ID payload. - - IPsec-SA was installed, but cryptek still sent me the notify of - invalid-payload. - -vs SSH (IPv6) - phase 1: aggressive - either of the following: - preshared, blowfish, md5, DH group 2 - preshared, 3des, sha1, DH group 2 - phase 2: - either of the following (not sure if algorithm names are right): - PFS group 2 - ESP blowfish-cbc+md5, transport mode - ESP 3des-cbc+sha1, transport mode - AH md5, transport mode - ESP blowfish-cbc + AH sha1, transport mode - ESP blowfish-cbc+md5 + AH sha1, transport mode - IPCOMP deflate + ESP blowfish-cbc+md5 + AH sha1, transport mode - IPCOMP deflate + AH sha1, transport mode - ESP twofish-cbc+sha1, transport mode - ESP rijndael-cbc+sha1, transport mode - IPCOMP deflate + ESP rijndael-cbc+sha1, transport mode - IPCOMP deflate + ESP twofish-cbc+sha1, transport mode - - Notes: - - both end had issues with ND, if we configure "encrypt all" policy. - both end changed policy to use ipsec on tcp6 only (not on icmp6). - - racoon crashed if SSH attaches more than 10 phase 1 proposals. - (fixed) - - in phase 2 first packet, racoon crashed in cmpspidx_wild(). - (seems to be fixed, not 100% sure) - - in phase 2 negotiation, racoon assumes that the order of proposal - payloads is the same as the order of protocols in kernel policy. 
- ssh does not assume it - (fixed/racoon can do both behavior, not sure if which side is more - common) - - no SADB_ACQUIRE on ipcomp SPD (fixed by making SADB_ACQUIRE processing - violate RFC2367 a little) - - SADB_UPDATE when wellknown CPI is negotiated - - rekey is working fine. - - SSH uses different algorithm number for twofish than the AES draft. - - deflate does not look stable enough (memory leak in SSH side). - - twofish/rijndael are variable length cipher, need key length attribute - (fixed) - -vs RapidStream - phase 1: responder, main - rsasig, 3des-cbc, md5, DH group 1, lifetime 600 - phase 2: - 3des, hmac-sha1, tunnel mode, lifetime 300, PFS group 2 - Notes: - - racoon crashed due to unkown problem. I may be incorrect to use - openssl functions. - - rapidstream sent multiple subjectAltName and ID was matched 2nd one. - But racoon can not process multiple one. (fixed) - - fragmented packet was failed due to no response from rapidstream. - -vs HITACHI - phase 1: responder, main - rsasig, 3des-cbc, sha1, DH group 2, lifetime 600 - both subjectAltName and DN are OK. - multiple subjectAltName is OK. - subjectAltName = email - subjectAltName = dns - phase 2: - des, hmac-sha1, tunnel mode, lifetime 300 <== choiced - des, hmac-md5, tunnel mode, lifetime 300 - 3des, hmac-sha1, tunnel mode, lifetime 300 - 3des, hmac-md5, tunnel mode, lifetime 300 - Notes: - - rekeying is fine. - -vs Ericsson - manual key - ESP blowfish-cbc, transport mode, key = mekmitasdigoat (112bit) - - Notes: - - works just fine after blowfish-cbc logic fix. - - no fragment tests as Ericsson side would panic. 
- -vs Linux FreeSWAN - phase 1: main - preshared, 3des-cbc, md5, DH group 2, lifetime 1h - phase 2: - ESP 3des-cbc, hmac-md5, tunnel mode, lifetime 1h, PFS 2 - - rekey test: - phase 1: main - preshared, 3des-cbc, md5, DH group 2, lifetime 1m - phase 2: - ESP 3des-cbc, hmac-md5, tunnel mode, lifetime 20s, PFS 2 - - IPv6 test: - phase 1: main - preshared, 3des-cbc, md5, DH group 2, lifetime 1h - phase 2: - ESP 3des-cbc, hmac-md5, transport mode, lifetime 1h, PFS 2 - AH - (the IPsec SA did not get installed into linux kernel) - - Notes: - - ping with short, long (2k, 32k, 64k) - - chargen - FreeSWAN did not consider ESP header size on MSS computation - - rekey - some packet losses on flood ping. this was because of - difference in rekey. - KAME: jenkins draft, uses oldest key possible - linux: uses latest key possible, and assumes that phase 2 responder - will install inbound SA on reception of 1st packet - - IPv6 test: linux side cannot install IPsec SA into the kernel - (negotiation was successful) - - linux side chokes if they gets proposal with algorithm # which linux - side does not know about. - - racoon chokes if (1) racoon is phase 2 responder, (2) there's no id - payload from initiator, and (3) kame side has tcp policy (not "any" - policy). - - racoon choked if the peer (responder) reorders phase 2 proposals. - -vs HiFn - phase 1: initiator, main - rsasig, 3des-cbc, md5, DH group 2, lifetime 180 <== choiced - rsasig, 3des-cbc, sha1, DH group 2, lifetime 600 - subjectAltName = email - phase 2: - ESP 3des-cbc, hmac-sha1, tunnel mode, lifetime 600, PFS group 2 - Notes: - - defined "verify_cert off;" - - rekey test: - phase 1: initiator, main - rsasig, 3des-cbc, sha1, DH group 2, lifetime 60 - phase 2: - ESP 3des-cbc, hmac-sha1, tunnel mode, lifetime 30, PFS group 2 - Notes: - - large ping (8k) test. - - when rekeying started, sometime ok but sometime HiFn did not - response last phase 2 packet. 
- -vs NxNetworks - phase 1: main - preshared, 3des-cbc, sha1, DH group 2 - phase 2: - ESP 3des-cbc, hmac-sha1, tunnel mode, PFS 2 - - phase 1: main - preshared, 3des-cbc, md5, DH group 2 - phase 2: - ESP blowfish, hmac-md5, tunnel mode, no PFS - Notes: - - fragmented packets did not get through NxNet gw. - - phase 2 ID: (KAME) the gw itself (NxNet) net10 addr behind NxNet - - phase 1: aggressive - rsasig, 3des, sha1, DH group 2 - rsasig, 3des, md5, DH group 2 - subjectAltName = email - phase 2: - 3des, sha1, tunnel, pfs 2 - - parsing the type of subjectaltname fault in racoon. (fixed) - - even if using old SA, when old SA expire, packet may drop - when both sides clock are different. - -vs Intel Canada - phase 1: main - rsasig, 3des, sha1, DH group 2 - entrust, subjectaltname = ipaddress - phase 2: - 3des, sha1, transport, pfs 2 - - when kame did not send CR, then intel did not reply CERT. - It makes sense. - -vs Intel (Packet Protect Pro/100S) - phase 1: main - preshared, 3des-cbc, sha1, DH group 2 - phase 2: - ESP 3des-cbc, hmac-md5, transport mode, no PFS - Notes: - - fragmented ping works fine, large ftp transfer went well too - - phase 1: main - rsasig, 3des, sha1, DH group 2 - subjectaltname = ipaddress - phase 2: - 3des, md5, transport, no pfs - - a lot of SA were installed, because kame doesn't delete old SA - until it expires. - -vs Intel - phase 1: main - rsasig, 3des-cbc, sha1, DH group 2 - entrust, subjectaltname = ipaddress - phase 2: - ESP 3des-cbc, hmac-sha1, transport mode, PFS 2 - Notes: - - 64k ping does not work. freebsd problem ? it's not relative ipsec. 
- -vs NetLock - phase 1: main - preshared, des-cbc, md5, DH group 1 - phase 2: - ESP des-cbc, hmac-md5, tunnel mode, no PFS - - phase 1: main - preshared, 3des-cbc, sha1, DH group 1 - phase 2: - ESP 3des-cbc, hmac-md5, tunnel mode, no PFS - - phase 1: main - preshared, 3des-cbc, sha1, DH group 1 - phase 2: - ESP 3des-cbc, hmac-md5, transport mode, no PFS - - phase 1: main - preshared, 3des-cbc, sha1, DH group 1 - phase 2: - IPComp deflate + ESP 3des-cbc, hmac-md5, transport mode, no PFS - (failed due to IPComp SPI size) - - Notes: - - fragmented ping works fine, large ftp transfer went well too - - BSD userland (or socket layer?) limits UDP echo size to 4k - -vs Pivotal - manual key - fragmented packet (8k) is ok. - 1: esp tunnel des-cbc, hmac-md5 - vpn test. - 2: esp tunnel 3des-cbc, hmac-sha1 - internal address is same to pivotal's network (10.33.134.0/24). - ifconfig lo0 inet 10.33.134.4 netmask 255.255.255.0 alias - route add -inet -net 10.33.134.0/24 206.175.32.1 - -vs Cisco - phase 1: main, initiator - rsasig, 3des-cbc, sha1, DH group 2 - entrust, subjectaltname = ipaddress - Notes: - - I had not sent CR, then cisco did not CERT even though rsasig - was negotiated. In this caes, I SHOULD send CR. - - negotiation failed because ID and subjectaltname in Cisco's CERT - mismatched. - - phase 1: main, responder - rsasig, 3des-cbc, sha1, DH group 2 - entrust, subjectaltname = ipaddress - phase 2: - ESP 3des-cbc, hmac-sha1, transport mode, PFS 2 - Notes: - -vs RSA - phase 1: aggressive, initiator - rsasig, 3des-cbc, sha1, DH group 5 - rsa, subjectaltname = ipaddress - phase 2: - ESP 3des-cbc, hmac-sha1, transport mode, PFS 5 - Notes: - - pfs group mismatched. it's racoon's bug. (fixed) - - phase 1: aggressive, responder - rsasig, 3des-cbc, sha1, DH group 2 - rsa, subjectaltname = ipaddress - phase 2: - ESP 3des-cbc, hmac-sha1, transport mode, PFS 2 - Notes: - -vs III - manual key - 1: esp tunnel des-cbc, hmac-md5 - kame sent 1492 bytes packet. but no response. 
- 2: ah transport hmac-sha1 - 1474 bytes packet was replyed from iii. in addition broken 46 bytes. - -vs IBM AIX - phase 1: responder main - rsasig, 3des-cbc, sha1, DH group 2, lifetime 600 - use subjectname as ID payload. - phase 2: PFS group 2 - ESP 3des-cbc, transport mode, lifetime 300 - Notes: - negotiation success on IPv6. - we promise to test for IPv6 subjectaltname over 6bone. - -common problem: -- KAME/FreeBSD3 presents strange behavior with outgoing fragmented packet. - (1) it cannot ping with some specific sizes, on loopback interface - (around 16300 or so). - (2) first fragmented packet is never get replied by the peer. - this depends on operating system type. -- need more checks about kernel ACQUIRE rate-limiting policy. - (1) is the behavior sane when a DELETE/FLUSH is issued? - i have seen no ACQUIRE is passed right after DELETE payload is sent. - (2) should we use ppsratecheck (per-SA) or whatever? shouldn't it be - integrated into SPD/SAD entries? -- IPv6 ND and policy lookup (chicken-and-egg). diff --git a/kame/kame/racoon/dump.c b/kame/kame/racoon/dump.c deleted file mode 100644 index 3104ca5d27..0000000000 --- a/kame/kame/racoon/dump.c +++ /dev/null 
@@ -1,221 +0,0 @@ -/* $KAME: dump.c,v 1.3 2000/09/23 15:31:05 itojun Exp $ */ - -/* - * Copyright (C) 2000 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include -#include -#include -#include - -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#if TIME_WITH_SYS_TIME -# include -# include -#else -# if HAVE_SYS_TIME_H -# include -# else -# include -# endif -#endif -#include -#ifdef HAVE_UNISTD_H -#include -#endif -#include -#include - -#include "vmbuf.h" - -/* copied from pcap-int.h */ -struct pcap_timeval { - u_int32_t tv_sec; /* seconds */ - u_int32_t tv_usec; /* microseconds */ -}; - -struct pcap_sf_pkthdr { - struct pcap_timeval ts; /* time stamp */ - u_int32_t caplen; /* length of portion present */ - u_int32_t len; /* length this packet (off wire) */ -}; - -#define TCPDUMP_MAGIC 0xa1b2c3d4 - -static int fd = -1; - -int -isakmp_dump_open(path) - char *path; -{ - struct pcap_file_header hdr; - - path = "isakmp.dump"; - - if (fd >= 0) - return EBUSY; - - fd = open(path, O_WRONLY|O_CREAT|O_APPEND, 0600); - if (fd < 0) - return errno; - - memset(&hdr, 0, sizeof(hdr)); - hdr.magic = TCPDUMP_MAGIC; - hdr.version_major = PCAP_VERSION_MAJOR; - hdr.version_minor = PCAP_VERSION_MINOR; - - hdr.thiszone = 0; - hdr.snaplen = 60000; /* should be enough */ - hdr.sigfigs = 0; - hdr.linktype = DLT_NULL; - - if (write(fd, &hdr, sizeof(hdr)) != sizeof(hdr)) - return errno; - - return 0; -} - -int -isakmp_dump_close() -{ - close(fd); - fd = -1; - return 0; -} - -int -isakmp_dump(msg, from, my) - vchar_t *msg; - struct sockaddr *from; - struct sockaddr *my; -{ - struct ip ip; -#ifdef INET6 - struct ip6_hdr ip6; -#endif - struct udphdr uh; - int32_t af; /*llhdr for DLT_NULL*/ - struct pcap_sf_pkthdr sf_hdr; - struct timeval tv; - - /* af validation */ - if (from && my) { - if (from->sa_family == my->sa_family) - af = from->sa_family; - else - return EAFNOSUPPORT; - } else if (from) - af = from->sa_family; - else if (my) - af = my->sa_family; - else - af = AF_INET; /*assume it*/ - switch (af) { - case AF_INET: -#ifdef INET6 - case AF_INET6: -#endif - break; - default: - return 
EAFNOSUPPORT; - } - - memset(&sf_hdr, 0, sizeof(sf_hdr)); - gettimeofday(&tv, NULL); - sf_hdr.ts.tv_sec = tv.tv_sec; - sf_hdr.ts.tv_usec = tv.tv_usec; - - /* write out timestamp and llhdr */ - switch (af == AF_INET) { - case AF_INET: - sf_hdr.caplen = sf_hdr.len = sizeof(ip); - break; - case AF_INET6: - sf_hdr.caplen = sf_hdr.len = sizeof(ip6); - break; - } - sf_hdr.caplen += sizeof(af) + sizeof(uh) + msg->l; - sf_hdr.len += sizeof(af) + sizeof(uh) + msg->l; - if (write(fd, &sf_hdr, sizeof(sf_hdr)) < sizeof(sf_hdr)) - return errno; - if (write(fd, &af, sizeof(af)) < sizeof(af)) - return errno; - - /* write out llhdr and ip header */ - if (af == AF_INET) { - memset(&ip, 0, sizeof(ip)); - ip.ip_v = IPVERSION; - ip.ip_hl = sizeof(ip) >> 2; - if (from) - ip.ip_src = ((struct sockaddr_in *)from)->sin_addr; - if (my) - ip.ip_dst = ((struct sockaddr_in *)my)->sin_addr; - ip.ip_p = IPPROTO_UDP; - ip.ip_ttl = 1; - ip.ip_len = htons(sizeof(ip) + sizeof(uh) + msg->l); - if (write(fd, &ip, sizeof(ip)) < sizeof(ip)) - return errno; - } else if (af == AF_INET6) { - memset(&ip6, 0, sizeof(ip6)); - ip6.ip6_vfc = IPV6_VERSION; - if (from) - ip6.ip6_src = ((struct sockaddr_in6 *)from)->sin6_addr; - if (my) - ip6.ip6_dst = ((struct sockaddr_in6 *)my)->sin6_addr; - ip6.ip6_nxt = IPPROTO_UDP; - ip6.ip6_plen = htons(sizeof(uh) + msg->l); - ip6.ip6_hlim = 1; - if (write(fd, &ip6, sizeof(ip6)) < sizeof(ip6)) - return errno; - } - - /* write out udp header */ - memset(&uh, 0, sizeof(uh)); - uh.uh_sport = htons(500); - uh.uh_dport = htons(500); - uh.uh_ulen = htons(msg->l & 0xffff); - uh.uh_sum = htons(0x0000); /*no checksum - invalid for IPv6*/ - if (write(fd, &uh, sizeof(uh)) < sizeof(uh)) - return errno; - - /* write out payload */ - if (write(fd, msg->v, msg->l) != msg->l) - return errno; - - return 0; -} diff --git a/kame/kame/racoon/dump.h b/kame/kame/racoon/dump.h deleted file mode 100644 index 4fe7395eb2..0000000000 --- a/kame/kame/racoon/dump.h +++ /dev/null 
@@ -1,34 +0,0 @@ -/* $KAME: dump.h,v 1.1 2000/09/22 19:50:00 itojun Exp $ */ - -/* - * Copyright (C) 2000 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -extern int isakmp_dump_open __P((char *)); -extern int isakmp_dump_close __P((void)); -extern int isakmp_dump __P((vchar_t *, struct sockaddr *, struct sockaddr *)); diff --git a/kame/kame/racoon/eaytest.c b/kame/kame/racoon/eaytest.c deleted file mode 100644 index 6391621bd8..0000000000 --- a/kame/kame/racoon/eaytest.c +++ /dev/null 
@@ -1,966 +0,0 @@
-/* $KAME: eaytest.c,v 1.45 2004/06/16 11:55:36 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include
-#include
-#include
-
-#include
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include
-#include
-
-#include "var.h"
-#include "vmbuf.h"
-#include "misc.h"
-#include "debug.h"
-#include "str2val.h"
-
-#include "oakley.h"
-#include "dhgroup.h"
-#include "crypto_openssl.h"
-
-#define PVDUMP(var) hexdump((var)->v, (var)->l)
-
-u_int32_t loglevel = 4;
-
-/* prototype */
-void plog __P((int, const char *, struct sockaddr *, const char *, ...));
-
-void rsatest __P((int, char **));
-#if 0
-static vchar_t *pem_read_buf __P((char *));
-#endif
-void certtest __P((int, char **));
-static char **getcerts __P((char *));
-void ciphertest __P((int, char **));
-void hmactest __P((int, char **));
-#ifdef WITH_SHA2
-void sha2test __P((int, char **));
-#endif
-void sha1test __P((int, char **));
-void md5test __P((int, char **));
-void dhtest __P((int, char **));
-void bntest __P((int, char **));
-void Usage __P((void));
-
-void
-plog(int pri, const char *func, struct sockaddr *sa, const char *fmt, ...)
-{ - va_list ap; - - va_start(ap, fmt); - vprintf(fmt, ap); - va_end(ap); -} - -/* test */ - -void -rsatest(ac, av) - int ac; - char **av; -{ -#if 0 - char *text = "this is test."; - vchar_t src; - vchar_t *priv, *pub, *sig; - int error; - - char *pkcs1 = -"-----BEGIN RSA PRIVATE KEY-----\n" -"MIICXQIBAAKBgQChe5/Fzk9SA0vCKBOcu9jBcLb9oLv50PeuEfQojhakY+OH8A3Q\n" -"M8A0qIDG6uhTNGPvzCWb/+mKeOB48n5HJpLxlDFyP3kyd2yXHIZ/MN8g1nh4FsB0\n" -"iTkk8QUCJkkan6FCOBrIeLEsGA5AdodzuR+khnCMt8vO+NFHZYKAQeynyQIDAQAB\n" -"AoGAOfDcnCHxjhDGrwyoNNWl6Yqi7hAtQm67YAbrH14UO7nnmxAENM9MyNgpFLaW\n" -"07v5m8IZQIcradcDXAJOUwNBN8E06UflwEYCaScIwndvr5UpVlN3e2NC6Wyg2yC7\n" -"GarxQput3zj35XNR5bK42UneU0H6zDxpHWqI1SwE+ToAHu0CQQDNl9gUJTpg0L09\n" -"HkbE5jeb8bA5I20nKqBOBP0v5tnzpwu41umQwk9I7Ru0ucD7j+DW4k8otadW+FnI\n" -"G1M1MpSjAkEAyRMt4bN8otfpOpsOQWzw4jQtouohOxRFCrQTntHhU20PrQnQLZWs\n" -"pOVzqCjRytYtkPEUA1z8QK5gGcVPcOQsowJBALmt2rwPB1NrEo5Bat7noO+Zb3Ob\n" -"WDiYWeE8xkHd95gDlSWiC53ur9aINo6ZeP556jGIgL+el/yHHecJLrQL84sCQH48\n" -"zUxq/C/cb++8UzneJGlPqusiJNTLiAENR1gpmlZfHT1c8Nb9phMsfu0vG29GAfuC\n" -"bzchVLljALCNQK+2gRMCQQCNIgN+R9mRWZhFAcC1sq++YnuSBlw4VwdL/fd1Yg9e\n" -"Ul+U98yPl/NXt8Rs4TRBFcOZjkFI8xv0hQtevTgTmgz+\n" -"-----END RSA PRIVATE KEY-----\n\n"; - char *pubkey = -"-----BEGIN PUBLIC KEY-----\n" -"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQChe5/Fzk9SA0vCKBOcu9jBcLb9\n" -"oLv50PeuEfQojhakY+OH8A3QM8A0qIDG6uhTNGPvzCWb/+mKeOB48n5HJpLxlDFy\n" -"P3kyd2yXHIZ/MN8g1nh4FsB0iTkk8QUCJkkan6FCOBrIeLEsGA5AdodzuR+khnCM\n" -"t8vO+NFHZYKAQeynyQIDAQAB\n" -"-----END PUBLIC KEY-----\n\n"; - - priv = pem_read_buf(pkcs1); - - src.v = text; - src.l = strlen(text); - - /* sign */ - sig = eay_rsa_sign(&src, priv); - if (sig == NULL) - printf("sign failed. 
%s\n", eay_strerror()); - printf("RSA signed data.\n"); - PVDUMP(sig); - - /* verify */ - pub = pem_read_buf(pubkey); - error = eay_rsa_verify(&src, sig, pub); - if (error) - printf("verifying failed.\n"); - else - printf("verified.\n"); -#endif - return; -} - -#if 0 -static vchar_t * -pem_read_buf(buf) - char *buf; -{ - BIO *bio; - char *nm = NULL, *header = NULL; - unsigned char *data = NULL; - long len; - vchar_t *ret; - int error; - - bio = BIO_new_mem_buf(buf, strlen(buf)); - error = PEM_read_bio(bio, &nm, &header, &data, &len); - if (error == 0) - errx(1, "%s", eay_strerror()); - ret = vmalloc(len); - if (ret == NULL) - err(1, "vmalloc"); - memcpy(ret->v, data, len); - - return ret; -} -#endif - -void -certtest(ac, av) - int ac; - char **av; -{ - char *certpath; - char **certs; - int type; - int error; - - printf("\n**Test for Certificate.**\n"); - - { - char dnstr[] = "C=JP, ST=Kanagawa, L=Fujisawa, O=WIDE Project, OU=KAME Project, CN=Shoichi Sakane/Email=sakane@kame.net"; - vchar_t *asn1dn = NULL, asn1dn0; - char dn0[] = { - 0x30,0x81,0x9a,0x31,0x0b,0x30,0x09,0x06, - 0x03,0x55,0x04,0x06,0x13,0x02,0x4a,0x50, - 0x31,0x11,0x30,0x0f,0x06,0x03,0x55,0x04, - 0x08,0x13,0x08,0x4b,0x61,0x6e,0x61,0x67, - 0x61,0x77,0x61,0x31,0x11,0x30,0x0f,0x06, - 0x03,0x55,0x04,0x07,0x13,0x08,0x46,0x75, - 0x6a,0x69,0x73,0x61,0x77,0x61,0x31,0x15, - 0x30,0x13,0x06,0x03,0x55,0x04,0x0a,0x13, - 0x0c,0x57,0x49,0x44,0x45,0x20,0x50,0x72, - 0x6f,0x6a,0x65,0x63,0x74,0x31,0x15,0x30, - 0x13,0x06,0x03,0x55,0x04,0x0b,0x13,0x0c, - 0x4b,0x41,0x4d,0x45,0x20,0x50,0x72,0x6f, - 0x6a,0x65,0x63,0x74,0x31,0x17,0x30,0x15, - 0x06,0x03,0x55,0x04,0x03,0x13,0x0e,0x53, - 0x68,0x6f,0x69,0x63,0x68,0x69,0x20,0x53, - 0x61,0x6b,0x61,0x6e,0x65,0x31,0x1e,0x30, - 0x1c,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7, - 0x0d,0x01,0x09,0x01, - 0x0c, /* <== XXX */ - 0x0f,0x73,0x61, - 0x6b,0x61,0x6e,0x65,0x40,0x6b,0x61,0x6d, - 0x65,0x2e,0x6e,0x65,0x74, - }; - - printf("check to convert the string into subjectName.\n"); - printf("%s\n", 
dnstr); - - asn1dn0.v = dn0; - asn1dn0.l = sizeof(dn0); - - asn1dn = eay_str2asn1dn(dnstr, sizeof(dnstr)); - if (asn1dn == NULL || asn1dn->l != asn1dn0.l) - errx(1, "asn1dn length mismatched.\n"); - - /* - * NOTE: The value pointed by "<==" above is different from the - * return of eay_str2asn1dn(). but eay_cmp_asn1dn() can distinguish - * both of the names are same name. - */ - if (eay_cmp_asn1dn(&asn1dn0, asn1dn)) - errx(1, "asn1dn mismatched.\n"); - vfree(asn1dn); - - printf("succeed.\n"); - } - - eay_init_error(); - - /* get certs */ - if (ac > 1) { - certpath = *(av + 1); - certs = getcerts(certpath); - } else { - printf("\nCAUTION: These certificates are probably invalid " - "on your environment because you don't have their " - "issuer's certs in your environment.\n\n"); - - certpath = "/usr/local/openssl/certs"; - certs = getcerts(NULL); - } - - while (*certs != NULL) { - - vchar_t c; - char *str; - vchar_t *vstr; - - printf("===CERT===\n"); - - c.v = *certs; - c.l = strlen(*certs); - - /* print text */ - str = eay_get_x509text(&c); - printf("%s", str); - racoon_free(str); - - /* print ASN.1 of subject name */ - vstr = eay_get_x509asn1subjectname(&c); - if (!vstr) - return; - PVDUMP(vstr); - printf("\n"); - vfree(vstr); - - /* print subject alt name */ - { - int pos; - for (pos = 1; ; pos++) { - error = eay_get_x509subjectaltname(&c, &str, &type, pos); - if (error) { - printf("no subjectaltname found.\n"); - break; - } - if (!str) - break; - printf("SubjectAltName: %d: %s\n", type, str); - racoon_free(str); - } - } - - error = eay_check_x509cert(&c, certpath, 1); - if (error) - printf("ERROR: cert is invalid.\n"); - printf("\n"); - - certs++; - } -} - -static char ** -getcerts(path) - char *path; -{ - char **certs = NULL, **p; - DIR *dirp; - struct dirent *dp; - struct stat sb; - char buf[512]; - int len; - int n; - int fd; - - static char *samplecerts[] = { -/* self signed */ -"-----BEGIN CERTIFICATE-----\n" 
-"MIICpTCCAg4CAQAwDQYJKoZIhvcNAQEEBQAwgZoxCzAJBgNVBAYTAkpQMREwDwYD\n" -"VQQIEwhLYW5hZ2F3YTERMA8GA1UEBxMIRnVqaXNhd2ExFTATBgNVBAoTDFdJREUg\n" -"UHJvamVjdDEVMBMGA1UECxMMS0FNRSBQcm9qZWN0MRcwFQYDVQQDEw5TaG9pY2hp\n" -"IFNha2FuZTEeMBwGCSqGSIb3DQEJARYPc2FrYW5lQGthbWUubmV0MB4XDTAwMDgy\n" -"NDAxMzc0NFoXDTAwMDkyMzAxMzc0NFowgZoxCzAJBgNVBAYTAkpQMREwDwYDVQQI\n" -"EwhLYW5hZ2F3YTERMA8GA1UEBxMIRnVqaXNhd2ExFTATBgNVBAoTDFdJREUgUHJv\n" -"amVjdDEVMBMGA1UECxMMS0FNRSBQcm9qZWN0MRcwFQYDVQQDEw5TaG9pY2hpIFNh\n" -"a2FuZTEeMBwGCSqGSIb3DQEJARYPc2FrYW5lQGthbWUubmV0MIGfMA0GCSqGSIb3\n" -"DQEBAQUAA4GNADCBiQKBgQCpIQG/H3zn4czAmPBcbkDrYxE1A9vcpghpib3Of0Op\n" -"SsiWIBOyIMiVAzK/I/JotWp3Vdn5fzGp/7DGAbWXAALas2xHkNmTMPpu6qhmNQ57\n" -"kJHZHal24mgc1hwbrI9fb5olvIexx9a1riNPnKMRVHzXYizsyMbf+lJJmZ8QFhWN\n" -"twIDAQABMA0GCSqGSIb3DQEBBAUAA4GBACKs6X/BYycuHI3iop403R3XWMHHnNBN\n" -"5XTHVWiWgR1cMWkq/dp51gn+nPftpdAaYGpqGkiHGhZcXLoBaX9uON3p+7av+sQN\n" -"plXwnvUf2Zsgu+fojskS0gKcDlYiq1O8TOaBgJouFZgr1q6PiYjVEJGogAP28+HN\n" -"M4o+GBFbFoqK\n" -"-----END CERTIFICATE-----\n\n", -/* signed by SSH testing CA + CA1 + CA2 */ -"-----BEGIN X509 CERTIFICATE-----\n" -"MIICtTCCAj+gAwIBAgIEOaR8NjANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJG\n" -"STEkMCIGA1UEChMbU1NIIENvbW11bmljYXRpb25zIFNlY3VyaXR5MREwDwYDVQQL\n" -"EwhXZWIgdGVzdDEbMBkGA1UEAxMSVGVzdCBDQSAxIHN1YiBjYSAyMB4XDTAwMDgy\n" -"NDAwMDAwMFoXDTAwMTAwMTAwMDAwMFowgZoxCzAJBgNVBAYTAkpQMREwDwYDVQQI\n" -"EwhLYW5hZ2F3YTERMA8GA1UEBxMIRnVqaXNhd2ExFTATBgNVBAoTDFdJREUgUHJv\n" -"amVjdDEVMBMGA1UECxMMS0FNRSBQcm9qZWN0MRcwFQYDVQQDEw5TaG9pY2hpIFNh\n" -"a2FuZTEeMBwGCSqGSIb3DQEJAQwPc2FrYW5lQGthbWUubmV0MIGfMA0GCSqGSIb3\n" -"DQEBAQUAA4GNADCBiQKBgQCpIQG/H3zn4czAmPBcbkDrYxE1A9vcpghpib3Of0Op\n" -"SsiWIBOyIMiVAzK/I/JotWp3Vdn5fzGp/7DGAbWXAALas2xHkNmTMPpu6qhmNQ57\n" -"kJHZHal24mgc1hwbrI9fb5olvIexx9a1riNPnKMRVHzXYizsyMbf+lJJmZ8QFhWN\n" -"twIDAQABo18wXTALBgNVHQ8EBAMCBaAwGgYDVR0RBBMwEYEPc2FrYW5lQGthbWUu\n" -"bmV0MDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9sZGFwLnNzaC5maS9jcmxzL2Nh\n" 
-"MS0yLmNybDANBgkqhkiG9w0BAQUFAANhADtaqual41OWshF/rwCTuR6zySBJysGp\n" -"+qjkp5efCiYKhAu1L4WXlMsV/SNdzspui5tHasPBvUw8gzFsU/VW/B2zuQZkimf1\n" -"u6ZPjUb/vt8vLOPScP5MeH7xrTk9iigsqQ==\n" -"-----END X509 CERTIFICATE-----\n\n", -/* VP100 */ -"-----BEGIN CERTIFICATE-----\n" -"MIICXzCCAcigAwIBAgIEOXGBIzANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJG\n" -"STEkMCIGA1UEChMbU1NIIENvbW11bmljYXRpb25zIFNlY3VyaXR5MREwDwYDVQQL\n" -"EwhXZWIgdGVzdDESMBAGA1UEAxMJVGVzdCBDQSAxMB4XDTAwMDcxNjAwMDAwMFoX\n" -"DTAwMDkwMTAwMDAwMFowNTELMAkGA1UEBhMCanAxETAPBgNVBAoTCHRhaGl0ZXN0\n" -"MRMwEQYDVQQDEwpmdXJ1a2F3YS0xMIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKB\n" -"gQDUmI2RaAuoLvtRDbASwRhbkj/Oq0BBIKgAqbFknc/EanJSQwZQu82gD88nf7gG\n" -"VEioWmKPLDuEjz5JCuM+k5f7HYHI1wWmz1KFr7UA+avZm4Kp6YKnhuH7soZp7kBL\n" -"hTiZEpL0jdmCWLW3ZXoro55rmPrBsCd+bt8VU6tRZm5dUwIBKaNZMFcwCwYDVR0P\n" -"BAQDAgWgMBYGA1UdEQQPMA2CBVZQMTAwhwQKFIaFMDAGA1UdHwQpMCcwJaAjoCGG\n" -"H2h0dHA6Ly9sZGFwLnNzaC5maS9jcmxzL2NhMS5jcmwwDQYJKoZIhvcNAQEFBQAD\n" -"gYEAKJ/2Co/KYW65mwpGG3CBvsoRL8xyUMHGt6gQpFLHiiHuAdix1ADTL6uoFuYi\n" -"4sE5omQm1wKVv2ZhS03zDtUfKoVEv0HZ7IY3AU/FZT/M5gQvbt43Dki/ma3ock2I\n" -"PPhbLsvXm+GCVh3jvkYGk1zr7VERVeTPtmT+hW63lcxfFp4=\n" -"-----END CERTIFICATE-----\n\n", -/* IKED */ -"-----BEGIN CERTIFICATE-----\n" -"MIIEFTCCA7+gAwIBAgIKYU5X6AAAAAAACTANBgkqhkiG9w0BAQUFADCBljEpMCcG\n" -"CSqGSIb3DQEJARYaeS13YXRhbmFAc2RsLmhpdGFjaGkuY28uanAxCzAJBgNVBAYT\n" -"AkpQMREwDwYDVQQIEwhLQU5BR0FXQTERMA8GA1UEBxMIWW9rb2hhbWExEDAOBgNV\n" -"BAoTB0hJVEFDSEkxDDAKBgNVBAsTA1NETDEWMBQGA1UEAxMNSVBzZWMgVGVzdCBD\n" -"QTAeFw0wMDA3MTUwMjUxNDdaFw0wMTA3MTUwMzAxNDdaMEUxCzAJBgNVBAYTAkpQ\n" -"MREwDwYDVQQIEwhLQU5BR0FXQTEQMA4GA1UEChMHSElUQUNISTERMA8GA1UEAxMI\n" -"V0FUQU5BQkUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA6Wja5A7Ldzrtx+rMWHEB\n" -"Cyt+/ZoG0qdFQbuuUiU1vOSq+1f+ZSCYAdTq13Lrr6Xfz3jDVFEZLPID9PSTFwq+\n" -"yQIDAQABo4ICPTCCAjkwDgYDVR0PAQH/BAQDAgTwMBMGA1UdJQQMMAoGCCsGAQUF\n" -"CAICMB0GA1UdDgQWBBTkv7/MH5Ra+S1zBAmnUIH5w8ZTUTCB0gYDVR0jBIHKMIHH\n" 
-"gBQsF2qoaTl5F3GFLKrttaxPJ8j4faGBnKSBmTCBljEpMCcGCSqGSIb3DQEJARYa\n" -"eS13YXRhbmFAc2RsLmhpdGFjaGkuY28uanAxCzAJBgNVBAYTAkpQMREwDwYDVQQI\n" -"EwhLQU5BR0FXQTERMA8GA1UEBxMIWW9rb2hhbWExEDAOBgNVBAoTB0hJVEFDSEkx\n" -"DDAKBgNVBAsTA1NETDEWMBQGA1UEAxMNSVBzZWMgVGVzdCBDQYIQeccIf4GYDIBA\n" -"rS6HSUt8XjB7BgNVHR8EdDByMDagNKAyhjBodHRwOi8vZmxvcmEyMjAvQ2VydEVu\n" -"cm9sbC9JUHNlYyUyMFRlc3QlMjBDQS5jcmwwOKA2oDSGMmZpbGU6Ly9cXGZsb3Jh\n" -"MjIwXENlcnRFbnJvbGxcSVBzZWMlMjBUZXN0JTIwQ0EuY3JsMIGgBggrBgEFBQcB\n" -"AQSBkzCBkDBFBggrBgEFBQcwAoY5aHR0cDovL2Zsb3JhMjIwL0NlcnRFbnJvbGwv\n" -"ZmxvcmEyMjBfSVBzZWMlMjBUZXN0JTIwQ0EuY3J0MEcGCCsGAQUFBzAChjtmaWxl\n" -"Oi8vXFxmbG9yYTIyMFxDZXJ0RW5yb2xsXGZsb3JhMjIwX0lQc2VjJTIwVGVzdCUy\n" -"MENBLmNydDANBgkqhkiG9w0BAQUFAANBAG8yZAWHb6g3zba453Hw5loojVDZO6fD\n" -"9lCsyaxeo9/+7x1JEEcdZ6qL7KKqe7ZBwza+hIN0ITkp2WEWo22gTz4=\n" -"-----END CERTIFICATE-----\n\n", -/* From Entrust */ -"-----BEGIN CERTIFICATE-----\n" -"MIIDXTCCAsagAwIBAgIEOb6khTANBgkqhkiG9w0BAQUFADA4MQswCQYDVQQGEwJV\n" -"UzEQMA4GA1UEChMHRW50cnVzdDEXMBUGA1UECxMOVlBOIEludGVyb3AgUk8wHhcN\n" -"MDAwOTE4MjMwMDM3WhcNMDMwOTE4MjMzMDM3WjBTMQswCQYDVQQGEwJVUzEQMA4G\n" -"A1UEChMHRW50cnVzdDEXMBUGA1UECxMOVlBOIEludGVyb3AgUk8xGTAXBgNVBAMT\n" -"EFNob2ljaGkgU2FrYW5lIDIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKj3\n" -"eXSt1qXxFXzpa265B/NQYk5BZN7pNJg0tlTKBTVV3UgpQ92Bx5DoNfZh11oIv0Sw\n" -"6YnG5p9F9ma36U9HDoD3hVTjAvQKy4ssCsnU1y6v5XOU1QvYQo6UTzgsXUTaIau4\n" -"Lrccl+nyoiNzy3lG51tLR8CxuA+3OOAK9xPjszClAgMBAAGjggFXMIIBUzBABgNV\n" -"HREEOTA3gQ9zYWthbmVAa2FtZS5uZXSHBM6vIHWCHjIwNi0xNzUtMzItMTE3LnZw\n" -"bndvcmtzaG9wLmNvbTATBgNVHSUEDDAKBggrBgEFBQgCAjALBgNVHQ8EBAMCAKAw\n" -"KwYDVR0QBCQwIoAPMjAwMDA5MTgyMzAwMzdagQ8yMDAyMTAyNTExMzAzN1owWgYD\n" -"VR0fBFMwUTBPoE2gS6RJMEcxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0\n" -"MRcwFQYDVQQLEw5WUE4gSW50ZXJvcCBSTzENMAsGA1UEAxMEQ1JMMTAfBgNVHSME\n" -"GDAWgBTzVmhu0tBoWKwkZE5mXpooE9630DAdBgNVHQ4EFgQUEgBHPtXggJqei5Xz\n" -"92CrWXTJxfAwCQYDVR0TBAIwADAZBgkqhkiG9n0HQQAEDDAKGwRWNS4wAwIEsDAN\n" 
-"BgkqhkiG9w0BAQUFAAOBgQCIFriNGMUE8GH5LuDrTJfA8uGx8vLy2seljuo694TR\n" -"et/ojp9QnfOJ1PF9iAdGaEaSLfkwhY4fZNZzxic5HBoHLeo9BXLP7i7FByXjvOZC\n" -"Y8++0dC8NVvendIILcJBM5nbDq1TqIbb8K3SP80XhO5JLVJkoZiQftAMjo0peZPO\n" -"EQ==\n" -"-----END CERTIFICATE-----\n\n", - NULL, - }; - - if (path == NULL) - return (char **)&samplecerts; - - stat(path, &sb); - if (!(sb.st_mode & S_IFDIR)) { - printf("ERROR: %s is not directory.\n", path); - exit(0); - } - - dirp = opendir(path); - if (dirp == NULL) { - printf("opendir failed.\n"); - exit(0); - } - - n = 0; - while ((dp = readdir(dirp)) != NULL) { - if (dp->d_type != DT_REG) - continue; - if (strcmp(dp->d_name + dp->d_namlen - 4, "cert")) - continue; - snprintf(buf, sizeof(buf), "%s/%s", path, dp->d_name); - stat(buf, &sb); - - p = (char **)realloc(certs, (n + 1) * sizeof(certs)); - if (p == NULL) - err(1, "realloc"); - certs = p; - - certs[n] = malloc(sb.st_size + 1); - if (certs[n] == NULL) - err(1, "malloc"); - - fd = open(buf, O_RDONLY); - if (fd == -1) - err(1, "open"); - len = read(fd, certs[n], sb.st_size); - if (len == -1) - err(1, "read"); - if (len != sb.st_size) - errx(1, "read: length mismatch"); - certs[n][sb.st_size] = '\0'; - close(fd); - - printf("%s: %d\n", dp->d_name, (int)sb.st_size); - - n++; - } - - p = (char **)realloc(certs, (n + 1) * sizeof(certs)); - if (p == NULL) - err(1, "realloc"); - certs = p; - certs[n] = NULL; - - return certs; -} - -void -ciphertest(ac, av) - int ac; - char **av; -{ - vchar_t data; - vchar_t key; - vchar_t iv0; - vchar_t *res1, *res2, *iv; - - printf("\n**Test for CIPHER.**\n"); - - data.v = str2val("\ -06000017 03000000 73616b61 6e65406b 616d652e 6e657409 0002c104 308202b8 \ -04f05a90 \ - ", 16, &data.l); - key.v = str2val("f59bd70f 81b9b9cc 2a32c7fd 229a4b37", 16, &key.l); - iv0.v = str2val("26b68c90 9467b4ab 7ec29fa0 0b696b55", 16, &iv0.l); - - iv = vmalloc(8); - - /* des */ - printf("DES\n"); - printf("data:\n"); - PVDUMP(&data); - - memcpy(iv->v, iv0.v, 8); - res1 = 
eay_des_encrypt(&data, &key, iv); - if (res1 == NULL) - errx(1, "length must be 8"); - printf("encrypto:\n"); - PVDUMP(res1); - - memcpy(iv->v, iv0.v, 8); - res2 = eay_des_decrypt(res1, &key, iv); - printf("decrypto:\n"); - PVDUMP(res2); - - if (memcmp(data.v, res2->v, data.l)) - printf("XXX NG XXX\n"); - vfree(res1); - vfree(res2); - -#ifdef HAVE_OPENSSL_IDEA_H - /* idea */ - printf("IDEA\n"); - printf("data:\n"); - PVDUMP(&data); - - memcpy(iv->v, iv0.v, 8); - res1 = eay_idea_encrypt(&data, &key, iv); - printf("encrypto:\n"); - PVDUMP(res1); - - memcpy(iv->v, iv0.v, 8); - res2 = eay_idea_decrypt(res1, &key, iv); - printf("decrypto:\n"); - PVDUMP(res2); - - if (memcmp(data.v, res2->v, data.l)) - printf("XXX NG XXX\n"); - vfree(res1); - vfree(res2); -#endif - - /* blowfish */ - printf("BLOWFISH\n"); - printf("data:\n"); - PVDUMP(&data); - - memcpy(iv->v, iv0.v, 8); - res1 = eay_bf_encrypt(&data, &key, iv); - printf("encrypto:\n"); - PVDUMP(res1); - - memcpy(iv->v, iv0.v, 8); - res2 = eay_bf_decrypt(res1, &key, iv); - printf("decrypto:\n"); - PVDUMP(res2); - - if (memcmp(data.v, res2->v, data.l)) - printf("XXX NG XXX\n"); - vfree(res1); - vfree(res2); - -#ifdef HAVE_OPENSSL_RC5_H - /* rc5 */ - printf("RC5\n"); - printf("data:\n"); - PVDUMP(&data); - - memcpy(iv->v, iv0.v, 8); - res1 = eay_bf_encrypt(&data, &key, iv); - printf("encrypto:\n"); - PVDUMP(res1); - - memcpy(iv->v, iv0.v, 8); - res2 = eay_bf_decrypt(res1, &key, iv); - printf("decrypto:\n"); - PVDUMP(res2); - - if (memcmp(data.v, res2->v, data.l)) - printf("XXX NG XXX\n"); - vfree(res1); - vfree(res2); -#endif - - /* 3des */ - printf("3DES\n"); - printf("data:\n"); - PVDUMP(&data); - - memcpy(iv->v, iv0.v, 8); - res1 = eay_3des_encrypt(&data, &key, iv); - printf("encrypto:\n"); - if (res1) - PVDUMP(res1); - - memcpy(iv->v, iv0.v, 8); - res2 = eay_3des_decrypt(res1, &key, iv); - printf("decrypto:\n"); - if (res1) - PVDUMP(res2); - - if (res2 && memcmp(data.v, res2->v, data.l)) - printf("XXX NG XXX\n"); - 
vfree(res1); - vfree(res2); - - /* cast */ - printf("CAST\n"); - printf("data:\n"); - PVDUMP(&data); - - memcpy(iv->v, iv0.v, 8); - res1 = eay_cast_encrypt(&data, &key, iv); - printf("encrypto:\n"); - PVDUMP(res1); - - memcpy(iv->v, iv0.v, 8); - res2 = eay_cast_decrypt(res1, &key, iv); - printf("decrypto:\n"); - PVDUMP(res2); - - if (memcmp(data.v, res2->v, data.l)) - printf("XXX NG XXX\n"); - vfree(res1); - vfree(res2); - - /* aes */ - iv = vrealloc(iv, 16); - - printf("AES\n"); - printf("data:\n"); - PVDUMP(&data); - - { - vchar_t *buf; - int padlen = 16 - data.l % 16; - buf = vmalloc(data.l + padlen); - memcpy(buf->v, data.v, data.l); - - memcpy(iv->v, iv0.v, 16); - res1 = eay_aes_encrypt(buf, &key, iv); - printf("encrypto:\n"); - PVDUMP(res1); - - memcpy(iv->v, iv0.v, 16); - res2 = eay_aes_decrypt(res1, &key, iv); - printf("decrypto:\n"); - PVDUMP(res2); - - if (memcmp(data.v, res2->v, data.l)) - printf("XXX NG XXX\n"); - vfree(res1); - vfree(res2); - } -} - -void -hmactest(ac, av) - int ac; - char **av; -{ - char *keyword = "hehehe test secret!"; - char *object = "d7e6a6c1876ef0488bb74958b9fee94e"; - char *object1 = "d7e6a6c1876ef048"; - char *object2 = "8bb74958b9fee94e"; - char *r_hmd5 = "5702d7d1 fd1bfc7e 210fc9fa cda7d02c"; - char *r_hsha1 = "309999aa 9779a43e ebdea839 1b4e7ee1 d8646874"; -#ifdef WITH_SHA2 - char *r_hsha2 = "d47262d8 a5b6f39d d8686939 411b3e79 ed2e27f9 2c4ea89f dd0a06ae 0c0aa396"; -#endif - vchar_t *key, *data, *data1, *data2, *res; - vchar_t mod; - caddr_t ctx; - - printf("\n**Test for HMAC MD5 & SHA1.**\n"); - - key = vmalloc(strlen(keyword)); - memcpy(key->v, keyword, key->l); - - data = vmalloc(strlen(object)); - data1 = vmalloc(strlen(object1)); - data2 = vmalloc(strlen(object2)); - memcpy(data->v, object, data->l); - memcpy(data1->v, object1, data1->l); - memcpy(data2->v, object2, data2->l); - - /* HMAC MD5 */ - printf("HMAC MD5 by eay_hmacmd5_one()\n"); - res = eay_hmacmd5_one(key, data); - PVDUMP(res); - mod.v = str2val(r_hmd5, 16, 
&mod.l); - if (memcmp(res->v, mod.v, mod.l)) - printf(" XXX NG XXX\n"); - free(mod.v); - vfree(res); - - /* HMAC MD5 */ - printf("HMAC MD5 by eay_hmacmd5_xxx()\n"); - ctx = eay_hmacmd5_init(key); - eay_hmacmd5_update(ctx, data1); - eay_hmacmd5_update(ctx, data2); - res = eay_hmacmd5_final(ctx); - PVDUMP(res); - mod.v = str2val(r_hmd5, 16, &mod.l); - if (memcmp(res->v, mod.v, mod.l)) - printf(" XXX NG XXX\n"); - free(mod.v); - vfree(res); - -#ifdef WITH_SHA2 - /* HMAC SHA2 */ - printf("HMAC SHA2 by eay_hmacsha2_256_one()\n"); - res = eay_hmacsha2_256_one(key, data); - PVDUMP(res); - mod.v = str2val(r_hsha2, 16, &mod.l); - if (memcmp(res->v, mod.v, mod.l)) - printf(" XXX NG XXX\n"); - free(mod.v); - vfree(res); -#endif - - /* HMAC SHA1 */ - printf("HMAC SHA1 by eay_hmacsha1_one()\n"); - res = eay_hmacsha1_one(key, data); - PVDUMP(res); - mod.v = str2val(r_hsha1, 16, &mod.l); - if (memcmp(res->v, mod.v, mod.l)) - printf(" XXX NG XXX\n"); - free(mod.v); - vfree(res); - - /* HMAC MD5 */ - printf("HMAC SHA1 by eay_hmacsha1_xxx()\n"); - ctx = eay_hmacsha1_init(key); - eay_hmacsha1_update(ctx, data1); - eay_hmacsha1_update(ctx, data2); - res = eay_hmacsha1_final(ctx); - PVDUMP(res); - mod.v = str2val(r_hsha1, 16, &mod.l); - if (memcmp(res->v, mod.v, mod.l)) - printf(" XXX NG XXX\n"); - free(mod.v); - vfree(res); - - vfree(data); - vfree(data1); - vfree(data2); - vfree(key); -} - -void -sha1test(ac, av) - int ac; - char **av; -{ - char *word1 = "1234567890", *word2 = "12345678901234567890"; - caddr_t ctx; - vchar_t *buf, *res; - - printf("\n**Test for SHA1.**\n"); - - ctx = eay_sha1_init(); - buf = vmalloc(strlen(word1)); - memcpy(buf->v, word1, buf->l); - eay_sha1_update(ctx, buf); - eay_sha1_update(ctx, buf); - res = eay_sha1_final(ctx); - PVDUMP(res); - vfree(res); - vfree(buf); - - ctx = eay_sha1_init(); - buf = vmalloc(strlen(word2)); - memcpy(buf->v, word2, buf->l); - eay_sha1_update(ctx, buf); - res = eay_sha1_final(ctx); - PVDUMP(res); - vfree(res); - - res = 
eay_sha1_one(buf); - PVDUMP(res); - vfree(res); - vfree(buf); -} - -void -md5test(ac, av) - int ac; - char **av; -{ - char *word1 = "1234567890", *word2 = "12345678901234567890"; - caddr_t ctx; - vchar_t *buf, *res; - - printf("\n**Test for MD5.**\n"); - - ctx = eay_md5_init(); - buf = vmalloc(strlen(word1)); - memcpy(buf->v, word1, buf->l); - eay_md5_update(ctx, buf); - eay_md5_update(ctx, buf); - res = eay_md5_final(ctx); - PVDUMP(res); - vfree(res); - vfree(buf); - - ctx = eay_md5_init(); - buf = vmalloc(strlen(word2)); - memcpy(buf->v, word2, buf->l); - eay_md5_update(ctx, buf); - res = eay_md5_final(ctx); - PVDUMP(res); - vfree(res); - - res = eay_md5_one(buf); - PVDUMP(res); - vfree(res); - vfree(buf); -} - -void -dhtest(ac, av) - int ac; - char **av; -{ - static struct { - char *name; - char *p; - } px[] = { - { "modp768", OAKLEY_PRIME_MODP768, }, - { "modp1024", OAKLEY_PRIME_MODP1024, }, - { "modp1536", OAKLEY_PRIME_MODP1536, }, - { "modp2048", OAKLEY_PRIME_MODP2048, }, - { "modp3072", OAKLEY_PRIME_MODP3072, }, - { "modp4096", OAKLEY_PRIME_MODP4096, }, - { "modp6144", OAKLEY_PRIME_MODP6144, }, - { "modp8192", OAKLEY_PRIME_MODP8192, }, - }; - vchar_t p1, *pub1, *priv1, *gxy1; - vchar_t p2, *pub2, *priv2, *gxy2; - int i; - - printf("\n**Test for DH.**\n"); - - for (i = 0; i < sizeof(px)/sizeof(px[0]); i++) { - printf("\n**Test for DH %s.**\n", px[i].name); - - p1.v = str2val(px[i].p, 16, &p1.l); - p2.v = str2val(px[i].p, 16, &p2.l); - printf("prime number = \n"); PVDUMP(&p1); - - if (eay_dh_generate(&p1, 2, 96, &pub1, &priv1) < 0) { - printf("error\n"); - return; - } - printf("private key for user 1 = \n"); PVDUMP(priv1); - printf("public key for user 1 = \n"); PVDUMP(pub1); - - if (eay_dh_generate(&p2, 2, 96, &pub2, &priv2) < 0) { - printf("error\n"); - return; - } - printf("private key for user 2 = \n"); PVDUMP(priv2); - printf("public key for user 2 = \n"); PVDUMP(pub2); - - /* process to generate key for user 1 */ - gxy1 = vmalloc(p1.l); - memset(gxy1->v, 
0, gxy1->l);
- eay_dh_compute(&p1, 2, pub1, priv1, pub2, &gxy1);
- printf("sharing gxy1 of user 1 = \n"); PVDUMP(gxy1);
-
- /* process to generate key for user 2 */
- gxy2 = vmalloc(p1.l);
- memset(gxy2->v, 0, gxy2->l);
- eay_dh_compute(&p2, 2, pub2, priv2, pub1, &gxy2);
- printf("sharing gxy2 of user 2 = \n"); PVDUMP(gxy2);
-
- if (memcmp(gxy1->v, gxy2->v, gxy1->l))
- printf("ERROR: sharing gxy mismatched.\n");
-
- vfree(pub1);
- vfree(pub2);
- vfree(priv1);
- vfree(priv2);
- vfree(gxy1);
- vfree(gxy2);
- }
-
- return;
-}
-
-void
-bntest(ac, av)
- int ac;
- char **av;
-{
- vchar_t *rn;
-
- printf("\n**Test for generate a random number.**\n");
-
- rn = eay_set_random((u_int32_t)96);
- PVDUMP(rn);
- vfree(rn);
-}
-
-struct {
- char *name;
- void (*func) __P((int, char **));
-} func[] = {
- { "random", bntest, },
- { "dh", dhtest, },
- { "md5", md5test, },
- { "sha1", sha1test, },
- { "hmac", hmactest, },
- { "cipher", ciphertest, },
- { "cert", certtest, },
- { "rsa", rsatest, },
-};
-
-int
-main(ac, av)
- int ac;
- char **av;
-{
- int i;
- int len = sizeof(func)/sizeof(func[0]);
-
- if (strcmp(*av, "-h") == 0) {
- printf("Usage: eaytest [");
- for (i = 0; i < len; i++) {
- printf("%s", func[i].name);
- if (i != len)
- printf("|");
- }
- printf("]\n");
- Usage();
- }
-
- ac--;
- av++;
-
- if (ac == 0) {
- for (i = 0; i < len; i++)
- (func[i].func)(ac, av);
- } else {
- for (i = 0; i < len; i++) {
- if (strcmp(*av, func[i].name) == 0) {
- (func[i].func)(ac, av);
- break;
- }
- }
- if (i == len)
- Usage();
- }
-
- exit(0);
-}
-
-void
-Usage()
-{
- printf("Usage: eaytest [dh|md5|sha1|hmac|cipher]\n");
- printf(" eaytest cert [cert_directory]\n");
- exit(0);
-}
diff --git a/kame/kame/racoon/gcmalloc.h b/kame/kame/racoon/gcmalloc.h
deleted file mode 100644
index ca085287d6..0000000000
--- a/kame/kame/racoon/gcmalloc.h
+++ /dev/null
@@ -1,114 +0,0 @@
-/* $KAME: gcmalloc.h,v 1.4 2001/11/16 04:34:57 sakane Exp $ */
-
-/*
- * Copyright (C) 2000, 2001 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Debugging malloc glue for Racoon.
- */
-
-#ifndef _GCMALLOC_H_DEFINED
-#define _GCMALLOC_H_DEFINED
-
-/* ElectricFence needs no special handling. */
-
-/*
- * Boehm-GC provides GC_malloc(), GC_realloc(), GC_free() functions,
- * but not the traditional entry points.
So what we do is provide
- * malloc(), calloc(), realloc(), and free() entry points in the main
- * program and letting the linker do the rest.
- */
-#ifdef GC
-#define GC_DEBUG
-#include
-
-#ifdef RACOON_MAIN_PROGRAM
-void *
-malloc(size_t size)
-{
-
- return (GC_MALLOC(size));
-}
-
-void *
-calloc(size_t number, size_t size)
-{
-
- /* GC_malloc() clears the storage. */
- return (GC_MALLOC(number * size));
-}
-
-void *
-realloc(void *ptr, size_t size)
-{
-
- return (GC_REALLOC(ptr, size));
-}
-
-void
-free(void *ptr)
-{
-
- GC_FREE(ptr);
-}
-#endif /* RACOON_MAIN_PROGRAM */
-
-#define racoon_malloc(sz) GC_debug_malloc(sz, GC_EXTRAS)
-#define racoon_calloc(cnt, sz) GC_debug_malloc(cnt * sz, GC_EXTRAS)
-#define racoon_realloc(old, sz) GC_debug_realloc(old, sz, GC_EXTRAS)
-#define racoon_free(p) GC_debug_free(p)
-
-#endif /* GC */
-
-/*
- * Dmalloc only requires that you pull in a header file and link
- * against libdmalloc.
- */
-#ifdef DMALLOC
-#include
-#endif /* DMALLOC */
-
-#ifdef DEBUG_RECORD_MALLOCATION
-#include
-#else
-#ifndef racoon_malloc
-#define racoon_malloc(sz) malloc((sz))
-#endif
-#ifndef racoon_calloc
-#define racoon_calloc(cnt, sz) calloc((cnt), (sz))
-#endif
-#ifndef racoon_realloc
-#define racoon_realloc(old, sz) realloc((old), (sz))
-#endif
-#ifndef racoon_free
-#define racoon_free(p) free((p))
-#endif
-#endif /* DEBUG_RECORD_MALLOCATION */
-
-#endif /* _GCMALLOC_H_DEFINED */
diff --git a/kame/kame/racoon/getcertsbyname.c b/kame/kame/racoon/getcertsbyname.c
deleted file mode 100644
index 59a8757618..0000000000
--- a/kame/kame/racoon/getcertsbyname.c
+++ /dev/null
@@ -1,410 +0,0 @@ -/* $KAME: getcertsbyname.c,v 1.7 2001/11/16 04:12:59 sakane Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include -#include -#include - -#include -#include -#include -#ifdef HAVE_LWRES_GETRRSETBYNAME -#include -#include -#else -#include -#endif -#include -#include -#include - -#ifdef DNSSEC_DEBUG -#include -#include -#endif - -#include "netdb_dnssec.h" - -/* XXX should it use ci_errno to hold errno instead of h_errno ? 
*/ -extern int h_errno; - -static struct certinfo *getnewci __P((int, int, int, int, int, char *)); - -static struct certinfo * -getnewci(qtype, keytag, algorithm, flags, certlen, cert) - int qtype, keytag, algorithm, flags, certlen; - char *cert; -{ - struct certinfo *res; - - res = malloc(sizeof(*res)); - if (!res) - return NULL; - - memset(res, 0, sizeof(*res)); - res->ci_type = qtype; - res->ci_keytag = keytag; - res->ci_algorithm = algorithm; - res->ci_flags = flags; - res->ci_certlen = certlen; - res->ci_cert = malloc(certlen); - if (!res->ci_cert) { - free(res); - return NULL; - } - memcpy(res->ci_cert, cert, certlen); - - return res; -} - -void -freecertinfo(ci) - struct certinfo *ci; -{ - struct certinfo *next; - - do { - next = ci->ci_next; - if (ci->ci_cert) - free(ci->ci_cert); - free(ci); - ci = next; - } while (ci); -} - -/* - * get CERT RR by FQDN and create certinfo structure chain. - */ -#ifdef HAVE_LWRES_GETRRSETBYNAME -#define getrrsetbyname lwres_getrrsetbyname -#define freerrset lwres_freerrset -#define hstrerror lwres_hstrerror -#endif -#if defined(HAVE_LWRES_GETRRSETBYNAME) || defined(AHVE_GETRRSETBYNAME) -int -getcertsbyname(name, res) - char *name; - struct certinfo **res; -{ - int rdlength; - char *cp; - int type, keytag, algorithm; - struct certinfo head, *cur; - struct rrsetinfo *rr = NULL; - int i; - int error = -1; - - /* initialize res */ - *res = NULL; - - memset(&head, 0, sizeof(head)); - cur = &head; - - error = getrrsetbyname(name, C_IN, T_CERT, 0, &rr); - if (error) { -#ifdef DNSSEC_DEBUG - printf("getrrsetbyname: %s\n", hstrerror(error)); -#endif - h_errno = NO_RECOVERY; - goto end; - } - - if (rr->rri_rdclass != C_IN - || rr->rri_rdtype != T_CERT - || rr->rri_nrdatas == 0) { -#ifdef DNSSEC_DEBUG - printf("getrrsetbyname: %s", hstrerror(error)); -#endif - h_errno = NO_RECOVERY; - goto end; - } -#ifdef DNSSEC_DEBUG - if (!(rr->rri_flags & LWRDATA_VALIDATED)) - printf("rr is not valid"); -#endif - - for (i = 0; i < 
rr->rri_nrdatas; i++) { - rdlength = rr->rri_rdatas[i].rdi_length; - cp = rr->rri_rdatas[i].rdi_data; - - GETSHORT(type, cp); /* type */ - rdlength -= INT16SZ; - GETSHORT(keytag, cp); /* key tag */ - rdlength -= INT16SZ; - algorithm = *cp++; /* algorithm */ - rdlength -= 1; - -#ifdef DNSSEC_DEBUG - printf("type=%d keytag=%d alg=%d len=%d\n", - type, keytag, algorithm, rdlength); -#endif - - /* create new certinfo */ - cur->ci_next = getnewci(type, keytag, algorithm, - rr->rri_flags, rdlength, cp); - if (!cur->ci_next) { -#ifdef DNSSEC_DEBUG - printf("getnewci: %s", strerror(errno)); -#endif - h_errno = NO_RECOVERY; - goto end; - } - cur = cur->ci_next; - } - - *res = head.ci_next; - error = 0; - -end: - if (rr) - freerrset(rr); - if (error && head.ci_next) - freecertinfo(head.ci_next); - - return error; -} -#else /*!HAVE_LWRES_GETRRSETBYNAME*/ -int -getcertsbyname(name, res) - char *name; - struct certinfo **res; -{ - caddr_t answer = NULL, p; - int buflen, anslen, len; - HEADER *hp; - int qdcount, ancount, rdlength; - char *cp, *eom; - char hostbuf[1024]; /* XXX */ - int qtype, qclass, keytag, algorithm; - struct certinfo head, *cur; - int error = -1; - - /* initialize res */ - *res = NULL; - - memset(&head, 0, sizeof(head)); - cur = &head; - - /* get CERT RR */ - buflen = 512; - do { - - buflen *= 2; - p = realloc(answer, buflen); - if (!p) { -#ifdef DNSSEC_DEBUG - printf("realloc: %s", strerror(errno)); -#endif - h_errno = NO_RECOVERY; - goto end; - } - answer = p; - - anslen = res_query(name, C_IN, T_CERT, answer, buflen); - if (anslen == -1) - goto end; - - } while (buflen < anslen); - -#ifdef DNSSEC_DEBUG - printf("get a DNS packet len=%d\n", anslen); -#endif - - /* parse CERT RR */ - eom = answer + anslen; - - hp = (HEADER *)answer; - qdcount = ntohs(hp->qdcount); - ancount = ntohs(hp->ancount); - - /* question section */ - if (qdcount != 1) { -#ifdef DNSSEC_DEBUG - printf("query count is not 1.\n"); -#endif - h_errno = NO_RECOVERY; - goto end; - } - cp = 
(char *)(hp + 1); - len = dn_expand(answer, eom, cp, hostbuf, sizeof(hostbuf)); - if (len < 0) { -#ifdef DNSSEC_DEBUG - printf("dn_expand failed.\n"); -#endif - goto end; - } - cp += len; - GETSHORT(qtype, cp); /* QTYPE */ - GETSHORT(qclass, cp); /* QCLASS */ - - /* answer section */ - while (ancount-- && cp < eom) { - len = dn_expand(answer, eom, cp, hostbuf, sizeof(hostbuf)); - if (len < 0) { -#ifdef DNSSEC_DEBUG - printf("dn_expand failed.\n"); -#endif - goto end; - } - cp += len; - GETSHORT(qtype, cp); /* TYPE */ - GETSHORT(qclass, cp); /* CLASS */ - cp += INT32SZ; /* TTL */ - GETSHORT(rdlength, cp); /* RDLENGTH */ - - /* CERT RR */ - if (qtype != T_CERT) { -#ifdef DNSSEC_DEBUG - printf("not T_CERT\n"); -#endif - h_errno = NO_RECOVERY; - goto end; - } - GETSHORT(qtype, cp); /* type */ - rdlength -= INT16SZ; - GETSHORT(keytag, cp); /* key tag */ - rdlength -= INT16SZ; - algorithm = *cp++; /* algorithm */ - rdlength -= 1; - if (cp + rdlength > eom) { -#ifdef DNSSEC_DEBUG - printf("rdlength is too long.\n"); -#endif - h_errno = NO_RECOVERY; - goto end; - } -#ifdef DNSSEC_DEBUG - printf("type=%d keytag=%d alg=%d len=%d\n", - qtype, keytag, algorithm, rdlength); -#endif - - /* create new certinfo */ - cur->ci_next = getnewci(qtype, keytag, algorithm, - 0, rdlength, cp); - if (!cur->ci_next) { -#ifdef DNSSEC_DEBUG - printf("getnewci: %s", strerror(errno)); -#endif - h_errno = NO_RECOVERY; - goto end; - } - cur = cur->ci_next; - - cp += rdlength; - } - - *res = head.ci_next; - error = 0; - -end: - if (answer) - free(answer); - if (error && head.ci_next) - freecertinfo(head.ci_next); - - return error; -} -#endif - -#ifdef DNSSEC_DEBUG -int -b64encode(p, len) - char *p; - int len; -{ - static const char b64t[] = - "ABCDEFGHIJKLMNOPQRSTUVWXYZ" - "abcdefghijklmnopqrstuvwxyz" - "0123456789+/="; - - while (len > 2) { - printf("%c", b64t[(p[0] >> 2) & 0x3f]); - printf("%c", b64t[((p[0] << 4) & 0x30) | ((p[1] >> 4) & 0x0f)]); - printf("%c", b64t[((p[1] << 2) & 0x3c) | ((p[2] 
>> 6) & 0x03)]); - printf("%c", b64t[p[2] & 0x3f]); - len -= 3; - p += 3; - } - - if (len == 2) { - printf("%c", b64t[(p[0] >> 2) & 0x3f]); - printf("%c", b64t[((p[0] << 4) & 0x30)| ((p[1] >> 4) & 0x0f)]); - printf("%c", b64t[((p[1] << 2) & 0x3c)]); - printf("%c", '='); - } else if (len == 1) { - printf("%c", b64t[(p[0] >> 2) & 0x3f]); - printf("%c", b64t[((p[0] << 4) & 0x30)]); - printf("%c", '='); - printf("%c", '='); - } - - return 0; -} - -int -main(ac, av) - int ac; - char **av; -{ - struct certinfo *res, *p; - int i; - - if (ac < 2) { - printf("Usage: a.out (FQDN)\n"); - exit(1); - } - - i = getcertsbyname(*(av + 1), &res); - if (i != 0) { - herror("getcertsbyname"); - exit(1); - } - printf("getcertsbyname succeeded.\n"); - - i = 0; - for (p = res; p; p = p->ci_next) { - printf("certinfo[%d]:\n", i); - printf("\tci_type=%d\n", p->ci_type); - printf("\tci_keytag=%d\n", p->ci_keytag); - printf("\tci_algorithm=%d\n", p->ci_algorithm); - printf("\tci_flags=%d\n", p->ci_flags); - printf("\tci_certlen=%d\n", p->ci_certlen); - printf("\tci_cert: "); - b64encode(p->ci_cert, p->ci_certlen); - printf("\n"); - i++; - } - - freecertinfo(res); - - exit(0); -} -#endif diff --git a/kame/kame/racoon/gnuc.h b/kame/kame/racoon/gnuc.h deleted file mode 100644 index ede4f2c326..0000000000 --- a/kame/kame/racoon/gnuc.h +++ /dev/null 
@@ -1,43 +0,0 @@ -/* $KAME: gnuc.h,v 1.2 2000/09/13 04:50:24 itojun Exp $ */ - -/* Define __P() macro, if necessary */ -#ifndef __P -#if __STDC__ -#define __P(protos) protos -#else -#define __P(protos) () -#endif -#endif - -/* inline foo */ -#ifdef __GNUC__ -#define inline __inline -#else -#define inline -#endif - -/* - * Handle new and old "dead" routine prototypes - * - * For example: - * - * __dead void foo(void) __attribute__((volatile)); - * - */ -#ifdef __GNUC__ -#ifndef __dead -#define __dead volatile -#endif -#if __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 5) -#ifndef __attribute__ -#define __attribute__(args) -#endif -#endif -#else -#ifndef __dead -#define __dead -#endif -#ifndef __attribute__ -#define __attribute__(args) -#endif -#endif diff --git a/kame/kame/racoon/grabmyaddr.c b/kame/kame/racoon/grabmyaddr.c deleted file mode 100644 index 6c97512ff9..0000000000 --- a/kame/kame/racoon/grabmyaddr.c +++ /dev/null 
@@ -1,626 +0,0 @@ -/* $KAME: grabmyaddr.c,v 1.38 2005/04/14 06:22:34 suz Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include -#include -#include -#include - -#include -#ifdef __FreeBSD__ -#include -#endif -#include -#include -#include -#include - -#include -#include -#include -#include -#ifdef HAVE_UNISTD_H -#include -#endif -#include -#ifdef HAVE_GETIFADDRS -#include -#endif - -#include "var.h" -#include "misc.h" -#include "vmbuf.h" -#include "plog.h" -#include "sockmisc.h" -#include "debug.h" - -#include "localconf.h" -#include "grabmyaddr.h" -#include "sockmisc.h" -#include "isakmp_var.h" -#include "gcmalloc.h" - -#ifndef HAVE_GETIFADDRS -static unsigned int if_maxindex __P((void)); -#endif -static struct myaddrs *find_myaddr __P((struct myaddrs *, struct myaddrs *)); -static int suitable_ifaddr __P((const char *, const struct sockaddr *)); -#ifdef INET6 -static int suitable_ifaddr6 __P((const char *, const struct sockaddr *)); -#endif - -#ifndef HAVE_GETIFADDRS -static unsigned int -if_maxindex() -{ - struct if_nameindex *p, *p0; - unsigned int max = 0; - - p0 = if_nameindex(); - for (p = p0; p && p->if_index && p->if_name; p++) { - if (max < p->if_index) - max = p->if_index; - } - if_freenameindex(p0); - return max; -} -#endif - -void -clear_myaddr(db) - struct myaddrs **db; -{ - struct myaddrs *p; - - while (*db) { - p = (*db)->next; - delmyaddr(*db); - *db = p; - } -} - -static struct myaddrs * -find_myaddr(db, p) - struct myaddrs *db; - struct myaddrs *p; -{ - struct myaddrs *q; - char h1[NI_MAXHOST], h2[NI_MAXHOST]; - - if (getnameinfo(p->addr, p->addr->sa_len, h1, sizeof(h1), NULL, 0, - NI_NUMERICHOST | niflags) != 0) - return NULL; - - for (q = db; q; q = q->next) { - if (p->addr->sa_len != q->addr->sa_len) - continue; - if (getnameinfo(q->addr, q->addr->sa_len, h2, sizeof(h2), - NULL, 0, NI_NUMERICHOST | niflags) != 0) - return NULL; - if (strcmp(h1, h2) == 0) - return q; - } - - return NULL; -} - -void -grab_myaddrs() -{ -#ifdef HAVE_GETIFADDRS - struct myaddrs *p, *q, *old; - struct ifaddrs *ifa0, *ifap; -#ifdef INET6 -#ifdef __KAME__ - struct sockaddr_in6 
*sin6; -#endif -#endif - - char addr1[NI_MAXHOST]; - - if (getifaddrs(&ifa0)) { - plog(LLV_ERROR, LOCATION, NULL, - "getifaddrs failed: %s\n", strerror(errno)); - exit(1); - /*NOTREACHED*/ - } - - old = lcconf->myaddrs; - - for (ifap = ifa0; ifap; ifap = ifap->ifa_next) { - if (!ifap->ifa_addr) - continue; - - if (ifap->ifa_addr->sa_family != AF_INET -#ifdef INET6 - && ifap->ifa_addr->sa_family != AF_INET6 -#endif - ) - continue; - - if (!suitable_ifaddr(ifap->ifa_name, ifap->ifa_addr)) { - plog(LLV_ERROR, LOCATION, NULL, - "unsuitable address: %s %s\n", - ifap->ifa_name, - saddrwop2str(ifap->ifa_addr)); - continue; - } - - p = newmyaddr(); - if (p == NULL) { - exit(1); - /*NOTREACHED*/ - } - p->addr = dupsaddr(ifap->ifa_addr); - if (p->addr == NULL) { - exit(1); - /*NOTREACHED*/ - } -#ifdef INET6 -#ifdef __KAME__ - if (ifap->ifa_addr->sa_family == AF_INET6) { - sin6 = (struct sockaddr_in6 *)p->addr; - if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr) - || IN6_IS_ADDR_SITELOCAL(&sin6->sin6_addr)) { - sin6->sin6_scope_id = - ntohs(*(u_int16_t *)&sin6->sin6_addr.s6_addr[2]); - sin6->sin6_addr.s6_addr[2] = 0; - sin6->sin6_addr.s6_addr[3] = 0; - } - } -#endif -#endif - if (getnameinfo(p->addr, p->addr->sa_len, - addr1, sizeof(addr1), - NULL, 0, - NI_NUMERICHOST | niflags)) - strlcpy(addr1, "(invalid)", sizeof(addr1)); - plog(LLV_DEBUG, LOCATION, NULL, - "my interface: %s (%s)\n", - addr1, ifap->ifa_name); - q = find_myaddr(old, p); - if (q) - p->sock = q->sock; - else - p->sock = -1; - p->next = lcconf->myaddrs; - lcconf->myaddrs = p; - } - - freeifaddrs(ifa0); - - clear_myaddr(&old); - -#else /*!HAVE_GETIFADDRS*/ - int s; - unsigned int maxif; - int len; - struct ifreq *iflist; - struct ifconf ifconf; - struct ifreq *ifr, *ifr_end; - struct myaddrs *p, *q, *old; -#ifdef INET6 -#ifdef __KAME__ - struct sockaddr_in6 *sin6; -#endif -#endif - - char addr1[NI_MAXHOST]; - - maxif = if_maxindex() + 1; - len = maxif * sizeof(struct sockaddr_storage) * 4; /* guess guess */ - - 
iflist = (struct ifreq *)racoon_malloc(len); - if (!iflist) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate buffer\n"); - exit(1); - /*NOTREACHED*/ - } - - if ((s = socket(PF_INET, SOCK_DGRAM, 0)) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "socket(SOCK_DGRAM) failed: %s\n", - strerror(errno)); - exit(1); - /*NOTREACHED*/ - } - memset(&ifconf, 0, sizeof(ifconf)); - ifconf.ifc_req = iflist; - ifconf.ifc_len = len; - if (ioctl(s, SIOCGIFCONF, &ifconf) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "ioctl(SIOCGIFCONF) failed: %s\n", - strerror(errno)); - exit(1); - /*NOTREACHED*/ - } - close(s); - - old = lcconf->myaddrs; - - /* Look for this interface in the list */ - ifr_end = (struct ifreq *) (ifconf.ifc_buf + ifconf.ifc_len); - -#define _IFREQ_LEN(p) \ - (sizeof((p)->ifr_name) + (p)->ifr_addr.sa_len > sizeof(struct ifreq) \ - ? sizeof((p)->ifr_name) + (p)->ifr_addr.sa_len : sizeof(struct ifreq)) - - for (ifr = ifconf.ifc_req; - ifr < ifr_end; - ifr = (struct ifreq *)((caddr_t)ifr + _IFREQ_LEN(ifr))) { - - switch (ifr->ifr_addr.sa_family) { - case AF_INET: -#ifdef INET6 - case AF_INET6: -#endif - if (!suitable_ifaddr(ifr->ifr_name, &ifr->ifr_addr)) { - plog(LLV_ERROR, LOCATION, NULL, - "unsuitable address: %s %s\n", - ifr->ifr_name, - saddrwop2str(&ifr->ifr_addr)); - continue; - } - - p = newmyaddr(); - if (p == NULL) { - exit(1); - /*NOTREACHED*/ - } - p->addr = dupsaddr(&ifr->ifr_addr); - if (p->addr == NULL) { - exit(1); - /*NOTREACHED*/ - } -#ifdef INET6 -#ifdef __KAME__ - sin6 = (struct sockaddr_in6 *)p->addr; - if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr) - || IN6_IS_ADDR_SITELOCAL(&sin6->sin6_addr)) { - sin6->sin6_scope_id = - ntohs(*(u_int16_t *)&sin6->sin6_addr.s6_addr[2]); - sin6->sin6_addr.s6_addr[2] = 0; - sin6->sin6_addr.s6_addr[3] = 0; - } -#endif -#endif - if (getnameinfo(p->addr, p->addr->sa_len, - addr1, sizeof(addr1), - NULL, 0, - NI_NUMERICHOST | niflags)) - strlcpy(addr1, "(invalid)", sizeof(addr1)); - plog(LLV_DEBUG, LOCATION, NULL, - "my 
interface: %s (%s)\n", - addr1, ifr->ifr_name); - q = find_myaddr(old, p); - if (q) - p->sock = q->sock; - else - p->sock = -1; - p->next = lcconf->myaddrs; - lcconf->myaddrs = p; - break; - default: - break; - } - } - - clear_myaddr(&old); - - racoon_free(iflist); -#endif /*HAVE_GETIFADDRS*/ -} - -/* - * check the interface is suitable or not - */ -static int -suitable_ifaddr(ifname, ifaddr) - const char *ifname; - const struct sockaddr *ifaddr; -{ - switch(ifaddr->sa_family) { - case AF_INET: - return 1; -#ifdef INET6 - case AF_INET6: - return suitable_ifaddr6(ifname, ifaddr); -#endif - default: - return 0; - } - /*NOTREACHED*/ -} - -#ifdef INET6 -static int -suitable_ifaddr6(ifname, ifaddr) - const char *ifname; - const struct sockaddr *ifaddr; -{ - struct in6_ifreq ifr6; - int s; - - if (ifaddr->sa_family != AF_INET6) - return 0; - - s = socket(PF_INET6, SOCK_DGRAM, 0); - if (s == -1) { - plog(LLV_ERROR, LOCATION, NULL, - "socket(SOCK_DGRAM) failed:%s\n", strerror(errno)); - return 0; - } - - memset(&ifr6, 0, sizeof(ifr6)); - strncpy(ifr6.ifr_name, ifname, strlen(ifname)); - - ifr6.ifr_addr = *(const struct sockaddr_in6 *)ifaddr; - - if (ioctl(s, SIOCGIFAFLAG_IN6, &ifr6) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "ioctl(SIOCGIFAFLAG_IN6) failed:%s\n", strerror(errno)); - close(s); - return 0; - } - - close(s); - - if (ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_DUPLICATED || - ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_DETACHED || - ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_ANYCAST) - return 0; - - /* suitable */ - return 1; -} -#endif - -int -update_myaddrs() -{ - char msg[BUFSIZ]; - int len; - struct rt_msghdr *rtm; - - len = read(lcconf->rtsock, msg, sizeof(msg)); - if (len < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "read(PF_ROUTE) failed: %s\n", - strerror(errno)); - return 0; - } - rtm = (struct rt_msghdr *)msg; - if (len < rtm->rtm_msglen) { - plog(LLV_ERROR, LOCATION, NULL, - "read(PF_ROUTE) short read\n"); - return 0; - } - if (rtm->rtm_version != RTM_VERSION) { - 
plog(LLV_ERROR, LOCATION, NULL, - "routing socket version mismatch\n"); - close(lcconf->rtsock); - lcconf->rtsock = -1; - return 0; - } - switch (rtm->rtm_type) { - case RTM_NEWADDR: - case RTM_DELADDR: - case RTM_DELETE: - case RTM_IFINFO: - break; - case RTM_MISS: - /* ignore this message silently */ - return 0; - default: - plog(LLV_DEBUG, LOCATION, NULL, - "msg %d not interesting\n", rtm->rtm_type); - return 0; - } - /* XXX more filters here? */ - - plog(LLV_DEBUG, LOCATION, NULL, - "caught rtm:%d, need update interface address list\n", - rtm->rtm_type); - return 1; -} - -/* - * initialize default port for ISAKMP to send, if no "listen" - * directive is specified in config file. - * - * DO NOT listen to wildcard addresses. if you receive packets to - * wildcard address, you'll be in trouble (DoS attack possible by - * broadcast storm). - */ -int -autoconf_myaddrsport() -{ - struct myaddrs *p; - struct sockaddr_in *sin4; -#ifdef INET6 - struct sockaddr_in6 *sin6; -#endif - int n; - - plog(LLV_DEBUG, LOCATION, NULL, - "configuring default isakmp port.\n"); - n = 0; - for (p = lcconf->myaddrs; p; p = p->next) { - switch (p->addr->sa_family) { - case AF_INET: - sin4 = (struct sockaddr_in *)p->addr; - sin4->sin_port = htons(lcconf->port_isakmp); - break; -#ifdef INET6 - case AF_INET6: - sin6 = (struct sockaddr_in6 *)p->addr; - sin6->sin6_port = htons(lcconf->port_isakmp); - break; -#endif - default: - plog(LLV_ERROR, LOCATION, NULL, - "unsupported AF %d\n", p->addr->sa_family); - goto err; - } - n++; - } - plog(LLV_DEBUG, LOCATION, NULL, - "%d addrs are configured successfully\n", n); - - return 0; -err: - plog(LLV_ERROR, LOCATION, NULL, "address autoconfiguration failed\n"); - return -1; -} - -/* - * get a port number to which racoon binded. - * NOTE: network byte order returned. 
- */ -u_short -getmyaddrsport(local) - struct sockaddr *local; -{ - struct myaddrs *p; - - /* get a relative port */ - for (p = lcconf->myaddrs; p; p = p->next) { - if (!p->addr) - continue; - if (!cmpsaddrwop(local, p->addr)) { - switch (p->addr->sa_family) { - case AF_INET: - return ((struct sockaddr_in *)p->addr)->sin_port; -#ifdef INET6 - case AF_INET6: - return ((struct sockaddr_in6 *)p->addr)->sin6_port; -#endif - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid family: %d\n", - p->addr->sa_family); - return -1; - } - } - continue; - } - - return htons(PORT_ISAKMP); -} - -struct myaddrs * -newmyaddr() -{ - struct myaddrs *new; - - new = racoon_calloc(1, sizeof(*new)); - if (new == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate buffer for myaddrs.\n"); - return NULL; - } - - new->next = NULL; - new->addr = NULL; - - return new; -} - -void -insmyaddr(new, head) - struct myaddrs *new; - struct myaddrs **head; -{ - new->next = *head; - *head = new; -} - -void -delmyaddr(myaddr) - struct myaddrs *myaddr; -{ - if (myaddr->addr) - racoon_free(myaddr->addr); - racoon_free(myaddr); -} - -int -initmyaddr() -{ - /* initialize routing socket */ - lcconf->rtsock = socket(PF_ROUTE, SOCK_RAW, PF_UNSPEC); - if (lcconf->rtsock < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "socket(PF_ROUTE) failed: %s", - strerror(errno)); - return -1; - } - - if (lcconf->myaddrs == NULL && lcconf->autograbaddr == 1) { - grab_myaddrs(); - - if (autoconf_myaddrsport() < 0) - return -1; - } - - return 0; -} - -/* select the socket to be sent */ -/* should implement other method. 
*/ -int -getsockmyaddr(my) - struct sockaddr *my; -{ - struct myaddrs *p, *lastresort = NULL; - - for (p = lcconf->myaddrs; p; p = p->next) { - if (p->addr == NULL) - continue; - if (my->sa_family == p->addr->sa_family) - lastresort = p; - if (my->sa_len == p->addr->sa_len - && memcmp(my, p->addr, my->sa_len) == 0) { - break; - } - } - if (!p) - p = lastresort; - if (!p) { - plog(LLV_ERROR, LOCATION, NULL, - "no socket matches address family %d\n", - my->sa_family); - return -1; - } - - return p->sock; -} diff --git a/kame/kame/racoon/grabmyaddr.h b/kame/kame/racoon/grabmyaddr.h deleted file mode 100644 index 78b81e9c9e..0000000000 --- a/kame/kame/racoon/grabmyaddr.h +++ /dev/null 
@@ -1,47 +0,0 @@ -/* $KAME: grabmyaddr.h,v 1.6 2001/12/12 15:29:12 sakane Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -struct myaddrs { - struct myaddrs *next; - struct sockaddr *addr; - int sock; -}; - -extern void clear_myaddr __P((struct myaddrs **)); -extern void grab_myaddrs __P((void)); -extern int update_myaddrs __P((void)); -extern int autoconf_myaddrsport __P((void)); -extern u_short getmyaddrsport __P((struct sockaddr *)); -extern struct myaddrs *newmyaddr __P((void)); -extern void insmyaddr __P((struct myaddrs *, struct myaddrs **)); -extern void delmyaddr __P((struct myaddrs *)); -extern int initmyaddr __P((void)); -extern int getsockmyaddr __P((struct sockaddr *)); diff --git a/kame/kame/racoon/gssapi.c b/kame/kame/racoon/gssapi.c deleted file mode 100644 index 4bf332d927..0000000000 --- a/kame/kame/racoon/gssapi.c +++ /dev/null 
@@ -1,709 +0,0 @@ -/* $KAME: gssapi.c,v 1.20 2004/03/27 03:27:45 suz Exp $ */ - -/* - * Copyright 2000 Wasabi Systems, Inc. - * All rights reserved. - * - * This software was written by Frank van der Linden of Wasabi Systems - * for Zembu Labs, Inc. http://www.zembu.com/ - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Wasabi Systems for - * Zembu Labs, Inc. http://www.zembu.com/ - * 4. The name of Wasabi Systems, Inc. may not be used to endorse - * or promote products derived from this software without specific prior - * written permission. - * - * THIS SOFTWARE IS PROVIDED BY WASABI SYSTEMS, INC. ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL WASABI SYSTEMS, INC - * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. 
- */ - -#ifdef HAVE_GSSAPI -#include -#include -#include -#include - -#include -#include -#include - -#include "var.h" -#include "misc.h" -#include "vmbuf.h" -#include "plog.h" -#include "sockmisc.h" -#include "schedule.h" -#include "debug.h" - -#include "localconf.h" -#include "remoteconf.h" -#include "isakmp_var.h" -#include "isakmp.h" -#include "oakley.h" -#include "handler.h" -#include "ipsec_doi.h" -#include "crypto_openssl.h" -#include "pfkey.h" -#include "isakmp_ident.h" -#include "isakmp_inf.h" -#include "vendorid.h" -#include "gcmalloc.h" - -#include "auth_gssapi.h" - -static void -gssapi_error(OM_uint32 status_code, const char *where, - const char *fmt, ...) -{ - OM_uint32 message_context, maj_stat, min_stat; - gss_buffer_desc status_string; - va_list ap; - - va_start(ap, fmt); - plogv(LLV_ERROR, where, NULL, fmt, ap); - va_end(ap); - - message_context = 0; - - do { - maj_stat = gss_display_status(&min_stat, status_code, - GSS_C_MECH_CODE, GSS_C_NO_OID, &message_context, - &status_string); - if (GSS_ERROR(maj_stat)) - plog(LLV_ERROR, LOCATION, NULL, - "UNABLE TO GET GSSAPI ERROR CODE\n"); - else { - plog(LLV_ERROR, where, NULL, - "%s\n", status_string.value); - gss_release_buffer(&min_stat, &status_string); - } - } while (message_context != 0); -} - -/* - * vmbufs and gss_buffer_descs are really just the same on NetBSD, but - * this is to be portable. 
- */ -static int -gssapi_vm2gssbuf(vchar_t *vmbuf, gss_buffer_t gsstoken) -{ - - gsstoken->value = racoon_malloc(vmbuf->l); - if (gsstoken->value == NULL) - return -1; - memcpy(gsstoken->value, vmbuf->v, vmbuf->l); - gsstoken->length = vmbuf->l; - - return 0; -} - -static int -gssapi_gss2vmbuf(gss_buffer_t gsstoken, vchar_t **vmbuf) -{ - - *vmbuf = vmalloc(gsstoken->length); - if (*vmbuf == NULL) - return -1; - memcpy((*vmbuf)->v, gsstoken->value, gsstoken->length); - (*vmbuf)->l = gsstoken->length; - - return 0; -} - -static int -gssapi_get_default_name(struct ph1handle *iph1, int remote, gss_name_t *service) -{ - char name[NI_MAXHOST]; - struct sockaddr *sa; - gss_buffer_desc name_token; - OM_uint32 min_stat, maj_stat; - - sa = remote ? iph1->remote : iph1->local; - - if (getnameinfo(sa, sa->sa_len, name, NI_MAXHOST, NULL, 0, 0) != 0) - return -1; - - name_token.length = asprintf((char **)&name_token.value, - "%s@%s", GSSAPI_DEF_NAME, name); - maj_stat = gss_import_name(&min_stat, &name_token, - GSS_C_NT_HOSTBASED_SERVICE, service); - if (GSS_ERROR(maj_stat)) { - gssapi_error(min_stat, LOCATION, "import name\n"); - maj_stat = gss_release_buffer(&min_stat, &name_token); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release name_token"); - return -1; - } - maj_stat = gss_release_buffer(&min_stat, &name_token); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release name_token"); - - return 0; -} - -static int -gssapi_init(struct ph1handle *iph1) -{ - struct gssapi_ph1_state *gps; - gss_buffer_desc id_token, cred_token; - gss_buffer_t cred = &cred_token; - gss_name_t princ, canon_princ; - OM_uint32 maj_stat, min_stat; - - gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state)); - if (gps == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n"); - return -1; - } - gps->gss_context = GSS_C_NO_CONTEXT; - gps->gss_cred = GSS_C_NO_CREDENTIAL; - - gssapi_set_state(iph1, gps); - - if (iph1->rmconf->proposal->gssid != NULL) { - 
id_token.length = iph1->rmconf->proposal->gssid->l; - id_token.value = iph1->rmconf->proposal->gssid->v; - maj_stat = gss_import_name(&min_stat, &id_token, GSS_C_NO_OID, - &princ); - if (GSS_ERROR(maj_stat)) { - gssapi_error(min_stat, LOCATION, "import name\n"); - gssapi_free_state(iph1); - return -1; - } - } else - gssapi_get_default_name(iph1, 0, &princ); - - maj_stat = gss_canonicalize_name(&min_stat, princ, GSS_C_NO_OID, - &canon_princ); - if (GSS_ERROR(maj_stat)) { - gssapi_error(min_stat, LOCATION, "canonicalize name\n"); - maj_stat = gss_release_name(&min_stat, &princ); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release princ\n"); - gssapi_free_state(iph1); - return -1; - } - maj_stat = gss_release_name(&min_stat, &princ); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release princ\n"); - - maj_stat = gss_export_name(&min_stat, canon_princ, cred); - if (GSS_ERROR(maj_stat)) { - gssapi_error(min_stat, LOCATION, "export name\n"); - maj_stat = gss_release_name(&min_stat, &canon_princ); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, - "release canon_princ\n"); - gssapi_free_state(iph1); - return -1; - } - - plog(LLV_DEBUG, LOCATION, NULL, "will try to acquire '%*s' creds\n", - cred->length, cred->value); - maj_stat = gss_release_buffer(&min_stat, cred); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release cred buffer\n"); - - maj_stat = gss_acquire_cred(&min_stat, canon_princ, GSS_C_INDEFINITE, - GSS_C_NO_OID_SET, GSS_C_BOTH, &gps->gss_cred, NULL, NULL); - if (GSS_ERROR(maj_stat)) { - gssapi_error(min_stat, LOCATION, "acquire cred\n"); - maj_stat = gss_release_name(&min_stat, &canon_princ); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, - "release canon_princ\n"); - gssapi_free_state(iph1); - return -1; - } - maj_stat = gss_release_name(&min_stat, &canon_princ); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release canon_princ\n"); - - return 0; -} - -int 
-gssapi_get_itoken(struct ph1handle *iph1, int *lenp) -{ - struct gssapi_ph1_state *gps; - gss_buffer_desc empty, name_token; - gss_buffer_t itoken, rtoken, dummy; - OM_uint32 maj_stat, min_stat; - gss_name_t partner; - - if (gssapi_get_state(iph1) == NULL && gssapi_init(iph1) < 0) - return -1; - - gps = gssapi_get_state(iph1); - - empty.length = 0; - empty.value = NULL; - dummy = ∅ - - if (iph1->approval != NULL && iph1->approval->gssid != NULL) { - plog(LLV_DEBUG, LOCATION, NULL, "using provided service '%s'\n", - iph1->approval->gssid->v); - name_token.length = iph1->approval->gssid->l; - name_token.value = iph1->approval->gssid->v; - maj_stat = gss_import_name(&min_stat, &name_token, - GSS_C_NO_OID, &partner); - if (GSS_ERROR(maj_stat)) { - gssapi_error(min_stat, LOCATION, "import of %s\n", - name_token.value); - return -1; - } - } else - if (gssapi_get_default_name(iph1, 1, &partner) < 0) - return -1; - - rtoken = gps->gsscnt_p == 0 ? dummy : &gps->gss_p[gps->gsscnt_p - 1]; - itoken = &gps->gss[gps->gsscnt]; - - gps->gss_status = gss_init_sec_context(&min_stat, gps->gss_cred, - &gps->gss_context, partner, GSS_C_NO_OID, - GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG | - GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG, - 0, GSS_C_NO_CHANNEL_BINDINGS, rtoken, NULL, - itoken, NULL, NULL); - - if (GSS_ERROR(gps->gss_status)) { - gssapi_error(min_stat, LOCATION, "init_sec_context\n"); - maj_stat = gss_release_name(&min_stat, &partner); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release name\n"); - return -1; - } - maj_stat = gss_release_name(&min_stat, &partner); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release name\n"); - - plog(LLV_DEBUG, LOCATION, NULL, "gss_init_sec_context status %x\n", - gps->gss_status); - - if (lenp) - *lenp = itoken->length; - - if (itoken->length != 0) - gps->gsscnt++; - - return 0; -} - -/* - * Call gss_accept_context, with token just read from the wire. 
- */ -int -gssapi_get_rtoken(struct ph1handle *iph1, int *lenp) -{ - struct gssapi_ph1_state *gps; - gss_buffer_desc name_token; - gss_buffer_t itoken, rtoken; - OM_uint32 min_stat, maj_stat; - gss_name_t client_name; - - if (gssapi_get_state(iph1) == NULL && gssapi_init(iph1) < 0) - return -1; - - gps = gssapi_get_state(iph1); - - rtoken = &gps->gss_p[gps->gsscnt_p - 1]; - itoken = &gps->gss[gps->gsscnt]; - - gps->gss_status = gss_accept_sec_context(&min_stat, &gps->gss_context, - gps->gss_cred, rtoken, GSS_C_NO_CHANNEL_BINDINGS, &client_name, - NULL, itoken, NULL, NULL, NULL); - - if (GSS_ERROR(gps->gss_status)) { - gssapi_error(min_stat, LOCATION, "accept_sec_context\n"); - return -1; - } - - maj_stat = gss_display_name(&min_stat, client_name, &name_token, NULL); - if (GSS_ERROR(maj_stat)) { - gssapi_error(min_stat, LOCATION, "gss_display_name\n"); - maj_stat = gss_release_name(&min_stat, &client_name); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, - "release client_name\n"); - return -1; - } - maj_stat = gss_release_name(&min_stat, &client_name); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release client_name\n"); - - plog(LLV_DEBUG, LOCATION, NULL, - "gss_accept_sec_context: other side is %s\n", - name_token.value); - maj_stat = gss_release_buffer(&min_stat, &name_token); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release name buffer\n"); - - if (itoken->length != 0) - gps->gsscnt++; - - if (lenp) - *lenp = itoken->length; - - return 0; -} - -int -gssapi_save_received_token(struct ph1handle *iph1, vchar_t *token) -{ - struct gssapi_ph1_state *gps; - gss_buffer_t gsstoken; - int ret; - - if (gssapi_get_state(iph1) == NULL && gssapi_init(iph1) < 0) - return -1; - - gps = gssapi_get_state(iph1); - - gsstoken = &gps->gss_p[gps->gsscnt_p]; - - ret = gssapi_vm2gssbuf(token, gsstoken); - if (ret < 0) - return ret; - gps->gsscnt_p++; - - return 0; -} - -int -gssapi_get_token_to_send(struct ph1handle *iph1, vchar_t 
**token) -{ - struct gssapi_ph1_state *gps; - gss_buffer_t gsstoken; - int ret; - - gps = gssapi_get_state(iph1); - if (gps == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "gssapi not yet initialized?\n"); - return -1; - } - gsstoken = &gps->gss[gps->gsscnt - 1]; - ret = gssapi_gss2vmbuf(gsstoken, token); - if (ret < 0) - return ret; - - return 0; -} - -int -gssapi_get_itokens(struct ph1handle *iph1, vchar_t **tokens) -{ - struct gssapi_ph1_state *gps; - int len, i; - vchar_t *toks; - char *p; - - gps = gssapi_get_state(iph1); - if (gps == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "gssapi not yet initialized?\n"); - return -1; - } - - for (i = len = 0; i < gps->gsscnt; i++) - len += gps->gss[i].length; - - toks = vmalloc(len); - if (toks == 0) - return -1; - p = (char *)toks->v; - for (i = 0; i < gps->gsscnt; i++) { - memcpy(p, gps->gss[i].value, gps->gss[i].length); - p += gps->gss[i].length; - } - - *tokens = toks; - - plog(LLV_DEBUG, LOCATION, NULL, - "%d itokens of length %d\n", gps->gsscnt, (*tokens)->l); - - return 0; -} - -int -gssapi_get_rtokens(struct ph1handle *iph1, vchar_t **tokens) -{ - struct gssapi_ph1_state *gps; - int len, i; - vchar_t *toks; - char *p; - - gps = gssapi_get_state(iph1); - if (gps == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "gssapi not yet initialized?\n"); - return -1; - } - - if (gssapi_more_tokens(iph1)) { - plog(LLV_ERROR, LOCATION, NULL, - "gssapi roundtrips not complete\n"); - return -1; - } - - for (i = len = 0; i < gps->gsscnt_p; i++) - len += gps->gss_p[i].length; - - toks = vmalloc(len); - if (toks == 0) - return -1; - p = (char *)toks->v; - for (i = 0; i < gps->gsscnt_p; i++) { - memcpy(p, gps->gss_p[i].value, gps->gss_p[i].length); - p += gps->gss_p[i].length; - } - - *tokens = toks; - - return 0; -} - -vchar_t * -gssapi_wraphash(struct ph1handle *iph1) -{ - struct gssapi_ph1_state *gps; - OM_uint32 maj_stat, min_stat; - gss_buffer_desc hash_in_buf, hash_out_buf; - gss_buffer_t hash_in = &hash_in_buf, hash_out = 
&hash_out_buf; - vchar_t *outbuf; - - gps = gssapi_get_state(iph1); - if (gps == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "gssapi not yet initialized?\n"); - return NULL; - } - - if (gssapi_more_tokens(iph1)) { - plog(LLV_ERROR, LOCATION, NULL, - "gssapi roundtrips not complete\n"); - return NULL; - } - - if (gssapi_vm2gssbuf(iph1->hash, hash_in) < 0) { - plog(LLV_ERROR, LOCATION, NULL, "vm2gssbuf failed\n"); - return NULL; - } - - maj_stat = gss_wrap(&min_stat, gps->gss_context, 1, GSS_C_QOP_DEFAULT, - hash_in, NULL, hash_out); - if (GSS_ERROR(maj_stat)) { - gssapi_error(min_stat, LOCATION, "wrapping hash value\n"); - maj_stat = gss_release_buffer(&min_stat, hash_in); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, - "release hash_in buffer\n"); - return NULL; - } - - plog(LLV_DEBUG, LOCATION, NULL, "wrapped HASH, ilen %d olen %d\n", - hash_in->length, hash_out->length); - - maj_stat = gss_release_buffer(&min_stat, hash_in); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release hash_in buffer\n"); - - if (gssapi_gss2vmbuf(hash_out, &outbuf) < 0) { - plog(LLV_ERROR, LOCATION, NULL, "gss2vmbuf failed\n"); - maj_stat = gss_release_buffer(&min_stat, hash_out); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, - "release hash_out buffer\n"); - return NULL; - } - maj_stat = gss_release_buffer(&min_stat, hash_out); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release hash_out buffer\n"); - - return outbuf; -} - -vchar_t * -gssapi_unwraphash(struct ph1handle *iph1) -{ - struct gssapi_ph1_state *gps; - OM_uint32 maj_stat, min_stat; - gss_buffer_desc hashbuf, hash_outbuf; - gss_buffer_t hash_in = &hashbuf, hash_out = &hash_outbuf; - vchar_t *outbuf; - - gps = gssapi_get_state(iph1); - if (gps == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "gssapi not yet initialized?\n"); - return NULL; - } - - - hashbuf.length = ntohs(iph1->pl_hash->h.len) - sizeof(*iph1->pl_hash); - hashbuf.value = (char *)(iph1->pl_hash + 
1); - - plog(LLV_DEBUG, LOCATION, NULL, "unwrapping HASH of len %d\n", - hashbuf.length); - - maj_stat = gss_unwrap(&min_stat, gps->gss_context, hash_in, hash_out, - NULL, NULL); - if (GSS_ERROR(maj_stat)) { - gssapi_error(min_stat, LOCATION, "unwrapping hash value\n"); - return NULL; - } - - if (gssapi_gss2vmbuf(hash_out, &outbuf) < 0) { - plog(LLV_ERROR, LOCATION, NULL, "gss2vmbuf failed\n"); - maj_stat = gss_release_buffer(&min_stat, hash_out); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, - "release hash_out buffer\n"); - return NULL; - } - maj_stat = gss_release_buffer(&min_stat, hash_out); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release hash_out buffer\n"); - - return outbuf; -} - -void -gssapi_set_id_sent(struct ph1handle *iph1) -{ - struct gssapi_ph1_state *gps; - - gps = gssapi_get_state(iph1); - - gps->gss_flags |= GSSFLAG_ID_SENT; -} - -int -gssapi_id_sent(struct ph1handle *iph1) -{ - struct gssapi_ph1_state *gps; - - gps = gssapi_get_state(iph1); - - return (gps->gss_flags & GSSFLAG_ID_SENT) != 0; -} - -void -gssapi_set_id_rcvd(struct ph1handle *iph1) -{ - struct gssapi_ph1_state *gps; - - gps = gssapi_get_state(iph1); - - gps->gss_flags |= GSSFLAG_ID_RCVD; -} - -int -gssapi_id_rcvd(struct ph1handle *iph1) -{ - struct gssapi_ph1_state *gps; - - gps = gssapi_get_state(iph1); - - return (gps->gss_flags & GSSFLAG_ID_RCVD) != 0; -} - -void -gssapi_free_state(struct ph1handle *iph1) -{ - struct gssapi_ph1_state *gps; - OM_uint32 maj_stat, min_stat; - - gps = gssapi_get_state(iph1); - - if (gps == NULL) - return; - - gssapi_set_state(iph1, NULL); - - if (gps->gss_cred != GSS_C_NO_CREDENTIAL) { - maj_stat = gss_release_cred(&min_stat, &gps->gss_cred); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, - "releasing credentials\n"); - } - racoon_free(gps); -} - -vchar_t * -gssapi_get_default_id(struct ph1handle *iph1) -{ - gss_buffer_desc id_buffer; - gss_buffer_t id = &id_buffer; - gss_name_t defname, 
canon_name; - OM_uint32 min_stat, maj_stat; - vchar_t *vmbuf; - - if (gssapi_get_default_name(iph1, 0, &defname) < 0) - return NULL; - - maj_stat = gss_canonicalize_name(&min_stat, defname, GSS_C_NO_OID, - &canon_name); - if (GSS_ERROR(maj_stat)) { - gssapi_error(min_stat, LOCATION, "canonicalize name\n"); - maj_stat = gss_release_name(&min_stat, &defname); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, - "release default name\n"); - return NULL; - } - maj_stat = gss_release_name(&min_stat, &defname); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release default name\n"); - - maj_stat = gss_export_name(&min_stat, canon_name, id); - if (GSS_ERROR(maj_stat)) { - gssapi_error(min_stat, LOCATION, "export name\n"); - maj_stat = gss_release_name(&min_stat, &canon_name); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, - "release canonical name\n"); - return NULL; - } - maj_stat = gss_release_name(&min_stat, &canon_name); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release canonical name\n"); - - plog(LLV_DEBUG, LOCATION, NULL, "will try to acquire '%*s' creds\n", - id->length, id->value); - - if (gssapi_gss2vmbuf(id, &vmbuf) < 0) { - plog(LLV_ERROR, LOCATION, NULL, "gss2vmbuf failed\n"); - maj_stat = gss_release_buffer(&min_stat, id); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release id buffer\n"); - return NULL; - } - maj_stat = gss_release_buffer(&min_stat, id); - if (GSS_ERROR(maj_stat)) - gssapi_error(min_stat, LOCATION, "release id buffer\n"); - - return vmbuf; -} -#else -int __gssapi_dUmMy; -#endif diff --git a/kame/kame/racoon/handler.c b/kame/kame/racoon/handler.c deleted file mode 100644 index 3ae8ae1530..0000000000 --- a/kame/kame/racoon/handler.c +++ /dev/null 
@@ -1,869 +0,0 @@ -/* $KAME: handler.c,v 1.59 2004/04/12 03:57:05 sakane Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include -#include -#include - -#include -#include -#include -#include -#include - -#include "var.h" -#include "misc.h" -#include "vmbuf.h" -#include "plog.h" -#include "sockmisc.h" -#include "debug.h" - -#include "schedule.h" -#include "grabmyaddr.h" -#include "algorithm.h" -#include "crypto_openssl.h" -#include "policy.h" -#include "proposal.h" -#include "isakmp_var.h" -#include "isakmp.h" -#include "isakmp_inf.h" -#include "oakley.h" -#include "remoteconf.h" -#include "localconf.h" -#include "handler.h" -#include "gcmalloc.h" - -#ifdef HAVE_GSSAPI -#include "auth_gssapi.h" -#endif - -static LIST_HEAD(_ph1tree_, ph1handle) ph1tree; -static LIST_HEAD(_ph2tree_, ph2handle) ph2tree; -static LIST_HEAD(_ctdtree_, contacted) ctdtree; -static LIST_HEAD(_rcptree_, recvdpkt) rcptree; - -static void del_recvdpkt __P((struct recvdpkt *)); -static void rem_recvdpkt __P((struct recvdpkt *)); -static void sweep_recvdpkt __P((void *)); - -/* - * functions about management of the isakmp status table - */ -/* %%% management phase 1 handler */ -/* - * search for isakmpsa handler with isakmp index. - */ - -extern caddr_t val2str(const char *, size_t); - -struct ph1handle * -getph1byindex(index) - isakmp_index *index; -{ - struct ph1handle *p; - - LIST_FOREACH(p, &ph1tree, chain) { - if (p->status == PHASE1ST_EXPIRED) - continue; - if (memcmp(&p->index, index, sizeof(*index)) == 0) - return p; - } - - return NULL; -} - -/* - * search for isakmp handler by i_ck in index. - */ -struct ph1handle * -getph1byindex0(index) - isakmp_index *index; -{ - struct ph1handle *p; - - LIST_FOREACH(p, &ph1tree, chain) { - if (p->status == PHASE1ST_EXPIRED) - continue; - if (memcmp(&p->index, index, sizeof(cookie_t)) == 0) - return p; - } - - return NULL; -} - -/* - * search for isakmpsa handler by remote address. - * don't use port number to search because this function search - * with phase 2's destinaion. 
- */ -struct ph1handle * -getph1byaddr(local, remote) - struct sockaddr *local, *remote; -{ - struct ph1handle *p; - - LIST_FOREACH(p, &ph1tree, chain) { - if (p->status == PHASE1ST_EXPIRED) - continue; - if (cmpsaddrwop(local, p->local) == 0 - && cmpsaddrwop(remote, p->remote) == 0) - return p; - } - - return NULL; -} - -/* - * dump isakmp-sa - */ -vchar_t * -dumpph1() -{ - struct ph1handle *iph1; - struct ph1dump *pd; - int cnt = 0; - vchar_t *buf; - - /* get length of buffer */ - LIST_FOREACH(iph1, &ph1tree, chain) - cnt++; - - buf = vmalloc(cnt * sizeof(struct ph1dump)); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer\n"); - return NULL; - } - pd = (struct ph1dump *)buf->v; - - LIST_FOREACH(iph1, &ph1tree, chain) { - memcpy(&pd->index, &iph1->index, sizeof(iph1->index)); - pd->status = iph1->status; - pd->side = iph1->side; - memcpy(&pd->remote, iph1->remote, iph1->remote->sa_len); - memcpy(&pd->local, iph1->local, iph1->local->sa_len); - pd->version = iph1->version; - pd->etype = iph1->etype; - pd->created = iph1->created; - pd->ph2cnt = iph1->ph2cnt; - pd++; - } - - return buf; -} - -/* - * create new isakmp Phase 1 status record to handle isakmp in Phase1 - */ -struct ph1handle * -newph1() -{ - struct ph1handle *iph1; - - /* create new iph1 */ - iph1 = racoon_calloc(1, sizeof(*iph1)); - if (iph1 == NULL) - return NULL; - - iph1->status = PHASE1ST_SPAWN; - - return iph1; -} - -/* - * delete new isakmp Phase 1 status record to handle isakmp in Phase1 - */ -void -delph1(iph1) - struct ph1handle *iph1; -{ - if (iph1->remote) { - racoon_free(iph1->remote); - iph1->remote = NULL; - } - if (iph1->local) { - racoon_free(iph1->local); - iph1->local = NULL; - } - - VPTRINIT(iph1->authstr); - - sched_scrub_param(iph1); - iph1->sce = NULL; - iph1->scr = NULL; - - VPTRINIT(iph1->sendbuf); - - VPTRINIT(iph1->dhpriv); - VPTRINIT(iph1->dhpub); - VPTRINIT(iph1->dhpub_p); - VPTRINIT(iph1->dhgxy); - VPTRINIT(iph1->nonce); - 
VPTRINIT(iph1->nonce_p); - VPTRINIT(iph1->skeyid); - VPTRINIT(iph1->skeyid_d); - VPTRINIT(iph1->skeyid_a); - VPTRINIT(iph1->skeyid_e); - VPTRINIT(iph1->key); - VPTRINIT(iph1->hash); - VPTRINIT(iph1->sig); - VPTRINIT(iph1->sig_p); - oakley_delcert(iph1->cert); - iph1->cert = NULL; - oakley_delcert(iph1->cert_p); - iph1->cert_p = NULL; - oakley_delcert(iph1->crl_p); - iph1->crl_p = NULL; - oakley_delcert(iph1->cr_p); - iph1->cr_p = NULL; - VPTRINIT(iph1->id); - VPTRINIT(iph1->id_p); - - if (iph1->ivm) { - oakley_delivm(iph1->ivm); - iph1->ivm = NULL; - } - - VPTRINIT(iph1->sa); - VPTRINIT(iph1->sa_ret); - -#ifdef HAVE_GSSAPI - VPTRINIT(iph1->gi_i); - VPTRINIT(iph1->gi_r); - - gssapi_free_state(iph1); -#endif - - racoon_free(iph1); -} - -/* - * create new isakmp Phase 1 status record to handle isakmp in Phase1 - */ -int -insph1(iph1) - struct ph1handle *iph1; -{ - /* validity check */ - if (iph1->remote == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid isakmp SA handler. no remote address.\n"); - return -1; - } - LIST_INSERT_HEAD(&ph1tree, iph1, chain); - - return 0; -} - -void -remph1(iph1) - struct ph1handle *iph1; -{ - LIST_REMOVE(iph1, chain); -} - -/* - * flush isakmp-sa - */ -void -flushph1() -{ - struct ph1handle *p, *next; - - for (p = LIST_FIRST(&ph1tree); p; p = next) { - next = LIST_NEXT(p, chain); - - /* send delete information */ - if (p->status == PHASE1ST_ESTABLISHED) - isakmp_info_send_d1(p); - - remph1(p); - delph1(p); - } -} - -void -initph1tree() -{ - LIST_INIT(&ph1tree); -} - -/* %%% management phase 2 handler */ -/* - * search ph2handle with policy id. - */ -struct ph2handle * -getph2byspid(spid) - u_int32_t spid; -{ - struct ph2handle *p; - - LIST_FOREACH(p, &ph2tree, chain) { - /* - * there are ph2handle independent on policy - * such like informational exchange. - */ - if (p->spid == spid) - return p; - } - - return NULL; -} - -/* - * search ph2handle with sequence number. 
- */ -struct ph2handle * -getph2byseq(seq) - u_int32_t seq; -{ - struct ph2handle *p; - - LIST_FOREACH(p, &ph2tree, chain) { - if (p->seq == seq) - return p; - } - - return NULL; -} - -/* - * search ph2handle with message id. - */ -struct ph2handle * -getph2bymsgid(iph1, msgid) - struct ph1handle *iph1; - u_int32_t msgid; -{ - struct ph2handle *p; - - LIST_FOREACH(p, &ph2tree, chain) { - if (p->msgid == msgid) - return p; - } - - return NULL; -} - -/* - * call by pk_recvexpire(). - */ -struct ph2handle * -getph2bysaidx(src, dst, proto_id, spi) - struct sockaddr *src, *dst; - u_int proto_id; - u_int32_t spi; -{ - struct ph2handle *iph2; - struct saproto *pr; - - LIST_FOREACH(iph2, &ph2tree, chain) { - if (iph2->proposal == NULL && iph2->approval == NULL) - continue; - if (iph2->approval != NULL) { - for (pr = iph2->approval->head; pr != NULL; - pr = pr->next) { - if (proto_id != pr->proto_id) - break; - if (spi == pr->spi || spi == pr->spi_p) - return iph2; - } - } else if (iph2->proposal != NULL) { - for (pr = iph2->proposal->head; pr != NULL; - pr = pr->next) { - if (proto_id != pr->proto_id) - break; - if (spi == pr->spi) - return iph2; - } - } - } - - return NULL; -} - -/* - * create new isakmp Phase 2 status record to handle isakmp in Phase2 - */ -struct ph2handle * -newph2() -{ - struct ph2handle *iph2 = NULL; - - /* create new iph2 */ - iph2 = racoon_calloc(1, sizeof(*iph2)); - if (iph2 == NULL) - return NULL; - - iph2->status = PHASE2ST_SPAWN; - - return iph2; -} - -/* - * initialize ph2handle - * NOTE: don't initialize src/dst. - * SPI in the proposal is cleared. 
- */ -void -initph2(iph2) - struct ph2handle *iph2; -{ - sched_scrub_param(iph2); - iph2->sce = NULL; - iph2->scr = NULL; - - VPTRINIT(iph2->sendbuf); - VPTRINIT(iph2->msg1); - - /* clear spi, keep variables in the proposal */ - if (iph2->proposal) { - struct saproto *pr; - for (pr = iph2->proposal->head; pr != NULL; pr = pr->next) - pr->spi = 0; - } - - /* clear approval */ - if (iph2->approval) { - flushsaprop(iph2->approval); - iph2->approval = NULL; - } - - /* clear the generated policy */ - if (iph2->spidx_gen) { - delsp_bothdir((struct policyindex *)iph2->spidx_gen); - racoon_free(iph2->spidx_gen); - iph2->spidx_gen = NULL; - } - - if (iph2->pfsgrp) { - oakley_dhgrp_free(iph2->pfsgrp); - iph2->pfsgrp = NULL; - } - - VPTRINIT(iph2->dhpriv); - VPTRINIT(iph2->dhpub); - VPTRINIT(iph2->dhpub_p); - VPTRINIT(iph2->dhgxy); - VPTRINIT(iph2->id); - VPTRINIT(iph2->id_p); - VPTRINIT(iph2->nonce); - VPTRINIT(iph2->nonce_p); - VPTRINIT(iph2->sa); - VPTRINIT(iph2->sa_ret); - - if (iph2->ivm) { - oakley_delivm(iph2->ivm); - iph2->ivm = NULL; - } -} - -/* - * delete new isakmp Phase 2 status record to handle isakmp in Phase2 - */ -void -delph2(iph2) - struct ph2handle *iph2; -{ - initph2(iph2); - - if (iph2->src) { - racoon_free(iph2->src); - iph2->src = NULL; - } - if (iph2->dst) { - racoon_free(iph2->dst); - iph2->dst = NULL; - } - if (iph2->src_id) { - racoon_free(iph2->src_id); - iph2->src_id = NULL; - } - if (iph2->dst_id) { - racoon_free(iph2->dst_id); - iph2->dst_id = NULL; - } - - if (iph2->proposal) { - flushsaprop(iph2->proposal); - iph2->proposal = NULL; - } - - racoon_free(iph2); -} - -/* - * create new isakmp Phase 2 status record to handle isakmp in Phase2 - */ -int -insph2(iph2) - struct ph2handle *iph2; -{ - LIST_INSERT_HEAD(&ph2tree, iph2, chain); - - return 0; -} - -void -remph2(iph2) - struct ph2handle *iph2; -{ - LIST_REMOVE(iph2, chain); -} - -void -initph2tree() -{ - LIST_INIT(&ph2tree); -} - -void -flushph2() -{ - struct ph2handle *p, *next; - - for (p 
= LIST_FIRST(&ph2tree); p; p = next) { - next = LIST_NEXT(p, chain); - - /* send delete information */ - if (p->status == PHASE2ST_ESTABLISHED) - isakmp_info_send_d2(p); - - unbindph12(p); - remph2(p); - delph2(p); - } -} - -/* - * Delete all Phase 2 handlers for this src/dst/proto. This - * is used during INITIAL-CONTACT processing (so no need to - * send a message to the peer). - */ -void -deleteallph2(src, dst, proto_id) - struct sockaddr *src, *dst; - u_int proto_id; -{ - struct ph2handle *iph2, *next; - struct saproto *pr; - - for (iph2 = LIST_FIRST(&ph2tree); iph2 != NULL; iph2 = next) { - next = LIST_NEXT(iph2, chain); - if (iph2->proposal == NULL && iph2->approval == NULL) - continue; - if (iph2->approval != NULL) { - for (pr = iph2->approval->head; pr != NULL; - pr = pr->next) { - if (proto_id == pr->proto_id) - goto zap_it; - } - } else if (iph2->proposal != NULL) { - for (pr = iph2->proposal->head; pr != NULL; - pr = pr->next) { - if (proto_id == pr->proto_id) - goto zap_it; - } - } - continue; - zap_it: - unbindph12(iph2); - remph2(iph2); - delph2(iph2); - } -} - -/* %%% */ -void -bindph12(iph1, iph2) - struct ph1handle *iph1; - struct ph2handle *iph2; -{ - iph2->ph1 = iph1; - LIST_INSERT_HEAD(&iph1->ph2tree, iph2, ph1bind); -} - -void -unbindph12(iph2) - struct ph2handle *iph2; -{ - if (iph2->ph1 != NULL) { - iph2->ph1 = NULL; - LIST_REMOVE(iph2, ph1bind); - } -} - -/* %%% management contacted list */ -/* - * search contacted list. 
- */ -struct contacted * -getcontacted(remote) - struct sockaddr *remote; -{ - struct contacted *p; - - LIST_FOREACH(p, &ctdtree, chain) { - if (cmpsaddrstrict(remote, p->remote) == 0) - return p; - } - - return NULL; -} - -/* - * create new isakmp Phase 2 status record to handle isakmp in Phase2 - */ -int -inscontacted(remote) - struct sockaddr *remote; -{ - struct contacted *new; - - /* create new iph2 */ - new = racoon_calloc(1, sizeof(*new)); - if (new == NULL) - return -1; - - new->remote = dupsaddr(remote); - - LIST_INSERT_HEAD(&ctdtree, new, chain); - - return 0; -} - -void -initctdtree() -{ - LIST_INIT(&ctdtree); -} - -/* - * check the response has been sent to the peer. when not, simply reply - * the buffered packet to the peer. - * OUT: - * 0: the packet is received at the first time. - * 1: the packet was processed before. - * 2: the packet was processed before, but the address mismatches. - * -1: error happened. - */ -int -check_recvdpkt(remote, local, rbuf) - struct sockaddr *remote, *local; - vchar_t *rbuf; -{ - vchar_t *hash; - struct recvdpkt *r; - time_t t; - int len, s; - - /* set current time */ - t = time(NULL); - - hash = eay_md5_one(rbuf); - if (!hash) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate buffer.\n"); - return -1; - } - - LIST_FOREACH(r, &rcptree, chain) { - if (memcmp(hash->v, r->hash->v, r->hash->l) == 0) - break; - } - vfree(hash); - - /* this is the first time to receive the packet */ - if (r == NULL) - return 0; - - /* - * the packet was processed before, but the remote address mismatches. - */ - if (cmpsaddrstrict(remote, r->remote) != 0) - return 2; - - /* - * it should not check the local address because the packet - * may arrive at other interface. - */ - - /* check the previous time to send */ - if (t - r->time_send < 1) { - plog(LLV_WARNING, LOCATION, NULL, - "the packet retransmitted in a short time from %s\n", - saddr2str(remote)); - /*XXX should it be error ? 
*/ - } - - /* select the socket to be sent */ - s = getsockmyaddr(r->local); - if (s == -1) - return -1; - - /* resend the packet if needed */ - len = sendfromto(s, r->sendbuf->v, r->sendbuf->l, - r->local, r->remote, lcconf->count_persend); - if (len == -1) { - plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n"); - return -1; - } - - /* check the retry counter */ - r->retry_counter--; - if (r->retry_counter <= 0) { - rem_recvdpkt(r); - del_recvdpkt(r); - plog(LLV_DEBUG, LOCATION, NULL, - "deleted the retransmission packet to %s.\n", - saddr2str(remote)); - } else - r->time_send = t; - - return 1; -} - -/* - * adding a hash of received packet into the received list. - */ -int -add_recvdpkt(remote, local, sbuf, rbuf) - struct sockaddr *remote, *local; - vchar_t *sbuf, *rbuf; -{ - struct recvdpkt *new = NULL; - - if (lcconf->retry_counter == 0) { - /* no need to add it */ - return 0; - } - - new = racoon_calloc(1, sizeof(*new)); - if (!new) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate buffer.\n"); - return -1; - } - - new->hash = eay_md5_one(rbuf); - if (!new->hash) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate buffer.\n"); - del_recvdpkt(new); - return -1; - } - new->remote = dupsaddr(remote); - if (new->remote == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate buffer.\n"); - del_recvdpkt(new); - return -1; - } - new->local = dupsaddr(local); - if (new->local == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate buffer.\n"); - del_recvdpkt(new); - return -1; - } - new->sendbuf = vdup(sbuf); - if (new->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate buffer.\n"); - del_recvdpkt(new); - return -1; - } - - new->retry_counter = lcconf->retry_counter; - new->time_send = 0; - new->created = time(NULL); - - LIST_INSERT_HEAD(&rcptree, new, chain); - - return 0; -} - -void -del_recvdpkt(r) - struct recvdpkt *r; -{ - if (r->remote) - racoon_free(r->remote); - if (r->local) - 
racoon_free(r->local); - if (r->hash) - vfree(r->hash); - if (r->sendbuf) - vfree(r->sendbuf); - racoon_free(r); -} - -void -rem_recvdpkt(r) - struct recvdpkt *r; -{ - LIST_REMOVE(r, chain); -} - -void -sweep_recvdpkt(dummy) - void *dummy; -{ - struct recvdpkt *r, *next; - time_t t, lt; - - /* set current time */ - t = time(NULL); - - /* set the lifetime of the retransmission */ - lt = lcconf->retry_counter * lcconf->retry_interval; - - for (r = LIST_FIRST(&rcptree); r; r = next) { - next = LIST_NEXT(r, chain); - - if (t - r->created > lt) { - rem_recvdpkt(r); - del_recvdpkt(r); - } - } - - sched_new(lt, sweep_recvdpkt, NULL); -} - -void -init_recvdpkt() -{ - time_t lt = lcconf->retry_counter * lcconf->retry_interval; - - LIST_INIT(&rcptree); - - sched_new(lt, sweep_recvdpkt, NULL); -} diff --git a/kame/kame/racoon/handler.h b/kame/kame/racoon/handler.h deleted file mode 100644 index adeb047e6d..0000000000 --- a/kame/kame/racoon/handler.h +++ /dev/null 
@@ -1,422 +0,0 @@
-/* $KAME: handler.h,v 1.44 2002/07/10 23:22:03 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* Phase 1 handler */
-/*
- * main mode:
- * initiator responder
- * 0 (---) (---)
- * 1 start start (1st msg received)
- * 2 (---) 1st valid msg received
- * 3 1st msg sent 1st msg sent
- * 4 1st valid msg received 2st valid msg received
- * 5 2nd msg sent 2nd msg sent
- * 6 2nd valid msg received 3rd valid msg received
- * 7 3rd msg sent 3rd msg sent
- * 8 3rd valid msg received (---)
- * 9 SA established SA established
- *
- * aggressive mode:
- * initiator responder
- * 0 (---) (---)
- * 1 start start (1st msg received)
- * 2 (---) 1st valid msg received
- * 3 1st msg sent 1st msg sent
- * 4 1st valid msg received 2st valid msg received
- * 5 (---) (---)
- * 6 (---) (---)
- * 7 (---) (---)
- * 8 (---) (---)
- * 9 SA established SA established
- *
- * base mode:
- * initiator responder
- * 0 (---) (---)
- * 1 start start (1st msg received)
- * 2 (---) 1st valid msg received
- * 3 1st msg sent 1st msg sent
- * 4 1st valid msg received 2st valid msg received
- * 5 2nd msg sent (---)
- * 6 (---) (---)
- * 7 (---) (---)
- * 8 (---) (---)
- * 9 SA established SA established
- */
-#define PHASE1ST_SPAWN 0
-#define PHASE1ST_START 1
-#define PHASE1ST_MSG1RECEIVED 2
-#define PHASE1ST_MSG1SENT 3
-#define PHASE1ST_MSG2RECEIVED 4
-#define PHASE1ST_MSG2SENT 5
-#define PHASE1ST_MSG3RECEIVED 6
-#define PHASE1ST_MSG3SENT 7
-#define PHASE1ST_MSG4RECEIVED 8
-#define PHASE1ST_ESTABLISHED 9
-#define PHASE1ST_EXPIRED 10
-#define PHASE1ST_MAX 11
-
-/* About address semantics in each case.
- * initiator(addr=I) responder(addr=R) - * src dst src dst - * (local) (remote) (local) (remote) - * phase 1 handler I R R I - * phase 2 handler I R R I - * getspi msg R I I R - * acquire msg I R - * ID payload I R I R - */ -struct ph1handle { - isakmp_index index; - - int status; /* status of this SA */ - int side; /* INITIATOR or RESPONDER */ - - struct sockaddr *remote; /* remote address to negosiate ph1 */ - struct sockaddr *local; /* local address to negosiate ph1 */ - /* XXX copy from rmconf due to anonymous configuration. - * If anonymous will be forbidden, we do delete them. */ - - struct remoteconf *rmconf; /* pointer to remote configuration */ - - struct isakmpsa *approval; /* pointer to SA(s) approved. */ - vchar_t *authstr; /* place holder of string for auth. */ - /* for example pre-shared key */ - - u_int8_t version; /* ISAKMP version */ - u_int8_t etype; /* Exchange type actually for use */ - u_int8_t flags; /* Flags */ - u_int32_t msgid; /* message id */ - - struct sched *sce; /* schedule for expire */ - - struct sched *scr; /* schedule for resend */ - int retry_counter; /* for resend. */ - vchar_t *sendbuf; /* buffer for re-sending */ - - vchar_t *dhpriv; /* DH; private value */ - vchar_t *dhpub; /* DH; public value */ - vchar_t *dhpub_p; /* DH; partner's public value */ - vchar_t *dhgxy; /* DH; shared secret */ - vchar_t *nonce; /* nonce value */ - vchar_t *nonce_p; /* partner's nonce value */ - vchar_t *skeyid; /* SKEYID */ - vchar_t *skeyid_d; /* SKEYID_d */ - vchar_t *skeyid_a; /* SKEYID_a, i.e. hash */ - vchar_t *skeyid_e; /* SKEYID_e, i.e. 
encryption */ - vchar_t *key; /* cipher key */ - vchar_t *hash; /* HASH minus general header */ - vchar_t *sig; /* SIG minus general header */ - vchar_t *sig_p; /* peer's SIG minus general header */ - cert_t *cert; /* CERT minus general header */ - cert_t *cert_p; /* peer's CERT minus general header */ - cert_t *crl_p; /* peer's CRL minus general header */ - cert_t *cr_p; /* peer's CR not including general */ - vchar_t *id; /* ID minus gen header */ - vchar_t *id_p; /* partner's ID minus general header */ - /* i.e. strut ipsecdoi_id_b*. */ - struct isakmp_ivm *ivm; /* IVs */ - - vchar_t *sa; /* whole SA payload to send/to be sent*/ - /* to calculate HASH */ - /* NOT INCLUDING general header. */ - - vchar_t *sa_ret; /* SA payload to reply/to be replyed */ - /* NOT INCLUDING general header. */ - /* NOTE: Should be release after use. */ - -#ifdef HAVE_GSSAPI - void *gssapi_state; /* GSS-API specific state. */ - /* Allocated when needed */ - vchar_t *gi_i; /* optional initiator GSS id */ - vchar_t *gi_r; /* optional responder GSS id */ -#endif - - struct isakmp_pl_hash *pl_hash; /* pointer to hash payload */ - - time_t created; /* timestamp for establish */ -#ifdef ENABLE_STATS - struct timeval start; - struct timeval end; -#endif - - u_int32_t msgid2; /* msgid counter for Phase 2 */ - int ph2cnt; /* the number which is negotiated by this phase 1 */ - LIST_HEAD(_ph2ofph1_, ph2handle) ph2tree; - - LIST_ENTRY(ph1handle) chain; -}; - -/* Phase 2 handler */ -/* allocated per a SA or SA bundles of a pair of peer's IP addresses. 
*/ -/* - * initiator responder - * 0 (---) (---) - * 1 start start (1st msg received) - * 2 acquire msg get 1st valid msg received - * 3 getspi request sent getspi request sent - * 4 getspi done getspi done - * 5 1st msg sent 1st msg sent - * 6 1st valid msg received 2nd valid msg received - * 7 (commit bit) (commit bit) - * 8 SAs added SAs added - * 9 SAs established SAs established - * 10 SAs expired SAs expired - */ -#define PHASE2ST_SPAWN 0 -#define PHASE2ST_START 1 -#define PHASE2ST_STATUS2 2 -#define PHASE2ST_GETSPISENT 3 -#define PHASE2ST_GETSPIDONE 4 -#define PHASE2ST_MSG1SENT 5 -#define PHASE2ST_STATUS6 6 -#define PHASE2ST_COMMIT 7 -#define PHASE2ST_ADDSA 8 -#define PHASE2ST_ESTABLISHED 9 -#define PHASE2ST_EXPIRED 10 -#define PHASE2ST_MAX 11 - -struct ph2handle { - struct sockaddr *src; /* my address of SA. */ - struct sockaddr *dst; /* peer's address of SA. */ - - /* - * copy ip address from ID payloads when ID type is ip address. - * In other case, they must be null. - */ - struct sockaddr *src_id; - struct sockaddr *dst_id; - - u_int32_t spid; /* policy id by kernel */ - - int status; /* ipsec sa status */ - u_int8_t side; /* INITIATOR or RESPONDER */ - - struct sched *sce; /* schedule for expire */ - struct sched *scr; /* schedule for resend */ - int retry_counter; /* for resend. */ - vchar_t *sendbuf; /* buffer for re-sending */ - vchar_t *msg1; /* buffer for re-sending */ - /* used for responder's first message */ - - int retry_checkph1; /* counter to wait phase 1 finished. */ - /* NOTE: actually it's timer. */ - - u_int32_t seq; /* sequence number used by PF_KEY */ - /* - * NOTE: In responder side, we can't identify each SAs - * with same destination address for example, when - * socket based SA is required. So we set a identifier - * number to "seq", and sent kernel by pfkey. - */ - u_int8_t satype; /* satype in PF_KEY */ - /* - * saved satype in the original PF_KEY request from - * the kernel in order to reply a error. 
- */ - - u_int8_t flags; /* Flags for phase 2 */ - u_int32_t msgid; /* msgid for phase 2 */ - - struct sainfo *sainfo; /* place holder of sainfo */ - struct saprop *proposal; /* SA(s) proposal. */ - struct saprop *approval; /* SA(s) approved. */ - caddr_t spidx_gen; /* policy from peer's proposal */ - - struct dhgroup *pfsgrp; /* DH; prime number */ - vchar_t *dhpriv; /* DH; private value */ - vchar_t *dhpub; /* DH; public value */ - vchar_t *dhpub_p; /* DH; partner's public value */ - vchar_t *dhgxy; /* DH; shared secret */ - vchar_t *id; /* ID minus gen header */ - vchar_t *id_p; /* peer's ID minus general header */ - vchar_t *nonce; /* nonce value in phase 2 */ - vchar_t *nonce_p; /* partner's nonce value in phase 2 */ - - vchar_t *sa; /* whole SA payload to send/to be sent*/ - /* to calculate HASH */ - /* NOT INCLUDING general header. */ - - vchar_t *sa_ret; /* SA payload to reply/to be replyed */ - /* NOT INCLUDING general header. */ - /* NOTE: Should be release after use. */ - - struct isakmp_ivm *ivm; /* IVs */ - -#ifdef ENABLE_STATS - struct timeval start; - struct timeval end; -#endif - struct ph1handle *ph1; /* back pointer to isakmp status */ - - LIST_ENTRY(ph2handle) chain; - LIST_ENTRY(ph2handle) ph1bind; /* chain to ph1handle */ -}; - -/* - * for handling initial contact. - */ -struct contacted { - struct sockaddr *remote; /* remote address to negosiate ph1 */ - LIST_ENTRY(contacted) chain; -}; - -/* - * for checking a packet retransmited. - */ -struct recvdpkt { - struct sockaddr *remote; /* the remote address */ - struct sockaddr *local; /* the local address */ - vchar_t *hash; /* hash of the received packet */ - vchar_t *sendbuf; /* buffer for the response */ - int retry_counter; /* how many times to send */ - time_t time_send; /* timestamp to send a packet */ - time_t created; /* timestamp to create a queue */ - - struct sched *scr; /* schedule for resend, may not used */ - - LIST_ENTRY(recvdpkt) chain; -}; - -/* for parsing ISAKMP header. 
*/ -struct isakmp_parse_t { - u_char type; /* payload type of mine */ - int len; /* ntohs(ptr->len) */ - struct isakmp_gen *ptr; -}; - -/* - * for IV management. - * - * - normal case - * initiator responder - * ------------------------- -------------------------- - * initialize iv(A), ive(A). initialize iv(A), ive(A). - * encode by ive(A). - * save to iv(B). ---[packet(B)]--> save to ive(B). - * decode by iv(A). - * packet consistency. - * sync iv(B) with ive(B). - * check auth, integrity. - * encode by ive(B). - * save to ive(C). <--[packet(C)]--- save to iv(C). - * decoded by iv(B). - * : - * - * - In the case that a error is found while cipher processing, - * initiator responder - * ------------------------- -------------------------- - * initialize iv(A), ive(A). initialize iv(A), ive(A). - * encode by ive(A). - * save to iv(B). ---[packet(B)]--> save to ive(B). - * decode by iv(A). - * packet consistency. - * sync iv(B) with ive(B). - * check auth, integrity. - * error found. - * create notify. - * get ive2(X) from iv(B). - * encode by ive2(X). - * get iv2(X) from iv(B). <--[packet(Y)]--- save to iv2(Y). - * save to ive2(Y). - * decoded by iv2(X). - * : - * - * The reason why the responder synchronizes iv with ive after checking the - * packet consistency is that it is required to leave the IV for decoding - * packet. Because there is a potential of error while checking the packet - * consistency. Also the reason why that is before authentication and - * integirty check is that the IV for informational exchange has to be made - * by the IV which is after packet decoded and checking the packet consistency. - * Otherwise IV mismatched happens between the intitiator and the responder. 
- */
-struct isakmp_ivm {
- vchar_t *iv; /* for decoding packet */
- /* if phase 1, it's for computing phase2 iv */
- vchar_t *ive; /* for encoding packet */
-};
-
-/* for dumping */
-struct ph1dump {
- isakmp_index index;
- int status;
- int side;
- struct sockaddr_storage remote;
- struct sockaddr_storage local;
- u_int8_t version;
- u_int8_t etype;
- time_t created;
- int ph2cnt;
-};
-
-struct sockaddr;
-struct ph1handle;
-struct ph2handle;
-struct policyindex;
-
-extern struct ph1handle *getph1byindex __P((isakmp_index *));
-extern struct ph1handle *getph1byindex0 __P((isakmp_index *));
-extern struct ph1handle *getph1byaddr __P((struct sockaddr *,
- struct sockaddr *));
-extern vchar_t *dumpph1 __P((void));
-extern struct ph1handle *newph1 __P((void));
-extern void delph1 __P((struct ph1handle *));
-extern int insph1 __P((struct ph1handle *));
-extern void remph1 __P((struct ph1handle *));
-extern void flushph1 __P((void));
-extern void initph1tree __P((void));
-
-extern struct ph2handle *getph2byspidx __P((struct policyindex *));
-extern struct ph2handle *getph2byspid __P((u_int32_t));
-extern struct ph2handle *getph2byseq __P((u_int32_t));
-extern struct ph2handle *getph2bymsgid __P((struct ph1handle *, u_int32_t));
-extern struct ph2handle *getph2bysaidx __P((struct sockaddr *,
- struct sockaddr *, u_int, u_int32_t));
-extern struct ph2handle *newph2 __P((void));
-extern void initph2 __P((struct ph2handle *));
-extern void delph2 __P((struct ph2handle *));
-extern int insph2 __P((struct ph2handle *));
-extern void remph2 __P((struct ph2handle *));
-extern void flushph2 __P((void));
-extern void deleteallph2 __P((struct sockaddr *, struct sockaddr *, u_int));
-extern void initph2tree __P((void));
-
-extern void bindph12 __P((struct ph1handle *, struct ph2handle *));
-extern void unbindph12 __P((struct ph2handle *));
-
-extern struct contacted *getcontacted __P((struct sockaddr *));
-extern int inscontacted __P((struct sockaddr *));
-extern void initctdtree
__P((void)); - -extern int check_recvdpkt __P((struct sockaddr *, - struct sockaddr *, vchar_t *)); -extern int add_recvdpkt __P((struct sockaddr *, struct sockaddr *, - vchar_t *, vchar_t *)); -extern void init_recvdpkt __P((void)); diff --git a/kame/kame/racoon/install-sh b/kame/kame/racoon/install-sh deleted file mode 100755 index ab74c882e9..0000000000 --- a/kame/kame/racoon/install-sh +++ /dev/null 
@@ -1,238 +0,0 @@ -#!/bin/sh -# -# install - install a program, script, or datafile -# This comes from X11R5. -# -# Calling this script install-sh is preferred over install.sh, to prevent -# `make' implicit rules from creating a file called install from it -# when there is no Makefile. -# -# This script is compatible with the BSD install script, but was written -# from scratch. -# - - -# set DOITPROG to echo to test this script - -# Don't use :- since 4.3BSD and earlier shells don't like it. -doit="${DOITPROG-}" - - -# put in absolute paths if you don't have them in your path; or use env. vars. - -mvprog="${MVPROG-mv}" -cpprog="${CPPROG-cp}" -chmodprog="${CHMODPROG-chmod}" -chownprog="${CHOWNPROG-chown}" -chgrpprog="${CHGRPPROG-chgrp}" -stripprog="${STRIPPROG-strip}" -rmprog="${RMPROG-rm}" -mkdirprog="${MKDIRPROG-mkdir}" - -tranformbasename="" -transform_arg="" -instcmd="$mvprog" -chmodcmd="$chmodprog 0755" -chowncmd="" -chgrpcmd="" -stripcmd="" -rmcmd="$rmprog -f" -mvcmd="$mvprog" -src="" -dst="" -dir_arg="" - -while [ x"$1" != x ]; do - case $1 in - -c) instcmd="$cpprog" - shift - continue;; - - -d) dir_arg=true - shift - continue;; - - -m) chmodcmd="$chmodprog $2" - shift - shift - continue;; - - -o) chowncmd="$chownprog $2" - shift - shift - continue;; - - -g) chgrpcmd="$chgrpprog $2" - shift - shift - continue;; - - -s) stripcmd="$stripprog" - shift - continue;; - - -t=*) transformarg=`echo $1 | sed 's/-t=//'` - shift - continue;; - - -b=*) transformbasename=`echo $1 | sed 's/-b=//'` - shift - continue;; - - *) if [ x"$src" = x ] - then - src=$1 - else - # this colon is to work around a 386BSD /bin/sh bug - : - dst=$1 - fi - shift - continue;; - esac -done - -if [ x"$src" = x ] -then - echo "install: no input file specified" - exit 1 -else - true -fi - -if [ x"$dir_arg" != x ]; then - dst=$src - src="" - - if [ -d $dst ]; then - instcmd=: - else - instcmd=mkdir - fi -else - -# Waiting for this to be detected by the "$instcmd $src $dsttmp" command -# might 
cause directories to be created, which would be especially bad -# if $src (and thus $dsttmp) contains '*'. - - if [ -f $src -o -d $src ] - then - true - else - echo "install: $src does not exist" - exit 1 - fi - - if [ x"$dst" = x ] - then - echo "install: no destination specified" - exit 1 - else - true - fi - -# If destination is a directory, append the input filename; if your system -# does not like double slashes in filenames, you may need to add some logic - - if [ -d $dst ] - then - dst="$dst"/`basename $src` - else - true - fi -fi - -## this sed command emulates the dirname command -dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'` - -# Make sure that the destination directory exists. -# this part is taken from Noah Friedman's mkinstalldirs script - -# Skip lots of stat calls in the usual case. -if [ ! -d "$dstdir" ]; then -defaultIFS=' -' -IFS="${IFS-${defaultIFS}}" - -oIFS="${IFS}" -# Some sh's can't handle IFS=/ for some reason. -IFS='%' -set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'` -IFS="${oIFS}" - -pathcomp='' - -while [ $# -ne 0 ] ; do - pathcomp="${pathcomp}${1}" - shift - - if [ ! -d "${pathcomp}" ] ; - then - $mkdirprog "${pathcomp}" - else - true - fi - - pathcomp="${pathcomp}/" -done -fi - -if [ x"$dir_arg" != x ] -then - $doit $instcmd $dst && - - if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi && - if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi && - if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi && - if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi -else - -# If we're going to rename the final executable, determine the name now. 
- - if [ x"$transformarg" = x ] - then - dstfile=`basename $dst` - else - dstfile=`basename $dst $transformbasename | - sed $transformarg`$transformbasename - fi - -# don't allow the sed command to completely eliminate the filename - - if [ x"$dstfile" = x ] - then - dstfile=`basename $dst` - else - true - fi - -# Make a temp file name in the proper directory. - - dsttmp=$dstdir/#inst.$$# - -# Move or copy the file name to the temp name - - $doit $instcmd $src $dsttmp && - - trap "rm -f ${dsttmp}" 0 && - -# and set any options; do chmod last to preserve setuid bits - -# If any of these fail, we abort the whole thing. If we want to -# ignore errors from any of these, just make sure not to ignore -# errors from the above "$doit $instcmd $src $dsttmp" command. - - if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi && - if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi && - if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi && - if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi && - -# Now rename the file to the real destination. - - $doit $rmcmd -f $dstdir/$dstfile && - $doit $mvcmd $dsttmp $dstdir/$dstfile - -fi && - - -exit 0 diff --git a/kame/kame/racoon/ipsec_doi.c b/kame/kame/racoon/ipsec_doi.c deleted file mode 100644 index 0a7653570e..0000000000 --- a/kame/kame/racoon/ipsec_doi.c +++ /dev/null 
@@ -1,3936 +0,0 @@
-/* $KAME: ipsec_doi.c,v 1.172 2005/04/18 03:48:32 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include
-#include
-#include
-
-#include
-#include
-
-#ifdef IPV6_INRIA_VERSION
-#include
-#else
-#include
-#endif
-
-#include
-#include
-#include
-#include
-#include
-#if TIME_WITH_SYS_TIME
-# include
-# include
-#else
-# if HAVE_SYS_TIME_H
-# include
-# else
-# include
-# endif
-#endif
-
-#include "var.h"
-#include "vmbuf.h"
-#include "misc.h"
-#include "plog.h"
-#include "debug.h"
-
-#include "cfparse_proto.h"
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "ipsec_doi.h"
-#include "oakley.h"
-#include "remoteconf.h"
-#include "localconf.h"
-#include "sockmisc.h"
-#include "handler.h"
-#include "policy.h"
-#include "algorithm.h"
-#include "sainfo.h"
-#include "proposal.h"
-#include "crypto_openssl.h"
-#include "strnames.h"
-#include "gcmalloc.h"
-
-#ifdef HAVE_GSSAPI
-#include "auth_gssapi.h"
-#endif
-
-int verbose_proposal_check = 1;
-
-static vchar_t *get_ph1approval __P((struct ph1handle *, struct prop_pair **));
-static struct isakmpsa *get_ph1approvalx __P((struct prop_pair *,
- struct isakmpsa *, struct isakmpsa *));
-static void print_ph1mismatched __P((struct prop_pair *, struct isakmpsa *));
-static int t2isakmpsa __P((struct isakmp_pl_t *, struct isakmpsa *));
-static int cmp_aproppair_i __P((struct prop_pair *, struct prop_pair *));
-static struct prop_pair *get_ph2approval __P((struct ph2handle *,
- struct prop_pair **));
-static struct prop_pair *get_ph2approvalx __P((struct ph2handle *,
- struct prop_pair *));
-static void free_proppair0 __P((struct prop_pair *));
-
-static int get_transform
- __P((struct isakmp_pl_p *, struct prop_pair **, int *));
-static u_int32_t ipsecdoi_set_ld __P((vchar_t *));
-
-static int check_doi __P((u_int32_t));
-static int check_situation __P((u_int32_t));
-
-static int check_prot_main __P((int));
-static int check_prot_quick __P((int));
-static int (*check_protocol[]) __P((int)) = {
- check_prot_main, /* IPSECDOI_TYPE_PH1 */
- check_prot_quick, /* IPSECDOI_TYPE_PH2 */
-};
-
-static int check_spi_size
__P((int, int)); - -static int check_trns_isakmp __P((int)); -static int check_trns_ah __P((int)); -static int check_trns_esp __P((int)); -static int check_trns_ipcomp __P((int)); -static int (*check_transform[]) __P((int)) = { - 0, - check_trns_isakmp, /* IPSECDOI_PROTO_ISAKMP */ - check_trns_ah, /* IPSECDOI_PROTO_IPSEC_AH */ - check_trns_esp, /* IPSECDOI_PROTO_IPSEC_ESP */ - check_trns_ipcomp, /* IPSECDOI_PROTO_IPCOMP */ -}; - -static int check_attr_isakmp __P((struct isakmp_pl_t *)); -static int check_attr_ah __P((struct isakmp_pl_t *)); -static int check_attr_esp __P((struct isakmp_pl_t *)); -static int check_attr_ipsec __P((int, struct isakmp_pl_t *)); -static int check_attr_ipcomp __P((struct isakmp_pl_t *)); -static int (*check_attributes[]) __P((struct isakmp_pl_t *)) = { - 0, - check_attr_isakmp, /* IPSECDOI_PROTO_ISAKMP */ - check_attr_ah, /* IPSECDOI_PROTO_IPSEC_AH */ - check_attr_esp, /* IPSECDOI_PROTO_IPSEC_ESP */ - check_attr_ipcomp, /* IPSECDOI_PROTO_IPCOMP */ -}; - -static int setph1prop __P((struct isakmpsa *, caddr_t)); -static int setph1trns __P((struct isakmpsa *, caddr_t)); -static int setph1attr __P((struct isakmpsa *, caddr_t)); -static vchar_t *setph2proposal0 __P((const struct ph2handle *, - const struct saprop *, const struct saproto *)); - -static vchar_t *getidval __P((int, vchar_t *)); - -#ifdef HAVE_GSSAPI -static struct isakmpsa *fixup_initiator_sa __P((struct isakmpsa *, - struct isakmpsa *)); -#endif - -/*%%%*/ -/* - * check phase 1 SA payload. - * make new SA payload to be replyed not including general header. - * the pointer to one of isakmpsa in proposal is set into iph1->approval. - * OUT: - * positive: the pointer to new buffer of SA payload. - * network byte order. - * NULL : error occurd. - */ -int -ipsecdoi_checkph1proposal(sa, iph1) - vchar_t *sa; - struct ph1handle *iph1; -{ - vchar_t *newsa; /* new SA payload approved. 
*/ - struct prop_pair **pair; - - /* get proposal pair */ - pair = get_proppair(sa, IPSECDOI_TYPE_PH1); - if (pair == NULL) - return -1; - - /* check and get one SA for use */ - newsa = get_ph1approval(iph1, pair); - - free_proppair(pair); - - if (newsa == NULL) - return -1; - - iph1->sa_ret = newsa; - - return 0; -} - -/* - * acceptable check for remote configuration. - * return a new SA payload to be reply to peer. - */ -static vchar_t * -get_ph1approval(iph1, pair) - struct ph1handle *iph1; - struct prop_pair **pair; -{ - vchar_t *newsa; - struct isakmpsa *sa, tsa; - struct prop_pair *s, *p; - int prophlen; - int i; - - iph1->approval = NULL; - - for (i = 0; i < MAXPROPPAIRLEN; i++) { - if (pair[i] == NULL) - continue; - for (s = pair[i]; s; s = s->next) { - prophlen = sizeof(struct isakmp_pl_p) - + s->prop->spi_size; - /* compare proposal and select one */ - for (p = s; p; p = p->tnext) { - sa = get_ph1approvalx(p, iph1->rmconf->proposal, - &tsa); - if (sa != NULL) - goto found; - } - } - } - - /* - * if there is no suitable proposal, racoon complains about all of - * mismatched items in those proposal. 
- */ - if (verbose_proposal_check) { - for (i = 0; i < MAXPROPPAIRLEN; i++) { - if (pair[i] == NULL) - continue; - for (s = pair[i]; s; s = s->next) { - prophlen = sizeof(struct isakmp_pl_p) - + s->prop->spi_size; - for (p = s; p; p = p->tnext) { - print_ph1mismatched(p, - iph1->rmconf->proposal); - } - } - } - } - plog(LLV_ERROR, LOCATION, NULL, "no suitable proposal found.\n"); - - return NULL; - -found: - plog(LLV_DEBUG, LOCATION, NULL, "an acceptable proposal found.\n"); - - /* check DH group settings */ - if (sa->dhgrp) { - if (sa->dhgrp->prime && sa->dhgrp->gen1) { - /* it's ok */ - goto saok; - } - plog(LLV_WARNING, LOCATION, NULL, - "invalid DH parameter found, use default.\n"); - oakley_dhgrp_free(sa->dhgrp); - } - - if (oakley_setdhgroup(sa->dh_group, &sa->dhgrp) == -1) { - sa->dhgrp = NULL; - return NULL; - } - -saok: -#ifdef HAVE_GSSAPI - if (sa->gssid != NULL) - plog(LLV_DEBUG, LOCATION, NULL, "gss id in new sa '%s'\n", - sa->gssid->v); - if (iph1-> side == INITIATOR) { - if (iph1->rmconf->proposal->gssid != NULL) - iph1->gi_i = vdup(iph1->rmconf->proposal->gssid); - if (tsa.gssid != NULL) - iph1->gi_r = vdup(tsa.gssid); - iph1->approval = fixup_initiator_sa(sa, &tsa); - } else { - if (tsa.gssid != NULL) { - iph1->gi_r = vdup(tsa.gssid); - if (iph1->rmconf->proposal->gssid != NULL) - iph1->gi_i = - vdup(iph1->rmconf->proposal->gssid); - else - iph1->gi_i = gssapi_get_default_id(iph1); - if (sa->gssid == NULL && iph1->gi_i != NULL) - sa->gssid = vdup(iph1->gi_i); - } - iph1->approval = sa; - } - if (iph1->gi_i != NULL) - plog(LLV_DEBUG, LOCATION, NULL, "GIi is %*s\n", - iph1->gi_i->l, iph1->gi_i->v); - if (iph1->gi_r != NULL) - plog(LLV_DEBUG, LOCATION, NULL, "GIr is %*s\n", - iph1->gi_r->l, iph1->gi_r->v); -#else - iph1->approval = sa; -#endif - - newsa = get_sabyproppair(p, iph1); - if (newsa == NULL) - iph1->approval = NULL; - - return newsa; -} - -/* - * compare peer's single proposal and all of my proposal. - * and select one if suiatable. 
- * p : one of peer's proposal. - * proposal: my proposals. - */ -static struct isakmpsa * -get_ph1approvalx(p, proposal, sap) - struct prop_pair *p; - struct isakmpsa *proposal, *sap; -{ - struct isakmp_pl_p *prop = p->prop; - struct isakmp_pl_t *trns = p->trns; - struct isakmpsa sa, *s, *tsap; - - plog(LLV_DEBUG, LOCATION, NULL, - "prop#=%d, prot-id=%s, spi-size=%d, #trns=%d\n", - prop->p_no, s_ipsecdoi_proto(prop->proto_id), - prop->spi_size, prop->num_t); - - plog(LLV_DEBUG, LOCATION, NULL, - "trns#=%d, trns-id=%s\n", - trns->t_no, - s_ipsecdoi_trns(prop->proto_id, trns->t_id)); - - tsap = sap != NULL ? sap : &sa; - - memset(tsap, 0, sizeof(*tsap)); - if (t2isakmpsa(trns, tsap) < 0) - return NULL; - for (s = proposal; s != NULL; s = s->next) { - plog(LLV_DEBUG, LOCATION, NULL, "Compared: DB:Peer\n"); - plog(LLV_DEBUG, LOCATION, NULL, "(lifetime = %ld:%ld)\n", - s->lifetime, tsap->lifetime); - plog(LLV_DEBUG, LOCATION, NULL, "(lifebyte = %ld:%ld)\n", - s->lifebyte, tsap->lifebyte); - plog(LLV_DEBUG, LOCATION, NULL, "enctype = %s:%s\n", - s_oakley_attr_v(OAKLEY_ATTR_ENC_ALG, - s->enctype), - s_oakley_attr_v(OAKLEY_ATTR_ENC_ALG, - tsap->enctype)); - plog(LLV_DEBUG, LOCATION, NULL, "(encklen = %d:%d)\n", - s->encklen, tsap->encklen); - plog(LLV_DEBUG, LOCATION, NULL, "hashtype = %s:%s\n", - s_oakley_attr_v(OAKLEY_ATTR_HASH_ALG, - s->hashtype), - s_oakley_attr_v(OAKLEY_ATTR_HASH_ALG, - tsap->hashtype)); - plog(LLV_DEBUG, LOCATION, NULL, "authmethod = %s:%s\n", - s_oakley_attr_v(OAKLEY_ATTR_AUTH_METHOD, - s->authmethod), - s_oakley_attr_v(OAKLEY_ATTR_AUTH_METHOD, - tsap->authmethod)); - plog(LLV_DEBUG, LOCATION, NULL, "dh_group = %s:%s\n", - s_oakley_attr_v(OAKLEY_ATTR_GRP_DESC, - s->dh_group), - s_oakley_attr_v(OAKLEY_ATTR_GRP_DESC, - tsap->dh_group)); -#if 0 - /* XXX to be considered */ - if (tsap->lifetime > s->lifetime) ; - if (tsap->lifebyte > s->lifebyte) ; -#endif - /* - * if responder side and peer's key length in proposal - * is bigger than mine, it might be 
accepted. - */ - if(tsap->enctype == s->enctype && - tsap->authmethod == s->authmethod && - tsap->hashtype == s->hashtype && - tsap->dh_group == s->dh_group && - tsap->encklen == s->encklen) - break; - } - - if (tsap->dhgrp != NULL) - oakley_dhgrp_free(tsap->dhgrp); - return s; -} - -/* - * print all of items in peer's proposal which are mismatched to my proposal. - * p : one of peer's proposal. - * proposal: my proposals. - */ -static void -print_ph1mismatched(p, proposal) - struct prop_pair *p; - struct isakmpsa *proposal; -{ - struct isakmpsa sa, *s; - - memset(&sa, 0, sizeof(sa)); - if (t2isakmpsa(p->trns, &sa) < 0) - return; - for (s = proposal; s ; s = s->next) { - if (sa.enctype != s->enctype) { - plog(LLV_ERROR, LOCATION, NULL, - "rejected enctype: " - "DB(prop#%d:trns#%d):Peer(prop#%d:trns#%d) = " - "%s:%s\n", - s->prop_no, s->trns_no, - p->prop->p_no, p->trns->t_no, - s_oakley_attr_v(OAKLEY_ATTR_ENC_ALG, - s->enctype), - s_oakley_attr_v(OAKLEY_ATTR_ENC_ALG, - sa.enctype)); - } - if (sa.authmethod != s->authmethod) { - plog(LLV_ERROR, LOCATION, NULL, - "rejected authmethod: " - "DB(prop#%d:trns#%d):Peer(prop#%d:trns#%d) = " - "%s:%s\n", - s->prop_no, s->trns_no, - p->prop->p_no, p->trns->t_no, - s_oakley_attr_v(OAKLEY_ATTR_AUTH_METHOD, - s->authmethod), - s_oakley_attr_v(OAKLEY_ATTR_AUTH_METHOD, - sa.authmethod)); - } - if (sa.hashtype != s->hashtype) { - plog(LLV_ERROR, LOCATION, NULL, - "rejected hashtype: " - "DB(prop#%d:trns#%d):Peer(prop#%d:trns#%d) = " - "%s:%s\n", - s->prop_no, s->trns_no, - p->prop->p_no, p->trns->t_no, - s_oakley_attr_v(OAKLEY_ATTR_HASH_ALG, - s->hashtype), - s_oakley_attr_v(OAKLEY_ATTR_HASH_ALG, - sa.hashtype)); - } - if (sa.dh_group != s->dh_group) { - plog(LLV_ERROR, LOCATION, NULL, - "rejected dh_group: " - "DB(prop#%d:trns#%d):Peer(prop#%d:trns#%d) = " - "%s:%s\n", - s->prop_no, s->trns_no, - p->prop->p_no, p->trns->t_no, - s_oakley_attr_v(OAKLEY_ATTR_GRP_DESC, - s->dh_group), - s_oakley_attr_v(OAKLEY_ATTR_GRP_DESC, - 
sa.dh_group)); - } - } - - if (sa.dhgrp != NULL) - oakley_dhgrp_free(sa.dhgrp); -} - -/* - * get ISAKMP data attributes - */ -static int -t2isakmpsa(trns, sa) - struct isakmp_pl_t *trns; - struct isakmpsa *sa; -{ - struct isakmp_data *d, *prev; - int flag, type; - int error = -1; - int life_t; - int keylen = 0; - vchar_t *val = NULL; - int len, tlen; - u_char *p; - - tlen = ntohs(trns->h.len) - sizeof(*trns); - prev = (struct isakmp_data *)NULL; - d = (struct isakmp_data *)(trns + 1); - - /* default */ - life_t = OAKLEY_ATTR_SA_LD_TYPE_DEFAULT; - sa->lifetime = OAKLEY_ATTR_SA_LD_SEC_DEFAULT; - sa->lifebyte = 0; - sa->dhgrp = racoon_calloc(1, sizeof(struct dhgroup)); - if (!sa->dhgrp) - goto err; - - while (tlen > 0) { - - type = ntohs(d->type) & ~ISAKMP_GEN_MASK; - flag = ntohs(d->type) & ISAKMP_GEN_MASK; - - plog(LLV_DEBUG, LOCATION, NULL, - "type=%s, flag=0x%04x, lorv=%s\n", - s_oakley_attr(type), flag, - s_oakley_attr_v(type, ntohs(d->lorv))); - - /* get variable-sized item */ - switch (type) { - case OAKLEY_ATTR_GRP_PI: - case OAKLEY_ATTR_GRP_GEN_ONE: - case OAKLEY_ATTR_GRP_GEN_TWO: - case OAKLEY_ATTR_GRP_CURVE_A: - case OAKLEY_ATTR_GRP_CURVE_B: - case OAKLEY_ATTR_SA_LD: - case OAKLEY_ATTR_GRP_ORDER: - if (flag) { /*TV*/ - len = 2; - p = (u_char *)&d->lorv; - } else { /*TLV*/ - len = ntohs(d->lorv); - p = (u_char *)(d + 1); - } - val = vmalloc(len); - if (!val) - return -1; - memcpy(val->v, p, len); - break; - - default: - break; - } - - switch (type) { - case OAKLEY_ATTR_ENC_ALG: - sa->enctype = (u_int16_t)ntohs(d->lorv); - break; - - case OAKLEY_ATTR_HASH_ALG: - sa->hashtype = (u_int16_t)ntohs(d->lorv); - break; - - case OAKLEY_ATTR_AUTH_METHOD: - sa->authmethod = ntohs(d->lorv); - break; - - case OAKLEY_ATTR_GRP_DESC: - sa->dh_group = (u_int16_t)ntohs(d->lorv); - break; - - case OAKLEY_ATTR_GRP_TYPE: - { - int type = (int)ntohs(d->lorv); - if (type == OAKLEY_ATTR_GRP_TYPE_MODP) - sa->dhgrp->type = type; - else - return -1; - break; - } - case 
OAKLEY_ATTR_GRP_PI: - sa->dhgrp->prime = val; - break; - - case OAKLEY_ATTR_GRP_GEN_ONE: - vfree(val); - if (!flag) - sa->dhgrp->gen1 = ntohs(d->lorv); - else { - int len = ntohs(d->lorv); - sa->dhgrp->gen1 = 0; - if (len > 4) - return -1; - memcpy(&sa->dhgrp->gen1, d + 1, len); - sa->dhgrp->gen1 = ntohl(sa->dhgrp->gen1); - } - break; - - case OAKLEY_ATTR_GRP_GEN_TWO: - vfree(val); - if (!flag) - sa->dhgrp->gen2 = ntohs(d->lorv); - else { - int len = ntohs(d->lorv); - sa->dhgrp->gen2 = 0; - if (len > 4) - return -1; - memcpy(&sa->dhgrp->gen2, d + 1, len); - sa->dhgrp->gen2 = ntohl(sa->dhgrp->gen2); - } - break; - - case OAKLEY_ATTR_GRP_CURVE_A: - sa->dhgrp->curve_a = val; - break; - - case OAKLEY_ATTR_GRP_CURVE_B: - sa->dhgrp->curve_b = val; - break; - - case OAKLEY_ATTR_SA_LD_TYPE: - { - int type = (int)ntohs(d->lorv); - switch (type) { - case OAKLEY_ATTR_SA_LD_TYPE_SEC: - case OAKLEY_ATTR_SA_LD_TYPE_KB: - life_t = type; - break; - default: - life_t = OAKLEY_ATTR_SA_LD_TYPE_DEFAULT; - break; - } - break; - } - case OAKLEY_ATTR_SA_LD: - if (!prev - || (ntohs(prev->type) & ~ISAKMP_GEN_MASK) != - OAKLEY_ATTR_SA_LD_TYPE) { - plog(LLV_ERROR, LOCATION, NULL, - "life duration must follow ltype\n"); - break; - } - - switch (life_t) { - case IPSECDOI_ATTR_SA_LD_TYPE_SEC: - sa->lifetime = ipsecdoi_set_ld(val); - vfree(val); - if (sa->lifetime == 0) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid life duration.\n"); - goto err; - } - break; - case IPSECDOI_ATTR_SA_LD_TYPE_KB: - sa->lifebyte = ipsecdoi_set_ld(val); - vfree(val); - if (sa->lifebyte == 0) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid life duration.\n"); - goto err; - } - break; - default: - vfree(val); - plog(LLV_ERROR, LOCATION, NULL, - "invalid life type: %d\n", life_t); - goto err; - } - break; - - case OAKLEY_ATTR_KEY_LEN: - { - int len = ntohs(d->lorv); - if (len % 8 != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "keylen %d: not multiple of 8\n", - len); - goto err; - } - sa->encklen = (u_int16_t)len; - 
keylen++; - break; - } - case OAKLEY_ATTR_PRF: - case OAKLEY_ATTR_FIELD_SIZE: - /* unsupported */ - break; - - case OAKLEY_ATTR_GRP_ORDER: - sa->dhgrp->order = val; - break; -#ifdef HAVE_GSSAPI - case OAKLEY_ATTR_GSS_ID: - { - int len = ntohs(d->lorv); - - sa->gssid = vmalloc(len); - memcpy(sa->gssid->v, d + 1, len); - plog(LLV_DEBUG, LOCATION, NULL, - "received gss id '%s' (len %d)\n", sa->gssid->v, - sa->gssid->l); - break; - } -#endif - - default: - break; - } - - prev = d; - if (flag) { - tlen -= sizeof(*d); - d = (struct isakmp_data *)((char *)d + sizeof(*d)); - } else { - tlen -= (sizeof(*d) + ntohs(d->lorv)); - d = (struct isakmp_data *)((char *)d + sizeof(*d) + ntohs(d->lorv)); - } - } - - /* key length must not be specified on some algorithms */ - if (keylen) { - if (sa->enctype == OAKLEY_ATTR_ENC_ALG_DES -#ifdef HAVE_OPENSSL_IDEA_H - || sa->enctype == OAKLEY_ATTR_ENC_ALG_IDEA -#endif - || sa->enctype == OAKLEY_ATTR_ENC_ALG_3DES) { - plog(LLV_ERROR, LOCATION, NULL, - "keylen must not be specified " - "for encryption algorithm %d\n", - sa->enctype); - return -1; - } - } - - return 0; -err: - return error; -} - -/*%%%*/ -/* - * check phase 2 SA payload and select single proposal. - * make new SA payload to be replyed not including general header. - * This function is called by responder only. - * OUT: - * 0: succeed. - * -1: error occured. - */ -int -ipsecdoi_selectph2proposal(iph2) - struct ph2handle *iph2; -{ - struct prop_pair **pair; - struct prop_pair *ret; - - /* get proposal pair */ - pair = get_proppair(iph2->sa, IPSECDOI_TYPE_PH2); - if (pair == NULL) - return -1; - - /* check and select a proposal. */ - ret = get_ph2approval(iph2, pair); - free_proppair(pair); - if (ret == NULL) - return -1; - - /* make a SA to be replayed. */ - /* SPI must be updated later. 
*/ - iph2->sa_ret = get_sabyproppair(ret, iph2->ph1); - free_proppair0(ret); - if (iph2->sa_ret == NULL) - return -1; - - return 0; -} - -/* - * check phase 2 SA payload returned from responder. - * This function is called by initiator only. - * OUT: - * 0: valid. - * -1: invalid. - */ -int -ipsecdoi_checkph2proposal(iph2) - struct ph2handle *iph2; -{ - struct prop_pair **rpair = NULL, **spair = NULL; - struct prop_pair *p; - int i, n, num; - int error = -1; - - /* get proposal pair of SA sent. */ - spair = get_proppair(iph2->sa, IPSECDOI_TYPE_PH2); - if (spair == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get prop pair.\n"); - goto end; - } - - /* XXX should check the number of transform */ - - /* get proposal pair of SA replyed */ - rpair = get_proppair(iph2->sa_ret, IPSECDOI_TYPE_PH2); - if (rpair == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get prop pair.\n"); - goto end; - } - - /* check proposal is only one ? */ - n = 0; - num = 0; - for (i = 0; i < MAXPROPPAIRLEN; i++) { - if (rpair[i]) { - n = i; - num++; - } - } - if (num == 0) { - plog(LLV_ERROR, LOCATION, NULL, - "no proposal received.\n"); - goto end; - } - if (num != 1) { - plog(LLV_ERROR, LOCATION, NULL, - "some proposals received.\n"); - goto end; - } - - if (spair[n] == NULL) { - plog(LLV_WARNING, LOCATION, NULL, - "invalid proposal number:%d received.\n", i); - } - - - if (rpair[n]->tnext != NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "multi transforms replyed.\n"); - goto end; - } - - if (cmp_aproppair_i(rpair[n], spair[n])) { - plog(LLV_ERROR, LOCATION, NULL, - "proposal mismathed.\n"); - goto end; - } - - /* - * check and select a proposal. - * ensure that there is no modification of the proposal by - * cmp_aproppair_i() - */ - p = get_ph2approval(iph2, rpair); - if (p == NULL) - goto end; - - /* make a SA to be replayed. 
*/ - VPTRINIT(iph2->sa_ret); - iph2->sa_ret = get_sabyproppair(p, iph2->ph1); - free_proppair0(p); - if (iph2->sa_ret == NULL) - goto end; - - error = 0; - -end: - if (rpair) - free_proppair(rpair); - if (spair) - free_proppair(spair); - - return error; -} - -/* - * compare two prop_pairs if these are identical. - * a: a proposal is replyed from the responder. it must not include multi - * transforms in a protocol. - * b: a proposal is sent to the responder. - * NOTE: this function is for initiator. - * OUT - * 0: equal - * 1: not equal - */ -static int -cmp_aproppair_i(a, b) - struct prop_pair *a, *b; -{ - struct prop_pair *p, *q, *r; - int len; - - for (p = a, q = b; p && q; p = p->next, q = q->next) { - for (r = q; r; r = r->tnext) { - /* compare trns */ - if (p->trns->t_no == r->trns->t_no) - break; - } - if (!r) { - /* no suitable transform found */ - plog(LLV_ERROR, LOCATION, NULL, - "no suitable transform found.\n"); - return -1; - } - - /* compare prop */ - if (p->prop->p_no != r->prop->p_no) { - plog(LLV_WARNING, LOCATION, NULL, - "proposal #%d mismatched, " - "expected #%d.\n", - r->prop->p_no, p->prop->p_no); - /*FALLTHROUGH*/ - } - - if (p->prop->proto_id != r->prop->proto_id) { - plog(LLV_ERROR, LOCATION, NULL, - "proto_id mismathed: my:%d peer:%d\n", - r->prop->proto_id, p->prop->proto_id); - return -1; - } - - if (p->prop->proto_id != r->prop->proto_id) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid spi size: %d.\n", - p->prop->proto_id); - return -1; - } - - /* check #of transforms */ - if (p->prop->num_t != 1) { - plog(LLV_WARNING, LOCATION, NULL, - "#of transform is %d, " - "but expected 1.\n", p->prop->num_t); - /*FALLTHROUGH*/ - } - - if (p->trns->t_id != r->trns->t_id) { - plog(LLV_WARNING, LOCATION, NULL, - "transform number has been modified.\n"); - /*FALLTHROUGH*/ - } - if (p->trns->reserved != r->trns->reserved) { - plog(LLV_WARNING, LOCATION, NULL, - "reserved field should be zero.\n"); - /*FALLTHROUGH*/ - } - - /* compare attribute */ - 
len = ntohs(r->trns->h.len) - sizeof(*p->trns); - if (memcmp(p->trns + 1, r->trns + 1, len) != 0) { - plog(LLV_WARNING, LOCATION, NULL, - "attribute has been modified.\n"); - /*FALLTHROUGH*/ - } - } - if ((p && !q) || (!p && q)) { - /* # of protocols mismatched */ - plog(LLV_ERROR, LOCATION, NULL, - "#of protocols mismatched.\n"); - return -1; - } - - return 0; -} - -/* - * acceptable check for policy configuration. - * return a new SA payload to be reply to peer. - */ -static struct prop_pair * -get_ph2approval(iph2, pair) - struct ph2handle *iph2; - struct prop_pair **pair; -{ - struct prop_pair *ret; - int i; - - iph2->approval = NULL; - - plog(LLV_DEBUG, LOCATION, NULL, - "begin compare proposals.\n"); - - for (i = 0; i < MAXPROPPAIRLEN; i++) { - if (pair[i] == NULL) - continue; - plog(LLV_DEBUG, LOCATION, NULL, - "pair[%d]: %p\n", i, pair[i]); - print_proppair(LLV_DEBUG, pair[i]);; - - /* compare proposal and select one */ - ret = get_ph2approvalx(iph2, pair[i]); - if (ret != NULL) { - /* found */ - return ret; - } - } - - plog(LLV_ERROR, LOCATION, NULL, "no suitable policy found.\n"); - - return NULL; -} - -/* - * compare my proposals to a peers one. - * allocate a propo_pair if a suitable proposal is found. 
- */ -static struct prop_pair * -get_ph2approvalx(iph2, pp) - struct ph2handle *iph2; - struct prop_pair *pp; -{ - struct prop_pair *ret = NULL; - struct saprop *pr0, *pr = NULL; - struct saprop *q1, *q2; - - pr0 = aproppair2saprop(pp); - if (pr0 == NULL) - return NULL; - - for (q1 = pr0; q1; q1 = q1->next) { - for (q2 = iph2->proposal; q2; q2 = q2->next) { - plog(LLV_DEBUG, LOCATION, NULL, - "peer's single bundle:\n"); - printsaprop0(LLV_DEBUG, q1); - plog(LLV_DEBUG, LOCATION, NULL, - "my single bundle:\n"); - printsaprop0(LLV_DEBUG, q2); - - pr = cmpsaprop_alloc(iph2->ph1, q1, q2, iph2->side); - if (pr != NULL) - goto found; - - plog(LLV_ERROR, LOCATION, NULL, - "not matched\n"); - } - } - /* no proposal matching */ -err: - flushsaprop(pr0); - return NULL; - -found: - flushsaprop(pr0); - plog(LLV_DEBUG, LOCATION, NULL, "matched\n"); - iph2->approval = pr; - - { - struct saproto *sp; - struct prop_pair *p, *n, *x; - - ret = NULL; - - for (p = pp; p; p = p->next) { - /* - * find a proposal with matching proto_id. - * we have analyzed validity already, in cmpsaprop_alloc(). - */ - for (sp = pr->head; sp; sp = sp->next) { - if (sp->proto_id == p->prop->proto_id) - break; - } - if (!sp) - goto err; - if (sp->head->next) - goto err; /* XXX */ - - for (x = p; x; x = x->tnext) - if (sp->head->trns_no == x->trns->t_no) - break; - if (!x) - goto err; /* XXX */ - - n = racoon_calloc(1, sizeof(struct prop_pair)); - if (!n) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer.\n"); - goto err; - } - - n->prop = x->prop; - n->trns = x->trns; - - /* need to preserve the order */ - for (x = ret; x && x->next; x = x->next) - ; - if (x && x->prop == n->prop) { - for (/*nothing*/; x && x->tnext; x = x->tnext) - ; - x->tnext = n; - } else { - if (x) - x->next = n; - else { - ret = n; - } - } - - /* #of transforms should be updated ? 
*/ - } - } - - return ret; -} - -void -free_proppair(pair) - struct prop_pair **pair; -{ - int i; - - for (i = 0; i < MAXPROPPAIRLEN; i++) { - free_proppair0(pair[i]); - pair[i] = NULL; - } - racoon_free(pair); -} - -static void -free_proppair0(pair) - struct prop_pair *pair; -{ - struct prop_pair *p, *q, *r, *s; - - for (p = pair; p; p = q) { - q = p->next; - for (r = p; r; r = s) { - s = r->tnext; - racoon_free(r); - } - } -} - -/* - * get proposal pairs from SA payload. - * tiny check for proposal payload. - */ -struct prop_pair ** -get_proppair(sa, mode) - vchar_t *sa; - int mode; -{ - struct prop_pair **pair; - int num_p = 0; /* number of proposal for use */ - int tlen; - caddr_t bp; - int i; - struct ipsecdoi_sa_b *sab = (struct ipsecdoi_sa_b *)sa->v; - - plog(LLV_DEBUG, LOCATION, NULL, "total SA len=%d\n", sa->l); - plogdump(LLV_DEBUG, sa->v, sa->l); - - /* check SA payload size */ - if (sa->l < sizeof(*sab)) { - plog(LLV_ERROR, LOCATION, NULL, - "Invalid SA length = %d.\n", sa->l); - return NULL; - } - - /* check DOI */ - if (check_doi(ntohl(sab->doi)) < 0) - return NULL; - - /* check SITUATION */ - if (check_situation(ntohl(sab->sit)) < 0) - return NULL; - - pair = racoon_calloc(1, MAXPROPPAIRLEN * sizeof(*pair)); - if (pair == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer.\n"); - return NULL; - } - memset(pair, 0, sizeof(pair)); - - bp = (caddr_t)(sab + 1); - tlen = sa->l - sizeof(*sab); - - { - struct isakmp_pl_p *prop; - int proplen; - vchar_t *pbuf = NULL; - struct isakmp_parse_t *pa; - - pbuf = isakmp_parsewoh(ISAKMP_NPTYPE_P, (struct isakmp_gen *)bp, tlen); - if (pbuf == NULL) - return NULL; - - for (pa = (struct isakmp_parse_t *)pbuf->v; - pa->type != ISAKMP_NPTYPE_NONE; - pa++) { - /* check the value of next payload */ - if (pa->type != ISAKMP_NPTYPE_P) { - plog(LLV_ERROR, LOCATION, NULL, - "Invalid payload type=%u\n", pa->type); - vfree(pbuf); - return NULL; - } - - prop = (struct isakmp_pl_p *)pa->ptr; - proplen = pa->len; - - 
plog(LLV_DEBUG, LOCATION, NULL, - "proposal #%u len=%d\n", prop->p_no, proplen); - - if (proplen == 0) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid proposal with length %d\n", proplen); - vfree(pbuf); - return NULL; - } - - /* check Protocol ID */ - if (!check_protocol[mode]) { - plog(LLV_ERROR, LOCATION, NULL, - "unsupported mode %d\n", mode); - continue; - } - - if (check_protocol[mode](prop->proto_id) < 0) - continue; - - /* check SPI length when IKE. */ - if (check_spi_size(prop->proto_id, prop->spi_size) < 0) - continue; - - /* get transform */ - if (get_transform(prop, pair, &num_p) < 0) { - vfree(pbuf); - return NULL; - } - } - vfree(pbuf); - pbuf = NULL; - } - - { - int notrans, nprop; - struct prop_pair *p, *q; - - /* check for proposals with no transforms */ - for (i = 0; i < MAXPROPPAIRLEN; i++) { - if (!pair[i]) - continue; - - plog(LLV_DEBUG, LOCATION, NULL, "pair %d:\n", i); - print_proppair(LLV_DEBUG, pair[i]); - - notrans = nprop = 0; - for (p = pair[i]; p; p = p->next) { - if (p->trns == NULL) { - notrans++; - break; - } - for (q = p; q; q = q->tnext) - nprop++; - } - -#if 0 - /* - * XXX at this moment, we cannot accept proposal group - * with multiple proposals. this should be fixed. - */ - if (pair[i]->next) { - plog(LLV_WARNING, LOCATION, NULL, - "proposal #%u ignored " - "(multiple proposal not supported)\n", - pair[i]->prop->p_no); - notrans++; - } -#endif - - if (notrans) { - for (p = pair[i]; p; p = q) { - q = p->next; - racoon_free(p); - } - pair[i] = NULL; - num_p--; - } else { - plog(LLV_DEBUG, LOCATION, NULL, - "proposal #%u: %d transform\n", - pair[i]->prop->p_no, nprop); - } - } - } - - /* bark if no proposal is found. */ - if (num_p <= 0) { - plog(LLV_ERROR, LOCATION, NULL, - "no Proposal found.\n"); - return NULL; - } - - return pair; -} - -/* - * check transform payload. - * OUT: - * positive: return the pointer to the payload of valid transform. - * 0 : No valid transform found. 
- */ -static int -get_transform(prop, pair, num_p) - struct isakmp_pl_p *prop; - struct prop_pair **pair; - int *num_p; -{ - int tlen; /* total length of all transform in a proposal */ - caddr_t bp; - struct isakmp_pl_t *trns; - int trnslen; - vchar_t *pbuf = NULL; - struct isakmp_parse_t *pa; - struct prop_pair *p = NULL, *q; - int num_t; - - bp = (caddr_t)prop + sizeof(struct isakmp_pl_p) + prop->spi_size; - tlen = ntohs(prop->h.len) - - (sizeof(struct isakmp_pl_p) + prop->spi_size); - pbuf = isakmp_parsewoh(ISAKMP_NPTYPE_T, (struct isakmp_gen *)bp, tlen); - if (pbuf == NULL) - return -1; - - /* check and get transform for use */ - num_t = 0; - for (pa = (struct isakmp_parse_t *)pbuf->v; - pa->type != ISAKMP_NPTYPE_NONE; - pa++) { - - num_t++; - - /* check the value of next payload */ - if (pa->type != ISAKMP_NPTYPE_T) { - plog(LLV_ERROR, LOCATION, NULL, - "Invalid payload type=%u\n", pa->type); - break; - } - - trns = (struct isakmp_pl_t *)pa->ptr; - trnslen = pa->len; - - plog(LLV_DEBUG, LOCATION, NULL, - "transform #%u len=%u\n", trns->t_no, trnslen); - - /* check transform ID */ - if (prop->proto_id >= ARRAYLEN(check_transform)) { - plog(LLV_WARNING, LOCATION, NULL, - "unsupported proto_id %u\n", - prop->proto_id); - continue; - } - if (prop->proto_id >= ARRAYLEN(check_attributes)) { - plog(LLV_WARNING, LOCATION, NULL, - "unsupported proto_id %u\n", - prop->proto_id); - continue; - } - - if (!check_transform[prop->proto_id] - || !check_attributes[prop->proto_id]) { - plog(LLV_WARNING, LOCATION, NULL, - "unsupported proto_id %u\n", - prop->proto_id); - continue; - } - if (check_transform[prop->proto_id](trns->t_id) < 0) - continue; - - /* check data attributes */ - if (check_attributes[prop->proto_id](trns) != 0) - continue; - - p = racoon_calloc(1, sizeof(*p)); - if (p == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer.\n"); - vfree(pbuf); - return -1; - } - p->prop = prop; - p->trns = trns; - - /* need to preserve the order */ - for (q = 
pair[prop->p_no]; q && q->next; q = q->next) - ; - if (q && q->prop == p->prop) { - for (/*nothing*/; q && q->tnext; q = q->tnext) - ; - q->tnext = p; - } else { - if (q) - q->next = p; - else { - pair[prop->p_no] = p; - (*num_p)++; - } - } - } - - vfree(pbuf); - - return 0; -} - -/* - * make a new SA payload from prop_pair. - * NOTE: this function make spi value clear. - */ -vchar_t * -get_sabyproppair(pair, iph1) - struct prop_pair *pair; - struct ph1handle *iph1; -{ - vchar_t *newsa; - int newtlen; - u_int8_t *np_p = NULL; - struct prop_pair *p; - int prophlen, trnslen; - caddr_t bp; - - newtlen = sizeof(struct ipsecdoi_sa_b); - for (p = pair; p; p = p->next) { - newtlen += (sizeof(struct isakmp_pl_p) - + p->prop->spi_size - + ntohs(p->trns->h.len)); - } - - newsa = vmalloc(newtlen); - if (newsa == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "failed to get newsa.\n"); - return NULL; - } - bp = newsa->v; - - ((struct isakmp_gen *)bp)->len = htons(newtlen); - - /* update some of values in SA header */ - ((struct ipsecdoi_sa_b *)bp)->doi = htonl(iph1->rmconf->doitype); - ((struct ipsecdoi_sa_b *)bp)->sit = htonl(iph1->rmconf->sittype); - bp += sizeof(struct ipsecdoi_sa_b); - - /* create proposal payloads */ - for (p = pair; p; p = p->next) { - prophlen = sizeof(struct isakmp_pl_p) - + p->prop->spi_size; - trnslen = ntohs(p->trns->h.len); - - if (np_p) - *np_p = ISAKMP_NPTYPE_P; - - /* create proposal */ - - memcpy(bp, p->prop, prophlen); - ((struct isakmp_pl_p *)bp)->h.np = ISAKMP_NPTYPE_NONE; - ((struct isakmp_pl_p *)bp)->h.len = htons(prophlen + trnslen); - ((struct isakmp_pl_p *)bp)->num_t = 1; - np_p = &((struct isakmp_pl_p *)bp)->h.np; - memset(bp + sizeof(struct isakmp_pl_p), 0, p->prop->spi_size); - bp += prophlen; - - /* create transform */ - memcpy(bp, p->trns, trnslen); - ((struct isakmp_pl_t *)bp)->h.np = ISAKMP_NPTYPE_NONE; - ((struct isakmp_pl_t *)bp)->h.len = htons(trnslen); - bp += trnslen; - } - - return newsa; -} - -/* - * update responder's spi - */ 
-int -ipsecdoi_updatespi(iph2) - struct ph2handle *iph2; -{ - struct prop_pair **pair, *p; - struct saprop *pp; - struct saproto *pr; - int i; - int error = -1; - u_int8_t *spi; - - pair = get_proppair(iph2->sa_ret, IPSECDOI_TYPE_PH2); - if (pair == NULL) - return -1; - for (i = 0; i < MAXPROPPAIRLEN; i++) { - if (pair[i]) - break; - } - if (i == MAXPROPPAIRLEN || pair[i]->tnext) { - /* multiple transform must be filtered by selectph2proposal.*/ - goto end; - } - - pp = iph2->approval; - - /* create proposal payloads */ - for (p = pair[i]; p; p = p->next) { - /* - * find a proposal/transform with matching proto_id/t_id. - * we have analyzed validity already, in cmpsaprop_alloc(). - */ - for (pr = pp->head; pr; pr = pr->next) { - if (p->prop->proto_id == pr->proto_id && - p->trns->t_id == pr->head->trns_id) { - break; - } - } - if (!pr) - goto end; - - /* - * XXX SPI bits are left-filled, for use with IPComp. - * we should be switching to variable-length spi field... - */ - spi = (u_int8_t *)&pr->spi; - spi += sizeof(pr->spi); - spi -= pr->spisize; - memcpy((caddr_t)p->prop + sizeof(*p->prop), spi, pr->spisize); - } - - error = 0; -end: - free_proppair(pair); - return error; -} - -/* - * make a new SA payload from prop_pair. 
- */ -vchar_t * -get_sabysaprop(pp0, sa0) - struct saprop *pp0; - vchar_t *sa0; -{ - struct prop_pair **pair; - vchar_t *newsa; - int newtlen; - u_int8_t *np_p = NULL; - struct prop_pair *p = NULL; - struct saprop *pp; - struct saproto *pr; - struct satrns *tr; - int prophlen, trnslen; - caddr_t bp; - - /* get proposal pair */ - pair = get_proppair(sa0, IPSECDOI_TYPE_PH2); - if (pair == NULL) - return NULL; - - newtlen = sizeof(struct ipsecdoi_sa_b); - for (pp = pp0; pp; pp = pp->next) { - - if (pair[pp->prop_no] == NULL) - return NULL; - - for (pr = pp->head; pr; pr = pr->next) { - newtlen += (sizeof(struct isakmp_pl_p) - + pr->spisize); - - for (tr = pr->head; tr; tr = tr->next) { - for (p = pair[pp->prop_no]; p; p = p->tnext) { - if (tr->trns_no == p->trns->t_no) - break; - } - if (p == NULL) - return NULL; - - newtlen += ntohs(p->trns->h.len); - } - } - } - - newsa = vmalloc(newtlen); - if (newsa == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "failed to get newsa.\n"); - return NULL; - } - bp = newsa->v; - - /* some of values of SA must be updated in the out of this function */ - ((struct isakmp_gen *)bp)->len = htons(newtlen); - bp += sizeof(struct ipsecdoi_sa_b); - - /* create proposal payloads */ - for (pp = pp0; pp; pp = pp->next) { - - for (pr = pp->head; pr; pr = pr->next) { - prophlen = sizeof(struct isakmp_pl_p) - + p->prop->spi_size; - - for (tr = pr->head; tr; tr = tr->next) { - for (p = pair[pp->prop_no]; p; p = p->tnext) { - if (tr->trns_no == p->trns->t_no) - break; - } - if (p == NULL) - return NULL; - - trnslen = ntohs(p->trns->h.len); - - if (np_p) - *np_p = ISAKMP_NPTYPE_P; - - /* create proposal */ - - memcpy(bp, p->prop, prophlen); - ((struct isakmp_pl_p *)bp)->h.np = ISAKMP_NPTYPE_NONE; - ((struct isakmp_pl_p *)bp)->h.len = htons(prophlen + trnslen); - ((struct isakmp_pl_p *)bp)->num_t = 1; - np_p = &((struct isakmp_pl_p *)bp)->h.np; - bp += prophlen; - - /* create transform */ - memcpy(bp, p->trns, trnslen); - ((struct isakmp_pl_t *)bp)->h.np 
= ISAKMP_NPTYPE_NONE; - ((struct isakmp_pl_t *)bp)->h.len = htons(trnslen); - bp += trnslen; - } - } - } - - return newsa; -} - -/* - * If some error happens then return 0. Although 0 means that lifetime is zero, - * such a value should not be accepted. - * Also 0 of lifebyte should not be included in a packet although 0 means not - * to care of it. - */ -static u_int32_t -ipsecdoi_set_ld(buf) - vchar_t *buf; -{ - u_int32_t ld; - - if (buf == 0) - return 0; - - switch (buf->l) { - case 2: - ld = ntohs(*(u_int16_t *)buf->v); - break; - case 4: - ld = ntohl(*(u_int32_t *)buf->v); - break; - default: - plog(LLV_ERROR, LOCATION, NULL, - "length %d of life duration " - "isn't supported.\n", buf->l); - return 0; - } - - return ld; -} - -/*%%%*/ -/* - * check DOI - */ -static int -check_doi(doi) - u_int32_t doi; -{ - switch (doi) { - case IPSEC_DOI: - return 0; - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid value of DOI 0x%08x.\n", doi); - return -1; - } - /* NOT REACHED */ -} - -/* - * check situation - */ -static int -check_situation(sit) - u_int32_t sit; -{ - switch (sit) { - case IPSECDOI_SIT_IDENTITY_ONLY: - return 0; - - case IPSECDOI_SIT_SECRECY: - case IPSECDOI_SIT_INTEGRITY: - plog(LLV_ERROR, LOCATION, NULL, - "situation 0x%08x unsupported yet.\n", sit); - return -1; - - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid situation 0x%08x.\n", sit); - return -1; - } - /* NOT REACHED */ -} - -/* - * check protocol id in main mode - */ -static int -check_prot_main(proto_id) - int proto_id; -{ - switch (proto_id) { - case IPSECDOI_PROTO_ISAKMP: - return 0; - - default: - plog(LLV_ERROR, LOCATION, NULL, - "Illegal protocol id=%u.\n", proto_id); - return -1; - } - /* NOT REACHED */ -} - -/* - * check protocol id in quick mode - */ -static int -check_prot_quick(proto_id) - int proto_id; -{ - switch (proto_id) { - case IPSECDOI_PROTO_IPSEC_AH: - case IPSECDOI_PROTO_IPSEC_ESP: - return 0; - - case IPSECDOI_PROTO_IPCOMP: - return 0; - - default: - 
plog(LLV_ERROR, LOCATION, NULL, - "invalid protocol id %d.\n", proto_id); - return -1; - } - /* NOT REACHED */ -} - -static int -check_spi_size(proto_id, size) - int proto_id, size; -{ - switch (proto_id) { - case IPSECDOI_PROTO_ISAKMP: - if (size != 0) { - /* WARNING */ - plog(LLV_DEBUG, LOCATION, NULL, - "SPI size isn't zero, but IKE proposal.\n"); - } - return 0; - - case IPSECDOI_PROTO_IPSEC_AH: - case IPSECDOI_PROTO_IPSEC_ESP: - if (size != 4) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid SPI size=%d for IPSEC proposal.\n", - size); - return -1; - } - return 0; - - case IPSECDOI_PROTO_IPCOMP: - if (size != 2 && size != 4) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid SPI size=%d for IPCOMP proposal.\n", - size); - return -1; - } - return 0; - - default: - /* ??? */ - return -1; - } - /* NOT REACHED */ -} - -/* - * check transform ID in ISAKMP. - */ -static int -check_trns_isakmp(t_id) - int t_id; -{ - switch (t_id) { - case IPSECDOI_KEY_IKE: - return 0; - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid transform-id=%u in proto_id=%u.\n", - t_id, IPSECDOI_KEY_IKE); - return -1; - } - /* NOT REACHED */ -} - -/* - * check transform ID in AH. - */ -static int -check_trns_ah(t_id) - int t_id; -{ - switch (t_id) { - case IPSECDOI_AH_MD5: - case IPSECDOI_AH_SHA: - return 0; - case IPSECDOI_AH_DES: - plog(LLV_ERROR, LOCATION, NULL, - "not support transform-id=%u in AH.\n", t_id); - return -1; - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid transform-id=%u in AH.\n", t_id); - return -1; - } - /* NOT REACHED */ -} - -/* - * check transform ID in ESP. 
- */ -static int -check_trns_esp(t_id) - int t_id; -{ - switch (t_id) { - case IPSECDOI_ESP_DES: - case IPSECDOI_ESP_3DES: - case IPSECDOI_ESP_NULL: - case IPSECDOI_ESP_RC5: - case IPSECDOI_ESP_CAST: - case IPSECDOI_ESP_BLOWFISH: - case IPSECDOI_ESP_RIJNDAEL: - case IPSECDOI_ESP_TWOFISH: - return 0; - case IPSECDOI_ESP_DES_IV32: - case IPSECDOI_ESP_DES_IV64: - case IPSECDOI_ESP_IDEA: - case IPSECDOI_ESP_3IDEA: - case IPSECDOI_ESP_RC4: - plog(LLV_ERROR, LOCATION, NULL, - "not support transform-id=%u in ESP.\n", t_id); - return -1; - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid transform-id=%u in ESP.\n", t_id); - return -1; - } - /* NOT REACHED */ -} - -/* - * check transform ID in IPCOMP. - */ -static int -check_trns_ipcomp(t_id) - int t_id; -{ - switch (t_id) { - case IPSECDOI_IPCOMP_OUI: - case IPSECDOI_IPCOMP_DEFLATE: - case IPSECDOI_IPCOMP_LZS: - return 0; - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid transform-id=%u in IPCOMP.\n", t_id); - return -1; - } - /* NOT REACHED */ -} - -/* - * check data attributes in IKE. - */ -static int -check_attr_isakmp(trns) - struct isakmp_pl_t *trns; -{ - struct isakmp_data *d; - int tlen; - int flag, type; - u_int16_t lorv; - - tlen = ntohs(trns->h.len) - sizeof(struct isakmp_pl_t); - d = (struct isakmp_data *)((caddr_t)trns + sizeof(struct isakmp_pl_t)); - - while (tlen > 0) { - type = ntohs(d->type) & ~ISAKMP_GEN_MASK; - flag = ntohs(d->type) & ISAKMP_GEN_MASK; - lorv = ntohs(d->lorv); - - plog(LLV_DEBUG, LOCATION, NULL, - "type=%s, flag=0x%04x, lorv=%s\n", - s_oakley_attr(type), flag, - s_oakley_attr_v(type, lorv)); - - /* - * some of the attributes must be encoded in TV. - * see RFC2409 Appendix A "Attribute Classes". 
- */ - switch (type) { - case OAKLEY_ATTR_ENC_ALG: - case OAKLEY_ATTR_HASH_ALG: - case OAKLEY_ATTR_AUTH_METHOD: - case OAKLEY_ATTR_GRP_DESC: - case OAKLEY_ATTR_GRP_TYPE: - case OAKLEY_ATTR_SA_LD_TYPE: - case OAKLEY_ATTR_PRF: - case OAKLEY_ATTR_KEY_LEN: - case OAKLEY_ATTR_FIELD_SIZE: - if (!flag) { /* TLV*/ - plog(LLV_ERROR, LOCATION, NULL, - "oakley attribute %d must be TV.\n", - type); - return -1; - } - break; - } - - /* sanity check for TLV. length must be specified. */ - if (!flag && lorv == 0) { /*TLV*/ - plog(LLV_ERROR, LOCATION, NULL, - "invalid length %d for TLV attribute %d.\n", - lorv, type); - return -1; - } - - switch (type) { - case OAKLEY_ATTR_ENC_ALG: - if (!alg_oakley_encdef_ok(lorv)) { - plog(LLV_ERROR, LOCATION, NULL, - "invalied encryption algorithm=%d.\n", - lorv); - return -1; - } - break; - - case OAKLEY_ATTR_HASH_ALG: - if (!alg_oakley_hashdef_ok(lorv)) { - plog(LLV_ERROR, LOCATION, NULL, - "invalied hash algorithm=%d.\n", - lorv); - return -1; - } - break; - - case OAKLEY_ATTR_AUTH_METHOD: - switch (lorv) { - case OAKLEY_ATTR_AUTH_METHOD_PSKEY: - case OAKLEY_ATTR_AUTH_METHOD_RSASIG: - case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: - break; - case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: - case OAKLEY_ATTR_AUTH_METHOD_RSAENC: - case OAKLEY_ATTR_AUTH_METHOD_RSAREV: - plog(LLV_ERROR, LOCATION, NULL, - "auth method %d isn't supported.\n", - lorv); - return -1; - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid auth method %d.\n", - lorv); - return -1; - } - break; - - case OAKLEY_ATTR_GRP_DESC: - if (!alg_oakley_dhdef_ok(lorv)) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid DH group %d.\n", - lorv); - return -1; - } - break; - - case OAKLEY_ATTR_GRP_TYPE: - switch (lorv) { - case OAKLEY_ATTR_GRP_TYPE_MODP: - break; - default: - plog(LLV_ERROR, LOCATION, NULL, - "unsupported DH group type %d.\n", - lorv); - return -1; - } - break; - - case OAKLEY_ATTR_GRP_PI: - case OAKLEY_ATTR_GRP_GEN_ONE: - /* sanity checks? 
*/ - break; - - case OAKLEY_ATTR_GRP_GEN_TWO: - case OAKLEY_ATTR_GRP_CURVE_A: - case OAKLEY_ATTR_GRP_CURVE_B: - plog(LLV_ERROR, LOCATION, NULL, - "attr type=%u isn't supported.\n", type); - return -1; - - case OAKLEY_ATTR_SA_LD_TYPE: - switch (lorv) { - case OAKLEY_ATTR_SA_LD_TYPE_SEC: - case OAKLEY_ATTR_SA_LD_TYPE_KB: - break; - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid life type %d.\n", lorv); - return -1; - } - break; - - case OAKLEY_ATTR_SA_LD: - /* should check the value */ - break; - - case OAKLEY_ATTR_PRF: - case OAKLEY_ATTR_KEY_LEN: - break; - - case OAKLEY_ATTR_FIELD_SIZE: - plog(LLV_ERROR, LOCATION, NULL, - "attr type=%u isn't supported.\n", type); - return -1; - - case OAKLEY_ATTR_GRP_ORDER: - break; - - case OAKLEY_ATTR_GSS_ID: - break; - - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid attribute type %d.\n", type); - return -1; - } - - if (flag) { - tlen -= sizeof(*d); - d = (struct isakmp_data *)((char *)d - + sizeof(*d)); - } else { - tlen -= (sizeof(*d) + lorv); - d = (struct isakmp_data *)((char *)d - + sizeof(*d) + lorv); - } - } - - return 0; -} - -/* - * check data attributes in IPSEC AH/ESP. 
- */
-static int
-check_attr_ah(trns)
- struct isakmp_pl_t *trns;
-{
- return check_attr_ipsec(IPSECDOI_PROTO_IPSEC_AH, trns);
-}
-
-static int
-check_attr_esp(trns)
- struct isakmp_pl_t *trns;
-{
- return check_attr_ipsec(IPSECDOI_PROTO_IPSEC_ESP, trns);
-}
-
-static int
-check_attr_ipsec(proto_id, trns)
- int proto_id;
- struct isakmp_pl_t *trns;
-{
- struct isakmp_data *d;
- int tlen;
- int flag, type = 0;
- u_int16_t lorv;
- int attrseen[16]; /* XXX magic number */
-
- tlen = ntohs(trns->h.len) - sizeof(struct isakmp_pl_t);
- d = (struct isakmp_data *)((caddr_t)trns + sizeof(struct isakmp_pl_t));
- memset(attrseen, 0, sizeof(attrseen));
-
- while (tlen > 0) {
- type = ntohs(d->type) & ~ISAKMP_GEN_MASK;
- flag = ntohs(d->type) & ISAKMP_GEN_MASK;
- lorv = ntohs(d->lorv);
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "type=%s, flag=0x%04x, lorv=%s\n",
- s_ipsecdoi_attr(type), flag,
- s_ipsecdoi_attr_v(type, lorv));
-
- if (type < sizeof(attrseen)/sizeof(attrseen[0]))
- attrseen[type]++;
-
- switch (type) {
- case IPSECDOI_ATTR_ENC_MODE:
- if (! flag) {
- plog(LLV_ERROR, LOCATION, NULL,
- "must be TV when ENC_MODE.\n");
- return -1;
- }
-
- switch (lorv) {
- case IPSECDOI_ATTR_ENC_MODE_TUNNEL:
- case IPSECDOI_ATTR_ENC_MODE_TRNS:
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid encryption mode=%u.\n",
- lorv);
- return -1;
- }
- break;
-
- case IPSECDOI_ATTR_AUTH:
- if (!
flag) {
- plog(LLV_ERROR, LOCATION, NULL,
- "must be TV when AUTH.\n");
- return -1;
- }
-
- switch (lorv) {
- case IPSECDOI_ATTR_AUTH_HMAC_MD5:
- if (proto_id == IPSECDOI_PROTO_IPSEC_AH &&
- trns->t_id != IPSECDOI_AH_MD5) {
-ahmismatch:
- plog(LLV_ERROR, LOCATION, NULL,
- "auth algorithm %u conflicts "
- "with transform %u.\n",
- lorv, trns->t_id);
- return -1;
- }
- break;
- case IPSECDOI_ATTR_AUTH_HMAC_SHA1:
- if (proto_id == IPSECDOI_PROTO_IPSEC_AH) {
- if (trns->t_id != IPSECDOI_AH_SHA)
- goto ahmismatch;
- }
- break;
- case IPSECDOI_ATTR_AUTH_DES_MAC:
- case IPSECDOI_ATTR_AUTH_KPDK:
- plog(LLV_ERROR, LOCATION, NULL,
- "auth algorithm %u isn't supported.\n",
- lorv);
- return -1;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid auth algorithm=%u.\n",
- lorv);
- return -1;
- }
- break;
-
- case IPSECDOI_ATTR_SA_LD_TYPE:
- if (! flag) {
- plog(LLV_ERROR, LOCATION, NULL,
- "must be TV when LD_TYPE.\n");
- return -1;
- }
-
- switch (lorv) {
- case IPSECDOI_ATTR_SA_LD_TYPE_SEC:
- case IPSECDOI_ATTR_SA_LD_TYPE_KB:
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid life type %d.\n", lorv);
- return -1;
- }
- break;
-
- case IPSECDOI_ATTR_SA_LD:
- if (flag) {
- /* i.e. ISAKMP_GEN_TV */
- plog(LLV_DEBUG, LOCATION, NULL,
- "life duration was in TLV.\n");
- } else {
- /* i.e. ISAKMP_GEN_TLV */
- if (lorv == 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid length of LD\n");
- return -1;
- }
- }
- break;
-
- case IPSECDOI_ATTR_GRP_DESC:
- if (! flag) {
- plog(LLV_ERROR, LOCATION, NULL,
- "must be TV when GRP_DESC.\n");
- return -1;
- }
-
- if (!alg_oakley_dhdef_ok(lorv)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid group description=%u.\n",
- lorv);
- return -1;
- }
- break;
-
- case IPSECDOI_ATTR_KEY_LENGTH:
- if (!
flag) {
- plog(LLV_ERROR, LOCATION, NULL,
- "must be TV when KEY_LENGTH.\n");
- return -1;
- }
- break;
-
- case IPSECDOI_ATTR_KEY_ROUNDS:
- case IPSECDOI_ATTR_COMP_DICT_SIZE:
- case IPSECDOI_ATTR_COMP_PRIVALG:
- plog(LLV_ERROR, LOCATION, NULL,
- "attr type=%u isn't supported.\n", type);
- return -1;
-
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid attribute type %d.\n", type);
- return -1;
- }
-
- if (flag) {
- tlen -= sizeof(*d);
- d = (struct isakmp_data *)((char *)d
- + sizeof(*d));
- } else {
- tlen -= (sizeof(*d) + lorv);
- d = (struct isakmp_data *)((caddr_t)d
- + sizeof(*d) + lorv);
- }
- }
-
- if (proto_id == IPSECDOI_PROTO_IPSEC_AH &&
- !attrseen[IPSECDOI_ATTR_AUTH]) {
- plog(LLV_ERROR, LOCATION, NULL,
- "attr AUTH must be present for AH.\n", type);
- return -1;
- }
-
- if (proto_id == IPSECDOI_PROTO_IPSEC_ESP &&
- trns->t_id == IPSECDOI_ESP_NULL &&
- !attrseen[IPSECDOI_ATTR_AUTH]) {
- plog(LLV_ERROR, LOCATION, NULL,
- "attr AUTH must be present for ESP NULL encryption.\n");
- return -1;
- }
-
- return 0;
-}
-
-static int
-check_attr_ipcomp(trns)
- struct isakmp_pl_t *trns;
-{
- struct isakmp_data *d;
- int tlen;
- int flag, type = 0;
- u_int16_t lorv;
- int attrseen[16]; /* XXX magic number */
-
- tlen = ntohs(trns->h.len) - sizeof(struct isakmp_pl_t);
- d = (struct isakmp_data *)((caddr_t)trns + sizeof(struct isakmp_pl_t));
- memset(attrseen, 0, sizeof(attrseen));
-
- while (tlen > 0) {
- type = ntohs(d->type) & ~ISAKMP_GEN_MASK;
- flag = ntohs(d->type) & ISAKMP_GEN_MASK;
- lorv = ntohs(d->lorv);
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "type=%d, flag=0x%04x, lorv=0x%04x\n",
- type, flag, lorv);
-
- if (type < sizeof(attrseen)/sizeof(attrseen[0]))
- attrseen[type]++;
-
- switch (type) {
- case IPSECDOI_ATTR_ENC_MODE:
- if (!
flag) {
- plog(LLV_ERROR, LOCATION, NULL,
- "must be TV when ENC_MODE.\n");
- return -1;
- }
-
- switch (lorv) {
- case IPSECDOI_ATTR_ENC_MODE_TUNNEL:
- case IPSECDOI_ATTR_ENC_MODE_TRNS:
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid encryption mode=%u.\n",
- lorv);
- return -1;
- }
- break;
-
- case IPSECDOI_ATTR_SA_LD_TYPE:
- if (! flag) {
- plog(LLV_ERROR, LOCATION, NULL,
- "must be TV when LD_TYPE.\n");
- return -1;
- }
-
- switch (lorv) {
- case IPSECDOI_ATTR_SA_LD_TYPE_SEC:
- case IPSECDOI_ATTR_SA_LD_TYPE_KB:
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid life type %d.\n", lorv);
- return -1;
- }
- break;
-
- case IPSECDOI_ATTR_SA_LD:
- if (flag) {
- /* i.e. ISAKMP_GEN_TV */
- plog(LLV_DEBUG, LOCATION, NULL,
- "life duration was in TLV.\n");
- } else {
- /* i.e. ISAKMP_GEN_TLV */
- if (lorv == 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid length of LD\n");
- return -1;
- }
- }
- break;
-
- case IPSECDOI_ATTR_GRP_DESC:
- if (! flag) {
- plog(LLV_ERROR, LOCATION, NULL,
- "must be TV when GRP_DESC.\n");
- return -1;
- }
-
- if (!alg_oakley_dhdef_ok(lorv)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid group description=%u.\n",
- lorv);
- return -1;
- }
- break;
-
- case IPSECDOI_ATTR_AUTH:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid attr type=%u.\n", type);
- return -1;
-
- case IPSECDOI_ATTR_KEY_LENGTH:
- case IPSECDOI_ATTR_KEY_ROUNDS:
- case IPSECDOI_ATTR_COMP_DICT_SIZE:
- case IPSECDOI_ATTR_COMP_PRIVALG:
- plog(LLV_ERROR, LOCATION, NULL,
- "attr type=%u isn't supported.\n", type);
- return -1;
-
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid attribute type %d.\n", type);
- return -1;
- }
-
- if (flag) {
- tlen -= sizeof(*d);
- d = (struct isakmp_data *)((char *)d
- + sizeof(*d));
- } else {
- tlen -= (sizeof(*d) + lorv);
- d = (struct isakmp_data *)((caddr_t)d
- + sizeof(*d) + lorv);
- }
- }
-
-#if 0
- if (proto_id == IPSECDOI_PROTO_IPCOMP &&
- !attrseen[IPSECDOI_ATTR_AUTH]) {
- plog(LLV_ERROR, LOCATION, NULL,
- "attr AUTH must be present for AH.\n", type);
- return -1;
- }
-#endif
-
- return 0;
-}
-
-/* %%% */
-/*
- * create phase1 proposal from remote configuration.
- * NOT INCLUDING isakmp general header of SA payload
- */
-vchar_t *
-ipsecdoi_setph1proposal(props)
- struct isakmpsa *props;
-{
- vchar_t *mysa;
- int sablen;
-
- /* count total size of SA minus isakmp general header */
- /* not including isakmp general header of SA payload */
- sablen = sizeof(struct ipsecdoi_sa_b);
- sablen += setph1prop(props, NULL);
-
- mysa = vmalloc(sablen);
- if (mysa == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate my sa buffer\n");
- return NULL;
- }
-
- /* create SA payload */
- /* not including isakmp general header */
- ((struct ipsecdoi_sa_b *)mysa->v)->doi = htonl(props->rmconf->doitype);
- ((struct ipsecdoi_sa_b *)mysa->v)->sit = htonl(props->rmconf->sittype);
-
- (void)setph1prop(props, mysa->v + sizeof(struct ipsecdoi_sa_b));
-
- return mysa;
-}
-
-static int
-setph1prop(props, buf)
- struct isakmpsa *props;
- caddr_t buf;
-{
- struct isakmp_pl_p *prop = NULL;
- struct isakmpsa *s = NULL;
- int proplen, trnslen;
- u_int8_t *np_t; /* pointer next trns type in previous header */
- int trns_num;
- caddr_t p = buf;
-
- proplen = sizeof(*prop);
- if (buf) {
- /* create proposal */
- prop = (struct isakmp_pl_p *)p;
- prop->h.np = ISAKMP_NPTYPE_NONE;
- prop->p_no = props->prop_no;
- prop->proto_id = IPSECDOI_PROTO_ISAKMP;
- prop->spi_size = 0;
- p += sizeof(*prop);
- }
-
- np_t = NULL;
- trns_num = 0;
-
- for (s = props; s != NULL; s = s->next) {
- if (np_t)
- *np_t = ISAKMP_NPTYPE_T;
-
- trnslen = setph1trns(s, p);
- proplen += trnslen;
- if (buf) {
- /* save buffer to pre-next payload */
- np_t = &((struct isakmp_pl_t *)p)->h.np;
- p += trnslen;
-
- /* count up transform length */
- trns_num++;
- }
- }
-
- /* update proposal length */
- if (buf) {
- prop->h.len = htons(proplen);
- prop->num_t = trns_num;
- }
-
- return proplen;
-}
-
-static int
-setph1trns(sa, buf)
- struct isakmpsa *sa;
- caddr_t buf;
-{
- struct isakmp_pl_t *trns = NULL;
- int trnslen, attrlen;
- caddr_t p = buf;
-
- trnslen = sizeof(*trns);
- if (buf) {
- /* create transform */
- trns = (struct isakmp_pl_t *)p;
- trns->h.np = ISAKMP_NPTYPE_NONE;
- trns->t_no = sa->trns_no;
- trns->t_id = IPSECDOI_KEY_IKE;
- p += sizeof(*trns);
- }
-
- attrlen = setph1attr(sa, p);
- trnslen += attrlen;
- if (buf)
- p += attrlen;
-
- if (buf)
- trns->h.len = htons(trnslen);
-
- return trnslen;
-}
-
-static int
-setph1attr(sa, buf)
- struct isakmpsa *sa;
- caddr_t buf;
-{
- caddr_t p = buf;
- int attrlen = 0;
-
- if (sa->lifetime) {
- attrlen += sizeof(struct isakmp_data)
- + sizeof(struct isakmp_data);
- if (sa->lifetime > 0xffff)
- attrlen += sizeof(sa->lifetime);
- if (buf) {
- p = isakmp_set_attr_l(p, OAKLEY_ATTR_SA_LD_TYPE,
- OAKLEY_ATTR_SA_LD_TYPE_SEC);
- if (sa->lifetime > 0xffff) {
- u_int32_t v = htonl((u_int32_t)sa->lifetime);
- p = isakmp_set_attr_v(p, OAKLEY_ATTR_SA_LD,
- (caddr_t)&v, sizeof(v));
- } else {
- p = isakmp_set_attr_l(p, OAKLEY_ATTR_SA_LD,
- sa->lifetime);
- }
- }
- }
-
- if (sa->lifebyte) {
- attrlen += sizeof(struct isakmp_data)
- + sizeof(struct isakmp_data);
- if (sa->lifebyte > 0xffff)
- attrlen += sizeof(sa->lifebyte);
- if (buf) {
- p = isakmp_set_attr_l(p, OAKLEY_ATTR_SA_LD_TYPE,
- OAKLEY_ATTR_SA_LD_TYPE_KB);
- if (sa->lifebyte > 0xffff) {
- u_int32_t v = htonl((u_int32_t)sa->lifebyte);
- p = isakmp_set_attr_v(p, OAKLEY_ATTR_SA_LD,
- (caddr_t)&v, sizeof(v));
- } else {
- p = isakmp_set_attr_l(p, OAKLEY_ATTR_SA_LD,
- sa->lifebyte);
- }
- }
- }
-
- if (sa->enctype) {
- attrlen += sizeof(struct isakmp_data);
- if (buf)
- p = isakmp_set_attr_l(p, OAKLEY_ATTR_ENC_ALG, sa->enctype);
- }
- if (sa->encklen) {
- attrlen += sizeof(struct isakmp_data);
- if (buf)
- p = isakmp_set_attr_l(p, OAKLEY_ATTR_KEY_LEN, sa->encklen);
- }
- if (sa->authmethod) {
- attrlen += sizeof(struct isakmp_data);
- if (buf)
- p = isakmp_set_attr_l(p,
OAKLEY_ATTR_AUTH_METHOD, sa->authmethod);
- }
- if (sa->hashtype) {
- attrlen += sizeof(struct isakmp_data);
- if (buf)
- p = isakmp_set_attr_l(p, OAKLEY_ATTR_HASH_ALG, sa->hashtype);
- }
- switch (sa->dh_group) {
- case OAKLEY_ATTR_GRP_DESC_MODP768:
- case OAKLEY_ATTR_GRP_DESC_MODP1024:
- case OAKLEY_ATTR_GRP_DESC_MODP1536:
- case OAKLEY_ATTR_GRP_DESC_MODP2048:
- case OAKLEY_ATTR_GRP_DESC_MODP3072:
- case OAKLEY_ATTR_GRP_DESC_MODP4096:
- case OAKLEY_ATTR_GRP_DESC_MODP6144:
- case OAKLEY_ATTR_GRP_DESC_MODP8192:
- /* don't attach group type for known groups */
- attrlen += sizeof(struct isakmp_data);
- if (buf) {
- p = isakmp_set_attr_l(p, OAKLEY_ATTR_GRP_DESC,
- sa->dh_group);
- }
- break;
- case OAKLEY_ATTR_GRP_DESC_EC2N155:
- case OAKLEY_ATTR_GRP_DESC_EC2N185:
- /* don't attach group type for known groups */
- attrlen += sizeof(struct isakmp_data);
- if (buf) {
- p = isakmp_set_attr_l(p, OAKLEY_ATTR_GRP_TYPE,
- OAKLEY_ATTR_GRP_TYPE_EC2N);
- }
- break;
- case 0:
- default:
- break;
- }
-
-#ifdef HAVE_GSSAPI
- if (sa->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB &&
- sa->gssid != NULL) {
- attrlen += sizeof(struct isakmp_data);
- attrlen += sa->gssid->l;
- if (buf) {
- plog(LLV_DEBUG, LOCATION, NULL, "gss id attr: len %d, "
- "val '%s'\n", sa->gssid->l, sa->gssid->v);
- p = isakmp_set_attr_v(p, OAKLEY_ATTR_GSS_ID,
- (caddr_t)sa->gssid->v,
- sa->gssid->l);
- }
- }
-#endif
-
- return attrlen;
-}
-
-static vchar_t *
-setph2proposal0(iph2, pp, pr)
- const struct ph2handle *iph2;
- const struct saprop *pp;
- const struct saproto *pr;
-{
- vchar_t *p;
- struct isakmp_pl_p *prop;
- struct isakmp_pl_t *trns;
- struct satrns *tr;
- int attrlen;
- size_t trnsoff;
- caddr_t x0, x;
- u_int8_t *np_t; /* pointer next trns type in previous header */
- const u_int8_t *spi;
-
- p = vmalloc(sizeof(*prop) + sizeof(pr->spi));
- if (p == NULL)
- return NULL;
-
- /* create proposal */
- prop = (struct isakmp_pl_p *)p->v;
- prop->h.np = ISAKMP_NPTYPE_NONE;
- prop->p_no = pp->prop_no;
- prop->proto_id = pr->proto_id;
- prop->num_t = 1;
-
- spi = (const u_int8_t *)&pr->spi;
- switch (pr->proto_id) {
- case IPSECDOI_PROTO_IPCOMP:
- /*
- * draft-shacham-ippcp-rfc2393bis-05.txt:
- * construct 16bit SPI (CPI).
- * XXX we may need to provide a configuration option to
- * generate 32bit SPI. otherwise we cannot interoeprate
- * with nodes that uses 32bit SPI, in case we are initiator.
- */
- prop->spi_size = sizeof(u_int16_t);
- spi += sizeof(pr->spi) - sizeof(u_int16_t);
- p->l -= sizeof(pr->spi);
- p->l += sizeof(u_int16_t);
- break;
- default:
- prop->spi_size = sizeof(pr->spi);
- break;
- }
- memcpy(prop + 1, spi, prop->spi_size);
-
- /* create transform */
- trnsoff = sizeof(*prop) + prop->spi_size;
- np_t = NULL;
-
- for (tr = pr->head; tr; tr = tr->next) {
-
- switch (pr->proto_id) {
- case IPSECDOI_PROTO_IPSEC_ESP:
- /*
- * don't build a null encryption
- * with no authentication transform.
- */
- if (tr->trns_id == IPSECDOI_ESP_NULL &&
- tr->authtype == IPSECDOI_ATTR_AUTH_NONE)
- continue;
- break;
- }
-
- if (np_t) {
- *np_t = ISAKMP_NPTYPE_T;
- prop->num_t++;
- }
-
- /* get attribute length */
- attrlen = 0;
- if (pp->lifetime) {
- attrlen += sizeof(struct isakmp_data)
- + sizeof(struct isakmp_data);
- if (pp->lifetime > 0xffff)
- attrlen += sizeof(u_int32_t);
- }
- if (pp->lifebyte && pp->lifebyte != IPSECDOI_ATTR_SA_LD_KB_MAX) {
- attrlen += sizeof(struct isakmp_data)
- + sizeof(struct isakmp_data);
- if (pp->lifebyte > 0xffff)
- attrlen += sizeof(u_int32_t);
- }
- attrlen += sizeof(struct isakmp_data); /* enc mode */
- if (tr->encklen)
- attrlen += sizeof(struct isakmp_data);
-
- switch (pr->proto_id) {
- case IPSECDOI_PROTO_IPSEC_ESP:
- /* non authentication mode ?
*/
- if (tr->authtype != IPSECDOI_ATTR_AUTH_NONE)
- attrlen += sizeof(struct isakmp_data);
- break;
- case IPSECDOI_PROTO_IPSEC_AH:
- if (tr->authtype == IPSECDOI_ATTR_AUTH_NONE) {
- plog(LLV_ERROR, LOCATION, NULL,
- "no authentication algorithm found "
- "but protocol is AH.\n");
- vfree(p);
- return NULL;
- }
- attrlen += sizeof(struct isakmp_data);
- break;
- case IPSECDOI_PROTO_IPCOMP:
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid protocol: %d\n", pr->proto_id);
- vfree(p);
- return NULL;
- }
-
- if (alg_oakley_dhdef_ok(iph2->sainfo->pfs_group))
- attrlen += sizeof(struct isakmp_data);
-
- p = vrealloc(p, p->l + sizeof(*trns) + attrlen);
- if (p == NULL)
- return NULL;
- prop = (struct isakmp_pl_p *)p->v;
-
- /* set transform's values */
- trns = (struct isakmp_pl_t *)(p->v + trnsoff);
- trns->h.np = ISAKMP_NPTYPE_NONE;
- trns->t_no = tr->trns_no;
- trns->t_id = tr->trns_id;
-
- /* set attributes */
- x = x0 = p->v + trnsoff + sizeof(*trns);
-
- if (pp->lifetime) {
- x = isakmp_set_attr_l(x, IPSECDOI_ATTR_SA_LD_TYPE,
- IPSECDOI_ATTR_SA_LD_TYPE_SEC);
- if (pp->lifetime > 0xffff) {
- u_int32_t v = htonl((u_int32_t)pp->lifetime);
- x = isakmp_set_attr_v(x, IPSECDOI_ATTR_SA_LD,
- (caddr_t)&v, sizeof(v));
- } else {
- x = isakmp_set_attr_l(x, IPSECDOI_ATTR_SA_LD,
- pp->lifetime);
- }
- }
-
- if (pp->lifebyte && pp->lifebyte != IPSECDOI_ATTR_SA_LD_KB_MAX) {
- x = isakmp_set_attr_l(x, IPSECDOI_ATTR_SA_LD_TYPE,
- IPSECDOI_ATTR_SA_LD_TYPE_KB);
- if (pp->lifebyte > 0xffff) {
- u_int32_t v = htonl((u_int32_t)pp->lifebyte);
- x = isakmp_set_attr_v(x, IPSECDOI_ATTR_SA_LD,
- (caddr_t)&v, sizeof(v));
- } else {
- x = isakmp_set_attr_l(x, IPSECDOI_ATTR_SA_LD,
- pp->lifebyte);
- }
- }
-
- x = isakmp_set_attr_l(x, IPSECDOI_ATTR_ENC_MODE, pr->encmode);
-
- if (tr->encklen)
- x = isakmp_set_attr_l(x, IPSECDOI_ATTR_KEY_LENGTH, tr->encklen);
-
- /* mandatory check has done above.
*/
- if ((pr->proto_id == IPSECDOI_PROTO_IPSEC_ESP && tr->authtype != IPSECDOI_ATTR_AUTH_NONE)
- || pr->proto_id == IPSECDOI_PROTO_IPSEC_AH)
- x = isakmp_set_attr_l(x, IPSECDOI_ATTR_AUTH, tr->authtype);
-
- if (alg_oakley_dhdef_ok(iph2->sainfo->pfs_group))
- x = isakmp_set_attr_l(x, IPSECDOI_ATTR_GRP_DESC,
- iph2->sainfo->pfs_group);
-
- /* update length of this transform. */
- trns = (struct isakmp_pl_t *)(p->v + trnsoff);
- trns->h.len = htons(sizeof(*trns) + attrlen);
-
- /* save buffer to pre-next payload */
- np_t = &trns->h.np;
-
- trnsoff += (sizeof(*trns) + attrlen);
- }
-
- if (np_t == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "no suitable proposal was created.\n");
- return NULL;
- }
-
- /* update length of this protocol. */
- prop->h.len = htons(p->l);
-
- return p;
-}
-
-/*
- * create phase2 proposal from policy configuration.
- * NOT INCLUDING isakmp general header of SA payload.
- * This function is called by initiator only.
- */
-int
-ipsecdoi_setph2proposal(iph2)
- struct ph2handle *iph2;
-{
- struct saprop *proposal, *a;
- struct saproto *b = NULL;
- vchar_t *q;
- struct ipsecdoi_sa_b *sab;
- struct isakmp_pl_p *prop;
- size_t propoff; /* for previous field of type of next payload. */
-
- proposal = iph2->proposal;
-
- iph2->sa = vmalloc(sizeof(*sab));
- if (iph2->sa == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate my sa buffer\n");
- return -1;
- }
-
- /* create SA payload */
- sab = (struct ipsecdoi_sa_b *)iph2->sa->v;
- sab->doi = htonl(IPSEC_DOI);
- sab->sit = htonl(IPSECDOI_SIT_IDENTITY_ONLY); /* XXX configurable ?
*/
-
- prop = NULL;
- propoff = 0;
- for (a = proposal; a; a = a->next) {
- for (b = a->head; b; b = b->next) {
- q = setph2proposal0(iph2, a, b);
- if (q == NULL) {
- VPTRINIT(iph2->sa);
- return -1;
- }
-
- iph2->sa = vrealloc(iph2->sa, iph2->sa->l + q->l);
- if (iph2->sa == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate my sa buffer\n");
- if (q)
- vfree(q);
- return -1;
- }
- memcpy(iph2->sa->v + iph2->sa->l - q->l, q->v, q->l);
- if (propoff != 0) {
- prop = (struct isakmp_pl_p *)(iph2->sa->v +
- propoff);
- prop->h.np = ISAKMP_NPTYPE_P;
- }
- propoff = iph2->sa->l - q->l;
-
- vfree(q);
- }
- }
-
- return 0;
-}
-
-/*
- * return 1 if all of the given protocols are transport mode.
- */
-int
-ipsecdoi_transportmode(pp)
- struct saprop *pp;
-{
- struct saproto *pr = NULL;
-
- for (; pp; pp = pp->next) {
- for (pr = pp->head; pr; pr = pr->next) {
- if (pr->encmode != IPSECDOI_ATTR_ENC_MODE_TRNS)
- return 0;
- }
- }
-
- return 1;
-}
-
-int
-ipsecdoi_get_defaultlifetime()
-{
- return IPSECDOI_ATTR_SA_LD_SEC_DEFAULT;
-}
-
-int
-ipsecdoi_checkalgtypes(proto_id, enc, auth, comp)
- int proto_id, enc, auth, comp;
-{
-#define TMPALGTYPE2STR(n) s_algtype(algclass_ipsec_##n, n)
- switch (proto_id) {
- case IPSECDOI_PROTO_IPSEC_ESP:
- if (enc == 0 || comp != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "illegal algorithm defined "
- "ESP enc=%s auth=%s comp=%s.\n",
- TMPALGTYPE2STR(enc),
- TMPALGTYPE2STR(auth),
- TMPALGTYPE2STR(comp));
- return -1;
- }
- break;
- case IPSECDOI_PROTO_IPSEC_AH:
- if (enc != 0 || auth == 0 || comp != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "illegal algorithm defined "
- "AH enc=%s auth=%s comp=%s.\n",
- TMPALGTYPE2STR(enc),
- TMPALGTYPE2STR(auth),
- TMPALGTYPE2STR(comp));
- return -1;
- }
- break;
- case IPSECDOI_PROTO_IPCOMP:
- if (enc != 0 || auth != 0 || comp == 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "illegal algorithm defined "
- "IPcomp enc=%s auth=%s comp=%s.\n",
- TMPALGTYPE2STR(enc),
- TMPALGTYPE2STR(auth),
-
TMPALGTYPE2STR(comp));
- return -1;
- }
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid ipsec protocol %d\n", proto_id);
- return -1;
- }
-#undef TMPALGTYPE2STR
- return 0;
-}
-
-int
-ipproto2doi(proto)
- int proto;
-{
- switch (proto) {
- case IPPROTO_AH:
- return IPSECDOI_PROTO_IPSEC_AH;
- case IPPROTO_ESP:
- return IPSECDOI_PROTO_IPSEC_ESP;
- case IPPROTO_IPCOMP:
- return IPSECDOI_PROTO_IPCOMP;
- }
- return -1; /* XXX */
-}
-
-int
-doi2ipproto(proto)
- int proto;
-{
- switch (proto) {
- case IPSECDOI_PROTO_IPSEC_AH:
- return IPPROTO_AH;
- case IPSECDOI_PROTO_IPSEC_ESP:
- return IPPROTO_ESP;
- case IPSECDOI_PROTO_IPCOMP:
- return IPPROTO_IPCOMP;
- }
- return -1; /* XXX */
-}
-
-/*
- * check the following:
- * - In main mode with pre-shared key, only address type can be used.
- * - if proper type for phase 1 ?
- * - if phase 1 ID payload conformed RFC2407 4.6.2.
- * (proto, port) must be (0, 0), (udp, 500) or (udp, [specified]).
- * - if ID payload sent from peer is equal to the ID expected by me.
- *
- * both of "id" and "id_p" should be ID payload without general header,
- */
-int
-ipsecdoi_checkid1(iph1)
- struct ph1handle *iph1;
-{
- struct ipsecdoi_id_b *id_b;
- struct sockaddr *sa;
- caddr_t sa1, sa2;
-
- if (iph1->id_p == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid iph1 passed id_p == NULL\n");
- return ISAKMP_INTERNAL_ERROR;
- }
- if (iph1->id_p->l < sizeof(*id_b)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid value passed as \"ident\" (len=%lu)\n",
- (u_long)iph1->id_p->l);
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
- }
-
- id_b = (struct ipsecdoi_id_b *)iph1->id_p->v;
-
- /*
- * In main mode with pre-shared key, the address type is only allowed
- * in the Interop consensus. however Cisco PIX uses the FQDN type.
- */
- if (iph1->etype == ISAKMP_ETYPE_IDENT &&
- iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_PSKEY) {
- if (id_b->type != IPSECDOI_ID_IPV4_ADDR &&
- id_b->type != IPSECDOI_ID_IPV6_ADDR &&
- id_b->type != IPSECDOI_ID_FQDN) {
- plog(LLV_ERROR, LOCATION, NULL,
- "%s is not expected type in main mode.\n",
- s_ipsecdoi_ident(id_b->type));
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
- }
- }
-
- /* if proper type for phase 1 ? */
- switch (id_b->type) {
- case IPSECDOI_ID_IPV4_ADDR_SUBNET:
- case IPSECDOI_ID_IPV6_ADDR_SUBNET:
- case IPSECDOI_ID_IPV4_ADDR_RANGE:
- case IPSECDOI_ID_IPV6_ADDR_RANGE:
- plog(LLV_WARNING, LOCATION, NULL,
- "such ID type %s is not proper.\n",
- s_ipsecdoi_ident(id_b->type));
- /*FALLTHROUGH*/
- }
-
- /* if phase 1 ID payload conformed RFC2407 4.6.2. */
- if (id_b->type == IPSECDOI_ID_IPV4_ADDR &&
- id_b->type == IPSECDOI_ID_IPV6_ADDR) {
-
- if (id_b->proto_id == 0 && ntohs(id_b->port) != 0) {
- plog(LLV_WARNING, LOCATION, NULL,
- "protocol ID and Port mismatched. "
- "proto_id:%d port:%d\n",
- id_b->proto_id, ntohs(id_b->port));
- /*FALLTHROUGH*/
-
- } else if (id_b->proto_id == IPPROTO_UDP) {
- /*
- * copmaring with expecting port.
- * always permit if port is equal to PORT_ISAKMP
- */
- if (ntohs(id_b->port) != PORT_ISAKMP) {
-
- u_int16_t port;
-
- switch (iph1->remote->sa_family) {
- case AF_INET:
- port = ((struct sockaddr_in *)iph1->remote)->sin_port;
- break;
-#ifdef INET6
- case AF_INET6:
- port = ((struct sockaddr_in6 *)iph1->remote)->sin6_port;
- break;
-#endif
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid family: %d\n",
- iph1->remote->sa_family);
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
- }
- if (ntohs(id_b->port) != port) {
- plog(LLV_WARNING, LOCATION, NULL,
- "port %d expected, but %d\n",
- port, ntohs(id_b->port));
- /*FALLTHROUGH*/
- }
- }
- }
- }
-
- /* compare with the ID if specified.
*/
- if (iph1->rmconf->idv_p) {
- vchar_t *ident0 = NULL;
- vchar_t ident;
-
- /* check the type of both IDs */
- if (iph1->rmconf->idvtype_p != doi2idtype(id_b->type)) {
- plog(LLV_WARNING, LOCATION, NULL,
- "ID type mismatched.\n");
- if (iph1->rmconf->verify_identifier)
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
- }
-
- /* compare defined ID with the ID sent by peer. */
- ident0 = getidval(iph1->rmconf->idvtype_p, iph1->rmconf->idv_p);
-
- switch (iph1->rmconf->idvtype_p) {
- case IDTYPE_ASN1DN:
- ident.v = (caddr_t)(id_b + 1);
- ident.l = ident0->l;
- if (eay_cmp_asn1dn(ident0, &ident)) {
- err:
- plog(LLV_WARNING, LOCATION, NULL,
- "ID value mismatched.\n");
- if (iph1->rmconf->verify_identifier)
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
- }
- break;
- case IDTYPE_ADDRESS:
- sa = (struct sockaddr *)ident0->v;
- sa2 = (caddr_t)(id_b + 1);
- switch (sa->sa_family) {
- case AF_INET:
- if (iph1->id_p->l - sizeof(*id_b) != sizeof(struct in_addr))
- goto err;
-
- sa1 = (caddr_t)&((struct sockaddr_in *)sa)->sin_addr;
- if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
- goto err;
- break;
-#ifdef INET6
- case AF_INET6:
- if (iph1->id_p->l - sizeof(*id_b) != sizeof(struct in6_addr))
- goto err;
- sa1 = (caddr_t)&((struct sockaddr_in6 *)sa)->sin6_addr;
- if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
- goto err;
- break;
-#endif
- default:
- goto err;
- }
- break;
- default:
- if (memcmp(ident0->v, id_b + 1, ident0->l)) {
- plog(LLV_WARNING, LOCATION, NULL,
- "ID value mismatched.\n");
- if (iph1->rmconf->verify_identifier)
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
- }
- break;
- }
- vfree(ident0);
- }
-
- return 0;
-}
-
-/*
- * create ID payload for phase 1 and set into iph1->id.
- * NOT INCLUDING isakmp general header.
- * see, RFC2407 4.6.2.1
- */
-int
-ipsecdoi_setid1(iph1)
- struct ph1handle *iph1;
-{
- vchar_t *ret = NULL;
- struct ipsecdoi_id_b id_b;
- vchar_t *ident = NULL;
- struct sockaddr *ipid = NULL;
-
- /* init */
- id_b.proto_id = 0;
- id_b.port = 0;
- ident = NULL;
-
- switch (iph1->rmconf->idvtype) {
- case IDTYPE_FQDN:
- id_b.type = IPSECDOI_ID_FQDN;
- ident = getidval(iph1->rmconf->idvtype, iph1->rmconf->idv);
- break;
- case IDTYPE_USERFQDN:
- id_b.type = IPSECDOI_ID_USER_FQDN;
- ident = getidval(iph1->rmconf->idvtype, iph1->rmconf->idv);
- break;
- case IDTYPE_KEYID:
- id_b.type = IPSECDOI_ID_KEY_ID;
- ident = getidval(iph1->rmconf->idvtype, iph1->rmconf->idv);
- break;
-#ifdef HAVE_SIGNING_C
- case IDTYPE_ASN1DN:
- id_b.type = IPSECDOI_ID_DER_ASN1_DN;
- if (iph1->rmconf->idv) {
- /* XXX it must be encoded to asn1dn. */
- ident = vdup(iph1->rmconf->idv);
- } else {
- if (oakley_getmycert(iph1) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get own CERT.\n");
- goto err;
- }
- ident = eay_get_x509asn1subjectname(&iph1->cert->cert);
- }
- break;
-#endif
- case IDTYPE_ADDRESS:
- /*
- * if the value of the id type was set by the configuration
- * file, then use it. otherwise the value is get from local
- * ip address by using ike negotiation.
- */
- if (iph1->rmconf->idv)
- ipid = (struct sockaddr *)iph1->rmconf->idv->v;
- /*FALLTHROUGH*/
- default:
- {
- int l;
- caddr_t p;
-
- if (ipid == NULL)
- ipid = iph1->local;
-
- /* use IP address */
- switch (ipid->sa_family) {
- case AF_INET:
- id_b.type = IPSECDOI_ID_IPV4_ADDR;
- l = sizeof(struct in_addr);
- p = (caddr_t)&((struct sockaddr_in *)ipid)->sin_addr;
- break;
-#ifdef INET6
- case AF_INET6:
- id_b.type = IPSECDOI_ID_IPV6_ADDR;
- l = sizeof(struct in6_addr);
- p = (caddr_t)&((struct sockaddr_in6 *)ipid)->sin6_addr;
- break;
-#endif
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid address family.\n");
- goto err;
- }
- id_b.proto_id = IPPROTO_UDP;
- id_b.port = htons(PORT_ISAKMP);
- ident = vmalloc(l);
- if (!ident) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get ID buffer.\n");
- return 0;
- }
- memcpy(ident->v, p, ident->l);
- }
- }
- if (!ident) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get ID buffer.\n");
- return 0;
- }
-
- ret = vmalloc(sizeof(id_b) + ident->l);
- if (ret == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get ID buffer.\n");
- goto err;
- }
-
- memcpy(ret->v, &id_b, sizeof(id_b));
- memcpy(ret->v + sizeof(id_b), ident->v, ident->l);
-
- iph1->id = ret;
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "use ID type of %s\n", s_ipsecdoi_ident(id_b.type));
- if (ident)
- vfree(ident);
- return 0;
-
-err:
- if (ident)
- vfree(ident);
- plog(LLV_ERROR, LOCATION, NULL, "failed get my ID\n");
- return -1;
-}
-
-static vchar_t *
-getidval(type, val)
- int type;
- vchar_t *val;
-{
- vchar_t *new = NULL;
-
- if (val)
- new = vdup(val);
- else if (lcconf->ident[type])
- new = vdup(lcconf->ident[type]);
-
- return new;
-}
-
-/* it's only called by cfparse.y. */
-int
-set_identifier(vpp, type, value)
- vchar_t **vpp, *value;
- int type;
-{
- vchar_t *new = NULL;
-
- /* simply return if value is null.
*/
- if (!value)
- return 0;
-
- switch (type) {
- case IDTYPE_FQDN:
- case IDTYPE_USERFQDN:
- /* length is adjusted since QUOTEDSTRING teminates NULL. */
- new = vmalloc(value->l - 1);
- if (new == NULL)
- return -1;
- memcpy(new->v, value->v, new->l);
- break;
- case IDTYPE_KEYID:
- {
- FILE *fp;
- char b[512];
- int tlen, len;
-
- fp = fopen(value->v, "r");
- if (fp == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "can not open %s\n", value->v);
- return -1;
- }
- tlen = 0;
- while ((len = fread(b, 1, sizeof(b), fp)) != 0) {
- new = vrealloc(new, tlen + len);
- if (!new) {
- fclose(fp);
- return -1;
- }
- memcpy(new->v + tlen, b, len);
- tlen += len;
- }
- break;
- }
- case IDTYPE_ADDRESS:
- {
- struct sockaddr *sa;
-
- /* length is adjusted since QUOTEDSTRING teminates NULL. */
- if (value->l == 0)
- break;
-
- sa = str2saddr(value->v, NULL);
- if (sa == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid ip address %s\n", value->v);
- return -1;
- }
-
- new = vmalloc(sa->sa_len);
- if (new == NULL)
- return -1;
- memcpy(new->v, sa, new->l);
- break;
- }
- case IDTYPE_ASN1DN:
- new = eay_str2asn1dn(value->v, value->l - 1);
- if (new == NULL)
- return -1;
- break;
- }
-
- *vpp = new;
-
- return 0;
-}
-
-/*
- * create ID payload for phase 2, and set into iph2->id and id_p. There are
- * NOT INCLUDING isakmp general header.
- * this function is for initiator. responder will get to copy from payload.
- * responder ID type is always address type.
- * see, RFC2407 4.6.2.1
- */
-int
-ipsecdoi_setid2(iph2)
- struct ph2handle *iph2;
-{
- struct secpolicy *sp;
-
- /* check there is phase 2 handler ?
*/
- sp = getspbyspid(iph2->spid);
- if (sp == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "no policy found for spid:%lu.\n", iph2->spid);
- return -1;
- }
-
- iph2->id = ipsecdoi_sockaddr2id((struct sockaddr *)&sp->spidx.src,
- sp->spidx.prefs, sp->spidx.ul_proto);
- if (iph2->id == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get ID for %s\n",
- spidx2str(&sp->spidx));
- return -1;
- }
- plog(LLV_DEBUG, LOCATION, NULL, "use local ID type %s\n",
- s_ipsecdoi_ident(((struct ipsecdoi_id_b *)iph2->id->v)->type));
-
- /* remote side */
- iph2->id_p = ipsecdoi_sockaddr2id((struct sockaddr *)&sp->spidx.dst,
- sp->spidx.prefd, sp->spidx.ul_proto);
- if (iph2->id_p == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get ID for %s\n",
- spidx2str(&sp->spidx));
- VPTRINIT(iph2->id);
- return -1;
- }
- plog(LLV_DEBUG, LOCATION, NULL,
- "use remote ID type %s\n",
- s_ipsecdoi_ident(((struct ipsecdoi_id_b *)iph2->id_p->v)->type));
-
- return 0;
-}
-
-/*
- * set address type of ID.
- * NOT INCLUDING general header.
- */
-vchar_t *
-ipsecdoi_sockaddr2id(saddr, prefixlen, ul_proto)
- struct sockaddr *saddr;
- u_int prefixlen;
- u_int ul_proto;
-{
- vchar_t *new;
- int type, len1, len2;
- caddr_t sa;
- u_short port;
-
- /*
- * Q. When type is SUBNET, is it allowed to be ::1/128.
- * A. Yes.
(consensus at bake-off)
- */
- switch (saddr->sa_family) {
- case AF_INET:
- len1 = sizeof(struct in_addr);
- if (prefixlen == (sizeof(struct in_addr) << 3)) {
- type = IPSECDOI_ID_IPV4_ADDR;
- len2 = 0;
- } else {
- type = IPSECDOI_ID_IPV4_ADDR_SUBNET;
- len2 = sizeof(struct in_addr);
- }
- sa = (caddr_t)&((struct sockaddr_in *)(saddr))->sin_addr;
- port = ((struct sockaddr_in *)(saddr))->sin_port;
- break;
-#ifdef INET6
- case AF_INET6:
- len1 = sizeof(struct in6_addr);
- if (prefixlen == (sizeof(struct in6_addr) << 3)) {
- type = IPSECDOI_ID_IPV6_ADDR;
- len2 = 0;
- } else {
- type = IPSECDOI_ID_IPV6_ADDR_SUBNET;
- len2 = sizeof(struct in6_addr);
- }
- sa = (caddr_t)&((struct sockaddr_in6 *)(saddr))->sin6_addr;
- port = ((struct sockaddr_in6 *)(saddr))->sin6_port;
- break;
-#endif
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid family: %d.\n", saddr->sa_family);
- return NULL;
- }
-
- /* get ID buffer */
- new = vmalloc(sizeof(struct ipsecdoi_id_b) + len1 + len2);
- if (new == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get ID buffer.\n");
- return NULL;
- }
-
- memset(new->v, 0, new->l);
-
- /* set the part of header. */
- ((struct ipsecdoi_id_b *)new->v)->type = type;
-
- /* set ul_proto and port */
- /*
- * NOTE: we use both IPSEC_ULPROTO_ANY and IPSEC_PORT_ANY as wild card
- * because 0 means port number of 0. Instead of 0, we use IPSEC_*_ANY.
- */
- ((struct ipsecdoi_id_b *)new->v)->proto_id =
- ul_proto == IPSEC_ULPROTO_ANY ? 0 : ul_proto;
- ((struct ipsecdoi_id_b *)new->v)->port =
- port == IPSEC_PORT_ANY ? 0 : port;
- memcpy(new->v + sizeof(struct ipsecdoi_id_b), sa, len1);
-
- /* set address */
-
- /* set prefix */
- if (len2) {
- u_char *p = new->v + sizeof(struct ipsecdoi_id_b) + len1;
- u_int bits = prefixlen;
-
- while (bits >= 8) {
- *p++ = 0xff;
- bits -= 8;
- }
-
- if (bits > 0)
- *p = ~((1 << (8 - bits)) - 1);
- }
-
- return new;
-}
-
-/*
- * create sockaddr structure from ID payload (buf).
- * buffers (saddr, prefixlen, ul_proto) must be allocated. - * see, RFC2407 4.6.2.1 - */ -int -ipsecdoi_id2sockaddr(buf, saddr, prefixlen, ul_proto) - vchar_t *buf; - struct sockaddr *saddr; - u_int8_t *prefixlen; - u_int16_t *ul_proto; -{ - struct ipsecdoi_id_b *id_b = (struct ipsecdoi_id_b *)buf->v; - u_int plen = 0; - - /* - * When a ID payload of subnet type with a IP address of full bit - * masked, it has to be processed as host address. - * e.g. below 2 type are same. - * type = ipv6 subnet, data = 2001::1/128 - * type = ipv6 address, data = 2001::1 - */ - switch (id_b->type) { - case IPSECDOI_ID_IPV4_ADDR: - case IPSECDOI_ID_IPV4_ADDR_SUBNET: - saddr->sa_len = sizeof(struct sockaddr_in); - saddr->sa_family = AF_INET; - ((struct sockaddr_in *)saddr)->sin_port = - (id_b->port == 0 - ? IPSEC_PORT_ANY - : id_b->port); /* see sockaddr2id() */ - memcpy(&((struct sockaddr_in *)saddr)->sin_addr, - buf->v + sizeof(*id_b), sizeof(struct in_addr)); - break; -#ifdef INET6 - case IPSECDOI_ID_IPV6_ADDR: - case IPSECDOI_ID_IPV6_ADDR_SUBNET: - saddr->sa_len = sizeof(struct sockaddr_in6); - saddr->sa_family = AF_INET6; - ((struct sockaddr_in6 *)saddr)->sin6_port = - (id_b->port == 0 - ? 
IPSEC_PORT_ANY - : id_b->port); /* see sockaddr2id() */ - memcpy(&((struct sockaddr_in6 *)saddr)->sin6_addr, - buf->v + sizeof(*id_b), sizeof(struct in6_addr)); - break; -#endif - default: - plog(LLV_ERROR, LOCATION, NULL, - "unsupported ID type %d\n", id_b->type); - return ISAKMP_NTYPE_INVALID_ID_INFORMATION; - } - - /* get prefix length */ - switch (id_b->type) { - case IPSECDOI_ID_IPV4_ADDR: - plen = sizeof(struct in_addr) << 3; - break; -#ifdef INET6 - case IPSECDOI_ID_IPV6_ADDR: - plen = sizeof(struct in6_addr) << 3; - break; -#endif - case IPSECDOI_ID_IPV4_ADDR_SUBNET: -#ifdef INET6 - case IPSECDOI_ID_IPV6_ADDR_SUBNET: -#endif - { - u_char *p; - u_int max; - int alen = sizeof(struct in_addr); - - switch (id_b->type) { - case IPSECDOI_ID_IPV4_ADDR_SUBNET: - alen = sizeof(struct in_addr); - break; -#ifdef INET6 - case IPSECDOI_ID_IPV6_ADDR_SUBNET: - alen = sizeof(struct in6_addr); - break; -#endif - } - - /* sanity check */ - if (buf->l < alen) - return ISAKMP_INTERNAL_ERROR; - - /* get subnet mask length */ - plen = 0; - max = alen <<3; - - p = buf->v - + sizeof(struct ipsecdoi_id_b) - + alen; - - for (; *p == 0xff; p++) { - if (plen >= max) - break; - plen += 8; - } - - if (plen < max) { - u_int l = 0; - u_char b = ~(*p); - - while (b) { - b >>= 1; - l++; - } - - l = 8 - l; - plen += l; - } - } - break; - } - - *prefixlen = plen; - *ul_proto = id_b->proto_id == 0 - ? IPSEC_ULPROTO_ANY - : id_b->proto_id; /* see sockaddr2id() */ - - return 0; -} - -/* - * make printable string from ID payload except of general header. - */ -const char * -ipsecdoi_id2str(id) - const vchar_t *id; -{ - static char buf[256]; - - /* XXX */ - buf[0] = '\0'; - - return buf; -} - -/* - * set IPsec data attributes into a proposal. - * NOTE: MUST called per a transform. 
- */ -int -ipsecdoi_t2satrns(t, pp, pr, tr) - struct isakmp_pl_t *t; - struct saprop *pp; - struct saproto *pr; - struct satrns *tr; -{ - struct isakmp_data *d, *prev; - int flag, type; - int error = -1; - int life_t; - int tlen; - - tr->trns_no = t->t_no; - tr->trns_id = t->t_id; - - tlen = ntohs(t->h.len) - sizeof(*t); - prev = (struct isakmp_data *)NULL; - d = (struct isakmp_data *)(t + 1); - - /* default */ - life_t = IPSECDOI_ATTR_SA_LD_TYPE_DEFAULT; - pp->lifetime = IPSECDOI_ATTR_SA_LD_SEC_DEFAULT; - pp->lifebyte = 0; - tr->authtype = IPSECDOI_ATTR_AUTH_NONE; - - while (tlen > 0) { - - type = ntohs(d->type) & ~ISAKMP_GEN_MASK; - flag = ntohs(d->type) & ISAKMP_GEN_MASK; - - plog(LLV_DEBUG, LOCATION, NULL, - "type=%s, flag=0x%04x, lorv=%s\n", - s_ipsecdoi_attr(type), flag, - s_ipsecdoi_attr_v(type, ntohs(d->lorv))); - - switch (type) { - case IPSECDOI_ATTR_SA_LD_TYPE: - { - int type = ntohs(d->lorv); - switch (type) { - case IPSECDOI_ATTR_SA_LD_TYPE_SEC: - case IPSECDOI_ATTR_SA_LD_TYPE_KB: - life_t = type; - break; - default: - plog(LLV_WARNING, LOCATION, NULL, - "invalid life duration type. " - "use default\n"); - life_t = IPSECDOI_ATTR_SA_LD_TYPE_DEFAULT; - break; - } - break; - } - case IPSECDOI_ATTR_SA_LD: - if (prev == NULL - || (ntohs(prev->type) & ~ISAKMP_GEN_MASK) != - IPSECDOI_ATTR_SA_LD_TYPE) { - plog(LLV_ERROR, LOCATION, NULL, - "life duration must follow ltype\n"); - break; - } - - { - u_int32_t t; - vchar_t *ld_buf = NULL; - - if (flag) { - /* i.e. ISAKMP_GEN_TV */ - ld_buf = vmalloc(sizeof(d->lorv)); - if (ld_buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get LD buffer.\n"); - goto end; - } - memcpy(ld_buf->v, &d->lorv, sizeof(d->lorv)); - } else { - int len = ntohs(d->lorv); - /* i.e. 
ISAKMP_GEN_TLV */ - ld_buf = vmalloc(len); - if (ld_buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get LD buffer.\n"); - goto end; - } - memcpy(ld_buf->v, d + 1, len); - } - switch (life_t) { - case IPSECDOI_ATTR_SA_LD_TYPE_SEC: - t = ipsecdoi_set_ld(ld_buf); - vfree(ld_buf); - if (t == 0) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid life duration.\n"); - goto end; - } - /* lifetime must be equal in a proposal. */ - if (pp->lifetime == IPSECDOI_ATTR_SA_LD_SEC_DEFAULT) - pp->lifetime = t; - else if (pp->lifetime != t) { - plog(LLV_ERROR, LOCATION, NULL, - "lifetime mismatched " - "in a proposal, " - "prev:%ld curr:%ld.\n", - pp->lifetime, t); - goto end; - } - break; - case IPSECDOI_ATTR_SA_LD_TYPE_KB: - t = ipsecdoi_set_ld(ld_buf); - vfree(ld_buf); - if (t == 0) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid life duration.\n"); - goto end; - } - /* lifebyte must be equal in a proposal. */ - if (pp->lifebyte == 0) - pp->lifebyte = t; - else if (pp->lifebyte != t) { - plog(LLV_ERROR, LOCATION, NULL, - "lifebyte mismatched " - "in a proposal, " - "prev:%ld curr:%ld.\n", - pp->lifebyte, t); - goto end; - } - break; - default: - vfree(ld_buf); - plog(LLV_ERROR, LOCATION, NULL, - "invalid life type: %d\n", life_t); - goto end; - } - } - break; - - case IPSECDOI_ATTR_GRP_DESC: - /* - * RFC2407: 4.5 IPSEC Security Association Attributes - * Specifies the Oakley Group to be used in a PFS QM - * negotiation. For a list of supported values, see - * Appendix A of [IKE]. 
- */ - if (pp->pfs_group == 0) - pp->pfs_group = (u_int16_t)ntohs(d->lorv); - else if (pp->pfs_group != (u_int16_t)ntohs(d->lorv)) { - plog(LLV_ERROR, LOCATION, NULL, - "pfs_group mismatched " - "in a proposal.\n"); - goto end; - } - break; - - case IPSECDOI_ATTR_ENC_MODE: - if (pr->encmode && - pr->encmode != (u_int16_t)ntohs(d->lorv)) { - plog(LLV_ERROR, LOCATION, NULL, - "multiple encmode exist " - "in a transform.\n"); - goto end; - } - pr->encmode = (u_int16_t)ntohs(d->lorv); - break; - - case IPSECDOI_ATTR_AUTH: - if (tr->authtype != IPSECDOI_ATTR_AUTH_NONE) { - plog(LLV_ERROR, LOCATION, NULL, - "multiple authtype exist " - "in a transform.\n"); - goto end; - } - tr->authtype = (u_int16_t)ntohs(d->lorv); - break; - - case IPSECDOI_ATTR_KEY_LENGTH: - if (pr->proto_id != IPSECDOI_PROTO_IPSEC_ESP) { - plog(LLV_ERROR, LOCATION, NULL, - "key length defined but not ESP"); - goto end; - } - tr->encklen = ntohs(d->lorv); - break; - - case IPSECDOI_ATTR_KEY_ROUNDS: - case IPSECDOI_ATTR_COMP_DICT_SIZE: - case IPSECDOI_ATTR_COMP_PRIVALG: - default: - break; - } - - prev = d; - if (flag) { - tlen -= sizeof(*d); - d = (struct isakmp_data *)((char *)d + sizeof(*d)); - } else { - tlen -= (sizeof(*d) + ntohs(d->lorv)); - d = (struct isakmp_data *)((caddr_t)d + sizeof(*d) + ntohs(d->lorv)); - } - } - - error = 0; -end: - return error; -} - -int -ipsecdoi_authalg2trnsid(alg) - int alg; -{ - switch (alg) { - case IPSECDOI_ATTR_AUTH_HMAC_MD5: - return IPSECDOI_AH_MD5; - case IPSECDOI_ATTR_AUTH_HMAC_SHA1: - return IPSECDOI_AH_SHA; - case IPSECDOI_ATTR_AUTH_DES_MAC: - return IPSECDOI_AH_DES; - case IPSECDOI_ATTR_AUTH_KPDK: - return IPSECDOI_AH_MD5; /* XXX */ - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid authentication algorithm:%d\n", alg); - } - return -1; -} - -#ifdef HAVE_GSSAPI -struct isakmpsa * -fixup_initiator_sa(match, received) - struct isakmpsa *match, *received; -{ - struct isakmpsa *newsa; - - if (received->gssid == NULL) - return match; - - newsa = 
newisakmpsa(); - memcpy(newsa, match, sizeof *newsa); - - if (match->dhgrp != NULL) { - newsa->dhgrp = racoon_calloc(1, sizeof(struct dhgroup)); - memcpy(newsa->dhgrp, match->dhgrp, sizeof (struct dhgroup)); - } - newsa->next = NULL; - newsa->rmconf = NULL; - - newsa->gssid = vdup(received->gssid); - - return newsa; -} -#endif - -static int rm_idtype2doi[] = { - IPSECDOI_ID_FQDN, - IPSECDOI_ID_USER_FQDN, - IPSECDOI_ID_KEY_ID, - 255, /* it's type of "address" - * it expands into 4 types by another function. */ - IPSECDOI_ID_DER_ASN1_DN, -}; - -/* - * convert idtype to DOI value. - * OUT 255 : NG - * other: converted. - */ -int -idtype2doi(idtype) - int idtype; -{ - if (ARRAYLEN(rm_idtype2doi) > idtype) - return rm_idtype2doi[idtype]; - return 255; -} - -int -doi2idtype(doi) - int doi; -{ - switch(doi) { - case IPSECDOI_ID_FQDN: - return(IDTYPE_FQDN); - case IPSECDOI_ID_USER_FQDN: - return(IDTYPE_USERFQDN); - case IPSECDOI_ID_KEY_ID: - return(IDTYPE_KEYID); - case IPSECDOI_ID_DER_ASN1_DN: - return(IDTYPE_ASN1DN); - case IPSECDOI_ID_IPV4_ADDR: - case IPSECDOI_ID_IPV4_ADDR_SUBNET: - case IPSECDOI_ID_IPV6_ADDR: - case IPSECDOI_ID_IPV6_ADDR_SUBNET: - return(IDTYPE_ADDRESS); - default: - plog(LLV_WARNING, LOCATION, NULL, - "Inproper idtype:%d in this function.\n", - s_ipsecdoi_ident(doi)); - return(IDTYPE_ADDRESS); /* XXX */ - } - /*NOTREACHED*/ -} - diff --git a/kame/kame/racoon/ipsec_doi.h b/kame/kame/racoon/ipsec_doi.h deleted file mode 100644 index b64aa93188..0000000000 --- a/kame/kame/racoon/ipsec_doi.h +++ /dev/null 
@@ -1,212 +0,0 @@ -/* $KAME: ipsec_doi.h,v 1.35 2003/06/27 07:32:38 sakane Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -/* refered to RFC2407 */ - -#define IPSEC_DOI 1 - -/* 4.2 IPSEC Situation Definition */ -#define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001 -#define IPSECDOI_SIT_SECRECY 0x00000002 -#define IPSECDOI_SIT_INTEGRITY 0x00000004 - -/* 4.4.1 IPSEC Security Protocol Identifiers */ - /* 4.4.2 IPSEC ISAKMP Transform Values */ -#define IPSECDOI_PROTO_ISAKMP 1 -#define IPSECDOI_KEY_IKE 1 - -/* 4.4.1 IPSEC Security Protocol Identifiers */ -#define IPSECDOI_PROTO_IPSEC_AH 2 - /* 4.4.3 IPSEC AH Transform Values */ -#define IPSECDOI_AH_MD5 2 -#define IPSECDOI_AH_SHA 3 -#define IPSECDOI_AH_DES 4 -#define IPSECDOI_AH_SHA2_256 5 -#define IPSECDOI_AH_SHA2_384 6 -#define IPSECDOI_AH_SHA2_512 7 - -/* 4.4.1 IPSEC Security Protocol Identifiers */ -#define IPSECDOI_PROTO_IPSEC_ESP 3 - /* 4.4.4 IPSEC ESP Transform Identifiers */ -#define IPSECDOI_ESP_DES_IV64 1 -#define IPSECDOI_ESP_DES 2 -#define IPSECDOI_ESP_3DES 3 -#define IPSECDOI_ESP_RC5 4 -#define IPSECDOI_ESP_IDEA 5 -#define IPSECDOI_ESP_CAST 6 -#define IPSECDOI_ESP_BLOWFISH 7 -#define IPSECDOI_ESP_3IDEA 8 -#define IPSECDOI_ESP_DES_IV32 9 -#define IPSECDOI_ESP_RC4 10 -#define IPSECDOI_ESP_NULL 11 -#define IPSECDOI_ESP_RIJNDAEL 12 -#define IPSECDOI_ESP_AES 12 -#if 1 - /* draft-ietf-ipsec-ciph-aes-cbc-00.txt */ -#define IPSECDOI_ESP_TWOFISH 253 -#else - /* SSH uses these value for now */ -#define IPSECDOI_ESP_TWOFISH 250 -#endif - -/* 4.4.1 IPSEC Security Protocol Identifiers */ -#define IPSECDOI_PROTO_IPCOMP 4 - /* 4.4.5 IPSEC IPCOMP Transform Identifiers */ -#define IPSECDOI_IPCOMP_OUI 1 -#define IPSECDOI_IPCOMP_DEFLATE 2 -#define IPSECDOI_IPCOMP_LZS 3 - -/* 4.5 IPSEC Security Association Attributes */ -/* NOTE: default value is not included in a packet. 
*/ -#define IPSECDOI_ATTR_SA_LD_TYPE 1 /* B */ -#define IPSECDOI_ATTR_SA_LD_TYPE_DEFAULT 1 -#define IPSECDOI_ATTR_SA_LD_TYPE_SEC 1 -#define IPSECDOI_ATTR_SA_LD_TYPE_KB 2 -#define IPSECDOI_ATTR_SA_LD_TYPE_MAX 3 -#define IPSECDOI_ATTR_SA_LD 2 /* V */ -#define IPSECDOI_ATTR_SA_LD_SEC_DEFAULT 28800 /* 8 hours */ -#define IPSECDOI_ATTR_SA_LD_KB_MAX (~(1 << ((sizeof(int) << 3) - 1))) -#define IPSECDOI_ATTR_GRP_DESC 3 /* B */ -#define IPSECDOI_ATTR_ENC_MODE 4 /* B */ - /* default value: host dependent */ -#define IPSECDOI_ATTR_ENC_MODE_ANY 0 /* NOTE:internal use */ -#define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1 -#define IPSECDOI_ATTR_ENC_MODE_TRNS 2 -#define IPSECDOI_ATTR_AUTH 5 /* B */ - /* 0 means not to use authentication. */ -#define IPSECDOI_ATTR_AUTH_HMAC_MD5 1 -#define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2 -#define IPSECDOI_ATTR_AUTH_DES_MAC 3 -#define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/ -#define IPSECDOI_ATTR_SHA2_256 5 -#define IPSECDOI_ATTR_SHA2_384 6 -#define IPSECDOI_ATTR_SHA2_512 7 -#define IPSECDOI_ATTR_AUTH_NONE 254 /* NOTE:internal use */ - /* - * When negotiating ESP without authentication, the Auth - * Algorithm attribute MUST NOT be included in the proposal. - * When negotiating ESP without confidentiality, the Auth - * Algorithm attribute MUST be included in the proposal and - * the ESP transform ID must be ESP_NULL. - */ -#define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */ -#define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */ -#define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */ -#define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */ - -/* 4.6.1 Security Association Payload */ -struct ipsecdoi_pl_sa { - struct isakmp_gen h; - struct ipsecdoi_sa_b { - u_int32_t doi; /* Domain of Interpretation */ - u_int32_t sit; /* Situation */ - } b; - /* followed by Leveled Domain Identifier and so on. 
*/ -} __attribute__((__packed__)); - -struct ipsecdoi_secrecy_h { - u_int16_t len; - u_int16_t reserved; - /* followed by the value */ -} __attribute__((__packed__)); - -/* 4.6.2 Identification Payload Content */ -struct ipsecdoi_pl_id { - struct isakmp_gen h; - struct ipsecdoi_id_b { - u_int8_t type; /* ID Type */ - u_int8_t proto_id; /* Protocol ID */ - u_int16_t port; /* Port */ - } b; - /* followed by Identification Data */ -} __attribute__((__packed__)); - -#define IPSECDOI_ID_IPV4_ADDR 1 -#define IPSECDOI_ID_FQDN 2 -#define IPSECDOI_ID_USER_FQDN 3 -#define IPSECDOI_ID_IPV4_ADDR_SUBNET 4 -#define IPSECDOI_ID_IPV6_ADDR 5 -#define IPSECDOI_ID_IPV6_ADDR_SUBNET 6 -#define IPSECDOI_ID_IPV4_ADDR_RANGE 7 -#define IPSECDOI_ID_IPV6_ADDR_RANGE 8 -#define IPSECDOI_ID_DER_ASN1_DN 9 -#define IPSECDOI_ID_DER_ASN1_GN 10 -#define IPSECDOI_ID_KEY_ID 11 - -/* compressing doi type, it's internal use. */ -#define IDTYPE_FQDN 0 -#define IDTYPE_USERFQDN 1 -#define IDTYPE_KEYID 2 -#define IDTYPE_ADDRESS 3 -#define IDTYPE_ASN1DN 4 - -/* The use for checking proposal payload. This is not exchange type. 
*/ -#define IPSECDOI_TYPE_PH1 0 -#define IPSECDOI_TYPE_PH2 1 - -struct isakmpsa; -struct ipsecdoi_pl_sa; -struct saprop; -struct saproto; -struct satrns; -struct prop_pair; - -extern int ipsecdoi_checkph1proposal __P((vchar_t *, struct ph1handle *)); -extern int ipsecdoi_selectph2proposal __P((struct ph2handle *)); -extern int ipsecdoi_checkph2proposal __P((struct ph2handle *)); - -extern struct prop_pair **get_proppair __P((vchar_t *, int)); -extern vchar_t *get_sabyproppair __P((struct prop_pair *, struct ph1handle *)); -extern int ipsecdoi_updatespi __P((struct ph2handle *iph2)); -extern vchar_t *get_sabysaprop __P((struct saprop *, vchar_t *)); -extern int ipsecdoi_checkid1 __P((struct ph1handle *)); -extern int ipsecdoi_setid1 __P((struct ph1handle *)); -extern int set_identifier __P((vchar_t **, int, vchar_t *)); -extern int ipsecdoi_setid2 __P((struct ph2handle *)); -extern vchar_t *ipsecdoi_sockaddr2id __P((struct sockaddr *, u_int, u_int)); -extern int ipsecdoi_id2sockaddr __P((vchar_t *, struct sockaddr *, - u_int8_t *, u_int16_t *)); -extern const char *ipsecdoi_id2str __P((const vchar_t *)); - -extern vchar_t *ipsecdoi_setph1proposal __P((struct isakmpsa *)); -extern int ipsecdoi_setph2proposal __P((struct ph2handle *)); -extern int ipsecdoi_transportmode __P((struct saprop *)); -extern int ipsecdoi_get_defaultlifetime __P((void)); -extern int ipsecdoi_checkalgtypes __P((int, int, int, int)); -extern int ipproto2doi __P((int)); -extern int doi2ipproto __P((int)); - -extern int ipsecdoi_t2satrns __P((struct isakmp_pl_t *, - struct saprop *, struct saproto *, struct satrns *)); -extern int ipsecdoi_authalg2trnsid __P((int)); -extern int idtype2doi __P((int)); -extern int doi2idtype __P((int)); - diff --git a/kame/kame/racoon/isakmp.c b/kame/kame/racoon/isakmp.c deleted file mode 100644 index a4fe008d83..0000000000 --- a/kame/kame/racoon/isakmp.c +++ /dev/null 
@@ -1,2468 +0,0 @@ -/* $KAME: isakmp.c,v 1.182 2005/03/07 20:29:58 sakane Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include -#include -#include -#include - -#include -#include - -#include -#include -#include -#include -#if TIME_WITH_SYS_TIME -# include -# include -#else -# if HAVE_SYS_TIME_H -# include -# else -# include -# endif -#endif -#include -#ifdef HAVE_UNISTD_H -#include -#endif -#include - -#if !defined(HAVE_GETADDRINFO) || !defined(HAVE_GETNAMEINFO) -#include "addrinfo.h" -#endif - -#include "var.h" -#include "misc.h" -#include "vmbuf.h" -#include "plog.h" -#include "sockmisc.h" -#include "schedule.h" -#include "debug.h" - -#include "remoteconf.h" -#include "localconf.h" -#include "grabmyaddr.h" -#include "isakmp_var.h" -#include "isakmp.h" -#include "oakley.h" -#include "handler.h" -#include "ipsec_doi.h" -#include "pfkey.h" -#include "crypto_openssl.h" -#include "policy.h" -#include "isakmp_ident.h" -#include "isakmp_agg.h" -#include "isakmp_base.h" -#include "isakmp_quick.h" -#include "isakmp_inf.h" -#include "isakmp_newg.h" -#include "strnames.h" -#ifndef HAVE_ARC4RANDOM -#include "arc4random.h" -#endif - -static int nostate1 __P((struct ph1handle *, vchar_t *)); -static int nostate2 __P((struct ph2handle *, vchar_t *)); - -extern caddr_t val2str(const char *, size_t); - -static int (*ph1exchange[][2][PHASE1ST_MAX]) - __P((struct ph1handle *, vchar_t *)) = { - /* error */ - { {}, {}, }, - /* Identity Protection exchange */ - { - { nostate1, ident_i1send, nostate1, ident_i2recv, ident_i2send, - ident_i3recv, ident_i3send, ident_i4recv, ident_i4send, nostate1, }, - { nostate1, ident_r1recv, ident_r1send, ident_r2recv, ident_r2send, - ident_r3recv, ident_r3send, nostate1, nostate1, nostate1, }, - }, - /* Aggressive exchange */ - { - { nostate1, agg_i1send, nostate1, agg_i2recv, agg_i2send, - nostate1, nostate1, nostate1, nostate1, nostate1, }, - { nostate1, agg_r1recv, agg_r1send, agg_r2recv, agg_r2send, - nostate1, nostate1, nostate1, nostate1, nostate1, }, - }, - /* Base exchange */ - { - { nostate1, base_i1send, nostate1, base_i2recv, base_i2send, - 
base_i3recv, base_i3send, nostate1, nostate1, nostate1, }, - { nostate1, base_r1recv, base_r1send, base_r2recv, base_r2send, - nostate1, nostate1, nostate1, nostate1, nostate1, }, - }, -}; - -static int (*ph2exchange[][2][PHASE2ST_MAX]) - __P((struct ph2handle *, vchar_t *)) = { - /* error */ - { {}, {}, }, - /* Quick mode for IKE*/ - { - { nostate2, nostate2, quick_i1prep, nostate2, quick_i1send, - quick_i2recv, quick_i2send, quick_i3recv, nostate2, nostate2, }, - { nostate2, quick_r1recv, quick_r1prep, nostate2, quick_r2send, - quick_r3recv, quick_r3prep, quick_r3send, nostate2, nostate2, } - }, -}; - -static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */ - -static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *)); -static int ph1_main __P((struct ph1handle *, vchar_t *)); -static int quick_main __P((struct ph2handle *, vchar_t *)); -static int isakmp_ph1begin_r __P((vchar_t *, - struct sockaddr *, struct sockaddr *, u_int8_t)); -static int isakmp_ph2begin_i __P((struct ph1handle *, struct ph2handle *)); -static int isakmp_ph2begin_r __P((struct ph1handle *, vchar_t *)); -static int etypesw1 __P((int)); -static int etypesw2 __P((int)); - -/* - * isakmp packet handler - */ -int -isakmp_handler(so_isakmp) - int so_isakmp; -{ - struct isakmp isakmp; - struct sockaddr_storage remote; - struct sockaddr_storage local; - int remote_len = sizeof(remote); - int local_len = sizeof(local); - int len; - u_short port; - vchar_t *buf = NULL; - int error = -1; - - /* read message by MSG_PEEK */ - while ((len = recvfromto(so_isakmp, (char *)&isakmp, sizeof(isakmp), - MSG_PEEK, (struct sockaddr *)&remote, &remote_len, - (struct sockaddr *)&local, &local_len)) < 0) { - if (errno == EINTR) - continue; - plog(LLV_ERROR, LOCATION, NULL, - "failed to receive isakmp packet\n"); - goto end; - } - - /* check isakmp header length, as well as sanity of header length */ - if (len < sizeof(isakmp) || ntohl(isakmp.len) < sizeof(isakmp)) { - 
plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote, - "packet shorter than isakmp header size.\n"); - /* dummy receive */ - if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp), - 0, (struct sockaddr *)&remote, &remote_len)) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to receive isakmp packet\n"); - } - goto end; - } - - /* reject it if the size is tooooo big. */ - if (ntohl(isakmp.len) > 0xffff) { - plog(LLV_ERROR, LOCATION, NULL, - "the length of the isakmp header is too big.\n"); - if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp), - 0, (struct sockaddr *)&remote, &remote_len)) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to receive isakmp packet\n"); - } - goto end; - } - - /* read real message */ - if ((buf = vmalloc(ntohl(isakmp.len))) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate reading buffer\n"); - /* dummy receive */ - if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp), - 0, (struct sockaddr *)&remote, &remote_len)) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to receive isakmp packet\n"); - } - goto end; - } - - while ((len = recvfromto(so_isakmp, buf->v, buf->l, - 0, (struct sockaddr *)&remote, &remote_len, - (struct sockaddr *)&local, &local_len)) < 0) { - if (errno == EINTR) - continue; - plog(LLV_ERROR, LOCATION, NULL, - "failed to receive isakmp packet\n"); - goto end; - } - - if (len != buf->l) { - plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote, - "received invalid length, why ?\n"); - goto end; - } - - plog(LLV_DEBUG, LOCATION, NULL, "===\n"); - plog(LLV_DEBUG, LOCATION, (struct sockaddr *)&local, - "%d bytes message received from %s\n", - len, saddr2str((struct sockaddr *)&remote)); - plogdump(LLV_DEBUG, buf->v, buf->l); - - /* avoid packets with malicious port/address */ - switch (remote.ss_family) { - case AF_INET: - port = ((struct sockaddr_in *)&remote)->sin_port; - break; -#ifdef INET6 - case AF_INET6: - port = ((struct sockaddr_in6 *)&remote)->sin6_port; - 
break; -#endif - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid family: %d\n", remote.ss_family); - goto end; - } - if (port == 0) { - plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote, - "src port == 0 (valid as UDP but not with IKE)\n"); - goto end; - } - - /* XXX: check sender whether to be allowed or not to accept */ - - /* XXX: I don't know how to check isakmp half connection attack. */ - - /* simply reply if the packet was processed. */ - if (check_recvdpkt((struct sockaddr *)&remote, - (struct sockaddr *)&local, buf)) { - plog(LLV_NOTIFY, LOCATION, NULL, - "the packet is retransmitted by %s.\n", - saddr2str((struct sockaddr *)&remote)); - error = 0; - goto end; - } - - /* isakmp main routine */ - if (isakmp_main(buf, (struct sockaddr *)&remote, - (struct sockaddr *)&local) != 0) goto end; - - error = 0; - -end: - if (buf != NULL) - vfree(buf); - - return(error); -} - -/* - * main processing to handle isakmp payload - */ -static int -isakmp_main(msg, remote, local) - vchar_t *msg; - struct sockaddr *remote, *local; -{ - struct isakmp *isakmp = (struct isakmp *)msg->v; - isakmp_index *index = (isakmp_index *)isakmp; - u_int32_t msgid = isakmp->msgid; - struct ph1handle *iph1; - -#ifdef HAVE_PRINT_ISAKMP_C - isakmp_printpacket(msg, remote, local, 0); -#endif - - /* the initiator's cookie must not be zero */ - if (memcmp(&isakmp->i_ck, r_ck0, sizeof(cookie_t)) == 0) { - plog(LLV_ERROR, LOCATION, remote, - "malformed cookie received.\n"); - return -1; - } - - /* Check the Major and Minor Version fields. */ - /* - * XXX Is is right to check version here ? - * I think it may no be here because the version depends - * on exchange status. 
- */ - if (isakmp->v < ISAKMP_VERSION_NUMBER) { - if (ISAKMP_GETMAJORV(isakmp->v) < ISAKMP_MAJOR_VERSION) { - plog(LLV_ERROR, LOCATION, remote, - "invalid major version %d.\n", - ISAKMP_GETMAJORV(isakmp->v)); - return -1; - } -#if ISAKMP_MINOR_VERSION > 0 - if (ISAKMP_GETMINORV(isakmp->v) < ISAKMP_MINOR_VERSION) { - plog(LLV_ERROR, LOCATION, remote, - "invalid minor version %d.\n", - ISAKMP_GETMINORV(isakmp->v)); - return -1; - } -#endif - } - - /* check the Flags field. */ - /* XXX How is the exclusive check, E and A ? */ - if (isakmp->flags & ~(ISAKMP_FLAG_E | ISAKMP_FLAG_C | ISAKMP_FLAG_A)) { - plog(LLV_ERROR, LOCATION, remote, - "invalid flag 0x%02x.\n", isakmp->flags); - return -1; - } - - /* ignore commit bit. */ - if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) { - if (isakmp->msgid == 0) { - isakmp_info_send_nx(isakmp, remote, local, - ISAKMP_NTYPE_INVALID_FLAGS, NULL); - plog(LLV_ERROR, LOCATION, remote, - "Commit bit on phase1 forbidden.\n"); - return -1; - } - } - - iph1 = getph1byindex(index); - if (iph1 != NULL) { - /* validity check */ - if (memcmp(&isakmp->r_ck, r_ck0, sizeof(cookie_t)) == 0 && - iph1->side == INITIATOR) { - plog(LLV_DEBUG, LOCATION, remote, - "malformed cookie received or " - "the initiator's cookies collide.\n"); - return -1; - } - - /* must be same addresses in one stream of a phase at least. */ - if (cmpsaddrstrict(iph1->remote, remote) != 0) { - char *saddr_db, *saddr_act; - - saddr_db = strdup(saddr2str(iph1->remote)); - saddr_act = strdup(saddr2str(remote)); - - plog(LLV_WARNING, LOCATION, remote, - "remote address mismatched. db=%s, act=%s\n", - saddr_db, saddr_act); - - racoon_free(saddr_db); - racoon_free(saddr_act); - } - /* - * don't check of exchange type here because other type will be - * with same index, for example, informational exchange. 
- */ - - /* XXX more acceptable check */ - } - - switch (isakmp->etype) { - case ISAKMP_ETYPE_IDENT: - case ISAKMP_ETYPE_AGG: - case ISAKMP_ETYPE_BASE: - /* phase 1 validity check */ - if (isakmp->msgid != 0) { - plog(LLV_ERROR, LOCATION, remote, - "message id should be zero in phase1.\n"); - return -1; - } - - /* search for isakmp status record of phase 1 */ - if (iph1 == NULL) { - /* - * the packet must be the 1st message from a initiator - * or the 2nd message from the responder. - */ - - /* search for phase1 handle by index without r_ck */ - iph1 = getph1byindex0(index); - if (iph1 == NULL) { - /*it must be the 1st message from a initiator.*/ - if (memcmp(&isakmp->r_ck, r_ck0, - sizeof(cookie_t)) != 0) { - - plog(LLV_DEBUG, LOCATION, remote, - "malformed cookie received " - "or the spi expired.\n"); - return -1; - } - - /* it must be responder's 1st exchange. */ - if (isakmp_ph1begin_r(msg, remote, local, - isakmp->etype) < 0) - return -1; - break; - - /*NOTREACHED*/ - } - - /* it must be the 2nd message from the responder. */ - if (iph1->side != INITIATOR) { - plog(LLV_DEBUG, LOCATION, remote, - "malformed cookie received. " - "it has to be as the initiator. %s\n", - isakmp_pindex(&iph1->index, 0)); - return -1; - } - } - - /* - * Don't delete phase 1 handler when the exchange type - * in handler is not equal to packet's one because of no - * authencication completed. 
- */ - if (iph1->etype != isakmp->etype) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "exchange type is mismatched: " - "db=%s packet=%s, ignore it.\n", - s_isakmp_etype(iph1->etype), - s_isakmp_etype(isakmp->etype)); - return -1; - } - - /* call main process of phase 1 */ - if (ph1_main(iph1, msg) < 0) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "phase1 negotiation failed.\n"); - remph1(iph1); - delph1(iph1); - return -1; - } - break; - - case ISAKMP_ETYPE_AUTH: - plog(LLV_INFO, LOCATION, remote, - "unsupported exchange %d received.\n", - isakmp->etype); - break; - - case ISAKMP_ETYPE_INFO: - case ISAKMP_ETYPE_ACKINFO: - /* - * iph1 must be present for Information message. - * if iph1 is null then trying to get the phase1 status - * as the packet from responder againt initiator's 1st - * exchange in phase 1. - * NOTE: We think such informational exchange should be ignored. - */ - if (iph1 == NULL) { - iph1 = getph1byindex0(index); - if (iph1 == NULL) { - plog(LLV_ERROR, LOCATION, remote, - "unknown Informational " - "exchange received.\n"); - return -1; - } - if (cmpsaddrstrict(iph1->remote, remote) != 0) { - plog(LLV_WARNING, LOCATION, remote, - "remote address mismatched. " - "db=%s\n", - saddr2str(iph1->remote)); - } - } - - if (isakmp_info_recv(iph1, msg) < 0) - return -1; - break; - - case ISAKMP_ETYPE_QUICK: - { - struct ph2handle *iph2; - - if (iph1 == NULL) { - isakmp_info_send_nx(isakmp, remote, local, - ISAKMP_NTYPE_INVALID_COOKIE, NULL); - plog(LLV_ERROR, LOCATION, remote, - "can't start the quick mode, " - "there is no ISAKMP-SA, %s\n", - isakmp_pindex((isakmp_index *)&isakmp->i_ck, - isakmp->msgid)); - return -1; - } - - /* check status of phase 1 whether negotiated or not. */ - if (iph1->status != PHASE1ST_ESTABLISHED) { - plog(LLV_ERROR, LOCATION, remote, - "can't start the quick mode, " - "there is no valid ISAKMP-SA, %s\n", - isakmp_pindex(&iph1->index, iph1->msgid)); - return -1; - } - - /* search isakmp phase 2 stauts record. 
*/ - iph2 = getph2bymsgid(iph1, msgid); - if (iph2 == NULL) { - /* it must be new negotiation as responder */ - if (isakmp_ph2begin_r(iph1, msg) < 0) - return -1; - return 0; - /*NOTREACHED*/ - } - - /* commit bit. */ - /* XXX - * we keep to set commit bit during negotiation. - * When SA is configured, bit will be reset. - * XXX - * don't initiate commit bit. should be fixed in the future. - */ - if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) - iph2->flags |= ISAKMP_FLAG_C; - - /* call main process of quick mode */ - if (quick_main(iph2, msg) < 0) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "phase2 negotiation failed.\n"); - unbindph12(iph2); - remph2(iph2); - delph2(iph2); - return -1; - } - } - break; - - case ISAKMP_ETYPE_NEWGRP: - if (iph1 == NULL) { - plog(LLV_ERROR, LOCATION, remote, - "Unknown new group mode exchange, " - "there is no ISAKMP-SA.\n"); - return -1; - } - isakmp_newgroup_r(iph1, msg); - break; - - case ISAKMP_ETYPE_NONE: - default: - plog(LLV_ERROR, LOCATION, NULL, - "Invalid exchange type %d from %s.\n", - isakmp->etype, saddr2str(remote)); - return -1; - } - - return 0; -} - -/* - * main function of phase 1. - */ -static int -ph1_main(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - int error; -#ifdef ENABLE_STATS - struct timeval start, end; -#endif - - /* ignore a packet */ - if (iph1->status == PHASE1ST_ESTABLISHED) - return 0; - -#ifdef ENABLE_STATS - gettimeofday(&start, NULL); -#endif - /* receive */ - if (ph1exchange[etypesw1(iph1->etype)] - [iph1->side] - [iph1->status] == NULL) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "why isn't the function defined.\n"); - return -1; - } - error = (ph1exchange[etypesw1(iph1->etype)] - [iph1->side] - [iph1->status])(iph1, msg); - if (error != 0) { -#if 0 - /* XXX - * When an invalid packet is received on phase1, it should - * be selected to process this packet. That is to respond - * with a notify and delete phase 1 handler, OR not to respond - * and keep phase 1 handler. 
- */ - plog(LLV_ERROR, LOCATION, iph1->remote, - "failed to pre-process packet.\n"); - return -1; -#else - /* ignore the error and keep phase 1 handler */ - return 0; -#endif - } - - /* free resend buffer */ - if (iph1->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "no buffer found as sendbuf\n"); - return -1; - } - VPTRINIT(iph1->sendbuf); - - /* turn off schedule */ - if (iph1->scr) - SCHED_KILL(iph1->scr); - - /* send */ - plog(LLV_DEBUG, LOCATION, NULL, "===\n"); - if ((ph1exchange[etypesw1(iph1->etype)] - [iph1->side] - [iph1->status])(iph1, msg) != 0) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "failed to process packet.\n"); - return -1; - } - -#ifdef ENABLE_STATS - gettimeofday(&end, NULL); - syslog(LOG_NOTICE, "%s(%s): %8.6f", - "phase1", s_isakmp_state(iph1->etype, iph1->side, iph1->status), - timedelta(&start, &end)); -#endif - if (iph1->status == PHASE1ST_ESTABLISHED) { - -#ifdef ENABLE_STATS - gettimeofday(&iph1->end, NULL); - syslog(LOG_NOTICE, "%s(%s): %8.6f", - "phase1", s_isakmp_etype(iph1->etype), - timedelta(&iph1->start, &iph1->end)); -#endif - - /* save created date. */ - (void)time(&iph1->created); - - /* add to the schedule to expire, and seve back pointer. */ - iph1->sce = sched_new(iph1->approval->lifetime, - isakmp_ph1expire_stub, iph1); - - /* INITIAL-CONTACT processing */ - /* don't anything if local test mode. */ - if (!f_local - && iph1->rmconf->ini_contact && !getcontacted(iph1->remote)) { - /* send INITIAL-CONTACT */ - isakmp_info_send_n1(iph1, - ISAKMP_NTYPE_INITIAL_CONTACT, NULL); - /* insert a node into contacted list. */ - if (inscontacted(iph1->remote) == -1) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "failed to add contacted list.\n"); - /* ignore */ - } - } - - log_ph1established(iph1); - plog(LLV_DEBUG, LOCATION, NULL, "===\n"); - } - - return 0; -} - -/* - * main function of quick mode. 
- */ -static int -quick_main(iph2, msg) - struct ph2handle *iph2; - vchar_t *msg; -{ - struct isakmp *isakmp = (struct isakmp *)msg->v; - int error; -#ifdef ENABLE_STATS - struct timeval start, end; -#endif - - /* ignore a packet */ - if (iph2->status == PHASE2ST_ESTABLISHED - || iph2->status == PHASE2ST_GETSPISENT) - return 0; - -#ifdef ENABLE_STATS - gettimeofday(&start, NULL); -#endif - - /* receive */ - if (ph2exchange[etypesw2(isakmp->etype)] - [iph2->side] - [iph2->status] == NULL) { - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, - "why isn't the function defined.\n"); - return -1; - } - error = (ph2exchange[etypesw2(isakmp->etype)] - [iph2->side] - [iph2->status])(iph2, msg); - if (error != 0) { - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, - "failed to pre-process packet.\n"); - if (error == ISAKMP_INTERNAL_ERROR) - return 0; - isakmp_info_send_n1(iph2->ph1, error, NULL); - return -1; - } - - /* when using commit bit, status will be reached here. */ - if (iph2->status == PHASE2ST_ADDSA) - return 0; - - /* free resend buffer */ - if (iph2->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "no buffer found as sendbuf\n"); - return -1; - } - VPTRINIT(iph2->sendbuf); - - /* turn off schedule */ - if (iph2->scr) - SCHED_KILL(iph2->scr); - - /* send */ - plog(LLV_DEBUG, LOCATION, NULL, "===\n"); - if ((ph2exchange[etypesw2(isakmp->etype)] - [iph2->side] - [iph2->status])(iph2, msg) != 0) { - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, - "failed to process packet.\n"); - return -1; - } - -#ifdef ENABLE_STATS - gettimeofday(&end, NULL); - syslog(LOG_NOTICE, "%s(%s): %8.6f", - "phase2", - s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status), - timedelta(&start, &end)); -#endif - - return 0; -} - -/* new negotiation of phase 1 for initiator */ -int -isakmp_ph1begin_i(rmconf, remote, local) - struct remoteconf *rmconf; - struct sockaddr *remote, *local; -{ - struct ph1handle *iph1; -#ifdef ENABLE_STATS - struct timeval start, end; -#endif - - /* get new 
entry to isakmp status table. */ - iph1 = newph1(); - if (iph1 == NULL) - return -1; - - iph1->status = PHASE1ST_START; - iph1->rmconf = rmconf; - iph1->side = INITIATOR; - iph1->version = ISAKMP_VERSION_NUMBER; - iph1->msgid = 0; - iph1->flags = 0; - iph1->ph2cnt = 0; -#ifdef HAVE_GSSAPI - iph1->gssapi_state = NULL; -#endif - iph1->approval = NULL; - - /* XXX copy remote address */ - if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) - return -1; - - (void)insph1(iph1); - - /* start phase 1 exchange */ - iph1->etype = rmconf->etypes->type; - - plog(LLV_DEBUG, LOCATION, NULL, "===\n"); - { - char *a; - - a = strdup(saddr2str(iph1->local)); - plog(LLV_INFO, LOCATION, NULL, - "initiate new phase 1 negotiation: %s<=>%s\n", - a, saddr2str(iph1->remote)); - racoon_free(a); - } - plog(LLV_INFO, LOCATION, NULL, - "begin %s mode.\n", - s_isakmp_etype(iph1->etype)); - -#ifdef ENABLE_STATS - gettimeofday(&iph1->start, NULL); - gettimeofday(&start, NULL); -#endif - /* start exchange */ - if ((ph1exchange[etypesw1(iph1->etype)] - [iph1->side] - [iph1->status])(iph1, NULL) != 0) { - /* failed to start phase 1 negotiation */ - remph1(iph1); - delph1(iph1); - - return -1; - } - -#ifdef ENABLE_STATS - gettimeofday(&end, NULL); - syslog(LOG_NOTICE, "%s(%s): %8.6f", - "phase1", - s_isakmp_state(iph1->etype, iph1->side, iph1->status), - timedelta(&start, &end)); -#endif - - return 0; -} - -/* new negotiation of phase 1 for responder */ -static int -isakmp_ph1begin_r(msg, remote, local, etype) - vchar_t *msg; - struct sockaddr *remote, *local; - u_int8_t etype; -{ - struct isakmp *isakmp = (struct isakmp *)msg->v; - struct remoteconf *rmconf; - struct ph1handle *iph1; - struct etypes *etypeok; -#ifdef ENABLE_STATS - struct timeval start, end; -#endif - - /* look for my configuration */ - rmconf = getrmconf(remote); - if (rmconf == NULL) { - plog(LLV_ERROR, LOCATION, remote, - "couldn't find " - "configuration.\n"); - return -1; - } - - /* check to be acceptable exchange type */ - 
etypeok = check_etypeok(rmconf, etype); - if (etypeok == NULL) { - plog(LLV_ERROR, LOCATION, remote, - "not acceptable %s mode\n", s_isakmp_etype(etype)); - return -1; - } - - /* get new entry to isakmp status table. */ - iph1 = newph1(); - if (iph1 == NULL) - return -1; - - memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(iph1->index.i_ck)); - iph1->status = PHASE1ST_START; - iph1->rmconf = rmconf; - iph1->flags = 0; - iph1->side = RESPONDER; - iph1->etype = etypeok->type; - iph1->version = isakmp->v; - iph1->msgid = 0; -#ifdef HAVE_GSSAPI - iph1->gssapi_state = NULL; -#endif - iph1->approval = NULL; - - /* copy remote address */ - if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) - return -1; - - (void)insph1(iph1); - - plog(LLV_DEBUG, LOCATION, NULL, "===\n"); - { - char *a; - - a = strdup(saddr2str(iph1->local)); - plog(LLV_INFO, LOCATION, NULL, - "respond new phase 1 negotiation: %s<=>%s\n", - a, saddr2str(iph1->remote)); - racoon_free(a); - } - plog(LLV_INFO, LOCATION, NULL, - "begin %s mode.\n", s_isakmp_etype(etype)); - -#ifdef ENABLE_STATS - gettimeofday(&iph1->start, NULL); - gettimeofday(&start, NULL); -#endif - /* start exchange */ - if ((ph1exchange[etypesw1(iph1->etype)] - [iph1->side] - [iph1->status])(iph1, msg) < 0 - || (ph1exchange[etypesw1(iph1->etype)] - [iph1->side] - [iph1->status])(iph1, msg) < 0) { - plog(LLV_ERROR, LOCATION, remote, - "failed to process packet.\n"); - remph1(iph1); - delph1(iph1); - return -1; - } -#ifdef ENABLE_STATS - gettimeofday(&end, NULL); - syslog(LOG_NOTICE, "%s(%s): %8.6f", - "phase1", - s_isakmp_state(iph1->etype, iph1->side, iph1->status), - timedelta(&start, &end)); -#endif - - return 0; -} - -/* new negotiation of phase 2 for initiator */ -static int -isakmp_ph2begin_i(iph1, iph2) - struct ph1handle *iph1; - struct ph2handle *iph2; -{ - /* found ISAKMP-SA. 
*/ - plog(LLV_DEBUG, LOCATION, NULL, "===\n"); - plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n"); - { - char *a; - a = strdup(saddr2str(iph2->src)); - plog(LLV_INFO, LOCATION, NULL, - "initiate new phase 2 negotiation: %s<=>%s\n", - a, saddr2str(iph2->dst)); - racoon_free(a); - } - -#ifdef ENABLE_STATS - gettimeofday(&iph2->start, NULL); -#endif - /* found isakmp-sa */ - bindph12(iph1, iph2); - iph2->status = PHASE2ST_STATUS2; - - if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)] - [iph2->side] - [iph2->status])(iph2, NULL) < 0) { - unbindph12(iph2); - /* release ipsecsa handler due to internal error. */ - remph2(iph2); - delph2(iph2); - return -1; - } - return 0; -} - -/* new negotiation of phase 2 for responder */ -static int -isakmp_ph2begin_r(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - struct isakmp *isakmp = (struct isakmp *)msg->v; - struct ph2handle *iph2 = 0; - int error; -#ifdef ENABLE_STATS - struct timeval start, end; -#endif - - iph2 = newph2(); - if (iph2 == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate phase2 entry.\n"); - return -1; - } - - iph2->ph1 = iph1; - iph2->side = RESPONDER; - iph2->status = PHASE2ST_START; - iph2->flags = isakmp->flags; - iph2->msgid = isakmp->msgid; - iph2->seq = pk_getseq(); - iph2->ivm = oakley_newiv2(iph1, iph2->msgid); - if (iph2->ivm == NULL) { - delph2(iph2); - return -1; - } - iph2->dst = dupsaddr(iph1->remote); /* XXX should be considered */ - if (iph2->dst == NULL) { - delph2(iph2); - return -1; - } - switch (iph2->dst->sa_family) { - case AF_INET: - ((struct sockaddr_in *)iph2->dst)->sin_port = 0; - break; -#ifdef INET6 - case AF_INET6: - ((struct sockaddr_in6 *)iph2->dst)->sin6_port = 0; - break; -#endif - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid family: %d\n", iph2->dst->sa_family); - delph2(iph2); - return -1; - } - - iph2->src = dupsaddr(iph1->local); /* XXX should be considered */ - if (iph2->src == NULL) { - delph2(iph2); - return -1; - } - switch 
(iph2->src->sa_family) { - case AF_INET: - ((struct sockaddr_in *)iph2->src)->sin_port = 0; - break; -#ifdef INET6 - case AF_INET6: - ((struct sockaddr_in6 *)iph2->src)->sin6_port = 0; - break; -#endif - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid family: %d\n", iph2->src->sa_family); - delph2(iph2); - return -1; - } - - /* add new entry to isakmp status table */ - insph2(iph2); - bindph12(iph1, iph2); - - plog(LLV_DEBUG, LOCATION, NULL, "===\n"); - { - char *a; - - a = strdup(saddr2str(iph2->src)); - plog(LLV_INFO, LOCATION, NULL, - "respond new phase 2 negotiation: %s<=>%s\n", - a, saddr2str(iph2->dst)); - racoon_free(a); - } - -#ifdef ENABLE_STATS - gettimeofday(&start, NULL); -#endif - - error = (ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)] - [iph2->side] - [iph2->status])(iph2, msg); - if (error != 0) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "failed to pre-process packet.\n"); - if (error != ISAKMP_INTERNAL_ERROR) - isakmp_info_send_n1(iph2->ph1, error, NULL); - /* - * release handler because it's wrong that ph2handle is kept - * after failed to check message for responder's. - */ - unbindph12(iph2); - remph2(iph2); - delph2(iph2); - return -1; - } - - /* send */ - plog(LLV_DEBUG, LOCATION, NULL, "===\n"); - if ((ph2exchange[etypesw2(isakmp->etype)] - [iph2->side] - [iph2->status])(iph2, msg) < 0) { - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, - "failed to process packet.\n"); - /* don't release handler */ - return -1; - } -#ifdef ENABLE_STATS - gettimeofday(&end, NULL); - syslog(LOG_NOTICE, "%s(%s): %8.6f", - "phase2", - s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status), - timedelta(&start, &end)); -#endif - - return 0; -} - -/* - * parse ISAKMP payloads, without ISAKMP base header. 
- */ -vchar_t * -isakmp_parsewoh(np0, gen, len) - int np0; - struct isakmp_gen *gen; - int len; -{ - u_char np = np0 & 0xff; - int tlen, plen; - vchar_t *result; - struct isakmp_parse_t *p, *ep; - - plog(LLV_DEBUG, LOCATION, NULL, "begin.\n"); - - /* - * 5 is a magic number, but any value larger than 2 should be fine - * as we do vrealloc() in the following loop. - */ - result = vmalloc(sizeof(struct isakmp_parse_t) * 5); - if (result == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer.\n"); - return NULL; - } - p = (struct isakmp_parse_t *)result->v; - ep = (struct isakmp_parse_t *)(result->v + result->l - sizeof(*ep)); - - tlen = len; - - /* parse through general headers */ - while (0 < tlen && np != ISAKMP_NPTYPE_NONE) { - if (tlen <= sizeof(struct isakmp_gen)) { - /* don't send information, see isakmp_ident_r1() */ - plog(LLV_ERROR, LOCATION, NULL, - "invalid length of payload\n"); - vfree(result); - return NULL; - } - - plog(LLV_DEBUG, LOCATION, NULL, - "seen nptype=%u(%s)\n", np, s_isakmp_nptype(np)); - - p->type = np; - p->len = ntohs(gen->len); - if (p->len < sizeof(struct isakmp_gen) || p->len > tlen) { - plog(LLV_DEBUG, LOCATION, NULL, - "invalid length of payload\n"); - vfree(result); - return NULL; - } - p->ptr = gen; - p++; - if (ep <= p) { - int off; - - off = p - (struct isakmp_parse_t *)result->v; - result = vrealloc(result, result->l * 2); - if (result == NULL) { - plog(LLV_DEBUG, LOCATION, NULL, - "failed to realloc buffer.\n"); - vfree(result); - return NULL; - } - ep = (struct isakmp_parse_t *) - (result->v + result->l - sizeof(*ep)); - p = (struct isakmp_parse_t *)result->v; - p += off; - } - - np = gen->np; - plen = ntohs(gen->len); - gen = (struct isakmp_gen *)((caddr_t)gen + plen); - tlen -= plen; - } - p->type = ISAKMP_NPTYPE_NONE; - p->len = 0; - p->ptr = NULL; - - plog(LLV_DEBUG, LOCATION, NULL, "succeed.\n"); - - return result; -} - -/* - * parse ISAKMP payloads, including ISAKMP base header. 
- */ -vchar_t * -isakmp_parse(buf) - vchar_t *buf; -{ - struct isakmp *isakmp = (struct isakmp *)buf->v; - struct isakmp_gen *gen; - int tlen; - vchar_t *result; - u_char np; - - np = isakmp->np; - gen = (struct isakmp_gen *)(buf->v + sizeof(*isakmp)); - tlen = buf->l - sizeof(struct isakmp); - result = isakmp_parsewoh(np, gen, tlen); - - return result; -} - -/* %%% */ -int -isakmp_init() -{ - /* initialize a isakmp status table */ - initph1tree(); - initph2tree(); - initctdtree(); - init_recvdpkt(); - - if (isakmp_open() < 0) - goto err; - - return(0); - -err: - isakmp_close(); - return(-1); -} - -/* - * make strings containing i_cookie + r_cookie + msgid - */ -const char * -isakmp_pindex(index, msgid) - const isakmp_index *index; - const u_int32_t msgid; -{ - static char buf[64]; - const u_char *p; - int i, j; - - memset(buf, 0, sizeof(buf)); - - /* copy index */ - p = (const u_char *)index; - for (j = 0, i = 0; i < sizeof(isakmp_index); i++) { - snprintf((char *)&buf[j], sizeof(buf) - j, "%02x", p[i]); - j += 2; - switch (i) { - case 7: - buf[j++] = ':'; - } - } - - if (msgid == 0) - return buf; - - /* copy msgid */ - snprintf((char *)&buf[j], sizeof(buf) - j, ":%08x", ntohs(msgid)); - - return buf; -} - -/* open ISAKMP sockets. */ -int -isakmp_open() -{ - const int yes = 1; - int ifnum; -#ifdef INET6 - int pktinfo; -#endif - struct myaddrs *p; - - ifnum = 0; - for (p = lcconf->myaddrs; p; p = p->next) { - if (!p->addr) - continue; - - /* warn if wildcard address - should we forbid this? 
*/ - switch (p->addr->sa_family) { - case AF_INET: - if (((struct sockaddr_in *)p->addr)->sin_addr.s_addr == 0) - plog(LLV_WARNING, LOCATION, NULL, - "listening to wildcard address," - "broadcast IKE packet may kill you\n"); - break; -#ifdef INET6 - case AF_INET6: - if (IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6 *)p->addr)->sin6_addr)) - plog(LLV_WARNING, LOCATION, NULL, - "listening to wildcard address, " - "broadcast IKE packet may kill you\n"); - break; -#endif - default: - plog(LLV_ERROR, LOCATION, NULL, - "unsupported address family %d\n", - lcconf->default_af); - goto err_and_next; - } - - if ((p->sock = socket(p->addr->sa_family, SOCK_DGRAM, 0)) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "socket (%s)\n", strerror(errno)); - goto err_and_next; - } - - /* receive my interface address on inbound packets. */ - switch (p->addr->sa_family) { - case AF_INET: - if (setsockopt(p->sock, IPPROTO_IP, IP_RECVDSTADDR, - (const void *)&yes, sizeof(yes)) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "setsockopt (%s)\n", strerror(errno)); - goto err_and_next; - } - break; -#ifdef INET6 - case AF_INET6: -#ifdef ADVAPI -#ifdef IPV6_RECVPKTINFO - pktinfo = IPV6_RECVPKTINFO; -#else /* old adv. 
API */ - pktinfo = IPV6_PKTINFO; -#endif /* IPV6_RECVPKTINFO */ -#else - pktinfo = IPV6_RECVDSTADDR; -#endif - if (setsockopt(p->sock, IPPROTO_IPV6, pktinfo, - (const void *)&yes, sizeof(yes)) < 0) - { - plog(LLV_ERROR, LOCATION, NULL, - "setsockopt(%d): %s\n", - pktinfo, strerror(errno)); - goto err_and_next; - } - break; -#endif - } - -#ifdef IPV6_USE_MIN_MTU - if (p->addr->sa_family == AF_INET6 && - setsockopt(p->sock, IPPROTO_IPV6, IPV6_USE_MIN_MTU, - (void *)&yes, sizeof(yes)) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "setsockopt (%s)\n", strerror(errno)); - return -1; - } -#endif - - if (setsockopt_bypass(p->sock, p->addr->sa_family) < 0) - goto err_and_next; - - if (bind(p->sock, p->addr, p->addr->sa_len) < 0) { - plog(LLV_ERROR, LOCATION, p->addr, - "failed to bind (%s).\n", strerror(errno)); - close(p->sock); - goto err_and_next; - } - - ifnum++; - - plog(LLV_INFO, LOCATION, NULL, - "%s used as isakmp port (fd=%d)\n", - saddr2str(p->addr), p->sock); - - continue; - - err_and_next: - racoon_free(p->addr); - p->addr = NULL; - if (! 
lcconf->autograbaddr && lcconf->strict_address) - return -1; - continue; - } - - if (!ifnum) { - plog(LLV_ERROR, LOCATION, NULL, - "no address could be bound.\n"); - return -1; - } - - return 0; -} - -void -isakmp_close() -{ - struct myaddrs *p, *next; - - for (p = lcconf->myaddrs; p; p = next) { - next = p->next; - - if (!p->addr) { - racoon_free(p); - continue; - } - close(p->sock); - racoon_free(p->addr); - racoon_free(p); - } - - lcconf->myaddrs = NULL; -} - -int -isakmp_send(iph1, sbuf) - struct ph1handle *iph1; - vchar_t *sbuf; -{ - int len = 0; - int s; - - /* select the socket to be sent */ - s = getsockmyaddr(iph1->local); - if (s == -1) - return -1; - - len = sendfromto(s, sbuf->v, sbuf->l, - iph1->local, iph1->remote, lcconf->count_persend); - if (len == -1) { - plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n"); - return -1; - } - - return 0; -} - -/* called from scheduler */ -void -isakmp_ph1resend_stub(p) - void *p; -{ - (void)isakmp_ph1resend((struct ph1handle *)p); -} - -int -isakmp_ph1resend(iph1) - struct ph1handle *iph1; -{ - if (iph1->retry_counter < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "phase1 negotiation failed due to time up. %s\n", - isakmp_pindex(&iph1->index, iph1->msgid)); - - remph1(iph1); - delph1(iph1); - return -1; - } - - if (isakmp_send(iph1, iph1->sendbuf) < 0) - return -1; - - plog(LLV_DEBUG, LOCATION, NULL, - "resend phase1 packet %s\n", - isakmp_pindex(&iph1->index, iph1->msgid)); - - iph1->retry_counter--; - - iph1->scr = sched_new(iph1->rmconf->retry_interval, - isakmp_ph1resend_stub, iph1); - - return 0; -} - -/* called from scheduler */ -void -isakmp_ph2resend_stub(p) - void *p; -{ - - (void)isakmp_ph2resend((struct ph2handle *)p); -} - -int -isakmp_ph2resend(iph2) - struct ph2handle *iph2; -{ - if (iph2->retry_counter < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "phase2 negotiation failed due to time up. 
%s\n", - isakmp_pindex(&iph2->ph1->index, iph2->msgid)); - unbindph12(iph2); - remph2(iph2); - delph2(iph2); - return -1; - } - - if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) - return -1; - - plog(LLV_DEBUG, LOCATION, NULL, - "resend phase2 packet %s\n", - isakmp_pindex(&iph2->ph1->index, iph2->msgid)); - - iph2->retry_counter--; - - iph2->scr = sched_new(iph2->ph1->rmconf->retry_interval, - isakmp_ph2resend_stub, iph2); - - return 0; -} - -/* called from scheduler */ -void -isakmp_ph1expire_stub(p) - void *p; -{ - - isakmp_ph1expire((struct ph1handle *)p); -} - -void -isakmp_ph1expire(iph1) - struct ph1handle *iph1; -{ - char *src, *dst; - - src = strdup(saddr2str(iph1->local)); - dst = strdup(saddr2str(iph1->remote)); - plog(LLV_INFO, LOCATION, NULL, - "ISAKMP-SA expired %s-%s spi:%s\n", - src, dst, - isakmp_pindex(&iph1->index, 0)); - racoon_free(src); - racoon_free(dst); - - SCHED_KILL(iph1->sce); - - iph1->status = PHASE1ST_EXPIRED; - - /* - * the phase1 deletion is postponed until there is no phase2. - */ - if (LIST_FIRST(&iph1->ph2tree) != NULL) { - iph1->sce = sched_new(1, isakmp_ph1expire_stub, iph1); - return; - } - - iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1); -} - -/* called from scheduler */ -void -isakmp_ph1delete_stub(p) - void *p; -{ - - isakmp_ph1delete((struct ph1handle *)p); -} - -void -isakmp_ph1delete(iph1) - struct ph1handle *iph1; -{ - char *src, *dst; - - SCHED_KILL(iph1->sce); - - if (LIST_FIRST(&iph1->ph2tree) != NULL) { - iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1); - return; - } - - /* don't re-negosiation when the phase 1 SA expires. */ - - src = strdup(saddr2str(iph1->local)); - dst = strdup(saddr2str(iph1->remote)); - plog(LLV_INFO, LOCATION, NULL, - "ISAKMP-SA deleted %s-%s spi:%s\n", - src, dst, isakmp_pindex(&iph1->index, 0)); - racoon_free(src); - racoon_free(dst); - - remph1(iph1); - delph1(iph1); - - return; -} - -/* called from scheduler. - * this function will call only isakmp_ph2delete(). 
- * phase 2 handler remain forever if kernel doesn't cry a expire of phase 2 SA - * by something cause. That's why this function is called after phase 2 SA - * expires in the userland. - */ -void -isakmp_ph2expire_stub(p) - void *p; -{ - - isakmp_ph2expire((struct ph2handle *)p); -} - -void -isakmp_ph2expire(iph2) - struct ph2handle *iph2; -{ - char *src, *dst; - - SCHED_KILL(iph2->sce); - - src = strdup(saddrwop2str(iph2->src)); - dst = strdup(saddrwop2str(iph2->dst)); - plog(LLV_INFO, LOCATION, NULL, - "phase2 sa expired %s-%s\n", src, dst); - racoon_free(src); - racoon_free(dst); - - iph2->status = PHASE2ST_EXPIRED; - - iph2->sce = sched_new(1, isakmp_ph2delete_stub, iph2); - - return; -} - -/* called from scheduler */ -void -isakmp_ph2delete_stub(p) - void *p; -{ - - isakmp_ph2delete((struct ph2handle *)p); -} - -void -isakmp_ph2delete(iph2) - struct ph2handle *iph2; -{ - char *src, *dst; - - SCHED_KILL(iph2->sce); - - src = strdup(saddrwop2str(iph2->src)); - dst = strdup(saddrwop2str(iph2->dst)); - plog(LLV_INFO, LOCATION, NULL, - "phase2 sa deleted %s-%s\n", src, dst); - racoon_free(src); - racoon_free(dst); - - unbindph12(iph2); - remph2(iph2); - delph2(iph2); - - return; -} - -/* %%% - * Interface between PF_KEYv2 and ISAKMP - */ -/* - * receive ACQUIRE from kernel, and begin either phase1 or phase2. - * if phase1 has been finished, begin phase2. - */ -int -isakmp_post_acquire(iph2) - struct ph2handle *iph2; -{ - struct remoteconf *rmconf; - struct ph1handle *iph1 = NULL; - - /* search appropreate configuration with masking port. 
*/ - rmconf = getrmconf(iph2->dst); - if (rmconf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "no configuration found for %s.\n", - saddrwop2str(iph2->dst)); - return -1; - } - - /* if passive mode, ignore the acquire message */ - if (rmconf->passive) { - plog(LLV_DEBUG, LOCATION, NULL, - "because of passive mode, " - "ignore the acquire message for %s.\n", - saddrwop2str(iph2->dst)); - return 0; - } - - /* search isakmp status table by address with masking port */ - iph1 = getph1byaddr(iph2->src, iph2->dst); - - /* no ISAKMP-SA found. */ - if (iph1 == NULL) { - struct sched *sc; - - iph2->retry_checkph1 = lcconf->retry_checkph1; - sc = sched_new(1, isakmp_chkph1there_stub, iph2); - plog(LLV_INFO, LOCATION, NULL, - "IPsec-SA request for %s queued " - "due to no phase1 found.\n", - saddrwop2str(iph2->dst)); - - /* start phase 1 negotiation as a initiator. */ - if (isakmp_ph1begin_i(rmconf, iph2->dst, iph2->src) < 0) { - SCHED_KILL(sc); - return -1; - } - - return 0; - /*NOTREACHED*/ - } - - /* found ISAKMP-SA, but on negotiation. */ - if (iph1->status != PHASE1ST_ESTABLISHED) { - iph2->retry_checkph1 = lcconf->retry_checkph1; - sched_new(1, isakmp_chkph1there_stub, iph2); - plog(LLV_INFO, LOCATION, iph2->dst, - "request for establishing IPsec-SA was queued " - "due to no phase1 found.\n"); - return 0; - /*NOTREACHED*/ - } - - /* found established ISAKMP-SA */ - /* i.e. iph1->status == PHASE1ST_ESTABLISHED */ - - /* found ISAKMP-SA. */ - plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n"); - - /* begin quick mode */ - if (isakmp_ph2begin_i(iph1, iph2)) - return -1; - - return 0; -} - -/* - * receive GETSPI from kernel. - */ -int -isakmp_post_getspi(iph2) - struct ph2handle *iph2; -{ -#ifdef ENABLE_STATS - struct timeval start, end; -#endif - - /* don't process it because there is no suitable phase1-sa. 
- */
- if (iph2->ph1->status == PHASE1ST_EXPIRED) {
- plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
- "the negotiation is stopped, "
- "because there is no suitable ISAKMP-SA.\n");
- return -1;
- }
-
-#ifdef ENABLE_STATS
- gettimeofday(&start, NULL);
-#endif
- if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
- [iph2->side]
- [iph2->status])(iph2, NULL) != 0)
- return -1;
-#ifdef ENABLE_STATS
- gettimeofday(&end, NULL);
- syslog(LOG_NOTICE, "%s(%s): %8.6f",
- "phase2",
- s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
- timedelta(&start, &end));
-#endif
-
- return 0;
-}
-
-/* called by scheduler */
-void
-isakmp_chkph1there_stub(p)
- void *p;
-{
- isakmp_chkph1there((struct ph2handle *)p);
-}
-
-void
-isakmp_chkph1there(iph2)
- struct ph2handle *iph2;
-{
- struct ph1handle *iph1;
-
- iph2->retry_checkph1--;
- if (iph2->retry_checkph1 < 0) {
- plog(LLV_ERROR, LOCATION, iph2->dst,
- "phase2 negotiation failed "
- "due to time up waiting for phase1. %s\n",
- sadbsecas2str(iph2->dst, iph2->src,
- iph2->satype, 0, 0));
- plog(LLV_INFO, LOCATION, NULL,
- "delete phase 2 handler.\n");
-
- /* send acquire to kernel as error */
- pk_sendeacquire(iph2);
-
- unbindph12(iph2);
- remph2(iph2);
- delph2(iph2);
-
- return;
- }
-
- iph1 = getph1byaddr(iph2->src, iph2->dst);
-
- /* XXX Even if ph1 as responder is there, should we not start
- * phase 2 negotiation ? */
- if (iph1 != NULL
- && iph1->status == PHASE1ST_ESTABLISHED) {
- /* found isakmp-sa */
- /* begin quick mode */
- (void)isakmp_ph2begin_i(iph1, iph2);
- return;
- }
-
- /* no isakmp-sa found */
- sched_new(1, isakmp_chkph1there_stub, iph2);
-
- return;
-}
-
-/* copy variable data into ALLOCATED buffer. 
- */
-caddr_t
-isakmp_set_attr_v(buf, type, val, len)
- caddr_t buf;
- int type;
- caddr_t val;
- int len;
-{
- struct isakmp_data *data;
-
- data = (struct isakmp_data *)buf;
- data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV);
- data->lorv = htons((u_int16_t)len);
- memcpy(data + 1, val, len);
-
- return buf + sizeof(*data) + len;
-}
-
-/* copy fixed length data into ALLOCATED buffer. */
-caddr_t
-isakmp_set_attr_l(buf, type, val)
- caddr_t buf;
- int type;
- u_int32_t val;
-{
- struct isakmp_data *data;
-
- data = (struct isakmp_data *)buf;
- data->type = htons((u_int16_t)type | ISAKMP_GEN_TV);
- data->lorv = htons((u_int16_t)val);
-
- return buf + sizeof(*data);
-}
-
-/* add a variable data attribute to the buffer by reallocating it. */
-vchar_t *
-isakmp_add_attr_v(buf0, type, val, len)
- vchar_t *buf0;
- int type;
- caddr_t val;
- int len;
-{
- vchar_t *buf = NULL;
- struct isakmp_data *data;
- int tlen;
- int oldlen = 0;
-
- tlen = sizeof(*data) + len;
-
- if (buf0) {
- oldlen = buf0->l;
- buf = vrealloc(buf0, oldlen + tlen);
- } else
- buf = vmalloc(tlen);
- if (!buf) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get a attribute buffer.\n");
- return NULL;
- }
-
- data = (struct isakmp_data *)(buf->v + oldlen);
- data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV);
- data->lorv = htons((u_int16_t)len);
- memcpy(data + 1, val, len);
-
- return buf;
-}
-
-/* add a fixed data attribute to the buffer by reallocating it. 
- */
-vchar_t *
-isakmp_add_attr_l(buf0, type, val)
- vchar_t *buf0;
- int type;
- u_int32_t val;
-{
- vchar_t *buf = NULL;
- struct isakmp_data *data;
- int tlen;
- int oldlen = 0;
-
- tlen = sizeof(*data);
-
- if (buf0) {
- oldlen = buf0->l;
- buf = vrealloc(buf0, oldlen + tlen);
- } else
- buf = vmalloc(tlen);
- if (!buf) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get a attribute buffer.\n");
- return NULL;
- }
-
- data = (struct isakmp_data *)(buf->v + oldlen);
- data->type = htons((u_int16_t)type | ISAKMP_GEN_TV);
- data->lorv = htons((u_int16_t)val);
-
- return buf;
-}
-
-/*
- * calculate cookie and set.
- */
-int
-isakmp_newcookie(place, remote, local)
- caddr_t place;
- struct sockaddr *remote;
- struct sockaddr *local;
-{
- vchar_t *buf = NULL, *buf2 = NULL;
- char *p;
- int blen;
- int alen;
- caddr_t sa1, sa2;
- time_t t;
- int error = -1;
- u_short port;
-
-
- if (remote->sa_family != local->sa_family) {
- plog(LLV_ERROR, LOCATION, NULL,
- "address family mismatch, remote:%d local:%d\n",
- remote->sa_family, local->sa_family);
- goto end;
- }
- switch (remote->sa_family) {
- case AF_INET:
- alen = sizeof(struct in_addr);
- sa1 = (caddr_t)&((struct sockaddr_in *)remote)->sin_addr;
- sa2 = (caddr_t)&((struct sockaddr_in *)local)->sin_addr;
- break;
-#ifdef INET6
- case AF_INET6:
- alen = sizeof(struct in_addr);
- sa1 = (caddr_t)&((struct sockaddr_in6 *)remote)->sin6_addr;
- sa2 = (caddr_t)&((struct sockaddr_in6 *)local)->sin6_addr;
- break;
-#endif
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid family: %d\n", remote->sa_family);
- goto end;
- }
- blen = (alen + sizeof(u_short)) * 2
- + sizeof(time_t) + lcconf->secret_size;
- buf = vmalloc(blen);
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get a cookie.\n");
- goto end;
- }
- p = buf->v;
-
- /* copy my address */
- memcpy(p, sa1, alen);
- p += alen;
- port = ((struct sockaddr_in *)remote)->sin_port;
- memcpy(p, &port, sizeof(u_short));
- p += sizeof(u_short);
-
- /* 
copy target address */ - memcpy(p, sa2, alen); - p += alen; - port = ((struct sockaddr_in *)local)->sin_port; - memcpy(p, &port, sizeof(u_short)); - p += sizeof(u_short); - - /* copy time */ - t = time(0); - memcpy(p, (caddr_t)&t, sizeof(t)); - p += sizeof(t); - - /* copy random value */ - buf2 = eay_set_random(lcconf->secret_size); - if (buf2 == NULL) - goto end; - memcpy(p, buf2->v, lcconf->secret_size); - p += lcconf->secret_size; - vfree(buf2); - - buf2 = eay_sha1_one(buf); - memcpy(place, buf2->v, sizeof(cookie_t)); - - sa1 = val2str(place, sizeof (cookie_t)); - plog(LLV_DEBUG, LOCATION, NULL, "new cookie:\n%s\n", sa1); - racoon_free(sa1); - - error = 0; -end: - if (buf != NULL) - vfree(buf); - if (buf2 != NULL) - vfree(buf2); - return error; -} - -/* - * save partner's(payload) data into phhandle. - */ -int -isakmp_p2ph(buf, gen) - vchar_t **buf; - struct isakmp_gen *gen; -{ - /* XXX to be checked in each functions for logging. */ - if (*buf) { - plog(LLV_WARNING, LOCATION, NULL, - "ignore this payload, same payload type exist.\n"); - return -1; - } - - *buf = vmalloc(ntohs(gen->len) - sizeof(*gen)); - if (*buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer.\n"); - return -1; - } - memcpy((*buf)->v, gen + 1, (*buf)->l); - - return 0; -} - -u_int32_t -isakmp_newmsgid2(iph1) - struct ph1handle *iph1; -{ - u_int32_t msgid2; - - do { - msgid2 = arc4random(); - } while (getph2bymsgid(iph1, msgid2)); - - return msgid2; -} - -/* - * set values into allocated buffer of isakmp header for phase 1 - */ -struct isakmp_construct -set_isakmp_header(vbuf, iph1) - vchar_t *vbuf; - struct ph1handle *iph1; -{ - struct isakmp *isakmp; - struct isakmp_construct res; - - res.buff=NULL; - res.np=NULL; - - if (vbuf->l < sizeof(*isakmp)) - return res; - - isakmp = (struct isakmp *)vbuf->v; - memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(cookie_t)); - memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(cookie_t)); - isakmp->np = ISAKMP_NPTYPE_NONE ; - isakmp->v = 
iph1->version; - isakmp->etype = iph1->etype; - isakmp->flags = iph1->flags; - isakmp->msgid = iph1->msgid; - isakmp->len = htonl(vbuf->l); - - res.np=&(isakmp->np); - res.buff=vbuf->v + sizeof(*isakmp); - - return res; -} - -/* - * set values into allocated buffer of isakmp header for phase 2 - */ -caddr_t -set_isakmp_header2(vbuf, iph2, nptype) - vchar_t *vbuf; - struct ph2handle *iph2; - int nptype; -{ - struct isakmp *isakmp; - - if (vbuf->l < sizeof(*isakmp)) - return NULL; - - isakmp = (struct isakmp *)vbuf->v; - memcpy(&isakmp->i_ck, &iph2->ph1->index.i_ck, sizeof(cookie_t)); - memcpy(&isakmp->r_ck, &iph2->ph1->index.r_ck, sizeof(cookie_t)); - isakmp->np = nptype; - isakmp->v = iph2->ph1->version; - isakmp->etype = ISAKMP_ETYPE_QUICK; - isakmp->flags = iph2->flags; - memcpy(&isakmp->msgid, &iph2->msgid, sizeof(isakmp->msgid)); - isakmp->len = htonl(vbuf->l); - - return vbuf->v + sizeof(*isakmp); -} - - -/* - * set values into allocated buffer of isakmp payload. - */ -struct isakmp_construct -set_isakmp_payload_c(constr, src, nptype) - struct isakmp_construct constr; - vchar_t *src; - int nptype; -{ - struct isakmp_gen *gen; - caddr_t p = constr.buff; - - plog(LLV_DEBUG, LOCATION, NULL, "add payload of len %d, next type %d\n", - src->l, nptype); - - *constr.np=nptype; - gen = (struct isakmp_gen *)p; - gen->np = ISAKMP_NPTYPE_NONE ; - gen->len = htons(sizeof(*gen) + src->l); - p += sizeof(*gen); - memcpy(p, src->v, src->l); - p += src->l; - - constr.np=&(gen->np); - constr.buff=p; - - return constr; -} - -/* - * set values into allocated buffer of isakmp payload. 
- */ -caddr_t -set_isakmp_payload(buf, src, nptype) - caddr_t buf; - vchar_t *src; - int nptype; -{ - struct isakmp_gen *gen; - caddr_t p = buf; - - plog(LLV_DEBUG, LOCATION, NULL, "add payload of len %d, next type %d\n", - src->l, nptype); - - gen = (struct isakmp_gen *)p; - gen->np = nptype; - gen->len = htons(sizeof(*gen) + src->l); - p += sizeof(*gen); - memcpy(p, src->v, src->l); - p += src->l; - - return p; -} - - -static int -etypesw1(etype) - int etype; -{ - switch (etype) { - case ISAKMP_ETYPE_IDENT: - return 1; - case ISAKMP_ETYPE_AGG: - return 2; - case ISAKMP_ETYPE_BASE: - return 3; - default: - return 0; - } - /*NOTREACHED*/ -} - -static int -etypesw2(etype) - int etype; -{ - switch (etype) { - case ISAKMP_ETYPE_QUICK: - return 1; - default: - return 0; - } - /*NOTREACHED*/ -} - -#ifdef HAVE_PRINT_ISAKMP_C -/* for print-isakmp.c */ -char *snapend; -extern void isakmp_print __P((const u_char *, u_int, const u_char *)); - -char *getname __P((const u_char *)); -#ifdef INET6 -char *getname6 __P((const u_char *)); -#endif -int safeputchar __P((int)); - -/* - * Return a name for the IP address pointed to by ap. This address - * is assumed to be in network byte order. - */ -char * -getname(ap) - const u_char *ap; -{ - struct sockaddr_in addr; - static char ntop_buf[NI_MAXHOST]; - - memset(&addr, 0, sizeof(addr)); - addr.sin_len = sizeof(struct sockaddr_in); - addr.sin_family = AF_INET; - memcpy(&addr.sin_addr, ap, sizeof(addr.sin_addr)); - if (getnameinfo((struct sockaddr *)&addr, addr.sin_len, - ntop_buf, sizeof(ntop_buf), NULL, 0, - NI_NUMERICHOST | niflags)) - strlcpy(ntop_buf, "?", sizeof(ntop_buf)); - - return ntop_buf; -} - -#ifdef INET6 -/* - * Return a name for the IP6 address pointed to by ap. This address - * is assumed to be in network byte order. 
- */ -char * -getname6(ap) - const u_char *ap; -{ - struct sockaddr_in6 addr; - static char ntop_buf[NI_MAXHOST]; - - memset(&addr, 0, sizeof(addr)); - addr.sin6_len = sizeof(struct sockaddr_in6); - addr.sin6_family = AF_INET6; - memcpy(&addr.sin6_addr, ap, sizeof(addr.sin6_addr)); - if (getnameinfo((struct sockaddr *)&addr, addr.sin6_len, - ntop_buf, sizeof(ntop_buf), NULL, 0, - NI_NUMERICHOST | niflags)) - strlcpy(ntop_buf, "?", sizeof(ntop_buf)); - - return ntop_buf; -} -#endif /* INET6 */ - -int -safeputchar(c) - int c; -{ - unsigned char ch; - - ch = (unsigned char)(c & 0xff); - if (c < 0x80 && isprint(c)) - return printf("%c", c & 0xff); - else - return printf("\\%03o", c & 0xff); -} - -void -isakmp_printpacket(msg, from, my, decoded) - vchar_t *msg; - struct sockaddr *from; - struct sockaddr *my; - int decoded; -{ -#ifdef YIPS_DEBUG - struct timeval tv; - int s; - char hostbuf[NI_MAXHOST]; - char portbuf[NI_MAXSERV]; - struct isakmp *isakmp; - vchar_t *buf; -#endif - - if (loglevel < LLV_DEBUG) - return; - -#ifdef YIPS_DEBUG - plog(LLV_DEBUG, LOCATION, NULL, "begin.\n"); - - gettimeofday(&tv, NULL); - s = tv.tv_sec % 3600; - printf("%02d:%02d.%06u ", s / 60, s % 60, (u_int32_t)tv.tv_usec); - - if (from) { - if (getnameinfo(from, from->sa_len, hostbuf, sizeof(hostbuf), - portbuf, sizeof(portbuf), - NI_NUMERICHOST | NI_NUMERICSERV | niflags)) { - strlcpy(hostbuf, "?", sizeof(hostbuf)); - strlcpy(portbuf, "?", sizeof(portbuf)); - } - printf("%s:%s", hostbuf, portbuf); - } else - printf("?"); - printf(" -> "); - if (my) { - if (getnameinfo(my, my->sa_len, hostbuf, sizeof(hostbuf), - portbuf, sizeof(portbuf), - NI_NUMERICHOST | NI_NUMERICSERV | niflags)) { - strlcpy(hostbuf, "?", sizeof(hostbuf)); - strlcpy(portbuf, "?", sizeof(portbuf)); - } - printf("%s:%s", hostbuf, portbuf); - } else - printf("?"); - printf(": "); - - buf = vdup(msg); - if (!buf) { - printf("(malloc fail)\n"); - return; - } - if (decoded) { - isakmp = (struct isakmp *)buf->v; - if 
(isakmp->flags & ISAKMP_FLAG_E) { -#if 0 - int pad; - pad = *(u_char *)(buf->v + buf->l - 1); - if (buf->l < pad && 2 < vflag) - printf("(wrong padding)"); -#endif - isakmp->flags &= ~ISAKMP_FLAG_E; - } - } - - snapend = buf->v + buf->l; - isakmp_print(buf->v, buf->l, NULL); - vfree(buf); - printf("\n"); - fflush(stdout); - - return; -#endif -} -#endif /*HAVE_PRINT_ISAKMP_C*/ - -int -copy_ph1addresses(iph1, rmconf, remote, local) - struct ph1handle *iph1; - struct remoteconf *rmconf; - struct sockaddr *remote, *local; -{ - u_short *port = NULL; - - /* address portion must be grabbed from real remote address "remote" */ - iph1->remote = dupsaddr(remote); - if (iph1->remote == NULL) { - delph1(iph1); - return -1; - } - - /* - * if remote has no port # (in case of initiator - from ACQUIRE msg) - * - if remote.conf specifies port #, use that - * - if remote.conf does not, use 500 - * if remote has port # (in case of responder - from recvfrom(2)) - * respect content of "remote". - */ - switch (iph1->remote->sa_family) { - case AF_INET: - port = &((struct sockaddr_in *)iph1->remote)->sin_port; - if (*port) - break; - *port = ((struct sockaddr_in *)rmconf->remote)->sin_port; - if (*port) - break; - *port = htons(PORT_ISAKMP); - break; -#ifdef INET6 - case AF_INET6: - port = &((struct sockaddr_in6 *)iph1->remote)->sin6_port; - if (*port) - break; - *port = ((struct sockaddr_in6 *)rmconf->remote)->sin6_port; - if (*port) - break; - *port = htons(PORT_ISAKMP); - break; -#endif - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid family: %d\n", iph1->remote->sa_family); - return -1; - } - - if (local == NULL) - iph1->local = getlocaladdr(iph1->remote); - else - iph1->local = dupsaddr(local); - if (iph1->local == NULL) { - delph1(iph1); - return -1; - } - switch (iph1->local->sa_family) { - case AF_INET: - ((struct sockaddr_in *)iph1->local)->sin_port - = getmyaddrsport(iph1->local); - break; -#ifdef INET6 - case AF_INET6: - ((struct sockaddr_in6 *)iph1->local)->sin6_port - 
= getmyaddrsport(iph1->local); - break; -#endif - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid family: %d\n", iph1->remote->sa_family); - delph1(iph1); - return -1; - } - - return 0; -} - -static int -nostate1(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - plog(LLV_ERROR, LOCATION, iph1->remote, "wrong state %u.\n", - iph1->status); - return -1; -} - -static int -nostate2(iph2, msg) - struct ph2handle *iph2; - vchar_t *msg; -{ - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, "wrong state %u.\n", - iph2->status); - return -1; -} - -void -log_ph1established(iph1) - const struct ph1handle *iph1; -{ - char *src, *dst; - - src = strdup(saddr2str(iph1->local)); - dst = strdup(saddr2str(iph1->remote)); - plog(LLV_INFO, LOCATION, NULL, - "ISAKMP-SA established %s-%s spi:%s\n", - src, dst, - isakmp_pindex(&iph1->index, 0)); - racoon_free(src); - racoon_free(dst); - - return; -} - diff --git a/kame/kame/racoon/isakmp.h b/kame/kame/racoon/isakmp.h deleted file mode 100644 index 6c11259dbd..0000000000 --- a/kame/kame/racoon/isakmp.h +++ /dev/null 
@@ -1,348 +0,0 @@
-/* $KAME: isakmp.h,v 1.19 2001/04/11 06:11:55 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* refer to RFC 2408 */
-
-/* must include first. */
-/* must include "isakmp_var.h" first. */
-
-#define INITIATOR 0 /* synonym sender */
-#define RESPONDER 1 /* synonym receiver */
-
-#define GENERATE 1
-#define VALIDATE 0
-
-/* 3.1 ISAKMP Header Format
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- ! Initiator !
- ! Cookie !
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- ! Responder !
- ! Cookie !
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- ! Message ID !
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- ! Length !
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-struct isakmp {
- cookie_t i_ck; /* Initiator Cookie */
- cookie_t r_ck; /* Responder Cookie */
- u_int8_t np; /* Next Payload Type */
- u_int8_t v;
- u_int8_t etype; /* Exchange Type */
- u_int8_t flags; /* Flags */
- u_int32_t msgid;
- u_int32_t len; /* Length */
-} __attribute__((__packed__));
-
-/* Next Payload Type */
-#define ISAKMP_NPTYPE_NONE 0 /* NONE*/
-#define ISAKMP_NPTYPE_SA 1 /* Security Association */
-#define ISAKMP_NPTYPE_P 2 /* Proposal */
-#define ISAKMP_NPTYPE_T 3 /* Transform */
-#define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
-#define ISAKMP_NPTYPE_ID 5 /* Identification */
-#define ISAKMP_NPTYPE_CERT 6 /* Certificate */
-#define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
-#define ISAKMP_NPTYPE_HASH 8 /* Hash */
-#define ISAKMP_NPTYPE_SIG 9 /* Signature */
-#define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
-#define ISAKMP_NPTYPE_N 11 /* Notification */
-#define ISAKMP_NPTYPE_D 12 /* Delete */
-#define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
-#define ISAKMP_NPTYPE_MAX 14
- /* 128 - 255 Private Use */
-
-/*
- * The following are valid when the Vendor ID is one of the
- * following:
- *
- * MD5("A GSS-API Authentication Method for IKE")
- * MD5("GSSAPI") (recognized by Windows 2000)
- * MD5("MS NT5 ISAKMPOAKLEY") (sent by Windows 2000)
- *
- * See draft-ietf-ipsec-isakmp-gss-auth-06.txt.
- */
-#define ISAKMP_NPTYPE_GSS 129 /* GSS token */
-
-#define ISAKMP_MAJOR_VERSION 1
-#define ISAKMP_MINOR_VERSION 0
-#define ISAKMP_VERSION_NUMBER 0x10
-#define ISAKMP_GETMAJORV(v) (((v) & 0xf0) >> 4)
-#define ISAKMP_SETMAJORV(v, m) ((v) = ((v) & 0x0f) | (((m) << 4) & 0xf0))
-#define ISAKMP_GETMINORV(v) ((v) & 0x0f)
-#define ISAKMP_SETMINORV(v, m) ((v) = ((v) & 0xf0) | ((m) & 0x0f))
-
-/* Exchange Type */
-#define ISAKMP_ETYPE_NONE 0 /* NONE */
-#define ISAKMP_ETYPE_BASE 1 /* Base */
-#define ISAKMP_ETYPE_IDENT 2 /* Identity Proteciton */
-#define ISAKMP_ETYPE_AUTH 3 /* Authentication Only */
-#define ISAKMP_ETYPE_AGG 4 /* Aggressive */
-#define ISAKMP_ETYPE_INFO 5 /* Informational */
-/* Additional Exchange Type */
-#define ISAKMP_ETYPE_QUICK 32 /* Quick Mode */
-#define ISAKMP_ETYPE_NEWGRP 33 /* New group Mode */
-#define ISAKMP_ETYPE_ACKINFO 34 /* Acknowledged Informational */
-
-/* Flags */
-#define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
-#define ISAKMP_FLAG_C 0x02 /* Commit Bit */
-#define ISAKMP_FLAG_A 0x04 /* Authentication Only Bit */
-
-/* 3.2 Payload Generic Header
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- ! Next Payload ! RESERVED ! Payload Length !
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-struct isakmp_gen {
- u_int8_t np; /* Next Payload */
- u_int8_t reserved; /* RESERVED, unused, must set to 0 */
- u_int16_t len; /* Payload Length */
-} __attribute__((__packed__));
-
-/* 3.3 Data Attributes
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- !A! Attribute Type ! AF=0 Attribute Length !
- !F! ! AF=1 Attribute Value !
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- . AF=0 Attribute Value .
- . AF=1 Not Transmitted .
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-struct isakmp_data {
- u_int16_t type; /* defined by DOI-spec, and Attribute Format */
- u_int16_t lorv; /* if f equal 1, Attribute Length */
- /* if f equal 0, Attribute Value */
- /* if f equal 1, Attribute Value */
-} __attribute__((__packed__));
-#define ISAKMP_GEN_TLV 0x0000
-#define ISAKMP_GEN_TV 0x8000
- /* mask for type of attribute format */
-#define ISAKMP_GEN_MASK 0x8000
-
-#if 0
-/* MAY NOT be used, because of being defined in ipsec-doi. */
-/* 3.4 Security Association Payload */
-struct isakmp_pl_sa {
- struct isakmp_gen h;
- u_int32_t doi; /* Domain of Interpretation */
- u_int32_t sit; /* Situation */
-} __attribute__((__packed__));
-#endif
-
-/* 3.5 Proposal Payload */
- /*
- The value of the next payload field MUST only contain the value "2"
- or "0". If there are additional Proposal payloads in the message,
- then this field will be 2. If the current Proposal payload is the
- last within the security association proposal, then this field will
- be 0.
- */
-struct isakmp_pl_p {
- struct isakmp_gen h;
- u_int8_t p_no; /* Proposal # */
- u_int8_t proto_id; /* Protocol */
- u_int8_t spi_size; /* SPI Size */
- u_int8_t num_t; /* Number of Transforms */
- /* SPI */
-} __attribute__((__packed__));
-
-/* 3.6 Transform Payload */
- /*
- The value of the next payload field MUST only contain the value "3"
- or "0". If there are additional Transform payloads in the proposal,
- then this field will be 3. If the current Transform payload is the
- last within the proposal, then this field will be 0.
- */
-struct isakmp_pl_t {
- struct isakmp_gen h;
- u_int8_t t_no; /* Transform # */
- u_int8_t t_id; /* Transform-Id */
- u_int16_t reserved; /* RESERVED2 */
- /* SA Attributes */
-} __attribute__((__packed__));
-
-/* 3.7 Key Exchange Payload */
-struct isakmp_pl_ke {
- struct isakmp_gen h;
- /* Key Exchange Data */
-} __attribute__((__packed__));
-
-#if 0
-/* NOTE: MUST NOT use because of being defined in ipsec-doi instead them. */
-/* 3.8 Identification Payload */
-struct isakmp_pl_id {
- struct isakmp_gen h;
- union {
- u_int8_t id_type; /* ID Type */
- u_int32_t doi_data; /* DOI Specific ID Data */
- } d;
- /* Identification Data */
-} __attribute__((__packed__));
-/* A.4 ISAKMP Identification Type Values */
-#define ISAKMP_ID_IPV4_ADDR 0
-#define ISAKMP_ID_IPV4_ADDR_SUBNET 1
-#define ISAKMP_ID_IPV6_ADDR 2
-#define ISAKMP_ID_IPV6_ADDR_SUBNET 3
-#endif
-
-/* 3.9 Certificate Payload */
-struct isakmp_pl_cert {
- struct isakmp_gen h;
- /*
- * Encoding type of 1 octet follows immediately,
- * variable length CERT data follows encoding type.
- */
-} __attribute__((__packed__));
-
-/* Certificate Type */
-#define ISAKMP_CERT_NONE 0
-#define ISAKMP_CERT_PKCS7 1
-#define ISAKMP_CERT_PGP 2
-#define ISAKMP_CERT_DNS 3
-#define ISAKMP_CERT_X509SIGN 4
-#define ISAKMP_CERT_X509KE 5
-#define ISAKMP_CERT_KERBEROS 6
-#define ISAKMP_CERT_CRL 7
-#define ISAKMP_CERT_ARL 8
-#define ISAKMP_CERT_SPKI 9
-#define ISAKMP_CERT_X509ATTR 10
-
-/* the method to get peers certificate */
-#define ISAKMP_GETCERT_PAYLOAD 1
-#define ISAKMP_GETCERT_LOCALFILE 2
-#define ISAKMP_GETCERT_DNS 3
-
-/* 3.10 Certificate Request Payload */
-struct isakmp_pl_cr {
- struct isakmp_gen h;
- u_int8_t num_cert; /* # Cert. Types */
- /*
- Certificate Types (variable length)
- -- Contains a list of the types of certificates requested,
- sorted in order of preference. Each individual certificate
- type is 1 octet. This field is NOT required.
- */
- /* # Certificate Authorities (1 octet) */
- /* Certificate Authorities (variable length) */
-} __attribute__((__packed__));
-
-/* 3.11 Hash Payload */
-struct isakmp_pl_hash {
- struct isakmp_gen h;
- /* Hash Data */
-} __attribute__((__packed__));
-
-/* 3.12 Signature Payload */
-struct isakmp_pl_sig {
- struct isakmp_gen h;
- /* Signature Data */
-} __attribute__((__packed__));
-
-/* 3.13 Nonce Payload */
-struct isakmp_pl_nonce {
- struct isakmp_gen h;
- /* Nonce Data */
-} __attribute__((__packed__));
-
-/* 3.14 Notification Payload */
-struct isakmp_pl_n {
- struct isakmp_gen h;
- u_int32_t doi; /* Domain of Interpretation */
- u_int8_t proto_id; /* Protocol-ID */
- u_int8_t spi_size; /* SPI Size */
- u_int16_t type; /* Notify Message Type */
- /* SPI */
- /* Notification Data */
-} __attribute__((__packed__));
-
-/* 3.14.1 Notify Message Types */
-/* NOTIFY MESSAGES - ERROR TYPES */
-#define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
-#define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
-#define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
-#define ISAKMP_NTYPE_INVALID_COOKIE 4
-#define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
-#define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
-#define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
-#define ISAKMP_NTYPE_INVALID_FLAGS 8
-#define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
-#define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
-#define ISAKMP_NTYPE_INVALID_SPI 11
-#define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
-#define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
-#define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
-#define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
-#define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
-#define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
-#define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
-#define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
-#define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
-#define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
-#define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
-#define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
-#define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
-#define ISAKMP_NTYPE_INVALID_SIGNATURE 25
-#define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
-#define ISAKMP_NTYPE_NOTIFY_SA_LIFETIME 27
-#define ISAKMP_NTYPE_CERTIFICATE_UNAVAILABLE 28
-#define ISAKMP_NTYPE_UNSUPPORTED_EXCHANGE_TYPE 29
-#define ISAKMP_NTYPE_UNEQUAL_PAYLOAD_LENGTHS 30
-/* NOTIFY MESSAGES - STATUS TYPES */
-#define ISAKMP_NTYPE_CONNECTED 16384
-/* 4.6.3 IPSEC DOI Notify Message Types */
-#define ISAKMP_NTYPE_RESPONDER_LIFETIME 24576
-#define ISAKMP_NTYPE_REPLAY_STATUS 24577
-#define ISAKMP_NTYPE_INITIAL_CONTACT 24578
-
-/* using only to log */
-#define ISAKMP_LOG_RETRY_LIMIT_REACHED 65530
-
-/* XXX means internal error but it's not reserved by any drafts... */
-#define ISAKMP_INTERNAL_ERROR -1
-
-/* 3.15 Delete Payload */
-struct isakmp_pl_d {
- struct isakmp_gen h;
- u_int32_t doi; /* Domain of Interpretation */
- u_int8_t proto_id; /* Protocol-Id */
- u_int8_t spi_size; /* SPI Size */
- u_int16_t num_spi; /* # of SPIs */
- /* SPI(es) */
-} __attribute__((__packed__));
-
diff --git a/kame/kame/racoon/isakmp_agg.c b/kame/kame/racoon/isakmp_agg.c
deleted file mode 100644
index 740ea259af..0000000000
--- a/kame/kame/racoon/isakmp_agg.c
+++ /dev/null
@@ -1,1204 +0,0 @@
-/* $KAME: isakmp_agg.c,v 1.61 2004/09/10 03:50:24 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -/* Aggressive Exchange (Aggressive Mode) */ - -#include -#include - -#include -#include -#include -#include -#if TIME_WITH_SYS_TIME -# include -# include -#else -# if HAVE_SYS_TIME_H -# include -# else -# include -# endif -#endif - -#include "var.h" -#include "misc.h" -#include "vmbuf.h" -#include "plog.h" -#include "sockmisc.h" -#include "schedule.h" -#include "debug.h" - -#include "localconf.h" -#include "remoteconf.h" -#include "isakmp_var.h" -#include "isakmp.h" -#include "oakley.h" -#include "handler.h" -#include "ipsec_doi.h" -#include "crypto_openssl.h" -#include "pfkey.h" -#include "isakmp_agg.h" -#include "isakmp_inf.h" -#include "vendorid.h" -#include "strnames.h" - -#ifdef HAVE_GSSAPI -#include "auth_gssapi.h" -#endif - -/* - * begin Aggressive Mode as initiator. - */ -/* - * send to responder - * psk: HDR, SA, KE, Ni, IDi1 - * sig: HDR, SA, KE, Ni, IDi1 [, CR ] - * gssapi: HDR, SA, KE, Ni, IDi1, GSSi - * rsa: HDR, SA, [ HASH(1),] KE, Pubkey_r, Pubkey_r - * rev: HDR, SA, [ HASH(1),] Pubkey_r, Ke_i, - * Ke_i [, Ke_i ] - */ -int -agg_i1send(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; /* must be null */ -{ - struct isakmp_gen *gen; - struct isakmp_construct p; - int tlen; - int need_cr = 0; - vchar_t *cr = NULL, *gsstoken = NULL; - int error = -1; -#ifdef HAVE_GSSAPI - int len; -#endif - - /* validity check */ - if (msg != NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "msg has to be NULL in this function.\n"); - goto end; - } - if (iph1->status != PHASE1ST_START) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* create isakmp index */ - memset(&iph1->index, 0, sizeof(iph1->index)); - isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local); - - /* make ID payload into isakmp status */ - if (ipsecdoi_setid1(iph1) < 0) - goto end; - - /* create SA payload for my proposal */ - iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf->proposal); - if (iph1->sa == NULL) - goto end; - - /* 
consistency check of proposals */ - if (iph1->rmconf->dhgrp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "configuration failure about DH group.\n"); - goto end; - } - - /* generate DH public value */ - if (oakley_dh_generate(iph1->rmconf->dhgrp, - &iph1->dhpub, &iph1->dhpriv) < 0) - goto end; - - /* generate NONCE value */ - iph1->nonce = eay_set_random(iph1->rmconf->nonce_size); - if (iph1->nonce == NULL) - goto end; - -#ifdef HAVE_SIGNING_C - /* create CR if need */ - if (iph1->rmconf->send_cr - && oakley_needcr(iph1->rmconf->proposal->authmethod) - && iph1->rmconf->peerscertfile == NULL) { - need_cr = 1; - cr = oakley_getcr(iph1); - if (cr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get cr buffer.\n"); - goto end; - } - } -#endif - plog(LLV_DEBUG, LOCATION, NULL, "authmethod is %s\n", - s_oakley_attr_method(iph1->rmconf->proposal->authmethod)); - /* create buffer to send isakmp payload */ - tlen = sizeof(struct isakmp) - + sizeof(*gen) + iph1->sa->l - + sizeof(*gen) + iph1->dhpub->l - + sizeof(*gen) + iph1->nonce->l - + sizeof(*gen) + iph1->id->l; - if (need_cr) - tlen += sizeof(*gen) + cr->l; -#ifdef HAVE_GSSAPI - if (iph1->rmconf->proposal->authmethod == - OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) { - gssapi_get_itoken(iph1, &len); - tlen += sizeof (*gen) + len; - } -#endif - - iph1->sendbuf = vmalloc(tlen); - if (iph1->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to send.\n"); - goto end; - } - - /* set isakmp header */ - p = set_isakmp_header(iph1->sendbuf, iph1); - if (p.buff == NULL) - goto end; - - /* set SA payload to propose */ - p = set_isakmp_payload_c(p, iph1->sa, ISAKMP_NPTYPE_SA); - - /* create isakmp KE payload */ - p = set_isakmp_payload_c(p, iph1->dhpub, ISAKMP_NPTYPE_KE); - - /* create isakmp NONCE payload */ - p = set_isakmp_payload_c(p, iph1->nonce, ISAKMP_NPTYPE_NONCE); - - /* create isakmp ID payload */ - p = set_isakmp_payload_c(p, iph1->id, ISAKMP_NPTYPE_ID); - -#ifdef HAVE_GSSAPI - if 
(iph1->rmconf->proposal->authmethod == - OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) { - gssapi_get_token_to_send(iph1, &gsstoken); - p = set_isakmp_payload_c(p, gsstoken, ISAKMP_NPTYPE_GSS); - } else -#endif - if (need_cr) - /* create isakmp CR payload */ - p = set_isakmp_payload_c(p, cr, ISAKMP_NPTYPE_CR); - -#ifdef HAVE_PRINT_ISAKMP_C - isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); -#endif - - /* send the packet, add to the schedule to resend */ - iph1->retry_counter = iph1->rmconf->retry_counter; - if (isakmp_ph1resend(iph1) == -1) - goto end; - - iph1->status = PHASE1ST_MSG1SENT; - - error = 0; - -end: - if (cr) - vfree(cr); - if (gsstoken) - vfree(gsstoken); - - return error; -} - -/* - * receive from responder - * psk: HDR, SA, KE, Nr, IDr1, HASH_R - * sig: HDR, SA, KE, Nr, IDr1, [ CR, ] [ CERT, ] SIG_R - * gssapi: HDR, SA, KE, Nr, IDr1, GSSr, HASH_R - * rsa: HDR, SA, KE, PubKey_i, PubKey_i, HASH_R - * rev: HDR, SA, PubKey_i, Ke_r, Ke_r, HASH_R - */ -int -agg_i2recv(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - vchar_t *pbuf = NULL; - struct isakmp_parse_t *pa; - vchar_t *satmp = NULL; - int error = -1; -#ifdef HAVE_GSSAPI - vchar_t *gsstoken = NULL; -#endif - - /* validity check */ - if (iph1->status != PHASE1ST_MSG1SENT) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* validate the type of next payload */ - pbuf = isakmp_parse(msg); - if (pbuf == NULL) - goto end; - pa = (struct isakmp_parse_t *)pbuf->v; - - iph1->pl_hash = NULL; - - /* SA payload is fixed postion */ - if (pa->type != ISAKMP_NPTYPE_SA) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "received invalid next payload type %d, " - "expecting %d.\n", - pa->type, ISAKMP_NPTYPE_SA); - goto end; - } - if (isakmp_p2ph(&satmp, pa->ptr) < 0) - goto end; - pa++; - - for (/*nothing*/; - pa->type != ISAKMP_NPTYPE_NONE; - pa++) { - - switch (pa->type) { - case ISAKMP_NPTYPE_KE: - if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) - goto 
end; - break; - case ISAKMP_NPTYPE_NONCE: - if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) - goto end; - break; - case ISAKMP_NPTYPE_ID: - if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) - goto end; - break; - case ISAKMP_NPTYPE_HASH: - iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr; - break; -#ifdef HAVE_SIGNING_C - case ISAKMP_NPTYPE_CR: - if (oakley_savecr(iph1, pa->ptr) < 0) - goto end; - break; - case ISAKMP_NPTYPE_CERT: - if (oakley_savecert(iph1, pa->ptr) < 0) - goto end; - break; - case ISAKMP_NPTYPE_SIG: - if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) - goto end; - break; -#endif - case ISAKMP_NPTYPE_VID: - (void)check_vendorid(pa->ptr); - break; - case ISAKMP_NPTYPE_N: - isakmp_check_notify(pa->ptr, iph1); - break; -#ifdef HAVE_GSSAPI - case ISAKMP_NPTYPE_GSS: - if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) - goto end; - gssapi_save_received_token(iph1, gsstoken); - break; -#endif - default: - /* don't send information, see isakmp_ident_r1() */ - plog(LLV_ERROR, LOCATION, iph1->remote, - "ignore the packet, " - "received unexpecting payload type %d.\n", - pa->type); - goto end; - } - } - - /* payload existency check */ - /* - * This check should take place after parsing SA payload because - * payloads are different by a authentication method. However, - * both rsa and rev are never supported, so it can be here. 
- */ - if (iph1->dhpub_p == NULL || - iph1->nonce_p == NULL || - iph1->id_p == NULL) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "some payload type doesn't exist.\n"); - goto end; - } - - /* verify identifier */ - if (ipsecdoi_checkid1(iph1) != 0) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "invalid ID payload.\n"); - goto end; - } - - /* check SA payload and set approval SA for use */ - if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "failed to get valid proposal.\n"); - /* XXX send information */ - goto end; - } - VPTRINIT(iph1->sa_ret); - - /* fix isakmp index */ - memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck, - sizeof(cookie_t)); - - /* compute sharing secret of DH */ - if (oakley_dh_compute(iph1->rmconf->dhgrp, iph1->dhpub, - iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) - goto end; - - /* generate SKEYIDs & IV & final cipher key */ - if (oakley_skeyid(iph1) < 0) - goto end; - if (oakley_skeyid_dae(iph1) < 0) - goto end; - if (oakley_compute_enckey(iph1) < 0) - goto end; - if (oakley_newiv(iph1) < 0) - goto end; - - /* validate authentication value */ - { - int type; - type = oakley_validate_auth(iph1); - if (type != 0) { - if (type == -1) { - /* message printed inner oakley_validate_auth() */ - goto end; - } - isakmp_info_send_n1(iph1, type, NULL); - goto end; - } - } - -#ifdef HAVE_SIGNING_C - if (oakley_checkcr(iph1) < 0) { - /* Ignore this error in order to be interoperability. 
*/ - ; - } -#endif - - /* change status of isakmp status entry */ - iph1->status = PHASE1ST_MSG2RECEIVED; - - error = 0; - -end: - if (pbuf) - vfree(pbuf); - if (satmp) - vfree(satmp); - if (error) { - VPTRINIT(iph1->dhpub_p); - VPTRINIT(iph1->nonce_p); - VPTRINIT(iph1->id_p); - oakley_delcert(iph1->cert_p); - iph1->cert_p = NULL; - oakley_delcert(iph1->crl_p); - iph1->crl_p = NULL; - VPTRINIT(iph1->sig_p); - oakley_delcert(iph1->cr_p); - iph1->cr_p = NULL; - } - - return error; -} - -/* - * send to responder - * psk: HDR, HASH_I - * gssapi: HDR, HASH_I - * sig: HDR, [ CERT, ] SIG_I - * rsa: HDR, HASH_I - * rev: HDR, HASH_I - */ -int -agg_i2send(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - struct isakmp_gen *gen; - struct isakmp_construct p; - int tlen; - int need_cert = 0; - int error = -1; - vchar_t *gsshash = NULL; - - /* validity check */ - if (iph1->status != PHASE1ST_MSG2RECEIVED) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* generate HASH to send */ - plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n"); - iph1->hash = oakley_ph1hash_common(iph1, GENERATE); - if (iph1->hash == NULL) { -#ifdef HAVE_GSSAPI - if (gssapi_more_tokens(iph1)) - isakmp_info_send_n1(iph1, - ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL); -#endif - goto end; - } - - tlen = sizeof(struct isakmp); - - switch (iph1->approval->authmethod) { - case OAKLEY_ATTR_AUTH_METHOD_PSKEY: - tlen += sizeof(*gen) + iph1->hash->l; - - iph1->sendbuf = vmalloc(tlen); - if (iph1->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to send.\n"); - goto end; - } - - /* set isakmp header */ - p = set_isakmp_header(iph1->sendbuf, iph1); - if (p.buff == NULL) - goto end; - - /* set HASH payload */ - p = set_isakmp_payload_c(p, iph1->hash, ISAKMP_NPTYPE_HASH); - break; -#ifdef HAVE_SIGNING_C - case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: - case OAKLEY_ATTR_AUTH_METHOD_RSASIG: - /* XXX if there is CR or not ? 
*/ - - if (oakley_getmycert(iph1) < 0) - goto end; - - if (oakley_getsign(iph1) < 0) - goto end; - - if (iph1->cert != NULL && iph1->rmconf->send_cert) - need_cert = 1; - - tlen += sizeof(*gen) + iph1->sig->l; - if (need_cert) - tlen += sizeof(*gen) + iph1->cert->pl->l; - - iph1->sendbuf = vmalloc(tlen); - if (iph1->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to send.\n"); - goto end; - } - - /* set isakmp header */ - p = set_isakmp_header(iph1->sendbuf, iph1); - if (p.buff == NULL) - goto end; - - /* add CERT payload if there */ - if (need_cert) - p = set_isakmp_payload_c(p, iph1->cert->pl, ISAKMP_NPTYPE_CERT); - /* add SIG payload */ - p = set_isakmp_payload_c(p, iph1->sig, ISAKMP_NPTYPE_SIG); - break; -#endif - case OAKLEY_ATTR_AUTH_METHOD_RSAENC: - case OAKLEY_ATTR_AUTH_METHOD_RSAREV: - tlen += sizeof(*gen) + iph1->hash->l; - break; -#ifdef HAVE_GSSAPI - case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: - gsshash = gssapi_wraphash(iph1); - if (gsshash == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to wrap hash\n"); - isakmp_info_send_n1(iph1, - ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL); - goto end; - } - tlen += sizeof(*gen) + gsshash->l; - - iph1->sendbuf = vmalloc(tlen); - if (iph1->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to send.\n"); - goto end; - } - /* set isakmp header */ - p = set_isakmp_header(iph1->sendbuf, iph1); - p = set_isakmp_payload_c(p, gsshash, ISAKMP_NPTYPE_HASH); - break; -#endif - } - -#ifdef HAVE_PRINT_ISAKMP_C - isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); -#endif - - /* send to responder */ - if (isakmp_send(iph1, iph1->sendbuf) < 0) - goto end; - - /* the sending message is added to the received-list. 
*/ - if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) { - plog(LLV_ERROR , LOCATION, NULL, - "failed to add a response packet to the tree.\n"); - goto end; - } - - /* set encryption flag */ - iph1->flags |= ISAKMP_FLAG_E; - - iph1->status = PHASE1ST_ESTABLISHED; - - error = 0; - -end: - if (gsshash) - vfree(gsshash); - return error; -} - -/* - * receive from initiator - * psk: HDR, SA, KE, Ni, IDi1 - * sig: HDR, SA, KE, Ni, IDi1 [, CR ] - * gssapi: HDR, SA, KE, Ni, IDi1 , GSSi - * rsa: HDR, SA, [ HASH(1),] KE, Pubkey_r, Pubkey_r - * rev: HDR, SA, [ HASH(1),] Pubkey_r, Ke_i, - * Ke_i [, Ke_i ] - */ -int -agg_r1recv(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - int error = -1; - vchar_t *pbuf = NULL; - struct isakmp_parse_t *pa; -#ifdef HAVE_GSSAPI - vchar_t *gsstoken = NULL; -#endif - - /* validity check */ - if (iph1->status != PHASE1ST_START) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* validate the type of next payload */ - pbuf = isakmp_parse(msg); - if (pbuf == NULL) - goto end; - pa = (struct isakmp_parse_t *)pbuf->v; - - /* SA payload is fixed postion */ - if (pa->type != ISAKMP_NPTYPE_SA) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "received invalid next payload type %d, " - "expecting %d.\n", - pa->type, ISAKMP_NPTYPE_SA); - goto end; - } - if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0) - goto end; - pa++; - - for (/*nothing*/; - pa->type != ISAKMP_NPTYPE_NONE; - pa++) { - - plog(LLV_DEBUG, LOCATION, NULL, - "received payload of type %s\n", - s_isakmp_nptype(pa->type)); - - switch (pa->type) { - case ISAKMP_NPTYPE_KE: - if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) - goto end; - break; - case ISAKMP_NPTYPE_NONCE: - if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) - goto end; - break; - case ISAKMP_NPTYPE_ID: - if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) - goto end; - break; - case ISAKMP_NPTYPE_VID: - (void)check_vendorid(pa->ptr); - break; -#ifdef HAVE_SIGNING_C - case 
ISAKMP_NPTYPE_CR: - if (oakley_savecr(iph1, pa->ptr) < 0) - goto end; - break; -#endif -#ifdef HAVE_GSSAPI - case ISAKMP_NPTYPE_GSS: - if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) - goto end; - gssapi_save_received_token(iph1, gsstoken); - break; -#endif - default: - /* don't send information, see isakmp_ident_r1() */ - plog(LLV_ERROR, LOCATION, iph1->remote, - "ignore the packet, " - "received unexpecting payload type %d.\n", - pa->type); - goto end; - } - } - - /* payload existency check */ - /* - * This check should take place after parsing SA payload because - * payloads are different by a authentication method. However, - * both rsa and rev are never supported, so it can be here. - */ - if (iph1->dhpub_p == NULL || - iph1->nonce_p == NULL || - iph1->id_p == NULL) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "some payload type doesn't exist.\n"); - goto end; - } - - /* verify identifier */ - if (ipsecdoi_checkid1(iph1) != 0) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "invalid ID payload.\n"); - goto end; - } - - /* check SA payload and set approval SA for use */ - if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "failed to get valid proposal.\n"); - /* XXX send information */ - goto end; - } - -#ifdef HAVE_SIGNING_C - if (oakley_checkcr(iph1) < 0) { - /* Ignore this error in order to be interoperability. 
*/ - ; - } -#endif - - iph1->status = PHASE1ST_MSG1RECEIVED; - - error = 0; - -end: - if (pbuf) - vfree(pbuf); - if (error) { - VPTRINIT(iph1->sa); - VPTRINIT(iph1->dhpub_p); - VPTRINIT(iph1->nonce_p); - VPTRINIT(iph1->id_p); - oakley_delcert(iph1->cr_p); - iph1->cr_p = NULL; - } - - return error; -} - -/* - * send to initiator - * psk: HDR, SA, KE, Nr, IDr1, HASH_R - * sig: HDR, SA, KE, Nr, IDr1, [ CR, ] [ CERT, ] SIG_R - * gssapi: HDR, SA, KE, Nr, IDr1, GSSr, HASH_R - * rsa: HDR, SA, KE, PubKey_i, PubKey_i, HASH_R - * rev: HDR, SA, PubKey_i, Ke_r, Ke_r, HASH_R - */ -int -agg_r1send(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - struct isakmp_gen *gen; - struct isakmp_construct p; - int tlen; - int need_cr = 0; - int need_cert = 0; - vchar_t *cr = NULL; - vchar_t *vid = NULL; - int error = -1; -#ifdef HAVE_GSSAPI - int gsslen; - vchar_t *gsstoken = NULL, *gsshash = NULL; - vchar_t *gss_sa = NULL; -#endif - - /* validity check */ - if (iph1->status != PHASE1ST_MSG1RECEIVED) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* set responder's cookie */ - isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local); - - /* make ID payload into isakmp status */ - if (ipsecdoi_setid1(iph1) < 0) - goto end; - - /* generate DH public value */ - if (oakley_dh_generate(iph1->rmconf->dhgrp, - &iph1->dhpub, &iph1->dhpriv) < 0) - goto end; - - /* generate NONCE value */ - iph1->nonce = eay_set_random(iph1->rmconf->nonce_size); - if (iph1->nonce == NULL) - goto end; - - /* compute sharing secret of DH */ - if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, - iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) - goto end; - - /* generate SKEYIDs & IV & final cipher key */ - if (oakley_skeyid(iph1) < 0) - goto end; - if (oakley_skeyid_dae(iph1) < 0) - goto end; - if (oakley_compute_enckey(iph1) < 0) - goto end; - if (oakley_newiv(iph1) < 0) - goto end; - -#ifdef HAVE_GSSAPI - if 
(iph1->rmconf->proposal->authmethod == - OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) - gssapi_get_rtoken(iph1, &gsslen); -#endif - - /* generate HASH to send */ - plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_R\n"); - iph1->hash = oakley_ph1hash_common(iph1, GENERATE); - if (iph1->hash == NULL) { -#ifdef HAVE_GSSAPI - if (gssapi_more_tokens(iph1)) - isakmp_info_send_n1(iph1, - ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL); -#endif - goto end; - } - -#ifdef HAVE_SIGNING_C - /* create CR if need */ - if (iph1->rmconf->send_cr - && oakley_needcr(iph1->approval->authmethod) - && iph1->rmconf->peerscertfile == NULL) { - need_cr = 1; - cr = oakley_getcr(iph1); - if (cr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get cr buffer.\n"); - goto end; - } - } -#endif - - tlen = sizeof(struct isakmp); - - switch (iph1->approval->authmethod) { - case OAKLEY_ATTR_AUTH_METHOD_PSKEY: - /* create buffer to send isakmp payload */ - tlen += sizeof(*gen) + iph1->sa_ret->l - + sizeof(*gen) + iph1->dhpub->l - + sizeof(*gen) + iph1->nonce->l - + sizeof(*gen) + iph1->id->l - + sizeof(*gen) + iph1->hash->l; - if ((vid = set_vendorid(iph1->approval->vendorid)) != NULL) - tlen += sizeof(*gen) + vid->l; - if (need_cr) - tlen += sizeof(*gen) + cr->l; - - iph1->sendbuf = vmalloc(tlen); - if (iph1->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to send\n"); - goto end; - } - - /* set isakmp header */ - p = set_isakmp_header(iph1->sendbuf, iph1); - if (p.buff == NULL) - goto end; - - /* set SA payload to reply */ - p = set_isakmp_payload_c(p, iph1->sa_ret, ISAKMP_NPTYPE_SA); - - /* create isakmp KE payload */ - p = set_isakmp_payload_c(p, iph1->dhpub, ISAKMP_NPTYPE_KE); - - /* create isakmp NONCE payload */ - p = set_isakmp_payload_c(p, iph1->nonce, ISAKMP_NPTYPE_NONCE); - - /* create isakmp ID payload */ - p = set_isakmp_payload_c(p, iph1->id, ISAKMP_NPTYPE_ID); - - /* create isakmp HASH payload */ - p = set_isakmp_payload_c(p, iph1->hash, ISAKMP_NPTYPE_HASH); - - 
/* append vendor id, if needed */ - if (vid) - p = set_isakmp_payload_c(p, vid, ISAKMP_NPTYPE_VID); - - /* create isakmp CR payload if needed */ - if (need_cr) - p = set_isakmp_payload_c(p, cr, ISAKMP_NPTYPE_CR); - break; -#ifdef HAVE_SIGNING_C - case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: - case OAKLEY_ATTR_AUTH_METHOD_RSASIG: - /* XXX if there is CR or not ? */ - - if (oakley_getmycert(iph1) < 0) - goto end; - - if (oakley_getsign(iph1) < 0) - goto end; - - if (iph1->cert != NULL && iph1->rmconf->send_cert) - need_cert = 1; - - tlen += sizeof(*gen) + iph1->sa_ret->l - + sizeof(*gen) + iph1->dhpub->l - + sizeof(*gen) + iph1->nonce->l - + sizeof(*gen) + iph1->id->l - + sizeof(*gen) + iph1->sig->l; - if (need_cert) - tlen += sizeof(*gen) + iph1->cert->pl->l; - if ((vid = set_vendorid(iph1->approval->vendorid)) != NULL) - tlen += sizeof(*gen) + vid->l; - if (need_cr) - tlen += sizeof(*gen) + cr->l; - - iph1->sendbuf = vmalloc(tlen); - if (iph1->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to send.\n"); - goto end; - } - - /* set isakmp header */ - p = set_isakmp_header(iph1->sendbuf, iph1); - if (p.buff == NULL) - goto end; - - /* set SA payload to reply */ - p = set_isakmp_payload_c(p, iph1->sa_ret, ISAKMP_NPTYPE_SA); - - /* create isakmp KE payload */ - p = set_isakmp_payload_c(p, iph1->dhpub, ISAKMP_NPTYPE_KE); - - /* create isakmp NONCE payload */ - p = set_isakmp_payload_c(p, iph1->nonce, ISAKMP_NPTYPE_NONCE); - - /* add ID payload */ - p = set_isakmp_payload_c(p, iph1->id, ISAKMP_NPTYPE_ID); - - /* add CERT payload if there */ - if (need_cert) - p = set_isakmp_payload_c(p, iph1->cert->pl, ISAKMP_NPTYPE_CERT); - /* add SIG payload */ - p = set_isakmp_payload_c(p, iph1->sig, ISAKMP_NPTYPE_SIG); - - /* append vendor id, if needed */ - if (vid) - p = set_isakmp_payload_c(p, vid, ISAKMP_NPTYPE_VID); - - /* create isakmp CR payload if needed */ - if (need_cr) - p = set_isakmp_payload_c(p, cr, ISAKMP_NPTYPE_CR); - break; -#endif - case 
OAKLEY_ATTR_AUTH_METHOD_RSAENC: - case OAKLEY_ATTR_AUTH_METHOD_RSAREV: - tlen += sizeof(*gen) + iph1->hash->l; - break; -#ifdef HAVE_GSSAPI - case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: - /* create buffer to send isakmp payload */ - gsshash = gssapi_wraphash(iph1); - if (gsshash == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to wrap hash\n"); - /* - * This is probably due to the GSS roundtrips not - * being finished yet. Return this error in - * the hope that a fallback to main mode will - * be done. - */ - isakmp_info_send_n1(iph1, - ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL); - goto end; - } - if (iph1->approval->gssid != NULL) - gss_sa = ipsecdoi_setph1proposal(iph1->approval); - else - gss_sa = iph1->sa_ret; - - tlen += sizeof(*gen) + gss_sa->l - + sizeof(*gen) + iph1->dhpub->l - + sizeof(*gen) + iph1->nonce->l - + sizeof(*gen) + iph1->id->l - + sizeof(*gen) + gsslen - + sizeof(*gen) + gsshash->l; - if ((vid = set_vendorid(iph1->approval->vendorid)) != NULL) - tlen += sizeof(*gen) + vid->l; - iph1->sendbuf = vmalloc(tlen); - if (iph1->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to send\n"); - goto end; - } - - /* set isakmp header */ - p = set_isakmp_header(iph1->sendbuf, iph1); - if (p.buff == NULL) - goto end; - - /* set SA payload to reply */ - p = set_isakmp_payload_c(p, gss_sa, ISAKMP_NPTYPE_SA); - - /* create isakmp KE payload */ - p = set_isakmp_payload_c(p, iph1->dhpub, ISAKMP_NPTYPE_KE); - - /* create isakmp NONCE payload */ - p = set_isakmp_payload_c(p, iph1->nonce, ISAKMP_NPTYPE_NONCE); - - /* create isakmp ID payload */ - p = set_isakmp_payload_c(p, iph1->id, ISAKMP_NPTYPE_ID); - - /* create GSS payload */ - gssapi_get_token_to_send(iph1, &gsstoken); - p = set_isakmp_payload_c(p, gsstoken, ISAKMP_NPTYPE_GSS); - - /* create isakmp HASH payload */ - p = set_isakmp_payload_c(p, gsshash, ISAKMP_NPTYPE_HASH); - - /* append vendor id, if needed */ - if (vid) - p = set_isakmp_payload_c(p, vid, ISAKMP_NPTYPE_VID); - 
break; -#endif - } - - -#ifdef HAVE_PRINT_ISAKMP_C - isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 1); -#endif - - /* send the packet, add to the schedule to resend */ - iph1->retry_counter = iph1->rmconf->retry_counter; - if (isakmp_ph1resend(iph1) == -1) - goto end; - - /* the sending message is added to the received-list. */ - if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) { - plog(LLV_ERROR , LOCATION, NULL, - "failed to add a response packet to the tree.\n"); - goto end; - } - - iph1->status = PHASE1ST_MSG1SENT; - - error = 0; - -end: - if (cr) - vfree(cr); - if (vid) - vfree(vid); -#ifdef HAVE_GSSAPI - if (gsstoken) - vfree(gsstoken); - if (gsshash) - vfree(gsshash); - if (gss_sa != iph1->sa_ret) - vfree(gss_sa); -#endif - - return error; -} - -/* - * receive from initiator - * psk: HDR, HASH_I - * gssapi: HDR, HASH_I - * sig: HDR, [ CERT, ] SIG_I - * rsa: HDR, HASH_I - * rev: HDR, HASH_I - */ -int -agg_r2recv(iph1, msg0) - struct ph1handle *iph1; - vchar_t *msg0; -{ - vchar_t *msg = NULL; - vchar_t *pbuf = NULL; - struct isakmp_parse_t *pa; - int error = -1; - - /* validity check */ - if (iph1->status != PHASE1ST_MSG1SENT) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* decrypting if need. */ - /* XXX configurable ? 
*/ - if (ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { - msg = oakley_do_decrypt(iph1, msg0, - iph1->ivm->iv, iph1->ivm->ive); - if (msg == NULL) - goto end; - } else - msg = vdup(msg0); - - /* validate the type of next payload */ - pbuf = isakmp_parse(msg); - if (pbuf == NULL) - goto end; - - iph1->pl_hash = NULL; - - for (pa = (struct isakmp_parse_t *)pbuf->v; - pa->type != ISAKMP_NPTYPE_NONE; - pa++) { - - switch (pa->type) { - case ISAKMP_NPTYPE_HASH: - iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr; - break; - case ISAKMP_NPTYPE_VID: - (void)check_vendorid(pa->ptr); - break; -#ifdef HAVE_SIGNING_C - case ISAKMP_NPTYPE_CERT: - if (oakley_savecert(iph1, pa->ptr) < 0) - goto end; - break; - case ISAKMP_NPTYPE_SIG: - if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) - goto end; - break; -#endif - case ISAKMP_NPTYPE_N: - isakmp_check_notify(pa->ptr, iph1); - break; - default: - /* don't send information, see isakmp_ident_r1() */ - plog(LLV_ERROR, LOCATION, iph1->remote, - "ignore the packet, " - "received unexpecting payload type %d.\n", - pa->type); - goto end; - } - } - - /* validate authentication value */ - { - int type; - type = oakley_validate_auth(iph1); - if (type != 0) { - if (type == -1) { - /* message printed inner oakley_validate_auth() */ - goto end; - } - isakmp_info_send_n1(iph1, type, NULL); - goto end; - } - } - - iph1->status = PHASE1ST_MSG2RECEIVED; - - error = 0; - -end: - if (pbuf) - vfree(pbuf); - if (msg) - vfree(msg); - if (error) { - oakley_delcert(iph1->cert_p); - iph1->cert_p = NULL; - oakley_delcert(iph1->crl_p); - iph1->crl_p = NULL; - VPTRINIT(iph1->sig_p); - } - - return error; -} - -/* - * status update and establish isakmp sa. 
- */ -int -agg_r2send(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - int error = -1; - - /* validity check */ - if (iph1->status != PHASE1ST_MSG2RECEIVED) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* IV synchronized when packet encrypted. */ - /* see handler.h about IV synchronization. */ - if (ISSET(((struct isakmp *)msg->v)->flags, ISAKMP_FLAG_E)) - memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l); - - /* set encryption flag */ - iph1->flags |= ISAKMP_FLAG_E; - - iph1->status = PHASE1ST_ESTABLISHED; - - error = 0; - -end: - return error; -} diff --git a/kame/kame/racoon/isakmp_agg.h b/kame/kame/racoon/isakmp_agg.h deleted file mode 100644 index 0609be7a2b..0000000000 --- a/kame/kame/racoon/isakmp_agg.h +++ /dev/null 
@@ -1,39 +0,0 @@ -/* $KAME: isakmp_agg.h,v 1.4 2000/10/04 17:41:00 itojun Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -extern int agg_i1send __P((struct ph1handle *, vchar_t *)); -extern int agg_i2recv __P((struct ph1handle *, vchar_t *)); -extern int agg_i2send __P((struct ph1handle *, vchar_t *)); - -extern int agg_r1recv __P((struct ph1handle *, vchar_t *)); -extern int agg_r1send __P((struct ph1handle *, vchar_t *)); -extern int agg_r2recv __P((struct ph1handle *, vchar_t *)); -extern int agg_r2send __P((struct ph1handle *, vchar_t *)); diff --git a/kame/kame/racoon/isakmp_base.c b/kame/kame/racoon/isakmp_base.c deleted file mode 100644 index f3022e0927..0000000000 --- a/kame/kame/racoon/isakmp_base.c +++ /dev/null 
@@ -1,1056 +0,0 @@ -/* $KAME: isakmp_base.c,v 1.50 2004/03/03 05:39:59 sakane Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -/* Base Exchange (Base Mode) */ - -#include -#include - -#include -#include -#include -#include -#if TIME_WITH_SYS_TIME -# include -# include -#else -# if HAVE_SYS_TIME_H -# include -# else -# include -# endif -#endif - -#include "var.h" -#include "misc.h" -#include "vmbuf.h" -#include "plog.h" -#include "sockmisc.h" -#include "schedule.h" -#include "debug.h" - -#include "localconf.h" -#include "remoteconf.h" -#include "isakmp_var.h" -#include "isakmp.h" -#include "oakley.h" -#include "handler.h" -#include "ipsec_doi.h" -#include "crypto_openssl.h" -#include "pfkey.h" -#include "isakmp_base.h" -#include "isakmp_inf.h" -#include "vendorid.h" - -/* %%% - * begin Identity Protection Mode as initiator. - */ -/* - * send to responder - * psk: HDR, SA, Idii, Ni_b - * sig: HDR, SA, Idii, Ni_b - * rsa: HDR, SA, [HASH(1),] Pubkey_r, Pubkey_r - * rev: HDR, SA, [HASH(1),] Pubkey_r, Ke_i - */ -int -base_i1send(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; /* must be null */ -{ - struct isakmp_gen *gen; - struct isakmp_construct p; - int tlen; - int error = -1; - - /* validity check */ - if (msg != NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "msg has to be NULL in this function.\n"); - goto end; - } - if (iph1->status != PHASE1ST_START) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* create isakmp index */ - memset(&iph1->index, 0, sizeof(iph1->index)); - isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local); - - /* make ID payload into isakmp status */ - if (ipsecdoi_setid1(iph1) < 0) - goto end; - - /* create SA payload for my proposal */ - iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf->proposal); - if (iph1->sa == NULL) - goto end; - - /* generate NONCE value */ - iph1->nonce = eay_set_random(iph1->rmconf->nonce_size); - if (iph1->nonce == NULL) - goto end; - - /* create buffer to send isakmp payload */ - tlen = sizeof(struct isakmp) - + sizeof(*gen) + iph1->sa->l - + sizeof(*gen) + 
iph1->id->l - + sizeof(*gen) + iph1->nonce->l; - - iph1->sendbuf = vmalloc(tlen); - if (iph1->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to send.\n"); - goto end; - } - - /* set isakmp header */ - p = set_isakmp_header(iph1->sendbuf, iph1); - if (p.buff == NULL) - goto end; - - /* set SA payload to propose */ - p = set_isakmp_payload_c(p, iph1->sa, ISAKMP_NPTYPE_SA); - - /* create isakmp ID payload */ - p = set_isakmp_payload_c(p, iph1->id, ISAKMP_NPTYPE_ID); - - /* create isakmp NONCE payload */ - p = set_isakmp_payload_c(p, iph1->nonce, ISAKMP_NPTYPE_NONCE); - -#ifdef HAVE_PRINT_ISAKMP_C - isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); -#endif - - /* send the packet, add to the schedule to resend */ - iph1->retry_counter = iph1->rmconf->retry_counter; - if (isakmp_ph1resend(iph1) == -1) - goto end; - - iph1->status = PHASE1ST_MSG1SENT; - - error = 0; - -end: - - return error; -} - -/* - * receive from responder - * psk: HDR, SA, Idir, Nr_b - * sig: HDR, SA, Idir, Nr_b, [ CR ] - * rsa: HDR, SA, PubKey_i, PubKey_i - * rev: HDR, SA, PubKey_i, Ke_r - */ -int -base_i2recv(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - vchar_t *pbuf = NULL; - struct isakmp_parse_t *pa; - vchar_t *satmp = NULL; - int error = -1; - - /* validity check */ - if (iph1->status != PHASE1ST_MSG1SENT) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* validate the type of next payload */ - pbuf = isakmp_parse(msg); - if (pbuf == NULL) - goto end; - pa = (struct isakmp_parse_t *)pbuf->v; - - /* SA payload is fixed postion */ - if (pa->type != ISAKMP_NPTYPE_SA) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "received invalid next payload type %d, " - "expecting %d.\n", - pa->type, ISAKMP_NPTYPE_SA); - goto end; - } - if (isakmp_p2ph(&satmp, pa->ptr) < 0) - goto end; - pa++; - - for (/*nothing*/; - pa->type != ISAKMP_NPTYPE_NONE; - pa++) { - - switch (pa->type) { - case 
ISAKMP_NPTYPE_NONCE: - if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) - goto end; - break; - case ISAKMP_NPTYPE_ID: - if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) - goto end; - break; - case ISAKMP_NPTYPE_VID: - (void)check_vendorid(pa->ptr); - break; - default: - /* don't send information, see ident_r1recv() */ - plog(LLV_ERROR, LOCATION, iph1->remote, - "ignore the packet, " - "received unexpecting payload type %d.\n", - pa->type); - goto end; - } - } - - if (iph1->nonce_p == NULL || iph1->id_p == NULL) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "few isakmp message received.\n"); - goto end; - } - - /* verify identifier */ - if (ipsecdoi_checkid1(iph1) != 0) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "invalid ID payload.\n"); - goto end; - } - - /* check SA payload and set approval SA for use */ - if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "failed to get valid proposal.\n"); - /* XXX send information */ - goto end; - } - VPTRINIT(iph1->sa_ret); - - iph1->status = PHASE1ST_MSG2RECEIVED; - - error = 0; - -end: - if (pbuf) - vfree(pbuf); - if (satmp) - vfree(satmp); - - if (error) { - VPTRINIT(iph1->nonce_p); - VPTRINIT(iph1->id_p); - } - - return error; -} - -/* - * send to responder - * psk: HDR, KE, HASH_I - * sig: HDR, KE, [ CR, ] [CERT,] SIG_I - * rsa: HDR, KE, HASH_I - * rev: HDR, Ke_i, HASH_I - */ -int -base_i2send(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - struct isakmp_gen *gen; - struct isakmp_construct p; - vchar_t *vid = NULL; - int tlen; - int need_cert = 0; - int error = -1; - - /* validity check */ - if (iph1->status != PHASE1ST_MSG2RECEIVED) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* fix isakmp index */ - memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck, - sizeof(cookie_t)); - - /* generate DH public value */ - if (oakley_dh_generate(iph1->approval->dhgrp, - &iph1->dhpub, &iph1->dhpriv) < 0) - goto end; - - /* 
generate SKEYID to compute hash if not signature mode */ - if (iph1->approval->authmethod != OAKLEY_ATTR_AUTH_METHOD_RSASIG - && iph1->approval->authmethod != OAKLEY_ATTR_AUTH_METHOD_DSSSIG) { - if (oakley_skeyid(iph1) < 0) - goto end; - } - - /* generate HASH to send */ - plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n"); - iph1->hash = oakley_ph1hash_base_i(iph1, GENERATE); - if (iph1->hash == NULL) - goto end; - - /* create buffer to send isakmp payload */ - tlen = sizeof(struct isakmp); - - switch (iph1->approval->authmethod) { - case OAKLEY_ATTR_AUTH_METHOD_PSKEY: - tlen += sizeof(*gen) + iph1->dhpub->l - + sizeof(*gen) + iph1->hash->l; - if ((vid = set_vendorid(iph1->approval->vendorid)) != NULL) - tlen += sizeof(*gen) + vid->l; - - iph1->sendbuf = vmalloc(tlen); - if (iph1->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to send.\n"); - goto end; - } - - /* set isakmp header */ - p = set_isakmp_header(iph1->sendbuf, iph1); - if (p.buff == NULL) - goto end; - - /* create isakmp KE payload */ - p = set_isakmp_payload_c(p, iph1->dhpub, ISAKMP_NPTYPE_KE); - - /* create isakmp HASH payload */ - p = set_isakmp_payload_c(p, iph1->hash, ISAKMP_NPTYPE_HASH); - - /* append vendor id, if needed */ - if (vid) - p = set_isakmp_payload_c(p, vid, ISAKMP_NPTYPE_VID); - break; -#ifdef HAVE_SIGNING_C - case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: - case OAKLEY_ATTR_AUTH_METHOD_RSASIG: - /* XXX if there is CR or not ? 
*/ - - if (oakley_getmycert(iph1) < 0) - goto end; - - if (oakley_getsign(iph1) < 0) - goto end; - - if (iph1->cert && iph1->rmconf->send_cert) - need_cert = 1; - - tlen += sizeof(*gen) + iph1->dhpub->l - + sizeof(*gen) + iph1->sig->l; - if (need_cert) - tlen += sizeof(*gen) + iph1->cert->pl->l; - - iph1->sendbuf = vmalloc(tlen); - if (iph1->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to send.\n"); - goto end; - } - - /* set isakmp header */ - p = set_isakmp_header(iph1->sendbuf, iph1); - if (p.buff == NULL) - goto end; - - /* create isakmp KE payload */ - p = set_isakmp_payload_c(p, iph1->dhpub, ISAKMP_NPTYPE_KE); - - /* add CERT payload if there */ - if (need_cert) - p = set_isakmp_payload_c(p, iph1->cert->pl, ISAKMP_NPTYPE_CERT); - /* add SIG payload */ - p = set_isakmp_payload_c(p, iph1->sig, ISAKMP_NPTYPE_SIG); - break; -#endif - case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: - /* ... */ - break; - case OAKLEY_ATTR_AUTH_METHOD_RSAENC: - case OAKLEY_ATTR_AUTH_METHOD_RSAREV: - tlen += sizeof(*gen) + iph1->hash->l; - break; - } - -#ifdef HAVE_PRINT_ISAKMP_C - isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); -#endif - - /* send the packet, add to the schedule to resend */ - iph1->retry_counter = iph1->rmconf->retry_counter; - if (isakmp_ph1resend(iph1) == -1) - goto end; - - /* the sending message is added to the received-list. 
*/ - if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) { - plog(LLV_ERROR , LOCATION, NULL, - "failed to add a response packet to the tree.\n"); - goto end; - } - - iph1->status = PHASE1ST_MSG2SENT; - - error = 0; - -end: - if (vid) - vfree(vid); - return error; -} - -/* - * receive from responder - * psk: HDR, KE, HASH_R - * sig: HDR, KE, [CERT,] SIG_R - * rsa: HDR, KE, HASH_R - * rev: HDR, _Ke_r, HASH_R - */ -int -base_i3recv(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - vchar_t *pbuf = NULL; - struct isakmp_parse_t *pa; - int error = -1; - - /* validity check */ - if (iph1->status != PHASE1ST_MSG2SENT) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* validate the type of next payload */ - pbuf = isakmp_parse(msg); - if (pbuf == NULL) - goto end; - - for (pa = (struct isakmp_parse_t *)pbuf->v; - pa->type != ISAKMP_NPTYPE_NONE; - pa++) { - - switch (pa->type) { - case ISAKMP_NPTYPE_KE: - if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) - goto end; - break; - case ISAKMP_NPTYPE_HASH: - iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr; - break; -#ifdef HAVE_SIGNING_C - case ISAKMP_NPTYPE_CERT: - if (oakley_savecert(iph1, pa->ptr) < 0) - goto end; - break; - case ISAKMP_NPTYPE_SIG: - if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) - goto end; - break; -#endif - case ISAKMP_NPTYPE_VID: - (void)check_vendorid(pa->ptr); - break; - default: - /* don't send information, see ident_r1recv() */ - plog(LLV_ERROR, LOCATION, iph1->remote, - "ignore the packet, " - "received unexpecting payload type %d.\n", - pa->type); - goto end; - } - } - - /* payload existency check */ - /* validate authentication value */ - { - int type; - type = oakley_validate_auth(iph1); - if (type != 0) { - if (type == -1) { - /* message printed inner oakley_validate_auth() */ - goto end; - } - isakmp_info_send_n1(iph1, type, NULL); - goto end; - } - } - - /* compute sharing secret of DH */ - if 
(oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, - iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) - goto end; - - /* generate SKEYID to compute hash if signature mode */ - if (iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_RSASIG - || iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_DSSSIG) { - if (oakley_skeyid(iph1) < 0) - goto end; - } - - /* generate SKEYIDs & IV & final cipher key */ - if (oakley_skeyid_dae(iph1) < 0) - goto end; - if (oakley_compute_enckey(iph1) < 0) - goto end; - if (oakley_newiv(iph1) < 0) - goto end; - - /* see handler.h about IV synchronization. */ - memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l); - - /* set encryption flag */ - iph1->flags |= ISAKMP_FLAG_E; - - iph1->status = PHASE1ST_MSG3RECEIVED; - - error = 0; - -end: - if (pbuf) - vfree(pbuf); - - if (error) { - VPTRINIT(iph1->dhpub_p); - oakley_delcert(iph1->cert_p); - iph1->cert_p = NULL; - oakley_delcert(iph1->crl_p); - iph1->crl_p = NULL; - VPTRINIT(iph1->sig_p); - } - - return error; -} - -/* - * status update and establish isakmp sa. 
- */ -int -base_i3send(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - int error = -1; - - /* validity check */ - if (iph1->status != PHASE1ST_MSG3RECEIVED) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - iph1->status = PHASE1ST_ESTABLISHED; - - error = 0; - -end: - return error; -} - -/* - * receive from initiator - * psk: HDR, SA, Idii, Ni_b - * sig: HDR, SA, Idii, Ni_b - * rsa: HDR, SA, [HASH(1),] Pubkey_r, Pubkey_r - * rev: HDR, SA, [HASH(1),] Pubkey_r, Ke_i - */ -int -base_r1recv(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - vchar_t *pbuf = NULL; - struct isakmp_parse_t *pa; - int error = -1; - - /* validity check */ - if (iph1->status != PHASE1ST_START) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* validate the type of next payload */ - /* - * NOTE: XXX even if multiple VID, we'll silently ignore those. - */ - pbuf = isakmp_parse(msg); - if (pbuf == NULL) - goto end; - pa = (struct isakmp_parse_t *)pbuf->v; - - /* check the position of SA payload */ - if (pa->type != ISAKMP_NPTYPE_SA) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "received invalid next payload type %d, " - "expecting %d.\n", - pa->type, ISAKMP_NPTYPE_SA); - goto end; - } - if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0) - goto end; - pa++; - - for (/*nothing*/; - pa->type != ISAKMP_NPTYPE_NONE; - pa++) { - - switch (pa->type) { - case ISAKMP_NPTYPE_NONCE: - if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) - goto end; - break; - case ISAKMP_NPTYPE_ID: - if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) - goto end; - break; - case ISAKMP_NPTYPE_VID: - (void)check_vendorid(pa->ptr); - break; - default: - /* don't send information, see ident_r1recv() */ - plog(LLV_ERROR, LOCATION, iph1->remote, - "ignore the packet, " - "received unexpecting payload type %d.\n", - pa->type); - goto end; - } - } - - if (iph1->nonce_p == NULL || iph1->id_p == NULL) { - plog(LLV_ERROR, LOCATION, 
iph1->remote, - "few isakmp message received.\n"); - goto end; - } - - /* verify identifier */ - if (ipsecdoi_checkid1(iph1) != 0) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "invalid ID payload.\n"); - goto end; - } - - /* check SA payload and set approval SA for use */ - if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "failed to get valid proposal.\n"); - /* XXX send information */ - goto end; - } - - iph1->status = PHASE1ST_MSG1RECEIVED; - - error = 0; - -end: - if (pbuf) - vfree(pbuf); - - if (error) { - VPTRINIT(iph1->sa); - VPTRINIT(iph1->nonce_p); - VPTRINIT(iph1->id_p); - } - - return error; -} - -/* - * send to initiator - * psk: HDR, SA, Idir, Nr_b - * sig: HDR, SA, Idir, Nr_b, [ CR ] - * rsa: HDR, SA, PubKey_i, PubKey_i - * rev: HDR, SA, PubKey_i, Ke_r - */ -int -base_r1send(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - struct isakmp_gen *gen; - struct isakmp_construct p; - int tlen; - int error = -1; - - /* validity check */ - if (iph1->status != PHASE1ST_MSG1RECEIVED) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* set responder's cookie */ - isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local); - - /* make ID payload into isakmp status */ - if (ipsecdoi_setid1(iph1) < 0) - goto end; - - /* generate NONCE value */ - iph1->nonce = eay_set_random(iph1->rmconf->nonce_size); - if (iph1->nonce == NULL) - goto end; - - /* create buffer to send isakmp payload */ - tlen = sizeof(struct isakmp) - + sizeof(*gen) + iph1->sa_ret->l - + sizeof(*gen) + iph1->id->l - + sizeof(*gen) + iph1->nonce->l; - - iph1->sendbuf = vmalloc(tlen); - if (iph1->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to send.\n"); - goto end; - } - - /* set isakmp header */ - p = set_isakmp_header(iph1->sendbuf, iph1); - if (p.buff == NULL) - goto end; - - /* set SA payload to reply */ - p = set_isakmp_payload_c(p, iph1->sa_ret, 
ISAKMP_NPTYPE_SA); - - /* create isakmp ID payload */ - p = set_isakmp_payload_c(p, iph1->id, ISAKMP_NPTYPE_ID); - - /* create isakmp NONCE payload */ - p = set_isakmp_payload_c(p, iph1->nonce, ISAKMP_NPTYPE_NONCE); - -#ifdef HAVE_PRINT_ISAKMP_C - isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); -#endif - - /* send the packet, add to the schedule to resend */ - iph1->retry_counter = iph1->rmconf->retry_counter; - if (isakmp_ph1resend(iph1) == -1) - goto end; - - /* the sending message is added to the received-list. */ - if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) { - plog(LLV_ERROR , LOCATION, NULL, - "failed to add a response packet to the tree.\n"); - goto end; - } - - iph1->status = PHASE1ST_MSG1SENT; - - error = 0; - -end: - VPTRINIT(iph1->sa_ret); - - return error; -} - -/* - * receive from initiator - * psk: HDR, KE, HASH_I - * sig: HDR, KE, [ CR, ] [CERT,] SIG_I - * rsa: HDR, KE, HASH_I - * rev: HDR, Ke_i, HASH_I - */ -int -base_r2recv(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - vchar_t *pbuf = NULL; - struct isakmp_parse_t *pa; - int error = -1; - - /* validity check */ - if (iph1->status != PHASE1ST_MSG1SENT) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* validate the type of next payload */ - pbuf = isakmp_parse(msg); - if (pbuf == NULL) - goto end; - - iph1->pl_hash = NULL; - - for (pa = (struct isakmp_parse_t *)pbuf->v; - pa->type != ISAKMP_NPTYPE_NONE; - pa++) { - - switch (pa->type) { - case ISAKMP_NPTYPE_KE: - if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) - goto end; - break; - case ISAKMP_NPTYPE_HASH: - iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr; - break; -#ifdef HAVE_SIGNING_C - case ISAKMP_NPTYPE_CERT: - if (oakley_savecert(iph1, pa->ptr) < 0) - goto end; - break; - case ISAKMP_NPTYPE_SIG: - if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) - goto end; - break; -#endif - case ISAKMP_NPTYPE_VID: - (void)check_vendorid(pa->ptr); - break; 
- default: - /* don't send information, see ident_r1recv() */ - plog(LLV_ERROR, LOCATION, iph1->remote, - "ignore the packet, " - "received unexpecting payload type %d.\n", - pa->type); - goto end; - } - } - - /* generate DH public value */ - if (oakley_dh_generate(iph1->approval->dhgrp, - &iph1->dhpub, &iph1->dhpriv) < 0) - goto end; - - /* compute sharing secret of DH */ - if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, - iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) - goto end; - - /* generate SKEYID */ - if (oakley_skeyid(iph1) < 0) - goto end; - - /* payload existency check */ - /* validate authentication value */ - { - int type; - type = oakley_validate_auth(iph1); - if (type != 0) { - if (type == -1) { - /* message printed inner oakley_validate_auth() */ - goto end; - } - isakmp_info_send_n1(iph1, type, NULL); - goto end; - } - } - - iph1->status = PHASE1ST_MSG2RECEIVED; - - error = 0; - -end: - if (pbuf) - vfree(pbuf); - - if (error) { - VPTRINIT(iph1->dhpub_p); - oakley_delcert(iph1->cert_p); - iph1->cert_p = NULL; - oakley_delcert(iph1->crl_p); - iph1->crl_p = NULL; - VPTRINIT(iph1->sig_p); - } - - return error; -} - -/* - * send to initiator - * psk: HDR, KE, HASH_R - * sig: HDR, KE, [CERT,] SIG_R - * rsa: HDR, KE, HASH_R - * rev: HDR, _Ke_r, HASH_R - */ -int -base_r2send(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - struct isakmp_gen *gen; - struct isakmp_construct p; - vchar_t *vid = NULL; - int tlen; - int need_cert = 0; - int error = -1; - - /* validity check */ - if (iph1->status != PHASE1ST_MSG2RECEIVED) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* generate HASH to send */ - plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n"); - switch (iph1->approval->authmethod) { - case OAKLEY_ATTR_AUTH_METHOD_PSKEY: - case OAKLEY_ATTR_AUTH_METHOD_RSAENC: - case OAKLEY_ATTR_AUTH_METHOD_RSAREV: - iph1->hash = oakley_ph1hash_common(iph1, GENERATE); - break; - case 
OAKLEY_ATTR_AUTH_METHOD_DSSSIG: - case OAKLEY_ATTR_AUTH_METHOD_RSASIG: - case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: - iph1->hash = oakley_ph1hash_base_r(iph1, GENERATE); - break; - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid authentication method %d\n", - iph1->approval->authmethod); - goto end; - } - if (iph1->hash == NULL) - goto end; - - /* create HDR;KE;NONCE payload */ - tlen = sizeof(struct isakmp); - - switch (iph1->approval->authmethod) { - case OAKLEY_ATTR_AUTH_METHOD_PSKEY: - tlen += sizeof(*gen) + iph1->dhpub->l - + sizeof(*gen) + iph1->hash->l; - if ((vid = set_vendorid(iph1->approval->vendorid)) != NULL) - tlen += sizeof(*gen) + vid->l; - - iph1->sendbuf = vmalloc(tlen); - if (iph1->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get iph1->sendbuf to send.\n"); - goto end; - } - - /* set isakmp header */ - p = set_isakmp_header(iph1->sendbuf, iph1); - if (p.buff == NULL) - goto end; - - /* create isakmp KE payload */ - p = set_isakmp_payload_c(p, iph1->dhpub, ISAKMP_NPTYPE_KE); - - /* create isakmp HASH payload */ - p = set_isakmp_payload_c(p, iph1->hash, ISAKMP_NPTYPE_HASH); - - /* append vendor id, if needed */ - if (vid) - p = set_isakmp_payload_c(p, vid, ISAKMP_NPTYPE_VID); - break; -#ifdef HAVE_SIGNING_C - case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: - case OAKLEY_ATTR_AUTH_METHOD_RSASIG: - /* XXX if there is CR or not ? 
*/ - - if (oakley_getmycert(iph1) < 0) - goto end; - - if (oakley_getsign(iph1) < 0) - goto end; - - if (iph1->cert && iph1->rmconf->send_cert) - need_cert = 1; - - tlen += sizeof(*gen) + iph1->dhpub->l - + sizeof(*gen) + iph1->sig->l; - if (need_cert) - tlen += sizeof(*gen) + iph1->cert->pl->l; - - iph1->sendbuf = vmalloc(tlen); - if (iph1->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to send.\n"); - goto end; - } - - /* set isakmp header */ - p = set_isakmp_header(iph1->sendbuf, iph1); - if (p.buff == NULL) - goto end; - - /* create isakmp KE payload */ - p = set_isakmp_payload_c(p, iph1->dhpub, ISAKMP_NPTYPE_KE); - - /* add CERT payload if there */ - if (need_cert) - p = set_isakmp_payload_c(p, iph1->cert->pl, ISAKMP_NPTYPE_CERT); - /* add SIG payload */ - p = set_isakmp_payload_c(p, iph1->sig, ISAKMP_NPTYPE_SIG); - break; -#endif - case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: - /* ... */ - break; - case OAKLEY_ATTR_AUTH_METHOD_RSAENC: - case OAKLEY_ATTR_AUTH_METHOD_RSAREV: - tlen += sizeof(*gen) + iph1->hash->l; - break; - } - -#ifdef HAVE_PRINT_ISAKMP_C - isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); -#endif - - /* send HDR;KE;NONCE to responder */ - if (isakmp_send(iph1, iph1->sendbuf) < 0) - goto end; - - /* the sending message is added to the received-list. */ - if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) { - plog(LLV_ERROR , LOCATION, NULL, - "failed to add a response packet to the tree.\n"); - goto end; - } - - /* generate SKEYIDs & IV & final cipher key */ - if (oakley_skeyid_dae(iph1) < 0) - goto end; - if (oakley_compute_enckey(iph1) < 0) - goto end; - if (oakley_newiv(iph1) < 0) - goto end; - - /* set encryption flag */ - iph1->flags |= ISAKMP_FLAG_E; - - iph1->status = PHASE1ST_ESTABLISHED; - - error = 0; - -end: - if (vid) - vfree(vid); - return error; -} 
diff --git a/kame/kame/racoon/isakmp_base.h b/kame/kame/racoon/isakmp_base.h
deleted file mode 100644
index 5e71818a87..0000000000
--- a/kame/kame/racoon/isakmp_base.h
+++ /dev/null
@@ -1,41 +0,0 @@ -/* $KAME: isakmp_base.h,v 1.6 2000/10/04 17:41:00 itojun Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */
-
-extern int base_i1send __P((struct ph1handle *, vchar_t *));
-extern int base_i2recv __P((struct ph1handle *, vchar_t *));
-extern int base_i2send __P((struct ph1handle *, vchar_t *));
-extern int base_i3recv __P((struct ph1handle *, vchar_t *));
-extern int base_i3send __P((struct ph1handle *, vchar_t *));
-
-extern int base_r1recv __P((struct ph1handle *, vchar_t *));
-extern int base_r1send __P((struct ph1handle *, vchar_t *));
-extern int base_r2recv __P((struct ph1handle *, vchar_t *));
-extern int base_r2send __P((struct ph1handle *, vchar_t *));
diff --git a/kame/kame/racoon/isakmp_ident.c b/kame/kame/racoon/isakmp_ident.c
deleted file mode 100644
index 57ad1808f4..0000000000
--- a/kame/kame/racoon/isakmp_ident.c
+++ /dev/null
@@ -1,1669 +0,0 @@ -/* $KAME: isakmp_ident.c,v 1.67 2004/03/27 03:27:46 suz Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -/* Identity Protecion Exchange (Main Mode) */ - -#include -#include - -#include -#include -#include -#include -#if TIME_WITH_SYS_TIME -# include -# include -#else -# if HAVE_SYS_TIME_H -# include -# else -# include -# endif -#endif - -#include "var.h" -#include "misc.h" -#include "vmbuf.h" -#include "plog.h" -#include "sockmisc.h" -#include "schedule.h" -#include "debug.h" - -#include "localconf.h" -#include "remoteconf.h" -#include "isakmp_var.h" -#include "isakmp.h" -#include "oakley.h" -#include "handler.h" -#include "ipsec_doi.h" -#include "crypto_openssl.h" -#include "pfkey.h" -#include "isakmp_ident.h" -#include "isakmp_inf.h" -#include "vendorid.h" - -#ifdef HAVE_GSSAPI -#include "auth_gssapi.h" -#endif - -static vchar_t *ident_ir2mx __P((struct ph1handle *)); -static vchar_t *ident_ir3mx __P((struct ph1handle *)); - -/* %%% - * begin Identity Protection Mode as initiator. - */ -/* - * send to responder - * psk: HDR, SA - * sig: HDR, SA - * rsa: HDR, SA - * rev: HDR, SA - */ -int -ident_i1send(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; /* must be null */ -{ - struct isakmp_gen *gen; - struct isakmp_construct p; - int tlen; - int error = -1; - - /* validity check */ - if (msg != NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "msg has to be NULL in this function.\n"); - goto end; - } - if (iph1->status != PHASE1ST_START) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* create isakmp index */ - memset(&iph1->index, 0, sizeof(iph1->index)); - isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local); - - /* create SA payload for my proposal */ - iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf->proposal); - if (iph1->sa == NULL) - goto end; - - /* create buffer to send isakmp payload */ - tlen = sizeof(struct isakmp) - + sizeof(*gen) + iph1->sa->l; - - iph1->sendbuf = vmalloc(tlen); - if (iph1->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to send.\n"); - 
goto end; - } - - /* set isakmp header */ - p = set_isakmp_header(iph1->sendbuf, iph1); - if (p.buff == NULL) - goto end; - - /* set SA payload to propose */ - p = set_isakmp_payload_c(p, iph1->sa, ISAKMP_NPTYPE_SA); - -#ifdef HAVE_PRINT_ISAKMP_C - isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); -#endif - - /* send the packet, add to the schedule to resend */ - iph1->retry_counter = iph1->rmconf->retry_counter; - if (isakmp_ph1resend(iph1) == -1) - goto end; - - iph1->status = PHASE1ST_MSG1SENT; - - error = 0; - -end: - - return error; -} - -/* - * receive from responder - * psk: HDR, SA - * sig: HDR, SA - * rsa: HDR, SA - * rev: HDR, SA - */ -int -ident_i2recv(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - vchar_t *pbuf = NULL; - struct isakmp_parse_t *pa; - vchar_t *satmp = NULL; - int error = -1; - - /* validity check */ - if (iph1->status != PHASE1ST_MSG1SENT) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* validate the type of next payload */ - /* - * NOTE: RedCreek(as responder) attaches N[responder-lifetime] here, - * if proposal-lifetime > lifetime-redcreek-wants. - * (see doi-08 4.5.4) - * => According to the seciton 4.6.3 in RFC 2407, This is illegal. - * NOTE: we do not really care about ordering of VID and N. - * does it matters? - * NOTE: even if there's multiple VID/N, we'll ignore them. 
- */ - pbuf = isakmp_parse(msg); - if (pbuf == NULL) - goto end; - pa = (struct isakmp_parse_t *)pbuf->v; - - /* SA payload is fixed postion */ - if (pa->type != ISAKMP_NPTYPE_SA) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "received invalid next payload type %d, " - "expecting %d.\n", - pa->type, ISAKMP_NPTYPE_SA); - goto end; - } - if (isakmp_p2ph(&satmp, pa->ptr) < 0) - goto end; - pa++; - - for (/*nothing*/; - pa->type != ISAKMP_NPTYPE_NONE; - pa++) { - - switch (pa->type) { - case ISAKMP_NPTYPE_VID: - (void)check_vendorid(pa->ptr); - break; - default: - /* don't send information, see ident_r1recv() */ - plog(LLV_ERROR, LOCATION, iph1->remote, - "ignore the packet, " - "received unexpecting payload type %d.\n", - pa->type); - goto end; - } - } - - /* check SA payload and set approval SA for use */ - if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "failed to get valid proposal.\n"); - /* XXX send information */ - goto end; - } - VPTRINIT(iph1->sa_ret); - - iph1->status = PHASE1ST_MSG2RECEIVED; - - error = 0; - -end: - if (pbuf) - vfree(pbuf); - if (satmp) - vfree(satmp); - return error; -} - -/* - * send to responder - * psk: HDR, KE, Ni - * sig: HDR, KE, Ni - * gssapi: HDR, KE, Ni, GSSi - * rsa: HDR, KE, [ HASH(1), ] PubKey_r, PubKey_r - * rev: HDR, [ HASH(1), ] Pubkey_r, Ke_i, - * Ke_i, [<Ke_i] - */ -int -ident_i2send(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - int error = -1; - - /* validity check */ - if (iph1->status != PHASE1ST_MSG2RECEIVED) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* fix isakmp index */ - memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck, - sizeof(cookie_t)); - - /* generate DH public value */ - if (oakley_dh_generate(iph1->approval->dhgrp, - &iph1->dhpub, &iph1->dhpriv) < 0) - goto end; - - /* generate NONCE value */ - iph1->nonce = eay_set_random(iph1->rmconf->nonce_size); - if (iph1->nonce == NULL) - goto 
end; - -#ifdef HAVE_GSSAPI - if (iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB && - gssapi_get_itoken(iph1, NULL) < 0) - goto end; -#endif - - /* create buffer to send isakmp payload */ - iph1->sendbuf = ident_ir2mx(iph1); - if (iph1->sendbuf == NULL) - goto end; - -#ifdef HAVE_PRINT_ISAKMP_C - isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); -#endif - - /* send the packet, add to the schedule to resend */ - iph1->retry_counter = iph1->rmconf->retry_counter; - if (isakmp_ph1resend(iph1) == -1) - goto end; - - /* the sending message is added to the received-list. */ - if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) { - plog(LLV_ERROR , LOCATION, NULL, - "failed to add a response packet to the tree.\n"); - goto end; - } - - iph1->status = PHASE1ST_MSG2SENT; - - error = 0; - -end: - return error; -} - -/* - * receive from responder - * psk: HDR, KE, Nr - * sig: HDR, KE, Nr [, CR ] - * gssapi: HDR, KE, Nr, GSSr - * rsa: HDR, KE, PubKey_i, PubKey_i - * rev: HDR, PubKey_i, Ke_r, Ke_r, - */ -int -ident_i3recv(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - vchar_t *pbuf = NULL; - struct isakmp_parse_t *pa; - int error = -1; -#ifdef HAVE_GSSAPI - vchar_t *gsstoken = NULL; -#endif - - /* validity check */ - if (iph1->status != PHASE1ST_MSG2SENT) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* validate the type of next payload */ - pbuf = isakmp_parse(msg); - if (pbuf == NULL) - goto end; - - for (pa = (struct isakmp_parse_t *)pbuf->v; - pa->type != ISAKMP_NPTYPE_NONE; - pa++) { - - switch (pa->type) { - case ISAKMP_NPTYPE_KE: - if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) - goto end; - break; - case ISAKMP_NPTYPE_NONCE: - if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) - goto end; - break; - case ISAKMP_NPTYPE_VID: - (void)check_vendorid(pa->ptr); - break; -#ifdef HAVE_SIGNING_C - case ISAKMP_NPTYPE_CR: - if (oakley_savecr(iph1, pa->ptr) < 0) - goto end; 
- break; -#endif -#ifdef HAVE_GSSAPI - case ISAKMP_NPTYPE_GSS: - if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) - goto end; - gssapi_save_received_token(iph1, gsstoken); - break; -#endif - default: - /* don't send information, see ident_r1recv() */ - plog(LLV_ERROR, LOCATION, iph1->remote, - "ignore the packet, " - "received unexpecting payload type %d.\n", - pa->type); - goto end; - } - } - - /* payload existency check */ - if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "few isakmp message received.\n"); - goto end; - } - -#ifdef HAVE_SIGNING_C - if (oakley_checkcr(iph1) < 0) { - /* Ignore this error in order to be interoperability. */ - ; - } -#endif - - iph1->status = PHASE1ST_MSG3RECEIVED; - - error = 0; - -end: - if (pbuf) - vfree(pbuf); - if (error) { - VPTRINIT(iph1->dhpub_p); - VPTRINIT(iph1->nonce_p); - VPTRINIT(iph1->id_p); - oakley_delcert(iph1->cr_p); - iph1->cr_p = NULL; - } - - return error; -} - -/* - * send to responder - * psk: HDR*, IDi1, HASH_I - * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I - * gssapi: HDR*, IDi1, < Gssi(n) | HASH_I > - * rsa: HDR*, HASH_I - * rev: HDR*, HASH_I - */ -int -ident_i3send(iph1, msg0) - struct ph1handle *iph1; - vchar_t *msg0; -{ - int error = -1; - int dohash = 1; -#ifdef HAVE_GSSAPI - int len; -#endif - - /* validity check */ - if (iph1->status != PHASE1ST_MSG3RECEIVED) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* compute sharing secret of DH */ - if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, - iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) - goto end; - - /* generate SKEYIDs & IV & final cipher key */ - if (oakley_skeyid(iph1) < 0) - goto end; - if (oakley_skeyid_dae(iph1) < 0) - goto end; - if (oakley_compute_enckey(iph1) < 0) - goto end; - if (oakley_newiv(iph1) < 0) - goto end; - - /* make ID payload into isakmp status */ - if (ipsecdoi_setid1(iph1) < 0) - goto end; - -#ifdef HAVE_GSSAPI - if 
(iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB && - gssapi_more_tokens(iph1)) { - plog(LLV_DEBUG, LOCATION, NULL, "calling get_itoken\n"); - if (gssapi_get_itoken(iph1, &len) < 0) - goto end; - if (len != 0) - dohash = 0; - } -#endif - - /* generate HASH to send */ - if (dohash) { - iph1->hash = oakley_ph1hash_common(iph1, GENERATE); - if (iph1->hash == NULL) - goto end; - } else - iph1->hash = NULL; - - /* set encryption flag */ - iph1->flags |= ISAKMP_FLAG_E; - - /* create HDR;ID;HASH payload */ - iph1->sendbuf = ident_ir3mx(iph1); - if (iph1->sendbuf == NULL) - goto end; - - /* send the packet, add to the schedule to resend */ - iph1->retry_counter = iph1->rmconf->retry_counter; - if (isakmp_ph1resend(iph1) == -1) - goto end; - - /* the sending message is added to the received-list. */ - if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg0) == -1) { - plog(LLV_ERROR , LOCATION, NULL, - "failed to add a response packet to the tree.\n"); - goto end; - } - - /* see handler.h about IV synchronization. 
*/ - memcpy(iph1->ivm->ive->v, iph1->ivm->iv->v, iph1->ivm->iv->l); - - iph1->status = PHASE1ST_MSG3SENT; - - error = 0; - -end: - return error; -} - -/* - * receive from responder - * psk: HDR*, IDr1, HASH_R - * sig: HDR*, IDr1, [ CERT, ] SIG_R - * gssapi: HDR*, IDr1, < GSSr(n) | HASH_R > - * rsa: HDR*, HASH_R - * rev: HDR*, HASH_R - */ -int -ident_i4recv(iph1, msg0) - struct ph1handle *iph1; - vchar_t *msg0; -{ - vchar_t *pbuf = NULL; - struct isakmp_parse_t *pa; - vchar_t *msg = NULL; - int error = -1; - int type; -#ifdef HAVE_GSSAPI - vchar_t *gsstoken = NULL; -#endif - - /* validity check */ - if (iph1->status != PHASE1ST_MSG3SENT) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* decrypting */ - if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "ignore the packet, " - "expecting the packet encrypted.\n"); - goto end; - } - msg = oakley_do_decrypt(iph1, msg0, iph1->ivm->iv, iph1->ivm->ive); - if (msg == NULL) - goto end; - - /* validate the type of next payload */ - pbuf = isakmp_parse(msg); - if (pbuf == NULL) - goto end; - - iph1->pl_hash = NULL; - - for (pa = (struct isakmp_parse_t *)pbuf->v; - pa->type != ISAKMP_NPTYPE_NONE; - pa++) { - - switch (pa->type) { - case ISAKMP_NPTYPE_ID: - if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) - goto end; - break; - case ISAKMP_NPTYPE_HASH: - iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr; - break; -#ifdef HAVE_SIGNING_C - case ISAKMP_NPTYPE_CERT: - if (oakley_savecert(iph1, pa->ptr) < 0) - goto end; - break; - case ISAKMP_NPTYPE_SIG: - if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) - goto end; - break; -#endif -#ifdef HAVE_GSSAPI - case ISAKMP_NPTYPE_GSS: - if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) - goto end; - gssapi_save_received_token(iph1, gsstoken); - break; -#endif - case ISAKMP_NPTYPE_VID: - (void)check_vendorid(pa->ptr); - break; - case ISAKMP_NPTYPE_N: - isakmp_check_notify(pa->ptr, iph1); - break; - 
default: - /* don't send information, see ident_r1recv() */ - plog(LLV_ERROR, LOCATION, iph1->remote, - "ignore the packet, " - "received unexpecting payload type %d.\n", - pa->type); - goto end; - } - } - - /* payload existency check */ - - /* verify identifier */ - if (ipsecdoi_checkid1(iph1) != 0) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "invalid ID payload.\n"); - goto end; - } - - /* validate authentication value */ -#ifdef HAVE_GSSAPI - if (gsstoken == NULL) { -#endif - type = oakley_validate_auth(iph1); - if (type != 0) { - if (type == -1) { - /* msg printed inner oakley_validate_auth() */ - goto end; - } - isakmp_info_send_n1(iph1, type, NULL); - goto end; - } -#ifdef HAVE_GSSAPI - } -#endif - - /* - * XXX: Should we do compare two addresses, ph1handle's and ID - * payload's. - */ - - plog(LLV_DEBUG, LOCATION, iph1->remote, "peer's ID:"); - plogdump(LLV_DEBUG, iph1->id_p->v, iph1->id_p->l); - - /* see handler.h about IV synchronization. */ - memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->ive->l); - - /* - * If we got a GSS token, we need to this roundtrip again. - */ -#ifdef HAVE_GSSAPI - iph1->status = gsstoken != 0 ? PHASE1ST_MSG3RECEIVED : - PHASE1ST_MSG4RECEIVED; -#else - iph1->status = PHASE1ST_MSG4RECEIVED; -#endif - - error = 0; - -end: - if (pbuf) - vfree(pbuf); - if (msg) - vfree(msg); -#ifdef HAVE_GSSAPI - if (gsstoken) - vfree(gsstoken); -#endif - - if (error) { - VPTRINIT(iph1->id_p); - oakley_delcert(iph1->cert_p); - iph1->cert_p = NULL; - oakley_delcert(iph1->crl_p); - iph1->crl_p = NULL; - VPTRINIT(iph1->sig_p); - } - - return error; -} - -/* - * status update and establish isakmp sa. - */ -int -ident_i4send(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - int error = -1; - - /* validity check */ - if (iph1->status != PHASE1ST_MSG4RECEIVED) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* see handler.h about IV synchronization. 
*/ - memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l); - - iph1->status = PHASE1ST_ESTABLISHED; - - error = 0; - -end: - return error; -} - -/* - * receive from initiator - * psk: HDR, SA - * sig: HDR, SA - * rsa: HDR, SA - * rev: HDR, SA - */ -int -ident_r1recv(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - vchar_t *pbuf = NULL; - struct isakmp_parse_t *pa; - int error = -1; - - /* validity check */ - if (iph1->status != PHASE1ST_START) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* validate the type of next payload */ - /* - * NOTE: XXX even if multiple VID, we'll silently ignore those. - */ - pbuf = isakmp_parse(msg); - if (pbuf == NULL) - goto end; - pa = (struct isakmp_parse_t *)pbuf->v; - - /* check the position of SA payload */ - if (pa->type != ISAKMP_NPTYPE_SA) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "received invalid next payload type %d, " - "expecting %d.\n", - pa->type, ISAKMP_NPTYPE_SA); - goto end; - } - if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0) - goto end; - pa++; - - for (/*nothing*/; - pa->type != ISAKMP_NPTYPE_NONE; - pa++) { - - switch (pa->type) { - case ISAKMP_NPTYPE_VID: - (void)check_vendorid(pa->ptr); - break; - default: - /* - * We don't send information to the peer even - * if we received malformed packet. Because we - * can't distinguish the malformed packet and - * the re-sent packet. And we do same behavior - * when we expect encrypted packet. 
- */ - plog(LLV_ERROR, LOCATION, iph1->remote, - "ignore the packet, " - "received unexpecting payload type %d.\n", - pa->type); - goto end; - } - } - - /* check SA payload and set approval SA for use */ - if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "failed to get valid proposal.\n"); - /* XXX send information */ - goto end; - } - - iph1->status = PHASE1ST_MSG1RECEIVED; - - error = 0; - -end: - if (pbuf) - vfree(pbuf); - if (error) { - VPTRINIT(iph1->sa); - } - - return error; -} - -/* - * send to initiator - * psk: HDR, SA - * sig: HDR, SA - * rsa: HDR, SA - * rev: HDR, SA - */ -int -ident_r1send(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - struct isakmp_gen *gen; - struct isakmp_construct p; - int tlen; - int error = -1; - vchar_t *gss_sa = NULL; - vchar_t *vid = NULL; - - /* validity check */ - if (iph1->status != PHASE1ST_MSG1RECEIVED) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* set responder's cookie */ - isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local); - -#ifdef HAVE_GSSAPI - if (iph1->approval->gssid != NULL) - gss_sa = ipsecdoi_setph1proposal(iph1->approval); - else -#endif - gss_sa = iph1->sa_ret; - - /* create buffer to send isakmp payload */ - tlen = sizeof(struct isakmp) - + sizeof(*gen) + gss_sa->l; - - if ((vid = set_vendorid(iph1->approval->vendorid)) != NULL) - tlen += sizeof(*gen) + vid->l; - - iph1->sendbuf = vmalloc(tlen); - if (iph1->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to send.\n"); - goto end; - } - - /* set isakmp header */ - p = set_isakmp_header(iph1->sendbuf, iph1); - if (p.buff == NULL) - goto end; - - /* set SA payload to reply */ - p = set_isakmp_payload_c(p, gss_sa, ISAKMP_NPTYPE_SA); - - /* Set Vendor ID, if necessary. 
*/ - if (vid) - p = set_isakmp_payload_c(p, vid, ISAKMP_NPTYPE_VID); - -#ifdef HAVE_PRINT_ISAKMP_C - isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); -#endif - - /* send the packet, add to the schedule to resend */ - iph1->retry_counter = iph1->rmconf->retry_counter; - if (isakmp_ph1resend(iph1) == -1) - goto end; - - /* the sending message is added to the received-list. */ - if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) { - plog(LLV_ERROR , LOCATION, NULL, - "failed to add a response packet to the tree.\n"); - goto end; - } - - iph1->status = PHASE1ST_MSG1SENT; - - error = 0; - -end: -#ifdef HAVE_GSSAPI - if (gss_sa != iph1->sa_ret) - vfree(gss_sa); -#endif - if (vid) - vfree(vid); - return error; -} - -/* - * receive from initiator - * psk: HDR, KE, Ni - * sig: HDR, KE, Ni - * gssapi: HDR, KE, Ni, GSSi - * rsa: HDR, KE, [ HASH(1), ] PubKey_r, PubKey_r - * rev: HDR, [ HASH(1), ] Pubkey_r, Ke_i, - * Ke_i, [<Ke_i] - */ -int -ident_r2recv(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - vchar_t *pbuf = NULL; - struct isakmp_parse_t *pa; - int error = -1; -#ifdef HAVE_GSSAPI - vchar_t *gsstoken = NULL; -#endif - - /* validity check */ - if (iph1->status != PHASE1ST_MSG1SENT) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* validate the type of next payload */ - pbuf = isakmp_parse(msg); - if (pbuf == NULL) - goto end; - - for (pa = (struct isakmp_parse_t *)pbuf->v; - pa->type != ISAKMP_NPTYPE_NONE; - pa++) { - - switch (pa->type) { - case ISAKMP_NPTYPE_KE: - if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0) - goto end; - break; - case ISAKMP_NPTYPE_NONCE: - if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0) - goto end; - break; - case ISAKMP_NPTYPE_VID: - (void)check_vendorid(pa->ptr); - break; - case ISAKMP_NPTYPE_CR: - plog(LLV_WARNING, LOCATION, iph1->remote, - "CR received, ignore it. 
" - "It should be in other exchange.\n"); - break; -#ifdef HAVE_GSSAPI - case ISAKMP_NPTYPE_GSS: - if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) - goto end; - gssapi_save_received_token(iph1, gsstoken); - break; -#endif - default: - /* don't send information, see ident_r1recv() */ - plog(LLV_ERROR, LOCATION, iph1->remote, - "ignore the packet, " - "received unexpecting payload type %d.\n", - pa->type); - goto end; - } - } - - /* payload existency check */ - if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "few isakmp message received.\n"); - goto end; - } - - iph1->status = PHASE1ST_MSG2RECEIVED; - - error = 0; - -end: - if (pbuf) - vfree(pbuf); -#ifdef HAVE_GSSAPI - if (gsstoken) - vfree(gsstoken); -#endif - - if (error) { - VPTRINIT(iph1->dhpub_p); - VPTRINIT(iph1->nonce_p); - VPTRINIT(iph1->id_p); - } - - return error; -} - -/* - * send to initiator - * psk: HDR, KE, Nr - * sig: HDR, KE, Nr [, CR ] - * gssapi: HDR, KE, Nr, GSSr - * rsa: HDR, KE, PubKey_i, PubKey_i - * rev: HDR, PubKey_i, Ke_r, Ke_r, - */ -int -ident_r2send(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - int error = -1; - - /* validity check */ - if (iph1->status != PHASE1ST_MSG2RECEIVED) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* generate DH public value */ - if (oakley_dh_generate(iph1->approval->dhgrp, - &iph1->dhpub, &iph1->dhpriv) < 0) - goto end; - - /* generate NONCE value */ - iph1->nonce = eay_set_random(iph1->rmconf->nonce_size); - if (iph1->nonce == NULL) - goto end; - -#ifdef HAVE_GSSAPI - if (iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) - gssapi_get_rtoken(iph1, NULL); -#endif - - /* create HDR;KE;NONCE payload */ - iph1->sendbuf = ident_ir2mx(iph1); - if (iph1->sendbuf == NULL) - goto end; - -#ifdef HAVE_PRINT_ISAKMP_C - isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0); -#endif - - /* send the packet, add to the schedule to resend */ - 
iph1->retry_counter = iph1->rmconf->retry_counter; - if (isakmp_ph1resend(iph1) == -1) - goto end; - - /* the sending message is added to the received-list. */ - if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) { - plog(LLV_ERROR , LOCATION, NULL, - "failed to add a response packet to the tree.\n"); - goto end; - } - - /* compute sharing secret of DH */ - if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub, - iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0) - goto end; - - /* generate SKEYIDs & IV & final cipher key */ - if (oakley_skeyid(iph1) < 0) - goto end; - if (oakley_skeyid_dae(iph1) < 0) - goto end; - if (oakley_compute_enckey(iph1) < 0) - goto end; - if (oakley_newiv(iph1) < 0) - goto end; - - iph1->status = PHASE1ST_MSG2SENT; - - error = 0; - -end: - return error; -} - -/* - * receive from initiator - * psk: HDR*, IDi1, HASH_I - * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I - * gssapi: HDR*, [ IDi1, ] < GSSi(n) | HASH_I > - * rsa: HDR*, HASH_I - * rev: HDR*, HASH_I - */ -int -ident_r3recv(iph1, msg0) - struct ph1handle *iph1; - vchar_t *msg0; -{ - vchar_t *msg = NULL; - vchar_t *pbuf = NULL; - struct isakmp_parse_t *pa; - int error = -1; - int type; -#ifdef HAVE_GSSAPI - vchar_t *gsstoken = NULL; -#endif - - /* validity check */ - if (iph1->status != PHASE1ST_MSG2SENT) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* decrypting */ - if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "reject the packet, " - "expecting the packet encrypted.\n"); - goto end; - } - msg = oakley_do_decrypt(iph1, msg0, iph1->ivm->iv, iph1->ivm->ive); - if (msg == NULL) - goto end; - - /* validate the type of next payload */ - pbuf = isakmp_parse(msg); - if (pbuf == NULL) - goto end; - - iph1->pl_hash = NULL; - - for (pa = (struct isakmp_parse_t *)pbuf->v; - pa->type != ISAKMP_NPTYPE_NONE; - pa++) { - - switch (pa->type) { - case ISAKMP_NPTYPE_ID: 
- if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0) - goto end; - break; - case ISAKMP_NPTYPE_HASH: - iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr; - break; -#ifdef HAVE_SIGNING_C - case ISAKMP_NPTYPE_CR: - if (oakley_savecr(iph1, pa->ptr) < 0) - goto end; - break; - case ISAKMP_NPTYPE_CERT: - if (oakley_savecert(iph1, pa->ptr) < 0) - goto end; - break; - case ISAKMP_NPTYPE_SIG: - if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0) - goto end; - break; -#endif -#ifdef HAVE_GSSAPI - case ISAKMP_NPTYPE_GSS: - if (isakmp_p2ph(&gsstoken, pa->ptr) < 0) - goto end; - gssapi_save_received_token(iph1, gsstoken); - break; -#endif - case ISAKMP_NPTYPE_VID: - (void)check_vendorid(pa->ptr); - break; - case ISAKMP_NPTYPE_N: - isakmp_check_notify(pa->ptr, iph1); - break; - default: - /* don't send information, see ident_r1recv() */ - plog(LLV_ERROR, LOCATION, iph1->remote, - "ignore the packet, " - "received unexpecting payload type %d.\n", - pa->type); - goto end; - } - } - - /* payload existency check */ - /* XXX same as ident_i4recv(), should be merged. 
*/ - { - int ng = 0; - - switch (iph1->approval->authmethod) { - case OAKLEY_ATTR_AUTH_METHOD_PSKEY: - if (iph1->id_p == NULL || iph1->pl_hash == NULL) - ng++; - break; - case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: - case OAKLEY_ATTR_AUTH_METHOD_RSASIG: - if (iph1->id_p == NULL || iph1->sig_p == NULL) - ng++; - break; - case OAKLEY_ATTR_AUTH_METHOD_RSAENC: - case OAKLEY_ATTR_AUTH_METHOD_RSAREV: - if (iph1->pl_hash == NULL) - ng++; - break; -#ifdef HAVE_GSSAPI - case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: - if (gsstoken == NULL && iph1->pl_hash == NULL) - ng++; - break; -#endif - default: - plog(LLV_ERROR, LOCATION, iph1->remote, - "invalid authmethod %d why ?\n", - iph1->approval->authmethod); - goto end; - } - if (ng) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "few isakmp message received.\n"); - goto end; - } - } - - /* verify identifier */ - if (ipsecdoi_checkid1(iph1) != 0) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "invalid ID payload.\n"); - goto end; - } - - /* validate authentication value */ -#ifdef HAVE_GSSAPI - if (gsstoken == NULL) { -#endif - type = oakley_validate_auth(iph1); - if (type != 0) { - if (type == -1) { - /* msg printed inner oakley_validate_auth() */ - goto end; - } - isakmp_info_send_n1(iph1, type, NULL); - goto end; - } -#ifdef HAVE_GSSAPI - } -#endif - -#ifdef HAVE_SIGNING_C - if (oakley_checkcr(iph1) < 0) { - /* Ignore this error in order to be interoperability. */ - ; - } -#endif - - /* - * XXX: Should we do compare two addresses, ph1handle's and ID - * payload's. - */ - - plog(LLV_DEBUG, LOCATION, iph1->remote, "peer's ID\n"); - plogdump(LLV_DEBUG, iph1->id_p->v, iph1->id_p->l); - - /* see handler.h about IV synchronization. */ - memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->ive->l); - -#ifdef HAVE_GSSAPI - iph1->status = gsstoken != NULL ? 
PHASE1ST_MSG2RECEIVED : - PHASE1ST_MSG3RECEIVED; -#else - iph1->status = PHASE1ST_MSG3RECEIVED; -#endif - - error = 0; - -end: - if (pbuf) - vfree(pbuf); - if (msg) - vfree(msg); -#ifdef HAVE_GSSAPI - if (gsstoken) - vfree(gsstoken); -#endif - - if (error) { - VPTRINIT(iph1->id_p); - oakley_delcert(iph1->cert_p); - iph1->cert_p = NULL; - oakley_delcert(iph1->crl_p); - iph1->crl_p = NULL; - VPTRINIT(iph1->sig_p); - oakley_delcert(iph1->cr_p); - iph1->cr_p = NULL; - } - - return error; -} - -/* - * send to initiator - * psk: HDR*, IDr1, HASH_R - * sig: HDR*, IDr1, [ CERT, ] SIG_R - * gssapi: HDR*, IDr1, < GSSr(n) | HASH_R > - * rsa: HDR*, HASH_R - * rev: HDR*, HASH_R - */ -int -ident_r3send(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - int error = -1; - int dohash = 1; -#ifdef HAVE_GSSAPI - int len; -#endif - - /* validity check */ - if (iph1->status != PHASE1ST_MSG3RECEIVED) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph1->status); - goto end; - } - - /* make ID payload into isakmp status */ - if (ipsecdoi_setid1(iph1) < 0) - goto end; - -#ifdef HAVE_GSSAPI - if (iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB && - gssapi_more_tokens(iph1)) { - gssapi_get_rtoken(iph1, &len); - if (len != 0) - dohash = 0; - } -#endif - - if (dohash) { - /* generate HASH to send */ - plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_R\n"); - iph1->hash = oakley_ph1hash_common(iph1, GENERATE); - if (iph1->hash == NULL) - goto end; - } else - iph1->hash = NULL; - - /* set encryption flag */ - iph1->flags |= ISAKMP_FLAG_E; - - /* create HDR;ID;HASH payload */ - iph1->sendbuf = ident_ir3mx(iph1); - if (iph1->sendbuf == NULL) - goto end; - - /* send HDR;ID;HASH to responder */ - if (isakmp_send(iph1, iph1->sendbuf) < 0) - goto end; - - /* the sending message is added to the received-list. 
*/ - if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) { - plog(LLV_ERROR , LOCATION, NULL, - "failed to add a response packet to the tree.\n"); - goto end; - } - - /* see handler.h about IV synchronization. */ - memcpy(iph1->ivm->ive->v, iph1->ivm->iv->v, iph1->ivm->iv->l); - - iph1->status = PHASE1ST_ESTABLISHED; - - error = 0; - -end: - - return error; -} - -/* - * This is used in main mode for: - * initiator's 3rd exchange send to responder - * psk: HDR, KE, Ni - * sig: HDR, KE, Ni - * rsa: HDR, KE, [ HASH(1), ] PubKey_r, PubKey_r - * rev: HDR, [ HASH(1), ] Pubkey_r, Ke_i, - * Ke_i, [<Ke_i] - * responders 2nd exchnage send to initiator - * psk: HDR, KE, Nr - * sig: HDR, KE, Nr [, CR ] - * rsa: HDR, KE, PubKey_i, PubKey_i - * rev: HDR, PubKey_i, Ke_r, Ke_r, - */ -static vchar_t * -ident_ir2mx(iph1) - struct ph1handle *iph1; -{ - vchar_t *buf = 0; - struct isakmp_gen *gen; - struct isakmp_construct p; - int tlen; - int need_cr = 0; - vchar_t *cr = NULL; - vchar_t *vid = NULL; - int error = -1; -#ifdef HAVE_GSSAPI - vchar_t *gsstoken = NULL; -#endif - -#ifdef HAVE_SIGNING_C - /* create CR if need */ - if (iph1->side == RESPONDER - && iph1->rmconf->send_cr - && oakley_needcr(iph1->approval->authmethod) - && iph1->rmconf->peerscertfile == NULL) { - need_cr = 1; - cr = oakley_getcr(iph1); - if (cr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get cr buffer.\n"); - goto end; - } - } -#endif - -#ifdef HAVE_GSSAPI - if (iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) - gssapi_get_token_to_send(iph1, &gsstoken); -#endif - - /* create buffer */ - tlen = sizeof(struct isakmp) - + sizeof(*gen) + iph1->dhpub->l - + sizeof(*gen) + iph1->nonce->l; - if ((vid = set_vendorid(iph1->approval->vendorid)) != NULL) - tlen += sizeof(*gen) + vid->l; - if (need_cr) - tlen += sizeof(*gen) + cr->l; -#ifdef HAVE_GSSAPI - if (gsstoken) - tlen += sizeof(*gen) + gsstoken->l; -#endif - - buf = vmalloc(tlen); - if (buf == NULL) { - 
plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to send.\n"); - goto end; - } - - /* set isakmp header */ - p = set_isakmp_header(buf, iph1); - if (p.buff == NULL) - goto end; - - /* create isakmp KE payload */ - p = set_isakmp_payload_c(p, iph1->dhpub, ISAKMP_NPTYPE_KE); - - /* create isakmp NONCE payload */ - p = set_isakmp_payload_c(p, iph1->nonce, ISAKMP_NPTYPE_NONCE); - -#ifdef HAVE_GSSAPI - if (iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) { - p = set_isakmp_payload_c(p, gsstoken, ISAKMP_NPTYPE_GSS); - } -#endif - - /* append vendor id, if needed */ - if (vid) - p = set_isakmp_payload_c(p, vid, ISAKMP_NPTYPE_VID); - - /* create isakmp CR payload if needed */ - if (need_cr) - p = set_isakmp_payload_c(p, cr, ISAKMP_NPTYPE_CR); - - error = 0; - -end: - if (error && buf != NULL) { - vfree(buf); - buf = NULL; - } - if (cr) - vfree(cr); -#ifdef HAVE_GSSAPI - if (gsstoken) - vfree(gsstoken); -#endif - if (vid) - vfree(vid); - - return buf; -} - -/* - * This is used in main mode for: - * initiator's 4th exchange send to responder - * psk: HDR*, IDi1, HASH_I - * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I - * gssapi: HDR*, [ IDi1, ] < GSSi(n) | HASH_I > - * rsa: HDR*, HASH_I - * rev: HDR*, HASH_I - * responders 3rd exchnage send to initiator - * psk: HDR*, IDr1, HASH_R - * sig: HDR*, IDr1, [ CERT, ] SIG_R - * gssapi: HDR*, [ IDr1, ] < GSSr(n) | HASH_R > - * rsa: HDR*, HASH_R - * rev: HDR*, HASH_R - */ -static vchar_t * -ident_ir3mx(iph1) - struct ph1handle *iph1; -{ - vchar_t *buf = NULL, *new = NULL; - struct isakmp_construct p; - int tlen; - struct isakmp_gen *gen; - int need_cr = 0; - int need_cert = 0; - vchar_t *cr = NULL; - int error = -1; -#ifdef HAVE_GSSAPI - vchar_t *gsstoken = NULL; - vchar_t *gsshash = NULL; -#endif - - tlen = sizeof(struct isakmp); - - switch (iph1->approval->authmethod) { - case OAKLEY_ATTR_AUTH_METHOD_PSKEY: - tlen += sizeof(*gen) + iph1->id->l - + sizeof(*gen) + iph1->hash->l; - - buf = vmalloc(tlen); - if (buf 
== NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to send.\n"); - goto end; - } - - /* set isakmp header */ - p = set_isakmp_header(buf, iph1); - if (p.buff == NULL) - goto end; - - /* create isakmp ID payload */ - p = set_isakmp_payload_c(p, iph1->id, ISAKMP_NPTYPE_ID); - - /* create isakmp HASH payload */ - p = set_isakmp_payload_c(p, iph1->hash, ISAKMP_NPTYPE_HASH); - break; -#ifdef HAVE_SIGNING_C - case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: - case OAKLEY_ATTR_AUTH_METHOD_RSASIG: - if (oakley_getmycert(iph1) < 0) - goto end; - - if (oakley_getsign(iph1) < 0) - goto end; - - /* create CR if need */ - if (iph1->side == INITIATOR - && iph1->rmconf->send_cr - && oakley_needcr(iph1->approval->authmethod) - && iph1->rmconf->peerscertfile == NULL) { - need_cr = 1; - cr = oakley_getcr(iph1); - if (cr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get cr buffer.\n"); - goto end; - } - } - - if (iph1->cert != NULL && iph1->rmconf->send_cert) - need_cert = 1; - - tlen += sizeof(*gen) + iph1->id->l - + sizeof(*gen) + iph1->sig->l; - if (need_cert) - tlen += sizeof(*gen) + iph1->cert->pl->l; - if (need_cr) - tlen += sizeof(*gen) + cr->l; - - buf = vmalloc(tlen); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to send.\n"); - goto end; - } - - /* set isakmp header */ - p = set_isakmp_header(buf, iph1); - if (p.buff == NULL) - goto end; - - /* add ID payload */ - p = set_isakmp_payload_c(p, iph1->id, ISAKMP_NPTYPE_ID); - - /* add CERT payload if there */ - if (need_cert) - p = set_isakmp_payload_c(p, iph1->cert->pl, ISAKMP_NPTYPE_CERT); - /* add SIG payload */ - p = set_isakmp_payload_c(p, iph1->sig, ISAKMP_NPTYPE_SIG); - - /* create isakmp CR payload */ - if (need_cr) - p = set_isakmp_payload_c(p, cr, ISAKMP_NPTYPE_CR); - break; -#endif -#ifdef HAVE_GSSAPI - case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: - if (!gssapi_id_sent(iph1)) - tlen += sizeof (*gen) + iph1->id->l; - if (iph1->hash != NULL) { - gsshash = 
gssapi_wraphash(iph1); - if (gsshash == NULL) - goto end; - tlen += sizeof (*gen) + gsshash->l; - } else { - gssapi_get_token_to_send(iph1, &gsstoken); - tlen += sizeof (*gen) + gsstoken->l; - } - - buf = vmalloc(tlen); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to send.\n"); - goto end; - } - - /* set isakmp header */ - p = set_isakmp_header(buf, iph1); - if (p.buff == NULL) - goto end; - - if (!gssapi_id_sent(iph1)) { - /* create isakmp ID payload */ - p = set_isakmp_payload_c(p, iph1->id, ISAKMP_NPTYPE_ID); - if (p.buff == NULL) - goto end; - gssapi_set_id_sent(iph1); - } - - if (iph1->hash != NULL) - /* create isakmp HASH payload */ - p = set_isakmp_payload_c(p, gsshash, ISAKMP_NPTYPE_HASH); - else - p = set_isakmp_payload_c(p, gsstoken, ISAKMP_NPTYPE_GSS); - break; -#endif - case OAKLEY_ATTR_AUTH_METHOD_RSAENC: - case OAKLEY_ATTR_AUTH_METHOD_RSAREV: - plog(LLV_ERROR, LOCATION, NULL, - "not supported authentication type %d\n", - iph1->approval->authmethod); - goto end; - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid authentication type %d\n", - iph1->approval->authmethod); - goto end; - } - -#ifdef HAVE_PRINT_ISAKMP_C - isakmp_printpacket(buf, iph1->local, iph1->remote, 1); -#endif - - /* encoding */ - new = oakley_do_encrypt(iph1, buf, iph1->ivm->ive, iph1->ivm->iv); - if (new == NULL) - goto end; - - vfree(buf); - - buf = new; - - error = 0; - -end: - if (cr) - vfree(cr); - if (error && buf != NULL) { - vfree(buf); - buf = NULL; - } - - return buf; -} diff --git a/kame/kame/racoon/isakmp_ident.h b/kame/kame/racoon/isakmp_ident.h deleted file mode 100644 index 85937cc505..0000000000 --- a/kame/kame/racoon/isakmp_ident.h +++ /dev/null 
@@ -1,45 +0,0 @@
-/* $KAME: isakmp_ident.h,v 1.4 2000/10/04 17:41:00 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-extern int ident_i1send __P((struct ph1handle *, vchar_t *));
-extern int ident_i2recv __P((struct ph1handle *, vchar_t *));
-extern int ident_i2send __P((struct ph1handle *, vchar_t *));
-extern int ident_i3recv __P((struct ph1handle *, vchar_t *));
-extern int ident_i3send __P((struct ph1handle *, vchar_t *));
-extern int ident_i4recv __P((struct ph1handle *, vchar_t *));
-extern int ident_i4send __P((struct ph1handle *, vchar_t *));
-
-extern int ident_r1recv __P((struct ph1handle *, vchar_t *));
-extern int ident_r1send __P((struct ph1handle *, vchar_t *));
-extern int ident_r2recv __P((struct ph1handle *, vchar_t *));
-extern int ident_r2send __P((struct ph1handle *, vchar_t *));
-extern int ident_r3recv __P((struct ph1handle *, vchar_t *));
-extern int ident_r3send __P((struct ph1handle *, vchar_t *));
diff --git a/kame/kame/racoon/isakmp_inf.c b/kame/kame/racoon/isakmp_inf.c
deleted file mode 100644
index bc52a98332..0000000000
--- a/kame/kame/racoon/isakmp_inf.c
+++ /dev/null
@@ -1,1361 +0,0 @@
-/* $KAME: isakmp_inf.c,v 1.85 2004/09/10 04:39:36 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include -#include -#include - -#include -#include -#include -#include -#ifdef IPV6_INRIA_VERSION -#include -#include -#else -#include -#endif - -#include -#include -#include -#include -#if TIME_WITH_SYS_TIME -# include -# include -#else -# if HAVE_SYS_TIME_H -# include -# else -# include -# endif -#endif - -#include "libpfkey.h" - -#include "var.h" -#include "vmbuf.h" -#include "schedule.h" -#include "str2val.h" -#include "misc.h" -#include "plog.h" -#include "debug.h" - -#include "localconf.h" -#include "remoteconf.h" -#include "sockmisc.h" -#include "isakmp_var.h" -#include "isakmp.h" -#include "isakmp_inf.h" -#include "oakley.h" -#include "handler.h" -#include "ipsec_doi.h" -#include "crypto_openssl.h" -#include "pfkey.h" -#include "policy.h" -#include "algorithm.h" -#include "proposal.h" -#include "admin.h" -#include "strnames.h" - -/* information exchange */ -static int isakmp_info_recv_n __P((struct ph1handle *, vchar_t *)); -static int isakmp_info_recv_d __P((struct ph1handle *, vchar_t *)); - -static void purge_isakmp_spi __P((int, isakmp_index *, size_t)); -static void purge_ipsec_spi __P((struct sockaddr *, int, u_int32_t *, size_t)); -static void info_recv_initialcontact __P((struct ph1handle *)); - -/* %%% - * Information Exchange - */ -/* - * receive Information - */ -int -isakmp_info_recv(iph1, msg0) - struct ph1handle *iph1; - vchar_t *msg0; -{ - vchar_t *msg = NULL; - int error = -1; - struct isakmp *isakmp; - struct isakmp_gen *gen; - u_int8_t np; - int encrypted; - - plog(LLV_DEBUG, LOCATION, NULL, "receive Information.\n"); - - encrypted = ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E); - - /* Use new IV to decrypt Informational message. 
*/ - if (encrypted) { - - struct isakmp_ivm *ivm; - - /* compute IV */ - ivm = oakley_newiv2(iph1, ((struct isakmp *)msg0->v)->msgid); - if (ivm == NULL) - return -1; - - msg = oakley_do_decrypt(iph1, msg0, ivm->iv, ivm->ive); - oakley_delivm(ivm); - if (msg == NULL) - return -1; - - } else - msg = vdup(msg0); - - isakmp = (struct isakmp *)msg->v; - gen = (struct isakmp_gen *)((caddr_t)isakmp + sizeof(struct isakmp)); - - if (isakmp->np != ISAKMP_NPTYPE_HASH) { - plog(LLV_ERROR, LOCATION, NULL, - "ignore information because the message has no hash payload.\n"); - goto end; - } - - if (iph1->status != PHASE1ST_ESTABLISHED) { - plog(LLV_ERROR, LOCATION, NULL, - "ignore information because ISAKMP-SA has not been established yet.\n"); - goto end; - } - - np = gen->np; - - { - void *p; - vchar_t *hash, *payload; - struct isakmp_gen *nd; - - p = (caddr_t) gen + sizeof(struct isakmp_gen); - nd = (struct isakmp_gen *) ((caddr_t) gen + ntohs(gen->len)); - - /* nd length check */ - if (ntohs(nd->len) > msg->l - (sizeof(struct isakmp) + - ntohs(gen->len))) { - plog(LLV_ERROR, LOCATION, NULL, - "too long payload length (broken message?)\n"); - goto end; - } - - payload = vmalloc(ntohs(nd->len)); - if (payload == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "cannot allocate memory\n"); - goto end; - } - - memcpy(payload->v, (caddr_t) nd, ntohs(nd->len)); - - /* compute HASH */ - hash = oakley_compute_hash1(iph1, isakmp->msgid, payload); - if (hash == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "cannot compute hash\n"); - - vfree(payload); - goto end; - } - - if (ntohs(gen->len) - sizeof(struct isakmp_gen) != hash->l) { - plog(LLV_ERROR, LOCATION, NULL, - "ignore information due to hash length mismatch\n"); - - vfree(hash); - vfree(payload); - goto end; - } - - if (memcmp(p, hash->v, hash->l) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "ignore information due to hash mismatch\n"); - - vfree(hash); - vfree(payload); - goto end; - } - - plog(LLV_DEBUG, LOCATION, NULL, "hash 
validated.\n"); - - vfree(hash); - vfree(payload); - } - - /* make sure the packet were encrypted. */ - if (!encrypted) { - switch (iph1->etype) { - case ISAKMP_ETYPE_AGG: - case ISAKMP_ETYPE_BASE: - case ISAKMP_ETYPE_IDENT: - if ((iph1->side == INITIATOR && iph1->status < PHASE1ST_MSG3SENT) - || (iph1->side == RESPONDER && iph1->status < PHASE1ST_MSG2SENT)) { - break; - } - /*FALLTHRU*/ - default: - plog(LLV_ERROR, LOCATION, iph1->remote, - "%s message must be encrypted\n", - s_isakmp_nptype(np)); - goto end; - } - } - - switch (np) { - case ISAKMP_NPTYPE_N: - if (isakmp_info_recv_n(iph1, msg) < 0) - goto end; - break; - case ISAKMP_NPTYPE_D: - if (isakmp_info_recv_d(iph1, msg) < 0) - goto end; - break; - case ISAKMP_NPTYPE_NONCE: - /* XXX to be 6.4.2 ike-01.txt */ - /* XXX IV is to be synchronized. */ - plog(LLV_ERROR, LOCATION, iph1->remote, - "ignore Acknowledged Informational\n"); - break; - default: - /* don't send information, see isakmp_ident_r1() */ - error = 0; - plog(LLV_ERROR, LOCATION, iph1->remote, - "reject the packet, " - "received unexpecting payload type %d.\n", - gen->np); - goto end; - } - - end: - if (msg != NULL) - vfree(msg); - - return 0; -} - -/* - * send Delete payload (for ISAKMP SA) in Informational exchange. - */ -int -isakmp_info_send_d1(iph1) - struct ph1handle *iph1; -{ - struct isakmp_pl_d *d; - vchar_t *payload = NULL; - int tlen; - int error = 0; - - if (iph1->status != PHASE2ST_ESTABLISHED) - return 0; - - /* create delete payload */ - - /* send SPIs of inbound SAs. */ - /* XXX should send outbound SAs's ? 
*/ - tlen = sizeof(*d) + sizeof(isakmp_index); - payload = vmalloc(tlen); - if (payload == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer for payload.\n"); - return errno; - } - - d = (struct isakmp_pl_d *)payload->v; - d->h.np = ISAKMP_NPTYPE_NONE; - d->h.len = htons(tlen); - d->doi = htonl(IPSEC_DOI); - d->proto_id = IPSECDOI_PROTO_ISAKMP; - d->spi_size = sizeof(isakmp_index); - d->num_spi = htons(1); - memcpy(d + 1, &iph1->index, sizeof(isakmp_index)); - - error = isakmp_info_send_common(iph1, payload, - ISAKMP_NPTYPE_D, 0); - vfree(payload); - - return error; -} - -/* - * send Delete payload (for IPsec SA) in Informational exchange, based on - * pfkey msg. It sends always single SPI. - */ -int -isakmp_info_send_d2(iph2) - struct ph2handle *iph2; -{ - struct ph1handle *iph1; - struct saproto *pr; - struct isakmp_pl_d *d; - vchar_t *payload = NULL; - int tlen; - int error = 0; - u_int8_t *spi; - - if (iph2->status != PHASE2ST_ESTABLISHED) - return 0; - - /* - * don't send delete information if there is no phase 1 handler. - * It's nonsensical to negotiate phase 1 to send the information. - */ - iph1 = getph1byaddr(iph2->src, iph2->dst); - if (iph1 == NULL) - return 0; - - /* create delete payload */ - for (pr = iph2->approval->head; pr != NULL; pr = pr->next) { - - /* send SPIs of inbound SAs. */ - /* - * XXX should I send outbound SAs's ? - * I send inbound SAs's SPI only at the moment because I can't - * decode any more if peer send encoded packet without aware of - * deletion of SA. Outbound SAs don't come under the situation. 
- */ - tlen = sizeof(*d) + pr->spisize; - payload = vmalloc(tlen); - if (payload == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer for payload.\n"); - return errno; - } - - d = (struct isakmp_pl_d *)payload->v; - d->h.np = ISAKMP_NPTYPE_NONE; - d->h.len = htons(tlen); - d->doi = htonl(IPSEC_DOI); - d->proto_id = pr->proto_id; - d->spi_size = pr->spisize; - d->num_spi = htons(1); - /* - * XXX SPI bits are left-filled, for use with IPComp. - * we should be switching to variable-length spi field... - */ - spi = (u_int8_t *)&pr->spi; - spi += sizeof(pr->spi); - spi -= pr->spisize; - memcpy(d + 1, spi, pr->spisize); - - error = isakmp_info_send_common(iph1, payload, - ISAKMP_NPTYPE_D, 0); - vfree(payload); - } - - return error; -} - -/* - * send Notification payload (for without ISAKMP SA) in Informational exchange - */ -int -isakmp_info_send_nx(isakmp, remote, local, type, data) - struct isakmp *isakmp; - struct sockaddr *remote, *local; - int type; - vchar_t *data; -{ - struct ph1handle *iph1 = NULL; - struct remoteconf *rmconf; - vchar_t *payload = NULL; - int tlen; - int error = -1; - struct isakmp_pl_n *n; - int spisiz = 0; /* see below */ - - /* search appropreate configuration */ - rmconf = getrmconf(remote); - if (rmconf == NULL) { - plog(LLV_ERROR, LOCATION, remote, - "no configuration found for peer address.\n"); - goto end; - } - - /* add new entry to isakmp status table. 
*/ - iph1 = newph1(); - if (iph1 == NULL) - return -1; - - memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(cookie_t)); - isakmp_newcookie((char *)&iph1->index.r_ck, remote, local); - iph1->status = PHASE1ST_START; - iph1->rmconf = rmconf; - iph1->side = INITIATOR; - iph1->version = isakmp->v; - iph1->flags = 0; - iph1->msgid = 0; /* XXX */ - - /* copy remote address */ - if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) - return -1; - - tlen = sizeof(*n) + spisiz; - if (data) - tlen += data->l; - payload = vmalloc(tlen); - if (payload == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to send.\n"); - goto end; - } - - n = (struct isakmp_pl_n *)payload->v; - n->h.np = ISAKMP_NPTYPE_NONE; - n->h.len = htons(tlen); - n->doi = htonl(IPSEC_DOI); - n->proto_id = IPSECDOI_KEY_IKE; - n->spi_size = spisiz; - n->type = htons(type); - if (spisiz) - memset(n + 1, 0, spisiz); /*XXX*/ - if (data) - memcpy((caddr_t)(n + 1) + spisiz, data->v, data->l); - - error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, 0); - vfree(payload); - - end: - if (iph1 != NULL) - delph1(iph1); - - return error; -} - -/* - * send Notification payload (for ISAKMP SA) in Informational exchange - */ -int -isakmp_info_send_n1(iph1, type, data) - struct ph1handle *iph1; - int type; - vchar_t *data; -{ - vchar_t *payload = NULL; - int tlen; - int error = 0; - struct isakmp_pl_n *n; - int spisiz; - - /* - * note on SPI size: which description is correct? I have chosen - * this to be 0. - * - * RFC2408 3.1, 2nd paragraph says: ISAKMP SA is identified by - * Initiator/Responder cookie and SPI has no meaning, SPI size = 0. - * RFC2408 3.1, first paragraph on page 40: ISAKMP SA is identified - * by cookie and SPI has no meaning, 0 <= SPI size <= 16. - * RFC2407 4.6.3.3, INITIAL-CONTACT is required to set to 16. 
- */ - if (type == ISAKMP_NTYPE_INITIAL_CONTACT) - spisiz = sizeof(isakmp_index); - else - spisiz = 0; - - tlen = sizeof(*n) + spisiz; - if (data) - tlen += data->l; - payload = vmalloc(tlen); - if (payload == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to send.\n"); - return errno; - } - - n = (struct isakmp_pl_n *)payload->v; - n->h.np = ISAKMP_NPTYPE_NONE; - n->h.len = htons(tlen); - n->doi = htonl(iph1->rmconf->doitype); - n->proto_id = IPSECDOI_PROTO_ISAKMP; /* XXX to be configurable ? */ - n->spi_size = spisiz; - n->type = htons(type); - if (spisiz) - memcpy(n + 1, &iph1->index, sizeof(isakmp_index)); - if (data) - memcpy((caddr_t)(n + 1) + spisiz, data->v, data->l); - - error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, iph1->flags); - vfree(payload); - - return error; -} - -/* - * send Notification payload (for IPsec SA) in Informational exchange - */ -int -isakmp_info_send_n2(iph2, type, data) - struct ph2handle *iph2; - int type; - vchar_t *data; -{ - struct ph1handle *iph1 = iph2->ph1; - vchar_t *payload = NULL; - int tlen; - int error = 0; - struct isakmp_pl_n *n; - struct saproto *pr; - - if (!iph2->approval) - return EINVAL; - - pr = iph2->approval->head; - - /* XXX must be get proper spi */ - tlen = sizeof(*n) + pr->spisize; - if (data) - tlen += data->l; - payload = vmalloc(tlen); - if (payload == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to send.\n"); - return errno; - } - - n = (struct isakmp_pl_n *)payload->v; - n->h.np = ISAKMP_NPTYPE_NONE; - n->h.len = htons(tlen); - n->doi = htonl(IPSEC_DOI); /* IPSEC DOI (1) */ - n->proto_id = pr->proto_id; /* IPSEC AH/ESP/whatever*/ - n->spi_size = pr->spisize; - n->type = htons(type); - *(u_int32_t *)(n + 1) = pr->spi; - if (data) - memcpy((caddr_t)(n + 1) + pr->spisize, data->v, data->l); - - iph2->flags |= ISAKMP_FLAG_E; /* XXX Should we do FLAG_A ? 
*/ - error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, iph2->flags); - vfree(payload); - - return error; -} - -/* - * send Information - * When ph1->skeyid_a == NULL, send message without encoding. - */ -int -isakmp_info_send_common(iph1, payload, np, flags) - struct ph1handle *iph1; - vchar_t *payload; - u_int32_t np; - int flags; -{ - struct ph2handle *iph2 = NULL; - vchar_t *hash = NULL; - struct isakmp *isakmp; - struct isakmp_gen *gen; - char *p; - int tlen; - int error = -1; - - /* add new entry to isakmp status table */ - iph2 = newph2(); - if (iph2 == NULL) - goto end; - - iph2->dst = dupsaddr(iph1->remote); - iph2->src = dupsaddr(iph1->local); - switch (iph1->remote->sa_family) { - case AF_INET: - ((struct sockaddr_in *)iph2->dst)->sin_port = 0; - ((struct sockaddr_in *)iph2->src)->sin_port = 0; - break; -#ifdef INET6 - case AF_INET6: - ((struct sockaddr_in6 *)iph2->dst)->sin6_port = 0; - ((struct sockaddr_in6 *)iph2->src)->sin6_port = 0; - break; -#endif - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid family: %d\n", iph1->remote->sa_family); - delph2(iph2); - goto end; - } - iph2->ph1 = iph1; - iph2->side = INITIATOR; - iph2->status = PHASE2ST_START; - iph2->msgid = isakmp_newmsgid2(iph1); - - /* get IV and HASH(1) if skeyid_a was generated. */ - if (iph1->skeyid_a != NULL) { - iph2->ivm = oakley_newiv2(iph1, iph2->msgid); - if (iph2->ivm == NULL) { - delph2(iph2); - goto end; - } - - /* generate HASH(1) */ - hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, payload); - if (hash == NULL) { - delph2(iph2); - goto end; - } - - /* initialized total buffer length */ - tlen = hash->l; - tlen += sizeof(*gen); - } else { - /* IKE-SA is not established */ - hash = NULL; - - /* initialized total buffer length */ - tlen = 0; - } - if ((flags & ISAKMP_FLAG_A) == 0) - iph2->flags = (hash == NULL ? 0 : ISAKMP_FLAG_E); - else - iph2->flags = (hash == NULL ? 
0 : ISAKMP_FLAG_A); - - insph2(iph2); - bindph12(iph1, iph2); - - tlen += sizeof(*isakmp) + payload->l; - - /* create buffer for isakmp payload */ - iph2->sendbuf = vmalloc(tlen); - if (iph2->sendbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to send.\n"); - goto err; - } - - /* create isakmp header */ - isakmp = (struct isakmp *)iph2->sendbuf->v; - memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(cookie_t)); - memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(cookie_t)); - isakmp->np = hash == NULL ? (np & 0xff) : ISAKMP_NPTYPE_HASH; - isakmp->v = iph1->version; - isakmp->etype = ISAKMP_ETYPE_INFO; - isakmp->flags = iph2->flags; - memcpy(&isakmp->msgid, &iph2->msgid, sizeof(isakmp->msgid)); - isakmp->len = htonl(tlen); - p = (char *)(isakmp + 1); - - /* create HASH payload */ - if (hash != NULL) { - gen = (struct isakmp_gen *)p; - gen->np = np & 0xff; - gen->len = htons(sizeof(*gen) + hash->l); - p += sizeof(*gen); - memcpy(p, hash->v, hash->l); - p += hash->l; - } - - /* add payload */ - memcpy(p, payload->v, payload->l); - p += payload->l; - -#ifdef HAVE_PRINT_ISAKMP_C - isakmp_printpacket(iph2->sendbuf, iph1->local, iph1->remote, 1); -#endif - - plog(LLV_DEBUG, LOCATION, NULL, "outgoing packet dump\n"); - plogdump(LLV_DEBUG, iph2->sendbuf->v, iph2->sendbuf->l); - - /* encoding */ - if (ISSET(isakmp->flags, ISAKMP_FLAG_E)) { - vchar_t *tmp; - - tmp = oakley_do_encrypt(iph2->ph1, iph2->sendbuf, iph2->ivm->ive, - iph2->ivm->iv); - VPTRINIT(iph2->sendbuf); - if (tmp == NULL) - goto err; - iph2->sendbuf = tmp; - } - - /* HDR*, HASH(1), N */ - if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) { - VPTRINIT(iph2->sendbuf); - goto err; - } - - plog(LLV_DEBUG, LOCATION, NULL, - "sendto Information %s.\n", s_isakmp_nptype(np)); - - /* - * don't resend notify message because peer can use Acknowledged - * Informational if peer requires the reply of the notify message. 
- */ - - /* XXX If Acknowledged Informational required, don't delete ph2handle */ - error = 0; - VPTRINIT(iph2->sendbuf); - goto err; /* XXX */ - -end: - if (hash) - vfree(hash); - return error; - -err: - unbindph12(iph2); - remph2(iph2); - delph2(iph2); - goto end; -} - -/* - * add a notify payload to buffer by reallocating buffer. - * If buf == NULL, the function only create a notify payload. - * - * XXX Which is SPI to be included, inbound or outbound ? - */ -vchar_t * -isakmp_add_pl_n(buf0, np_p, type, pr, data) - vchar_t *buf0; - u_int8_t **np_p; - int type; - struct saproto *pr; - vchar_t *data; -{ - vchar_t *buf = NULL; - struct isakmp_pl_n *n; - int tlen; - int oldlen = 0; - - if (*np_p) - **np_p = ISAKMP_NPTYPE_N; - - tlen = sizeof(*n) + pr->spisize; - - if (data) - tlen += data->l; - if (buf0) { - oldlen = buf0->l; - buf = vrealloc(buf0, buf0->l + tlen); - } else - buf = vmalloc(tlen); - if (!buf) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get a payload buffer.\n"); - return NULL; - } - - n = (struct isakmp_pl_n *)(buf->v + oldlen); - n->h.np = ISAKMP_NPTYPE_NONE; - n->h.len = htons(tlen); - n->doi = htonl(IPSEC_DOI); /* IPSEC DOI (1) */ - n->proto_id = pr->proto_id; /* IPSEC AH/ESP/whatever*/ - n->spi_size = pr->spisize; - n->type = htons(type); - *(u_int32_t *)(n + 1) = pr->spi; /* XXX */ - if (data) - memcpy((caddr_t)(n + 1) + pr->spisize, data->v, data->l); - - /* save the pointer of next payload type */ - *np_p = &n->h.np; - - return buf; -} - -/* - * handling to receive Notification payload - */ -static int -isakmp_info_recv_n(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - struct isakmp_pl_n *n = NULL; - u_int type; - vchar_t *pbuf; - struct isakmp_parse_t *pa, *pap; - char *spi; - - if (!(pbuf = isakmp_parse(msg))) - return -1; - pa = (struct isakmp_parse_t *)pbuf->v; - for (pap = pa; pap->type; pap++) { - switch (pap->type) { - case ISAKMP_NPTYPE_HASH: - /* do something here */ - break; - case ISAKMP_NPTYPE_NONCE: - /* send to ack 
*/ - break; - case ISAKMP_NPTYPE_N: - n = (struct isakmp_pl_n *)pap->ptr; - break; - default: - vfree(pbuf); - return -1; - } - } - vfree(pbuf); - if (!n) - return -1; - - type = ntohs(n->type); - - switch (type) { - case ISAKMP_NTYPE_CONNECTED: - case ISAKMP_NTYPE_RESPONDER_LIFETIME: - case ISAKMP_NTYPE_REPLAY_STATUS: - /* do something */ - break; - case ISAKMP_NTYPE_INITIAL_CONTACT: - info_recv_initialcontact(iph1); - break; - default: - { - u_int32_t msgid = ((struct isakmp *)msg->v)->msgid; - struct ph2handle *iph2; - - /* XXX there is a potential of dos attack. */ - if (msgid == 0) { - /* delete ph1 */ - plog(LLV_ERROR, LOCATION, iph1->remote, - "delete phase1 handle.\n"); - return -1; - } else { - iph2 = getph2bymsgid(iph1, msgid); - if (iph2 == NULL) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "unknown notify message, " - "no phase2 handle found.\n"); - } else { - /* delete ph2 */ - unbindph12(iph2); - remph2(iph2); - delph2(iph2); - } - } - } - break; - } - - /* get spi and allocate */ - if (ntohs(n->h.len) < sizeof(*n) + n->spi_size) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "invalid spi_size in notification payload.\n"); - return -1; - } - spi = val2str((u_char *)(n + 1), n->spi_size); - - plog(LLV_DEBUG, LOCATION, iph1->remote, - "notification message %d:%s, " - "doi=%d proto_id=%d spi=%s(size=%d).\n", - type, s_isakmp_notify_msg(type), - ntohl(n->doi), n->proto_id, spi, n->spi_size); - - racoon_free(spi); - - return(0); -} - -static void -purge_isakmp_spi(proto, spi, n) - int proto; - isakmp_index *spi; /*network byteorder*/ - size_t n; -{ - struct ph1handle *iph1; - size_t i; - - for (i = 0; i < n; i++) { - iph1 = getph1byindex(&spi[i]); - if (!iph1) - continue; - - plog(LLV_INFO, LOCATION, NULL, - "purged ISAKMP-SA proto_id=%s spi=%s.\n", - s_ipsecdoi_proto(proto), - isakmp_pindex(&spi[i], 0)); - - if (iph1->sce) - SCHED_KILL(iph1->sce); - iph1->status = PHASE1ST_EXPIRED; - iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1); - } -} - -static 
void -purge_ipsec_spi(dst0, proto, spi, n) - struct sockaddr *dst0; - int proto; - u_int32_t *spi; /*network byteorder*/ - size_t n; -{ - vchar_t *buf = NULL; - struct sadb_msg *msg, *next, *end; - struct sadb_sa *sa; - struct sockaddr *src, *dst; - struct ph2handle *iph2; - size_t i; - caddr_t mhp[SADB_EXT_MAX + 1]; - - buf = pfkey_dump_sadb(ipsecdoi2pfkey_proto(proto)); - if (buf == NULL) { - plog(LLV_DEBUG, LOCATION, NULL, - "pfkey_dump_sadb returned nothing.\n"); - return; - } - - msg = (struct sadb_msg *)buf->v; - end = (struct sadb_msg *)(buf->v + buf->l); - - while (msg < end) { - if ((msg->sadb_msg_len << 3) < sizeof(*msg)) - break; - next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3)); - if (msg->sadb_msg_type != SADB_DUMP) { - msg = next; - continue; - } - - if (pfkey_align(msg, mhp) || pfkey_check(mhp)) { - plog(LLV_ERROR, LOCATION, NULL, - "pfkey_check (%s)\n", ipsec_strerror()); - msg = next; - continue; - } - - sa = (struct sadb_sa *)(mhp[SADB_EXT_SA]); - if (!sa - || !mhp[SADB_EXT_ADDRESS_SRC] - || !mhp[SADB_EXT_ADDRESS_DST]) { - msg = next; - continue; - } - src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); - dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); - - if (sa->sadb_sa_state != SADB_SASTATE_MATURE - && sa->sadb_sa_state != SADB_SASTATE_DYING) { - msg = next; - continue; - } - - /* XXX n^2 algorithm, inefficient */ - - /* don't delete inbound SAs at the moment */ - /* XXX should we remove SAs with opposite direction as well? */ - if (cmpsaddrwop(dst0, dst)) { - msg = next; - continue; - } - - for (i = 0; i < n; i++) { - plog(LLV_DEBUG, LOCATION, NULL, - "check spi(packet)=%u spi(db)=%u.\n", - ntohl(spi[i]), ntohl(sa->sadb_sa_spi)); - if (spi[i] != sa->sadb_sa_spi) - continue; - - pfkey_send_delete(lcconf->sock_pfkey, - msg->sadb_msg_satype, - IPSEC_MODE_ANY, - src, dst, sa->sadb_sa_spi); - - /* - * delete a relative phase 2 handler. - * continue to process if no relative phase 2 handler - * exists. 
- */ - iph2 = getph2bysaidx(src, dst, proto, spi[i]); - if (iph2) { - unbindph12(iph2); - remph2(iph2); - delph2(iph2); - } - - plog(LLV_INFO, LOCATION, NULL, - "purged IPsec-SA proto_id=%s spi=%u.\n", - s_ipsecdoi_proto(proto), - ntohl(spi[i])); - } - - msg = next; - } - - if (buf) - vfree(buf); -} - -/* - * delete all phase2 sa relatived to the destination address. - * Don't delete Phase 1 handlers on INITIAL-CONTACT, and don't ignore - * an INITIAL-CONTACT if we have contacted the peer. This matches the - * Sun IKE behavior, and makes rekeying work much better when the peer - * restarts. - */ -static void -info_recv_initialcontact(iph1) - struct ph1handle *iph1; -{ - vchar_t *buf = NULL; - struct sadb_msg *msg, *next, *end; - struct sadb_sa *sa; - struct sockaddr *src, *dst; - caddr_t mhp[SADB_EXT_MAX + 1]; - int proto_id, i; - struct ph2handle *iph2; -#if 0 - char *loc, *rem; -#endif - - if (f_local) - return; - -#if 0 - loc = strdup(saddrwop2str(iph1->local)); - rem = strdup(saddrwop2str(iph1->remote)); - - /* - * Purge all IPSEC-SAs for the peer. We can do this - * the easy way (using a PF_KEY SADB_DELETE extension) - * or we can do it the hard way. 
- */ - for (i = 0; i < pfkey_nsatypes; i++) { - proto_id = pfkey2ipsecdoi_proto(pfkey_satypes[i].ps_satype); - - plog(LLV_INFO, LOCATION, NULL, - "purging %s SAs for %s -> %s\n", - pfkey_satypes[i].ps_name, loc, rem); - if (pfkey_send_delete_all(lcconf->sock_pfkey, - pfkey_satypes[i].ps_satype, IPSEC_MODE_ANY, - iph1->local, iph1->remote) == -1) { - plog(LLV_ERROR, LOCATION, NULL, - "delete_all %s -> %s failed for %s (%s)\n", - loc, rem, - pfkey_satypes[i].ps_name, ipsec_strerror()); - goto the_hard_way; - } - - deleteallph2(iph1->local, iph1->remote, proto_id); - - plog(LLV_INFO, LOCATION, NULL, - "purging %s SAs for %s -> %s\n", - pfkey_satypes[i].ps_name, rem, loc); - if (pfkey_send_delete_all(lcconf->sock_pfkey, - pfkey_satypes[i].ps_satype, IPSEC_MODE_ANY, - iph1->remote, iph1->local) == -1) { - plog(LLV_ERROR, LOCATION, NULL, - "delete_all %s -> %s failed for %s (%s)\n", - rem, loc, - pfkey_satypes[i].ps_name, ipsec_strerror()); - goto the_hard_way; - } - - deleteallph2(iph1->remote, iph1->local, proto_id); - } - - racoon_free(loc); - racoon_free(rem); - return; - - the_hard_way: - racoon_free(loc); - racoon_free(rem); -#endif - - buf = pfkey_dump_sadb(SADB_SATYPE_UNSPEC); - if (buf == NULL) { - plog(LLV_DEBUG, LOCATION, NULL, - "pfkey_dump_sadb returned nothing.\n"); - return; - } - - msg = (struct sadb_msg *)buf->v; - end = (struct sadb_msg *)(buf->v + buf->l); - - while (msg < end) { - if ((msg->sadb_msg_len << 3) < sizeof(*msg)) - break; - next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3)); - if (msg->sadb_msg_type != SADB_DUMP) { - msg = next; - continue; - } - - if (pfkey_align(msg, mhp) || pfkey_check(mhp)) { - plog(LLV_ERROR, LOCATION, NULL, - "pfkey_check (%s)\n", ipsec_strerror()); - msg = next; - continue; - } - - if (mhp[SADB_EXT_SA] == NULL - || mhp[SADB_EXT_ADDRESS_SRC] == NULL - || mhp[SADB_EXT_ADDRESS_DST] == NULL) { - msg = next; - continue; - } - sa = (struct sadb_sa *)mhp[SADB_EXT_SA]; - src = 
PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); - dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); - - if (sa->sadb_sa_state != SADB_SASTATE_MATURE - && sa->sadb_sa_state != SADB_SASTATE_DYING) { - msg = next; - continue; - } - - /* - * RFC2407 4.6.3.3 INITIAL-CONTACT is the message that - * announces the sender of the message was rebooted. - * it is interpreted to delete all SAs which source address - * is the sender of the message. - * racoon only deletes SA which is matched both the - * source address and the destination accress. - */ - if (cmpsaddrwop(iph1->local, src) == 0 && - cmpsaddrwop(iph1->remote, dst) == 0) - ; - else if (cmpsaddrwop(iph1->remote, src) == 0 && - cmpsaddrwop(iph1->local, dst) == 0) - ; - else { - msg = next; - continue; - } - - /* - * Make sure this is an SATYPE that we manage. - * This is gross; too bad we couldn't do it the - * easy way. - */ - for (i = 0; i < pfkey_nsatypes; i++) { - if (pfkey_satypes[i].ps_satype == - msg->sadb_msg_satype) - break; - } - if (i == pfkey_nsatypes) { - msg = next; - continue; - } - - plog(LLV_INFO, LOCATION, NULL, - "purging spi=%u.\n", ntohl(sa->sadb_sa_spi)); - pfkey_send_delete(lcconf->sock_pfkey, - msg->sadb_msg_satype, - IPSEC_MODE_ANY, src, dst, sa->sadb_sa_spi); - - /* - * delete a relative phase 2 handler. - * continue to process if no relative phase 2 handler - * exists. 
- */ - proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype); - iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi); - if (iph2) { - unbindph12(iph2); - remph2(iph2); - delph2(iph2); - } - - msg = next; - } - - vfree(buf); -} - -/* - * handling to receive Deletion payload - */ -static int -isakmp_info_recv_d(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ - struct isakmp_pl_d *d; - int tlen, num_spi; - vchar_t *pbuf; - struct isakmp_parse_t *pa, *pap; - int protected = 0; - union { - u_int32_t spi32; - u_int16_t spi16[2]; - } spi; - - /* validate the type of next payload */ - if (!(pbuf = isakmp_parse(msg))) - return -1; - pa = (struct isakmp_parse_t *)pbuf->v; - for (pap = pa; pap->type; pap++) { - switch (pap->type) { - case ISAKMP_NPTYPE_D: - break; - case ISAKMP_NPTYPE_HASH: - if (pap == pa) { - protected++; - break; - } - plog(LLV_ERROR, LOCATION, iph1->remote, - "received next payload type %d " - "in wrong place (must be the first payload).\n", - pap->type); - vfree(pbuf); - return -1; - default: - /* don't send information, see isakmp_ident_r1() */ - plog(LLV_ERROR, LOCATION, iph1->remote, - "reject the packet, " - "received unexpecting payload type %d.\n", - pap->type); - vfree(pbuf); - return 0; - } - } - - if (!protected) { - plog(LLV_ERROR, LOCATION, NULL, - "delete payload is not proteted, " - "ignored.\n"); - vfree(pbuf); - return -1; - } - - /* process a delete payload */ - for (pap = pa; pap->type; pap++) { - if (pap->type != ISAKMP_NPTYPE_D) - continue; - - d = (struct isakmp_pl_d *)pap->ptr; - - if (ntohl(d->doi) != IPSEC_DOI) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "delete payload with invalid doi:%d.\n", - ntohl(d->doi)); - continue; - } - - num_spi = ntohs(d->num_spi); - tlen = ntohs(d->h.len) - sizeof(struct isakmp_pl_d); - - if (tlen != num_spi * d->spi_size) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "deletion payload with invalid length.\n"); - vfree(pbuf); - return -1; - } - - switch (d->proto_id) { - case 
IPSECDOI_PROTO_ISAKMP: - if (d->spi_size != sizeof(isakmp_index)) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "delete payload with strange spi " - "size %d(proto_id:%d)\n", - d->spi_size, d->proto_id); - continue; - } - purge_isakmp_spi(d->proto_id, - (isakmp_index *)(d + 1), num_spi); - break; - - case IPSECDOI_PROTO_IPSEC_AH: - case IPSECDOI_PROTO_IPSEC_ESP: - if (d->spi_size != sizeof(u_int32_t)) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "delete payload with strange spi " - "size %d(proto_id:%d)\n", - d->spi_size, d->proto_id); - continue; - } - purge_ipsec_spi(iph1->remote, d->proto_id, - (u_int32_t *)(d + 1), num_spi); - break; - - case IPSECDOI_PROTO_IPCOMP: - /* need to handle both 16bit/32bit SPI */ - memset(&spi, 0, sizeof(spi)); - if (d->spi_size == sizeof(spi.spi16[1])) { - memcpy(&spi.spi16[1], d + 1, - sizeof(spi.spi16[1])); - } else if (d->spi_size == sizeof(spi.spi32)) - memcpy(&spi.spi32, d + 1, sizeof(spi.spi32)); - else { - plog(LLV_ERROR, LOCATION, iph1->remote, - "delete payload with strange spi " - "size %d(proto_id:%d)\n", - d->spi_size, d->proto_id); - continue; - } - purge_ipsec_spi(iph1->remote, d->proto_id, - &spi.spi32, num_spi); - break; - - default: - plog(LLV_ERROR, LOCATION, iph1->remote, - "deletion message received, " - "invalid proto_id: %d\n", - d->proto_id); - continue; - } - - plog(LLV_DEBUG, LOCATION, NULL, "purged SAs.\n"); - } - - vfree(pbuf); - - return 0; -} - -void -isakmp_check_notify(gen, iph1) - struct isakmp_gen *gen; /* points to Notify payload */ - struct ph1handle *iph1; -{ - struct isakmp_pl_n *notify = (struct isakmp_pl_n *)gen; - - plog(LLV_DEBUG, LOCATION, iph1->remote, - "Notify Message received\n"); - - switch (ntohs(notify->type)) { - case ISAKMP_NTYPE_CONNECTED: - plog(LLV_WARNING, LOCATION, iph1->remote, - "ignore CONNECTED notification.\n"); - break; - case ISAKMP_NTYPE_RESPONDER_LIFETIME: - plog(LLV_WARNING, LOCATION, iph1->remote, - "ignore RESPONDER-LIFETIME notification.\n"); - break; - case 
ISAKMP_NTYPE_REPLAY_STATUS:
- plog(LLV_WARNING, LOCATION, iph1->remote,
- "ignore REPLAY-STATUS notification.\n");
- break;
- case ISAKMP_NTYPE_INITIAL_CONTACT:
- plog(LLV_WARNING, LOCATION, iph1->remote,
- "ignore INITIAL-CONTACT notification, "
- "because it is only accepted after phase1.\n");
- break;
- default:
- isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, NULL);
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "received unknown notification type %u.\n",
- ntohs(notify->type));
- }
-
- return;
-}
-
diff --git a/kame/kame/racoon/isakmp_inf.h b/kame/kame/racoon/isakmp_inf.h
deleted file mode 100644
index 26ad55a1cb..0000000000
--- a/kame/kame/racoon/isakmp_inf.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/* $KAME: isakmp_inf.h,v 1.13 2000/10/04 17:41:00 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-struct saproto;
-extern int isakmp_info_recv __P((struct ph1handle *, vchar_t *));
-extern int isakmp_info_send_d1 __P((struct ph1handle *));
-extern int isakmp_info_send_d2 __P((struct ph2handle *));
-extern int isakmp_info_send_nx __P((struct isakmp *,
- struct sockaddr *, struct sockaddr *, int, vchar_t *));
-extern int isakmp_info_send_n1 __P((struct ph1handle *, int, vchar_t *));
-extern int isakmp_info_send_n2 __P((struct ph2handle *, int, vchar_t *));
-extern int isakmp_info_send_common __P((struct ph1handle *,
- vchar_t *, u_int32_t, int));
-
-extern vchar_t * isakmp_add_pl_n __P((vchar_t *, u_int8_t **, int,
- struct saproto *, vchar_t *));
-
-extern void isakmp_check_notify __P((struct isakmp_gen *, struct ph1handle *));
diff --git a/kame/kame/racoon/isakmp_newg.c b/kame/kame/racoon/isakmp_newg.c
deleted file mode 100644
index b62446128c..0000000000
--- a/kame/kame/racoon/isakmp_newg.c
+++ /dev/null
@@ -1,228 +0,0 @@
-/* $KAME: isakmp_newg.c,v 1.10 2002/09/27 05:55:52 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include -#include - -#include -#include -#include -#include - -#include "var.h" -#include "misc.h" -#include "vmbuf.h" -#include "plog.h" -#include "sockmisc.h" -#include "debug.h" - -#include "schedule.h" -#include "cfparse_proto.h" -#include "isakmp_var.h" -#include "isakmp.h" -#include "isakmp_newg.h" -#include "oakley.h" -#include "ipsec_doi.h" -#include "crypto_openssl.h" -#include "handler.h" -#include "pfkey.h" -#include "admin.h" -#include "str2val.h" -#include "vendorid.h" - -/* - * New group mode as responder - */ -int -isakmp_newgroup_r(iph1, msg) - struct ph1handle *iph1; - vchar_t *msg; -{ -#if 0 - struct isakmp *isakmp = (struct isakmp *)msg->v; - struct isakmp_pl_hash *hash = NULL; - struct isakmp_pl_sa *sa = NULL; - int error = -1; - vchar_t *buf; - struct oakley_sa *osa; - int len; - - /* validate the type of next payload */ - /* - * ISAKMP_ETYPE_NEWGRP, - * ISAKMP_NPTYPE_HASH, (ISAKMP_NPTYPE_VID), ISAKMP_NPTYPE_SA, - * ISAKMP_NPTYPE_NONE - */ - { - vchar_t *pbuf = NULL; - struct isakmp_parse_t *pa; - - if ((pbuf = isakmp_parse(msg)) == NULL) - goto end; - - for (pa = (struct isakmp_parse_t *)pbuf->v; - pa->type != ISAKMP_NPTYPE_NONE; - pa++) { - - switch (pa->type) { - case ISAKMP_NPTYPE_HASH: - if (hash) { - isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, NULL); - plog(LLV_ERROR, LOCATION, iph1->remote, - "received multiple payload type %d.\n", - pa->type); - vfree(pbuf); - goto end; - } - hash = (struct isakmp_pl_hash *)pa->ptr; - break; - case ISAKMP_NPTYPE_SA: - if (sa) { - isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, NULL); - plog(LLV_ERROR, LOCATION, iph1->remote, - "received multiple payload type %d.\n", - pa->type); - vfree(pbuf); - goto end; - } - sa = (struct isakmp_pl_sa *)pa->ptr; - break; - case ISAKMP_NPTYPE_VID: - (void)check_vendorid(pa->ptr); - break; - default: - isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, NULL); - plog(LLV_ERROR, LOCATION, iph1->remote, - "ignore the packet, 
" - "received unexpecting payload type %d.\n", - pa->type); - vfree(pbuf); - goto end; - } - } - vfree(pbuf); - - if (!hash || !sa) { - isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, NULL); - plog(LLV_ERROR, LOCATION, iph1->remote, - "no HASH, or no SA payload.\n"); - goto end; - } - } - - /* validate HASH */ - { - char *r_hash; - vchar_t *my_hash = NULL; - int result; - - plog(LLV_DEBUG, LOCATION, NULL, "validate HASH\n"); - - len = sizeof(isakmp->msgid) + ntohs(sa->h.len); - buf = vmalloc(len); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to send.\n"); - goto end; - } - memcpy(buf->v, &isakmp->msgid, sizeof(isakmp->msgid)); - memcpy(buf->v + sizeof(isakmp->msgid), sa, ntohs(sa->h.len)); - - plog(LLV_DEBUG, LOCATION, NULL, "hash source\n"); - plogdump(LLV_DEBUG, buf->v, buf->l); - - my_hash = isakmp_prf(iph1->skeyid_a, buf, iph1); - vfree(buf); - if (my_hash == NULL) - goto end; - - plog(LLV_DEBUG, LOCATION, NULL, "hash result\n"); - plogdump(LLV_DEBUG, my_hash->v, my_hash->l); - - r_hash = (char *)hash + sizeof(*hash); - - plog(LLV_DEBUG, LOCATION, NULL, "original hash\n")); - plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash))); - - result = memcmp(my_hash->v, r_hash, my_hash->l); - vfree(my_hash); - - if (result) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "HASH mismatch.\n"); - isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_HASH_INFORMATION, NULL); - goto end; - } - } - - /* check SA payload and get new one for use */ - buf = ipsecdoi_get_proposal((struct ipsecdoi_sa *)sa, - OAKLEY_NEWGROUP_MODE); - if (buf == NULL) { - isakmp_info_send_n1(iph1, ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED, NULL); - goto end; - } - - /* save sa parameters */ - osa = ipsecdoi_get_oakley(buf); - if (osa == NULL) { - isakmp_info_send_n1(iph1, ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED, NULL); - goto end; - } - vfree(buf); - - switch (osa->dhgrp) { - case OAKLEY_ATTR_GRP_DESC_MODP768: - case OAKLEY_ATTR_GRP_DESC_MODP1024: - case 
OAKLEY_ATTR_GRP_DESC_MODP1536:
- /*XXX*/
- default:
- isakmp_info_send_n1(iph1, ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED, NULL);
- plog(LLV_ERROR, LOCATION, NULL,
- "dh group %d isn't supported.\n", osa->dhgrp);
- goto end;
- }
-
- plog(LLV_INFO, LOCATION, iph1->remote,
- "got new dh group %s.\n", isakmp_pindex(&iph1->index, 0));
-
- error = 0;
-
-end:
- if (error) {
- if (iph1 != NULL)
- (void)isakmp_free_ph1(iph1);
- }
- return error;
-#endif
- return 0;
-}
-
diff --git a/kame/kame/racoon/isakmp_newg.h b/kame/kame/racoon/isakmp_newg.h
deleted file mode 100644
index 6d1a17f299..0000000000
--- a/kame/kame/racoon/isakmp_newg.h
+++ /dev/null
@@ -1,32 +0,0 @@
-/* $KAME: isakmp_newg.h,v 1.4 2000/10/04 17:41:01 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-extern int isakmp_newgroup_r __P((struct ph1handle *, vchar_t *));
diff --git a/kame/kame/racoon/isakmp_quick.c b/kame/kame/racoon/isakmp_quick.c
deleted file mode 100644
index 490b1ab5a1..0000000000
--- a/kame/kame/racoon/isakmp_quick.c
+++ /dev/null
@@ -1,2112 +0,0 @@ -/* $KAME: isakmp_quick.c,v 1.96 2005/01/11 01:09:50 sakane Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include -#include -#include - -#include -#include - -#include -#include -#include -#include -#if TIME_WITH_SYS_TIME -# include -# include -#else -# if HAVE_SYS_TIME_H -# include -# else -# include -# endif -#endif - -#ifdef IPV6_INRIA_VERSION -#include -#else -#include -#endif - -#include "var.h" -#include "vmbuf.h" -#include "schedule.h" -#include "misc.h" -#include "plog.h" -#include "debug.h" - -#include "localconf.h" -#include "remoteconf.h" -#include "isakmp_var.h" -#include "isakmp.h" -#include "isakmp_inf.h" -#include "isakmp_quick.h" -#include "oakley.h" -#include "handler.h" -#include "ipsec_doi.h" -#include "crypto_openssl.h" -#include "pfkey.h" -#include "policy.h" -#include "algorithm.h" -#include "sockmisc.h" -#include "proposal.h" -#include "sainfo.h" -#include "admin.h" -#include "strnames.h" - -/* quick mode */ -static vchar_t *quick_ir1mx __P((struct ph2handle *, vchar_t *, vchar_t *)); -static int get_sainfo_r __P((struct ph2handle *)); -static int get_proposal_r __P((struct ph2handle *)); -#ifdef INET6 -static u_int32_t setscopeid __P((struct sockaddr *, struct sockaddr *)); -#endif - -/* %%% - * Quick Mode - */ -/* - * begin Quick Mode as initiator. send pfkey getspi message to kernel. - */ -int -quick_i1prep(iph2, msg) - struct ph2handle *iph2; - vchar_t *msg; /* must be null pointer */ -{ - int error = ISAKMP_INTERNAL_ERROR; - - /* validity check */ - if (iph2->status != PHASE2ST_STATUS2) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph2->status); - goto end; - } - - iph2->msgid = isakmp_newmsgid2(iph2->ph1); - iph2->ivm = oakley_newiv2(iph2->ph1, iph2->msgid); - if (iph2->ivm == NULL) - return 0; - - iph2->status = PHASE2ST_GETSPISENT; - - /* don't anything if local test mode. 
*/ - if (f_local) { - error = 0; - goto end; - } - - /* send getspi message */ - if (pk_sendgetspi(iph2) < 0) - goto end; - - plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n"); - - iph2->sce = sched_new(lcconf->wait_ph2complete, - pfkey_timeover_stub, iph2); - - error = 0; - -end: - return error; -} - -/* - * send to responder - * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ] - */ -int -quick_i1send(iph2, msg) - struct ph2handle *iph2; - vchar_t *msg; /* must be null pointer */ -{ - vchar_t *body = NULL; - vchar_t *hash = NULL; - struct isakmp_gen *gen; - char *p; - int tlen; - int error = ISAKMP_INTERNAL_ERROR; - int pfsgroup, idci, idcr; - int np; - struct ipsecdoi_id_b *id, *id_p; - - /* validity check */ - if (msg != NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "msg has to be NULL in this function.\n"); - goto end; - } - if (iph2->status != PHASE2ST_GETSPIDONE) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph2->status); - goto end; - } - - /* create SA payload for my proposal */ - if (ipsecdoi_setph2proposal(iph2) < 0) - goto end; - - /* generate NONCE value */ - iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size); - if (iph2->nonce == NULL) - goto end; - - /* - * DH value calculation is kicked out into cfparse.y. - * because pfs group can not be negotiated, it's only to be checked - * acceptable. - */ - /* generate KE value if need */ - pfsgroup = iph2->proposal->pfs_group; - if (pfsgroup) { - /* DH group settting if PFS is required. 
*/ - if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to set DH value.\n"); - goto end; - } - if (oakley_dh_generate(iph2->pfsgrp, - &iph2->dhpub, &iph2->dhpriv) < 0) { - goto end; - } - } - - /* generate ID value */ - if (ipsecdoi_setid2(iph2) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get ID.\n"); - goto end; - } - plog(LLV_DEBUG, LOCATION, NULL, "IDci:"); - plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l); - plog(LLV_DEBUG, LOCATION, NULL, "IDcr:"); - plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l); - - /* - * we do not attach IDci nor IDcr, under the following condition: - * - all proposals are transport mode - * - no MIP6 or proxy - * - id payload suggests to encrypt all the traffic (no specific - * protocol type) - */ - id = (struct ipsecdoi_id_b *)iph2->id->v; - id_p = (struct ipsecdoi_id_b *)iph2->id_p->v; - if (id->proto_id == 0 - && id_p->proto_id == 0 - && iph2->ph1->rmconf->support_proxy == 0 - && ipsecdoi_transportmode(iph2->proposal)) { - idci = idcr = 0; - } else - idci = idcr = 1; - - /* create SA;NONCE payload, and KE if need, and IDii, IDir. */ - tlen = + sizeof(*gen) + iph2->sa->l - + sizeof(*gen) + iph2->nonce->l; - if (pfsgroup) - tlen += (sizeof(*gen) + iph2->dhpub->l); - if (idci) - tlen += sizeof(*gen) + iph2->id->l; - if (idcr) - tlen += sizeof(*gen) + iph2->id_p->l; - - body = vmalloc(tlen); - if (body == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to send.\n"); - goto end; - } - - p = body->v; - - /* add SA payload */ - p = set_isakmp_payload(p, iph2->sa, ISAKMP_NPTYPE_NONCE); - - /* add NONCE payload */ - if (pfsgroup) - np = ISAKMP_NPTYPE_KE; - else if (idci || idcr) - np = ISAKMP_NPTYPE_ID; - else - np = ISAKMP_NPTYPE_NONE; - p = set_isakmp_payload(p, iph2->nonce, np); - - /* add KE payload if need. */ - np = (idci || idcr) ? ISAKMP_NPTYPE_ID : ISAKMP_NPTYPE_NONE; - if (pfsgroup) - p = set_isakmp_payload(p, iph2->dhpub, np); - - /* IDci */ - np = (idcr) ? 
ISAKMP_NPTYPE_ID : ISAKMP_NPTYPE_NONE; - if (idci) - p = set_isakmp_payload(p, iph2->id, np); - - /* IDcr */ - if (idcr) - p = set_isakmp_payload(p, iph2->id_p, ISAKMP_NPTYPE_NONE); - - /* generate HASH(1) */ - hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, body); - if (hash == NULL) - goto end; - - /* send isakmp payload */ - iph2->sendbuf = quick_ir1mx(iph2, body, hash); - if (iph2->sendbuf == NULL) - goto end; - - /* send the packet, add to the schedule to resend */ - iph2->retry_counter = iph2->ph1->rmconf->retry_counter; - if (isakmp_ph2resend(iph2) == -1) - goto end; - - /* change status of isakmp status entry */ - iph2->status = PHASE2ST_MSG1SENT; - - error = 0; - -end: - if (body != NULL) - vfree(body); - if (hash != NULL) - vfree(hash); - - return error; -} - -/* - * receive from responder - * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ] - */ -int -quick_i2recv(iph2, msg0) - struct ph2handle *iph2; - vchar_t *msg0; -{ - vchar_t *msg = NULL; - vchar_t *hbuf = NULL; /* for hash computing. */ - vchar_t *pbuf = NULL; /* for payload parsing */ - struct isakmp_parse_t *pa; - struct isakmp *isakmp = (struct isakmp *)msg0->v; - struct isakmp_pl_hash *hash = NULL; - int f_id; - char *p; - int tlen; - int error = ISAKMP_INTERNAL_ERROR; - - /* validity check */ - if (iph2->status != PHASE2ST_MSG1SENT) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph2->status); - goto end; - } - - /* decrypt packet */ - if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, - "Packet wasn't encrypted.\n"); - goto end; - } - msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive); - if (msg == NULL) - goto end; - - /* create buffer for validating HASH(2) */ - /* - * ordering rule: - * 1. the first one must be HASH - * 2. the second one must be SA (added in isakmp-oakley-05!) - * 3. 
two IDs must be considered as IDci, then IDcr - */ - pbuf = isakmp_parse(msg); - if (pbuf == NULL) - goto end; - pa = (struct isakmp_parse_t *)pbuf->v; - - /* HASH payload is fixed postion */ - if (pa->type != ISAKMP_NPTYPE_HASH) { - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, - "received invalid next payload type %d, " - "expecting %d.\n", - pa->type, ISAKMP_NPTYPE_HASH); - goto end; - } - hash = (struct isakmp_pl_hash *)pa->ptr; - pa++; - - /* - * this restriction was introduced in isakmp-oakley-05. - * we do not check this for backward compatibility. - * TODO: command line/config file option to enable/disable this code - */ - /* HASH payload is fixed postion */ - if (pa->type != ISAKMP_NPTYPE_SA) { - plog(LLV_WARNING, LOCATION, iph2->ph1->remote, - "received invalid next payload type %d, " - "expecting %d.\n", - pa->type, ISAKMP_NPTYPE_HASH); - } - - /* allocate buffer for computing HASH(2) */ - tlen = iph2->nonce->l - + ntohl(isakmp->len) - sizeof(*isakmp); - hbuf = vmalloc(tlen); - if (hbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get hash buffer.\n"); - goto end; - } - p = hbuf->v + iph2->nonce->l; /* retain the space for Ni_b */ - - /* - * parse the payloads. - * copy non-HASH payloads into hbuf, so that we can validate HASH. - */ - iph2->sa_ret = NULL; - f_id = 0; /* flag to use checking ID */ - tlen = 0; /* count payload length except of HASH payload. 
*/ - for (; pa->type; pa++) { - - /* copy to buffer for HASH */ - /* Don't modify the payload */ - memcpy(p, pa->ptr, pa->len); - - switch (pa->type) { - case ISAKMP_NPTYPE_SA: - if (iph2->sa_ret != NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "Ignored, multiple SA " - "isn't supported.\n"); - break; - } - if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0) - goto end; - break; - - case ISAKMP_NPTYPE_NONCE: - if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) - goto end; - break; - - case ISAKMP_NPTYPE_KE: - if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) - goto end; - break; - - case ISAKMP_NPTYPE_ID: - { - vchar_t *vp; - - /* check ID value */ - if (f_id == 0) { - /* for IDci */ - f_id = 1; - vp = iph2->id; - } else { - /* for IDcr */ - vp = iph2->id_p; - } - - if (memcmp(vp->v, (caddr_t)pa->ptr + sizeof(struct isakmp_gen), vp->l)) { - - plog(LLV_ERROR, LOCATION, NULL, - "mismatched ID was returned.\n"); - error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED; - goto end; - } - } - break; - - case ISAKMP_NPTYPE_N: - isakmp_check_notify(pa->ptr, iph2->ph1); - break; - - default: - /* don't send information, see ident_r1recv() */ - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, - "ignore the packet, " - "received unexpecting payload type %d.\n", - pa->type); - goto end; - } - - p += pa->len; - - /* compute true length of payload. 
*/ - tlen += pa->len; - } - - /* payload existency check */ - if (hash == NULL || iph2->sa_ret == NULL || iph2->nonce_p == NULL) { - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, - "few isakmp message received.\n"); - goto end; - } - - /* Fixed buffer for calculating HASH */ - memcpy(hbuf->v, iph2->nonce->v, iph2->nonce->l); - plog(LLV_DEBUG, LOCATION, NULL, - "HASH allocated:hbuf->l=%d actual:tlen=%d\n", - hbuf->l, tlen + iph2->nonce->l); - /* adjust buffer length for HASH */ - hbuf->l = iph2->nonce->l + tlen; - - /* validate HASH(2) */ - { - char *r_hash; - vchar_t *my_hash = NULL; - int result; - - r_hash = (char *)hash + sizeof(*hash); - - plog(LLV_DEBUG, LOCATION, NULL, "HASH(2) received:"); - plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash)); - - my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf); - if (my_hash == NULL) - goto end; - - result = memcmp(my_hash->v, r_hash, my_hash->l); - vfree(my_hash); - - if (result) { - plog(LLV_DEBUG, LOCATION, iph2->ph1->remote, - "HASH(2) mismatch.\n"); - error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION; - goto end; - } - } - - /* validity check SA payload sent from responder */ - if (ipsecdoi_checkph2proposal(iph2) < 0) { - error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN; - goto end; - } - - /* change status of isakmp status entry */ - iph2->status = PHASE2ST_STATUS6; - - error = 0; - -end: - if (hbuf) - vfree(hbuf); - if (pbuf) - vfree(pbuf); - if (msg) - vfree(msg); - - if (error) { - VPTRINIT(iph2->sa_ret); - VPTRINIT(iph2->nonce_p); - VPTRINIT(iph2->dhpub_p); - VPTRINIT(iph2->id); - VPTRINIT(iph2->id_p); - } - - return error; -} - -/* - * send to responder - * HDR*, HASH(3) - */ -int -quick_i2send(iph2, msg0) - struct ph2handle *iph2; - vchar_t *msg0; -{ - vchar_t *msg = NULL; - vchar_t *buf = NULL; - vchar_t *hash = NULL; - char *p = NULL; - int tlen; - int error = ISAKMP_INTERNAL_ERROR; - - /* validity check */ - if (iph2->status != PHASE2ST_STATUS6) { - plog(LLV_ERROR, LOCATION, NULL, - "status 
mismatched %d.\n", iph2->status); - goto end; - } - - /* generate HASH(3) */ - { - vchar_t *tmp = NULL; - - plog(LLV_DEBUG, LOCATION, NULL, "HASH(3) generate\n"); - - tmp = vmalloc(iph2->nonce->l + iph2->nonce_p->l); - if (tmp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get hash buffer.\n"); - goto end; - } - memcpy(tmp->v, iph2->nonce->v, iph2->nonce->l); - memcpy(tmp->v + iph2->nonce->l, iph2->nonce_p->v, iph2->nonce_p->l); - - hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp); - vfree(tmp); - - if (hash == NULL) - goto end; - } - - /* create buffer for isakmp payload */ - tlen = sizeof(struct isakmp) - + sizeof(struct isakmp_gen) + hash->l; - buf = vmalloc(tlen); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to send.\n"); - goto end; - } - - /* create isakmp header */ - p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH); - if (p == NULL) - goto end; - - /* add HASH(3) payload */ - p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_NONE); - -#ifdef HAVE_PRINT_ISAKMP_C - isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1); -#endif - - /* encoding */ - iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv); - if (iph2->sendbuf == NULL) - goto end; - - /* if there is commit bit, need resending */ - if (ISSET(iph2->flags, ISAKMP_FLAG_C)) { - /* send the packet, add to the schedule to resend */ - iph2->retry_counter = iph2->ph1->rmconf->retry_counter; - if (isakmp_ph2resend(iph2) == -1) - goto end; - } else { - /* send the packet */ - if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) - goto end; - } - - /* the sending message is added to the received-list. 
*/ - if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, - iph2->sendbuf, msg0) == -1) { - plog(LLV_ERROR , LOCATION, NULL, - "failed to add a response packet to the tree.\n"); - goto end; - } - - /* compute both of KEYMATs */ - if (oakley_compute_keymat(iph2, INITIATOR) < 0) - goto end; - - iph2->status = PHASE2ST_ADDSA; - - /* don't anything if local test mode. */ - if (f_local) { - error = 0; - goto end; - } - - /* if there is commit bit don't set up SA now. */ - if (ISSET(iph2->flags, ISAKMP_FLAG_C)) { - iph2->status = PHASE2ST_COMMIT; - error = 0; - goto end; - } - - /* Do UPDATE for initiator */ - plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n"); - if (pk_sendupdate(iph2) < 0) { - plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n"); - goto end; - } - plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n"); - - /* Do ADD for responder */ - if (pk_sendadd(iph2) < 0) { - plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n"); - goto end; - } - plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n"); - - error = 0; - -end: - if (buf != NULL) - vfree(buf); - if (msg != NULL) - vfree(msg); - if (hash != NULL) - vfree(hash); - - return error; -} - -/* - * receive from responder - * HDR#*, HASH(4), notify - */ -int -quick_i3recv(iph2, msg0) - struct ph2handle *iph2; - vchar_t *msg0; -{ - vchar_t *msg = NULL; - vchar_t *pbuf = NULL; /* for payload parsing */ - struct isakmp_parse_t *pa; - struct isakmp_pl_hash *hash = NULL; - vchar_t *notify = NULL; - int error = ISAKMP_INTERNAL_ERROR; - - /* validity check */ - if (iph2->status != PHASE2ST_COMMIT) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph2->status); - goto end; - } - - /* decrypt packet */ - if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, - "Packet wasn't encrypted.\n"); - goto end; - } - msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive); - if (msg == NULL) - goto end; - - /* validate the type 
of next payload */ - pbuf = isakmp_parse(msg); - if (pbuf == NULL) - goto end; - - for (pa = (struct isakmp_parse_t *)pbuf->v; - pa->type != ISAKMP_NPTYPE_NONE; - pa++) { - - switch (pa->type) { - case ISAKMP_NPTYPE_HASH: - hash = (struct isakmp_pl_hash *)pa->ptr; - break; - case ISAKMP_NPTYPE_N: - isakmp_check_notify(pa->ptr, iph2->ph1); - notify = vmalloc(pa->len); - if (notify == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get notify buffer.\n"); - goto end; - } - memcpy(notify->v, pa->ptr, notify->l); - break; - default: - /* don't send information, see ident_r1recv() */ - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, - "ignore the packet, " - "received unexpecting payload type %d.\n", - pa->type); - goto end; - } - } - - /* payload existency check */ - if (hash == NULL) { - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, - "few isakmp message received.\n"); - goto end; - } - - /* validate HASH(4) */ - { - char *r_hash; - vchar_t *my_hash = NULL; - vchar_t *tmp = NULL; - int result; - - r_hash = (char *)hash + sizeof(*hash); - - plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) validate:"); - plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash)); - - my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify); - vfree(tmp); - if (my_hash == NULL) - goto end; - - result = memcmp(my_hash->v, r_hash, my_hash->l); - vfree(my_hash); - - if (result) { - plog(LLV_DEBUG, LOCATION, iph2->ph1->remote, - "HASH(4) mismatch.\n"); - error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION; - goto end; - } - } - - iph2->status = PHASE2ST_ADDSA; - iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */ - - /* don't anything if local test mode. 
*/ - if (f_local) { - error = 0; - goto end; - } - - /* Do UPDATE for initiator */ - plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n"); - if (pk_sendupdate(iph2) < 0) { - plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n"); - goto end; - } - plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n"); - - /* Do ADD for responder */ - if (pk_sendadd(iph2) < 0) { - plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n"); - goto end; - } - plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n"); - - error = 0; - -end: - if (msg != NULL) - vfree(msg); - if (pbuf != NULL) - vfree(pbuf); - if (notify != NULL) - vfree(notify); - - return error; -} - -/* - * receive from initiator - * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ] - */ -int -quick_r1recv(iph2, msg0) - struct ph2handle *iph2; - vchar_t *msg0; -{ - vchar_t *msg = NULL; - vchar_t *hbuf = NULL; /* for hash computing. */ - vchar_t *pbuf = NULL; /* for payload parsing */ - struct isakmp_parse_t *pa; - struct isakmp *isakmp = (struct isakmp *)msg0->v; - struct isakmp_pl_hash *hash = NULL; - char *p; - int tlen; - int f_id_order; /* for ID payload detection */ - int error = ISAKMP_INTERNAL_ERROR; - - /* validity check */ - if (iph2->status != PHASE2ST_START) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph2->status); - goto end; - } - - /* decrypting */ - if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, - "Packet wasn't encrypted.\n"); - error = ISAKMP_NTYPE_PAYLOAD_MALFORMED; - goto end; - } - /* decrypt packet */ - msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive); - if (msg == NULL) - goto end; - - /* create buffer for using to validate HASH(1) */ - /* - * ordering rule: - * 1. the first one must be HASH - * 2. the second one must be SA (added in isakmp-oakley-05!) - * 3. 
two IDs must be considered as IDci, then IDcr - */ - pbuf = isakmp_parse(msg); - if (pbuf == NULL) - goto end; - pa = (struct isakmp_parse_t *)pbuf->v; - - /* HASH payload is fixed postion */ - if (pa->type != ISAKMP_NPTYPE_HASH) { - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, - "received invalid next payload type %d, " - "expecting %d.\n", - pa->type, ISAKMP_NPTYPE_HASH); - error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX; - goto end; - } - hash = (struct isakmp_pl_hash *)pa->ptr; - pa++; - - /* - * this restriction was introduced in isakmp-oakley-05. - * we do not check this for backward compatibility. - * TODO: command line/config file option to enable/disable this code - */ - /* HASH payload is fixed postion */ - if (pa->type != ISAKMP_NPTYPE_SA) { - plog(LLV_WARNING, LOCATION, iph2->ph1->remote, - "received invalid next payload type %d, " - "expecting %d.\n", - pa->type, ISAKMP_NPTYPE_HASH); - error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX; - } - - /* allocate buffer for computing HASH(1) */ - tlen = ntohl(isakmp->len) - sizeof(*isakmp); - hbuf = vmalloc(tlen); - if (hbuf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get hash buffer.\n"); - goto end; - } - p = hbuf->v; - - /* - * parse the payloads. - * copy non-HASH payloads into hbuf, so that we can validate HASH. - */ - iph2->sa = NULL; /* we don't support multi SAs. */ - iph2->nonce_p = NULL; - iph2->dhpub_p = NULL; - iph2->id_p = NULL; - iph2->id = NULL; - tlen = 0; /* count payload length except of HASH payload. */ - - /* - * IDi2 MUST be immediatelly followed by IDr2. We allowed the - * illegal case, but logged. First ID payload is to be IDi2. - * And next ID payload is to be IDr2. 
- */ - f_id_order = 0; - - for (; pa->type; pa++) { - - /* copy to buffer for HASH */ - /* Don't modify the payload */ - memcpy(p, pa->ptr, pa->len); - - if (pa->type != ISAKMP_NPTYPE_ID) - f_id_order = 0; - - switch (pa->type) { - case ISAKMP_NPTYPE_SA: - if (iph2->sa != NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "Multi SAs isn't supported.\n"); - goto end; - } - if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0) - goto end; - break; - - case ISAKMP_NPTYPE_NONCE: - if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0) - goto end; - break; - - case ISAKMP_NPTYPE_KE: - if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0) - goto end; - break; - - case ISAKMP_NPTYPE_ID: - if (iph2->id_p == NULL) { - /* for IDci */ - f_id_order++; - - if (isakmp_p2ph(&iph2->id_p, pa->ptr) < 0) - goto end; - - } else if (iph2->id == NULL) { - /* for IDcr */ - if (f_id_order == 0) { - plog(LLV_ERROR, LOCATION, NULL, - "IDr2 payload is not " - "immediatelly followed " - "by IDi2. We allowed.\n"); - /* XXX we allowed in this case. */ - } - - if (isakmp_p2ph(&iph2->id, pa->ptr) < 0) - goto end; - } else { - plog(LLV_ERROR, LOCATION, NULL, - "received too many ID payloads.\n"); - plogdump(LLV_ERROR, iph2->id->v, iph2->id->l); - error = ISAKMP_NTYPE_INVALID_ID_INFORMATION; - goto end; - } - break; - - case ISAKMP_NPTYPE_N: - isakmp_check_notify(pa->ptr, iph2->ph1); - break; - - default: - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, - "ignore the packet, " - "received unexpecting payload type %d.\n", - pa->type); - error = ISAKMP_NTYPE_PAYLOAD_MALFORMED; - goto end; - } - - p += pa->len; - - /* compute true length of payload. 
*/ - tlen += pa->len; - } - - /* payload existency check */ - if (hash == NULL || iph2->sa == NULL || iph2->nonce_p == NULL) { - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, - "few isakmp message received.\n"); - error = ISAKMP_NTYPE_PAYLOAD_MALFORMED; - goto end; - } - - if (iph2->id_p) { - plog(LLV_DEBUG, LOCATION, NULL, "received IDci2:"); - plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l); - } - if (iph2->id) { - plog(LLV_DEBUG, LOCATION, NULL, "received IDcr2:"); - plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l); - } - - /* adjust buffer length for HASH */ - hbuf->l = tlen; - - /* validate HASH(1) */ - { - char *r_hash; - vchar_t *my_hash = NULL; - int result; - - r_hash = (caddr_t)hash + sizeof(*hash); - - plog(LLV_DEBUG, LOCATION, NULL, "HASH(1) validate:"); - plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash)); - - my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf); - if (my_hash == NULL) - goto end; - - result = memcmp(my_hash->v, r_hash, my_hash->l); - vfree(my_hash); - - if (result) { - plog(LLV_DEBUG, LOCATION, iph2->ph1->remote, - "HASH(1) mismatch.\n"); - error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION; - goto end; - } - } - - /* get sainfo */ - error = get_sainfo_r(iph2); - if (error) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get sainfo.\n"); - goto end; - } - - /* check the existence of ID payload and create responder's proposal */ - error = get_proposal_r(iph2); - switch (error) { - case -2: - /* generate a policy template from peer's proposal */ - if (set_proposal_from_proposal(iph2)) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to generate a proposal template " - "from client's proposal.\n"); - return ISAKMP_INTERNAL_ERROR; - } - /*FALLTHROUGH*/ - case 0: - /* select single proposal or reject it. 
*/ - if (ipsecdoi_selectph2proposal(iph2) < 0) { - error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN; - goto end; - } - break; - default: - plog(LLV_ERROR, LOCATION, NULL, - "failed to get proposal for responder.\n"); - goto end; - } - - /* check KE and attribute of PFS */ - if (iph2->dhpub_p != NULL && iph2->approval->pfs_group == 0) { - plog(LLV_ERROR, LOCATION, NULL, - "no PFS is specified, but peer sends KE.\n"); - error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN; - goto end; - } - if (iph2->dhpub_p == NULL && iph2->approval->pfs_group != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "PFS is specified, but peer doesn't sends KE.\n"); - error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN; - goto end; - } - - /* - * save the packet from the initiator in order to resend the - * responder's first packet against this packet. - */ - iph2->msg1 = vdup(msg0); - - /* change status of isakmp status entry */ - iph2->status = PHASE2ST_STATUS2; - - error = 0; - -end: - if (hbuf) - vfree(hbuf); - if (msg) - vfree(msg); - if (pbuf) - vfree(pbuf); - - if (error) { - VPTRINIT(iph2->sa); - VPTRINIT(iph2->nonce_p); - VPTRINIT(iph2->dhpub_p); - VPTRINIT(iph2->id); - VPTRINIT(iph2->id_p); - } - - return error; -} - -/* - * call pfkey_getspi. 
- */ -int -quick_r1prep(iph2, msg) - struct ph2handle *iph2; - vchar_t *msg; -{ - int error = ISAKMP_INTERNAL_ERROR; - - /* validity check */ - if (iph2->status != PHASE2ST_STATUS2) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph2->status); - goto end; - } - - iph2->status = PHASE2ST_GETSPISENT; - - /* send getspi message */ - if (pk_sendgetspi(iph2) < 0) - goto end; - - plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n"); - - iph2->sce = sched_new(lcconf->wait_ph2complete, - pfkey_timeover_stub, iph2); - - error = 0; - -end: - return error; -} - -/* - * send to initiator - * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ] - */ -int -quick_r2send(iph2, msg) - struct ph2handle *iph2; - vchar_t *msg; -{ - vchar_t *body = NULL; - vchar_t *hash = NULL; - struct isakmp_gen *gen; - char *p; - int tlen; - int error = ISAKMP_INTERNAL_ERROR; - int pfsgroup; - u_int8_t *np_p = NULL; - - /* validity check */ - if (msg != NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "msg has to be NULL in this function.\n"); - goto end; - } - if (iph2->status != PHASE2ST_GETSPIDONE) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph2->status); - goto end; - } - - /* update responders SPI */ - if (ipsecdoi_updatespi(iph2) < 0) { - plog(LLV_ERROR, LOCATION, NULL, "failed to update spi.\n"); - goto end; - } - - /* generate NONCE value */ - iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size); - if (iph2->nonce == NULL) - goto end; - - /* generate KE value if need */ - pfsgroup = iph2->approval->pfs_group; - if (iph2->dhpub_p != NULL && pfsgroup != 0) { - /* DH group settting if PFS is required. 
*/ - if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to set DH value.\n"); - goto end; - } - /* generate DH public value */ - if (oakley_dh_generate(iph2->pfsgrp, - &iph2->dhpub, &iph2->dhpriv) < 0) { - goto end; - } - } - - /* create SA;NONCE payload, and KE and ID if need */ - tlen = sizeof(*gen) + iph2->sa_ret->l - + sizeof(*gen) + iph2->nonce->l; - if (iph2->dhpub_p != NULL && pfsgroup != 0) - tlen += (sizeof(*gen) + iph2->dhpub->l); - if (iph2->id_p != NULL) - tlen += (sizeof(*gen) + iph2->id_p->l - + sizeof(*gen) + iph2->id->l); - - body = vmalloc(tlen); - if (body == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to send.\n"); - goto end; - } - p = body->v; - - /* make SA payload */ - p = set_isakmp_payload(body->v, iph2->sa_ret, ISAKMP_NPTYPE_NONCE); - - /* add NONCE payload */ - np_p = &((struct isakmp_gen *)p)->np; /* XXX */ - p = set_isakmp_payload(p, iph2->nonce, - (iph2->dhpub_p != NULL && pfsgroup != 0) - ? ISAKMP_NPTYPE_KE - : (iph2->id_p != NULL - ? ISAKMP_NPTYPE_ID - : ISAKMP_NPTYPE_NONE)); - - /* add KE payload if need. */ - if (iph2->dhpub_p != NULL && pfsgroup != 0) { - np_p = &((struct isakmp_gen *)p)->np; /* XXX */ - p = set_isakmp_payload(p, iph2->dhpub, - (iph2->id_p == NULL) - ? ISAKMP_NPTYPE_NONE - : ISAKMP_NPTYPE_ID); - } - - /* add ID payloads received. 
*/ - if (iph2->id_p != NULL) { - /* IDci */ - p = set_isakmp_payload(p, iph2->id_p, ISAKMP_NPTYPE_ID); - /* IDcr */ - np_p = &((struct isakmp_gen *)p)->np; /* XXX */ - p = set_isakmp_payload(p, iph2->id, ISAKMP_NPTYPE_NONE); - } - - /* add a RESPONDER-LIFETIME notify payload if needed */ - { - vchar_t *data = NULL; - struct saprop *pp = iph2->approval; - struct saproto *pr; - - if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_SEC) { - u_int32_t v = htonl((u_int32_t)pp->lifetime); - data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE, - IPSECDOI_ATTR_SA_LD_TYPE_SEC); - if (!data) - goto end; - data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD, - (caddr_t)&v, sizeof(v)); - if (!data) - goto end; - } - if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_KB) { - u_int32_t v = htonl((u_int32_t)pp->lifebyte); - data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE, - IPSECDOI_ATTR_SA_LD_TYPE_KB); - if (!data) - goto end; - data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD, - (caddr_t)&v, sizeof(v)); - if (!data) - goto end; - } - - /* - * XXX Is there only single RESPONDER-LIFETIME payload in a IKE message - * in the case of SA bundle ? 
- */ - if (data) { - for (pr = pp->head; pr; pr = pr->next) { - body = isakmp_add_pl_n(body, &np_p, - ISAKMP_NTYPE_RESPONDER_LIFETIME, pr, data); - if (!body) { - vfree(data); - return error; /* XXX */ - } - } - vfree(data); - } - } - - /* generate HASH(2) */ - { - vchar_t *tmp; - - tmp = vmalloc(iph2->nonce_p->l + body->l); - if (tmp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get hash buffer.\n"); - goto end; - } - memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l); - memcpy(tmp->v + iph2->nonce_p->l, body->v, body->l); - - hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, tmp); - vfree(tmp); - - if (hash == NULL) - goto end; - } - - /* send isakmp payload */ - iph2->sendbuf = quick_ir1mx(iph2, body, hash); - if (iph2->sendbuf == NULL) - goto end; - - /* send the packet, add to the schedule to resend */ - iph2->retry_counter = iph2->ph1->rmconf->retry_counter; - if (isakmp_ph2resend(iph2) == -1) - goto end; - - /* the sending message is added to the received-list. */ - if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, iph2->msg1) == -1) { - plog(LLV_ERROR , LOCATION, NULL, - "failed to add a response packet to the tree.\n"); - goto end; - } - - /* change status of isakmp status entry */ - iph2->status = PHASE2ST_MSG1SENT; - - error = 0; - -end: - if (body != NULL) - vfree(body); - if (hash != NULL) - vfree(hash); - - return error; -} - -/* - * receive from initiator - * HDR*, HASH(3) - */ -int -quick_r3recv(iph2, msg0) - struct ph2handle *iph2; - vchar_t *msg0; -{ - vchar_t *msg = NULL; - vchar_t *pbuf = NULL; /* for payload parsing */ - struct isakmp_parse_t *pa; - struct isakmp_pl_hash *hash = NULL; - int error = ISAKMP_INTERNAL_ERROR; - - /* validity check */ - if (iph2->status != PHASE2ST_MSG1SENT) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph2->status); - goto end; - } - - /* decrypt packet */ - if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) { - plog(LLV_ERROR, LOCATION, 
iph2->ph1->remote, - "Packet wasn't encrypted.\n"); - goto end; - } - msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive); - if (msg == NULL) - goto end; - - /* validate the type of next payload */ - pbuf = isakmp_parse(msg); - if (pbuf == NULL) - goto end; - - for (pa = (struct isakmp_parse_t *)pbuf->v; - pa->type != ISAKMP_NPTYPE_NONE; - pa++) { - - switch (pa->type) { - case ISAKMP_NPTYPE_HASH: - hash = (struct isakmp_pl_hash *)pa->ptr; - break; - case ISAKMP_NPTYPE_N: - isakmp_check_notify(pa->ptr, iph2->ph1); - break; - default: - /* don't send information, see ident_r1recv() */ - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, - "ignore the packet, " - "received unexpecting payload type %d.\n", - pa->type); - goto end; - } - } - - /* payload existency check */ - if (hash == NULL) { - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, - "few isakmp message received.\n"); - goto end; - } - - /* validate HASH(3) */ - /* HASH(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b) */ - { - char *r_hash; - vchar_t *my_hash = NULL; - vchar_t *tmp = NULL; - int result; - - r_hash = (char *)hash + sizeof(*hash); - - plog(LLV_DEBUG, LOCATION, NULL, "HASH(3) validate:"); - plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash)); - - tmp = vmalloc(iph2->nonce_p->l + iph2->nonce->l); - if (tmp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get hash buffer.\n"); - goto end; - } - memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l); - memcpy(tmp->v + iph2->nonce_p->l, iph2->nonce->v, iph2->nonce->l); - - my_hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp); - vfree(tmp); - if (my_hash == NULL) - goto end; - - result = memcmp(my_hash->v, r_hash, my_hash->l); - vfree(my_hash); - - if (result) { - plog(LLV_ERROR, LOCATION, iph2->ph1->remote, - "HASH(3) mismatch.\n"); - error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION; - goto end; - } - } - - /* if there is commit bit, don't set up SA now. 
*/ - if (ISSET(iph2->flags, ISAKMP_FLAG_C)) { - iph2->status = PHASE2ST_COMMIT; - } else - iph2->status = PHASE2ST_STATUS6; - - error = 0; - -end: - if (pbuf != NULL) - vfree(pbuf); - if (msg != NULL) - vfree(msg); - - return error; -} - -/* - * send to initiator - * HDR#*, HASH(4), notify - */ -int -quick_r3send(iph2, msg0) - struct ph2handle *iph2; - vchar_t *msg0; -{ - vchar_t *buf = NULL; - vchar_t *myhash = NULL; - struct isakmp_pl_n *n; - vchar_t *notify = NULL; - char *p; - int tlen; - int error = ISAKMP_INTERNAL_ERROR; - - /* validity check */ - if (iph2->status != PHASE2ST_COMMIT) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph2->status); - goto end; - } - - /* generate HASH(4) */ - /* XXX What can I do in the case of multiple different SA */ - plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) generate\n"); - - /* XXX What should I do if there are multiple SAs ? */ - tlen = sizeof(struct isakmp_pl_n) + iph2->approval->head->spisize; - notify = vmalloc(tlen); - if (notify == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get notify buffer.\n"); - goto end; - } - n = (struct isakmp_pl_n *)notify->v; - n->h.np = ISAKMP_NPTYPE_NONE; - n->h.len = htons(tlen); - n->doi = htonl(IPSEC_DOI); - n->proto_id = iph2->approval->head->proto_id; - n->spi_size = sizeof(iph2->approval->head->spisize); - n->type = htons(ISAKMP_NTYPE_CONNECTED); - memcpy(n + 1, &iph2->approval->head->spi, iph2->approval->head->spisize); - - myhash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify); - if (myhash == NULL) - goto end; - - /* create buffer for isakmp payload */ - tlen = sizeof(struct isakmp) - + sizeof(struct isakmp_gen) + myhash->l - + notify->l; - buf = vmalloc(tlen); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to send.\n"); - goto end; - } - - /* create isakmp header */ - p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH); - if (p == NULL) - goto end; - - /* add HASH(4) payload */ - p = set_isakmp_payload(p, myhash, 
ISAKMP_NPTYPE_N); - - /* add notify payload */ - memcpy(p, notify->v, notify->l); - -#ifdef HAVE_PRINT_ISAKMP_C - isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1); -#endif - - /* encoding */ - iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv); - if (iph2->sendbuf == NULL) - goto end; - - /* send the packet */ - if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) - goto end; - - /* the sending message is added to the received-list. */ - if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, msg0) == -1) { - plog(LLV_ERROR , LOCATION, NULL, - "failed to add a response packet to the tree.\n"); - goto end; - } - - iph2->status = PHASE2ST_COMMIT; - - error = 0; - -end: - if (buf != NULL) - vfree(buf); - if (myhash != NULL) - vfree(myhash); - if (notify != NULL) - vfree(notify); - - return error; -} - -/* - * set SA to kernel. - */ -int -quick_r3prep(iph2, msg0) - struct ph2handle *iph2; - vchar_t *msg0; -{ - vchar_t *msg = NULL; - int error = ISAKMP_INTERNAL_ERROR; - - /* validity check */ - if (iph2->status != PHASE2ST_STATUS6) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatched %d.\n", iph2->status); - goto end; - } - - /* compute both of KEYMATs */ - if (oakley_compute_keymat(iph2, RESPONDER) < 0) - goto end; - - iph2->status = PHASE2ST_ADDSA; - iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */ - - /* don't anything if local test mode. */ - if (f_local) { - error = 0; - goto end; - } - - /* Do UPDATE as responder */ - plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n"); - if (pk_sendupdate(iph2) < 0) { - plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n"); - goto end; - } - plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n"); - - /* Do ADD for responder */ - if (pk_sendadd(iph2) < 0) { - plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n"); - goto end; - } - plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n"); - - /* - * set policies into SPD if the policy is generated - * from peer's policy. 
- */ - if (iph2->spidx_gen) { - - struct policyindex *spidx; - struct sockaddr_storage addr; - u_int8_t pref; - struct sockaddr *src = iph2->src; - struct sockaddr *dst = iph2->dst; - - /* make inbound policy */ - iph2->src = dst; - iph2->dst = src; - if (pk_sendspdupdate2(iph2) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "pfkey spdupdate2(inbound) failed.\n"); - goto end; - } - plog(LLV_DEBUG, LOCATION, NULL, - "pfkey spdupdate2(inbound) sent.\n"); - - /* make outbound policy */ - iph2->src = src; - iph2->dst = dst; - spidx = (struct policyindex *)iph2->spidx_gen; - spidx->dir = IPSEC_DIR_OUTBOUND; - addr = spidx->src; - spidx->src = spidx->dst; - spidx->dst = addr; - pref = spidx->prefs; - spidx->prefs = spidx->prefd; - spidx->prefd = pref; - - if (pk_sendspdupdate2(iph2) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "pfkey spdupdate2(outbound) failed.\n"); - goto end; - } - plog(LLV_DEBUG, LOCATION, NULL, - "pfkey spdupdate2(outbound) sent.\n"); - - /* spidx_gen is unnecessary any more */ - delsp_bothdir((struct policyindex *)iph2->spidx_gen); - racoon_free(iph2->spidx_gen); - iph2->spidx_gen = NULL; - } - - error = 0; - -end: - if (msg != NULL) - vfree(msg); - - return error; -} - -/* - * create HASH, body (SA, NONCE) payload with isakmp header. - */ -static vchar_t * -quick_ir1mx(iph2, body, hash) - struct ph2handle *iph2; - vchar_t *body, *hash; -{ - struct isakmp *isakmp; - vchar_t *buf = NULL, *new = NULL; - char *p; - int tlen; - struct isakmp_gen *gen; - int error = ISAKMP_INTERNAL_ERROR; - - /* create buffer for isakmp payload */ - tlen = sizeof(*isakmp) - + sizeof(*gen) + hash->l - + body->l; - buf = vmalloc(tlen); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to send.\n"); - goto end; - } - - /* re-set encryption flag, for serurity. 
*/ - iph2->flags |= ISAKMP_FLAG_E; - - /* set isakmp header */ - p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH); - if (p == NULL) - goto end; - - /* add HASH payload */ - /* XXX is next type always SA ? */ - p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_SA); - - /* add body payload */ - memcpy(p, body->v, body->l); - -#ifdef HAVE_PRINT_ISAKMP_C - isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1); -#endif - - /* encoding */ - new = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv); - if (new == NULL) - goto end; - - vfree(buf); - - buf = new; - - error = 0; - -end: - if (error && buf != NULL) { - vfree(buf); - buf = NULL; - } - - return buf; -} - -/* - * get remote's sainfo. - * NOTE: this function is for responder. - */ -static int -get_sainfo_r(iph2) - struct ph2handle *iph2; -{ - vchar_t *idsrc = NULL, *iddst = NULL; - int prefixlen; - int error = ISAKMP_INTERNAL_ERROR; - - if (iph2->id_p == NULL) { - switch (iph2->src->sa_family) { - case AF_INET: - prefixlen = sizeof(struct in_addr) << 3; - break; - case AF_INET6: - prefixlen = sizeof(struct in6_addr) << 3; - break; - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid family: %d\n", iph2->src->sa_family); - goto end; - } - idsrc = ipsecdoi_sockaddr2id(iph2->src, prefixlen, - IPSEC_ULPROTO_ANY); - } else { - idsrc = vdup(iph2->id); - } - if (idsrc == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to set ID for source.\n"); - goto end; - } - - if (iph2->id == NULL) { - switch (iph2->dst->sa_family) { - case AF_INET: - prefixlen = sizeof(struct in_addr) << 3; - break; - case AF_INET6: - prefixlen = sizeof(struct in6_addr) << 3; - break; - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid family: %d\n", iph2->dst->sa_family); - goto end; - } - iddst = ipsecdoi_sockaddr2id(iph2->dst, prefixlen, - IPSEC_ULPROTO_ANY); - } else { - iddst = vdup(iph2->id_p); - } - if (iddst == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to set ID for destination.\n"); - goto end; - 
} - - iph2->sainfo = getsainfo(idsrc, iddst, iph2->ph1->id_p); - if (iph2->sainfo == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get sainfo.\n"); - goto end; - } - - plog(LLV_DEBUG, LOCATION, NULL, - "get sa info: %s\n", sainfo2str(iph2->sainfo)); - - error = 0; -end: - if (idsrc) - vfree(idsrc); - if (iddst) - vfree(iddst); - - return error; -} - -/* - * Copy both IP addresses in ID payloads into [src,dst]_id if both ID types - * are IP address and same address family. - * Then get remote's policy from SPD copied from kernel. - * If the type of ID payload is address or subnet type, then the index is - * made from the payload. If there is no ID payload, or the type of ID - * payload is NOT address type, then the index is made from the address - * pair of phase 1. - * NOTE: This function is only for responder. - */ -static int -get_proposal_r(iph2) - struct ph2handle *iph2; -{ - struct policyindex spidx; - struct secpolicy *sp_in, *sp_out; - int idi2type = 0; /* switch whether copy IDs into id[src,dst]. */ - int error = ISAKMP_INTERNAL_ERROR; - - /* check the existence of ID payload */ - if ((iph2->id_p != NULL && iph2->id == NULL) - || (iph2->id_p == NULL && iph2->id != NULL)) { - plog(LLV_ERROR, LOCATION, NULL, - "Both IDs wasn't found in payload.\n"); - return ISAKMP_NTYPE_INVALID_ID_INFORMATION; - } - - /* make sure if id[src,dst] is null. */ - if (iph2->src_id || iph2->dst_id) { - plog(LLV_ERROR, LOCATION, NULL, - "Why do ID[src,dst] exist already.\n"); - return ISAKMP_INTERNAL_ERROR; - } - - memset(&spidx, 0, sizeof(spidx)); - -#define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type - - /* make a spidx; a key to search SPD */ - spidx.dir = IPSEC_DIR_INBOUND; - spidx.ul_proto = 0; - - /* - * make destination address in spidx from either ID payload - * or phase 1 address into a address in spidx. 
- */ - if (iph2->id != NULL - && (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR - || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR - || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET - || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) { - /* get a destination address of a policy */ - error = ipsecdoi_id2sockaddr(iph2->id, - (struct sockaddr *)&spidx.dst, - &spidx.prefd, &spidx.ul_proto); - if (error) - return error; - -#ifdef INET6 - /* - * get scopeid from the SA address. - * note that the phase 1 source address is used as - * a destination address to search for a inbound policy entry - * because rcoon is responder. - */ - if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) { - error = setscopeid((struct sockaddr *)&spidx.dst, - iph2->src); - if (error) - return error; - } -#endif - - if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR - || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) - idi2type = _XIDT(iph2->id); - - } else { - - plog(LLV_DEBUG, LOCATION, NULL, - "get a destination address of SP index " - "from phase1 address " - "due to no ID payloads found " - "OR because ID type is not address.\n"); - - /* - * copy the SOURCE address of IKE into the DESTINATION address - * of the key to search the SPD because the direction of policy - * is inbound. 
- */ - memcpy(&spidx.dst, iph2->src, iph2->src->sa_len); - switch (spidx.dst.ss_family) { - case AF_INET: - spidx.prefd = sizeof(struct in_addr) << 3; - break; -#ifdef INET6 - case AF_INET6: - spidx.prefd = sizeof(struct in6_addr) << 3; - break; -#endif - default: - spidx.prefd = 0; - break; - } - } - - /* make source address in spidx */ - if (iph2->id_p != NULL - && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR - || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR - || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET - || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) { - /* get a source address of inbound SA */ - error = ipsecdoi_id2sockaddr(iph2->id_p, - (struct sockaddr *)&spidx.src, - &spidx.prefs, &spidx.ul_proto); - if (error) - return error; - -#ifdef INET6 - /* - * get scopeid from the SA address. - * for more detail, see above of this function. - */ - if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) { - error = setscopeid((struct sockaddr *)&spidx.src, - iph2->dst); - if (error) - return error; - } -#endif - - /* make id[src,dst] if both ID types are IP address and same */ - if (_XIDT(iph2->id_p) == idi2type - && spidx.dst.ss_family == spidx.src.ss_family) { - iph2->src_id = dupsaddr((struct sockaddr *)&spidx.dst); - iph2->dst_id = dupsaddr((struct sockaddr *)&spidx.src); - } - - } else { - plog(LLV_DEBUG, LOCATION, NULL, - "get a source address of SP index " - "from phase1 address " - "due to no ID payloads found " - "OR because ID type is not address.\n"); - - /* see above comment. 
*/ - memcpy(&spidx.src, iph2->dst, iph2->dst->sa_len); - switch (spidx.src.ss_family) { - case AF_INET: - spidx.prefs = sizeof(struct in_addr) << 3; - break; -#ifdef INET6 - case AF_INET6: - spidx.prefs = sizeof(struct in6_addr) << 3; - break; -#endif - default: - spidx.prefs = 0; - break; - } - } - -#undef _XIDT - - plog(LLV_DEBUG, LOCATION, NULL, - "get a src address from ID payload " - "%s prefixlen=%u ul_proto=%u\n", - saddr2str((struct sockaddr *)&spidx.src), - spidx.prefs, spidx.ul_proto); - plog(LLV_DEBUG, LOCATION, NULL, - "get dst address from ID payload " - "%s prefixlen=%u ul_proto=%u\n", - saddr2str((struct sockaddr *)&spidx.dst), - spidx.prefd, spidx.ul_proto); - - /* - * convert the ul_proto if it is 0 - * because 0 in ID payload means a wild card. - */ - if (spidx.ul_proto == 0) - spidx.ul_proto = IPSEC_ULPROTO_ANY; - - /* get inbound policy */ - sp_in = getsp_r(&spidx); - if (sp_in == NULL) { - if (iph2->ph1->rmconf->gen_policy) { - plog(LLV_INFO, LOCATION, NULL, - "no policy found, " - "try to generate the policy : %s\n", - spidx2str(&spidx)); - iph2->spidx_gen = racoon_malloc(sizeof(spidx)); - if (!iph2->spidx_gen) { - plog(LLV_ERROR, LOCATION, NULL, - "buffer allocation failed.\n"); - return ISAKMP_INTERNAL_ERROR; - } - memcpy(iph2->spidx_gen, &spidx, sizeof(spidx)); - return -2; /* special value */ - } - plog(LLV_ERROR, LOCATION, NULL, - "no policy found: %s\n", spidx2str(&spidx)); - return ISAKMP_INTERNAL_ERROR; - } - - /* get outbound policy */ - { - struct sockaddr_storage addr; - u_int8_t pref; - - spidx.dir = IPSEC_DIR_OUTBOUND; - addr = spidx.src; - spidx.src = spidx.dst; - spidx.dst = addr; - pref = spidx.prefs; - spidx.prefs = spidx.prefd; - spidx.prefd = pref; - - sp_out = getsp_r(&spidx); - if (!sp_out) { - plog(LLV_WARNING, LOCATION, NULL, - "no outbound policy found: %s\n", - spidx2str(&spidx)); - } - } - - plog(LLV_DEBUG, LOCATION, NULL, - "suitable SP found:%s\n", spidx2str(&spidx)); - - /* - * In the responder side, the inbound 
policy should be using IPsec. - * outbound policy is not checked currently. - */ - if (sp_in->policy != IPSEC_POLICY_IPSEC) { - plog(LLV_ERROR, LOCATION, NULL, - "policy found, but no IPsec required: %s\n", - spidx2str(&spidx)); - return ISAKMP_INTERNAL_ERROR; - } - - /* set new proposal derived from a policy into the iph2->proposal. */ - if (set_proposal_from_policy(iph2, sp_in, sp_out) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to create saprop.\n"); - return ISAKMP_INTERNAL_ERROR; - } - - return 0; -} - -#ifdef INET6 -static u_int32_t -setscopeid(sp_addr0, sa_addr0) - struct sockaddr *sp_addr0, *sa_addr0; -{ - struct sockaddr_in6 *sp_addr, *sa_addr; - - sp_addr = (struct sockaddr_in6 *)sp_addr0; - sa_addr = (struct sockaddr_in6 *)sa_addr0; - - if (!IN6_IS_ADDR_LINKLOCAL(&sp_addr->sin6_addr) - && !IN6_IS_ADDR_SITELOCAL(&sp_addr->sin6_addr) - && !IN6_IS_ADDR_MULTICAST(&sp_addr->sin6_addr)) - return 0; - - /* this check should not be here ? */ - if (sa_addr->sin6_family != AF_INET6) { - plog(LLV_ERROR, LOCATION, NULL, - "can't get scope ID: family mismatch\n"); - return -1; - } - - if (!IN6_IS_ADDR_LINKLOCAL(&sa_addr->sin6_addr)) { - plog(LLV_ERROR, LOCATION, NULL, - "scope ID is not supported except of lladdr.\n"); - return -1; - } - - sp_addr->sin6_scope_id = sa_addr->sin6_scope_id; - - return 0; -} -#endif diff --git a/kame/kame/racoon/isakmp_quick.h b/kame/kame/racoon/isakmp_quick.h deleted file mode 100644 index d87f78fc23..0000000000 --- a/kame/kame/racoon/isakmp_quick.h +++ /dev/null 
@@ -1,43 +0,0 @@
-/* $KAME: isakmp_quick.h,v 1.5 2000/10/04 17:41:01 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-extern int quick_i1prep __P((struct ph2handle *, vchar_t *));
-extern int quick_i1send __P((struct ph2handle *, vchar_t *));
-extern int quick_i2recv __P((struct ph2handle *, vchar_t *));
-extern int quick_i2send __P((struct ph2handle *, vchar_t *));
-extern int quick_i3recv __P((struct ph2handle *, vchar_t *));
-
-extern int quick_r1recv __P((struct ph2handle *, vchar_t *));
-extern int quick_r1prep __P((struct ph2handle *, vchar_t *));
-extern int quick_r2send __P((struct ph2handle *, vchar_t *));
-extern int quick_r3recv __P((struct ph2handle *, vchar_t *));
-extern int quick_r3send __P((struct ph2handle *, vchar_t *));
-extern int quick_r3prep __P((struct ph2handle *, vchar_t *));
diff --git a/kame/kame/racoon/isakmp_var.h b/kame/kame/racoon/isakmp_var.h
deleted file mode 100644
index 3bf8c676eb..0000000000
--- a/kame/kame/racoon/isakmp_var.h
+++ /dev/null
@@ -1,116 +0,0 @@
-/* $KAME: isakmp_var.h,v 1.22 2004/03/03 05:39:59 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#define PORT_ISAKMP 500
-
-#define DEFAULT_NONCE_SIZE 16
-
-typedef u_char cookie_t[8];
-typedef u_char msgid_t[4];
-
-typedef struct { /* i_cookie + r_cookie */
- cookie_t i_ck;
- cookie_t r_ck;
-} isakmp_index;
-
-/* Temporary structure to make payload construction easier
- */
-struct isakmp_construct{
- caddr_t buff;
- u_int8_t *np;
-};
-
-struct isakmp_gen;
-struct sched;
-
-struct sockaddr;
-struct ph1handle;
-struct ph2handle;
-struct remoteconf;
-struct isakmp_gen;
-struct ipsecdoi_pl_id; /* XXX */
-struct isakmp_pl_ke; /* XXX */
-struct isakmp_pl_nonce; /* XXX */
-
-extern int isakmp_handler __P((int));
-extern int isakmp_ph1begin_i __P((struct remoteconf *, struct sockaddr *,
- struct sockaddr *));
-
-extern vchar_t *isakmp_parsewoh __P((int, struct isakmp_gen *, int));
-extern vchar_t *isakmp_parse __P((vchar_t *));
-
-extern int isakmp_init __P((void));
-extern const char *isakmp_pindex __P((const isakmp_index *, const u_int32_t));
-extern int isakmp_open __P((void));
-extern void isakmp_close __P((void));
-extern int isakmp_send __P((struct ph1handle *, vchar_t *));
-
-extern void isakmp_ph1resend_stub __P((void *));
-extern int isakmp_ph1resend __P((struct ph1handle *));
-extern void isakmp_ph2resend_stub __P((void *));
-extern int isakmp_ph2resend __P((struct ph2handle *));
-extern void isakmp_ph1expire_stub __P((void *));
-extern void isakmp_ph1expire __P((struct ph1handle *));
-extern void isakmp_ph1delete_stub __P((void *));
-extern void isakmp_ph1delete __P((struct ph1handle *));
-extern void isakmp_ph2expire_stub __P((void *));
-extern void isakmp_ph2expire __P((struct ph2handle *));
-extern void isakmp_ph2delete_stub __P((void *));
-extern void isakmp_ph2delete __P((struct ph2handle *));
-
-extern int isakmp_post_acquire __P((struct ph2handle *));
-extern int isakmp_post_getspi __P((struct ph2handle *));
-extern void isakmp_chkph1there_stub __P((void *));
-extern void isakmp_chkph1there __P((struct ph2handle *));
-
-extern caddr_t isakmp_set_attr_v __P((caddr_t, int, caddr_t, int));
-extern caddr_t isakmp_set_attr_l __P((caddr_t, int, u_int32_t));
-extern vchar_t *isakmp_add_attr_v __P((vchar_t *, int, caddr_t, int));
-extern vchar_t *isakmp_add_attr_l __P((vchar_t *, int, u_int32_t));
-
-extern int isakmp_newcookie __P((caddr_t, struct sockaddr *, struct sockaddr *));
-
-extern int isakmp_p2ph __P((vchar_t **, struct isakmp_gen *));
-
-extern u_int32_t isakmp_newmsgid2 __P((struct ph1handle *));
-extern struct isakmp_construct set_isakmp_header __P((vchar_t *, struct ph1handle *));
-extern caddr_t set_isakmp_header2 __P((vchar_t *, struct ph2handle *, int));
-extern caddr_t set_isakmp_payload __P((caddr_t, vchar_t *, int));
-extern struct isakmp_construct set_isakmp_payload_c __P((struct isakmp_construct, vchar_t *, int));
-
-#ifdef HAVE_PRINT_ISAKMP_C
-extern void isakmp_printpacket __P((vchar_t *, struct sockaddr *,
- struct sockaddr *, int));
-#endif
-
-extern int copy_ph1addresses __P(( struct ph1handle *,
- struct remoteconf *, struct sockaddr *, struct sockaddr *));
-extern void log_ph1established __P((const struct ph1handle *));
diff --git a/kame/kame/racoon/kmpstat.c b/kame/kame/racoon/kmpstat.c
deleted file mode 100644
index 199b444e8f..0000000000
--- a/kame/kame/racoon/kmpstat.c
+++ /dev/null
@@ -1,1129 +0,0 @@
-/* $KAME: kmpstat.c,v 1.33 2004/08/16 08:20:28 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include
-#include
-#include
-#include
-
-#include
-#include
-#include
-#include
-
-#include
-#include
-#include
-#include
-#if TIME_WITH_SYS_TIME
-# include
-# include
-#else
-# if HAVE_SYS_TIME_H
-# include
-# else
-# include
-# endif
-#endif
-#include
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-#include
-
-#include "libpfkey.h"
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "debug.h"
-
-#include "schedule.h"
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "oakley.h"
-#include "handler.h"
-#include "pfkey.h"
-#include "admin.h"
-#include "admin_var.h"
-
-static void usage __P((void));
-static void com_init __P((void));
-static int com_send __P((vchar_t *));
-static vchar_t *com_recv __P((void));
-
-static vchar_t *get_combuf __P((int, char **));
-static vchar_t *f_reload __P((int, char **));
-static vchar_t *f_getsched __P((int, char **));
-static vchar_t *f_getsa __P((int, char **));
-static vchar_t *f_flushsa __P((int, char **));
-static vchar_t *f_deletesa __P((int, char **));
-static vchar_t *f_exchangesa __P((int, char **));
-
-struct cmd_tag {
- vchar_t *(*func) __P((int, char **));
- int cmd;
- char *str;
-} cmdtab[] = {
- { f_reload, ADMIN_RELOAD_CONF, "reload-config" },
- { f_reload, ADMIN_RELOAD_CONF, "rc" },
- { f_getsched, ADMIN_SHOW_SCHED, "show-schedule" },
- { f_getsched, ADMIN_SHOW_SCHED, "sc" },
- { f_getsa, ADMIN_SHOW_SA, "show-sa" },
- { f_getsa, ADMIN_SHOW_SA, "ss" },
- { f_flushsa, ADMIN_FLUSH_SA, "flush-sa" },
- { f_flushsa, ADMIN_FLUSH_SA, "fs" },
- { f_deletesa, ADMIN_DELETE_SA, "delete-sa" },
- { f_deletesa, ADMIN_DELETE_SA, "ds" },
- { f_exchangesa, ADMIN_ESTABLISH_SA, "establish-sa" },
- { f_exchangesa, ADMIN_ESTABLISH_SA, "es" },
- { NULL, 0, NULL },
-};
-
-static int get_proto __P((char *));
-static vchar_t *get_index __P((int, char **));
-static int get_family __P((char *));
-static vchar_t *get_comindexes __P((int, int, char **));
-static int get_comindex __P((char *, char **, 
char **, char **)); -static struct sockaddr *get_sockaddr __P((int, char *, char *)); -static int get_ulproto __P((char *)); - -struct proto_tag { - int proto; - char *str; -} prototab[] = { - { ADMIN_PROTO_ISAKMP, "isakmp" }, - { ADMIN_PROTO_IPSEC, "ipsec" }, - { ADMIN_PROTO_AH, "ah" }, - { ADMIN_PROTO_ESP, "esp" }, - { ADMIN_PROTO_INTERNAL, "internal" }, - { 0, NULL }, -}; - -struct ulproto_tag { - int ul_proto; - char *str; -} ulprototab[] = { - { 0, "any" }, - { IPPROTO_ICMP, "icmp" }, - { IPPROTO_TCP, "tcp" }, - { IPPROTO_UDP, "udp" }, - { 0, NULL }, -}; - -int so; - -static char _addr1_[NI_MAXHOST], _addr2_[NI_MAXHOST]; - -char *pname; -int long_format = 0; -u_int32_t loglevel = 4; - -void dump_isakmp_sa __P((char *, int)); -void dump_internal __P((char *, int)); -char *pindex_isakmp __P((isakmp_index *)); -void print_schedule __P((caddr_t, int)); -char * fixed_addr __P((char *, char *, int)); - -static void -usage() -{ - printf( -"Usage:\n" -" %s reload-config\n" -" %s [-l [-l]] show-sa [protocol]\n" -" %s flush-sa [protocol]\n" -" %s delete-sa \n" -" %s establish-sa \n" -"\n" -" : \"isakmp\", \"esp\" or \"ah\".\n" -" In the case of \"show-sa\" or \"flush-sa\", you can use \"ipsec\".\n" -"\n" -" : \"isakmp\" \n" -" : {\"esp\",\"ah\"} \n" -" \n" -" : \"inet\" or \"inet6\"\n" -" : \"icmp\", \"tcp\", \"udp\" or \"any\"\n", - pname, pname, pname, pname, pname); -} - -int -main(ac, av) - int ac; - char **av; -{ - vchar_t *combuf; - int c; - - pname = *av; - - while ((c = getopt(ac, av, "ld")) != -1) { - switch(c) { - case 'l': - long_format++; - break; - - case 'd': - loglevel++; - break; - - default: - usage(); - exit(0); - } - } - - ac -= optind; - av += optind; - - combuf = get_combuf(ac, av); - if (!combuf) - err(1, "kmpstat"); - - if (loglevel) - hexdump(combuf, ((struct admin_com *)combuf)->ac_len); - - com_init(); - - if (com_send(combuf) < 0) - goto bad; - - vfree(combuf); - - combuf = com_recv(); - if (!combuf) - goto bad; - - exit(0); - - bad: - 
exit(1); -} - -static void -com_init() -{ - struct sockaddr_un name; - - memset(&name, 0, sizeof(name)); - name.sun_family = AF_UNIX; - snprintf(name.sun_path, sizeof(name.sun_path), - "%s", PORT_ADMIN); - - so = socket(AF_UNIX, SOCK_STREAM, 0); - if (so < 0) - err(1, "socket"); - - if (connect(so, (struct sockaddr *)&name, sizeof(name)) < 0) { - (void)close(so); - err(1, "connect"); - } -} - -static int -com_send(combuf) - vchar_t *combuf; -{ - int len; - - if ((len = send(so, combuf->v, combuf->l, 0)) < 0){ - perror("send"); - (void)close(so); - return -1; - } - - return len; -} - -static vchar_t * -com_recv() -{ - vchar_t *combuf = NULL; - struct admin_com h, *com; - caddr_t buf; - int len; - - /* receive by PEEK */ - len = recv(so, &h, sizeof(h), MSG_PEEK); - if (len == -1) - goto bad; - - /* sanity check */ - if (len < sizeof(h)) - return NULL; - if (len == 0) - goto bad; - - /* error ? */ - if (h.ac_errno) { - errno = h.ac_errno; - goto bad; - } - - /* allocate buffer */ - combuf = vmalloc(h.ac_len); - if (combuf == NULL) - goto bad; - - /* read real message */ - { - int l = 0; - caddr_t p = combuf->v; - while (l < combuf->l) { - if ((len = recv(so, p, h.ac_len, 0)) < 0) { - perror("recv"); - goto bad; - } - l += len; - p += len; - } - } - - com = (struct admin_com *)combuf->v; - len = com->ac_len - sizeof(*com); - buf = combuf->v + sizeof(*com); - - switch (com->ac_cmd) { - case ADMIN_SHOW_SCHED: - print_schedule(buf, len); - break; - - case ADMIN_SHOW_SA: - { - switch (com->ac_proto) { - case ADMIN_PROTO_ISAKMP: - dump_isakmp_sa(buf, len); - break; - case ADMIN_PROTO_IPSEC: - case ADMIN_PROTO_AH: - case ADMIN_PROTO_ESP: - { - struct sadb_msg *msg = (struct sadb_msg *)buf; - - switch (msg->sadb_msg_errno) { - case ENOENT: - switch (msg->sadb_msg_type) { - case SADB_DELETE: - case SADB_GET: - printf("No entry.\n"); - break; - case SADB_DUMP: - printf("No SAD entries.\n"); - break; - } - break; - case 0: - while (1) { - pfkey_sadump(msg); - if 
(msg->sadb_msg_seq == 0) - break; - msg = (struct sadb_msg *)((caddr_t)msg + - PFKEY_UNUNIT64(msg->sadb_msg_len)); - } - break; - default: - printf("%s.\n", strerror(msg->sadb_msg_errno)); - } - } - break; - case ADMIN_PROTO_INTERNAL: - dump_internal(buf, len); - break; - default: - printf("Invalid proto [%d]\n", com->ac_proto); - } - - } - break; - - default: - break; - } - - (void)close(so); - return combuf; - - bad: - (void)close(so); - return NULL; -} - -/* %%% */ -/* - * return command buffer. - */ -static vchar_t * -get_combuf(ac, av) - int ac; - char **av; -{ - struct cmd_tag *cp; - - if (ac == 0) { - usage(); - exit(0); - } - - /* checking the string of command. */ - for (cp = &cmdtab[0]; cp->str; cp++) { - if (strcmp(*av, cp->str) == 0) { - break; - } - } - if (!cp->str) { - printf("Invalid command [%s]\n", *av); - errno = EINVAL; - return NULL; - } - - ac--; - av++; - return (cp->func)(ac, av); -} - -static vchar_t * -f_reload(ac, av) - int ac; - char **av; -{ - vchar_t *buf; - struct admin_com *head; - - buf = vmalloc(sizeof(*head)); - if (buf == NULL) - errx(1, "not enough core"); - - head = (struct admin_com *)buf->v; - head->ac_len = buf->l; - head->ac_cmd = ADMIN_RELOAD_CONF; - head->ac_errno = 0; - head->ac_proto = 0; - - return buf; -} - -static vchar_t * -f_getsched(ac, av) - int ac; - char **av; -{ - vchar_t *buf; - struct admin_com *head; - - buf = vmalloc(sizeof(*head)); - if (buf == NULL) - errx(1, "not enough core"); - - head = (struct admin_com *)buf->v; - head->ac_len = buf->l; - head->ac_cmd = ADMIN_SHOW_SCHED; - head->ac_errno = 0; - head->ac_proto = 0; - - return buf; -} - -static vchar_t * -f_getsa(ac, av) - int ac; - char **av; -{ - vchar_t *buf; - struct admin_com *head; - int proto; - - /* need protocol */ - if (ac != 1) - errx(1, "insufficient arguments"); - proto = get_proto(*av); - if (proto == -1) - errx(1, "unknown protocol %s", *av); - - buf = vmalloc(sizeof(*head)); - if (buf == NULL) - errx(1, "not enough core"); - - head = 
(struct admin_com *)buf->v; - head->ac_len = buf->l; - head->ac_cmd = ADMIN_SHOW_SA; - head->ac_errno = 0; - head->ac_proto = proto; - - return buf; -} - -static vchar_t * -f_flushsa(ac, av) - int ac; - char **av; -{ - vchar_t *buf; - struct admin_com *head; - int proto; - - /* need protocol */ - if (ac != 1) - errx(1, "insufficient arguments"); - proto = get_proto(*av); - if (proto == -1) - errx(1, "unknown protocol %s", *av); - - buf = vmalloc(sizeof(*head)); - if (buf == NULL) - errx(1, "not enough core"); - - head = (struct admin_com *)buf->v; - head->ac_len = buf->l; - head->ac_cmd = ADMIN_FLUSH_SA; - head->ac_errno = 0; - head->ac_proto = proto; - - return buf; -} - -static vchar_t * -f_deletesa(ac, av) - int ac; - char **av; -{ - vchar_t *buf, *index; - struct admin_com *head; - int proto; - - /* need protocol */ - if (ac < 1) - errx(1, "insufficient arguments"); - proto = get_proto(*av); - if (proto == -1) - errx(1, "unknown protocol %s", *av); - - /* get index(es) */ - av++; - ac--; - switch (proto) { - case ADMIN_PROTO_ISAKMP: - index = get_index(ac, av); - if (index == NULL) - return NULL; - break; - case ADMIN_PROTO_AH: - case ADMIN_PROTO_ESP: - index = get_index(ac, av); - if (index == NULL) - return NULL; - break; - default: - errno = EPROTONOSUPPORT; - return NULL; - } - - buf = vmalloc(sizeof(*head) + index->l); - if (buf == NULL) - return NULL; - - head = (struct admin_com *)buf->v; - head->ac_len = buf->l + index->l; - head->ac_cmd = ADMIN_DELETE_SA; - head->ac_errno = 0; - head->ac_proto = proto; - - return buf; -} - -static vchar_t * -f_exchangesa(ac, av) - int ac; - char **av; -{ - vchar_t *buf, *index; - struct admin_com *head; - int proto; - - /* need protocol */ - if (ac < 1) - errx(1, "insufficient arguments"); - if ((proto = get_proto(*av)) == -1) - errx(1, "unknown protocol %s", *av); - - /* get index(es) */ - av++; - ac--; - switch (proto) { - case ADMIN_PROTO_ISAKMP: - index = get_index(ac, av); - if (index == NULL) - return NULL; - 
break; - case ADMIN_PROTO_AH: - case ADMIN_PROTO_ESP: - index = get_index(ac, av); - if (index == NULL) - return NULL; - break; - default: - errno = EPROTONOSUPPORT; - return NULL; - } - - buf = vmalloc(sizeof(*head) + index->l); - if (buf == NULL) - return NULL; - - head = (struct admin_com *)buf->v; - head->ac_len = buf->l; - head->ac_cmd = ADMIN_ESTABLISH_SA; - head->ac_errno = 0; - head->ac_proto = proto; - - memcpy(buf->v+sizeof(*head), index->v, index->l); - - return buf; -} - -static int -get_proto(str) - char *str; -{ - struct proto_tag *cp; - - if (str == NULL) { - errno = EINVAL; - return -1; - } - - /* checking the string of command. */ - for (cp = &prototab[0]; cp->str; cp++) { - if (strcmp(str, cp->str) == 0) - return cp->proto; - } - - errno = EINVAL; - return -1; -} - -static vchar_t * -get_index(ac, av) - int ac; - char **av; -{ - int family; - - if (ac != 3 && ac != 4) { - errno = EINVAL; - return NULL; - } - - /* checking the string of family */ - family = get_family(*av); - if (family == -1) - return NULL; - av++; - ac--; - - return get_comindexes(family, ac, av); -} - -static int -get_family(str) - char *str; -{ - if (strcmp("inet", str) == 0) - return AF_INET; -#ifdef INET6 - else if (strcmp("inet6", str) == 0) - return AF_INET6; -#endif - errno = EAFNOSUPPORT; - return -1; -} - -static vchar_t * -get_comindexes(family, ac, av) - int family; - int ac; - char **av; -{ - vchar_t *buf; - struct admin_com_indexes *ci; - char *p_name = NULL, *p_port = NULL; - char *p_prefs = NULL, *p_prefd = NULL; - struct sockaddr *src = NULL, *dst = NULL; - int ulproto; - - if (ac != 2 && ac != 3) { - errno = EINVAL; - return NULL; - } - - if (get_comindex(*av, &p_name, &p_port, &p_prefs) == -1) - goto bad; - src = get_sockaddr(family, p_name, p_port); - if (p_name) { - racoon_free(p_name); - p_name = NULL; - } - if (p_port) { - racoon_free(p_port); - p_port = NULL; - } - if (src == NULL) - goto bad; - av++; - ac--; - if (get_comindex(*av, &p_name, &p_port, 
&p_prefd) == -1) - goto bad; - dst = get_sockaddr(family, p_name, p_port); - if (p_name) { - racoon_free(p_name); - p_name = NULL; - } - if (p_port) { - racoon_free(p_port); - p_port = NULL; - } - if (dst == NULL) - goto bad; - - buf = vmalloc(sizeof(*ci)); - if (buf == NULL) - goto bad; - - av++; - ac--; - if(ac){ - ulproto = get_ulproto(*av); - if (ulproto == -1) - goto bad; - }else - ulproto=0; - - ci = (struct admin_com_indexes *)buf->v; - if(p_prefs) - ci->prefs = (u_int8_t)atoi(p_prefs); /* XXX should be handled error. */ - else - ci->prefs = 32; - if(p_prefd) - ci->prefd = (u_int8_t)atoi(p_prefd); /* XXX should be handled error. */ - else - ci->prefd = 32; - ci->ul_proto = ulproto; - memcpy(&ci->src, src, src->sa_len); - memcpy(&ci->dst, dst, dst->sa_len); - - if (p_name) - racoon_free(p_name); - - return buf; - - bad: - if (p_name) - racoon_free(p_name); - if (p_port) - racoon_free(p_port); - if (p_prefs) - racoon_free(p_prefs); - if (p_prefd) - racoon_free(p_prefd); - return NULL; -} - -static int -get_comindex(str, name, port, pref) - char *str, **name, **port, **pref; -{ - char *p; - - *name = *port = *pref = NULL; - - *name = strdup(str); - p = strpbrk(*name, "/["); - if (p != NULL) { - if (*(p + 1) == '\0') - goto bad; - if (*p == '/') { - *p = '\0'; - *pref = strdup(p + 1); - p = strchr(*pref, '['); - if (p != NULL) { - if (*(p + 1) == '\0') - goto bad; - *p = '\0'; - *port = strdup(p + 1); - p = strchr(*pref, ']'); - if (p == NULL) - goto bad; - *p = '\0'; - } - } else if (*p == '[') { - *p = '\0'; - *port = strdup(p + 1); - p = strchr(*pref, ']'); - if (p == NULL) - goto bad; - *p = '\0'; - } else { - /* XXX */ - } - } - - return 0; - - bad: - - if (*name) - racoon_free(*name); - if (*port) - racoon_free(*port); - if (*pref) - racoon_free(*pref); - *name = *port = *pref = NULL; - return -1; -} - -static struct sockaddr * -get_sockaddr(family, name, port) - int family; - char *name, *port; -{ - struct addrinfo hint, *ai; - int error; - - 
memset(&hint, 0, sizeof(hint)); - hint.ai_family = PF_UNSPEC; - hint.ai_family = family; - hint.ai_socktype = SOCK_STREAM; - - error = getaddrinfo(name, port, &hint, &ai); - if (error != 0) { - printf("%s: %s/%s\n", gai_strerror(error), name, port); - return NULL; - } - - return ai->ai_addr; -} - -static int -get_ulproto(str) - char *str; -{ - struct ulproto_tag *cp; - - if(str == NULL){ - errno = EINVAL; - return -1; - } - - /* checking the string of upper layer protocol. */ - for (cp = &ulprototab[0]; cp->str; cp++) { - if (strcmp(str, cp->str) == 0) - return cp->ul_proto; - } - - errno = EINVAL; - return -1; -} - -/* %%% */ -void -dump_isakmp_sa(buf, len) - char *buf; - int len; -{ - struct ph1dump *pd; - struct tm *tm; - char tbuf[56]; - caddr_t p = NULL; - -/* isakmp status header */ -/* short header; - 1234567890123456789012 0000000000000000:0000000000000000 000000000000 -*/ -char *header1 = -"Destination Cookies Created"; - -/* semi long header; - 1234567890123456789012 0000000000000000:0000000000000000 00 X 00 X 0000-00-00 00:00:00 000000 -*/ -char *header2 = -"Destination Cookies ST S V E Created Phase2"; - -/* long header; - 0000:0000:0000:0000:0000:0000:0000:0000.00000 0000:0000:0000:0000:0000:0000:0000:0000.00000 0000000000000000:0000000000000000 00 X 00 X 0000-00-00 00:00:00 000000 -*/ -char *header3 = -"Source Destination Cookies ST S V E Created Phase2"; - -/* phase status header */ -/* short format; - side stats source address destination address - xxx xxxxx 1234567890123456789012 1234567890123456789012 -*/ - - static char *estr[] = { "", "B", "M", "U", "A", "I", }; - - switch (long_format) { - case 0: - printf("%s\n", header1); - break; - case 1: - printf("%s\n", header2); - break; - case 2: - default: - printf("%s\n", header3); - break; - } - - if (len % sizeof(*pd)) - printf("invalid length %d\n", len); - len /= sizeof(*pd); - - pd = (struct ph1dump *)buf; - - while (len-- > 0) { - /* source address */ - if (long_format >= 2) { - 
GETNAMEINFO((struct sockaddr *)&pd->local, _addr1_, _addr2_); - switch (long_format) { - case 0: - break; - case 1: - p = fixed_addr(_addr1_, _addr2_, 22); - break; - case 2: - default: - p = fixed_addr(_addr1_, _addr2_, 45); - break; - } - printf("%s ", p); - } - - /* destination address */ - GETNAMEINFO((struct sockaddr *)&pd->remote, _addr1_, _addr2_); - switch (long_format) { - case 0: - case 1: - p = fixed_addr(_addr1_, _addr2_, 22); - break; - case 2: - default: - p = fixed_addr(_addr1_, _addr2_, 45); - break; - } - printf("%s ", p); - - printf("%s ", pindex_isakmp(&pd->index)); - - /* statuc, side and version */ - if (long_format >= 1) { - printf("%2d %c %2x ", - pd->status, - pd->side == INITIATOR ? 'I' : 'R', - pd->version); - if (ARRAYLEN(estr) > pd->etype) - printf("%s ", estr[pd->etype]); - } - - /* created date */ - if (pd->created) { - tm = localtime(&pd->created); - strftime(tbuf, sizeof(tbuf), "%Y-%m-%d %T", tm); - } else - snprintf(tbuf, sizeof(tbuf), " "); - printf("%s ", tbuf); - - /* counter of phase 2 */ - if (long_format >= 1) - printf("%6d ", pd->ph2cnt); - - printf("\n"); - - pd++; - } - - return; -} - -/* %%% */ -void -dump_internal(buf, tlen) - char *buf; - int tlen; -{ - struct ph2handle *iph2; - struct sockaddr *addr; - -/* -short header; - source address destination address - 1234567890123456789012 1234567890123456789012 -*/ -char *short_h1 = -"Source Destination "; - -/* -long header; - source address destination address - 123456789012345678901234567890123456789012345 123456789012345678901234567890123456789012345 - 0000:0000:0000:0000:0000:0000:0000:0000.00000 0000:0000:0000:0000:0000:0000:0000:0000.00000 0000:0000:0000:0000:0000:0000:0000:0000.00000 -*/ -char *long_h1 = -"Source Destination "; - - printf("%s\n", long_format ? long_h1 : short_h1); - - while (tlen > 0) { - iph2 = (struct ph2handle *)buf; - addr = (struct sockaddr *)(++iph2); - - GETNAMEINFO(addr, _addr1_, _addr2_); - printf("%s ", long_format ? 
- fixed_addr(_addr1_, _addr2_, 45) - : fixed_addr(_addr1_, _addr2_, 22)); - addr++; - tlen -= addr->sa_len; - - GETNAMEINFO(addr, _addr1_, _addr2_); - printf("%s ", long_format ? - fixed_addr(_addr1_, _addr2_, 45) - : fixed_addr(_addr1_, _addr2_, 22)); - addr++; - tlen -= addr->sa_len; - - printf("\n"); - } - - return; -} - -/* %%% */ -char * -pindex_isakmp(index) - isakmp_index *index; -{ - static char buf[64]; - u_char *p; - int i, j; - - memset(buf, 0, sizeof(buf)); - - /* copy index */ - p = (u_char *)index; - for (j = 0, i = 0; i < sizeof(isakmp_index); i++) { - snprintf((char *)&buf[j], sizeof(buf) - j, "%02x", p[i]); - j += 2; - switch (i) { - case 7: -#if 0 - case 15: -#endif - buf[j++] = ':'; - } - } - - return buf; -} - -/* print schedule */ -char *str_sched_stat[] = { -"off", -"on", -"dead", -}; - -char *str_sched_id[] = { -"PH1resend", -"PH1lifetime", -"PH2resend", -"PSTacquire", -"PSTlifetime", -}; - -void -print_schedule(buf, len) - caddr_t buf; - int len; -{ - struct scheddump *sc = (struct scheddump *)buf; - struct tm *tm; - char tbuf[56]; - - if (len % sizeof(*sc)) - printf("invalid length %d\n", len); - len /= sizeof(*sc); - - /* 00000000 00000000 00000000 xxx........*/ - printf("index tick xtime created\n"); - - while (len-- > 0) { - tm = localtime(&sc->created); - strftime(tbuf, sizeof(tbuf), "%Y-%m-%d %T", tm); - - printf("%-8ld %-8ld %-8ld %s\n", - sc->id, - (long)sc->tick, - (long)sc->xtime, - tbuf); - sc++; - } - - return; -} - -char * -fixed_addr(addr, port, len) - char *addr, *port; - int len; -{ - static char _addr_buf_[BUFSIZ]; - char *p; - int plen, i; - - /* initialize */ - memset(_addr_buf_, ' ', sizeof(_addr_buf_)); - - plen = strlen(port); - if (len < plen + 1) - return NULL; - - p = _addr_buf_; - for (i = 0; i < len - plen - 1 && addr[i] != '\0'; /*noting*/) - *p++ = addr[i++]; - *p++ = '.'; - - for (i = 0; i < plen && port[i] != '\0'; /*noting*/) - *p++ = port[i++]; - - _addr_buf_[len] = '\0'; - - return _addr_buf_; -} 
diff --git a/kame/kame/racoon/localconf.c b/kame/kame/racoon/localconf.c
deleted file mode 100644
index c4f1d14a45..0000000000
--- a/kame/kame/racoon/localconf.c
+++ /dev/null
@@ -1,324 +0,0 @@
-/* $KAME: localconf.c,v 1.33 2001/08/09 07:32:19 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include -#include - -#include -#include -#include -#include -#include -#include - -#include "var.h" -#include "misc.h" -#include "vmbuf.h" -#include "plog.h" -#include "debug.h" - -#include "localconf.h" -#include "algorithm.h" -#include "isakmp_var.h" -#include "isakmp.h" -#include "ipsec_doi.h" -#include "grabmyaddr.h" -#include "vendorid.h" -#include "str2val.h" -#include "safefile.h" -#include "admin.h" -#include "gcmalloc.h" - -struct localconf *lcconf; - -static void setdefault __P((void)); -static vchar_t *getpsk __P((const char *, const int)); - -void -initlcconf() -{ - lcconf = racoon_calloc(1, sizeof(*lcconf)); - if (lcconf == NULL) - errx(1, "failed to allocate local conf."); - - setdefault(); - - lcconf->racoon_conf = LC_DEFAULT_CF; -} - -void -flushlcconf() -{ - int i; - - setdefault(); - clear_myaddr(&lcconf->myaddrs); - for (i = 0; i < LC_PATHTYPE_MAX; i++) { - if (lcconf->pathinfo[i]) { - racoon_free(lcconf->pathinfo[i]); - lcconf->pathinfo[i] = NULL; - } - } - for (i = 0; i < LC_IDENTTYPE_MAX; i++) { - if (lcconf->ident[i]) - vfree(lcconf->ident[i]); - lcconf->ident[i] = NULL; - } -} - -static void -setdefault() -{ - lcconf->autograbaddr = 1; - lcconf->port_isakmp = PORT_ISAKMP; - lcconf->default_af = AF_INET; - lcconf->pad_random = LC_DEFAULT_PAD_RANDOM; - lcconf->pad_randomlen = LC_DEFAULT_PAD_RANDOMLEN; - lcconf->pad_maxsize = LC_DEFAULT_PAD_MAXSIZE; - lcconf->pad_strict = LC_DEFAULT_PAD_STRICT; - lcconf->pad_excltail = LC_DEFAULT_PAD_EXCLTAIL; - lcconf->retry_counter = LC_DEFAULT_RETRY_COUNTER; - lcconf->retry_interval = LC_DEFAULT_RETRY_INTERVAL; - lcconf->count_persend = LC_DEFAULT_COUNT_PERSEND; - lcconf->secret_size = LC_DEFAULT_SECRETSIZE; - lcconf->retry_checkph1 = LC_DEFAULT_RETRY_CHECKPH1; - lcconf->wait_ph2complete = LC_DEFAULT_WAIT_PH2COMPLETE; - lcconf->strict_address = FALSE; - lcconf->complex_bundle = TRUE; /*XXX FALSE;*/ -} - -/* - * get PSK by string. 
- */ -vchar_t * -getpskbyname(id0) - vchar_t *id0; -{ - char *id; - vchar_t *key = NULL; - - id = racoon_calloc(1, 1 + id0->l - sizeof(struct ipsecdoi_id_b)); - if (id == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get psk buffer.\n"); - goto end; - } - memcpy(id, id0->v + sizeof(struct ipsecdoi_id_b), - id0->l - sizeof(struct ipsecdoi_id_b)); - id[id0->l - sizeof(struct ipsecdoi_id_b)] = '\0'; - - key = getpsk(id, id0->l - sizeof(struct ipsecdoi_id_b)); - -end: - if (id) - racoon_free(id); - return key; -} - -/* - * get PSK by address. - */ -vchar_t * -getpskbyaddr(remote) - struct sockaddr *remote; -{ - vchar_t *key = NULL; - char addr[NI_MAXHOST], port[NI_MAXSERV]; - - GETNAMEINFO(remote, addr, port); - - key = getpsk(addr, strlen(addr)); - - return key; -} - -static vchar_t * -getpsk(str, len) - const char *str; - const int len; -{ - FILE *fp; - char buf[1024]; /* XXX how is variable length ? */ - vchar_t *key = NULL; - char *p, *q; - size_t keylen; - char *k = NULL; - - if (safefile(lcconf->pathinfo[LC_PATHTYPE_PSK], 1) == 0) - fp = fopen(lcconf->pathinfo[LC_PATHTYPE_PSK], "r"); - else - fp = NULL; - if (fp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to open pre_share_key file %s\n", - lcconf->pathinfo[LC_PATHTYPE_PSK]); - return NULL; - } - - while (fgets(buf, sizeof(buf), fp) != NULL) { - /* comment line */ - if (buf[0] == '#') - continue; - - /* search the end of 1st string. */ - for (p = buf; *p != '\0' && !isspace(*p); p++) - ; - if (*p == '\0') - continue; /* no 2nd parameter */ - *p = '\0'; - /* search the 1st of 2nd string. 
*/ - while (isspace(*++p)) - ; - if (*p == '\0') - continue; /* no 2nd parameter */ - p--; - if (strncmp(buf, str, len) == 0 && buf[len] == '\0') { - p++; - keylen = 0; - for (q = p; *q != '\0' && *q != '\n'; q++) - keylen++; - *q = '\0'; - - /* fix key if hex string */ - if (strncmp(p, "0x", 2) == 0) { - k = str2val(p + 2, 16, &keylen); - if (k == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get psk buffer.\n"); - goto end; - } - p = k; - } - - key = vmalloc(keylen); - if (key == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate key buffer.\n"); - goto end; - } - memcpy(key->v, p, key->l); - if (k) - racoon_free(k); - goto end; - } - } - -end: - fclose(fp); - return key; -} - -/* - * get a file name of a type specified. - */ -void -getpathname(path, len, type, name) - char *path; - int len, type; - const char *name; -{ - snprintf(path, len, "%s%s%s", - name[0] == '/' ? "" : lcconf->pathinfo[type], - name[0] == '/' ? "" : "/", - name); - - plog(LLV_DEBUG, LOCATION, NULL, "filename: %s\n", path); -} - -#if 0 /* DELETEIT */ -static int lc_doi2idtype[] = { - -1, - -1, - LC_IDENTTYPE_FQDN, - LC_IDENTTYPE_USERFQDN, - -1, - -1, - -1, - -1, - -1, - LC_IDENTTYPE_CERTNAME, - -1, - LC_IDENTTYPE_KEYID, -}; - -/* - * convert DOI value to idtype - * OUT -1 : NG - * other: converted. - */ -int -doi2idtype(idtype) - int idtype; -{ - if (ARRAYLEN(lc_doi2idtype) > idtype) - return lc_doi2idtype[idtype]; - return -1; -} -#endif - -static int lc_sittype2doi[] = { - IPSECDOI_SIT_IDENTITY_ONLY, - IPSECDOI_SIT_SECRECY, - IPSECDOI_SIT_INTEGRITY, -}; - -/* - * convert sittype to DOI value. - * OUT -1 : NG - * other: converted. - */ -int -sittype2doi(sittype) - int sittype; -{ - if (ARRAYLEN(lc_sittype2doi) > sittype) - return lc_sittype2doi[sittype]; - return -1; -} - -static int lc_doitype2doi[] = { - IPSEC_DOI, -}; - -/* - * convert doitype to DOI value. - * OUT -1 : NG - * other: converted. 
- */
-int
-doitype2doi(doitype)
- int doitype;
-{
- if (ARRAYLEN(lc_doitype2doi) > doitype)
- return lc_doitype2doi[doitype];
- return -1;
-}
-
diff --git a/kame/kame/racoon/localconf.h b/kame/kame/racoon/localconf.h
deleted file mode 100644
index e7435337d3..0000000000
--- a/kame/kame/racoon/localconf.h
+++ /dev/null
@@ -1,111 +0,0 @@
-/* $KAME: localconf.h,v 1.28 2001/12/11 23:44:08 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* local configuration */
-
-#define LC_DEFAULT_CF SYSCONFDIR "/racoon.conf"
-
-#define LC_PATHTYPE_INCLUDE 0
-#define LC_PATHTYPE_PSK 1
-#define LC_PATHTYPE_CERT 2
-#define LC_PATHTYPE_BACKUPSA 3
-#define LC_PATHTYPE_MAX 4
-
-#define LC_DEFAULT_PAD_MAXSIZE 20
-#define LC_DEFAULT_PAD_RANDOM TRUE
-#define LC_DEFAULT_PAD_RANDOMLEN FALSE
-#define LC_DEFAULT_PAD_STRICT FALSE
-#define LC_DEFAULT_PAD_EXCLTAIL TRUE
-#define LC_DEFAULT_RETRY_COUNTER 5
-#define LC_DEFAULT_RETRY_INTERVAL 10
-#define LC_DEFAULT_COUNT_PERSEND 1
-#define LC_DEFAULT_RETRY_CHECKPH1 30
-#define LC_DEFAULT_WAIT_PH2COMPLETE 30
-
-#define LC_DEFAULT_SECRETSIZE 16 /* 128 bits */
-
-#define LC_IDENTTYPE_MAX 5 /* XXX */
-
-struct localconf {
- char *racoon_conf; /* configuration filename */
-
- u_int16_t port_isakmp; /* port for isakmp as default */
- u_int16_t port_admin; /* port for admin */
- int default_af; /* default address family */
-
- int sock_admin;
- int sock_pfkey;
- int rtsock; /* routing socket */
-
- int autograbaddr;
- struct myaddrs *myaddrs;
-
- char *pathinfo[LC_PATHTYPE_MAX];
- vchar_t *ident[LC_IDENTTYPE_MAX]; /* base of Identifier payload. */
-
- int pad_random;
- int pad_randomlen;
- int pad_maxsize;
- int pad_strict;
- int pad_excltail;
-
- int retry_counter; /* times to retry. */
- int retry_interval; /* interval each retry. */
- int count_persend; /* the number of packets each retry. */
- /* above 3 values are copied into a handler. */
-
- int retry_checkph1;
- int wait_ph2complete;
-
- int secret_size;
- int strict_address; /* strictly check addresses. */
-
- int complex_bundle;
- /*
- * If we want to make a packet "IP2 AH ESP IP1 ULP",
- * the SPD in KAME expresses AH transport + ESP tunnel.
- * So racoon sent the proposal contained such the order.
- * But lots of implementation interprets AH tunnel + ESP
- * tunnel in this case. racoon has changed the format,
- * usually uses this format. If the option, 'complex_bundle'
- * is enable, racoon uses old format.
- */
-};
-
-extern struct localconf *lcconf;
-
-extern void initlcconf __P((void));
-extern void flushlcconf __P((void));
-extern vchar_t *getpskbyname __P((vchar_t *));
-extern vchar_t *getpskbyaddr __P((struct sockaddr *));
-extern void getpathname __P((char *, int, int, const char *));
-extern int sittype2doi __P((int));
-extern int doitype2doi __P((int));
diff --git a/kame/kame/racoon/logger.c b/kame/kame/racoon/logger.c
deleted file mode 100644
index b42a9d3f77..0000000000
--- a/kame/kame/racoon/logger.c
+++ /dev/null
@@ -1,258 +0,0 @@
-/* $KAME: logger.c,v 1.9 2002/09/03 14:37:03 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include -#include - -#include -#include -#include -#include -#ifdef HAVE_STDARG_H -#include -#else -#include -#endif -#if TIME_WITH_SYS_TIME -# include -# include -#else -# if HAVE_SYS_TIME_H -# include -# else -# include -# endif -#endif - -#include "logger.h" -#include "var.h" -#include "gcmalloc.h" - -struct log * -log_open(siz, fname) - size_t siz; - char *fname; -{ - struct log *p; - - p = (struct log *)racoon_malloc(sizeof(*p)); - if (p == NULL) - return NULL; - memset(p, 0, sizeof(*p)); - - p->buf = (char **)racoon_malloc(sizeof(char *) * siz); - if (p->buf == NULL) { - racoon_free(p); - return NULL; - } - memset(p->buf, 0, sizeof(char *) * siz); - - p->tbuf = (time_t *)racoon_malloc(sizeof(time_t *) * siz); - if (p->tbuf == NULL) { - racoon_free(p->buf); - racoon_free(p); - return NULL; - } - memset(p->tbuf, 0, sizeof(time_t *) * siz); - - p->siz = siz; - if (fname) - p->fname = strdup(fname); - - return p; -} - -/* - * append string to ring buffer. - * string must be \n-terminated (since we add timestamps). - * even if not, we'll add \n to avoid formatting mistake (see log_close()). - */ -void -log_add(p, str) - struct log *p; - char *str; -{ - /* syslog if p->fname == NULL? */ - if (p->buf[p->head]) - racoon_free(p->buf[p->head]); - p->buf[p->head] = strdup(str); - p->tbuf[p->head] = time(NULL); - p->head++; - p->head %= p->siz; -} - -/* - * write out string to the log file, as is. - * \n-termination is up to the caller. if you don't add \n, the file - * format may be broken. - */ -int -log_print(p, str) - struct log *p; - char *str; -{ - FILE *fp; - - if (p->fname == NULL) - return -1; /*XXX syslog?*/ - fp = fopen(p->fname, "a"); - if (fp == NULL) - return -1; - fprintf(fp, "%s", str); - fclose(fp); - - return 0; -} - -int -log_vprint(struct log *p, const char *fmt, ...) 
-{ - va_list ap; - - FILE *fp; - - if (p->fname == NULL) - return -1; /*XXX syslog?*/ - fp = fopen(p->fname, "a"); - if (fp == NULL) - return -1; - va_start(ap, fmt); - vfprintf(fp, fmt, ap); - va_end(ap); - - fclose(fp); - - return 0; -} - -int -log_vaprint(struct log *p, const char *fmt, va_list ap) -{ - FILE *fp; - - if (p->fname == NULL) - return -1; /*XXX syslog?*/ - fp = fopen(p->fname, "a"); - if (fp == NULL) - return -1; - vfprintf(fp, fmt, ap); - fclose(fp); - - return 0; -} - -/* - * write out content of ring buffer, and reclaim the log structure - */ -int -log_close(p) - struct log *p; -{ - FILE *fp; - int i, j; - char ts[256]; - struct tm *tm; - - if (p->fname == NULL) - goto nowrite; - fp = fopen(p->fname, "a"); - if (fp == NULL) - goto nowrite; - - for (i = 0; i < p->siz; i++) { - j = (p->head + i) % p->siz; - if (p->buf[j]) { - tm = localtime(&p->tbuf[j]); - strftime(ts, sizeof(ts), "%B %d %T", tm); - fprintf(fp, "%s: %s\n", ts, p->buf[j]); - if (*(p->buf[j] + strlen(p->buf[j]) - 1) != '\n') - fprintf(fp, "\n"); - } - } - fclose(fp); - -nowrite: - log_free(p); - return 0; -} - -void -log_free(p) - struct log *p; -{ - int i; - - for (i = 0; i < p->siz; i++) - racoon_free(p->buf[i]); - racoon_free(p->buf); - racoon_free(p->tbuf); - if (p->fname) - racoon_free(p->fname); - racoon_free(p); -} - -#ifdef TEST -struct log *l; - -void -vatest(const char *fmt, ...) -{ - va_list ap; - va_start(ap, fmt); - log_vaprint(l, fmt, ap); - va_end(ap); -} - -int -main(argc, argv) - int argc; - char **argv; -{ - int i; - - l = log_open(30, "/tmp/hoge"); - if (l == NULL) - errx(1, "hoge"); - - for (i = 0; i < 50; i++) { - log_add(l, "foo"); - log_add(l, "baa"); - log_add(l, "baz"); - } - log_print(l, "hoge\n"); - log_vprint(l, "hoge %s\n", "this is test"); - vatest("%s %s\n", "this is", "vprint test"); - abort(); - log_free(l); -} - -#endif - diff --git a/kame/kame/racoon/logger.h b/kame/kame/racoon/logger.h deleted file mode 100644 index eb5c556f15..0000000000 
--- a/kame/kame/racoon/logger.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/* $KAME: logger.h,v 1.4 2000/10/04 17:41:01 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-struct log {
- int head;
- int siz;
- char **buf;
- time_t *tbuf;
- char *fname;
-};
-
-extern struct log *log_open __P((size_t, char *));
-extern void log_add __P((struct log *, char *));
-extern int log_print __P((struct log *, char *));
-extern int log_vprint __P((struct log *, const char *, ...));
-extern int log_vaprint __P((struct log *, const char *, va_list));
-extern int log_close __P((struct log *));
-extern void log_free __P((struct log *));
diff --git a/kame/kame/racoon/main.c b/kame/kame/racoon/main.c
deleted file mode 100644
index 710b740423..0000000000
--- a/kame/kame/racoon/main.c
+++ /dev/null
@@ -1,407 +0,0 @@
-/* $KAME: main.c,v 1.51 2004/09/10 04:55:41 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include
-#include
-#include
-#include
-
-#include
-
-#include
-#include
-#include
-#include
-#include
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-#include
-#include
-
-/*
- * If we're using a debugging malloc library, this may define our
- * wrapper stubs.
- */ -#define RACOON_MAIN_PROGRAM -#include "gcmalloc.h" - -#include "var.h" -#include "misc.h" -#include "vmbuf.h" -#include "plog.h" -#include "debug.h" - -#include "cfparse_proto.h" -#include "isakmp_var.h" -#include "remoteconf.h" -#include "localconf.h" -#include "session.h" -#include "oakley.h" -#include "pfkey.h" -#include "crypto_openssl.h" -#include "backupsa.h" -#ifndef HAVE_ARC4RANDOM -#include "arc4random.h" -#endif - -int f_foreground = 0; /* force running in foreground. */ -int f_local = 0; /* local test mode. behave like a wall. */ -int vflag = 1; /* for print-isakmp.c */ -static int loading_sa = 0; /* install sa when racoon boots up. */ - -#define RACOON_VERSION "20001216 sakane@kame.net" -#ifdef RACOON_PKG_VERSION -static char version0[] = "@(#)package version " RACOON_PKG_VERSION ; -static char version[] = "@(#)internal version " RACOON_VERSION ; -#else -static char version[] = "@(#)racoon 20001216 " RACOON_VERSION ; -#endif -static pid_t racoon_pid = 0; - -int main __P((int, char **)); -static void usage __P((void)); -static void parse __P((int, char **)); -static void restore_params __P((void)); -static void save_params __P((void)); -static void saverestore_params __P((int)); -#if 0 -static void cleanup_pidfile __P((void)); -#endif - -void -usage() -{ - printf("usage: racoon [-BdFv%s] %s[-f (file)] [-l (file)] [-p (port)]\n", -#ifdef INET6 - "46", -#else - "", -#endif -#ifdef ENABLE_ADMINPORT - "[-a (port)] " -#else - "" -#endif - ); - printf(" -B: install SA to the kernel from the file " - "specified by the configuration file.\n"); - printf(" -d: debug level, more -d will generate more debug message.\n"); - printf(" -F: run in foreground, do not become daemon.\n"); - printf(" -v: be more verbose\n"); -#ifdef INET6 - printf(" -4: IPv4 mode.\n"); - printf(" -6: IPv6 mode.\n"); -#endif -#ifdef ENABLE_ADMINPORT - printf(" -a: port number for admin port.\n"); -#endif - printf(" -f: pathname for configuration file.\n"); - printf(" -l: pathname for 
log file.\n"); - printf(" -p: port number for isakmp (default: %d).\n", PORT_ISAKMP); - exit_program(1, NULL); -} - -int -main(ac, av) - int ac; - char **av; -{ - int error; - - if (geteuid() != 0) { - errx(1, "must be root to invoke this program."); - /* NOTREACHED*/ - } - - /* - * Don't let anyone read files I write. Although some files (such as - * the PID file) can be other readable, we dare to use the global mask, - * because racoon uses fopen(3), which can't specify the permission - * at the creation time. - */ - umask(077); - if (umask(077) != 077) { - errx(1, "could not set umask"); - /* NOTREACHED*/ - } - -#ifdef DEBUG_RECORD_MALLOCATION - DRM_init(); -#endif - - initlcconf(); - initrmconf(); - oakley_dhinit(); - eay_init_error(); - - parse(ac, av); - - ploginit(); - (void)arc4random(); /* XXX test if random number is available */ - -#ifdef RACOON_PKG_VERSION - plog(LLV_INFO, LOCATION, NULL, "%s\n", version0); -#endif - plog(LLV_INFO, LOCATION, NULL, "%s\n", version); - plog(LLV_INFO, LOCATION, NULL, "@(#)" - "This product linked %s (http://www.openssl.org/)" - "\n", eay_version()); - - if (pfkey_init() < 0) { - exit_program(1, "something error happened " - "while pfkey initializing."); - /* NOTREACHED*/ - } - - /* - * in order to prefer the parameters by command line, - * saving some parameters before parsing configuration file. - */ - save_params(); - error = cfparse(); - if (error != 0) - exit_program(1, "failed to parse configuration file."); - restore_params(); - - /* - * install SAs from the specified file. If the file is not specified - * by the configuration file, racoon will exit. - */ - if (loading_sa && !f_local) { - if (backupsa_from_file() != 0) - exit_program(1, "something error happened " - "SA recovering."); - } - - if (f_foreground) - close(0); - else { - const char *pid_file = _PATH_VARRUN "racoon.pid"; - FILE *fp; - - if (daemon(0, 0) < 0) { - exit_program(1, "failed to be daemon. 
(%s)", - strerror(errno)); - } - /* - * In case somebody has started inetd manually, we need to - * clear the logname, so that old servers run as root do not - * get the user's logname.. - */ - if (setlogin("") < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "cannot clear logname: %s\n", strerror(errno)); - /* no big deal if it fails.. */ - } - racoon_pid = getpid(); - fp = fopen(pid_file, "w"); - if (fp) { - if (fchmod(fileno(fp), - S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) == -1) { - error = errno; - fclose(fp); - exit_program(1, "%s", strerror(error)); - } - fprintf(fp, "%ld\n", (long)racoon_pid); - fclose(fp); - } else { - plog(LLV_ERROR, LOCATION, NULL, - "cannot open %s", pid_file); - } - if (!f_local) { -#if 0 - if (atexit(cleanup_pidfile) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "cannot register pidfile cleanup"); - } -#endif - } - } - - (void)session(); - - exit_program(0, NULL); - - /*NOTREACHED*/ - exit(0); -} - -#if 0 -static void -cleanup_pidfile() -{ - pid_t p = getpid(); - - /* if it's not child process, clean everything */ - if (racoon_pid == p) { - const char *pid_file = _PATH_VARRUN "racoon.pid"; - - (void) unlink(pid_file); - } -} -#endif - -static void -parse(ac, av) - int ac; - char **av; -{ - extern char *optarg; - extern int optind; - int c; -#ifdef YYDEBUG - extern int yydebug; -#endif - - pname = strrchr(*av, '/'); - if (pname) - pname++; - else - pname = *av; - - while ((c = getopt(ac, av, "dFp:a:f:l:vZB" -#ifdef YYDEBUG - "y" -#endif -#ifdef INET6 - "46" -#endif - )) != -1) { - switch (c) { - case 'd': - loglevel++; - break; - case 'F': - printf("Foreground mode.\n"); - f_foreground = 1; - break; - case 'p': - lcconf->port_isakmp = atoi(optarg); - break; - case 'a': -#ifdef ENABLE_ADMINPORT - lcconf->port_admin = atoi(optarg); - break; -#else - fprintf(stderr, "%s: the option is disabled " - "in the configuration\n", pname); - exit(1); -#endif - case 'f': - lcconf->racoon_conf = optarg; - break; - case 'l': - plogset(optarg); - break; - case 
'v': - vflag++; - break; - case 'Z': - /* - * only local test. - * To specify -Z option and to choice a appropriate - * port number for ISAKMP, you can launch some racoons - * on the local host for debug. - * pk_sendadd() on initiator side is always failed - * even if this flag is used. Because there is same - * spi in the SAD which is inserted by pk_sendgetspi() - * on responder side. - */ - printf("Local test mode.\n"); - f_local = 1; - break; -#ifdef YYDEBUG - case 'y': - yydebug = 1; - break; -#endif -#ifdef INET6 - case '4': - lcconf->default_af = AF_INET; - break; - case '6': - lcconf->default_af = AF_INET6; - break; -#endif - case 'B': - loading_sa++; - break; - default: - usage(); - /* NOTREACHED */ - } - } - ac -= optind; - av += optind; - - if (ac != 0) { - usage(); - /* NOTREACHED */ - } - - return; -} - -static void -restore_params() -{ - saverestore_params(1); -} - -static void -save_params() -{ - saverestore_params(0); -} - -static void -saverestore_params(f) - int f; -{ - static u_int16_t s_port_isakmp; -#ifdef ENABLE_ADMINPORT - static u_int16_t s_port_admin; -#endif - - /* 0: save, 1: restore */ - if (f) { - lcconf->port_isakmp = s_port_isakmp; -#ifdef ENABLE_ADMINPORT - lcconf->port_admin = s_port_admin; -#endif - } else { - s_port_isakmp = lcconf->port_isakmp; -#ifdef ENABLE_ADMINPORT - s_port_admin = lcconf->port_admin; -#endif - } -} diff --git a/kame/kame/racoon/misc.c b/kame/kame/racoon/misc.c deleted file mode 100644 index 35dfb68b87..0000000000 --- a/kame/kame/racoon/misc.c +++ /dev/null 
@@ -1,167 +0,0 @@
-/* $KAME: misc.c,v 1.23 2001/08/16 14:37:29 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include - -#include "var.h" -#include "misc.h" -#include "debug.h" - -#if 0 -static int bindump __P((void *, size_t)); - -static int -bindump(buf0, len) - void *buf0; - size_t len; -{ - unsigned char *buf = (unsigned char *)buf0; - size_t i; - - for (i = 0; i < len; i++) { - if ((buf[i] & 0x80) || !isprint(buf[i])) - printf("\\x%x", buf[i]); - else - printf("%c", buf[i]); - } - printf("\n"); - - return 0; -} -#endif - -int -hexdump(buf0, len) - void *buf0; - size_t len; -{ - caddr_t buf = (caddr_t)buf0; - size_t i; - - for (i = 0; i < len; i++) { - if (i != 0 && i % 32 == 0) - printf("\n"); - if (i % 4 == 0) - printf(" "); - printf("%02x", (unsigned char)buf[i]); - } - printf("\n"); - - return 0; -} - -char * -bit2str(n, bl) - int n, bl; -{ -#define MAXBITLEN 128 - static char b[MAXBITLEN + 1]; - int i; - - if (bl > MAXBITLEN) - return "Failed to convert."; /* NG */ - memset(b, '0', bl); - b[bl] = '\0'; - - for (i = 0; i < bl; i++) { - if (n & (1 << i)) - b[bl - 1 - i] = '1'; - } - - return b; -} - -const char * -debug_location(file, line, func) - const char *file; - int line; - const char *func; -{ - static char buf[1024]; - const char *p; - - /* truncate pathname */ - p = strrchr(file, '/'); - if (p) - p++; - else - p = file; - - if (func) - snprintf(buf, sizeof(buf), "%s:%d:%s()", p, line, func); - else - snprintf(buf, sizeof(buf), "%s:%d", p, line); - - return buf; -} - -/* - * get file size. - * -1: error occured. - */ -int -getfsize(path) - char *path; -{ - struct stat st; - - if (stat(path, &st) != 0) - return -1; - else - return st.st_size; -} - -/* - * calculate the difference between two times. 
- * t1: start - * t2: end - */ -double -timedelta(t1, t2) - struct timeval *t1, *t2; -{ - if (t2->tv_usec >= t1->tv_usec) - return t2->tv_sec - t1->tv_sec + - (double)(t2->tv_usec - t1->tv_usec) / 1000000; - - return t2->tv_sec - t1->tv_sec - 1 + - (double)(1000000 + t2->tv_usec - t1->tv_usec) / 1000000; -} diff --git a/kame/kame/racoon/misc.h b/kame/kame/racoon/misc.h deleted file mode 100644 index d1e2914e4b..0000000000 --- a/kame/kame/racoon/misc.h +++ /dev/null 
@@ -1,46 +0,0 @@
-/* $KAME: misc.h,v 1.13 2002/06/10 19:58:29 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#define BIT2STR(b) bit2str(b, sizeof(b)<<3)
-
-#ifdef HAVE_FUNC_MACRO
-#define LOCATION debug_location(__FILE__, __LINE__, __func__)
-#else
-#define LOCATION debug_location(__FILE__, __LINE__, NULL)
-#endif
-
-extern int hexdump __P((void *, size_t));
-extern char *bit2str __P((int, int));
-extern void *get_newbuf __P((void *, size_t));
-extern const char *debug_location __P((const char *, int, const char *));
-extern int getfsize __P((char *));
-struct timeval;
-extern double timedelta __P((struct timeval *, struct timeval *));
diff --git a/kame/kame/racoon/missing/addrinfo.h b/kame/kame/racoon/missing/addrinfo.h
deleted file mode 100644
index 93a9eda6c2..0000000000
--- a/kame/kame/racoon/missing/addrinfo.h
+++ /dev/null
@@ -1,100 +0,0 @@
-/*
- * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef HAVE_GETADDRINFO
-
-/*
- * Error return codes from getaddrinfo()
- */
-#define EAI_ADDRFAMILY 1 /* address family for hostname not supported */
-#define EAI_AGAIN 2 /* temporary failure in name resolution */
-#define EAI_BADFLAGS 3 /* invalid value for ai_flags */
-#define EAI_FAIL 4 /* non-recoverable failure in name resolution */
-#define EAI_FAMILY 5 /* ai_family not supported */
-#define EAI_MEMORY 6 /* memory allocation failure */
-#define EAI_NODATA 7 /* no address associated with hostname */
-#define EAI_NONAME 8 /* hostname nor servname provided, or not known */
-#define EAI_SERVICE 9 /* servname not supported for ai_socktype */
-#define EAI_SOCKTYPE 10 /* ai_socktype not supported */
-#define EAI_SYSTEM 11 /* system error returned in errno */
-#define EAI_BADHINTS 12
-#define EAI_PROTOCOL 13
-#define EAI_MAX 14
-
-/*
- * Flag values for getaddrinfo()
- */
-#define AI_PASSIVE 0x00000001 /* get address to use bind() */
-#define AI_CANONNAME 0x00000002 /* fill ai_canonname */
-#define AI_NUMERICHOST 0x00000004 /* prevent name resolution */
-/* valid flags for addrinfo */
-#define AI_MASK (AI_PASSIVE | AI_CANONNAME | AI_NUMERICHOST)
-
-#define AI_ALL 0x00000100 /* IPv6 and IPv4-mapped (with AI_V4MAPPED) */
-#define AI_V4MAPPED_CFG 0x00000200 /* accept IPv4-mapped if kernel supports */
-#define AI_ADDRCONFIG 0x00000400 /* only if any address is assigned */
-#define AI_V4MAPPED 0x00000800 /* accept IPv4-mapped IPv6 address */
-/* special recommended flags for getipnodebyname */
-#define AI_DEFAULT (AI_V4MAPPED_CFG | AI_ADDRCONFIG)
-
-/*
- * Constants for getnameinfo()
- */
-#define NI_MAXHOST 1025
-#define NI_MAXSERV 32
-
-/*
- * Flag values for getnameinfo()
- */
-#define NI_NOFQDN 0x00000001
-#define NI_NUMERICHOST 0x00000002
-#define NI_NAMEREQD 0x00000004
-#define NI_NUMERICSERV 0x00000008
-#define NI_DGRAM 0x00000010
-
-struct addrinfo {
- int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
- int ai_family; /* PF_xxx */
- int ai_socktype; /*
SOCK_xxx */
- int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
- size_t ai_addrlen; /* length of ai_addr */
- char *ai_canonname; /* canonical name for hostname */
- struct sockaddr *ai_addr; /* binary address */
- struct addrinfo *ai_next; /* next structure in linked list */
-};
-
-struct sockaddr_storage {
- u_int8_t __ss_len;
- u_int8_t __ss_family;
- u_int8_t fill[126];
-};
-
-extern void freehostent __P((struct hostent *));
-extern char *gai_strerror __P((int));
-#endif
diff --git a/kame/kame/racoon/missing/arc4random.c b/kame/kame/racoon/missing/arc4random.c
deleted file mode 100644
index 9e2c2d7dbe..0000000000
--- a/kame/kame/racoon/missing/arc4random.c
+++ /dev/null
@@ -1,67 +0,0 @@
-/* $KAME: arc4random.c,v 1.1 2002/06/04 05:20:27 itojun Exp $ */
-
-/*
- * Copyright (C) 2000 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-/*
- * a stub function to make random() to return good random numbers.
- */ - -#include -#include -#include -#include -#include -#include -#include - -#include "arc4random.h" - -static int fd = -1; - -static void -arc4random_init() -{ - - fd = open("/dev/urandom", O_RDONLY, 0600); - if (fd < 0) { - err(1, "/dev/urandom"); - /*NOTREACHED*/ - } -} - -u_int32_t -arc4random() -{ - u_int32_t v; - - if (fd < 0) - arc4random_init(); - read(fd, &v, sizeof(v)); - return v; -} diff --git a/kame/kame/racoon/missing/crypto/rijndael/boxes-fst.dat b/kame/kame/racoon/missing/crypto/rijndael/boxes-fst.dat deleted file mode 100644 index ebb574a525..0000000000 --- a/kame/kame/racoon/missing/crypto/rijndael/boxes-fst.dat +++ /dev/null 
@@ -1,957 +0,0 @@ -/* $KAME: boxes-fst.dat,v 1.1 2001/08/08 09:56:27 sakane Exp $ */ - -const word8 S[256] = { - 99, 124, 119, 123, 242, 107, 111, 197, 48, 1, 103, 43, 254, 215, 171, 118, -202, 130, 201, 125, 250, 89, 71, 240, 173, 212, 162, 175, 156, 164, 114, 192, -183, 253, 147, 38, 54, 63, 247, 204, 52, 165, 229, 241, 113, 216, 49, 21, - 4, 199, 35, 195, 24, 150, 5, 154, 7, 18, 128, 226, 235, 39, 178, 117, - 9, 131, 44, 26, 27, 110, 90, 160, 82, 59, 214, 179, 41, 227, 47, 132, - 83, 209, 0, 237, 32, 252, 177, 91, 106, 203, 190, 57, 74, 76, 88, 207, -208, 239, 170, 251, 67, 77, 51, 133, 69, 249, 2, 127, 80, 60, 159, 168, - 81, 163, 64, 143, 146, 157, 56, 245, 188, 182, 218, 33, 16, 255, 243, 210, -205, 12, 19, 236, 95, 151, 68, 23, 196, 167, 126, 61, 100, 93, 25, 115, - 96, 129, 79, 220, 34, 42, 144, 136, 70, 238, 184, 20, 222, 94, 11, 219, -224, 50, 58, 10, 73, 6, 36, 92, 194, 211, 172, 98, 145, 149, 228, 121, -231, 200, 55, 109, 141, 213, 78, 169, 108, 86, 244, 234, 101, 122, 174, 8, -186, 120, 37, 46, 28, 166, 180, 198, 232, 221, 116, 31, 75, 189, 139, 138, -112, 62, 181, 102, 72, 3, 246, 14, 97, 53, 87, 185, 134, 193, 29, 158, -225, 248, 152, 17, 105, 217, 142, 148, 155, 30, 135, 233, 206, 85, 40, 223, -140, 161, 137, 13, 191, 230, 66, 104, 65, 153, 45, 15, 176, 84, 187, 22 -}; - -#ifdef INTERMEDIATE_VALUE_KAT -static const word8 Si[256] = { - 82, 9, 106, 213, 48, 54, 165, 56, 191, 64, 163, 158, 129, 243, 215, 251, -124, 227, 57, 130, 155, 47, 255, 135, 52, 142, 67, 68, 196, 222, 233, 203, - 84, 123, 148, 50, 166, 194, 35, 61, 238, 76, 149, 11, 66, 250, 195, 78, - 8, 46, 161, 102, 40, 217, 36, 178, 118, 91, 162, 73, 109, 139, 209, 37, -114, 248, 246, 100, 134, 104, 152, 22, 212, 164, 92, 204, 93, 101, 182, 146, -108, 112, 72, 80, 253, 237, 185, 218, 94, 21, 70, 87, 167, 141, 157, 132, -144, 216, 171, 0, 140, 188, 211, 10, 247, 228, 88, 5, 184, 179, 69, 6, -208, 44, 30, 143, 202, 63, 15, 2, 193, 175, 189, 3, 1, 19, 138, 107, - 58, 145, 17, 65, 79, 103, 220, 
234, 151, 242, 207, 206, 240, 180, 230, 115, -150, 172, 116, 34, 231, 173, 53, 133, 226, 249, 55, 232, 28, 117, 223, 110, - 71, 241, 26, 113, 29, 41, 197, 137, 111, 183, 98, 14, 170, 24, 190, 27, -252, 86, 62, 75, 198, 210, 121, 32, 154, 219, 192, 254, 120, 205, 90, 244, - 31, 221, 168, 51, 136, 7, 199, 49, 177, 18, 16, 89, 39, 128, 236, 95, - 96, 81, 127, 169, 25, 181, 74, 13, 45, 229, 122, 159, 147, 201, 156, 239, -160, 224, 59, 77, 174, 42, 245, 176, 200, 235, 187, 60, 131, 83, 153, 97, - 23, 43, 4, 126, 186, 119, 214, 38, 225, 105, 20, 99, 85, 33, 12, 125 -}; -#endif /* INTERMEDIATE_VALUE_KAT */ - -union xtab { - word32 xt32[256]; - word8 xt8[256][4]; -}; - -static const union xtab xT1 = { - .xt8 = { -{0xc6,0x63,0x63,0xa5}, {0xf8,0x7c,0x7c,0x84}, {0xee,0x77,0x77,0x99}, {0xf6,0x7b,0x7b,0x8d}, -{0xff,0xf2,0xf2,0x0d}, {0xd6,0x6b,0x6b,0xbd}, {0xde,0x6f,0x6f,0xb1}, {0x91,0xc5,0xc5,0x54}, -{0x60,0x30,0x30,0x50}, {0x02,0x01,0x01,0x03}, {0xce,0x67,0x67,0xa9}, {0x56,0x2b,0x2b,0x7d}, -{0xe7,0xfe,0xfe,0x19}, {0xb5,0xd7,0xd7,0x62}, {0x4d,0xab,0xab,0xe6}, {0xec,0x76,0x76,0x9a}, -{0x8f,0xca,0xca,0x45}, {0x1f,0x82,0x82,0x9d}, {0x89,0xc9,0xc9,0x40}, {0xfa,0x7d,0x7d,0x87}, -{0xef,0xfa,0xfa,0x15}, {0xb2,0x59,0x59,0xeb}, {0x8e,0x47,0x47,0xc9}, {0xfb,0xf0,0xf0,0x0b}, -{0x41,0xad,0xad,0xec}, {0xb3,0xd4,0xd4,0x67}, {0x5f,0xa2,0xa2,0xfd}, {0x45,0xaf,0xaf,0xea}, -{0x23,0x9c,0x9c,0xbf}, {0x53,0xa4,0xa4,0xf7}, {0xe4,0x72,0x72,0x96}, {0x9b,0xc0,0xc0,0x5b}, -{0x75,0xb7,0xb7,0xc2}, {0xe1,0xfd,0xfd,0x1c}, {0x3d,0x93,0x93,0xae}, {0x4c,0x26,0x26,0x6a}, -{0x6c,0x36,0x36,0x5a}, {0x7e,0x3f,0x3f,0x41}, {0xf5,0xf7,0xf7,0x02}, {0x83,0xcc,0xcc,0x4f}, -{0x68,0x34,0x34,0x5c}, {0x51,0xa5,0xa5,0xf4}, {0xd1,0xe5,0xe5,0x34}, {0xf9,0xf1,0xf1,0x08}, -{0xe2,0x71,0x71,0x93}, {0xab,0xd8,0xd8,0x73}, {0x62,0x31,0x31,0x53}, {0x2a,0x15,0x15,0x3f}, -{0x08,0x04,0x04,0x0c}, {0x95,0xc7,0xc7,0x52}, {0x46,0x23,0x23,0x65}, {0x9d,0xc3,0xc3,0x5e}, -{0x30,0x18,0x18,0x28}, {0x37,0x96,0x96,0xa1}, {0x0a,0x05,0x05,0x0f}, 
{0x2f,0x9a,0x9a,0xb5}, -{0x0e,0x07,0x07,0x09}, {0x24,0x12,0x12,0x36}, {0x1b,0x80,0x80,0x9b}, {0xdf,0xe2,0xe2,0x3d}, -{0xcd,0xeb,0xeb,0x26}, {0x4e,0x27,0x27,0x69}, {0x7f,0xb2,0xb2,0xcd}, {0xea,0x75,0x75,0x9f}, -{0x12,0x09,0x09,0x1b}, {0x1d,0x83,0x83,0x9e}, {0x58,0x2c,0x2c,0x74}, {0x34,0x1a,0x1a,0x2e}, -{0x36,0x1b,0x1b,0x2d}, {0xdc,0x6e,0x6e,0xb2}, {0xb4,0x5a,0x5a,0xee}, {0x5b,0xa0,0xa0,0xfb}, -{0xa4,0x52,0x52,0xf6}, {0x76,0x3b,0x3b,0x4d}, {0xb7,0xd6,0xd6,0x61}, {0x7d,0xb3,0xb3,0xce}, -{0x52,0x29,0x29,0x7b}, {0xdd,0xe3,0xe3,0x3e}, {0x5e,0x2f,0x2f,0x71}, {0x13,0x84,0x84,0x97}, -{0xa6,0x53,0x53,0xf5}, {0xb9,0xd1,0xd1,0x68}, {0x00,0x00,0x00,0x00}, {0xc1,0xed,0xed,0x2c}, -{0x40,0x20,0x20,0x60}, {0xe3,0xfc,0xfc,0x1f}, {0x79,0xb1,0xb1,0xc8}, {0xb6,0x5b,0x5b,0xed}, -{0xd4,0x6a,0x6a,0xbe}, {0x8d,0xcb,0xcb,0x46}, {0x67,0xbe,0xbe,0xd9}, {0x72,0x39,0x39,0x4b}, -{0x94,0x4a,0x4a,0xde}, {0x98,0x4c,0x4c,0xd4}, {0xb0,0x58,0x58,0xe8}, {0x85,0xcf,0xcf,0x4a}, -{0xbb,0xd0,0xd0,0x6b}, {0xc5,0xef,0xef,0x2a}, {0x4f,0xaa,0xaa,0xe5}, {0xed,0xfb,0xfb,0x16}, -{0x86,0x43,0x43,0xc5}, {0x9a,0x4d,0x4d,0xd7}, {0x66,0x33,0x33,0x55}, {0x11,0x85,0x85,0x94}, -{0x8a,0x45,0x45,0xcf}, {0xe9,0xf9,0xf9,0x10}, {0x04,0x02,0x02,0x06}, {0xfe,0x7f,0x7f,0x81}, -{0xa0,0x50,0x50,0xf0}, {0x78,0x3c,0x3c,0x44}, {0x25,0x9f,0x9f,0xba}, {0x4b,0xa8,0xa8,0xe3}, -{0xa2,0x51,0x51,0xf3}, {0x5d,0xa3,0xa3,0xfe}, {0x80,0x40,0x40,0xc0}, {0x05,0x8f,0x8f,0x8a}, -{0x3f,0x92,0x92,0xad}, {0x21,0x9d,0x9d,0xbc}, {0x70,0x38,0x38,0x48}, {0xf1,0xf5,0xf5,0x04}, -{0x63,0xbc,0xbc,0xdf}, {0x77,0xb6,0xb6,0xc1}, {0xaf,0xda,0xda,0x75}, {0x42,0x21,0x21,0x63}, -{0x20,0x10,0x10,0x30}, {0xe5,0xff,0xff,0x1a}, {0xfd,0xf3,0xf3,0x0e}, {0xbf,0xd2,0xd2,0x6d}, -{0x81,0xcd,0xcd,0x4c}, {0x18,0x0c,0x0c,0x14}, {0x26,0x13,0x13,0x35}, {0xc3,0xec,0xec,0x2f}, -{0xbe,0x5f,0x5f,0xe1}, {0x35,0x97,0x97,0xa2}, {0x88,0x44,0x44,0xcc}, {0x2e,0x17,0x17,0x39}, -{0x93,0xc4,0xc4,0x57}, {0x55,0xa7,0xa7,0xf2}, {0xfc,0x7e,0x7e,0x82}, {0x7a,0x3d,0x3d,0x47}, -{0xc8,0x64,0x64,0xac}, 
{0xba,0x5d,0x5d,0xe7}, {0x32,0x19,0x19,0x2b}, {0xe6,0x73,0x73,0x95}, -{0xc0,0x60,0x60,0xa0}, {0x19,0x81,0x81,0x98}, {0x9e,0x4f,0x4f,0xd1}, {0xa3,0xdc,0xdc,0x7f}, -{0x44,0x22,0x22,0x66}, {0x54,0x2a,0x2a,0x7e}, {0x3b,0x90,0x90,0xab}, {0x0b,0x88,0x88,0x83}, -{0x8c,0x46,0x46,0xca}, {0xc7,0xee,0xee,0x29}, {0x6b,0xb8,0xb8,0xd3}, {0x28,0x14,0x14,0x3c}, -{0xa7,0xde,0xde,0x79}, {0xbc,0x5e,0x5e,0xe2}, {0x16,0x0b,0x0b,0x1d}, {0xad,0xdb,0xdb,0x76}, -{0xdb,0xe0,0xe0,0x3b}, {0x64,0x32,0x32,0x56}, {0x74,0x3a,0x3a,0x4e}, {0x14,0x0a,0x0a,0x1e}, -{0x92,0x49,0x49,0xdb}, {0x0c,0x06,0x06,0x0a}, {0x48,0x24,0x24,0x6c}, {0xb8,0x5c,0x5c,0xe4}, -{0x9f,0xc2,0xc2,0x5d}, {0xbd,0xd3,0xd3,0x6e}, {0x43,0xac,0xac,0xef}, {0xc4,0x62,0x62,0xa6}, -{0x39,0x91,0x91,0xa8}, {0x31,0x95,0x95,0xa4}, {0xd3,0xe4,0xe4,0x37}, {0xf2,0x79,0x79,0x8b}, -{0xd5,0xe7,0xe7,0x32}, {0x8b,0xc8,0xc8,0x43}, {0x6e,0x37,0x37,0x59}, {0xda,0x6d,0x6d,0xb7}, -{0x01,0x8d,0x8d,0x8c}, {0xb1,0xd5,0xd5,0x64}, {0x9c,0x4e,0x4e,0xd2}, {0x49,0xa9,0xa9,0xe0}, -{0xd8,0x6c,0x6c,0xb4}, {0xac,0x56,0x56,0xfa}, {0xf3,0xf4,0xf4,0x07}, {0xcf,0xea,0xea,0x25}, -{0xca,0x65,0x65,0xaf}, {0xf4,0x7a,0x7a,0x8e}, {0x47,0xae,0xae,0xe9}, {0x10,0x08,0x08,0x18}, -{0x6f,0xba,0xba,0xd5}, {0xf0,0x78,0x78,0x88}, {0x4a,0x25,0x25,0x6f}, {0x5c,0x2e,0x2e,0x72}, -{0x38,0x1c,0x1c,0x24}, {0x57,0xa6,0xa6,0xf1}, {0x73,0xb4,0xb4,0xc7}, {0x97,0xc6,0xc6,0x51}, -{0xcb,0xe8,0xe8,0x23}, {0xa1,0xdd,0xdd,0x7c}, {0xe8,0x74,0x74,0x9c}, {0x3e,0x1f,0x1f,0x21}, -{0x96,0x4b,0x4b,0xdd}, {0x61,0xbd,0xbd,0xdc}, {0x0d,0x8b,0x8b,0x86}, {0x0f,0x8a,0x8a,0x85}, -{0xe0,0x70,0x70,0x90}, {0x7c,0x3e,0x3e,0x42}, {0x71,0xb5,0xb5,0xc4}, {0xcc,0x66,0x66,0xaa}, -{0x90,0x48,0x48,0xd8}, {0x06,0x03,0x03,0x05}, {0xf7,0xf6,0xf6,0x01}, {0x1c,0x0e,0x0e,0x12}, -{0xc2,0x61,0x61,0xa3}, {0x6a,0x35,0x35,0x5f}, {0xae,0x57,0x57,0xf9}, {0x69,0xb9,0xb9,0xd0}, -{0x17,0x86,0x86,0x91}, {0x99,0xc1,0xc1,0x58}, {0x3a,0x1d,0x1d,0x27}, {0x27,0x9e,0x9e,0xb9}, -{0xd9,0xe1,0xe1,0x38}, {0xeb,0xf8,0xf8,0x13}, {0x2b,0x98,0x98,0xb3}, 
{0x22,0x11,0x11,0x33}, -{0xd2,0x69,0x69,0xbb}, {0xa9,0xd9,0xd9,0x70}, {0x07,0x8e,0x8e,0x89}, {0x33,0x94,0x94,0xa7}, -{0x2d,0x9b,0x9b,0xb6}, {0x3c,0x1e,0x1e,0x22}, {0x15,0x87,0x87,0x92}, {0xc9,0xe9,0xe9,0x20}, -{0x87,0xce,0xce,0x49}, {0xaa,0x55,0x55,0xff}, {0x50,0x28,0x28,0x78}, {0xa5,0xdf,0xdf,0x7a}, -{0x03,0x8c,0x8c,0x8f}, {0x59,0xa1,0xa1,0xf8}, {0x09,0x89,0x89,0x80}, {0x1a,0x0d,0x0d,0x17}, -{0x65,0xbf,0xbf,0xda}, {0xd7,0xe6,0xe6,0x31}, {0x84,0x42,0x42,0xc6}, {0xd0,0x68,0x68,0xb8}, -{0x82,0x41,0x41,0xc3}, {0x29,0x99,0x99,0xb0}, {0x5a,0x2d,0x2d,0x77}, {0x1e,0x0f,0x0f,0x11}, -{0x7b,0xb0,0xb0,0xcb}, {0xa8,0x54,0x54,0xfc}, {0x6d,0xbb,0xbb,0xd6}, {0x2c,0x16,0x16,0x3a} - } -}; -#define T1 xT1.xt8 - -static const union xtab xT2 = { - .xt8 = { -{0xa5,0xc6,0x63,0x63}, {0x84,0xf8,0x7c,0x7c}, {0x99,0xee,0x77,0x77}, {0x8d,0xf6,0x7b,0x7b}, -{0x0d,0xff,0xf2,0xf2}, {0xbd,0xd6,0x6b,0x6b}, {0xb1,0xde,0x6f,0x6f}, {0x54,0x91,0xc5,0xc5}, -{0x50,0x60,0x30,0x30}, {0x03,0x02,0x01,0x01}, {0xa9,0xce,0x67,0x67}, {0x7d,0x56,0x2b,0x2b}, -{0x19,0xe7,0xfe,0xfe}, {0x62,0xb5,0xd7,0xd7}, {0xe6,0x4d,0xab,0xab}, {0x9a,0xec,0x76,0x76}, -{0x45,0x8f,0xca,0xca}, {0x9d,0x1f,0x82,0x82}, {0x40,0x89,0xc9,0xc9}, {0x87,0xfa,0x7d,0x7d}, -{0x15,0xef,0xfa,0xfa}, {0xeb,0xb2,0x59,0x59}, {0xc9,0x8e,0x47,0x47}, {0x0b,0xfb,0xf0,0xf0}, -{0xec,0x41,0xad,0xad}, {0x67,0xb3,0xd4,0xd4}, {0xfd,0x5f,0xa2,0xa2}, {0xea,0x45,0xaf,0xaf}, -{0xbf,0x23,0x9c,0x9c}, {0xf7,0x53,0xa4,0xa4}, {0x96,0xe4,0x72,0x72}, {0x5b,0x9b,0xc0,0xc0}, -{0xc2,0x75,0xb7,0xb7}, {0x1c,0xe1,0xfd,0xfd}, {0xae,0x3d,0x93,0x93}, {0x6a,0x4c,0x26,0x26}, -{0x5a,0x6c,0x36,0x36}, {0x41,0x7e,0x3f,0x3f}, {0x02,0xf5,0xf7,0xf7}, {0x4f,0x83,0xcc,0xcc}, -{0x5c,0x68,0x34,0x34}, {0xf4,0x51,0xa5,0xa5}, {0x34,0xd1,0xe5,0xe5}, {0x08,0xf9,0xf1,0xf1}, -{0x93,0xe2,0x71,0x71}, {0x73,0xab,0xd8,0xd8}, {0x53,0x62,0x31,0x31}, {0x3f,0x2a,0x15,0x15}, -{0x0c,0x08,0x04,0x04}, {0x52,0x95,0xc7,0xc7}, {0x65,0x46,0x23,0x23}, {0x5e,0x9d,0xc3,0xc3}, -{0x28,0x30,0x18,0x18}, 
{0xa1,0x37,0x96,0x96}, {0x0f,0x0a,0x05,0x05}, {0xb5,0x2f,0x9a,0x9a}, -{0x09,0x0e,0x07,0x07}, {0x36,0x24,0x12,0x12}, {0x9b,0x1b,0x80,0x80}, {0x3d,0xdf,0xe2,0xe2}, -{0x26,0xcd,0xeb,0xeb}, {0x69,0x4e,0x27,0x27}, {0xcd,0x7f,0xb2,0xb2}, {0x9f,0xea,0x75,0x75}, -{0x1b,0x12,0x09,0x09}, {0x9e,0x1d,0x83,0x83}, {0x74,0x58,0x2c,0x2c}, {0x2e,0x34,0x1a,0x1a}, -{0x2d,0x36,0x1b,0x1b}, {0xb2,0xdc,0x6e,0x6e}, {0xee,0xb4,0x5a,0x5a}, {0xfb,0x5b,0xa0,0xa0}, -{0xf6,0xa4,0x52,0x52}, {0x4d,0x76,0x3b,0x3b}, {0x61,0xb7,0xd6,0xd6}, {0xce,0x7d,0xb3,0xb3}, -{0x7b,0x52,0x29,0x29}, {0x3e,0xdd,0xe3,0xe3}, {0x71,0x5e,0x2f,0x2f}, {0x97,0x13,0x84,0x84}, -{0xf5,0xa6,0x53,0x53}, {0x68,0xb9,0xd1,0xd1}, {0x00,0x00,0x00,0x00}, {0x2c,0xc1,0xed,0xed}, -{0x60,0x40,0x20,0x20}, {0x1f,0xe3,0xfc,0xfc}, {0xc8,0x79,0xb1,0xb1}, {0xed,0xb6,0x5b,0x5b}, -{0xbe,0xd4,0x6a,0x6a}, {0x46,0x8d,0xcb,0xcb}, {0xd9,0x67,0xbe,0xbe}, {0x4b,0x72,0x39,0x39}, -{0xde,0x94,0x4a,0x4a}, {0xd4,0x98,0x4c,0x4c}, {0xe8,0xb0,0x58,0x58}, {0x4a,0x85,0xcf,0xcf}, -{0x6b,0xbb,0xd0,0xd0}, {0x2a,0xc5,0xef,0xef}, {0xe5,0x4f,0xaa,0xaa}, {0x16,0xed,0xfb,0xfb}, -{0xc5,0x86,0x43,0x43}, {0xd7,0x9a,0x4d,0x4d}, {0x55,0x66,0x33,0x33}, {0x94,0x11,0x85,0x85}, -{0xcf,0x8a,0x45,0x45}, {0x10,0xe9,0xf9,0xf9}, {0x06,0x04,0x02,0x02}, {0x81,0xfe,0x7f,0x7f}, -{0xf0,0xa0,0x50,0x50}, {0x44,0x78,0x3c,0x3c}, {0xba,0x25,0x9f,0x9f}, {0xe3,0x4b,0xa8,0xa8}, -{0xf3,0xa2,0x51,0x51}, {0xfe,0x5d,0xa3,0xa3}, {0xc0,0x80,0x40,0x40}, {0x8a,0x05,0x8f,0x8f}, -{0xad,0x3f,0x92,0x92}, {0xbc,0x21,0x9d,0x9d}, {0x48,0x70,0x38,0x38}, {0x04,0xf1,0xf5,0xf5}, -{0xdf,0x63,0xbc,0xbc}, {0xc1,0x77,0xb6,0xb6}, {0x75,0xaf,0xda,0xda}, {0x63,0x42,0x21,0x21}, -{0x30,0x20,0x10,0x10}, {0x1a,0xe5,0xff,0xff}, {0x0e,0xfd,0xf3,0xf3}, {0x6d,0xbf,0xd2,0xd2}, -{0x4c,0x81,0xcd,0xcd}, {0x14,0x18,0x0c,0x0c}, {0x35,0x26,0x13,0x13}, {0x2f,0xc3,0xec,0xec}, -{0xe1,0xbe,0x5f,0x5f}, {0xa2,0x35,0x97,0x97}, {0xcc,0x88,0x44,0x44}, {0x39,0x2e,0x17,0x17}, -{0x57,0x93,0xc4,0xc4}, {0xf2,0x55,0xa7,0xa7}, {0x82,0xfc,0x7e,0x7e}, 
{0x47,0x7a,0x3d,0x3d}, -{0xac,0xc8,0x64,0x64}, {0xe7,0xba,0x5d,0x5d}, {0x2b,0x32,0x19,0x19}, {0x95,0xe6,0x73,0x73}, -{0xa0,0xc0,0x60,0x60}, {0x98,0x19,0x81,0x81}, {0xd1,0x9e,0x4f,0x4f}, {0x7f,0xa3,0xdc,0xdc}, -{0x66,0x44,0x22,0x22}, {0x7e,0x54,0x2a,0x2a}, {0xab,0x3b,0x90,0x90}, {0x83,0x0b,0x88,0x88}, -{0xca,0x8c,0x46,0x46}, {0x29,0xc7,0xee,0xee}, {0xd3,0x6b,0xb8,0xb8}, {0x3c,0x28,0x14,0x14}, -{0x79,0xa7,0xde,0xde}, {0xe2,0xbc,0x5e,0x5e}, {0x1d,0x16,0x0b,0x0b}, {0x76,0xad,0xdb,0xdb}, -{0x3b,0xdb,0xe0,0xe0}, {0x56,0x64,0x32,0x32}, {0x4e,0x74,0x3a,0x3a}, {0x1e,0x14,0x0a,0x0a}, -{0xdb,0x92,0x49,0x49}, {0x0a,0x0c,0x06,0x06}, {0x6c,0x48,0x24,0x24}, {0xe4,0xb8,0x5c,0x5c}, -{0x5d,0x9f,0xc2,0xc2}, {0x6e,0xbd,0xd3,0xd3}, {0xef,0x43,0xac,0xac}, {0xa6,0xc4,0x62,0x62}, -{0xa8,0x39,0x91,0x91}, {0xa4,0x31,0x95,0x95}, {0x37,0xd3,0xe4,0xe4}, {0x8b,0xf2,0x79,0x79}, -{0x32,0xd5,0xe7,0xe7}, {0x43,0x8b,0xc8,0xc8}, {0x59,0x6e,0x37,0x37}, {0xb7,0xda,0x6d,0x6d}, -{0x8c,0x01,0x8d,0x8d}, {0x64,0xb1,0xd5,0xd5}, {0xd2,0x9c,0x4e,0x4e}, {0xe0,0x49,0xa9,0xa9}, -{0xb4,0xd8,0x6c,0x6c}, {0xfa,0xac,0x56,0x56}, {0x07,0xf3,0xf4,0xf4}, {0x25,0xcf,0xea,0xea}, -{0xaf,0xca,0x65,0x65}, {0x8e,0xf4,0x7a,0x7a}, {0xe9,0x47,0xae,0xae}, {0x18,0x10,0x08,0x08}, -{0xd5,0x6f,0xba,0xba}, {0x88,0xf0,0x78,0x78}, {0x6f,0x4a,0x25,0x25}, {0x72,0x5c,0x2e,0x2e}, -{0x24,0x38,0x1c,0x1c}, {0xf1,0x57,0xa6,0xa6}, {0xc7,0x73,0xb4,0xb4}, {0x51,0x97,0xc6,0xc6}, -{0x23,0xcb,0xe8,0xe8}, {0x7c,0xa1,0xdd,0xdd}, {0x9c,0xe8,0x74,0x74}, {0x21,0x3e,0x1f,0x1f}, -{0xdd,0x96,0x4b,0x4b}, {0xdc,0x61,0xbd,0xbd}, {0x86,0x0d,0x8b,0x8b}, {0x85,0x0f,0x8a,0x8a}, -{0x90,0xe0,0x70,0x70}, {0x42,0x7c,0x3e,0x3e}, {0xc4,0x71,0xb5,0xb5}, {0xaa,0xcc,0x66,0x66}, -{0xd8,0x90,0x48,0x48}, {0x05,0x06,0x03,0x03}, {0x01,0xf7,0xf6,0xf6}, {0x12,0x1c,0x0e,0x0e}, -{0xa3,0xc2,0x61,0x61}, {0x5f,0x6a,0x35,0x35}, {0xf9,0xae,0x57,0x57}, {0xd0,0x69,0xb9,0xb9}, -{0x91,0x17,0x86,0x86}, {0x58,0x99,0xc1,0xc1}, {0x27,0x3a,0x1d,0x1d}, {0xb9,0x27,0x9e,0x9e}, -{0x38,0xd9,0xe1,0xe1}, 
{0x13,0xeb,0xf8,0xf8}, {0xb3,0x2b,0x98,0x98}, {0x33,0x22,0x11,0x11}, -{0xbb,0xd2,0x69,0x69}, {0x70,0xa9,0xd9,0xd9}, {0x89,0x07,0x8e,0x8e}, {0xa7,0x33,0x94,0x94}, -{0xb6,0x2d,0x9b,0x9b}, {0x22,0x3c,0x1e,0x1e}, {0x92,0x15,0x87,0x87}, {0x20,0xc9,0xe9,0xe9}, -{0x49,0x87,0xce,0xce}, {0xff,0xaa,0x55,0x55}, {0x78,0x50,0x28,0x28}, {0x7a,0xa5,0xdf,0xdf}, -{0x8f,0x03,0x8c,0x8c}, {0xf8,0x59,0xa1,0xa1}, {0x80,0x09,0x89,0x89}, {0x17,0x1a,0x0d,0x0d}, -{0xda,0x65,0xbf,0xbf}, {0x31,0xd7,0xe6,0xe6}, {0xc6,0x84,0x42,0x42}, {0xb8,0xd0,0x68,0x68}, -{0xc3,0x82,0x41,0x41}, {0xb0,0x29,0x99,0x99}, {0x77,0x5a,0x2d,0x2d}, {0x11,0x1e,0x0f,0x0f}, -{0xcb,0x7b,0xb0,0xb0}, {0xfc,0xa8,0x54,0x54}, {0xd6,0x6d,0xbb,0xbb}, {0x3a,0x2c,0x16,0x16} - } -}; -#define T2 xT2.xt8 - -static const union xtab xT3 = { - .xt8 = { -{0x63,0xa5,0xc6,0x63}, {0x7c,0x84,0xf8,0x7c}, {0x77,0x99,0xee,0x77}, {0x7b,0x8d,0xf6,0x7b}, -{0xf2,0x0d,0xff,0xf2}, {0x6b,0xbd,0xd6,0x6b}, {0x6f,0xb1,0xde,0x6f}, {0xc5,0x54,0x91,0xc5}, -{0x30,0x50,0x60,0x30}, {0x01,0x03,0x02,0x01}, {0x67,0xa9,0xce,0x67}, {0x2b,0x7d,0x56,0x2b}, -{0xfe,0x19,0xe7,0xfe}, {0xd7,0x62,0xb5,0xd7}, {0xab,0xe6,0x4d,0xab}, {0x76,0x9a,0xec,0x76}, -{0xca,0x45,0x8f,0xca}, {0x82,0x9d,0x1f,0x82}, {0xc9,0x40,0x89,0xc9}, {0x7d,0x87,0xfa,0x7d}, -{0xfa,0x15,0xef,0xfa}, {0x59,0xeb,0xb2,0x59}, {0x47,0xc9,0x8e,0x47}, {0xf0,0x0b,0xfb,0xf0}, -{0xad,0xec,0x41,0xad}, {0xd4,0x67,0xb3,0xd4}, {0xa2,0xfd,0x5f,0xa2}, {0xaf,0xea,0x45,0xaf}, -{0x9c,0xbf,0x23,0x9c}, {0xa4,0xf7,0x53,0xa4}, {0x72,0x96,0xe4,0x72}, {0xc0,0x5b,0x9b,0xc0}, -{0xb7,0xc2,0x75,0xb7}, {0xfd,0x1c,0xe1,0xfd}, {0x93,0xae,0x3d,0x93}, {0x26,0x6a,0x4c,0x26}, -{0x36,0x5a,0x6c,0x36}, {0x3f,0x41,0x7e,0x3f}, {0xf7,0x02,0xf5,0xf7}, {0xcc,0x4f,0x83,0xcc}, -{0x34,0x5c,0x68,0x34}, {0xa5,0xf4,0x51,0xa5}, {0xe5,0x34,0xd1,0xe5}, {0xf1,0x08,0xf9,0xf1}, -{0x71,0x93,0xe2,0x71}, {0xd8,0x73,0xab,0xd8}, {0x31,0x53,0x62,0x31}, {0x15,0x3f,0x2a,0x15}, -{0x04,0x0c,0x08,0x04}, {0xc7,0x52,0x95,0xc7}, {0x23,0x65,0x46,0x23}, 
{0xc3,0x5e,0x9d,0xc3}, -{0x18,0x28,0x30,0x18}, {0x96,0xa1,0x37,0x96}, {0x05,0x0f,0x0a,0x05}, {0x9a,0xb5,0x2f,0x9a}, -{0x07,0x09,0x0e,0x07}, {0x12,0x36,0x24,0x12}, {0x80,0x9b,0x1b,0x80}, {0xe2,0x3d,0xdf,0xe2}, -{0xeb,0x26,0xcd,0xeb}, {0x27,0x69,0x4e,0x27}, {0xb2,0xcd,0x7f,0xb2}, {0x75,0x9f,0xea,0x75}, -{0x09,0x1b,0x12,0x09}, {0x83,0x9e,0x1d,0x83}, {0x2c,0x74,0x58,0x2c}, {0x1a,0x2e,0x34,0x1a}, -{0x1b,0x2d,0x36,0x1b}, {0x6e,0xb2,0xdc,0x6e}, {0x5a,0xee,0xb4,0x5a}, {0xa0,0xfb,0x5b,0xa0}, -{0x52,0xf6,0xa4,0x52}, {0x3b,0x4d,0x76,0x3b}, {0xd6,0x61,0xb7,0xd6}, {0xb3,0xce,0x7d,0xb3}, -{0x29,0x7b,0x52,0x29}, {0xe3,0x3e,0xdd,0xe3}, {0x2f,0x71,0x5e,0x2f}, {0x84,0x97,0x13,0x84}, -{0x53,0xf5,0xa6,0x53}, {0xd1,0x68,0xb9,0xd1}, {0x00,0x00,0x00,0x00}, {0xed,0x2c,0xc1,0xed}, -{0x20,0x60,0x40,0x20}, {0xfc,0x1f,0xe3,0xfc}, {0xb1,0xc8,0x79,0xb1}, {0x5b,0xed,0xb6,0x5b}, -{0x6a,0xbe,0xd4,0x6a}, {0xcb,0x46,0x8d,0xcb}, {0xbe,0xd9,0x67,0xbe}, {0x39,0x4b,0x72,0x39}, -{0x4a,0xde,0x94,0x4a}, {0x4c,0xd4,0x98,0x4c}, {0x58,0xe8,0xb0,0x58}, {0xcf,0x4a,0x85,0xcf}, -{0xd0,0x6b,0xbb,0xd0}, {0xef,0x2a,0xc5,0xef}, {0xaa,0xe5,0x4f,0xaa}, {0xfb,0x16,0xed,0xfb}, -{0x43,0xc5,0x86,0x43}, {0x4d,0xd7,0x9a,0x4d}, {0x33,0x55,0x66,0x33}, {0x85,0x94,0x11,0x85}, -{0x45,0xcf,0x8a,0x45}, {0xf9,0x10,0xe9,0xf9}, {0x02,0x06,0x04,0x02}, {0x7f,0x81,0xfe,0x7f}, -{0x50,0xf0,0xa0,0x50}, {0x3c,0x44,0x78,0x3c}, {0x9f,0xba,0x25,0x9f}, {0xa8,0xe3,0x4b,0xa8}, -{0x51,0xf3,0xa2,0x51}, {0xa3,0xfe,0x5d,0xa3}, {0x40,0xc0,0x80,0x40}, {0x8f,0x8a,0x05,0x8f}, -{0x92,0xad,0x3f,0x92}, {0x9d,0xbc,0x21,0x9d}, {0x38,0x48,0x70,0x38}, {0xf5,0x04,0xf1,0xf5}, -{0xbc,0xdf,0x63,0xbc}, {0xb6,0xc1,0x77,0xb6}, {0xda,0x75,0xaf,0xda}, {0x21,0x63,0x42,0x21}, -{0x10,0x30,0x20,0x10}, {0xff,0x1a,0xe5,0xff}, {0xf3,0x0e,0xfd,0xf3}, {0xd2,0x6d,0xbf,0xd2}, -{0xcd,0x4c,0x81,0xcd}, {0x0c,0x14,0x18,0x0c}, {0x13,0x35,0x26,0x13}, {0xec,0x2f,0xc3,0xec}, -{0x5f,0xe1,0xbe,0x5f}, {0x97,0xa2,0x35,0x97}, {0x44,0xcc,0x88,0x44}, {0x17,0x39,0x2e,0x17}, -{0xc4,0x57,0x93,0xc4}, 
{0xa7,0xf2,0x55,0xa7}, {0x7e,0x82,0xfc,0x7e}, {0x3d,0x47,0x7a,0x3d}, -{0x64,0xac,0xc8,0x64}, {0x5d,0xe7,0xba,0x5d}, {0x19,0x2b,0x32,0x19}, {0x73,0x95,0xe6,0x73}, -{0x60,0xa0,0xc0,0x60}, {0x81,0x98,0x19,0x81}, {0x4f,0xd1,0x9e,0x4f}, {0xdc,0x7f,0xa3,0xdc}, -{0x22,0x66,0x44,0x22}, {0x2a,0x7e,0x54,0x2a}, {0x90,0xab,0x3b,0x90}, {0x88,0x83,0x0b,0x88}, -{0x46,0xca,0x8c,0x46}, {0xee,0x29,0xc7,0xee}, {0xb8,0xd3,0x6b,0xb8}, {0x14,0x3c,0x28,0x14}, -{0xde,0x79,0xa7,0xde}, {0x5e,0xe2,0xbc,0x5e}, {0x0b,0x1d,0x16,0x0b}, {0xdb,0x76,0xad,0xdb}, -{0xe0,0x3b,0xdb,0xe0}, {0x32,0x56,0x64,0x32}, {0x3a,0x4e,0x74,0x3a}, {0x0a,0x1e,0x14,0x0a}, -{0x49,0xdb,0x92,0x49}, {0x06,0x0a,0x0c,0x06}, {0x24,0x6c,0x48,0x24}, {0x5c,0xe4,0xb8,0x5c}, -{0xc2,0x5d,0x9f,0xc2}, {0xd3,0x6e,0xbd,0xd3}, {0xac,0xef,0x43,0xac}, {0x62,0xa6,0xc4,0x62}, -{0x91,0xa8,0x39,0x91}, {0x95,0xa4,0x31,0x95}, {0xe4,0x37,0xd3,0xe4}, {0x79,0x8b,0xf2,0x79}, -{0xe7,0x32,0xd5,0xe7}, {0xc8,0x43,0x8b,0xc8}, {0x37,0x59,0x6e,0x37}, {0x6d,0xb7,0xda,0x6d}, -{0x8d,0x8c,0x01,0x8d}, {0xd5,0x64,0xb1,0xd5}, {0x4e,0xd2,0x9c,0x4e}, {0xa9,0xe0,0x49,0xa9}, -{0x6c,0xb4,0xd8,0x6c}, {0x56,0xfa,0xac,0x56}, {0xf4,0x07,0xf3,0xf4}, {0xea,0x25,0xcf,0xea}, -{0x65,0xaf,0xca,0x65}, {0x7a,0x8e,0xf4,0x7a}, {0xae,0xe9,0x47,0xae}, {0x08,0x18,0x10,0x08}, -{0xba,0xd5,0x6f,0xba}, {0x78,0x88,0xf0,0x78}, {0x25,0x6f,0x4a,0x25}, {0x2e,0x72,0x5c,0x2e}, -{0x1c,0x24,0x38,0x1c}, {0xa6,0xf1,0x57,0xa6}, {0xb4,0xc7,0x73,0xb4}, {0xc6,0x51,0x97,0xc6}, -{0xe8,0x23,0xcb,0xe8}, {0xdd,0x7c,0xa1,0xdd}, {0x74,0x9c,0xe8,0x74}, {0x1f,0x21,0x3e,0x1f}, -{0x4b,0xdd,0x96,0x4b}, {0xbd,0xdc,0x61,0xbd}, {0x8b,0x86,0x0d,0x8b}, {0x8a,0x85,0x0f,0x8a}, -{0x70,0x90,0xe0,0x70}, {0x3e,0x42,0x7c,0x3e}, {0xb5,0xc4,0x71,0xb5}, {0x66,0xaa,0xcc,0x66}, -{0x48,0xd8,0x90,0x48}, {0x03,0x05,0x06,0x03}, {0xf6,0x01,0xf7,0xf6}, {0x0e,0x12,0x1c,0x0e}, -{0x61,0xa3,0xc2,0x61}, {0x35,0x5f,0x6a,0x35}, {0x57,0xf9,0xae,0x57}, {0xb9,0xd0,0x69,0xb9}, -{0x86,0x91,0x17,0x86}, {0xc1,0x58,0x99,0xc1}, {0x1d,0x27,0x3a,0x1d}, 
{0x9e,0xb9,0x27,0x9e}, -{0xe1,0x38,0xd9,0xe1}, {0xf8,0x13,0xeb,0xf8}, {0x98,0xb3,0x2b,0x98}, {0x11,0x33,0x22,0x11}, -{0x69,0xbb,0xd2,0x69}, {0xd9,0x70,0xa9,0xd9}, {0x8e,0x89,0x07,0x8e}, {0x94,0xa7,0x33,0x94}, -{0x9b,0xb6,0x2d,0x9b}, {0x1e,0x22,0x3c,0x1e}, {0x87,0x92,0x15,0x87}, {0xe9,0x20,0xc9,0xe9}, -{0xce,0x49,0x87,0xce}, {0x55,0xff,0xaa,0x55}, {0x28,0x78,0x50,0x28}, {0xdf,0x7a,0xa5,0xdf}, -{0x8c,0x8f,0x03,0x8c}, {0xa1,0xf8,0x59,0xa1}, {0x89,0x80,0x09,0x89}, {0x0d,0x17,0x1a,0x0d}, -{0xbf,0xda,0x65,0xbf}, {0xe6,0x31,0xd7,0xe6}, {0x42,0xc6,0x84,0x42}, {0x68,0xb8,0xd0,0x68}, -{0x41,0xc3,0x82,0x41}, {0x99,0xb0,0x29,0x99}, {0x2d,0x77,0x5a,0x2d}, {0x0f,0x11,0x1e,0x0f}, -{0xb0,0xcb,0x7b,0xb0}, {0x54,0xfc,0xa8,0x54}, {0xbb,0xd6,0x6d,0xbb}, {0x16,0x3a,0x2c,0x16} - } -}; -#define T3 xT3.xt8 - -static const union xtab xT4 = { - .xt8 = { -{0x63,0x63,0xa5,0xc6}, {0x7c,0x7c,0x84,0xf8}, {0x77,0x77,0x99,0xee}, {0x7b,0x7b,0x8d,0xf6}, -{0xf2,0xf2,0x0d,0xff}, {0x6b,0x6b,0xbd,0xd6}, {0x6f,0x6f,0xb1,0xde}, {0xc5,0xc5,0x54,0x91}, -{0x30,0x30,0x50,0x60}, {0x01,0x01,0x03,0x02}, {0x67,0x67,0xa9,0xce}, {0x2b,0x2b,0x7d,0x56}, -{0xfe,0xfe,0x19,0xe7}, {0xd7,0xd7,0x62,0xb5}, {0xab,0xab,0xe6,0x4d}, {0x76,0x76,0x9a,0xec}, -{0xca,0xca,0x45,0x8f}, {0x82,0x82,0x9d,0x1f}, {0xc9,0xc9,0x40,0x89}, {0x7d,0x7d,0x87,0xfa}, -{0xfa,0xfa,0x15,0xef}, {0x59,0x59,0xeb,0xb2}, {0x47,0x47,0xc9,0x8e}, {0xf0,0xf0,0x0b,0xfb}, -{0xad,0xad,0xec,0x41}, {0xd4,0xd4,0x67,0xb3}, {0xa2,0xa2,0xfd,0x5f}, {0xaf,0xaf,0xea,0x45}, -{0x9c,0x9c,0xbf,0x23}, {0xa4,0xa4,0xf7,0x53}, {0x72,0x72,0x96,0xe4}, {0xc0,0xc0,0x5b,0x9b}, -{0xb7,0xb7,0xc2,0x75}, {0xfd,0xfd,0x1c,0xe1}, {0x93,0x93,0xae,0x3d}, {0x26,0x26,0x6a,0x4c}, -{0x36,0x36,0x5a,0x6c}, {0x3f,0x3f,0x41,0x7e}, {0xf7,0xf7,0x02,0xf5}, {0xcc,0xcc,0x4f,0x83}, -{0x34,0x34,0x5c,0x68}, {0xa5,0xa5,0xf4,0x51}, {0xe5,0xe5,0x34,0xd1}, {0xf1,0xf1,0x08,0xf9}, -{0x71,0x71,0x93,0xe2}, {0xd8,0xd8,0x73,0xab}, {0x31,0x31,0x53,0x62}, {0x15,0x15,0x3f,0x2a}, -{0x04,0x04,0x0c,0x08}, 
{0xc7,0xc7,0x52,0x95}, {0x23,0x23,0x65,0x46}, {0xc3,0xc3,0x5e,0x9d}, -{0x18,0x18,0x28,0x30}, {0x96,0x96,0xa1,0x37}, {0x05,0x05,0x0f,0x0a}, {0x9a,0x9a,0xb5,0x2f}, -{0x07,0x07,0x09,0x0e}, {0x12,0x12,0x36,0x24}, {0x80,0x80,0x9b,0x1b}, {0xe2,0xe2,0x3d,0xdf}, -{0xeb,0xeb,0x26,0xcd}, {0x27,0x27,0x69,0x4e}, {0xb2,0xb2,0xcd,0x7f}, {0x75,0x75,0x9f,0xea}, -{0x09,0x09,0x1b,0x12}, {0x83,0x83,0x9e,0x1d}, {0x2c,0x2c,0x74,0x58}, {0x1a,0x1a,0x2e,0x34}, -{0x1b,0x1b,0x2d,0x36}, {0x6e,0x6e,0xb2,0xdc}, {0x5a,0x5a,0xee,0xb4}, {0xa0,0xa0,0xfb,0x5b}, -{0x52,0x52,0xf6,0xa4}, {0x3b,0x3b,0x4d,0x76}, {0xd6,0xd6,0x61,0xb7}, {0xb3,0xb3,0xce,0x7d}, -{0x29,0x29,0x7b,0x52}, {0xe3,0xe3,0x3e,0xdd}, {0x2f,0x2f,0x71,0x5e}, {0x84,0x84,0x97,0x13}, -{0x53,0x53,0xf5,0xa6}, {0xd1,0xd1,0x68,0xb9}, {0x00,0x00,0x00,0x00}, {0xed,0xed,0x2c,0xc1}, -{0x20,0x20,0x60,0x40}, {0xfc,0xfc,0x1f,0xe3}, {0xb1,0xb1,0xc8,0x79}, {0x5b,0x5b,0xed,0xb6}, -{0x6a,0x6a,0xbe,0xd4}, {0xcb,0xcb,0x46,0x8d}, {0xbe,0xbe,0xd9,0x67}, {0x39,0x39,0x4b,0x72}, -{0x4a,0x4a,0xde,0x94}, {0x4c,0x4c,0xd4,0x98}, {0x58,0x58,0xe8,0xb0}, {0xcf,0xcf,0x4a,0x85}, -{0xd0,0xd0,0x6b,0xbb}, {0xef,0xef,0x2a,0xc5}, {0xaa,0xaa,0xe5,0x4f}, {0xfb,0xfb,0x16,0xed}, -{0x43,0x43,0xc5,0x86}, {0x4d,0x4d,0xd7,0x9a}, {0x33,0x33,0x55,0x66}, {0x85,0x85,0x94,0x11}, -{0x45,0x45,0xcf,0x8a}, {0xf9,0xf9,0x10,0xe9}, {0x02,0x02,0x06,0x04}, {0x7f,0x7f,0x81,0xfe}, -{0x50,0x50,0xf0,0xa0}, {0x3c,0x3c,0x44,0x78}, {0x9f,0x9f,0xba,0x25}, {0xa8,0xa8,0xe3,0x4b}, -{0x51,0x51,0xf3,0xa2}, {0xa3,0xa3,0xfe,0x5d}, {0x40,0x40,0xc0,0x80}, {0x8f,0x8f,0x8a,0x05}, -{0x92,0x92,0xad,0x3f}, {0x9d,0x9d,0xbc,0x21}, {0x38,0x38,0x48,0x70}, {0xf5,0xf5,0x04,0xf1}, -{0xbc,0xbc,0xdf,0x63}, {0xb6,0xb6,0xc1,0x77}, {0xda,0xda,0x75,0xaf}, {0x21,0x21,0x63,0x42}, -{0x10,0x10,0x30,0x20}, {0xff,0xff,0x1a,0xe5}, {0xf3,0xf3,0x0e,0xfd}, {0xd2,0xd2,0x6d,0xbf}, -{0xcd,0xcd,0x4c,0x81}, {0x0c,0x0c,0x14,0x18}, {0x13,0x13,0x35,0x26}, {0xec,0xec,0x2f,0xc3}, -{0x5f,0x5f,0xe1,0xbe}, {0x97,0x97,0xa2,0x35}, {0x44,0x44,0xcc,0x88}, 
{0x17,0x17,0x39,0x2e}, -{0xc4,0xc4,0x57,0x93}, {0xa7,0xa7,0xf2,0x55}, {0x7e,0x7e,0x82,0xfc}, {0x3d,0x3d,0x47,0x7a}, -{0x64,0x64,0xac,0xc8}, {0x5d,0x5d,0xe7,0xba}, {0x19,0x19,0x2b,0x32}, {0x73,0x73,0x95,0xe6}, -{0x60,0x60,0xa0,0xc0}, {0x81,0x81,0x98,0x19}, {0x4f,0x4f,0xd1,0x9e}, {0xdc,0xdc,0x7f,0xa3}, -{0x22,0x22,0x66,0x44}, {0x2a,0x2a,0x7e,0x54}, {0x90,0x90,0xab,0x3b}, {0x88,0x88,0x83,0x0b}, -{0x46,0x46,0xca,0x8c}, {0xee,0xee,0x29,0xc7}, {0xb8,0xb8,0xd3,0x6b}, {0x14,0x14,0x3c,0x28}, -{0xde,0xde,0x79,0xa7}, {0x5e,0x5e,0xe2,0xbc}, {0x0b,0x0b,0x1d,0x16}, {0xdb,0xdb,0x76,0xad}, -{0xe0,0xe0,0x3b,0xdb}, {0x32,0x32,0x56,0x64}, {0x3a,0x3a,0x4e,0x74}, {0x0a,0x0a,0x1e,0x14}, -{0x49,0x49,0xdb,0x92}, {0x06,0x06,0x0a,0x0c}, {0x24,0x24,0x6c,0x48}, {0x5c,0x5c,0xe4,0xb8}, -{0xc2,0xc2,0x5d,0x9f}, {0xd3,0xd3,0x6e,0xbd}, {0xac,0xac,0xef,0x43}, {0x62,0x62,0xa6,0xc4}, -{0x91,0x91,0xa8,0x39}, {0x95,0x95,0xa4,0x31}, {0xe4,0xe4,0x37,0xd3}, {0x79,0x79,0x8b,0xf2}, -{0xe7,0xe7,0x32,0xd5}, {0xc8,0xc8,0x43,0x8b}, {0x37,0x37,0x59,0x6e}, {0x6d,0x6d,0xb7,0xda}, -{0x8d,0x8d,0x8c,0x01}, {0xd5,0xd5,0x64,0xb1}, {0x4e,0x4e,0xd2,0x9c}, {0xa9,0xa9,0xe0,0x49}, -{0x6c,0x6c,0xb4,0xd8}, {0x56,0x56,0xfa,0xac}, {0xf4,0xf4,0x07,0xf3}, {0xea,0xea,0x25,0xcf}, -{0x65,0x65,0xaf,0xca}, {0x7a,0x7a,0x8e,0xf4}, {0xae,0xae,0xe9,0x47}, {0x08,0x08,0x18,0x10}, -{0xba,0xba,0xd5,0x6f}, {0x78,0x78,0x88,0xf0}, {0x25,0x25,0x6f,0x4a}, {0x2e,0x2e,0x72,0x5c}, -{0x1c,0x1c,0x24,0x38}, {0xa6,0xa6,0xf1,0x57}, {0xb4,0xb4,0xc7,0x73}, {0xc6,0xc6,0x51,0x97}, -{0xe8,0xe8,0x23,0xcb}, {0xdd,0xdd,0x7c,0xa1}, {0x74,0x74,0x9c,0xe8}, {0x1f,0x1f,0x21,0x3e}, -{0x4b,0x4b,0xdd,0x96}, {0xbd,0xbd,0xdc,0x61}, {0x8b,0x8b,0x86,0x0d}, {0x8a,0x8a,0x85,0x0f}, -{0x70,0x70,0x90,0xe0}, {0x3e,0x3e,0x42,0x7c}, {0xb5,0xb5,0xc4,0x71}, {0x66,0x66,0xaa,0xcc}, -{0x48,0x48,0xd8,0x90}, {0x03,0x03,0x05,0x06}, {0xf6,0xf6,0x01,0xf7}, {0x0e,0x0e,0x12,0x1c}, -{0x61,0x61,0xa3,0xc2}, {0x35,0x35,0x5f,0x6a}, {0x57,0x57,0xf9,0xae}, {0xb9,0xb9,0xd0,0x69}, -{0x86,0x86,0x91,0x17}, 
{0xc1,0xc1,0x58,0x99}, {0x1d,0x1d,0x27,0x3a}, {0x9e,0x9e,0xb9,0x27}, -{0xe1,0xe1,0x38,0xd9}, {0xf8,0xf8,0x13,0xeb}, {0x98,0x98,0xb3,0x2b}, {0x11,0x11,0x33,0x22}, -{0x69,0x69,0xbb,0xd2}, {0xd9,0xd9,0x70,0xa9}, {0x8e,0x8e,0x89,0x07}, {0x94,0x94,0xa7,0x33}, -{0x9b,0x9b,0xb6,0x2d}, {0x1e,0x1e,0x22,0x3c}, {0x87,0x87,0x92,0x15}, {0xe9,0xe9,0x20,0xc9}, -{0xce,0xce,0x49,0x87}, {0x55,0x55,0xff,0xaa}, {0x28,0x28,0x78,0x50}, {0xdf,0xdf,0x7a,0xa5}, -{0x8c,0x8c,0x8f,0x03}, {0xa1,0xa1,0xf8,0x59}, {0x89,0x89,0x80,0x09}, {0x0d,0x0d,0x17,0x1a}, -{0xbf,0xbf,0xda,0x65}, {0xe6,0xe6,0x31,0xd7}, {0x42,0x42,0xc6,0x84}, {0x68,0x68,0xb8,0xd0}, -{0x41,0x41,0xc3,0x82}, {0x99,0x99,0xb0,0x29}, {0x2d,0x2d,0x77,0x5a}, {0x0f,0x0f,0x11,0x1e}, -{0xb0,0xb0,0xcb,0x7b}, {0x54,0x54,0xfc,0xa8}, {0xbb,0xbb,0xd6,0x6d}, {0x16,0x16,0x3a,0x2c} - } -}; -#define T4 xT4.xt8 - -static const union xtab xT5 = { - .xt8 = { -{0x51,0xf4,0xa7,0x50}, {0x7e,0x41,0x65,0x53}, {0x1a,0x17,0xa4,0xc3}, {0x3a,0x27,0x5e,0x96}, -{0x3b,0xab,0x6b,0xcb}, {0x1f,0x9d,0x45,0xf1}, {0xac,0xfa,0x58,0xab}, {0x4b,0xe3,0x03,0x93}, -{0x20,0x30,0xfa,0x55}, {0xad,0x76,0x6d,0xf6}, {0x88,0xcc,0x76,0x91}, {0xf5,0x02,0x4c,0x25}, -{0x4f,0xe5,0xd7,0xfc}, {0xc5,0x2a,0xcb,0xd7}, {0x26,0x35,0x44,0x80}, {0xb5,0x62,0xa3,0x8f}, -{0xde,0xb1,0x5a,0x49}, {0x25,0xba,0x1b,0x67}, {0x45,0xea,0x0e,0x98}, {0x5d,0xfe,0xc0,0xe1}, -{0xc3,0x2f,0x75,0x02}, {0x81,0x4c,0xf0,0x12}, {0x8d,0x46,0x97,0xa3}, {0x6b,0xd3,0xf9,0xc6}, -{0x03,0x8f,0x5f,0xe7}, {0x15,0x92,0x9c,0x95}, {0xbf,0x6d,0x7a,0xeb}, {0x95,0x52,0x59,0xda}, -{0xd4,0xbe,0x83,0x2d}, {0x58,0x74,0x21,0xd3}, {0x49,0xe0,0x69,0x29}, {0x8e,0xc9,0xc8,0x44}, -{0x75,0xc2,0x89,0x6a}, {0xf4,0x8e,0x79,0x78}, {0x99,0x58,0x3e,0x6b}, {0x27,0xb9,0x71,0xdd}, -{0xbe,0xe1,0x4f,0xb6}, {0xf0,0x88,0xad,0x17}, {0xc9,0x20,0xac,0x66}, {0x7d,0xce,0x3a,0xb4}, -{0x63,0xdf,0x4a,0x18}, {0xe5,0x1a,0x31,0x82}, {0x97,0x51,0x33,0x60}, {0x62,0x53,0x7f,0x45}, -{0xb1,0x64,0x77,0xe0}, {0xbb,0x6b,0xae,0x84}, {0xfe,0x81,0xa0,0x1c}, 
{0xf9,0x08,0x2b,0x94}, -{0x70,0x48,0x68,0x58}, {0x8f,0x45,0xfd,0x19}, {0x94,0xde,0x6c,0x87}, {0x52,0x7b,0xf8,0xb7}, -{0xab,0x73,0xd3,0x23}, {0x72,0x4b,0x02,0xe2}, {0xe3,0x1f,0x8f,0x57}, {0x66,0x55,0xab,0x2a}, -{0xb2,0xeb,0x28,0x07}, {0x2f,0xb5,0xc2,0x03}, {0x86,0xc5,0x7b,0x9a}, {0xd3,0x37,0x08,0xa5}, -{0x30,0x28,0x87,0xf2}, {0x23,0xbf,0xa5,0xb2}, {0x02,0x03,0x6a,0xba}, {0xed,0x16,0x82,0x5c}, -{0x8a,0xcf,0x1c,0x2b}, {0xa7,0x79,0xb4,0x92}, {0xf3,0x07,0xf2,0xf0}, {0x4e,0x69,0xe2,0xa1}, -{0x65,0xda,0xf4,0xcd}, {0x06,0x05,0xbe,0xd5}, {0xd1,0x34,0x62,0x1f}, {0xc4,0xa6,0xfe,0x8a}, -{0x34,0x2e,0x53,0x9d}, {0xa2,0xf3,0x55,0xa0}, {0x05,0x8a,0xe1,0x32}, {0xa4,0xf6,0xeb,0x75}, -{0x0b,0x83,0xec,0x39}, {0x40,0x60,0xef,0xaa}, {0x5e,0x71,0x9f,0x06}, {0xbd,0x6e,0x10,0x51}, -{0x3e,0x21,0x8a,0xf9}, {0x96,0xdd,0x06,0x3d}, {0xdd,0x3e,0x05,0xae}, {0x4d,0xe6,0xbd,0x46}, -{0x91,0x54,0x8d,0xb5}, {0x71,0xc4,0x5d,0x05}, {0x04,0x06,0xd4,0x6f}, {0x60,0x50,0x15,0xff}, -{0x19,0x98,0xfb,0x24}, {0xd6,0xbd,0xe9,0x97}, {0x89,0x40,0x43,0xcc}, {0x67,0xd9,0x9e,0x77}, -{0xb0,0xe8,0x42,0xbd}, {0x07,0x89,0x8b,0x88}, {0xe7,0x19,0x5b,0x38}, {0x79,0xc8,0xee,0xdb}, -{0xa1,0x7c,0x0a,0x47}, {0x7c,0x42,0x0f,0xe9}, {0xf8,0x84,0x1e,0xc9}, {0x00,0x00,0x00,0x00}, -{0x09,0x80,0x86,0x83}, {0x32,0x2b,0xed,0x48}, {0x1e,0x11,0x70,0xac}, {0x6c,0x5a,0x72,0x4e}, -{0xfd,0x0e,0xff,0xfb}, {0x0f,0x85,0x38,0x56}, {0x3d,0xae,0xd5,0x1e}, {0x36,0x2d,0x39,0x27}, -{0x0a,0x0f,0xd9,0x64}, {0x68,0x5c,0xa6,0x21}, {0x9b,0x5b,0x54,0xd1}, {0x24,0x36,0x2e,0x3a}, -{0x0c,0x0a,0x67,0xb1}, {0x93,0x57,0xe7,0x0f}, {0xb4,0xee,0x96,0xd2}, {0x1b,0x9b,0x91,0x9e}, -{0x80,0xc0,0xc5,0x4f}, {0x61,0xdc,0x20,0xa2}, {0x5a,0x77,0x4b,0x69}, {0x1c,0x12,0x1a,0x16}, -{0xe2,0x93,0xba,0x0a}, {0xc0,0xa0,0x2a,0xe5}, {0x3c,0x22,0xe0,0x43}, {0x12,0x1b,0x17,0x1d}, -{0x0e,0x09,0x0d,0x0b}, {0xf2,0x8b,0xc7,0xad}, {0x2d,0xb6,0xa8,0xb9}, {0x14,0x1e,0xa9,0xc8}, -{0x57,0xf1,0x19,0x85}, {0xaf,0x75,0x07,0x4c}, {0xee,0x99,0xdd,0xbb}, {0xa3,0x7f,0x60,0xfd}, -{0xf7,0x01,0x26,0x9f}, 
{0x5c,0x72,0xf5,0xbc}, {0x44,0x66,0x3b,0xc5}, {0x5b,0xfb,0x7e,0x34}, -{0x8b,0x43,0x29,0x76}, {0xcb,0x23,0xc6,0xdc}, {0xb6,0xed,0xfc,0x68}, {0xb8,0xe4,0xf1,0x63}, -{0xd7,0x31,0xdc,0xca}, {0x42,0x63,0x85,0x10}, {0x13,0x97,0x22,0x40}, {0x84,0xc6,0x11,0x20}, -{0x85,0x4a,0x24,0x7d}, {0xd2,0xbb,0x3d,0xf8}, {0xae,0xf9,0x32,0x11}, {0xc7,0x29,0xa1,0x6d}, -{0x1d,0x9e,0x2f,0x4b}, {0xdc,0xb2,0x30,0xf3}, {0x0d,0x86,0x52,0xec}, {0x77,0xc1,0xe3,0xd0}, -{0x2b,0xb3,0x16,0x6c}, {0xa9,0x70,0xb9,0x99}, {0x11,0x94,0x48,0xfa}, {0x47,0xe9,0x64,0x22}, -{0xa8,0xfc,0x8c,0xc4}, {0xa0,0xf0,0x3f,0x1a}, {0x56,0x7d,0x2c,0xd8}, {0x22,0x33,0x90,0xef}, -{0x87,0x49,0x4e,0xc7}, {0xd9,0x38,0xd1,0xc1}, {0x8c,0xca,0xa2,0xfe}, {0x98,0xd4,0x0b,0x36}, -{0xa6,0xf5,0x81,0xcf}, {0xa5,0x7a,0xde,0x28}, {0xda,0xb7,0x8e,0x26}, {0x3f,0xad,0xbf,0xa4}, -{0x2c,0x3a,0x9d,0xe4}, {0x50,0x78,0x92,0x0d}, {0x6a,0x5f,0xcc,0x9b}, {0x54,0x7e,0x46,0x62}, -{0xf6,0x8d,0x13,0xc2}, {0x90,0xd8,0xb8,0xe8}, {0x2e,0x39,0xf7,0x5e}, {0x82,0xc3,0xaf,0xf5}, -{0x9f,0x5d,0x80,0xbe}, {0x69,0xd0,0x93,0x7c}, {0x6f,0xd5,0x2d,0xa9}, {0xcf,0x25,0x12,0xb3}, -{0xc8,0xac,0x99,0x3b}, {0x10,0x18,0x7d,0xa7}, {0xe8,0x9c,0x63,0x6e}, {0xdb,0x3b,0xbb,0x7b}, -{0xcd,0x26,0x78,0x09}, {0x6e,0x59,0x18,0xf4}, {0xec,0x9a,0xb7,0x01}, {0x83,0x4f,0x9a,0xa8}, -{0xe6,0x95,0x6e,0x65}, {0xaa,0xff,0xe6,0x7e}, {0x21,0xbc,0xcf,0x08}, {0xef,0x15,0xe8,0xe6}, -{0xba,0xe7,0x9b,0xd9}, {0x4a,0x6f,0x36,0xce}, {0xea,0x9f,0x09,0xd4}, {0x29,0xb0,0x7c,0xd6}, -{0x31,0xa4,0xb2,0xaf}, {0x2a,0x3f,0x23,0x31}, {0xc6,0xa5,0x94,0x30}, {0x35,0xa2,0x66,0xc0}, -{0x74,0x4e,0xbc,0x37}, {0xfc,0x82,0xca,0xa6}, {0xe0,0x90,0xd0,0xb0}, {0x33,0xa7,0xd8,0x15}, -{0xf1,0x04,0x98,0x4a}, {0x41,0xec,0xda,0xf7}, {0x7f,0xcd,0x50,0x0e}, {0x17,0x91,0xf6,0x2f}, -{0x76,0x4d,0xd6,0x8d}, {0x43,0xef,0xb0,0x4d}, {0xcc,0xaa,0x4d,0x54}, {0xe4,0x96,0x04,0xdf}, -{0x9e,0xd1,0xb5,0xe3}, {0x4c,0x6a,0x88,0x1b}, {0xc1,0x2c,0x1f,0xb8}, {0x46,0x65,0x51,0x7f}, -{0x9d,0x5e,0xea,0x04}, {0x01,0x8c,0x35,0x5d}, {0xfa,0x87,0x74,0x73}, 
{0xfb,0x0b,0x41,0x2e}, -{0xb3,0x67,0x1d,0x5a}, {0x92,0xdb,0xd2,0x52}, {0xe9,0x10,0x56,0x33}, {0x6d,0xd6,0x47,0x13}, -{0x9a,0xd7,0x61,0x8c}, {0x37,0xa1,0x0c,0x7a}, {0x59,0xf8,0x14,0x8e}, {0xeb,0x13,0x3c,0x89}, -{0xce,0xa9,0x27,0xee}, {0xb7,0x61,0xc9,0x35}, {0xe1,0x1c,0xe5,0xed}, {0x7a,0x47,0xb1,0x3c}, -{0x9c,0xd2,0xdf,0x59}, {0x55,0xf2,0x73,0x3f}, {0x18,0x14,0xce,0x79}, {0x73,0xc7,0x37,0xbf}, -{0x53,0xf7,0xcd,0xea}, {0x5f,0xfd,0xaa,0x5b}, {0xdf,0x3d,0x6f,0x14}, {0x78,0x44,0xdb,0x86}, -{0xca,0xaf,0xf3,0x81}, {0xb9,0x68,0xc4,0x3e}, {0x38,0x24,0x34,0x2c}, {0xc2,0xa3,0x40,0x5f}, -{0x16,0x1d,0xc3,0x72}, {0xbc,0xe2,0x25,0x0c}, {0x28,0x3c,0x49,0x8b}, {0xff,0x0d,0x95,0x41}, -{0x39,0xa8,0x01,0x71}, {0x08,0x0c,0xb3,0xde}, {0xd8,0xb4,0xe4,0x9c}, {0x64,0x56,0xc1,0x90}, -{0x7b,0xcb,0x84,0x61}, {0xd5,0x32,0xb6,0x70}, {0x48,0x6c,0x5c,0x74}, {0xd0,0xb8,0x57,0x42} - } -}; -#define T5 xT5.xt8 - -static const union xtab xT6 = { - .xt8 = { -{0x50,0x51,0xf4,0xa7}, {0x53,0x7e,0x41,0x65}, {0xc3,0x1a,0x17,0xa4}, {0x96,0x3a,0x27,0x5e}, -{0xcb,0x3b,0xab,0x6b}, {0xf1,0x1f,0x9d,0x45}, {0xab,0xac,0xfa,0x58}, {0x93,0x4b,0xe3,0x03}, -{0x55,0x20,0x30,0xfa}, {0xf6,0xad,0x76,0x6d}, {0x91,0x88,0xcc,0x76}, {0x25,0xf5,0x02,0x4c}, -{0xfc,0x4f,0xe5,0xd7}, {0xd7,0xc5,0x2a,0xcb}, {0x80,0x26,0x35,0x44}, {0x8f,0xb5,0x62,0xa3}, -{0x49,0xde,0xb1,0x5a}, {0x67,0x25,0xba,0x1b}, {0x98,0x45,0xea,0x0e}, {0xe1,0x5d,0xfe,0xc0}, -{0x02,0xc3,0x2f,0x75}, {0x12,0x81,0x4c,0xf0}, {0xa3,0x8d,0x46,0x97}, {0xc6,0x6b,0xd3,0xf9}, -{0xe7,0x03,0x8f,0x5f}, {0x95,0x15,0x92,0x9c}, {0xeb,0xbf,0x6d,0x7a}, {0xda,0x95,0x52,0x59}, -{0x2d,0xd4,0xbe,0x83}, {0xd3,0x58,0x74,0x21}, {0x29,0x49,0xe0,0x69}, {0x44,0x8e,0xc9,0xc8}, -{0x6a,0x75,0xc2,0x89}, {0x78,0xf4,0x8e,0x79}, {0x6b,0x99,0x58,0x3e}, {0xdd,0x27,0xb9,0x71}, -{0xb6,0xbe,0xe1,0x4f}, {0x17,0xf0,0x88,0xad}, {0x66,0xc9,0x20,0xac}, {0xb4,0x7d,0xce,0x3a}, -{0x18,0x63,0xdf,0x4a}, {0x82,0xe5,0x1a,0x31}, {0x60,0x97,0x51,0x33}, {0x45,0x62,0x53,0x7f}, -{0xe0,0xb1,0x64,0x77}, 
{0x84,0xbb,0x6b,0xae}, {0x1c,0xfe,0x81,0xa0}, {0x94,0xf9,0x08,0x2b}, -{0x58,0x70,0x48,0x68}, {0x19,0x8f,0x45,0xfd}, {0x87,0x94,0xde,0x6c}, {0xb7,0x52,0x7b,0xf8}, -{0x23,0xab,0x73,0xd3}, {0xe2,0x72,0x4b,0x02}, {0x57,0xe3,0x1f,0x8f}, {0x2a,0x66,0x55,0xab}, -{0x07,0xb2,0xeb,0x28}, {0x03,0x2f,0xb5,0xc2}, {0x9a,0x86,0xc5,0x7b}, {0xa5,0xd3,0x37,0x08}, -{0xf2,0x30,0x28,0x87}, {0xb2,0x23,0xbf,0xa5}, {0xba,0x02,0x03,0x6a}, {0x5c,0xed,0x16,0x82}, -{0x2b,0x8a,0xcf,0x1c}, {0x92,0xa7,0x79,0xb4}, {0xf0,0xf3,0x07,0xf2}, {0xa1,0x4e,0x69,0xe2}, -{0xcd,0x65,0xda,0xf4}, {0xd5,0x06,0x05,0xbe}, {0x1f,0xd1,0x34,0x62}, {0x8a,0xc4,0xa6,0xfe}, -{0x9d,0x34,0x2e,0x53}, {0xa0,0xa2,0xf3,0x55}, {0x32,0x05,0x8a,0xe1}, {0x75,0xa4,0xf6,0xeb}, -{0x39,0x0b,0x83,0xec}, {0xaa,0x40,0x60,0xef}, {0x06,0x5e,0x71,0x9f}, {0x51,0xbd,0x6e,0x10}, -{0xf9,0x3e,0x21,0x8a}, {0x3d,0x96,0xdd,0x06}, {0xae,0xdd,0x3e,0x05}, {0x46,0x4d,0xe6,0xbd}, -{0xb5,0x91,0x54,0x8d}, {0x05,0x71,0xc4,0x5d}, {0x6f,0x04,0x06,0xd4}, {0xff,0x60,0x50,0x15}, -{0x24,0x19,0x98,0xfb}, {0x97,0xd6,0xbd,0xe9}, {0xcc,0x89,0x40,0x43}, {0x77,0x67,0xd9,0x9e}, -{0xbd,0xb0,0xe8,0x42}, {0x88,0x07,0x89,0x8b}, {0x38,0xe7,0x19,0x5b}, {0xdb,0x79,0xc8,0xee}, -{0x47,0xa1,0x7c,0x0a}, {0xe9,0x7c,0x42,0x0f}, {0xc9,0xf8,0x84,0x1e}, {0x00,0x00,0x00,0x00}, -{0x83,0x09,0x80,0x86}, {0x48,0x32,0x2b,0xed}, {0xac,0x1e,0x11,0x70}, {0x4e,0x6c,0x5a,0x72}, -{0xfb,0xfd,0x0e,0xff}, {0x56,0x0f,0x85,0x38}, {0x1e,0x3d,0xae,0xd5}, {0x27,0x36,0x2d,0x39}, -{0x64,0x0a,0x0f,0xd9}, {0x21,0x68,0x5c,0xa6}, {0xd1,0x9b,0x5b,0x54}, {0x3a,0x24,0x36,0x2e}, -{0xb1,0x0c,0x0a,0x67}, {0x0f,0x93,0x57,0xe7}, {0xd2,0xb4,0xee,0x96}, {0x9e,0x1b,0x9b,0x91}, -{0x4f,0x80,0xc0,0xc5}, {0xa2,0x61,0xdc,0x20}, {0x69,0x5a,0x77,0x4b}, {0x16,0x1c,0x12,0x1a}, -{0x0a,0xe2,0x93,0xba}, {0xe5,0xc0,0xa0,0x2a}, {0x43,0x3c,0x22,0xe0}, {0x1d,0x12,0x1b,0x17}, -{0x0b,0x0e,0x09,0x0d}, {0xad,0xf2,0x8b,0xc7}, {0xb9,0x2d,0xb6,0xa8}, {0xc8,0x14,0x1e,0xa9}, -{0x85,0x57,0xf1,0x19}, {0x4c,0xaf,0x75,0x07}, {0xbb,0xee,0x99,0xdd}, 
{0xfd,0xa3,0x7f,0x60}, -{0x9f,0xf7,0x01,0x26}, {0xbc,0x5c,0x72,0xf5}, {0xc5,0x44,0x66,0x3b}, {0x34,0x5b,0xfb,0x7e}, -{0x76,0x8b,0x43,0x29}, {0xdc,0xcb,0x23,0xc6}, {0x68,0xb6,0xed,0xfc}, {0x63,0xb8,0xe4,0xf1}, -{0xca,0xd7,0x31,0xdc}, {0x10,0x42,0x63,0x85}, {0x40,0x13,0x97,0x22}, {0x20,0x84,0xc6,0x11}, -{0x7d,0x85,0x4a,0x24}, {0xf8,0xd2,0xbb,0x3d}, {0x11,0xae,0xf9,0x32}, {0x6d,0xc7,0x29,0xa1}, -{0x4b,0x1d,0x9e,0x2f}, {0xf3,0xdc,0xb2,0x30}, {0xec,0x0d,0x86,0x52}, {0xd0,0x77,0xc1,0xe3}, -{0x6c,0x2b,0xb3,0x16}, {0x99,0xa9,0x70,0xb9}, {0xfa,0x11,0x94,0x48}, {0x22,0x47,0xe9,0x64}, -{0xc4,0xa8,0xfc,0x8c}, {0x1a,0xa0,0xf0,0x3f}, {0xd8,0x56,0x7d,0x2c}, {0xef,0x22,0x33,0x90}, -{0xc7,0x87,0x49,0x4e}, {0xc1,0xd9,0x38,0xd1}, {0xfe,0x8c,0xca,0xa2}, {0x36,0x98,0xd4,0x0b}, -{0xcf,0xa6,0xf5,0x81}, {0x28,0xa5,0x7a,0xde}, {0x26,0xda,0xb7,0x8e}, {0xa4,0x3f,0xad,0xbf}, -{0xe4,0x2c,0x3a,0x9d}, {0x0d,0x50,0x78,0x92}, {0x9b,0x6a,0x5f,0xcc}, {0x62,0x54,0x7e,0x46}, -{0xc2,0xf6,0x8d,0x13}, {0xe8,0x90,0xd8,0xb8}, {0x5e,0x2e,0x39,0xf7}, {0xf5,0x82,0xc3,0xaf}, -{0xbe,0x9f,0x5d,0x80}, {0x7c,0x69,0xd0,0x93}, {0xa9,0x6f,0xd5,0x2d}, {0xb3,0xcf,0x25,0x12}, -{0x3b,0xc8,0xac,0x99}, {0xa7,0x10,0x18,0x7d}, {0x6e,0xe8,0x9c,0x63}, {0x7b,0xdb,0x3b,0xbb}, -{0x09,0xcd,0x26,0x78}, {0xf4,0x6e,0x59,0x18}, {0x01,0xec,0x9a,0xb7}, {0xa8,0x83,0x4f,0x9a}, -{0x65,0xe6,0x95,0x6e}, {0x7e,0xaa,0xff,0xe6}, {0x08,0x21,0xbc,0xcf}, {0xe6,0xef,0x15,0xe8}, -{0xd9,0xba,0xe7,0x9b}, {0xce,0x4a,0x6f,0x36}, {0xd4,0xea,0x9f,0x09}, {0xd6,0x29,0xb0,0x7c}, -{0xaf,0x31,0xa4,0xb2}, {0x31,0x2a,0x3f,0x23}, {0x30,0xc6,0xa5,0x94}, {0xc0,0x35,0xa2,0x66}, -{0x37,0x74,0x4e,0xbc}, {0xa6,0xfc,0x82,0xca}, {0xb0,0xe0,0x90,0xd0}, {0x15,0x33,0xa7,0xd8}, -{0x4a,0xf1,0x04,0x98}, {0xf7,0x41,0xec,0xda}, {0x0e,0x7f,0xcd,0x50}, {0x2f,0x17,0x91,0xf6}, -{0x8d,0x76,0x4d,0xd6}, {0x4d,0x43,0xef,0xb0}, {0x54,0xcc,0xaa,0x4d}, {0xdf,0xe4,0x96,0x04}, -{0xe3,0x9e,0xd1,0xb5}, {0x1b,0x4c,0x6a,0x88}, {0xb8,0xc1,0x2c,0x1f}, {0x7f,0x46,0x65,0x51}, -{0x04,0x9d,0x5e,0xea}, 
{0x5d,0x01,0x8c,0x35}, {0x73,0xfa,0x87,0x74}, {0x2e,0xfb,0x0b,0x41}, -{0x5a,0xb3,0x67,0x1d}, {0x52,0x92,0xdb,0xd2}, {0x33,0xe9,0x10,0x56}, {0x13,0x6d,0xd6,0x47}, -{0x8c,0x9a,0xd7,0x61}, {0x7a,0x37,0xa1,0x0c}, {0x8e,0x59,0xf8,0x14}, {0x89,0xeb,0x13,0x3c}, -{0xee,0xce,0xa9,0x27}, {0x35,0xb7,0x61,0xc9}, {0xed,0xe1,0x1c,0xe5}, {0x3c,0x7a,0x47,0xb1}, -{0x59,0x9c,0xd2,0xdf}, {0x3f,0x55,0xf2,0x73}, {0x79,0x18,0x14,0xce}, {0xbf,0x73,0xc7,0x37}, -{0xea,0x53,0xf7,0xcd}, {0x5b,0x5f,0xfd,0xaa}, {0x14,0xdf,0x3d,0x6f}, {0x86,0x78,0x44,0xdb}, -{0x81,0xca,0xaf,0xf3}, {0x3e,0xb9,0x68,0xc4}, {0x2c,0x38,0x24,0x34}, {0x5f,0xc2,0xa3,0x40}, -{0x72,0x16,0x1d,0xc3}, {0x0c,0xbc,0xe2,0x25}, {0x8b,0x28,0x3c,0x49}, {0x41,0xff,0x0d,0x95}, -{0x71,0x39,0xa8,0x01}, {0xde,0x08,0x0c,0xb3}, {0x9c,0xd8,0xb4,0xe4}, {0x90,0x64,0x56,0xc1}, -{0x61,0x7b,0xcb,0x84}, {0x70,0xd5,0x32,0xb6}, {0x74,0x48,0x6c,0x5c}, {0x42,0xd0,0xb8,0x57} - } -}; -#define T6 xT6.xt8 - -static const union xtab xT7 = { - .xt8 = { -{0xa7,0x50,0x51,0xf4}, {0x65,0x53,0x7e,0x41}, {0xa4,0xc3,0x1a,0x17}, {0x5e,0x96,0x3a,0x27}, -{0x6b,0xcb,0x3b,0xab}, {0x45,0xf1,0x1f,0x9d}, {0x58,0xab,0xac,0xfa}, {0x03,0x93,0x4b,0xe3}, -{0xfa,0x55,0x20,0x30}, {0x6d,0xf6,0xad,0x76}, {0x76,0x91,0x88,0xcc}, {0x4c,0x25,0xf5,0x02}, -{0xd7,0xfc,0x4f,0xe5}, {0xcb,0xd7,0xc5,0x2a}, {0x44,0x80,0x26,0x35}, {0xa3,0x8f,0xb5,0x62}, -{0x5a,0x49,0xde,0xb1}, {0x1b,0x67,0x25,0xba}, {0x0e,0x98,0x45,0xea}, {0xc0,0xe1,0x5d,0xfe}, -{0x75,0x02,0xc3,0x2f}, {0xf0,0x12,0x81,0x4c}, {0x97,0xa3,0x8d,0x46}, {0xf9,0xc6,0x6b,0xd3}, -{0x5f,0xe7,0x03,0x8f}, {0x9c,0x95,0x15,0x92}, {0x7a,0xeb,0xbf,0x6d}, {0x59,0xda,0x95,0x52}, -{0x83,0x2d,0xd4,0xbe}, {0x21,0xd3,0x58,0x74}, {0x69,0x29,0x49,0xe0}, {0xc8,0x44,0x8e,0xc9}, -{0x89,0x6a,0x75,0xc2}, {0x79,0x78,0xf4,0x8e}, {0x3e,0x6b,0x99,0x58}, {0x71,0xdd,0x27,0xb9}, -{0x4f,0xb6,0xbe,0xe1}, {0xad,0x17,0xf0,0x88}, {0xac,0x66,0xc9,0x20}, {0x3a,0xb4,0x7d,0xce}, -{0x4a,0x18,0x63,0xdf}, {0x31,0x82,0xe5,0x1a}, {0x33,0x60,0x97,0x51}, 
{0x7f,0x45,0x62,0x53}, -{0x77,0xe0,0xb1,0x64}, {0xae,0x84,0xbb,0x6b}, {0xa0,0x1c,0xfe,0x81}, {0x2b,0x94,0xf9,0x08}, -{0x68,0x58,0x70,0x48}, {0xfd,0x19,0x8f,0x45}, {0x6c,0x87,0x94,0xde}, {0xf8,0xb7,0x52,0x7b}, -{0xd3,0x23,0xab,0x73}, {0x02,0xe2,0x72,0x4b}, {0x8f,0x57,0xe3,0x1f}, {0xab,0x2a,0x66,0x55}, -{0x28,0x07,0xb2,0xeb}, {0xc2,0x03,0x2f,0xb5}, {0x7b,0x9a,0x86,0xc5}, {0x08,0xa5,0xd3,0x37}, -{0x87,0xf2,0x30,0x28}, {0xa5,0xb2,0x23,0xbf}, {0x6a,0xba,0x02,0x03}, {0x82,0x5c,0xed,0x16}, -{0x1c,0x2b,0x8a,0xcf}, {0xb4,0x92,0xa7,0x79}, {0xf2,0xf0,0xf3,0x07}, {0xe2,0xa1,0x4e,0x69}, -{0xf4,0xcd,0x65,0xda}, {0xbe,0xd5,0x06,0x05}, {0x62,0x1f,0xd1,0x34}, {0xfe,0x8a,0xc4,0xa6}, -{0x53,0x9d,0x34,0x2e}, {0x55,0xa0,0xa2,0xf3}, {0xe1,0x32,0x05,0x8a}, {0xeb,0x75,0xa4,0xf6}, -{0xec,0x39,0x0b,0x83}, {0xef,0xaa,0x40,0x60}, {0x9f,0x06,0x5e,0x71}, {0x10,0x51,0xbd,0x6e}, -{0x8a,0xf9,0x3e,0x21}, {0x06,0x3d,0x96,0xdd}, {0x05,0xae,0xdd,0x3e}, {0xbd,0x46,0x4d,0xe6}, -{0x8d,0xb5,0x91,0x54}, {0x5d,0x05,0x71,0xc4}, {0xd4,0x6f,0x04,0x06}, {0x15,0xff,0x60,0x50}, -{0xfb,0x24,0x19,0x98}, {0xe9,0x97,0xd6,0xbd}, {0x43,0xcc,0x89,0x40}, {0x9e,0x77,0x67,0xd9}, -{0x42,0xbd,0xb0,0xe8}, {0x8b,0x88,0x07,0x89}, {0x5b,0x38,0xe7,0x19}, {0xee,0xdb,0x79,0xc8}, -{0x0a,0x47,0xa1,0x7c}, {0x0f,0xe9,0x7c,0x42}, {0x1e,0xc9,0xf8,0x84}, {0x00,0x00,0x00,0x00}, -{0x86,0x83,0x09,0x80}, {0xed,0x48,0x32,0x2b}, {0x70,0xac,0x1e,0x11}, {0x72,0x4e,0x6c,0x5a}, -{0xff,0xfb,0xfd,0x0e}, {0x38,0x56,0x0f,0x85}, {0xd5,0x1e,0x3d,0xae}, {0x39,0x27,0x36,0x2d}, -{0xd9,0x64,0x0a,0x0f}, {0xa6,0x21,0x68,0x5c}, {0x54,0xd1,0x9b,0x5b}, {0x2e,0x3a,0x24,0x36}, -{0x67,0xb1,0x0c,0x0a}, {0xe7,0x0f,0x93,0x57}, {0x96,0xd2,0xb4,0xee}, {0x91,0x9e,0x1b,0x9b}, -{0xc5,0x4f,0x80,0xc0}, {0x20,0xa2,0x61,0xdc}, {0x4b,0x69,0x5a,0x77}, {0x1a,0x16,0x1c,0x12}, -{0xba,0x0a,0xe2,0x93}, {0x2a,0xe5,0xc0,0xa0}, {0xe0,0x43,0x3c,0x22}, {0x17,0x1d,0x12,0x1b}, -{0x0d,0x0b,0x0e,0x09}, {0xc7,0xad,0xf2,0x8b}, {0xa8,0xb9,0x2d,0xb6}, {0xa9,0xc8,0x14,0x1e}, -{0x19,0x85,0x57,0xf1}, 
{0x07,0x4c,0xaf,0x75}, {0xdd,0xbb,0xee,0x99}, {0x60,0xfd,0xa3,0x7f}, -{0x26,0x9f,0xf7,0x01}, {0xf5,0xbc,0x5c,0x72}, {0x3b,0xc5,0x44,0x66}, {0x7e,0x34,0x5b,0xfb}, -{0x29,0x76,0x8b,0x43}, {0xc6,0xdc,0xcb,0x23}, {0xfc,0x68,0xb6,0xed}, {0xf1,0x63,0xb8,0xe4}, -{0xdc,0xca,0xd7,0x31}, {0x85,0x10,0x42,0x63}, {0x22,0x40,0x13,0x97}, {0x11,0x20,0x84,0xc6}, -{0x24,0x7d,0x85,0x4a}, {0x3d,0xf8,0xd2,0xbb}, {0x32,0x11,0xae,0xf9}, {0xa1,0x6d,0xc7,0x29}, -{0x2f,0x4b,0x1d,0x9e}, {0x30,0xf3,0xdc,0xb2}, {0x52,0xec,0x0d,0x86}, {0xe3,0xd0,0x77,0xc1}, -{0x16,0x6c,0x2b,0xb3}, {0xb9,0x99,0xa9,0x70}, {0x48,0xfa,0x11,0x94}, {0x64,0x22,0x47,0xe9}, -{0x8c,0xc4,0xa8,0xfc}, {0x3f,0x1a,0xa0,0xf0}, {0x2c,0xd8,0x56,0x7d}, {0x90,0xef,0x22,0x33}, -{0x4e,0xc7,0x87,0x49}, {0xd1,0xc1,0xd9,0x38}, {0xa2,0xfe,0x8c,0xca}, {0x0b,0x36,0x98,0xd4}, -{0x81,0xcf,0xa6,0xf5}, {0xde,0x28,0xa5,0x7a}, {0x8e,0x26,0xda,0xb7}, {0xbf,0xa4,0x3f,0xad}, -{0x9d,0xe4,0x2c,0x3a}, {0x92,0x0d,0x50,0x78}, {0xcc,0x9b,0x6a,0x5f}, {0x46,0x62,0x54,0x7e}, -{0x13,0xc2,0xf6,0x8d}, {0xb8,0xe8,0x90,0xd8}, {0xf7,0x5e,0x2e,0x39}, {0xaf,0xf5,0x82,0xc3}, -{0x80,0xbe,0x9f,0x5d}, {0x93,0x7c,0x69,0xd0}, {0x2d,0xa9,0x6f,0xd5}, {0x12,0xb3,0xcf,0x25}, -{0x99,0x3b,0xc8,0xac}, {0x7d,0xa7,0x10,0x18}, {0x63,0x6e,0xe8,0x9c}, {0xbb,0x7b,0xdb,0x3b}, -{0x78,0x09,0xcd,0x26}, {0x18,0xf4,0x6e,0x59}, {0xb7,0x01,0xec,0x9a}, {0x9a,0xa8,0x83,0x4f}, -{0x6e,0x65,0xe6,0x95}, {0xe6,0x7e,0xaa,0xff}, {0xcf,0x08,0x21,0xbc}, {0xe8,0xe6,0xef,0x15}, -{0x9b,0xd9,0xba,0xe7}, {0x36,0xce,0x4a,0x6f}, {0x09,0xd4,0xea,0x9f}, {0x7c,0xd6,0x29,0xb0}, -{0xb2,0xaf,0x31,0xa4}, {0x23,0x31,0x2a,0x3f}, {0x94,0x30,0xc6,0xa5}, {0x66,0xc0,0x35,0xa2}, -{0xbc,0x37,0x74,0x4e}, {0xca,0xa6,0xfc,0x82}, {0xd0,0xb0,0xe0,0x90}, {0xd8,0x15,0x33,0xa7}, -{0x98,0x4a,0xf1,0x04}, {0xda,0xf7,0x41,0xec}, {0x50,0x0e,0x7f,0xcd}, {0xf6,0x2f,0x17,0x91}, -{0xd6,0x8d,0x76,0x4d}, {0xb0,0x4d,0x43,0xef}, {0x4d,0x54,0xcc,0xaa}, {0x04,0xdf,0xe4,0x96}, -{0xb5,0xe3,0x9e,0xd1}, {0x88,0x1b,0x4c,0x6a}, {0x1f,0xb8,0xc1,0x2c}, 
{0x51,0x7f,0x46,0x65}, -{0xea,0x04,0x9d,0x5e}, {0x35,0x5d,0x01,0x8c}, {0x74,0x73,0xfa,0x87}, {0x41,0x2e,0xfb,0x0b}, -{0x1d,0x5a,0xb3,0x67}, {0xd2,0x52,0x92,0xdb}, {0x56,0x33,0xe9,0x10}, {0x47,0x13,0x6d,0xd6}, -{0x61,0x8c,0x9a,0xd7}, {0x0c,0x7a,0x37,0xa1}, {0x14,0x8e,0x59,0xf8}, {0x3c,0x89,0xeb,0x13}, -{0x27,0xee,0xce,0xa9}, {0xc9,0x35,0xb7,0x61}, {0xe5,0xed,0xe1,0x1c}, {0xb1,0x3c,0x7a,0x47}, -{0xdf,0x59,0x9c,0xd2}, {0x73,0x3f,0x55,0xf2}, {0xce,0x79,0x18,0x14}, {0x37,0xbf,0x73,0xc7}, -{0xcd,0xea,0x53,0xf7}, {0xaa,0x5b,0x5f,0xfd}, {0x6f,0x14,0xdf,0x3d}, {0xdb,0x86,0x78,0x44}, -{0xf3,0x81,0xca,0xaf}, {0xc4,0x3e,0xb9,0x68}, {0x34,0x2c,0x38,0x24}, {0x40,0x5f,0xc2,0xa3}, -{0xc3,0x72,0x16,0x1d}, {0x25,0x0c,0xbc,0xe2}, {0x49,0x8b,0x28,0x3c}, {0x95,0x41,0xff,0x0d}, -{0x01,0x71,0x39,0xa8}, {0xb3,0xde,0x08,0x0c}, {0xe4,0x9c,0xd8,0xb4}, {0xc1,0x90,0x64,0x56}, -{0x84,0x61,0x7b,0xcb}, {0xb6,0x70,0xd5,0x32}, {0x5c,0x74,0x48,0x6c}, {0x57,0x42,0xd0,0xb8} - } -}; -#define T7 xT7.xt8 - -static const union xtab xT8 = { - .xt8 = { -{0xf4,0xa7,0x50,0x51}, {0x41,0x65,0x53,0x7e}, {0x17,0xa4,0xc3,0x1a}, {0x27,0x5e,0x96,0x3a}, -{0xab,0x6b,0xcb,0x3b}, {0x9d,0x45,0xf1,0x1f}, {0xfa,0x58,0xab,0xac}, {0xe3,0x03,0x93,0x4b}, -{0x30,0xfa,0x55,0x20}, {0x76,0x6d,0xf6,0xad}, {0xcc,0x76,0x91,0x88}, {0x02,0x4c,0x25,0xf5}, -{0xe5,0xd7,0xfc,0x4f}, {0x2a,0xcb,0xd7,0xc5}, {0x35,0x44,0x80,0x26}, {0x62,0xa3,0x8f,0xb5}, -{0xb1,0x5a,0x49,0xde}, {0xba,0x1b,0x67,0x25}, {0xea,0x0e,0x98,0x45}, {0xfe,0xc0,0xe1,0x5d}, -{0x2f,0x75,0x02,0xc3}, {0x4c,0xf0,0x12,0x81}, {0x46,0x97,0xa3,0x8d}, {0xd3,0xf9,0xc6,0x6b}, -{0x8f,0x5f,0xe7,0x03}, {0x92,0x9c,0x95,0x15}, {0x6d,0x7a,0xeb,0xbf}, {0x52,0x59,0xda,0x95}, -{0xbe,0x83,0x2d,0xd4}, {0x74,0x21,0xd3,0x58}, {0xe0,0x69,0x29,0x49}, {0xc9,0xc8,0x44,0x8e}, -{0xc2,0x89,0x6a,0x75}, {0x8e,0x79,0x78,0xf4}, {0x58,0x3e,0x6b,0x99}, {0xb9,0x71,0xdd,0x27}, -{0xe1,0x4f,0xb6,0xbe}, {0x88,0xad,0x17,0xf0}, {0x20,0xac,0x66,0xc9}, {0xce,0x3a,0xb4,0x7d}, -{0xdf,0x4a,0x18,0x63}, 
{0x1a,0x31,0x82,0xe5}, {0x51,0x33,0x60,0x97}, {0x53,0x7f,0x45,0x62}, -{0x64,0x77,0xe0,0xb1}, {0x6b,0xae,0x84,0xbb}, {0x81,0xa0,0x1c,0xfe}, {0x08,0x2b,0x94,0xf9}, -{0x48,0x68,0x58,0x70}, {0x45,0xfd,0x19,0x8f}, {0xde,0x6c,0x87,0x94}, {0x7b,0xf8,0xb7,0x52}, -{0x73,0xd3,0x23,0xab}, {0x4b,0x02,0xe2,0x72}, {0x1f,0x8f,0x57,0xe3}, {0x55,0xab,0x2a,0x66}, -{0xeb,0x28,0x07,0xb2}, {0xb5,0xc2,0x03,0x2f}, {0xc5,0x7b,0x9a,0x86}, {0x37,0x08,0xa5,0xd3}, -{0x28,0x87,0xf2,0x30}, {0xbf,0xa5,0xb2,0x23}, {0x03,0x6a,0xba,0x02}, {0x16,0x82,0x5c,0xed}, -{0xcf,0x1c,0x2b,0x8a}, {0x79,0xb4,0x92,0xa7}, {0x07,0xf2,0xf0,0xf3}, {0x69,0xe2,0xa1,0x4e}, -{0xda,0xf4,0xcd,0x65}, {0x05,0xbe,0xd5,0x06}, {0x34,0x62,0x1f,0xd1}, {0xa6,0xfe,0x8a,0xc4}, -{0x2e,0x53,0x9d,0x34}, {0xf3,0x55,0xa0,0xa2}, {0x8a,0xe1,0x32,0x05}, {0xf6,0xeb,0x75,0xa4}, -{0x83,0xec,0x39,0x0b}, {0x60,0xef,0xaa,0x40}, {0x71,0x9f,0x06,0x5e}, {0x6e,0x10,0x51,0xbd}, -{0x21,0x8a,0xf9,0x3e}, {0xdd,0x06,0x3d,0x96}, {0x3e,0x05,0xae,0xdd}, {0xe6,0xbd,0x46,0x4d}, -{0x54,0x8d,0xb5,0x91}, {0xc4,0x5d,0x05,0x71}, {0x06,0xd4,0x6f,0x04}, {0x50,0x15,0xff,0x60}, -{0x98,0xfb,0x24,0x19}, {0xbd,0xe9,0x97,0xd6}, {0x40,0x43,0xcc,0x89}, {0xd9,0x9e,0x77,0x67}, -{0xe8,0x42,0xbd,0xb0}, {0x89,0x8b,0x88,0x07}, {0x19,0x5b,0x38,0xe7}, {0xc8,0xee,0xdb,0x79}, -{0x7c,0x0a,0x47,0xa1}, {0x42,0x0f,0xe9,0x7c}, {0x84,0x1e,0xc9,0xf8}, {0x00,0x00,0x00,0x00}, -{0x80,0x86,0x83,0x09}, {0x2b,0xed,0x48,0x32}, {0x11,0x70,0xac,0x1e}, {0x5a,0x72,0x4e,0x6c}, -{0x0e,0xff,0xfb,0xfd}, {0x85,0x38,0x56,0x0f}, {0xae,0xd5,0x1e,0x3d}, {0x2d,0x39,0x27,0x36}, -{0x0f,0xd9,0x64,0x0a}, {0x5c,0xa6,0x21,0x68}, {0x5b,0x54,0xd1,0x9b}, {0x36,0x2e,0x3a,0x24}, -{0x0a,0x67,0xb1,0x0c}, {0x57,0xe7,0x0f,0x93}, {0xee,0x96,0xd2,0xb4}, {0x9b,0x91,0x9e,0x1b}, -{0xc0,0xc5,0x4f,0x80}, {0xdc,0x20,0xa2,0x61}, {0x77,0x4b,0x69,0x5a}, {0x12,0x1a,0x16,0x1c}, -{0x93,0xba,0x0a,0xe2}, {0xa0,0x2a,0xe5,0xc0}, {0x22,0xe0,0x43,0x3c}, {0x1b,0x17,0x1d,0x12}, -{0x09,0x0d,0x0b,0x0e}, {0x8b,0xc7,0xad,0xf2}, {0xb6,0xa8,0xb9,0x2d}, 
{0x1e,0xa9,0xc8,0x14}, -{0xf1,0x19,0x85,0x57}, {0x75,0x07,0x4c,0xaf}, {0x99,0xdd,0xbb,0xee}, {0x7f,0x60,0xfd,0xa3}, -{0x01,0x26,0x9f,0xf7}, {0x72,0xf5,0xbc,0x5c}, {0x66,0x3b,0xc5,0x44}, {0xfb,0x7e,0x34,0x5b}, -{0x43,0x29,0x76,0x8b}, {0x23,0xc6,0xdc,0xcb}, {0xed,0xfc,0x68,0xb6}, {0xe4,0xf1,0x63,0xb8}, -{0x31,0xdc,0xca,0xd7}, {0x63,0x85,0x10,0x42}, {0x97,0x22,0x40,0x13}, {0xc6,0x11,0x20,0x84}, -{0x4a,0x24,0x7d,0x85}, {0xbb,0x3d,0xf8,0xd2}, {0xf9,0x32,0x11,0xae}, {0x29,0xa1,0x6d,0xc7}, -{0x9e,0x2f,0x4b,0x1d}, {0xb2,0x30,0xf3,0xdc}, {0x86,0x52,0xec,0x0d}, {0xc1,0xe3,0xd0,0x77}, -{0xb3,0x16,0x6c,0x2b}, {0x70,0xb9,0x99,0xa9}, {0x94,0x48,0xfa,0x11}, {0xe9,0x64,0x22,0x47}, -{0xfc,0x8c,0xc4,0xa8}, {0xf0,0x3f,0x1a,0xa0}, {0x7d,0x2c,0xd8,0x56}, {0x33,0x90,0xef,0x22}, -{0x49,0x4e,0xc7,0x87}, {0x38,0xd1,0xc1,0xd9}, {0xca,0xa2,0xfe,0x8c}, {0xd4,0x0b,0x36,0x98}, -{0xf5,0x81,0xcf,0xa6}, {0x7a,0xde,0x28,0xa5}, {0xb7,0x8e,0x26,0xda}, {0xad,0xbf,0xa4,0x3f}, -{0x3a,0x9d,0xe4,0x2c}, {0x78,0x92,0x0d,0x50}, {0x5f,0xcc,0x9b,0x6a}, {0x7e,0x46,0x62,0x54}, -{0x8d,0x13,0xc2,0xf6}, {0xd8,0xb8,0xe8,0x90}, {0x39,0xf7,0x5e,0x2e}, {0xc3,0xaf,0xf5,0x82}, -{0x5d,0x80,0xbe,0x9f}, {0xd0,0x93,0x7c,0x69}, {0xd5,0x2d,0xa9,0x6f}, {0x25,0x12,0xb3,0xcf}, -{0xac,0x99,0x3b,0xc8}, {0x18,0x7d,0xa7,0x10}, {0x9c,0x63,0x6e,0xe8}, {0x3b,0xbb,0x7b,0xdb}, -{0x26,0x78,0x09,0xcd}, {0x59,0x18,0xf4,0x6e}, {0x9a,0xb7,0x01,0xec}, {0x4f,0x9a,0xa8,0x83}, -{0x95,0x6e,0x65,0xe6}, {0xff,0xe6,0x7e,0xaa}, {0xbc,0xcf,0x08,0x21}, {0x15,0xe8,0xe6,0xef}, -{0xe7,0x9b,0xd9,0xba}, {0x6f,0x36,0xce,0x4a}, {0x9f,0x09,0xd4,0xea}, {0xb0,0x7c,0xd6,0x29}, -{0xa4,0xb2,0xaf,0x31}, {0x3f,0x23,0x31,0x2a}, {0xa5,0x94,0x30,0xc6}, {0xa2,0x66,0xc0,0x35}, -{0x4e,0xbc,0x37,0x74}, {0x82,0xca,0xa6,0xfc}, {0x90,0xd0,0xb0,0xe0}, {0xa7,0xd8,0x15,0x33}, -{0x04,0x98,0x4a,0xf1}, {0xec,0xda,0xf7,0x41}, {0xcd,0x50,0x0e,0x7f}, {0x91,0xf6,0x2f,0x17}, -{0x4d,0xd6,0x8d,0x76}, {0xef,0xb0,0x4d,0x43}, {0xaa,0x4d,0x54,0xcc}, {0x96,0x04,0xdf,0xe4}, -{0xd1,0xb5,0xe3,0x9e}, 
{0x6a,0x88,0x1b,0x4c}, {0x2c,0x1f,0xb8,0xc1}, {0x65,0x51,0x7f,0x46}, -{0x5e,0xea,0x04,0x9d}, {0x8c,0x35,0x5d,0x01}, {0x87,0x74,0x73,0xfa}, {0x0b,0x41,0x2e,0xfb}, -{0x67,0x1d,0x5a,0xb3}, {0xdb,0xd2,0x52,0x92}, {0x10,0x56,0x33,0xe9}, {0xd6,0x47,0x13,0x6d}, -{0xd7,0x61,0x8c,0x9a}, {0xa1,0x0c,0x7a,0x37}, {0xf8,0x14,0x8e,0x59}, {0x13,0x3c,0x89,0xeb}, -{0xa9,0x27,0xee,0xce}, {0x61,0xc9,0x35,0xb7}, {0x1c,0xe5,0xed,0xe1}, {0x47,0xb1,0x3c,0x7a}, -{0xd2,0xdf,0x59,0x9c}, {0xf2,0x73,0x3f,0x55}, {0x14,0xce,0x79,0x18}, {0xc7,0x37,0xbf,0x73}, -{0xf7,0xcd,0xea,0x53}, {0xfd,0xaa,0x5b,0x5f}, {0x3d,0x6f,0x14,0xdf}, {0x44,0xdb,0x86,0x78}, -{0xaf,0xf3,0x81,0xca}, {0x68,0xc4,0x3e,0xb9}, {0x24,0x34,0x2c,0x38}, {0xa3,0x40,0x5f,0xc2}, -{0x1d,0xc3,0x72,0x16}, {0xe2,0x25,0x0c,0xbc}, {0x3c,0x49,0x8b,0x28}, {0x0d,0x95,0x41,0xff}, -{0xa8,0x01,0x71,0x39}, {0x0c,0xb3,0xde,0x08}, {0xb4,0xe4,0x9c,0xd8}, {0x56,0xc1,0x90,0x64}, -{0xcb,0x84,0x61,0x7b}, {0x32,0xb6,0x70,0xd5}, {0x6c,0x5c,0x74,0x48}, {0xb8,0x57,0x42,0xd0} - } -}; -#define T8 xT8.xt8 - -static const word8 S5[256] = { -0x52,0x09,0x6a,0xd5, -0x30,0x36,0xa5,0x38, -0xbf,0x40,0xa3,0x9e, -0x81,0xf3,0xd7,0xfb, -0x7c,0xe3,0x39,0x82, -0x9b,0x2f,0xff,0x87, -0x34,0x8e,0x43,0x44, -0xc4,0xde,0xe9,0xcb, -0x54,0x7b,0x94,0x32, -0xa6,0xc2,0x23,0x3d, -0xee,0x4c,0x95,0x0b, -0x42,0xfa,0xc3,0x4e, -0x08,0x2e,0xa1,0x66, -0x28,0xd9,0x24,0xb2, -0x76,0x5b,0xa2,0x49, -0x6d,0x8b,0xd1,0x25, -0x72,0xf8,0xf6,0x64, -0x86,0x68,0x98,0x16, -0xd4,0xa4,0x5c,0xcc, -0x5d,0x65,0xb6,0x92, -0x6c,0x70,0x48,0x50, -0xfd,0xed,0xb9,0xda, -0x5e,0x15,0x46,0x57, -0xa7,0x8d,0x9d,0x84, -0x90,0xd8,0xab,0x00, -0x8c,0xbc,0xd3,0x0a, -0xf7,0xe4,0x58,0x05, -0xb8,0xb3,0x45,0x06, -0xd0,0x2c,0x1e,0x8f, -0xca,0x3f,0x0f,0x02, -0xc1,0xaf,0xbd,0x03, -0x01,0x13,0x8a,0x6b, -0x3a,0x91,0x11,0x41, -0x4f,0x67,0xdc,0xea, -0x97,0xf2,0xcf,0xce, -0xf0,0xb4,0xe6,0x73, -0x96,0xac,0x74,0x22, -0xe7,0xad,0x35,0x85, -0xe2,0xf9,0x37,0xe8, -0x1c,0x75,0xdf,0x6e, -0x47,0xf1,0x1a,0x71, -0x1d,0x29,0xc5,0x89, 
-0x6f,0xb7,0x62,0x0e, -0xaa,0x18,0xbe,0x1b, -0xfc,0x56,0x3e,0x4b, -0xc6,0xd2,0x79,0x20, -0x9a,0xdb,0xc0,0xfe, -0x78,0xcd,0x5a,0xf4, -0x1f,0xdd,0xa8,0x33, -0x88,0x07,0xc7,0x31, -0xb1,0x12,0x10,0x59, -0x27,0x80,0xec,0x5f, -0x60,0x51,0x7f,0xa9, -0x19,0xb5,0x4a,0x0d, -0x2d,0xe5,0x7a,0x9f, -0x93,0xc9,0x9c,0xef, -0xa0,0xe0,0x3b,0x4d, -0xae,0x2a,0xf5,0xb0, -0xc8,0xeb,0xbb,0x3c, -0x83,0x53,0x99,0x61, -0x17,0x2b,0x04,0x7e, -0xba,0x77,0xd6,0x26, -0xe1,0x69,0x14,0x63, -0x55,0x21,0x0c,0x7d -}; - -static const union xtab xU1 = { - .xt8 = { -{0x00,0x00,0x00,0x00}, {0x0e,0x09,0x0d,0x0b}, {0x1c,0x12,0x1a,0x16}, {0x12,0x1b,0x17,0x1d}, -{0x38,0x24,0x34,0x2c}, {0x36,0x2d,0x39,0x27}, {0x24,0x36,0x2e,0x3a}, {0x2a,0x3f,0x23,0x31}, -{0x70,0x48,0x68,0x58}, {0x7e,0x41,0x65,0x53}, {0x6c,0x5a,0x72,0x4e}, {0x62,0x53,0x7f,0x45}, -{0x48,0x6c,0x5c,0x74}, {0x46,0x65,0x51,0x7f}, {0x54,0x7e,0x46,0x62}, {0x5a,0x77,0x4b,0x69}, -{0xe0,0x90,0xd0,0xb0}, {0xee,0x99,0xdd,0xbb}, {0xfc,0x82,0xca,0xa6}, {0xf2,0x8b,0xc7,0xad}, -{0xd8,0xb4,0xe4,0x9c}, {0xd6,0xbd,0xe9,0x97}, {0xc4,0xa6,0xfe,0x8a}, {0xca,0xaf,0xf3,0x81}, -{0x90,0xd8,0xb8,0xe8}, {0x9e,0xd1,0xb5,0xe3}, {0x8c,0xca,0xa2,0xfe}, {0x82,0xc3,0xaf,0xf5}, -{0xa8,0xfc,0x8c,0xc4}, {0xa6,0xf5,0x81,0xcf}, {0xb4,0xee,0x96,0xd2}, {0xba,0xe7,0x9b,0xd9}, -{0xdb,0x3b,0xbb,0x7b}, {0xd5,0x32,0xb6,0x70}, {0xc7,0x29,0xa1,0x6d}, {0xc9,0x20,0xac,0x66}, -{0xe3,0x1f,0x8f,0x57}, {0xed,0x16,0x82,0x5c}, {0xff,0x0d,0x95,0x41}, {0xf1,0x04,0x98,0x4a}, -{0xab,0x73,0xd3,0x23}, {0xa5,0x7a,0xde,0x28}, {0xb7,0x61,0xc9,0x35}, {0xb9,0x68,0xc4,0x3e}, -{0x93,0x57,0xe7,0x0f}, {0x9d,0x5e,0xea,0x04}, {0x8f,0x45,0xfd,0x19}, {0x81,0x4c,0xf0,0x12}, -{0x3b,0xab,0x6b,0xcb}, {0x35,0xa2,0x66,0xc0}, {0x27,0xb9,0x71,0xdd}, {0x29,0xb0,0x7c,0xd6}, -{0x03,0x8f,0x5f,0xe7}, {0x0d,0x86,0x52,0xec}, {0x1f,0x9d,0x45,0xf1}, {0x11,0x94,0x48,0xfa}, -{0x4b,0xe3,0x03,0x93}, {0x45,0xea,0x0e,0x98}, {0x57,0xf1,0x19,0x85}, {0x59,0xf8,0x14,0x8e}, -{0x73,0xc7,0x37,0xbf}, {0x7d,0xce,0x3a,0xb4}, {0x6f,0xd5,0x2d,0xa9}, 
{0x61,0xdc,0x20,0xa2}, -{0xad,0x76,0x6d,0xf6}, {0xa3,0x7f,0x60,0xfd}, {0xb1,0x64,0x77,0xe0}, {0xbf,0x6d,0x7a,0xeb}, -{0x95,0x52,0x59,0xda}, {0x9b,0x5b,0x54,0xd1}, {0x89,0x40,0x43,0xcc}, {0x87,0x49,0x4e,0xc7}, -{0xdd,0x3e,0x05,0xae}, {0xd3,0x37,0x08,0xa5}, {0xc1,0x2c,0x1f,0xb8}, {0xcf,0x25,0x12,0xb3}, -{0xe5,0x1a,0x31,0x82}, {0xeb,0x13,0x3c,0x89}, {0xf9,0x08,0x2b,0x94}, {0xf7,0x01,0x26,0x9f}, -{0x4d,0xe6,0xbd,0x46}, {0x43,0xef,0xb0,0x4d}, {0x51,0xf4,0xa7,0x50}, {0x5f,0xfd,0xaa,0x5b}, -{0x75,0xc2,0x89,0x6a}, {0x7b,0xcb,0x84,0x61}, {0x69,0xd0,0x93,0x7c}, {0x67,0xd9,0x9e,0x77}, -{0x3d,0xae,0xd5,0x1e}, {0x33,0xa7,0xd8,0x15}, {0x21,0xbc,0xcf,0x08}, {0x2f,0xb5,0xc2,0x03}, -{0x05,0x8a,0xe1,0x32}, {0x0b,0x83,0xec,0x39}, {0x19,0x98,0xfb,0x24}, {0x17,0x91,0xf6,0x2f}, -{0x76,0x4d,0xd6,0x8d}, {0x78,0x44,0xdb,0x86}, {0x6a,0x5f,0xcc,0x9b}, {0x64,0x56,0xc1,0x90}, -{0x4e,0x69,0xe2,0xa1}, {0x40,0x60,0xef,0xaa}, {0x52,0x7b,0xf8,0xb7}, {0x5c,0x72,0xf5,0xbc}, -{0x06,0x05,0xbe,0xd5}, {0x08,0x0c,0xb3,0xde}, {0x1a,0x17,0xa4,0xc3}, {0x14,0x1e,0xa9,0xc8}, -{0x3e,0x21,0x8a,0xf9}, {0x30,0x28,0x87,0xf2}, {0x22,0x33,0x90,0xef}, {0x2c,0x3a,0x9d,0xe4}, -{0x96,0xdd,0x06,0x3d}, {0x98,0xd4,0x0b,0x36}, {0x8a,0xcf,0x1c,0x2b}, {0x84,0xc6,0x11,0x20}, -{0xae,0xf9,0x32,0x11}, {0xa0,0xf0,0x3f,0x1a}, {0xb2,0xeb,0x28,0x07}, {0xbc,0xe2,0x25,0x0c}, -{0xe6,0x95,0x6e,0x65}, {0xe8,0x9c,0x63,0x6e}, {0xfa,0x87,0x74,0x73}, {0xf4,0x8e,0x79,0x78}, -{0xde,0xb1,0x5a,0x49}, {0xd0,0xb8,0x57,0x42}, {0xc2,0xa3,0x40,0x5f}, {0xcc,0xaa,0x4d,0x54}, -{0x41,0xec,0xda,0xf7}, {0x4f,0xe5,0xd7,0xfc}, {0x5d,0xfe,0xc0,0xe1}, {0x53,0xf7,0xcd,0xea}, -{0x79,0xc8,0xee,0xdb}, {0x77,0xc1,0xe3,0xd0}, {0x65,0xda,0xf4,0xcd}, {0x6b,0xd3,0xf9,0xc6}, -{0x31,0xa4,0xb2,0xaf}, {0x3f,0xad,0xbf,0xa4}, {0x2d,0xb6,0xa8,0xb9}, {0x23,0xbf,0xa5,0xb2}, -{0x09,0x80,0x86,0x83}, {0x07,0x89,0x8b,0x88}, {0x15,0x92,0x9c,0x95}, {0x1b,0x9b,0x91,0x9e}, -{0xa1,0x7c,0x0a,0x47}, {0xaf,0x75,0x07,0x4c}, {0xbd,0x6e,0x10,0x51}, {0xb3,0x67,0x1d,0x5a}, -{0x99,0x58,0x3e,0x6b}, 
{0x97,0x51,0x33,0x60}, {0x85,0x4a,0x24,0x7d}, {0x8b,0x43,0x29,0x76}, -{0xd1,0x34,0x62,0x1f}, {0xdf,0x3d,0x6f,0x14}, {0xcd,0x26,0x78,0x09}, {0xc3,0x2f,0x75,0x02}, -{0xe9,0x10,0x56,0x33}, {0xe7,0x19,0x5b,0x38}, {0xf5,0x02,0x4c,0x25}, {0xfb,0x0b,0x41,0x2e}, -{0x9a,0xd7,0x61,0x8c}, {0x94,0xde,0x6c,0x87}, {0x86,0xc5,0x7b,0x9a}, {0x88,0xcc,0x76,0x91}, -{0xa2,0xf3,0x55,0xa0}, {0xac,0xfa,0x58,0xab}, {0xbe,0xe1,0x4f,0xb6}, {0xb0,0xe8,0x42,0xbd}, -{0xea,0x9f,0x09,0xd4}, {0xe4,0x96,0x04,0xdf}, {0xf6,0x8d,0x13,0xc2}, {0xf8,0x84,0x1e,0xc9}, -{0xd2,0xbb,0x3d,0xf8}, {0xdc,0xb2,0x30,0xf3}, {0xce,0xa9,0x27,0xee}, {0xc0,0xa0,0x2a,0xe5}, -{0x7a,0x47,0xb1,0x3c}, {0x74,0x4e,0xbc,0x37}, {0x66,0x55,0xab,0x2a}, {0x68,0x5c,0xa6,0x21}, -{0x42,0x63,0x85,0x10}, {0x4c,0x6a,0x88,0x1b}, {0x5e,0x71,0x9f,0x06}, {0x50,0x78,0x92,0x0d}, -{0x0a,0x0f,0xd9,0x64}, {0x04,0x06,0xd4,0x6f}, {0x16,0x1d,0xc3,0x72}, {0x18,0x14,0xce,0x79}, -{0x32,0x2b,0xed,0x48}, {0x3c,0x22,0xe0,0x43}, {0x2e,0x39,0xf7,0x5e}, {0x20,0x30,0xfa,0x55}, -{0xec,0x9a,0xb7,0x01}, {0xe2,0x93,0xba,0x0a}, {0xf0,0x88,0xad,0x17}, {0xfe,0x81,0xa0,0x1c}, -{0xd4,0xbe,0x83,0x2d}, {0xda,0xb7,0x8e,0x26}, {0xc8,0xac,0x99,0x3b}, {0xc6,0xa5,0x94,0x30}, -{0x9c,0xd2,0xdf,0x59}, {0x92,0xdb,0xd2,0x52}, {0x80,0xc0,0xc5,0x4f}, {0x8e,0xc9,0xc8,0x44}, -{0xa4,0xf6,0xeb,0x75}, {0xaa,0xff,0xe6,0x7e}, {0xb8,0xe4,0xf1,0x63}, {0xb6,0xed,0xfc,0x68}, -{0x0c,0x0a,0x67,0xb1}, {0x02,0x03,0x6a,0xba}, {0x10,0x18,0x7d,0xa7}, {0x1e,0x11,0x70,0xac}, -{0x34,0x2e,0x53,0x9d}, {0x3a,0x27,0x5e,0x96}, {0x28,0x3c,0x49,0x8b}, {0x26,0x35,0x44,0x80}, -{0x7c,0x42,0x0f,0xe9}, {0x72,0x4b,0x02,0xe2}, {0x60,0x50,0x15,0xff}, {0x6e,0x59,0x18,0xf4}, -{0x44,0x66,0x3b,0xc5}, {0x4a,0x6f,0x36,0xce}, {0x58,0x74,0x21,0xd3}, {0x56,0x7d,0x2c,0xd8}, -{0x37,0xa1,0x0c,0x7a}, {0x39,0xa8,0x01,0x71}, {0x2b,0xb3,0x16,0x6c}, {0x25,0xba,0x1b,0x67}, -{0x0f,0x85,0x38,0x56}, {0x01,0x8c,0x35,0x5d}, {0x13,0x97,0x22,0x40}, {0x1d,0x9e,0x2f,0x4b}, -{0x47,0xe9,0x64,0x22}, {0x49,0xe0,0x69,0x29}, {0x5b,0xfb,0x7e,0x34}, 
{0x55,0xf2,0x73,0x3f}, -{0x7f,0xcd,0x50,0x0e}, {0x71,0xc4,0x5d,0x05}, {0x63,0xdf,0x4a,0x18}, {0x6d,0xd6,0x47,0x13}, -{0xd7,0x31,0xdc,0xca}, {0xd9,0x38,0xd1,0xc1}, {0xcb,0x23,0xc6,0xdc}, {0xc5,0x2a,0xcb,0xd7}, -{0xef,0x15,0xe8,0xe6}, {0xe1,0x1c,0xe5,0xed}, {0xf3,0x07,0xf2,0xf0}, {0xfd,0x0e,0xff,0xfb}, -{0xa7,0x79,0xb4,0x92}, {0xa9,0x70,0xb9,0x99}, {0xbb,0x6b,0xae,0x84}, {0xb5,0x62,0xa3,0x8f}, -{0x9f,0x5d,0x80,0xbe}, {0x91,0x54,0x8d,0xb5}, {0x83,0x4f,0x9a,0xa8}, {0x8d,0x46,0x97,0xa3} - } -}; -#define U1 xU1.xt8 - -static const union xtab xU2 = { - .xt8 = { -{0x00,0x00,0x00,0x00}, {0x0b,0x0e,0x09,0x0d}, {0x16,0x1c,0x12,0x1a}, {0x1d,0x12,0x1b,0x17}, -{0x2c,0x38,0x24,0x34}, {0x27,0x36,0x2d,0x39}, {0x3a,0x24,0x36,0x2e}, {0x31,0x2a,0x3f,0x23}, -{0x58,0x70,0x48,0x68}, {0x53,0x7e,0x41,0x65}, {0x4e,0x6c,0x5a,0x72}, {0x45,0x62,0x53,0x7f}, -{0x74,0x48,0x6c,0x5c}, {0x7f,0x46,0x65,0x51}, {0x62,0x54,0x7e,0x46}, {0x69,0x5a,0x77,0x4b}, -{0xb0,0xe0,0x90,0xd0}, {0xbb,0xee,0x99,0xdd}, {0xa6,0xfc,0x82,0xca}, {0xad,0xf2,0x8b,0xc7}, -{0x9c,0xd8,0xb4,0xe4}, {0x97,0xd6,0xbd,0xe9}, {0x8a,0xc4,0xa6,0xfe}, {0x81,0xca,0xaf,0xf3}, -{0xe8,0x90,0xd8,0xb8}, {0xe3,0x9e,0xd1,0xb5}, {0xfe,0x8c,0xca,0xa2}, {0xf5,0x82,0xc3,0xaf}, -{0xc4,0xa8,0xfc,0x8c}, {0xcf,0xa6,0xf5,0x81}, {0xd2,0xb4,0xee,0x96}, {0xd9,0xba,0xe7,0x9b}, -{0x7b,0xdb,0x3b,0xbb}, {0x70,0xd5,0x32,0xb6}, {0x6d,0xc7,0x29,0xa1}, {0x66,0xc9,0x20,0xac}, -{0x57,0xe3,0x1f,0x8f}, {0x5c,0xed,0x16,0x82}, {0x41,0xff,0x0d,0x95}, {0x4a,0xf1,0x04,0x98}, -{0x23,0xab,0x73,0xd3}, {0x28,0xa5,0x7a,0xde}, {0x35,0xb7,0x61,0xc9}, {0x3e,0xb9,0x68,0xc4}, -{0x0f,0x93,0x57,0xe7}, {0x04,0x9d,0x5e,0xea}, {0x19,0x8f,0x45,0xfd}, {0x12,0x81,0x4c,0xf0}, -{0xcb,0x3b,0xab,0x6b}, {0xc0,0x35,0xa2,0x66}, {0xdd,0x27,0xb9,0x71}, {0xd6,0x29,0xb0,0x7c}, -{0xe7,0x03,0x8f,0x5f}, {0xec,0x0d,0x86,0x52}, {0xf1,0x1f,0x9d,0x45}, {0xfa,0x11,0x94,0x48}, -{0x93,0x4b,0xe3,0x03}, {0x98,0x45,0xea,0x0e}, {0x85,0x57,0xf1,0x19}, {0x8e,0x59,0xf8,0x14}, -{0xbf,0x73,0xc7,0x37}, 
{0xb4,0x7d,0xce,0x3a}, {0xa9,0x6f,0xd5,0x2d}, {0xa2,0x61,0xdc,0x20}, -{0xf6,0xad,0x76,0x6d}, {0xfd,0xa3,0x7f,0x60}, {0xe0,0xb1,0x64,0x77}, {0xeb,0xbf,0x6d,0x7a}, -{0xda,0x95,0x52,0x59}, {0xd1,0x9b,0x5b,0x54}, {0xcc,0x89,0x40,0x43}, {0xc7,0x87,0x49,0x4e}, -{0xae,0xdd,0x3e,0x05}, {0xa5,0xd3,0x37,0x08}, {0xb8,0xc1,0x2c,0x1f}, {0xb3,0xcf,0x25,0x12}, -{0x82,0xe5,0x1a,0x31}, {0x89,0xeb,0x13,0x3c}, {0x94,0xf9,0x08,0x2b}, {0x9f,0xf7,0x01,0x26}, -{0x46,0x4d,0xe6,0xbd}, {0x4d,0x43,0xef,0xb0}, {0x50,0x51,0xf4,0xa7}, {0x5b,0x5f,0xfd,0xaa}, -{0x6a,0x75,0xc2,0x89}, {0x61,0x7b,0xcb,0x84}, {0x7c,0x69,0xd0,0x93}, {0x77,0x67,0xd9,0x9e}, -{0x1e,0x3d,0xae,0xd5}, {0x15,0x33,0xa7,0xd8}, {0x08,0x21,0xbc,0xcf}, {0x03,0x2f,0xb5,0xc2}, -{0x32,0x05,0x8a,0xe1}, {0x39,0x0b,0x83,0xec}, {0x24,0x19,0x98,0xfb}, {0x2f,0x17,0x91,0xf6}, -{0x8d,0x76,0x4d,0xd6}, {0x86,0x78,0x44,0xdb}, {0x9b,0x6a,0x5f,0xcc}, {0x90,0x64,0x56,0xc1}, -{0xa1,0x4e,0x69,0xe2}, {0xaa,0x40,0x60,0xef}, {0xb7,0x52,0x7b,0xf8}, {0xbc,0x5c,0x72,0xf5}, -{0xd5,0x06,0x05,0xbe}, {0xde,0x08,0x0c,0xb3}, {0xc3,0x1a,0x17,0xa4}, {0xc8,0x14,0x1e,0xa9}, -{0xf9,0x3e,0x21,0x8a}, {0xf2,0x30,0x28,0x87}, {0xef,0x22,0x33,0x90}, {0xe4,0x2c,0x3a,0x9d}, -{0x3d,0x96,0xdd,0x06}, {0x36,0x98,0xd4,0x0b}, {0x2b,0x8a,0xcf,0x1c}, {0x20,0x84,0xc6,0x11}, -{0x11,0xae,0xf9,0x32}, {0x1a,0xa0,0xf0,0x3f}, {0x07,0xb2,0xeb,0x28}, {0x0c,0xbc,0xe2,0x25}, -{0x65,0xe6,0x95,0x6e}, {0x6e,0xe8,0x9c,0x63}, {0x73,0xfa,0x87,0x74}, {0x78,0xf4,0x8e,0x79}, -{0x49,0xde,0xb1,0x5a}, {0x42,0xd0,0xb8,0x57}, {0x5f,0xc2,0xa3,0x40}, {0x54,0xcc,0xaa,0x4d}, -{0xf7,0x41,0xec,0xda}, {0xfc,0x4f,0xe5,0xd7}, {0xe1,0x5d,0xfe,0xc0}, {0xea,0x53,0xf7,0xcd}, -{0xdb,0x79,0xc8,0xee}, {0xd0,0x77,0xc1,0xe3}, {0xcd,0x65,0xda,0xf4}, {0xc6,0x6b,0xd3,0xf9}, -{0xaf,0x31,0xa4,0xb2}, {0xa4,0x3f,0xad,0xbf}, {0xb9,0x2d,0xb6,0xa8}, {0xb2,0x23,0xbf,0xa5}, -{0x83,0x09,0x80,0x86}, {0x88,0x07,0x89,0x8b}, {0x95,0x15,0x92,0x9c}, {0x9e,0x1b,0x9b,0x91}, -{0x47,0xa1,0x7c,0x0a}, {0x4c,0xaf,0x75,0x07}, {0x51,0xbd,0x6e,0x10}, 
{0x5a,0xb3,0x67,0x1d}, -{0x6b,0x99,0x58,0x3e}, {0x60,0x97,0x51,0x33}, {0x7d,0x85,0x4a,0x24}, {0x76,0x8b,0x43,0x29}, -{0x1f,0xd1,0x34,0x62}, {0x14,0xdf,0x3d,0x6f}, {0x09,0xcd,0x26,0x78}, {0x02,0xc3,0x2f,0x75}, -{0x33,0xe9,0x10,0x56}, {0x38,0xe7,0x19,0x5b}, {0x25,0xf5,0x02,0x4c}, {0x2e,0xfb,0x0b,0x41}, -{0x8c,0x9a,0xd7,0x61}, {0x87,0x94,0xde,0x6c}, {0x9a,0x86,0xc5,0x7b}, {0x91,0x88,0xcc,0x76}, -{0xa0,0xa2,0xf3,0x55}, {0xab,0xac,0xfa,0x58}, {0xb6,0xbe,0xe1,0x4f}, {0xbd,0xb0,0xe8,0x42}, -{0xd4,0xea,0x9f,0x09}, {0xdf,0xe4,0x96,0x04}, {0xc2,0xf6,0x8d,0x13}, {0xc9,0xf8,0x84,0x1e}, -{0xf8,0xd2,0xbb,0x3d}, {0xf3,0xdc,0xb2,0x30}, {0xee,0xce,0xa9,0x27}, {0xe5,0xc0,0xa0,0x2a}, -{0x3c,0x7a,0x47,0xb1}, {0x37,0x74,0x4e,0xbc}, {0x2a,0x66,0x55,0xab}, {0x21,0x68,0x5c,0xa6}, -{0x10,0x42,0x63,0x85}, {0x1b,0x4c,0x6a,0x88}, {0x06,0x5e,0x71,0x9f}, {0x0d,0x50,0x78,0x92}, -{0x64,0x0a,0x0f,0xd9}, {0x6f,0x04,0x06,0xd4}, {0x72,0x16,0x1d,0xc3}, {0x79,0x18,0x14,0xce}, -{0x48,0x32,0x2b,0xed}, {0x43,0x3c,0x22,0xe0}, {0x5e,0x2e,0x39,0xf7}, {0x55,0x20,0x30,0xfa}, -{0x01,0xec,0x9a,0xb7}, {0x0a,0xe2,0x93,0xba}, {0x17,0xf0,0x88,0xad}, {0x1c,0xfe,0x81,0xa0}, -{0x2d,0xd4,0xbe,0x83}, {0x26,0xda,0xb7,0x8e}, {0x3b,0xc8,0xac,0x99}, {0x30,0xc6,0xa5,0x94}, -{0x59,0x9c,0xd2,0xdf}, {0x52,0x92,0xdb,0xd2}, {0x4f,0x80,0xc0,0xc5}, {0x44,0x8e,0xc9,0xc8}, -{0x75,0xa4,0xf6,0xeb}, {0x7e,0xaa,0xff,0xe6}, {0x63,0xb8,0xe4,0xf1}, {0x68,0xb6,0xed,0xfc}, -{0xb1,0x0c,0x0a,0x67}, {0xba,0x02,0x03,0x6a}, {0xa7,0x10,0x18,0x7d}, {0xac,0x1e,0x11,0x70}, -{0x9d,0x34,0x2e,0x53}, {0x96,0x3a,0x27,0x5e}, {0x8b,0x28,0x3c,0x49}, {0x80,0x26,0x35,0x44}, -{0xe9,0x7c,0x42,0x0f}, {0xe2,0x72,0x4b,0x02}, {0xff,0x60,0x50,0x15}, {0xf4,0x6e,0x59,0x18}, -{0xc5,0x44,0x66,0x3b}, {0xce,0x4a,0x6f,0x36}, {0xd3,0x58,0x74,0x21}, {0xd8,0x56,0x7d,0x2c}, -{0x7a,0x37,0xa1,0x0c}, {0x71,0x39,0xa8,0x01}, {0x6c,0x2b,0xb3,0x16}, {0x67,0x25,0xba,0x1b}, -{0x56,0x0f,0x85,0x38}, {0x5d,0x01,0x8c,0x35}, {0x40,0x13,0x97,0x22}, {0x4b,0x1d,0x9e,0x2f}, -{0x22,0x47,0xe9,0x64}, 
{0x29,0x49,0xe0,0x69}, {0x34,0x5b,0xfb,0x7e}, {0x3f,0x55,0xf2,0x73}, -{0x0e,0x7f,0xcd,0x50}, {0x05,0x71,0xc4,0x5d}, {0x18,0x63,0xdf,0x4a}, {0x13,0x6d,0xd6,0x47}, -{0xca,0xd7,0x31,0xdc}, {0xc1,0xd9,0x38,0xd1}, {0xdc,0xcb,0x23,0xc6}, {0xd7,0xc5,0x2a,0xcb}, -{0xe6,0xef,0x15,0xe8}, {0xed,0xe1,0x1c,0xe5}, {0xf0,0xf3,0x07,0xf2}, {0xfb,0xfd,0x0e,0xff}, -{0x92,0xa7,0x79,0xb4}, {0x99,0xa9,0x70,0xb9}, {0x84,0xbb,0x6b,0xae}, {0x8f,0xb5,0x62,0xa3}, -{0xbe,0x9f,0x5d,0x80}, {0xb5,0x91,0x54,0x8d}, {0xa8,0x83,0x4f,0x9a}, {0xa3,0x8d,0x46,0x97} - } -}; -#define U2 xU2.xt8 - -static const union xtab xU3 = { - .xt8 = { -{0x00,0x00,0x00,0x00}, {0x0d,0x0b,0x0e,0x09}, {0x1a,0x16,0x1c,0x12}, {0x17,0x1d,0x12,0x1b}, -{0x34,0x2c,0x38,0x24}, {0x39,0x27,0x36,0x2d}, {0x2e,0x3a,0x24,0x36}, {0x23,0x31,0x2a,0x3f}, -{0x68,0x58,0x70,0x48}, {0x65,0x53,0x7e,0x41}, {0x72,0x4e,0x6c,0x5a}, {0x7f,0x45,0x62,0x53}, -{0x5c,0x74,0x48,0x6c}, {0x51,0x7f,0x46,0x65}, {0x46,0x62,0x54,0x7e}, {0x4b,0x69,0x5a,0x77}, -{0xd0,0xb0,0xe0,0x90}, {0xdd,0xbb,0xee,0x99}, {0xca,0xa6,0xfc,0x82}, {0xc7,0xad,0xf2,0x8b}, -{0xe4,0x9c,0xd8,0xb4}, {0xe9,0x97,0xd6,0xbd}, {0xfe,0x8a,0xc4,0xa6}, {0xf3,0x81,0xca,0xaf}, -{0xb8,0xe8,0x90,0xd8}, {0xb5,0xe3,0x9e,0xd1}, {0xa2,0xfe,0x8c,0xca}, {0xaf,0xf5,0x82,0xc3}, -{0x8c,0xc4,0xa8,0xfc}, {0x81,0xcf,0xa6,0xf5}, {0x96,0xd2,0xb4,0xee}, {0x9b,0xd9,0xba,0xe7}, -{0xbb,0x7b,0xdb,0x3b}, {0xb6,0x70,0xd5,0x32}, {0xa1,0x6d,0xc7,0x29}, {0xac,0x66,0xc9,0x20}, -{0x8f,0x57,0xe3,0x1f}, {0x82,0x5c,0xed,0x16}, {0x95,0x41,0xff,0x0d}, {0x98,0x4a,0xf1,0x04}, -{0xd3,0x23,0xab,0x73}, {0xde,0x28,0xa5,0x7a}, {0xc9,0x35,0xb7,0x61}, {0xc4,0x3e,0xb9,0x68}, -{0xe7,0x0f,0x93,0x57}, {0xea,0x04,0x9d,0x5e}, {0xfd,0x19,0x8f,0x45}, {0xf0,0x12,0x81,0x4c}, -{0x6b,0xcb,0x3b,0xab}, {0x66,0xc0,0x35,0xa2}, {0x71,0xdd,0x27,0xb9}, {0x7c,0xd6,0x29,0xb0}, -{0x5f,0xe7,0x03,0x8f}, {0x52,0xec,0x0d,0x86}, {0x45,0xf1,0x1f,0x9d}, {0x48,0xfa,0x11,0x94}, -{0x03,0x93,0x4b,0xe3}, {0x0e,0x98,0x45,0xea}, {0x19,0x85,0x57,0xf1}, 
{0x14,0x8e,0x59,0xf8}, -{0x37,0xbf,0x73,0xc7}, {0x3a,0xb4,0x7d,0xce}, {0x2d,0xa9,0x6f,0xd5}, {0x20,0xa2,0x61,0xdc}, -{0x6d,0xf6,0xad,0x76}, {0x60,0xfd,0xa3,0x7f}, {0x77,0xe0,0xb1,0x64}, {0x7a,0xeb,0xbf,0x6d}, -{0x59,0xda,0x95,0x52}, {0x54,0xd1,0x9b,0x5b}, {0x43,0xcc,0x89,0x40}, {0x4e,0xc7,0x87,0x49}, -{0x05,0xae,0xdd,0x3e}, {0x08,0xa5,0xd3,0x37}, {0x1f,0xb8,0xc1,0x2c}, {0x12,0xb3,0xcf,0x25}, -{0x31,0x82,0xe5,0x1a}, {0x3c,0x89,0xeb,0x13}, {0x2b,0x94,0xf9,0x08}, {0x26,0x9f,0xf7,0x01}, -{0xbd,0x46,0x4d,0xe6}, {0xb0,0x4d,0x43,0xef}, {0xa7,0x50,0x51,0xf4}, {0xaa,0x5b,0x5f,0xfd}, -{0x89,0x6a,0x75,0xc2}, {0x84,0x61,0x7b,0xcb}, {0x93,0x7c,0x69,0xd0}, {0x9e,0x77,0x67,0xd9}, -{0xd5,0x1e,0x3d,0xae}, {0xd8,0x15,0x33,0xa7}, {0xcf,0x08,0x21,0xbc}, {0xc2,0x03,0x2f,0xb5}, -{0xe1,0x32,0x05,0x8a}, {0xec,0x39,0x0b,0x83}, {0xfb,0x24,0x19,0x98}, {0xf6,0x2f,0x17,0x91}, -{0xd6,0x8d,0x76,0x4d}, {0xdb,0x86,0x78,0x44}, {0xcc,0x9b,0x6a,0x5f}, {0xc1,0x90,0x64,0x56}, -{0xe2,0xa1,0x4e,0x69}, {0xef,0xaa,0x40,0x60}, {0xf8,0xb7,0x52,0x7b}, {0xf5,0xbc,0x5c,0x72}, -{0xbe,0xd5,0x06,0x05}, {0xb3,0xde,0x08,0x0c}, {0xa4,0xc3,0x1a,0x17}, {0xa9,0xc8,0x14,0x1e}, -{0x8a,0xf9,0x3e,0x21}, {0x87,0xf2,0x30,0x28}, {0x90,0xef,0x22,0x33}, {0x9d,0xe4,0x2c,0x3a}, -{0x06,0x3d,0x96,0xdd}, {0x0b,0x36,0x98,0xd4}, {0x1c,0x2b,0x8a,0xcf}, {0x11,0x20,0x84,0xc6}, -{0x32,0x11,0xae,0xf9}, {0x3f,0x1a,0xa0,0xf0}, {0x28,0x07,0xb2,0xeb}, {0x25,0x0c,0xbc,0xe2}, -{0x6e,0x65,0xe6,0x95}, {0x63,0x6e,0xe8,0x9c}, {0x74,0x73,0xfa,0x87}, {0x79,0x78,0xf4,0x8e}, -{0x5a,0x49,0xde,0xb1}, {0x57,0x42,0xd0,0xb8}, {0x40,0x5f,0xc2,0xa3}, {0x4d,0x54,0xcc,0xaa}, -{0xda,0xf7,0x41,0xec}, {0xd7,0xfc,0x4f,0xe5}, {0xc0,0xe1,0x5d,0xfe}, {0xcd,0xea,0x53,0xf7}, -{0xee,0xdb,0x79,0xc8}, {0xe3,0xd0,0x77,0xc1}, {0xf4,0xcd,0x65,0xda}, {0xf9,0xc6,0x6b,0xd3}, -{0xb2,0xaf,0x31,0xa4}, {0xbf,0xa4,0x3f,0xad}, {0xa8,0xb9,0x2d,0xb6}, {0xa5,0xb2,0x23,0xbf}, -{0x86,0x83,0x09,0x80}, {0x8b,0x88,0x07,0x89}, {0x9c,0x95,0x15,0x92}, {0x91,0x9e,0x1b,0x9b}, -{0x0a,0x47,0xa1,0x7c}, 
{0x07,0x4c,0xaf,0x75}, {0x10,0x51,0xbd,0x6e}, {0x1d,0x5a,0xb3,0x67}, -{0x3e,0x6b,0x99,0x58}, {0x33,0x60,0x97,0x51}, {0x24,0x7d,0x85,0x4a}, {0x29,0x76,0x8b,0x43}, -{0x62,0x1f,0xd1,0x34}, {0x6f,0x14,0xdf,0x3d}, {0x78,0x09,0xcd,0x26}, {0x75,0x02,0xc3,0x2f}, -{0x56,0x33,0xe9,0x10}, {0x5b,0x38,0xe7,0x19}, {0x4c,0x25,0xf5,0x02}, {0x41,0x2e,0xfb,0x0b}, -{0x61,0x8c,0x9a,0xd7}, {0x6c,0x87,0x94,0xde}, {0x7b,0x9a,0x86,0xc5}, {0x76,0x91,0x88,0xcc}, -{0x55,0xa0,0xa2,0xf3}, {0x58,0xab,0xac,0xfa}, {0x4f,0xb6,0xbe,0xe1}, {0x42,0xbd,0xb0,0xe8}, -{0x09,0xd4,0xea,0x9f}, {0x04,0xdf,0xe4,0x96}, {0x13,0xc2,0xf6,0x8d}, {0x1e,0xc9,0xf8,0x84}, -{0x3d,0xf8,0xd2,0xbb}, {0x30,0xf3,0xdc,0xb2}, {0x27,0xee,0xce,0xa9}, {0x2a,0xe5,0xc0,0xa0}, -{0xb1,0x3c,0x7a,0x47}, {0xbc,0x37,0x74,0x4e}, {0xab,0x2a,0x66,0x55}, {0xa6,0x21,0x68,0x5c}, -{0x85,0x10,0x42,0x63}, {0x88,0x1b,0x4c,0x6a}, {0x9f,0x06,0x5e,0x71}, {0x92,0x0d,0x50,0x78}, -{0xd9,0x64,0x0a,0x0f}, {0xd4,0x6f,0x04,0x06}, {0xc3,0x72,0x16,0x1d}, {0xce,0x79,0x18,0x14}, -{0xed,0x48,0x32,0x2b}, {0xe0,0x43,0x3c,0x22}, {0xf7,0x5e,0x2e,0x39}, {0xfa,0x55,0x20,0x30}, -{0xb7,0x01,0xec,0x9a}, {0xba,0x0a,0xe2,0x93}, {0xad,0x17,0xf0,0x88}, {0xa0,0x1c,0xfe,0x81}, -{0x83,0x2d,0xd4,0xbe}, {0x8e,0x26,0xda,0xb7}, {0x99,0x3b,0xc8,0xac}, {0x94,0x30,0xc6,0xa5}, -{0xdf,0x59,0x9c,0xd2}, {0xd2,0x52,0x92,0xdb}, {0xc5,0x4f,0x80,0xc0}, {0xc8,0x44,0x8e,0xc9}, -{0xeb,0x75,0xa4,0xf6}, {0xe6,0x7e,0xaa,0xff}, {0xf1,0x63,0xb8,0xe4}, {0xfc,0x68,0xb6,0xed}, -{0x67,0xb1,0x0c,0x0a}, {0x6a,0xba,0x02,0x03}, {0x7d,0xa7,0x10,0x18}, {0x70,0xac,0x1e,0x11}, -{0x53,0x9d,0x34,0x2e}, {0x5e,0x96,0x3a,0x27}, {0x49,0x8b,0x28,0x3c}, {0x44,0x80,0x26,0x35}, -{0x0f,0xe9,0x7c,0x42}, {0x02,0xe2,0x72,0x4b}, {0x15,0xff,0x60,0x50}, {0x18,0xf4,0x6e,0x59}, -{0x3b,0xc5,0x44,0x66}, {0x36,0xce,0x4a,0x6f}, {0x21,0xd3,0x58,0x74}, {0x2c,0xd8,0x56,0x7d}, -{0x0c,0x7a,0x37,0xa1}, {0x01,0x71,0x39,0xa8}, {0x16,0x6c,0x2b,0xb3}, {0x1b,0x67,0x25,0xba}, -{0x38,0x56,0x0f,0x85}, {0x35,0x5d,0x01,0x8c}, {0x22,0x40,0x13,0x97}, 
{0x2f,0x4b,0x1d,0x9e}, -{0x64,0x22,0x47,0xe9}, {0x69,0x29,0x49,0xe0}, {0x7e,0x34,0x5b,0xfb}, {0x73,0x3f,0x55,0xf2}, -{0x50,0x0e,0x7f,0xcd}, {0x5d,0x05,0x71,0xc4}, {0x4a,0x18,0x63,0xdf}, {0x47,0x13,0x6d,0xd6}, -{0xdc,0xca,0xd7,0x31}, {0xd1,0xc1,0xd9,0x38}, {0xc6,0xdc,0xcb,0x23}, {0xcb,0xd7,0xc5,0x2a}, -{0xe8,0xe6,0xef,0x15}, {0xe5,0xed,0xe1,0x1c}, {0xf2,0xf0,0xf3,0x07}, {0xff,0xfb,0xfd,0x0e}, -{0xb4,0x92,0xa7,0x79}, {0xb9,0x99,0xa9,0x70}, {0xae,0x84,0xbb,0x6b}, {0xa3,0x8f,0xb5,0x62}, -{0x80,0xbe,0x9f,0x5d}, {0x8d,0xb5,0x91,0x54}, {0x9a,0xa8,0x83,0x4f}, {0x97,0xa3,0x8d,0x46} - } -}; -#define U3 xU3.xt8 - -static const union xtab xU4 = { - .xt8 = { -{0x00,0x00,0x00,0x00}, {0x09,0x0d,0x0b,0x0e}, {0x12,0x1a,0x16,0x1c}, {0x1b,0x17,0x1d,0x12}, -{0x24,0x34,0x2c,0x38}, {0x2d,0x39,0x27,0x36}, {0x36,0x2e,0x3a,0x24}, {0x3f,0x23,0x31,0x2a}, -{0x48,0x68,0x58,0x70}, {0x41,0x65,0x53,0x7e}, {0x5a,0x72,0x4e,0x6c}, {0x53,0x7f,0x45,0x62}, -{0x6c,0x5c,0x74,0x48}, {0x65,0x51,0x7f,0x46}, {0x7e,0x46,0x62,0x54}, {0x77,0x4b,0x69,0x5a}, -{0x90,0xd0,0xb0,0xe0}, {0x99,0xdd,0xbb,0xee}, {0x82,0xca,0xa6,0xfc}, {0x8b,0xc7,0xad,0xf2}, -{0xb4,0xe4,0x9c,0xd8}, {0xbd,0xe9,0x97,0xd6}, {0xa6,0xfe,0x8a,0xc4}, {0xaf,0xf3,0x81,0xca}, -{0xd8,0xb8,0xe8,0x90}, {0xd1,0xb5,0xe3,0x9e}, {0xca,0xa2,0xfe,0x8c}, {0xc3,0xaf,0xf5,0x82}, -{0xfc,0x8c,0xc4,0xa8}, {0xf5,0x81,0xcf,0xa6}, {0xee,0x96,0xd2,0xb4}, {0xe7,0x9b,0xd9,0xba}, -{0x3b,0xbb,0x7b,0xdb}, {0x32,0xb6,0x70,0xd5}, {0x29,0xa1,0x6d,0xc7}, {0x20,0xac,0x66,0xc9}, -{0x1f,0x8f,0x57,0xe3}, {0x16,0x82,0x5c,0xed}, {0x0d,0x95,0x41,0xff}, {0x04,0x98,0x4a,0xf1}, -{0x73,0xd3,0x23,0xab}, {0x7a,0xde,0x28,0xa5}, {0x61,0xc9,0x35,0xb7}, {0x68,0xc4,0x3e,0xb9}, -{0x57,0xe7,0x0f,0x93}, {0x5e,0xea,0x04,0x9d}, {0x45,0xfd,0x19,0x8f}, {0x4c,0xf0,0x12,0x81}, -{0xab,0x6b,0xcb,0x3b}, {0xa2,0x66,0xc0,0x35}, {0xb9,0x71,0xdd,0x27}, {0xb0,0x7c,0xd6,0x29}, -{0x8f,0x5f,0xe7,0x03}, {0x86,0x52,0xec,0x0d}, {0x9d,0x45,0xf1,0x1f}, {0x94,0x48,0xfa,0x11}, -{0xe3,0x03,0x93,0x4b}, 
{0xea,0x0e,0x98,0x45}, {0xf1,0x19,0x85,0x57}, {0xf8,0x14,0x8e,0x59}, -{0xc7,0x37,0xbf,0x73}, {0xce,0x3a,0xb4,0x7d}, {0xd5,0x2d,0xa9,0x6f}, {0xdc,0x20,0xa2,0x61}, -{0x76,0x6d,0xf6,0xad}, {0x7f,0x60,0xfd,0xa3}, {0x64,0x77,0xe0,0xb1}, {0x6d,0x7a,0xeb,0xbf}, -{0x52,0x59,0xda,0x95}, {0x5b,0x54,0xd1,0x9b}, {0x40,0x43,0xcc,0x89}, {0x49,0x4e,0xc7,0x87}, -{0x3e,0x05,0xae,0xdd}, {0x37,0x08,0xa5,0xd3}, {0x2c,0x1f,0xb8,0xc1}, {0x25,0x12,0xb3,0xcf}, -{0x1a,0x31,0x82,0xe5}, {0x13,0x3c,0x89,0xeb}, {0x08,0x2b,0x94,0xf9}, {0x01,0x26,0x9f,0xf7}, -{0xe6,0xbd,0x46,0x4d}, {0xef,0xb0,0x4d,0x43}, {0xf4,0xa7,0x50,0x51}, {0xfd,0xaa,0x5b,0x5f}, -{0xc2,0x89,0x6a,0x75}, {0xcb,0x84,0x61,0x7b}, {0xd0,0x93,0x7c,0x69}, {0xd9,0x9e,0x77,0x67}, -{0xae,0xd5,0x1e,0x3d}, {0xa7,0xd8,0x15,0x33}, {0xbc,0xcf,0x08,0x21}, {0xb5,0xc2,0x03,0x2f}, -{0x8a,0xe1,0x32,0x05}, {0x83,0xec,0x39,0x0b}, {0x98,0xfb,0x24,0x19}, {0x91,0xf6,0x2f,0x17}, -{0x4d,0xd6,0x8d,0x76}, {0x44,0xdb,0x86,0x78}, {0x5f,0xcc,0x9b,0x6a}, {0x56,0xc1,0x90,0x64}, -{0x69,0xe2,0xa1,0x4e}, {0x60,0xef,0xaa,0x40}, {0x7b,0xf8,0xb7,0x52}, {0x72,0xf5,0xbc,0x5c}, -{0x05,0xbe,0xd5,0x06}, {0x0c,0xb3,0xde,0x08}, {0x17,0xa4,0xc3,0x1a}, {0x1e,0xa9,0xc8,0x14}, -{0x21,0x8a,0xf9,0x3e}, {0x28,0x87,0xf2,0x30}, {0x33,0x90,0xef,0x22}, {0x3a,0x9d,0xe4,0x2c}, -{0xdd,0x06,0x3d,0x96}, {0xd4,0x0b,0x36,0x98}, {0xcf,0x1c,0x2b,0x8a}, {0xc6,0x11,0x20,0x84}, -{0xf9,0x32,0x11,0xae}, {0xf0,0x3f,0x1a,0xa0}, {0xeb,0x28,0x07,0xb2}, {0xe2,0x25,0x0c,0xbc}, -{0x95,0x6e,0x65,0xe6}, {0x9c,0x63,0x6e,0xe8}, {0x87,0x74,0x73,0xfa}, {0x8e,0x79,0x78,0xf4}, -{0xb1,0x5a,0x49,0xde}, {0xb8,0x57,0x42,0xd0}, {0xa3,0x40,0x5f,0xc2}, {0xaa,0x4d,0x54,0xcc}, -{0xec,0xda,0xf7,0x41}, {0xe5,0xd7,0xfc,0x4f}, {0xfe,0xc0,0xe1,0x5d}, {0xf7,0xcd,0xea,0x53}, -{0xc8,0xee,0xdb,0x79}, {0xc1,0xe3,0xd0,0x77}, {0xda,0xf4,0xcd,0x65}, {0xd3,0xf9,0xc6,0x6b}, -{0xa4,0xb2,0xaf,0x31}, {0xad,0xbf,0xa4,0x3f}, {0xb6,0xa8,0xb9,0x2d}, {0xbf,0xa5,0xb2,0x23}, -{0x80,0x86,0x83,0x09}, {0x89,0x8b,0x88,0x07}, {0x92,0x9c,0x95,0x15}, 
{0x9b,0x91,0x9e,0x1b}, -{0x7c,0x0a,0x47,0xa1}, {0x75,0x07,0x4c,0xaf}, {0x6e,0x10,0x51,0xbd}, {0x67,0x1d,0x5a,0xb3}, -{0x58,0x3e,0x6b,0x99}, {0x51,0x33,0x60,0x97}, {0x4a,0x24,0x7d,0x85}, {0x43,0x29,0x76,0x8b}, -{0x34,0x62,0x1f,0xd1}, {0x3d,0x6f,0x14,0xdf}, {0x26,0x78,0x09,0xcd}, {0x2f,0x75,0x02,0xc3}, -{0x10,0x56,0x33,0xe9}, {0x19,0x5b,0x38,0xe7}, {0x02,0x4c,0x25,0xf5}, {0x0b,0x41,0x2e,0xfb}, -{0xd7,0x61,0x8c,0x9a}, {0xde,0x6c,0x87,0x94}, {0xc5,0x7b,0x9a,0x86}, {0xcc,0x76,0x91,0x88}, -{0xf3,0x55,0xa0,0xa2}, {0xfa,0x58,0xab,0xac}, {0xe1,0x4f,0xb6,0xbe}, {0xe8,0x42,0xbd,0xb0}, -{0x9f,0x09,0xd4,0xea}, {0x96,0x04,0xdf,0xe4}, {0x8d,0x13,0xc2,0xf6}, {0x84,0x1e,0xc9,0xf8}, -{0xbb,0x3d,0xf8,0xd2}, {0xb2,0x30,0xf3,0xdc}, {0xa9,0x27,0xee,0xce}, {0xa0,0x2a,0xe5,0xc0}, -{0x47,0xb1,0x3c,0x7a}, {0x4e,0xbc,0x37,0x74}, {0x55,0xab,0x2a,0x66}, {0x5c,0xa6,0x21,0x68}, -{0x63,0x85,0x10,0x42}, {0x6a,0x88,0x1b,0x4c}, {0x71,0x9f,0x06,0x5e}, {0x78,0x92,0x0d,0x50}, -{0x0f,0xd9,0x64,0x0a}, {0x06,0xd4,0x6f,0x04}, {0x1d,0xc3,0x72,0x16}, {0x14,0xce,0x79,0x18}, -{0x2b,0xed,0x48,0x32}, {0x22,0xe0,0x43,0x3c}, {0x39,0xf7,0x5e,0x2e}, {0x30,0xfa,0x55,0x20}, -{0x9a,0xb7,0x01,0xec}, {0x93,0xba,0x0a,0xe2}, {0x88,0xad,0x17,0xf0}, {0x81,0xa0,0x1c,0xfe}, -{0xbe,0x83,0x2d,0xd4}, {0xb7,0x8e,0x26,0xda}, {0xac,0x99,0x3b,0xc8}, {0xa5,0x94,0x30,0xc6}, -{0xd2,0xdf,0x59,0x9c}, {0xdb,0xd2,0x52,0x92}, {0xc0,0xc5,0x4f,0x80}, {0xc9,0xc8,0x44,0x8e}, -{0xf6,0xeb,0x75,0xa4}, {0xff,0xe6,0x7e,0xaa}, {0xe4,0xf1,0x63,0xb8}, {0xed,0xfc,0x68,0xb6}, -{0x0a,0x67,0xb1,0x0c}, {0x03,0x6a,0xba,0x02}, {0x18,0x7d,0xa7,0x10}, {0x11,0x70,0xac,0x1e}, -{0x2e,0x53,0x9d,0x34}, {0x27,0x5e,0x96,0x3a}, {0x3c,0x49,0x8b,0x28}, {0x35,0x44,0x80,0x26}, -{0x42,0x0f,0xe9,0x7c}, {0x4b,0x02,0xe2,0x72}, {0x50,0x15,0xff,0x60}, {0x59,0x18,0xf4,0x6e}, -{0x66,0x3b,0xc5,0x44}, {0x6f,0x36,0xce,0x4a}, {0x74,0x21,0xd3,0x58}, {0x7d,0x2c,0xd8,0x56}, -{0xa1,0x0c,0x7a,0x37}, {0xa8,0x01,0x71,0x39}, {0xb3,0x16,0x6c,0x2b}, {0xba,0x1b,0x67,0x25}, -{0x85,0x38,0x56,0x0f}, 
{0x8c,0x35,0x5d,0x01}, {0x97,0x22,0x40,0x13}, {0x9e,0x2f,0x4b,0x1d}, -{0xe9,0x64,0x22,0x47}, {0xe0,0x69,0x29,0x49}, {0xfb,0x7e,0x34,0x5b}, {0xf2,0x73,0x3f,0x55}, -{0xcd,0x50,0x0e,0x7f}, {0xc4,0x5d,0x05,0x71}, {0xdf,0x4a,0x18,0x63}, {0xd6,0x47,0x13,0x6d}, -{0x31,0xdc,0xca,0xd7}, {0x38,0xd1,0xc1,0xd9}, {0x23,0xc6,0xdc,0xcb}, {0x2a,0xcb,0xd7,0xc5}, -{0x15,0xe8,0xe6,0xef}, {0x1c,0xe5,0xed,0xe1}, {0x07,0xf2,0xf0,0xf3}, {0x0e,0xff,0xfb,0xfd}, -{0x79,0xb4,0x92,0xa7}, {0x70,0xb9,0x99,0xa9}, {0x6b,0xae,0x84,0xbb}, {0x62,0xa3,0x8f,0xb5}, -{0x5d,0x80,0xbe,0x9f}, {0x54,0x8d,0xb5,0x91}, {0x4f,0x9a,0xa8,0x83}, {0x46,0x97,0xa3,0x8d} - } -}; -#define U4 xU4.xt8 - -static const word32 rcon[30] = { - 0x01,0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91 -}; diff --git a/kame/kame/racoon/missing/crypto/rijndael/rijndael-alg-fst.c b/kame/kame/racoon/missing/crypto/rijndael/rijndael-alg-fst.c deleted file mode 100644 index fc74edf94b..0000000000 --- a/kame/kame/racoon/missing/crypto/rijndael/rijndael-alg-fst.c +++ /dev/null 
@@ -1,492 +0,0 @@
-/* $KAME: rijndael-alg-fst.c,v 1.1 2001/08/08 09:56:23 sakane Exp $ */
-
-/*
- * rijndael-alg-fst.c v2.3 April '2000
- *
- * Optimised ANSI C code
- *
- * authors: v1.0: Antoon Bosselaers
- * v2.0: Vincent Rijmen
- * v2.3: Paulo Barreto
- *
- * This code is placed in the public domain.
- */
-
-#include
-#include
-#ifdef _KERNEL
-#include
-#else
-#include
-#endif
-#include
-#include
-
-#include
-
-#include
-#define bcopy(a, b, c) memcpy((b), (a), (c))
-#define bzero(a, b) memset((a), 0, (b))
-#define panic(a) err(1, (a))
-
-int rijndaelKeySched(word8 k[MAXKC][4], word8 W[MAXROUNDS+1][4][4], int ROUNDS) {
- /* Calculate the necessary round keys
- * The number of calculations depends on keyBits and blockBits
- */
- int j, r, t, rconpointer = 0;
- union {
- word8 x8[MAXKC][4];
- word32 x32[MAXKC];
- } xtk;
-#define tk xtk.x8
- int KC = ROUNDS - 6;
-
- for (j = KC-1; j >= 0; j--) {
- *((word32*)tk[j]) = *((word32*)k[j]);
- }
- r = 0;
- t = 0;
- /* copy values into round key array */
- for (j = 0; (j < KC) && (r < ROUNDS + 1); ) {
- for (; (j < KC) && (t < 4); j++, t++) {
- *((word32*)W[r][t]) = *((word32*)tk[j]);
- }
- if (t == 4) {
- r++;
- t = 0;
- }
- }
-
- while (r < ROUNDS + 1) { /* while not enough round key material calculated */
- /* calculate new values */
- tk[0][0] ^= S[tk[KC-1][1]];
- tk[0][1] ^= S[tk[KC-1][2]];
- tk[0][2] ^= S[tk[KC-1][3]];
- tk[0][3] ^= S[tk[KC-1][0]];
- tk[0][0] ^= rcon[rconpointer++];
-
- if (KC != 8) {
- for (j = 1; j < KC; j++) {
- *((word32*)tk[j]) ^= *((word32*)tk[j-1]);
- }
- } else {
- for (j = 1; j < KC/2; j++) {
- *((word32*)tk[j]) ^= *((word32*)tk[j-1]);
- }
- tk[KC/2][0] ^= S[tk[KC/2 - 1][0]];
- tk[KC/2][1] ^= S[tk[KC/2 - 1][1]];
- tk[KC/2][2] ^= S[tk[KC/2 - 1][2]];
- tk[KC/2][3] ^= S[tk[KC/2 - 1][3]];
- for (j = KC/2 + 1; j < KC; j++) {
- *((word32*)tk[j]) ^= *((word32*)tk[j-1]);
- }
- }
- /* copy values into round key array */
- for (j = 0; (j < KC) && (r < ROUNDS + 1); ) {
- for (; (j < KC) && (t < 4); 
j++, t++) { - *((word32*)W[r][t]) = *((word32*)tk[j]); - } - if (t == 4) { - r++; - t = 0; - } - } - } - return 0; -#undef tk -} - -int rijndaelKeyEncToDec(word8 W[MAXROUNDS+1][4][4], int ROUNDS) { - int r; - word8 *w; - - for (r = 1; r < ROUNDS; r++) { - w = W[r][0]; - *((word32*)w) = - *((const word32*)U1[w[0]]) - ^ *((const word32*)U2[w[1]]) - ^ *((const word32*)U3[w[2]]) - ^ *((const word32*)U4[w[3]]); - - w = W[r][1]; - *((word32*)w) = - *((const word32*)U1[w[0]]) - ^ *((const word32*)U2[w[1]]) - ^ *((const word32*)U3[w[2]]) - ^ *((const word32*)U4[w[3]]); - - w = W[r][2]; - *((word32*)w) = - *((const word32*)U1[w[0]]) - ^ *((const word32*)U2[w[1]]) - ^ *((const word32*)U3[w[2]]) - ^ *((const word32*)U4[w[3]]); - - w = W[r][3]; - *((word32*)w) = - *((const word32*)U1[w[0]]) - ^ *((const word32*)U2[w[1]]) - ^ *((const word32*)U3[w[2]]) - ^ *((const word32*)U4[w[3]]); - } - return 0; -} - -/** - * Encrypt a single block. - */ -int rijndaelEncrypt(word8 in[16], word8 out[16], word8 rk[MAXROUNDS+1][4][4], int ROUNDS) { - int r; - union { - word8 x8[16]; - word32 x32[4]; - } xa, xb; -#define a xa.x8 -#define b xb.x8 - union { - word8 x8[4][4]; - word32 x32[4]; - } xtemp; -#define temp xtemp.x8 - - memcpy(a, in, sizeof a); - - *((word32*)temp[0]) = *((word32*)(a )) ^ *((word32*)rk[0][0]); - *((word32*)temp[1]) = *((word32*)(a+ 4)) ^ *((word32*)rk[0][1]); - *((word32*)temp[2]) = *((word32*)(a+ 8)) ^ *((word32*)rk[0][2]); - *((word32*)temp[3]) = *((word32*)(a+12)) ^ *((word32*)rk[0][3]); - *((word32*)(b )) = *((const word32*)T1[temp[0][0]]) - ^ *((const word32*)T2[temp[1][1]]) - ^ *((const word32*)T3[temp[2][2]]) - ^ *((const word32*)T4[temp[3][3]]); - *((word32*)(b + 4)) = *((const word32*)T1[temp[1][0]]) - ^ *((const word32*)T2[temp[2][1]]) - ^ *((const word32*)T3[temp[3][2]]) - ^ *((const word32*)T4[temp[0][3]]); - *((word32*)(b + 8)) = *((const word32*)T1[temp[2][0]]) - ^ *((const word32*)T2[temp[3][1]]) - ^ *((const word32*)T3[temp[0][2]]) - ^ *((const 
word32*)T4[temp[1][3]]); - *((word32*)(b +12)) = *((const word32*)T1[temp[3][0]]) - ^ *((const word32*)T2[temp[0][1]]) - ^ *((const word32*)T3[temp[1][2]]) - ^ *((const word32*)T4[temp[2][3]]); - for (r = 1; r < ROUNDS-1; r++) { - *((word32*)temp[0]) = *((word32*)(b )) ^ *((word32*)rk[r][0]); - *((word32*)temp[1]) = *((word32*)(b+ 4)) ^ *((word32*)rk[r][1]); - *((word32*)temp[2]) = *((word32*)(b+ 8)) ^ *((word32*)rk[r][2]); - *((word32*)temp[3]) = *((word32*)(b+12)) ^ *((word32*)rk[r][3]); - - *((word32*)(b )) = *((const word32*)T1[temp[0][0]]) - ^ *((const word32*)T2[temp[1][1]]) - ^ *((const word32*)T3[temp[2][2]]) - ^ *((const word32*)T4[temp[3][3]]); - *((word32*)(b + 4)) = *((const word32*)T1[temp[1][0]]) - ^ *((const word32*)T2[temp[2][1]]) - ^ *((const word32*)T3[temp[3][2]]) - ^ *((const word32*)T4[temp[0][3]]); - *((word32*)(b + 8)) = *((const word32*)T1[temp[2][0]]) - ^ *((const word32*)T2[temp[3][1]]) - ^ *((const word32*)T3[temp[0][2]]) - ^ *((const word32*)T4[temp[1][3]]); - *((word32*)(b +12)) = *((const word32*)T1[temp[3][0]]) - ^ *((const word32*)T2[temp[0][1]]) - ^ *((const word32*)T3[temp[1][2]]) - ^ *((const word32*)T4[temp[2][3]]); - } - /* last round is special */ - *((word32*)temp[0]) = *((word32*)(b )) ^ *((word32*)rk[ROUNDS-1][0]); - *((word32*)temp[1]) = *((word32*)(b+ 4)) ^ *((word32*)rk[ROUNDS-1][1]); - *((word32*)temp[2]) = *((word32*)(b+ 8)) ^ *((word32*)rk[ROUNDS-1][2]); - *((word32*)temp[3]) = *((word32*)(b+12)) ^ *((word32*)rk[ROUNDS-1][3]); - b[ 0] = T1[temp[0][0]][1]; - b[ 1] = T1[temp[1][1]][1]; - b[ 2] = T1[temp[2][2]][1]; - b[ 3] = T1[temp[3][3]][1]; - b[ 4] = T1[temp[1][0]][1]; - b[ 5] = T1[temp[2][1]][1]; - b[ 6] = T1[temp[3][2]][1]; - b[ 7] = T1[temp[0][3]][1]; - b[ 8] = T1[temp[2][0]][1]; - b[ 9] = T1[temp[3][1]][1]; - b[10] = T1[temp[0][2]][1]; - b[11] = T1[temp[1][3]][1]; - b[12] = T1[temp[3][0]][1]; - b[13] = T1[temp[0][1]][1]; - b[14] = T1[temp[1][2]][1]; - b[15] = T1[temp[2][3]][1]; - *((word32*)(b )) ^= 
*((word32*)rk[ROUNDS][0]); - *((word32*)(b+ 4)) ^= *((word32*)rk[ROUNDS][1]); - *((word32*)(b+ 8)) ^= *((word32*)rk[ROUNDS][2]); - *((word32*)(b+12)) ^= *((word32*)rk[ROUNDS][3]); - - memcpy(out, b, sizeof b /* XXX out */); - - return 0; -#undef a -#undef b -#undef temp -} - -#ifdef INTERMEDIATE_VALUE_KAT -/** - * Encrypt only a certain number of rounds. - * Only used in the Intermediate Value Known Answer Test. - */ -int rijndaelEncryptRound(word8 a[4][4], word8 rk[MAXROUNDS+1][4][4], int ROUNDS, int rounds) { - int r; - word8 temp[4][4]; - - /* make number of rounds sane */ - if (rounds > ROUNDS) { - rounds = ROUNDS; - } - - *((word32*)a[0]) = *((word32*)a[0]) ^ *((word32*)rk[0][0]); - *((word32*)a[1]) = *((word32*)a[1]) ^ *((word32*)rk[0][1]); - *((word32*)a[2]) = *((word32*)a[2]) ^ *((word32*)rk[0][2]); - *((word32*)a[3]) = *((word32*)a[3]) ^ *((word32*)rk[0][3]); - - for (r = 1; (r <= rounds) && (r < ROUNDS); r++) { - *((word32*)temp[0]) = *((const word32*)T1[a[0][0]]) - ^ *((const word32*)T2[a[1][1]]) - ^ *((const word32*)T3[a[2][2]]) - ^ *((const word32*)T4[a[3][3]]); - *((word32*)temp[1]) = *((const word32*)T1[a[1][0]]) - ^ *((const word32*)T2[a[2][1]]) - ^ *((const word32*)T3[a[3][2]]) - ^ *((const word32*)T4[a[0][3]]); - *((word32*)temp[2]) = *((const word32*)T1[a[2][0]]) - ^ *((const word32*)T2[a[3][1]]) - ^ *((const word32*)T3[a[0][2]]) - ^ *((const word32*)T4[a[1][3]]); - *((word32*)temp[3]) = *((const word32*)T1[a[3][0]]) - ^ *((const word32*)T2[a[0][1]]) - ^ *((const word32*)T3[a[1][2]]) - ^ *((const word32*)T4[a[2][3]]); - *((word32*)a[0]) = *((word32*)temp[0]) ^ *((word32*)rk[r][0]); - *((word32*)a[1]) = *((word32*)temp[1]) ^ *((word32*)rk[r][1]); - *((word32*)a[2]) = *((word32*)temp[2]) ^ *((word32*)rk[r][2]); - *((word32*)a[3]) = *((word32*)temp[3]) ^ *((word32*)rk[r][3]); - } - if (rounds == ROUNDS) { - /* last round is special */ - temp[0][0] = T1[a[0][0]][1]; - temp[0][1] = T1[a[1][1]][1]; - temp[0][2] = T1[a[2][2]][1]; - temp[0][3] = 
T1[a[3][3]][1]; - temp[1][0] = T1[a[1][0]][1]; - temp[1][1] = T1[a[2][1]][1]; - temp[1][2] = T1[a[3][2]][1]; - temp[1][3] = T1[a[0][3]][1]; - temp[2][0] = T1[a[2][0]][1]; - temp[2][1] = T1[a[3][1]][1]; - temp[2][2] = T1[a[0][2]][1]; - temp[2][3] = T1[a[1][3]][1]; - temp[3][0] = T1[a[3][0]][1]; - temp[3][1] = T1[a[0][1]][1]; - temp[3][2] = T1[a[1][2]][1]; - temp[3][3] = T1[a[2][3]][1]; - *((word32*)a[0]) = *((word32*)temp[0]) ^ *((word32*)rk[ROUNDS][0]); - *((word32*)a[1]) = *((word32*)temp[1]) ^ *((word32*)rk[ROUNDS][1]); - *((word32*)a[2]) = *((word32*)temp[2]) ^ *((word32*)rk[ROUNDS][2]); - *((word32*)a[3]) = *((word32*)temp[3]) ^ *((word32*)rk[ROUNDS][3]); - } - - return 0; -} -#endif /* INTERMEDIATE_VALUE_KAT */ - -/** - * Decrypt a single block. - */ -int rijndaelDecrypt(word8 in[16], word8 out[16], word8 rk[MAXROUNDS+1][4][4], int ROUNDS) { - int r; - union { - word8 x8[16]; - word32 x32[4]; - } xa, xb; -#define a xa.x8 -#define b xb.x8 - union { - word8 x8[4][4]; - word32 x32[4]; - } xtemp; -#define temp xtemp.x8 - - memcpy(a, in, sizeof a); - - *((word32*)temp[0]) = *((word32*)(a )) ^ *((word32*)rk[ROUNDS][0]); - *((word32*)temp[1]) = *((word32*)(a+ 4)) ^ *((word32*)rk[ROUNDS][1]); - *((word32*)temp[2]) = *((word32*)(a+ 8)) ^ *((word32*)rk[ROUNDS][2]); - *((word32*)temp[3]) = *((word32*)(a+12)) ^ *((word32*)rk[ROUNDS][3]); - - *((word32*)(b )) = *((const word32*)T5[temp[0][0]]) - ^ *((const word32*)T6[temp[3][1]]) - ^ *((const word32*)T7[temp[2][2]]) - ^ *((const word32*)T8[temp[1][3]]); - *((word32*)(b+ 4)) = *((const word32*)T5[temp[1][0]]) - ^ *((const word32*)T6[temp[0][1]]) - ^ *((const word32*)T7[temp[3][2]]) - ^ *((const word32*)T8[temp[2][3]]); - *((word32*)(b+ 8)) = *((const word32*)T5[temp[2][0]]) - ^ *((const word32*)T6[temp[1][1]]) - ^ *((const word32*)T7[temp[0][2]]) - ^ *((const word32*)T8[temp[3][3]]); - *((word32*)(b+12)) = *((const word32*)T5[temp[3][0]]) - ^ *((const word32*)T6[temp[2][1]]) - ^ *((const word32*)T7[temp[1][2]]) - ^ *((const 
word32*)T8[temp[0][3]]); - for (r = ROUNDS-1; r > 1; r--) { - *((word32*)temp[0]) = *((word32*)(b )) ^ *((word32*)rk[r][0]); - *((word32*)temp[1]) = *((word32*)(b+ 4)) ^ *((word32*)rk[r][1]); - *((word32*)temp[2]) = *((word32*)(b+ 8)) ^ *((word32*)rk[r][2]); - *((word32*)temp[3]) = *((word32*)(b+12)) ^ *((word32*)rk[r][3]); - *((word32*)(b )) = *((const word32*)T5[temp[0][0]]) - ^ *((const word32*)T6[temp[3][1]]) - ^ *((const word32*)T7[temp[2][2]]) - ^ *((const word32*)T8[temp[1][3]]); - *((word32*)(b+ 4)) = *((const word32*)T5[temp[1][0]]) - ^ *((const word32*)T6[temp[0][1]]) - ^ *((const word32*)T7[temp[3][2]]) - ^ *((const word32*)T8[temp[2][3]]); - *((word32*)(b+ 8)) = *((const word32*)T5[temp[2][0]]) - ^ *((const word32*)T6[temp[1][1]]) - ^ *((const word32*)T7[temp[0][2]]) - ^ *((const word32*)T8[temp[3][3]]); - *((word32*)(b+12)) = *((const word32*)T5[temp[3][0]]) - ^ *((const word32*)T6[temp[2][1]]) - ^ *((const word32*)T7[temp[1][2]]) - ^ *((const word32*)T8[temp[0][3]]); - } - /* last round is special */ - *((word32*)temp[0]) = *((word32*)(b )) ^ *((word32*)rk[1][0]); - *((word32*)temp[1]) = *((word32*)(b+ 4)) ^ *((word32*)rk[1][1]); - *((word32*)temp[2]) = *((word32*)(b+ 8)) ^ *((word32*)rk[1][2]); - *((word32*)temp[3]) = *((word32*)(b+12)) ^ *((word32*)rk[1][3]); - b[ 0] = S5[temp[0][0]]; - b[ 1] = S5[temp[3][1]]; - b[ 2] = S5[temp[2][2]]; - b[ 3] = S5[temp[1][3]]; - b[ 4] = S5[temp[1][0]]; - b[ 5] = S5[temp[0][1]]; - b[ 6] = S5[temp[3][2]]; - b[ 7] = S5[temp[2][3]]; - b[ 8] = S5[temp[2][0]]; - b[ 9] = S5[temp[1][1]]; - b[10] = S5[temp[0][2]]; - b[11] = S5[temp[3][3]]; - b[12] = S5[temp[3][0]]; - b[13] = S5[temp[2][1]]; - b[14] = S5[temp[1][2]]; - b[15] = S5[temp[0][3]]; - *((word32*)(b )) ^= *((word32*)rk[0][0]); - *((word32*)(b+ 4)) ^= *((word32*)rk[0][1]); - *((word32*)(b+ 8)) ^= *((word32*)rk[0][2]); - *((word32*)(b+12)) ^= *((word32*)rk[0][3]); - - memcpy(out, b, sizeof b /* XXX out */); - - return 0; -#undef a -#undef b -#undef temp -} - - -#ifdef 
INTERMEDIATE_VALUE_KAT -/** - * Decrypt only a certain number of rounds. - * Only used in the Intermediate Value Known Answer Test. - * Operations rearranged such that the intermediate values - * of decryption correspond with the intermediate values - * of encryption. - */ -int rijndaelDecryptRound(word8 a[4][4], word8 rk[MAXROUNDS+1][4][4], int ROUNDS, int rounds) { - int r, i; - word8 temp[4], shift; - - /* make number of rounds sane */ - if (rounds > ROUNDS) { - rounds = ROUNDS; - } - /* first round is special: */ - *(word32 *)a[0] ^= *(word32 *)rk[ROUNDS][0]; - *(word32 *)a[1] ^= *(word32 *)rk[ROUNDS][1]; - *(word32 *)a[2] ^= *(word32 *)rk[ROUNDS][2]; - *(word32 *)a[3] ^= *(word32 *)rk[ROUNDS][3]; - for (i = 0; i < 4; i++) { - a[i][0] = Si[a[i][0]]; - a[i][1] = Si[a[i][1]]; - a[i][2] = Si[a[i][2]]; - a[i][3] = Si[a[i][3]]; - } - for (i = 1; i < 4; i++) { - shift = (4 - i) & 3; - temp[0] = a[(0 + shift) & 3][i]; - temp[1] = a[(1 + shift) & 3][i]; - temp[2] = a[(2 + shift) & 3][i]; - temp[3] = a[(3 + shift) & 3][i]; - a[0][i] = temp[0]; - a[1][i] = temp[1]; - a[2][i] = temp[2]; - a[3][i] = temp[3]; - } - /* ROUNDS-1 ordinary rounds */ - for (r = ROUNDS-1; r > rounds; r--) { - *(word32 *)a[0] ^= *(word32 *)rk[r][0]; - *(word32 *)a[1] ^= *(word32 *)rk[r][1]; - *(word32 *)a[2] ^= *(word32 *)rk[r][2]; - *(word32 *)a[3] ^= *(word32 *)rk[r][3]; - - *((word32*)a[0]) = - *((const word32*)U1[a[0][0]]) - ^ *((const word32*)U2[a[0][1]]) - ^ *((const word32*)U3[a[0][2]]) - ^ *((const word32*)U4[a[0][3]]); - - *((word32*)a[1]) = - *((const word32*)U1[a[1][0]]) - ^ *((const word32*)U2[a[1][1]]) - ^ *((const word32*)U3[a[1][2]]) - ^ *((const word32*)U4[a[1][3]]); - - *((word32*)a[2]) = - *((const word32*)U1[a[2][0]]) - ^ *((const word32*)U2[a[2][1]]) - ^ *((const word32*)U3[a[2][2]]) - ^ *((const word32*)U4[a[2][3]]); - - *((word32*)a[3]) = - *((const word32*)U1[a[3][0]]) - ^ *((const word32*)U2[a[3][1]]) - ^ *((const word32*)U3[a[3][2]]) - ^ *((const word32*)U4[a[3][3]]); - 
for (i = 0; i < 4; i++) { - a[i][0] = Si[a[i][0]]; - a[i][1] = Si[a[i][1]]; - a[i][2] = Si[a[i][2]]; - a[i][3] = Si[a[i][3]]; - } - for (i = 1; i < 4; i++) { - shift = (4 - i) & 3; - temp[0] = a[(0 + shift) & 3][i]; - temp[1] = a[(1 + shift) & 3][i]; - temp[2] = a[(2 + shift) & 3][i]; - temp[3] = a[(3 + shift) & 3][i]; - a[0][i] = temp[0]; - a[1][i] = temp[1]; - a[2][i] = temp[2]; - a[3][i] = temp[3]; - } - } - if (rounds == 0) { - /* End with the extra key addition */ - *(word32 *)a[0] ^= *(word32 *)rk[0][0]; - *(word32 *)a[1] ^= *(word32 *)rk[0][1]; - *(word32 *)a[2] ^= *(word32 *)rk[0][2]; - *(word32 *)a[3] ^= *(word32 *)rk[0][3]; - } - return 0; -} -#endif /* INTERMEDIATE_VALUE_KAT */ diff --git a/kame/kame/racoon/missing/crypto/rijndael/rijndael-alg-fst.h b/kame/kame/racoon/missing/crypto/rijndael/rijndael-alg-fst.h deleted file mode 100644 index 267b92c7be..0000000000 --- a/kame/kame/racoon/missing/crypto/rijndael/rijndael-alg-fst.h +++ /dev/null 
@@ -1,33 +0,0 @@
-/* $KAME: rijndael-alg-fst.h,v 1.1 2001/08/08 09:56:23 sakane Exp $ */
-
-/*
- * rijndael-alg-fst.h v2.3 April '2000
- *
- * Optimised ANSI C code
- *
- * #define INTERMEDIATE_VALUE_KAT to generate the Intermediate Value Known Answer Test.
- */
-
-#ifndef __RIJNDAEL_ALG_FST_H
-#define __RIJNDAEL_ALG_FST_H
-
-#define RIJNDAEL_MAXKC (256/32)
-#define RIJNDAEL_MAXROUNDS 14
-
-int rijndaelKeySched(u_int8_t k[RIJNDAEL_MAXKC][4], u_int8_t rk[RIJNDAEL_MAXROUNDS+1][4][4], int ROUNDS);
-
-int rijndaelKeyEncToDec(u_int8_t W[RIJNDAEL_MAXROUNDS+1][4][4], int ROUNDS);
-
-int rijndaelEncrypt(u_int8_t a[16], u_int8_t b[16], u_int8_t rk[RIJNDAEL_MAXROUNDS+1][4][4], int ROUNDS);
-
-#ifdef INTERMEDIATE_VALUE_KAT
-int rijndaelEncryptRound(u_int8_t a[4][4], u_int8_t rk[RIJNDAEL_MAXROUNDS+1][4][4], int ROUNDS, int rounds);
-#endif /* INTERMEDIATE_VALUE_KAT */
-
-int rijndaelDecrypt(u_int8_t a[16], u_int8_t b[16], u_int8_t rk[RIJNDAEL_MAXROUNDS+1][4][4], int ROUNDS);
-
-#ifdef INTERMEDIATE_VALUE_KAT
-int rijndaelDecryptRound(u_int8_t a[4][4], u_int8_t rk[RIJNDAEL_MAXROUNDS+1][4][4], int ROUNDS, int rounds);
-#endif /* INTERMEDIATE_VALUE_KAT */
-
-#endif /* __RIJNDAEL_ALG_FST_H */
diff --git a/kame/kame/racoon/missing/crypto/rijndael/rijndael-api-fst.c b/kame/kame/racoon/missing/crypto/rijndael/rijndael-api-fst.c
deleted file mode 100644
index 2d9481a30e..0000000000
--- a/kame/kame/racoon/missing/crypto/rijndael/rijndael-api-fst.c
+++ /dev/null
@@ -1,490 +0,0 @@
-/* $KAME: rijndael-api-fst.c,v 1.8 2002/11/18 23:32:54 itojun Exp $ */
-
-/*
- * rijndael-api-fst.c v2.3 April '2000
- *
- * Optimised ANSI C code
- *
- * authors: v1.0: Antoon Bosselaers
- * v2.0: Vincent Rijmen
- * v2.1: Vincent Rijmen
- * v2.2: Vincent Rijmen
- * v2.3: Paulo Barreto
- * v2.4: Vincent Rijmen
- *
- * This code is placed in the public domain.
- */
-
-#include
-#include
-#ifdef _KERNEL
-#include
-#include
-#else
-#include
-#endif
-#include
-#include
-#include
-
-#include
-#define bcopy(a, b, c) memcpy(b, a, c)
-#define bzero(a, b) memset(a, 0, b)
-#define panic(a) err(1, (a))
-
-int rijndael_makeKey(keyInstance *key, BYTE direction, int keyLen, char *keyMaterial) {
- word8 k[MAXKC][4];
- int i;
- char *keyMat;
-
- if (key == NULL) {
- return BAD_KEY_INSTANCE;
- }
-
- if ((direction == DIR_ENCRYPT) || (direction == DIR_DECRYPT)) {
- key->direction = direction;
- } else {
- return BAD_KEY_DIR;
- }
-
- if ((keyLen == 128) || (keyLen == 192) || (keyLen == 256)) {
- key->keyLen = keyLen;
- } else {
- return BAD_KEY_MAT;
- }
-
- if (keyMaterial != NULL) {
- bcopy(keyMaterial, key->keyMaterial, keyLen/8);
- }
-
- key->ROUNDS = keyLen/32 + 6;
-
- /* initialize key schedule: */
- keyMat = key->keyMaterial;
- for (i = 0; i < key->keyLen/8; i++) {
- k[i >> 2][i & 3] = (word8)keyMat[i];
- }
- rijndaelKeySched(k, key->keySched, key->ROUNDS);
- if (direction == DIR_DECRYPT) {
- rijndaelKeyEncToDec(key->keySched, key->ROUNDS);
- }
-
- return TRUE;
-}
-
-int rijndael_cipherInit(cipherInstance *cipher, BYTE mode, char *IV) {
- if ((mode == MODE_ECB) || (mode == MODE_CBC) || (mode == MODE_CFB1)) {
- cipher->mode = mode;
- } else {
- return BAD_CIPHER_MODE;
- }
- if (IV != NULL) {
- bcopy(IV, cipher->IV, MAX_IV_SIZE);
- } else {
- bzero(cipher->IV, MAX_IV_SIZE);
- }
- return TRUE;
-}
-
-int rijndael_blockEncrypt(cipherInstance *cipher, keyInstance *key,
- BYTE *input, int inputLen, BYTE *outBuffer) {
- int i, k, numBlocks;
- word8 block[16], 
iv[4][4]; - - if (cipher == NULL || - key == NULL || - key->direction == DIR_DECRYPT) { - return BAD_CIPHER_STATE; - } - if (input == NULL || inputLen <= 0) { - return 0; /* nothing to do */ - } - - numBlocks = inputLen/128; - - switch (cipher->mode) { - case MODE_ECB: - for (i = numBlocks; i > 0; i--) { - rijndaelEncrypt(input, outBuffer, key->keySched, key->ROUNDS); - input += 16; - outBuffer += 16; - } - break; - - case MODE_CBC: -#if 1 /*STRICT_ALIGN*/ - bcopy(cipher->IV, block, 16); - bcopy(input, iv, 16); - ((word32*)block)[0] ^= ((word32*)iv)[0]; - ((word32*)block)[1] ^= ((word32*)iv)[1]; - ((word32*)block)[2] ^= ((word32*)iv)[2]; - ((word32*)block)[3] ^= ((word32*)iv)[3]; -#else - ((word32*)block)[0] = ((word32*)cipher->IV)[0] ^ ((word32*)input)[0]; - ((word32*)block)[1] = ((word32*)cipher->IV)[1] ^ ((word32*)input)[1]; - ((word32*)block)[2] = ((word32*)cipher->IV)[2] ^ ((word32*)input)[2]; - ((word32*)block)[3] = ((word32*)cipher->IV)[3] ^ ((word32*)input)[3]; -#endif - rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS); - input += 16; - for (i = numBlocks - 1; i > 0; i--) { -#if 1 /*STRICT_ALIGN*/ - bcopy(outBuffer, block, 16); - bcopy(input, iv, 16); - ((word32*)block)[0] ^= ((word32*)iv)[0]; - ((word32*)block)[1] ^= ((word32*)iv)[1]; - ((word32*)block)[2] ^= ((word32*)iv)[2]; - ((word32*)block)[3] ^= ((word32*)iv)[3]; -#else - ((word32*)block)[0] = ((word32*)outBuffer)[0] ^ ((word32*)input)[0]; - ((word32*)block)[1] = ((word32*)outBuffer)[1] ^ ((word32*)input)[1]; - ((word32*)block)[2] = ((word32*)outBuffer)[2] ^ ((word32*)input)[2]; - ((word32*)block)[3] = ((word32*)outBuffer)[3] ^ ((word32*)input)[3]; -#endif - outBuffer += 16; - rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS); - input += 16; - } - break; - - case MODE_CFB1: -#if 1 /*STRICT_ALIGN*/ - bcopy(cipher->IV, iv, 16); -#else /* !STRICT_ALIGN */ - *((word32*)iv[0]) = *((word32*)(cipher->IV )); - *((word32*)iv[1]) = *((word32*)(cipher->IV+ 4)); - *((word32*)iv[2]) = 
*((word32*)(cipher->IV+ 8));
- *((word32*)iv[3]) = *((word32*)(cipher->IV+12));
-#endif /* ?STRICT_ALIGN */
- for (i = numBlocks; i > 0; i--) {
- for (k = 0; k < 128; k++) {
- *((word32*) block ) = *((word32*)iv[0]);
- *((word32*)(block+ 4)) = *((word32*)iv[1]);
- *((word32*)(block+ 8)) = *((word32*)iv[2]);
- *((word32*)(block+12)) = *((word32*)iv[3]);
- rijndaelEncrypt(block, block, key->keySched, key->ROUNDS);
- outBuffer[k/8] ^= (block[0] & 0x80) >> (k & 7);
- iv[0][0] = (iv[0][0] << 1) | (iv[0][1] >> 7);
- iv[0][1] = (iv[0][1] << 1) | (iv[0][2] >> 7);
- iv[0][2] = (iv[0][2] << 1) | (iv[0][3] >> 7);
- iv[0][3] = (iv[0][3] << 1) | (iv[1][0] >> 7);
- iv[1][0] = (iv[1][0] << 1) | (iv[1][1] >> 7);
- iv[1][1] = (iv[1][1] << 1) | (iv[1][2] >> 7);
- iv[1][2] = (iv[1][2] << 1) | (iv[1][3] >> 7);
- iv[1][3] = (iv[1][3] << 1) | (iv[2][0] >> 7);
- iv[2][0] = (iv[2][0] << 1) | (iv[2][1] >> 7);
- iv[2][1] = (iv[2][1] << 1) | (iv[2][2] >> 7);
- iv[2][2] = (iv[2][2] << 1) | (iv[2][3] >> 7);
- iv[2][3] = (iv[2][3] << 1) | (iv[3][0] >> 7);
- iv[3][0] = (iv[3][0] << 1) | (iv[3][1] >> 7);
- iv[3][1] = (iv[3][1] << 1) | (iv[3][2] >> 7);
- iv[3][2] = (iv[3][2] << 1) | (iv[3][3] >> 7);
- iv[3][3] = (iv[3][3] << 1) | ((outBuffer[k/8] >> (7-(k&7))) & 1);
- }
- }
- break;
-
- default:
- return BAD_CIPHER_STATE;
- }
-
- return 128*numBlocks;
-}
-
-/**
- * Encrypt data partitioned in octets, using RFC 2040-like padding.
- *
- * @param input data to be encrypted (octet sequence)
- * @param inputOctets input length in octets (not bits)
- * @param outBuffer encrypted output data
- *
- * @return length in octets (not bits) of the encrypted output buffer. 
- */ -int rijndael_padEncrypt(cipherInstance *cipher, keyInstance *key, - BYTE *input, int inputOctets, BYTE *outBuffer) { - int i, numBlocks, padLen; - word8 block[16], *iv, *cp; - - if (cipher == NULL || - key == NULL || - key->direction == DIR_DECRYPT) { - return BAD_CIPHER_STATE; - } - if (input == NULL || inputOctets <= 0) { - return 0; /* nothing to do */ - } - - numBlocks = inputOctets/16; - - switch (cipher->mode) { - case MODE_ECB: - for (i = numBlocks; i > 0; i--) { - rijndaelEncrypt(input, outBuffer, key->keySched, key->ROUNDS); - input += 16; - outBuffer += 16; - } - padLen = 16 - (inputOctets - 16*numBlocks); - if (padLen <= 0 || padLen > 16) - panic("rijndael_padEncrypt(ECB)"); - bcopy(input, block, 16 - padLen); - for (cp = block + 16 - padLen; cp < block + 16; cp++) - *cp = padLen; - rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS); - break; - - case MODE_CBC: - iv = cipher->IV; - for (i = numBlocks; i > 0; i--) { - ((word32*)block)[0] = ((word32*)input)[0] ^ ((word32*)iv)[0]; - ((word32*)block)[1] = ((word32*)input)[1] ^ ((word32*)iv)[1]; - ((word32*)block)[2] = ((word32*)input)[2] ^ ((word32*)iv)[2]; - ((word32*)block)[3] = ((word32*)input)[3] ^ ((word32*)iv)[3]; - rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS); - iv = outBuffer; - input += 16; - outBuffer += 16; - } - padLen = 16 - (inputOctets - 16*numBlocks); - if (padLen <= 0 || padLen > 16) - panic("rijndael_padEncrypt(CBC)"); - for (i = 0; i < 16 - padLen; i++) { - block[i] = input[i] ^ iv[i]; - } - for (i = 16 - padLen; i < 16; i++) { - block[i] = (BYTE)padLen ^ iv[i]; - } - rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS); - break; - - default: - return BAD_CIPHER_STATE; - } - - return 16*(numBlocks + 1); -} - -int rijndael_blockDecrypt(cipherInstance *cipher, keyInstance *key, - BYTE *input, int inputLen, BYTE *outBuffer) { - int i, k, numBlocks; - word8 block[16], iv[4][4]; - - if (cipher == NULL || - key == NULL || - (cipher->mode != MODE_CFB1 && 
key->direction == DIR_ENCRYPT)) { - return BAD_CIPHER_STATE; - } - if (input == NULL || inputLen <= 0) { - return 0; /* nothing to do */ - } - - numBlocks = inputLen/128; - - switch (cipher->mode) { - case MODE_ECB: - for (i = numBlocks; i > 0; i--) { - rijndaelDecrypt(input, outBuffer, key->keySched, key->ROUNDS); - input += 16; - outBuffer += 16; - } - break; - - case MODE_CBC: -#if 1 /*STRICT_ALIGN */ - bcopy(cipher->IV, iv, 16); -#else - *((word32*)iv[0]) = *((word32*)(cipher->IV )); - *((word32*)iv[1]) = *((word32*)(cipher->IV+ 4)); - *((word32*)iv[2]) = *((word32*)(cipher->IV+ 8)); - *((word32*)iv[3]) = *((word32*)(cipher->IV+12)); -#endif - for (i = numBlocks; i > 0; i--) { - rijndaelDecrypt(input, block, key->keySched, key->ROUNDS); - ((word32*)block)[0] ^= *((word32*)iv[0]); - ((word32*)block)[1] ^= *((word32*)iv[1]); - ((word32*)block)[2] ^= *((word32*)iv[2]); - ((word32*)block)[3] ^= *((word32*)iv[3]); -#if 1 /*STRICT_ALIGN*/ - bcopy(input, iv, 16); - bcopy(block, outBuffer, 16); -#else - *((word32*)iv[0]) = ((word32*)input)[0]; ((word32*)outBuffer)[0] = ((word32*)block)[0]; - *((word32*)iv[1]) = ((word32*)input)[1]; ((word32*)outBuffer)[1] = ((word32*)block)[1]; - *((word32*)iv[2]) = ((word32*)input)[2]; ((word32*)outBuffer)[2] = ((word32*)block)[2]; - *((word32*)iv[3]) = ((word32*)input)[3]; ((word32*)outBuffer)[3] = ((word32*)block)[3]; -#endif - input += 16; - outBuffer += 16; - } - break; - - case MODE_CFB1: -#if 1 /*STRICT_ALIGN */ - bcopy(cipher->IV, iv, 16); -#else - *((word32*)iv[0]) = *((word32*)(cipher->IV)); - *((word32*)iv[1]) = *((word32*)(cipher->IV+ 4)); - *((word32*)iv[2]) = *((word32*)(cipher->IV+ 8)); - *((word32*)iv[3]) = *((word32*)(cipher->IV+12)); -#endif - for (i = numBlocks; i > 0; i--) { - for (k = 0; k < 128; k++) { - *((word32*) block ) = *((word32*)iv[0]); - *((word32*)(block+ 4)) = *((word32*)iv[1]); - *((word32*)(block+ 8)) = *((word32*)iv[2]); - *((word32*)(block+12)) = *((word32*)iv[3]); - rijndaelEncrypt(block, block, 
key->keySched, key->ROUNDS); - iv[0][0] = (iv[0][0] << 1) | (iv[0][1] >> 7); - iv[0][1] = (iv[0][1] << 1) | (iv[0][2] >> 7); - iv[0][2] = (iv[0][2] << 1) | (iv[0][3] >> 7); - iv[0][3] = (iv[0][3] << 1) | (iv[1][0] >> 7); - iv[1][0] = (iv[1][0] << 1) | (iv[1][1] >> 7); - iv[1][1] = (iv[1][1] << 1) | (iv[1][2] >> 7); - iv[1][2] = (iv[1][2] << 1) | (iv[1][3] >> 7); - iv[1][3] = (iv[1][3] << 1) | (iv[2][0] >> 7); - iv[2][0] = (iv[2][0] << 1) | (iv[2][1] >> 7); - iv[2][1] = (iv[2][1] << 1) | (iv[2][2] >> 7); - iv[2][2] = (iv[2][2] << 1) | (iv[2][3] >> 7); - iv[2][3] = (iv[2][3] << 1) | (iv[3][0] >> 7); - iv[3][0] = (iv[3][0] << 1) | (iv[3][1] >> 7); - iv[3][1] = (iv[3][1] << 1) | (iv[3][2] >> 7); - iv[3][2] = (iv[3][2] << 1) | (iv[3][3] >> 7); - iv[3][3] = (iv[3][3] << 1) | ((input[k/8] >> (7-(k&7))) & 1); - outBuffer[k/8] ^= (block[0] & 0x80) >> (k & 7); - } - } - break; - - default: - return BAD_CIPHER_STATE; - } - - return 128*numBlocks; -} - -int rijndael_padDecrypt(cipherInstance *cipher, keyInstance *key, - BYTE *input, int inputOctets, BYTE *outBuffer) { - int i, numBlocks, padLen; - word8 block[16]; - word32 iv[4]; - - if (cipher == NULL || - key == NULL || - key->direction == DIR_ENCRYPT) { - return BAD_CIPHER_STATE; - } - if (input == NULL || inputOctets <= 0) { - return 0; /* nothing to do */ - } - if (inputOctets % 16 != 0) { - return BAD_DATA; - } - - numBlocks = inputOctets/16; - - switch (cipher->mode) { - case MODE_ECB: - /* all blocks but last */ - for (i = numBlocks - 1; i > 0; i--) { - rijndaelDecrypt(input, outBuffer, key->keySched, key->ROUNDS); - input += 16; - outBuffer += 16; - } - /* last block */ - rijndaelDecrypt(input, block, key->keySched, key->ROUNDS); - padLen = block[15]; - if (padLen >= 16) { - return BAD_DATA; - } - for (i = 16 - padLen; i < 16; i++) { - if (block[i] != padLen) { - return BAD_DATA; - } - } - bcopy(block, outBuffer, 16 - padLen); - break; - - case MODE_CBC: - bcopy(cipher->IV, iv, 16); - /* all blocks but last */ - for 
(i = numBlocks - 1; i > 0; i--) { - rijndaelDecrypt(input, block, key->keySched, key->ROUNDS); - ((word32*)block)[0] ^= iv[0]; - ((word32*)block)[1] ^= iv[1]; - ((word32*)block)[2] ^= iv[2]; - ((word32*)block)[3] ^= iv[3]; - bcopy(input, iv, 16); - bcopy(block, outBuffer, 16); - input += 16; - outBuffer += 16; - } - /* last block */ - rijndaelDecrypt(input, block, key->keySched, key->ROUNDS); - ((word32*)block)[0] ^= iv[0]; - ((word32*)block)[1] ^= iv[1]; - ((word32*)block)[2] ^= iv[2]; - ((word32*)block)[3] ^= iv[3]; - padLen = block[15]; - if (padLen <= 0 || padLen > 16) { - return BAD_DATA; - } - for (i = 16 - padLen; i < 16; i++) { - if (block[i] != padLen) { - return BAD_DATA; - } - } - bcopy(block, outBuffer, 16 - padLen); - break; - - default: - return BAD_CIPHER_STATE; - } - - return 16*numBlocks - padLen; -} - -#ifdef INTERMEDIATE_VALUE_KAT -/** - * cipherUpdateRounds: - * - * Encrypts/Decrypts exactly one full block a specified number of rounds. - * Only used in the Intermediate Value Known Answer Test. - * - * Returns: - * TRUE - on success - * BAD_CIPHER_STATE - cipher in bad state (e.g., not initialized) - */ -int rijndael_cipherUpdateRounds(cipherInstance *cipher, keyInstance *key, - BYTE *input, int inputLen, BYTE *outBuffer, int rounds) { - int j; - word8 block[4][4]; - - if (cipher == NULL || key == NULL) { - return BAD_CIPHER_STATE; - } - - for (j = 3; j >= 0; j--) { - /* parse input stream into rectangular array */ - *((word32*)block[j]) = *((word32*)(input+4*j)); - } - - switch (key->direction) { - case DIR_ENCRYPT: - rijndaelEncryptRound(block, key->keySched, key->ROUNDS, rounds); - break; - - case DIR_DECRYPT: - rijndaelDecryptRound(block, key->keySched, key->ROUNDS, rounds); - break; - - default: - return BAD_KEY_DIR; - } - - for (j = 3; j >= 0; j--) { - /* parse rectangular array into output ciphertext bytes */ - *((word32*)(outBuffer+4*j)) = *((word32*)block[j]); - } - - return TRUE; -} -#endif /* INTERMEDIATE_VALUE_KAT */ 
diff --git a/kame/kame/racoon/missing/crypto/rijndael/rijndael-api-fst.h b/kame/kame/racoon/missing/crypto/rijndael/rijndael-api-fst.h
deleted file mode 100644
index a820a994a1..0000000000
--- a/kame/kame/racoon/missing/crypto/rijndael/rijndael-api-fst.h
+++ /dev/null
@@ -1,103 +0,0 @@ -/* $KAME: rijndael-api-fst.h,v 1.1 2001/08/08 09:56:27 sakane Exp $ */ - -/* - * rijndael-api-fst.h v2.3 April '2000 - * - * Optimised ANSI C code - * - * #define INTERMEDIATE_VALUE_KAT to generate the Intermediate Value Known Answer Test. - */ - -#ifndef __RIJNDAEL_API_FST_H -#define __RIJNDAEL_API_FST_H - -#include - -/* Defines: - Add any additional defines you need -*/ - -#define DIR_ENCRYPT 0 /* Are we encrpyting? */ -#define DIR_DECRYPT 1 /* Are we decrpyting? */ -#define MODE_ECB 1 /* Are we ciphering in ECB mode? */ -#define MODE_CBC 2 /* Are we ciphering in CBC mode? */ -#define MODE_CFB1 3 /* Are we ciphering in 1-bit CFB mode? */ -#define TRUE 1 -#define FALSE 0 -#define BITSPERBLOCK 128 /* Default number of bits in a cipher block */ - -/* Error Codes - CHANGE POSSIBLE: inclusion of additional error codes */ -#define BAD_KEY_DIR -1 /* Key direction is invalid, e.g., unknown value */ -#define BAD_KEY_MAT -2 /* Key material not of correct length */ -#define BAD_KEY_INSTANCE -3 /* Key passed is not valid */ -#define BAD_CIPHER_MODE -4 /* Params struct passed to cipherInit invalid */ -#define BAD_CIPHER_STATE -5 /* Cipher in wrong state (e.g., not initialized) */ -#define BAD_BLOCK_LENGTH -6 -#define BAD_CIPHER_INSTANCE -7 -#define BAD_DATA -8 /* Data contents are invalid, e.g., invalid padding */ -#define BAD_OTHER -9 /* Unknown error */ - -/* CHANGE POSSIBLE: inclusion of algorithm specific defines */ -#define MAX_KEY_SIZE 64 /* # of ASCII char's needed to represent a key */ -#define MAX_IV_SIZE 16 /* # bytes needed to represent an IV */ - -/* Typedefs: - - Typedef'ed data storage elements. Add any algorithm specific -parameters at the bottom of the structs as appropriate. -*/ - -/* The structure for key information */ -typedef struct { - u_int8_t direction; /* Key used for encrypting or decrypting? 
*/ - int keyLen; /* Length of the key */ - char keyMaterial[MAX_KEY_SIZE+1]; /* Raw key data in ASCII, e.g., user input or KAT values */ - /* The following parameters are algorithm dependent, replace or add as necessary */ - int ROUNDS; /* key-length-dependent number of rounds */ - int blockLen; /* block length */ - union { - u_int8_t xkS8[RIJNDAEL_MAXROUNDS+1][4][4]; /* key schedule */ - u_int32_t xkS32[RIJNDAEL_MAXROUNDS+1][4]; /* key schedule */ - } xKeySched; -#define keySched xKeySched.xkS8 -} keyInstance; - -/* The structure for cipher information */ -typedef struct { /* changed order of the components */ - u_int8_t mode; /* MODE_ECB, MODE_CBC, or MODE_CFB1 */ - u_int8_t IV[MAX_IV_SIZE]; /* A possible Initialization Vector for ciphering */ - /* Add any algorithm specific parameters needed here */ - int blockLen; /* Sample: Handles non-128 bit block sizes (if available) */ -} cipherInstance; - -/* Function prototypes */ -/* CHANGED: nothing - TODO: implement the following extensions to setup 192-bit and 256-bit block lengths: - makeKeyEx(): parameter blockLen added - -- this parameter is absolutely necessary if you want to - setup the round keys in a variable block length setting - cipherInitEx(): parameter blockLen added (for obvious reasons) - */ - -int rijndael_makeKey(keyInstance *key, u_int8_t direction, int keyLen, char *keyMaterial); - -int rijndael_cipherInit(cipherInstance *cipher, u_int8_t mode, char *IV); - -int rijndael_blockEncrypt(cipherInstance *cipher, keyInstance *key, - u_int8_t *input, int inputLen, u_int8_t *outBuffer); - -int rijndael_padEncrypt(cipherInstance *cipher, keyInstance *key, - u_int8_t *input, int inputOctets, u_int8_t *outBuffer); - -int rijndael_blockDecrypt(cipherInstance *cipher, keyInstance *key, - u_int8_t *input, int inputLen, u_int8_t *outBuffer); - -int rijndael_padDecrypt(cipherInstance *cipher, keyInstance *key, - u_int8_t *input, int inputOctets, u_int8_t *outBuffer); - -#ifdef INTERMEDIATE_VALUE_KAT -int 
rijndael_cipherUpdateRounds(cipherInstance *cipher, keyInstance *key,
- u_int8_t *input, int inputLen, u_int8_t *outBuffer, int Rounds);
-#endif /* INTERMEDIATE_VALUE_KAT */
-
-#endif /* __RIJNDAEL_API_FST_H */
diff --git a/kame/kame/racoon/missing/crypto/rijndael/rijndael.h b/kame/kame/racoon/missing/crypto/rijndael/rijndael.h
deleted file mode 100644
index dcbfb81c86..0000000000
--- a/kame/kame/racoon/missing/crypto/rijndael/rijndael.h
+++ /dev/null
@@ -1,3 +0,0 @@
-/* $KAME: rijndael.h,v 1.1 2001/08/08 09:56:27 sakane Exp $ */
-
-#include
diff --git a/kame/kame/racoon/missing/crypto/rijndael/rijndael_local.h b/kame/kame/racoon/missing/crypto/rijndael/rijndael_local.h
deleted file mode 100644
index 92db79b7bd..0000000000
--- a/kame/kame/racoon/missing/crypto/rijndael/rijndael_local.h
+++ /dev/null
@@ -1,10 +0,0 @@
-/* $KAME: rijndael_local.h,v 1.1 2001/08/08 09:56:27 sakane Exp $ */
-
-/* the file should not be used from outside */
-typedef u_int8_t BYTE;
-typedef u_int8_t word8;
-typedef u_int16_t word16;
-typedef u_int32_t word32;
-
-#define MAXKC RIJNDAEL_MAXKC
-#define MAXROUNDS RIJNDAEL_MAXROUNDS
diff --git a/kame/kame/racoon/missing/crypto/sha2/sha2.c b/kame/kame/racoon/missing/crypto/sha2/sha2.c
deleted file mode 100644
index c8ada8e231..0000000000
--- a/kame/kame/racoon/missing/crypto/sha2/sha2.c
+++ /dev/null
@@ -1,1102 +0,0 @@
-/* $KAME: sha2.c,v 1.6 2003/09/04 00:12:12 itojun Exp $ */
-
-/*
- * sha2.c
- *
- * Version 1.0.0beta1
- *
- * Written by Aaron D. Gifford
- *
- * Copyright 2000 Aaron D. Gifford. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the copyright holder nor the names of contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * - */ - - -#include -#include -#include -#include -#include - -#include -#include -#define bcopy(a, b, c) memcpy((b), (a), (c)) -#define bzero(a, b) memset((a), 0, (b)) -#define panic(a) err(1, (a)) - -/* - * ASSERT NOTE: - * Some sanity checking code is included using assert(). On my FreeBSD - * system, this additional code can be removed by compiling with NDEBUG - * defined. Check your own systems manpage on assert() to see how to - * compile WITHOUT the sanity checking code on your system. - * - * UNROLLED TRANSFORM LOOP NOTE: - * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform - * loop version for the hash transform rounds (defined using macros - * later in this file). Either define on the command line, for example: - * - * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c - * - * or define below: - * - * #define SHA2_UNROLL_TRANSFORM - * - */ - -#define assert(x) - - -/*** SHA-256/384/512 Machine Architecture Definitions *****************/ -/* - * BYTE_ORDER NOTE: - * - * Please make sure that your system defines BYTE_ORDER. If your - * architecture is little-endian, make sure it also defines - * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are - * equivilent. - * - * If your system does not define the above, then you can do so by - * hand like this: - * - * #define LITTLE_ENDIAN 1234 - * #define BIG_ENDIAN 4321 - * - * And for little-endian machines, add: - * - * #define BYTE_ORDER LITTLE_ENDIAN - * - * Or for big-endian machines: - * - * #define BYTE_ORDER BIG_ENDIAN - * - * The FreeBSD machine this was written on defines BYTE_ORDER - * appropriately by including (which in turn includes - * where the appropriate definitions are actually - * made). 
- */ -#if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN) -#error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN -#endif - -/* - * Define the followingsha2_* types to types of the correct length on - * the native archtecture. Most BSD systems and Linux define u_intXX_t - * types. Machines with very recent ANSI C headers, can use the - * uintXX_t definintions from inttypes.h by defining SHA2_USE_INTTYPES_H - * during compile or in the sha.h header file. - * - * Machines that support neither u_intXX_t nor inttypes.h's uintXX_t - * will need to define these three typedefs below (and the appropriate - * ones in sha.h too) by hand according to their system architecture. - * - * Thank you, Jun-ichiro itojun Hagino, for suggesting using u_intXX_t - * types and pointing out recent ANSI C support for uintXX_t in inttypes.h. - */ -#if 0 /*def SHA2_USE_INTTYPES_H*/ - -typedef uint8_t sha2_byte; /* Exactly 1 byte */ -typedef uint32_t sha2_word32; /* Exactly 4 bytes */ -typedef uint64_t sha2_word64; /* Exactly 8 bytes */ - -#else /* SHA2_USE_INTTYPES_H */ - -typedef u_int8_t sha2_byte; /* Exactly 1 byte */ -typedef u_int32_t sha2_word32; /* Exactly 4 bytes */ -typedef u_int64_t sha2_word64; /* Exactly 8 bytes */ - -#endif /* SHA2_USE_INTTYPES_H */ - - -/*** SHA-256/384/512 Various Length Definitions ***********************/ -/* NOTE: Most of these are in sha2.h */ -#define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8) -#define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16) -#define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16) - - -/*** ENDIAN REVERSAL MACROS *******************************************/ -#if BYTE_ORDER == LITTLE_ENDIAN -#define REVERSE32(w,x) { \ - sha2_word32 tmp = (w); \ - tmp = (tmp >> 16) | (tmp << 16); \ - (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \ -} -#define REVERSE64(w,x) { \ - sha2_word64 tmp = (w); \ - tmp = (tmp >> 32) | (tmp << 32); \ - tmp = ((tmp & 
0xff00ff00ff00ff00ULL) >> 8) | \ - ((tmp & 0x00ff00ff00ff00ffULL) << 8); \ - (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \ - ((tmp & 0x0000ffff0000ffffULL) << 16); \ -} -#endif /* BYTE_ORDER == LITTLE_ENDIAN */ - -/* - * Macro for incrementally adding the unsigned 64-bit integer n to the - * unsigned 128-bit integer (represented using a two-element array of - * 64-bit words): - */ -#define ADDINC128(w,n) { \ - (w)[0] += (sha2_word64)(n); \ - if ((w)[0] < (n)) { \ - (w)[1]++; \ - } \ -} - -/*** THE SIX LOGICAL FUNCTIONS ****************************************/ -/* - * Bit shifting and rotation (used by the six SHA-XYZ logical functions: - * - * NOTE: The naming of R and S appears backwards here (R is a SHIFT and - * S is a ROTATION) because the SHA-256/384/512 description document - * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this - * same "backwards" definition. - */ -/* Shift-right (used in SHA-256, SHA-384, and SHA-512): */ -#define R(b,x) ((x) >> (b)) -/* 32-bit Rotate-right (used in SHA-256): */ -#define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b)))) -/* 64-bit Rotate-right (used in SHA-384 and SHA-512): */ -#define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b)))) - -/* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */ -#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) -#define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) - -/* Four of six logical functions used in SHA-256: */ -#define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x))) -#define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x))) -#define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x))) -#define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x))) - -/* Four of six logical functions used in SHA-384 and SHA-512: */ -#define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x))) -#define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x))) -#define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x))) -#define 
sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x))) - -/*** INTERNAL FUNCTION PROTOTYPES *************************************/ -/* NOTE: These should not be accessed directly from outside this - * library -- they are intended for private internal visibility/use - * only. - */ -void SHA512_Last(SHA512_CTX*); -void SHA256_Transform(SHA256_CTX*, const sha2_word32*); -void SHA512_Transform(SHA512_CTX*, const sha2_word64*); - - -/*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/ -/* Hash constant words K for SHA-256: */ -const static sha2_word32 K256[64] = { - 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, - 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, - 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, - 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, - 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, - 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, - 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, - 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, - 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, - 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, - 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, - 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, - 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, - 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, - 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, - 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL -}; - -/* Initial hash value H for SHA-256: */ -const static sha2_word32 sha256_initial_hash_value[8] = { - 0x6a09e667UL, - 0xbb67ae85UL, - 0x3c6ef372UL, - 0xa54ff53aUL, - 0x510e527fUL, - 0x9b05688cUL, - 0x1f83d9abUL, - 0x5be0cd19UL -}; - -/* Hash constant words K for SHA-384 and SHA-512: */ -const static sha2_word64 K512[80] = { - 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, - 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, - 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, - 
0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, - 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, - 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, - 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, - 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, - 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, - 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, - 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, - 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, - 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, - 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, - 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, - 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, - 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, - 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, - 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, - 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, - 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, - 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, - 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, - 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, - 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, - 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, - 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, - 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, - 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, - 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, - 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, - 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, - 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, - 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, - 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, - 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, - 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, - 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, - 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, - 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL -}; - -/* Initial hash value H for SHA-384 */ -const static sha2_word64 sha384_initial_hash_value[8] = { - 0xcbbb9d5dc1059ed8ULL, - 0x629a292a367cd507ULL, - 0x9159015a3070dd17ULL, - 0x152fecd8f70e5939ULL, - 
0x67332667ffc00b31ULL, - 0x8eb44a8768581511ULL, - 0xdb0c2e0d64f98fa7ULL, - 0x47b5481dbefa4fa4ULL -}; - -/* Initial hash value H for SHA-512 */ -const static sha2_word64 sha512_initial_hash_value[8] = { - 0x6a09e667f3bcc908ULL, - 0xbb67ae8584caa73bULL, - 0x3c6ef372fe94f82bULL, - 0xa54ff53a5f1d36f1ULL, - 0x510e527fade682d1ULL, - 0x9b05688c2b3e6c1fULL, - 0x1f83d9abfb41bd6bULL, - 0x5be0cd19137e2179ULL -}; - -/* - * Constant used by SHA256/384/512_End() functions for converting the - * digest to a readable hexadecimal character string: - */ -static const char *sha2_hex_digits = "0123456789abcdef"; - - -/*** SHA-256: *********************************************************/ -void SHA256_Init(SHA256_CTX* context) { - if (context == (SHA256_CTX*)0) { - return; - } - bcopy(sha256_initial_hash_value, context->state, SHA256_DIGEST_LENGTH); - bzero(context->buffer, SHA256_BLOCK_LENGTH); - context->bitcount = 0; -} - -#ifdef SHA2_UNROLL_TRANSFORM - -/* Unrolled SHA-256 round macros: */ - -#if BYTE_ORDER == LITTLE_ENDIAN - -#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \ - REVERSE32(*data++, W256[j]); \ - T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \ - K256[j] + W256[j]; \ - (d) += T1; \ - (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ - j++ - - -#else /* BYTE_ORDER == LITTLE_ENDIAN */ - -#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \ - T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \ - K256[j] + (W256[j] = *data++); \ - (d) += T1; \ - (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ - j++ - -#endif /* BYTE_ORDER == LITTLE_ENDIAN */ - -#define ROUND256(a,b,c,d,e,f,g,h) \ - s0 = W256[(j+1)&0x0f]; \ - s0 = sigma0_256(s0); \ - s1 = W256[(j+14)&0x0f]; \ - s1 = sigma1_256(s1); \ - T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \ - (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \ - (d) += T1; \ - (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \ - j++ - -void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) { - sha2_word32 a, b, c, d, e, f, g, h, s0, s1; - 
sha2_word32 T1, *W256; - int j; - - W256 = (sha2_word32*)context->buffer; - - /* Initialize registers with the prev. intermediate value */ - a = context->state[0]; - b = context->state[1]; - c = context->state[2]; - d = context->state[3]; - e = context->state[4]; - f = context->state[5]; - g = context->state[6]; - h = context->state[7]; - - j = 0; - do { - /* Rounds 0 to 15 (unrolled): */ - ROUND256_0_TO_15(a,b,c,d,e,f,g,h); - ROUND256_0_TO_15(h,a,b,c,d,e,f,g); - ROUND256_0_TO_15(g,h,a,b,c,d,e,f); - ROUND256_0_TO_15(f,g,h,a,b,c,d,e); - ROUND256_0_TO_15(e,f,g,h,a,b,c,d); - ROUND256_0_TO_15(d,e,f,g,h,a,b,c); - ROUND256_0_TO_15(c,d,e,f,g,h,a,b); - ROUND256_0_TO_15(b,c,d,e,f,g,h,a); - } while (j < 16); - - /* Now for the remaining rounds to 64: */ - do { - ROUND256(a,b,c,d,e,f,g,h); - ROUND256(h,a,b,c,d,e,f,g); - ROUND256(g,h,a,b,c,d,e,f); - ROUND256(f,g,h,a,b,c,d,e); - ROUND256(e,f,g,h,a,b,c,d); - ROUND256(d,e,f,g,h,a,b,c); - ROUND256(c,d,e,f,g,h,a,b); - ROUND256(b,c,d,e,f,g,h,a); - } while (j < 64); - - /* Compute the current intermediate hash value */ - context->state[0] += a; - context->state[1] += b; - context->state[2] += c; - context->state[3] += d; - context->state[4] += e; - context->state[5] += f; - context->state[6] += g; - context->state[7] += h; - - /* Clean up */ - a = b = c = d = e = f = g = h = T1 = 0; -} - -#else /* SHA2_UNROLL_TRANSFORM */ - -void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) { - sha2_word32 a, b, c, d, e, f, g, h, s0, s1; - sha2_word32 T1, T2, *W256; - int j; - - W256 = (sha2_word32*)context->buffer; - - /* Initialize registers with the prev. 
intermediate value */ - a = context->state[0]; - b = context->state[1]; - c = context->state[2]; - d = context->state[3]; - e = context->state[4]; - f = context->state[5]; - g = context->state[6]; - h = context->state[7]; - - j = 0; - do { -#if BYTE_ORDER == LITTLE_ENDIAN - /* Copy data while converting to host byte order */ - REVERSE32(*data++,W256[j]); - /* Apply the SHA-256 compression function to update a..h */ - T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j]; -#else /* BYTE_ORDER == LITTLE_ENDIAN */ - /* Apply the SHA-256 compression function to update a..h with copy */ - T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + (W256[j] = *data++); -#endif /* BYTE_ORDER == LITTLE_ENDIAN */ - T2 = Sigma0_256(a) + Maj(a, b, c); - h = g; - g = f; - f = e; - e = d + T1; - d = c; - c = b; - b = a; - a = T1 + T2; - - j++; - } while (j < 16); - - do { - /* Part of the message block expansion: */ - s0 = W256[(j+1)&0x0f]; - s0 = sigma0_256(s0); - s1 = W256[(j+14)&0x0f]; - s1 = sigma1_256(s1); - - /* Apply the SHA-256 compression function to update a..h */ - T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + - (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); - T2 = Sigma0_256(a) + Maj(a, b, c); - h = g; - g = f; - f = e; - e = d + T1; - d = c; - c = b; - b = a; - a = T1 + T2; - - j++; - } while (j < 64); - - /* Compute the current intermediate hash value */ - context->state[0] += a; - context->state[1] += b; - context->state[2] += c; - context->state[3] += d; - context->state[4] += e; - context->state[5] += f; - context->state[6] += g; - context->state[7] += h; - - /* Clean up */ - a = b = c = d = e = f = g = h = T1 = T2 = 0; -} - -#endif /* SHA2_UNROLL_TRANSFORM */ - -void SHA256_Update(SHA256_CTX* context, const sha2_byte *data, size_t len) { - unsigned int freespace, usedspace; - - if (len == 0) { - /* Calling with no data is valid - we do nothing */ - return; - } - - /* Sanity check: */ - assert(context != (SHA256_CTX*)0 && data != (sha2_byte*)0); - - usedspace = 
(context->bitcount >> 3) % SHA256_BLOCK_LENGTH; - if (usedspace > 0) { - /* Calculate how much free space is available in the buffer */ - freespace = SHA256_BLOCK_LENGTH - usedspace; - - if (len >= freespace) { - /* Fill the buffer completely and process it */ - bcopy(data, &context->buffer[usedspace], freespace); - context->bitcount += freespace << 3; - len -= freespace; - data += freespace; - SHA256_Transform(context, (sha2_word32*)context->buffer); - } else { - /* The buffer is not yet full */ - bcopy(data, &context->buffer[usedspace], len); - context->bitcount += len << 3; - /* Clean up: */ - usedspace = freespace = 0; - return; - } - } - while (len >= SHA256_BLOCK_LENGTH) { - /* Process as many complete blocks as we can */ - SHA256_Transform(context, (const sha2_word32*)data); - context->bitcount += SHA256_BLOCK_LENGTH << 3; - len -= SHA256_BLOCK_LENGTH; - data += SHA256_BLOCK_LENGTH; - } - if (len > 0) { - /* There's left-overs, so save 'em */ - bcopy(data, context->buffer, len); - context->bitcount += len << 3; - } - /* Clean up: */ - usedspace = freespace = 0; -} - -void SHA256_Final(sha2_byte digest[], SHA256_CTX* context) { - sha2_word32 *d = (sha2_word32*)digest; - unsigned int usedspace; - - /* Sanity check: */ - assert(context != (SHA256_CTX*)0); - - /* If no digest buffer is passed, we don't bother doing this: */ - if (digest != (sha2_byte*)0) { - usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH; -#if BYTE_ORDER == LITTLE_ENDIAN - /* Convert FROM host byte order */ - REVERSE64(context->bitcount,context->bitcount); -#endif - if (usedspace > 0) { - /* Begin padding with a 1 bit: */ - context->buffer[usedspace++] = 0x80; - - if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) { - /* Set-up for the last transform: */ - bzero(&context->buffer[usedspace], SHA256_SHORT_BLOCK_LENGTH - usedspace); - } else { - if (usedspace < SHA256_BLOCK_LENGTH) { - bzero(&context->buffer[usedspace], SHA256_BLOCK_LENGTH - usedspace); - } - /* Do second-to-last transform: */ 
- SHA256_Transform(context, (sha2_word32*)context->buffer); - - /* And set-up for the last transform: */ - bzero(context->buffer, SHA256_SHORT_BLOCK_LENGTH); - } - } else { - /* Set-up for the last transform: */ - bzero(context->buffer, SHA256_SHORT_BLOCK_LENGTH); - - /* Begin padding with a 1 bit: */ - *context->buffer = 0x80; - } - /* Set the bit count: */ - *(sha2_word64*)&context->buffer[SHA256_SHORT_BLOCK_LENGTH] = context->bitcount; - - /* Final transform: */ - SHA256_Transform(context, (sha2_word32*)context->buffer); - -#if BYTE_ORDER == LITTLE_ENDIAN - { - /* Convert TO host byte order */ - int j; - for (j = 0; j < 8; j++) { - REVERSE32(context->state[j],context->state[j]); - *d++ = context->state[j]; - } - } -#else - bcopy(context->state, d, SHA256_DIGEST_LENGTH); -#endif - } - - /* Clean up state data: */ - bzero(context, sizeof(*context)); - usedspace = 0; -} - -char *SHA256_End(SHA256_CTX* context, char buffer[]) { - sha2_byte digest[SHA256_DIGEST_LENGTH], *d = digest; - int i; - - /* Sanity check: */ - assert(context != (SHA256_CTX*)0); - - if (buffer != (char*)0) { - SHA256_Final(digest, context); - - for (i = 0; i < SHA256_DIGEST_LENGTH; i++) { - *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4]; - *buffer++ = sha2_hex_digits[*d & 0x0f]; - d++; - } - *buffer = (char)0; - } else { - bzero(context, sizeof(*context)); - } - bzero(digest, SHA256_DIGEST_LENGTH); - return buffer; -} - -char* SHA256_Data(const sha2_byte* data, size_t len, char digest[SHA256_DIGEST_STRING_LENGTH]) { - SHA256_CTX context; - - SHA256_Init(&context); - SHA256_Update(&context, data, len); - return SHA256_End(&context, digest); -} - - -/*** SHA-512: *********************************************************/ -void SHA512_Init(SHA512_CTX* context) { - if (context == (SHA512_CTX*)0) { - return; - } - bcopy(sha512_initial_hash_value, context->state, SHA512_DIGEST_LENGTH); - bzero(context->buffer, SHA512_BLOCK_LENGTH); - context->bitcount[0] = context->bitcount[1] = 0; -} - -#ifdef 
SHA2_UNROLL_TRANSFORM - -/* Unrolled SHA-512 round macros: */ -#if BYTE_ORDER == LITTLE_ENDIAN - -#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \ - REVERSE64(*data++, W512[j]); \ - T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \ - K512[j] + W512[j]; \ - (d) += T1, \ - (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \ - j++ - - -#else /* BYTE_ORDER == LITTLE_ENDIAN */ - -#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \ - T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \ - K512[j] + (W512[j] = *data++); \ - (d) += T1; \ - (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \ - j++ - -#endif /* BYTE_ORDER == LITTLE_ENDIAN */ - -#define ROUND512(a,b,c,d,e,f,g,h) \ - s0 = W512[(j+1)&0x0f]; \ - s0 = sigma0_512(s0); \ - s1 = W512[(j+14)&0x0f]; \ - s1 = sigma1_512(s1); \ - T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \ - (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \ - (d) += T1; \ - (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \ - j++ - -void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) { - sha2_word64 a, b, c, d, e, f, g, h, s0, s1; - sha2_word64 T1, *W512 = (sha2_word64*)context->buffer; - int j; - - /* Initialize registers with the prev. 
intermediate value */ - a = context->state[0]; - b = context->state[1]; - c = context->state[2]; - d = context->state[3]; - e = context->state[4]; - f = context->state[5]; - g = context->state[6]; - h = context->state[7]; - - j = 0; - do { - ROUND512_0_TO_15(a,b,c,d,e,f,g,h); - ROUND512_0_TO_15(h,a,b,c,d,e,f,g); - ROUND512_0_TO_15(g,h,a,b,c,d,e,f); - ROUND512_0_TO_15(f,g,h,a,b,c,d,e); - ROUND512_0_TO_15(e,f,g,h,a,b,c,d); - ROUND512_0_TO_15(d,e,f,g,h,a,b,c); - ROUND512_0_TO_15(c,d,e,f,g,h,a,b); - ROUND512_0_TO_15(b,c,d,e,f,g,h,a); - } while (j < 16); - - /* Now for the remaining rounds up to 79: */ - do { - ROUND512(a,b,c,d,e,f,g,h); - ROUND512(h,a,b,c,d,e,f,g); - ROUND512(g,h,a,b,c,d,e,f); - ROUND512(f,g,h,a,b,c,d,e); - ROUND512(e,f,g,h,a,b,c,d); - ROUND512(d,e,f,g,h,a,b,c); - ROUND512(c,d,e,f,g,h,a,b); - ROUND512(b,c,d,e,f,g,h,a); - } while (j < 80); - - /* Compute the current intermediate hash value */ - context->state[0] += a; - context->state[1] += b; - context->state[2] += c; - context->state[3] += d; - context->state[4] += e; - context->state[5] += f; - context->state[6] += g; - context->state[7] += h; - - /* Clean up */ - a = b = c = d = e = f = g = h = T1 = 0; -} - -#else /* SHA2_UNROLL_TRANSFORM */ - -void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) { - sha2_word64 a, b, c, d, e, f, g, h, s0, s1; - sha2_word64 T1, T2, *W512 = (sha2_word64*)context->buffer; - int j; - - /* Initialize registers with the prev. 
intermediate value */ - a = context->state[0]; - b = context->state[1]; - c = context->state[2]; - d = context->state[3]; - e = context->state[4]; - f = context->state[5]; - g = context->state[6]; - h = context->state[7]; - - j = 0; - do { -#if BYTE_ORDER == LITTLE_ENDIAN - /* Convert TO host byte order */ - REVERSE64(*data++, W512[j]); - /* Apply the SHA-512 compression function to update a..h */ - T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j]; -#else /* BYTE_ORDER == LITTLE_ENDIAN */ - /* Apply the SHA-512 compression function to update a..h with copy */ - T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + (W512[j] = *data++); -#endif /* BYTE_ORDER == LITTLE_ENDIAN */ - T2 = Sigma0_512(a) + Maj(a, b, c); - h = g; - g = f; - f = e; - e = d + T1; - d = c; - c = b; - b = a; - a = T1 + T2; - - j++; - } while (j < 16); - - do { - /* Part of the message block expansion: */ - s0 = W512[(j+1)&0x0f]; - s0 = sigma0_512(s0); - s1 = W512[(j+14)&0x0f]; - s1 = sigma1_512(s1); - - /* Apply the SHA-512 compression function to update a..h */ - T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + - (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); - T2 = Sigma0_512(a) + Maj(a, b, c); - h = g; - g = f; - f = e; - e = d + T1; - d = c; - c = b; - b = a; - a = T1 + T2; - - j++; - } while (j < 80); - - /* Compute the current intermediate hash value */ - context->state[0] += a; - context->state[1] += b; - context->state[2] += c; - context->state[3] += d; - context->state[4] += e; - context->state[5] += f; - context->state[6] += g; - context->state[7] += h; - - /* Clean up */ - a = b = c = d = e = f = g = h = T1 = T2 = 0; -} - -#endif /* SHA2_UNROLL_TRANSFORM */ - -void SHA512_Update(SHA512_CTX* context, const sha2_byte *data, size_t len) { - unsigned int freespace, usedspace; - - if (len == 0) { - /* Calling with no data is valid - we do nothing */ - return; - } - - /* Sanity check: */ - assert(context != (SHA512_CTX*)0 && data != (sha2_byte*)0); - - usedspace = (context->bitcount[0] 
>> 3) % SHA512_BLOCK_LENGTH; - if (usedspace > 0) { - /* Calculate how much free space is available in the buffer */ - freespace = SHA512_BLOCK_LENGTH - usedspace; - - if (len >= freespace) { - /* Fill the buffer completely and process it */ - bcopy(data, &context->buffer[usedspace], freespace); - ADDINC128(context->bitcount, freespace << 3); - len -= freespace; - data += freespace; - SHA512_Transform(context, (sha2_word64*)context->buffer); - } else { - /* The buffer is not yet full */ - bcopy(data, &context->buffer[usedspace], len); - ADDINC128(context->bitcount, len << 3); - /* Clean up: */ - usedspace = freespace = 0; - return; - } - } - while (len >= SHA512_BLOCK_LENGTH) { - /* Process as many complete blocks as we can */ - SHA512_Transform(context, (const sha2_word64*)data); - ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3); - len -= SHA512_BLOCK_LENGTH; - data += SHA512_BLOCK_LENGTH; - } - if (len > 0) { - /* There's left-overs, so save 'em */ - bcopy(data, context->buffer, len); - ADDINC128(context->bitcount, len << 3); - } - /* Clean up: */ - usedspace = freespace = 0; -} - -void SHA512_Last(SHA512_CTX* context) { - unsigned int usedspace; - - usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH; -#if BYTE_ORDER == LITTLE_ENDIAN - /* Convert FROM host byte order */ - REVERSE64(context->bitcount[0],context->bitcount[0]); - REVERSE64(context->bitcount[1],context->bitcount[1]); -#endif - if (usedspace > 0) { - /* Begin padding with a 1 bit: */ - context->buffer[usedspace++] = 0x80; - - if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) { - /* Set-up for the last transform: */ - bzero(&context->buffer[usedspace], SHA512_SHORT_BLOCK_LENGTH - usedspace); - } else { - if (usedspace < SHA512_BLOCK_LENGTH) { - bzero(&context->buffer[usedspace], SHA512_BLOCK_LENGTH - usedspace); - } - /* Do second-to-last transform: */ - SHA512_Transform(context, (sha2_word64*)context->buffer); - - /* And set-up for the last transform: */ - bzero(context->buffer, 
SHA512_BLOCK_LENGTH - 2); - } - } else { - /* Prepare for final transform: */ - bzero(context->buffer, SHA512_SHORT_BLOCK_LENGTH); - - /* Begin padding with a 1 bit: */ - *context->buffer = 0x80; - } - /* Store the length of input data (in bits): */ - *(sha2_word64*)&context->buffer[SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1]; - *(sha2_word64*)&context->buffer[SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0]; - - /* Final transform: */ - SHA512_Transform(context, (sha2_word64*)context->buffer); -} - -void SHA512_Final(sha2_byte digest[], SHA512_CTX* context) { - sha2_word64 *d = (sha2_word64*)digest; - - /* Sanity check: */ - assert(context != (SHA512_CTX*)0); - - /* If no digest buffer is passed, we don't bother doing this: */ - if (digest != (sha2_byte*)0) { - SHA512_Last(context); - - /* Save the hash data for output: */ -#if BYTE_ORDER == LITTLE_ENDIAN - { - /* Convert TO host byte order */ - int j; - for (j = 0; j < 8; j++) { - REVERSE64(context->state[j],context->state[j]); - *d++ = context->state[j]; - } - } -#else - bcopy(context->state, d, SHA512_DIGEST_LENGTH); -#endif - } - - /* Zero out state data */ - bzero(context, sizeof(*context)); -} - -char *SHA512_End(SHA512_CTX* context, char buffer[]) { - sha2_byte digest[SHA512_DIGEST_LENGTH], *d = digest; - int i; - - /* Sanity check: */ - assert(context != (SHA512_CTX*)0); - - if (buffer != (char*)0) { - SHA512_Final(digest, context); - - for (i = 0; i < SHA512_DIGEST_LENGTH; i++) { - *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4]; - *buffer++ = sha2_hex_digits[*d & 0x0f]; - d++; - } - *buffer = (char)0; - } else { - bzero(context, sizeof(*context)); - } - bzero(digest, SHA512_DIGEST_LENGTH); - return buffer; -} - -char* SHA512_Data(const sha2_byte* data, size_t len, char digest[SHA512_DIGEST_STRING_LENGTH]) { - SHA512_CTX context; - - SHA512_Init(&context); - SHA512_Update(&context, data, len); - return SHA512_End(&context, digest); -} - - -/*** SHA-384: 
*********************************************************/ -void SHA384_Init(SHA384_CTX* context) { - if (context == (SHA384_CTX*)0) { - return; - } - bcopy(sha384_initial_hash_value, context->state, SHA512_DIGEST_LENGTH); - bzero(context->buffer, SHA384_BLOCK_LENGTH); - context->bitcount[0] = context->bitcount[1] = 0; -} - -void SHA384_Update(SHA384_CTX* context, const sha2_byte* data, size_t len) { - SHA512_Update((SHA512_CTX*)context, data, len); -} - -void SHA384_Final(sha2_byte digest[], SHA384_CTX* context) { - sha2_word64 *d = (sha2_word64*)digest; - - /* Sanity check: */ - assert(context != (SHA384_CTX*)0); - - /* If no digest buffer is passed, we don't bother doing this: */ - if (digest != (sha2_byte*)0) { - SHA512_Last((SHA512_CTX*)context); - - /* Save the hash data for output: */ -#if BYTE_ORDER == LITTLE_ENDIAN - { - /* Convert TO host byte order */ - int j; - for (j = 0; j < 6; j++) { - REVERSE64(context->state[j],context->state[j]); - *d++ = context->state[j]; - } - } -#else - bcopy(context->state, d, SHA384_DIGEST_LENGTH); -#endif - } - - /* Zero out state data */ - bzero(context, sizeof(*context)); -} - -char *SHA384_End(SHA384_CTX* context, char buffer[]) { - sha2_byte digest[SHA384_DIGEST_LENGTH], *d = digest; - int i; - - /* Sanity check: */ - assert(context != (SHA384_CTX*)0); - - if (buffer != (char*)0) { - SHA384_Final(digest, context); - - for (i = 0; i < SHA384_DIGEST_LENGTH; i++) { - *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4]; - *buffer++ = sha2_hex_digits[*d & 0x0f]; - d++; - } - *buffer = (char)0; - } else { - bzero(context, sizeof(*context)); - } - bzero(digest, SHA384_DIGEST_LENGTH); - return buffer; -} - -char* SHA384_Data(const sha2_byte* data, size_t len, char digest[SHA384_DIGEST_STRING_LENGTH]) { - SHA384_CTX context; - - SHA384_Init(&context); - SHA384_Update(&context, data, len); - return SHA384_End(&context, digest); -} - -/*glue*/ -static struct env_md_st sha2_256_md = { - 0, /*NID_sha1*/ - 0, /*NID_sha1WithRSAEncryption*/ 
- SHA256_DIGEST_LENGTH, - SHA256_Init, - SHA256_Update, - SHA256_Final, - NULL, NULL, {0, 0, 0, 0}, - SHA256_BLOCK_LENGTH, - sizeof(struct env_md_st *) + sizeof(SHA256_CTX), -}; - -struct env_md_st *EVP_sha2_256(void) -{ - return(&sha2_256_md); -} - -static struct env_md_st sha2_384_md = { - 0, /*NID_sha1*/ - 0, /*NID_sha1WithRSAEncryption*/ - SHA384_DIGEST_LENGTH, - SHA384_Init, - SHA384_Update, - SHA384_Final, - NULL, NULL, {0, 0, 0, 0}, - SHA384_BLOCK_LENGTH, - sizeof(struct env_md_st *) + sizeof(SHA384_CTX), -}; - -struct env_md_st *EVP_sha2_384(void) -{ - return(&sha2_384_md); -} - -static struct env_md_st sha2_512_md = { - 0, /*NID_sha1*/ - 0, /*NID_sha1WithRSAEncryption*/ - SHA512_DIGEST_LENGTH, - SHA512_Init, - SHA512_Update, - SHA512_Final, - NULL, NULL, {0, 0, 0, 0}, /*EVP_PKEY_RSA_method*/ - SHA512_BLOCK_LENGTH, - sizeof(struct env_md_st *) + sizeof(SHA512_CTX), -}; - -struct env_md_st *EVP_sha2_512(void) -{ - return(&sha2_512_md); -} diff --git a/kame/kame/racoon/missing/crypto/sha2/sha2.h b/kame/kame/racoon/missing/crypto/sha2/sha2.h deleted file mode 100644 index 42f28782ae..0000000000 --- a/kame/kame/racoon/missing/crypto/sha2/sha2.h +++ /dev/null 
@@ -1,144 +0,0 @@
-/* $KAME: sha2.h,v 1.2 2001/08/08 22:09:27 sakane Exp $ */
-
-/*
- * sha2.h
- *
- * Version 1.0.0beta1
- *
- * Written by Aaron D. Gifford
- *
- * Copyright 2000 Aaron D. Gifford. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the copyright holder nor the names of contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * - */ - -#ifndef __SHA2_H__ -#define __SHA2_H__ - -#ifdef __cplusplus -extern "C" { -#endif - - -/*** SHA-256/384/512 Various Length Definitions ***********************/ -#define SHA256_BLOCK_LENGTH 64 -#define SHA256_DIGEST_LENGTH 32 -#define SHA256_DIGEST_STRING_LENGTH (SHA256_DIGEST_LENGTH * 2 + 1) -#define SHA384_BLOCK_LENGTH 128 -#define SHA384_DIGEST_LENGTH 48 -#define SHA384_DIGEST_STRING_LENGTH (SHA384_DIGEST_LENGTH * 2 + 1) -#define SHA512_BLOCK_LENGTH 128 -#define SHA512_DIGEST_LENGTH 64 -#define SHA512_DIGEST_STRING_LENGTH (SHA512_DIGEST_LENGTH * 2 + 1) - - -/*** SHA-256/384/512 Context Structures *******************************/ -/* NOTE: If your architecture does not define either u_intXX_t types or - * uintXX_t (from inttypes.h), you may need to define things by hand - * for your system: - */ -#if 0 -typedef unsigned char u_int8_t; /* 1-byte (8-bits) */ -typedef unsigned int u_int32_t; /* 4-bytes (32-bits) */ -typedef unsigned long long u_int64_t; /* 8-bytes (64-bits) */ -#endif -/* - * Most BSD systems already define u_intXX_t types, as does Linux. - * Some systems, however, like Compaq's Tru64 Unix instead can use - * uintXX_t types defined by very recent ANSI C standards and included - * in the file: - * - * #include - * - * If you choose to use then please define: - * - * #define SHA2_USE_INTTYPES_H - * - * Or on the command line during compile: - * - * cc -DSHA2_USE_INTTYPES_H ... 
- */ -#if 0 /*def SHA2_USE_INTTYPES_H*/ - -typedef struct _SHA256_CTX { - uint32_t state[8]; - uint64_t bitcount; - uint8_t buffer[SHA256_BLOCK_LENGTH]; -} SHA256_CTX; -typedef struct _SHA512_CTX { - uint64_t state[8]; - uint64_t bitcount[2]; - uint8_t buffer[SHA512_BLOCK_LENGTH]; -} SHA512_CTX; - -#else /* SHA2_USE_INTTYPES_H */ - -typedef struct _SHA256_CTX { - u_int32_t state[8]; - u_int64_t bitcount; - u_int8_t buffer[SHA256_BLOCK_LENGTH]; -} SHA256_CTX; -typedef struct _SHA512_CTX { - u_int64_t state[8]; - u_int64_t bitcount[2]; - u_int8_t buffer[SHA512_BLOCK_LENGTH]; -} SHA512_CTX; - -#endif /* SHA2_USE_INTTYPES_H */ - -typedef SHA512_CTX SHA384_CTX; - - -/*** SHA-256/384/512 Function Prototypes ******************************/ - -void SHA256_Init __P((SHA256_CTX *)); -void SHA256_Update __P((SHA256_CTX*, const u_int8_t*, size_t)); -void SHA256_Final __P((u_int8_t[SHA256_DIGEST_LENGTH], SHA256_CTX*)); -char* SHA256_End __P((SHA256_CTX*, char[SHA256_DIGEST_STRING_LENGTH])); -char* SHA256_Data __P((const u_int8_t*, size_t, char[SHA256_DIGEST_STRING_LENGTH])); - -void SHA384_Init __P((SHA384_CTX*)); -void SHA384_Update __P((SHA384_CTX*, const u_int8_t*, size_t)); -void SHA384_Final __P((u_int8_t[SHA384_DIGEST_LENGTH], SHA384_CTX*)); -char* SHA384_End __P((SHA384_CTX*, char[SHA384_DIGEST_STRING_LENGTH])); -char* SHA384_Data __P((const u_int8_t*, size_t, char[SHA384_DIGEST_STRING_LENGTH])); - -void SHA512_Init __P((SHA512_CTX*)); -void SHA512_Update __P((SHA512_CTX*, const u_int8_t*, size_t)); -void SHA512_Final __P((u_int8_t[SHA512_DIGEST_LENGTH], SHA512_CTX*)); -char* SHA512_End __P((SHA512_CTX*, char[SHA512_DIGEST_STRING_LENGTH])); -char* SHA512_Data __P((const u_int8_t*, size_t, char[SHA512_DIGEST_STRING_LENGTH])); - -struct env_md_st *EVP_sha2_256 __P((void)); -struct env_md_st *EVP_sha2_384 __P((void)); -struct env_md_st *EVP_sha2_512 __P((void)); - -#ifdef __cplusplus -} -#endif /* __cplusplus */ - -#endif /* __SHA2_H__ */ - 
diff --git a/kame/kame/racoon/missing/getaddrinfo.c b/kame/kame/racoon/missing/getaddrinfo.c
deleted file mode 100644
index 4e903b797d..0000000000
--- a/kame/kame/racoon/missing/getaddrinfo.c
+++ /dev/null
@@ -1,697 +0,0 @@ -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* - * "#ifdef FAITH" part is local hack for supporting IPv4-v6 translator. - * - * Issues to be discussed: - * - Thread safe-ness must be checked. - * - Return values. There are nonstandard return values defined and used - * in the source code. This is because RFC2553 is silent about which error - * code must be returned for which situation. 
- * - PF_UNSPEC case would be handled in getipnodebyname() with the AI_ALL flag. - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include "missing/addrinfo.h" - -#if defined(__KAME__) && defined(INET6) -# define FAITH -#endif - -#define SUCCESS 0 -#define ANY 0 -#define YES 1 -#define NO 0 - -#ifdef FAITH -static int translate = NO; -static struct in6_addr faith_prefix = IN6ADDR_ANY_INIT; -#endif - -static const char in_addrany[] = { 0, 0, 0, 0 }; -static const char in6_addrany[] = { - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 -}; -static const char in_loopback[] = { 127, 0, 0, 1 }; -static const char in6_loopback[] = { - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 -}; - -struct sockinet { - u_char si_len; - u_char si_family; - u_short si_port; -}; - -static struct afd { - int a_af; - int a_addrlen; - int a_socklen; - int a_off; - const char *a_addrany; - const char *a_loopback; -} afdl [] = { -#ifdef INET6 -#define N_INET6 0 - {PF_INET6, sizeof(struct in6_addr), - sizeof(struct sockaddr_in6), - offsetof(struct sockaddr_in6, sin6_addr), - in6_addrany, in6_loopback}, -#define N_INET 1 -#else -#define N_INET 0 -#endif - {PF_INET, sizeof(struct in_addr), - sizeof(struct sockaddr_in), - offsetof(struct sockaddr_in, sin_addr), - in_addrany, in_loopback}, - {0, 0, 0, 0, NULL, NULL}, -}; - -#ifdef INET6 -#define PTON_MAX 16 -#else -#define PTON_MAX 4 -#endif - - -static int get_name __P((const char *, struct afd *, - struct addrinfo **, char *, struct addrinfo *, - int)); -static int get_addr __P((const char *, int, struct addrinfo **, - struct addrinfo *, int)); -static int get_addr0 __P((const char *, int, struct addrinfo **, - struct addrinfo *, int)); -static int str_isnumber __P((const char *)); - -static char *ai_errlist[] = { - "Success", - "Address family for hostname not supported", /* EAI_ADDRFAMILY */ - "Temporary failure in name resolution", /* 
EAI_AGAIN */ - "Invalid value for ai_flags", /* EAI_BADFLAGS */ - "Non-recoverable failure in name resolution", /* EAI_FAIL */ - "ai_family not supported", /* EAI_FAMILY */ - "Memory allocation failure", /* EAI_MEMORY */ - "No address associated with hostname", /* EAI_NODATA */ - "hostname nor servname provided, or not known",/* EAI_NONAME */ - "servname not supported for ai_socktype", /* EAI_SERVICE */ - "ai_socktype not supported", /* EAI_SOCKTYPE */ - "System error returned in errno", /* EAI_SYSTEM */ - "Invalid value for hints", /* EAI_BADHINTS */ - "Resolved protocol is unknown", /* EAI_PROTOCOL */ - "Unknown error", /* EAI_MAX */ -}; - -#define GET_CANONNAME(ai, str) \ -if (pai->ai_flags & AI_CANONNAME) {\ - if (((ai)->ai_canonname = (char *)malloc(strlen(str) + 1)) != NULL) {\ - strcpy((ai)->ai_canonname, (str));\ - } else {\ - error = EAI_MEMORY;\ - goto free;\ - }\ -} - -#define GET_AI(ai, afd, addr, port) {\ - char *p;\ - if (((ai) = (struct addrinfo *)malloc(sizeof(struct addrinfo) +\ - ((afd)->a_socklen)))\ - == NULL) {\ - error = EAI_MEMORY;\ - goto free;\ - }\ - memcpy(ai, pai, sizeof(struct addrinfo));\ - (ai)->ai_addr = (struct sockaddr *)((ai) + 1);\ - memset((ai)->ai_addr, 0, (afd)->a_socklen);\ - (ai)->ai_addr->sa_len = (ai)->ai_addrlen = (afd)->a_socklen;\ - (ai)->ai_addr->sa_family = (ai)->ai_family = (afd)->a_af;\ - ((struct sockinet *)(ai)->ai_addr)->si_port = port;\ - p = (char *)((ai)->ai_addr);\ - memcpy(p + (afd)->a_off, (addr), (afd)->a_addrlen);\ -} - -#define ERR(err) { error = (err); goto bad; } - -char * -gai_strerror(ecode) - int ecode; -{ - if (ecode < 0 || ecode > EAI_MAX) - ecode = EAI_MAX; - return ai_errlist[ecode]; -} - -void -freeaddrinfo(ai) - struct addrinfo *ai; -{ - struct addrinfo *next; - - do { - next = ai->ai_next; - if (ai->ai_canonname) - free(ai->ai_canonname); - /* no need to free(ai->ai_addr) */ - free(ai); - } while ((ai = next) != NULL); -} - -static int -str_isnumber(p) - const char *p; -{ - char *q = (char 
*)p; - while (*q) { - if (! isdigit(*q)) - return NO; - q++; - } - return YES; -} - -int -getaddrinfo(hostname, servname, hints, res) - const char *hostname, *servname; - const struct addrinfo *hints; - struct addrinfo **res; -{ - struct addrinfo sentinel; - struct addrinfo *top = NULL; - struct addrinfo *cur; - int i, error = 0; - char pton[PTON_MAX]; - struct addrinfo ai; - struct addrinfo *pai; - u_short port; - -#ifdef FAITH - static int firsttime = 1; - - if (firsttime) { - /* translator hack */ - { - char *q = getenv("GAI"); - if (q && inet_pton(AF_INET6, q, &faith_prefix) == 1) - translate = YES; - } - firsttime = 0; - } -#endif - - /* initialize file static vars */ - sentinel.ai_next = NULL; - cur = &sentinel; - pai = &ai; - pai->ai_flags = 0; - pai->ai_family = PF_UNSPEC; - pai->ai_socktype = ANY; - pai->ai_protocol = ANY; - pai->ai_addrlen = 0; - pai->ai_canonname = NULL; - pai->ai_addr = NULL; - pai->ai_next = NULL; - port = ANY; - - if (hostname == NULL && servname == NULL) - return EAI_NONAME; - if (hints) { - /* error check for hints */ - if (hints->ai_addrlen || hints->ai_canonname || - hints->ai_addr || hints->ai_next) - ERR(EAI_BADHINTS); /* xxx */ - if (hints->ai_flags & ~AI_MASK) - ERR(EAI_BADFLAGS); - switch (hints->ai_family) { - case PF_UNSPEC: - case PF_INET: -#ifdef INET6 - case PF_INET6: -#endif - break; - default: - ERR(EAI_FAMILY); - } - memcpy(pai, hints, sizeof(*pai)); - switch (pai->ai_socktype) { - case ANY: - switch (pai->ai_protocol) { - case ANY: - break; - case IPPROTO_UDP: - pai->ai_socktype = SOCK_DGRAM; - break; - case IPPROTO_TCP: - pai->ai_socktype = SOCK_STREAM; - break; - default: - pai->ai_socktype = SOCK_RAW; - break; - } - break; - case SOCK_RAW: - break; - case SOCK_DGRAM: - if (pai->ai_protocol != IPPROTO_UDP && - pai->ai_protocol != ANY) - ERR(EAI_BADHINTS); /*xxx*/ - pai->ai_protocol = IPPROTO_UDP; - break; - case SOCK_STREAM: - if (pai->ai_protocol != IPPROTO_TCP && - pai->ai_protocol != ANY) - ERR(EAI_BADHINTS); 
/*xxx*/ - pai->ai_protocol = IPPROTO_TCP; - break; - default: - ERR(EAI_SOCKTYPE); - break; - } - } - - /* - * service port - */ - if (servname) { - if (str_isnumber(servname)) { - if (pai->ai_socktype == ANY) { - /* caller accept *ANY* socktype */ - pai->ai_socktype = SOCK_DGRAM; - pai->ai_protocol = IPPROTO_UDP; - } - port = htons(atoi(servname)); - } else { - struct servent *sp; - char *proto; - - proto = NULL; - switch (pai->ai_socktype) { - case ANY: - proto = NULL; - break; - case SOCK_DGRAM: - proto = "udp"; - break; - case SOCK_STREAM: - proto = "tcp"; - break; - default: - fprintf(stderr, "panic!\n"); - break; - } - if ((sp = getservbyname(servname, proto)) == NULL) - ERR(EAI_SERVICE); - port = sp->s_port; - if (pai->ai_socktype == ANY) { - if (strcmp(sp->s_proto, "udp") == 0) { - pai->ai_socktype = SOCK_DGRAM; - pai->ai_protocol = IPPROTO_UDP; - } else if (strcmp(sp->s_proto, "tcp") == 0) { - pai->ai_socktype = SOCK_STREAM; - pai->ai_protocol = IPPROTO_TCP; - } else - ERR(EAI_PROTOCOL); /*xxx*/ - } - } - } - - /* - * hostname == NULL. - * passive socket -> anyaddr (0.0.0.0 or ::) - * non-passive socket -> localhost (127.0.0.1 or ::1) - */ - if (hostname == NULL) { - struct afd *afd; - int s; - - for (afd = &afdl[0]; afd->a_af; afd++) { - if (!(pai->ai_family == PF_UNSPEC - || pai->ai_family == afd->a_af)) { - continue; - } - - /* - * filter out AFs that are not supported by the kernel - * XXX errno? - */ - s = socket(afd->a_af, SOCK_DGRAM, 0); - if (s < 0) - continue; - close(s); - - if (pai->ai_flags & AI_PASSIVE) { - GET_AI(cur->ai_next, afd, afd->a_addrany, port); - /* xxx meaningless? - * GET_CANONNAME(cur->ai_next, "anyaddr"); - */ - } else { - GET_AI(cur->ai_next, afd, afd->a_loopback, - port); - /* xxx meaningless? 
- * GET_CANONNAME(cur->ai_next, "localhost"); - */ - } - cur = cur->ai_next; - } - top = sentinel.ai_next; - if (top) - goto good; - else - ERR(EAI_FAMILY); - } - - /* hostname as numeric name */ - for (i = 0; afdl[i].a_af; i++) { - if (inet_pton(afdl[i].a_af, hostname, pton) == 1) { - u_long v4a; - u_char pfx; - - switch (afdl[i].a_af) { - case AF_INET: - v4a = ntohl(((struct in_addr *)pton)->s_addr); - if (IN_MULTICAST(v4a) || IN_EXPERIMENTAL(v4a)) - pai->ai_flags &= ~AI_CANONNAME; - v4a >>= IN_CLASSA_NSHIFT; - if (v4a == 0 || v4a == IN_LOOPBACKNET) - pai->ai_flags &= ~AI_CANONNAME; - break; -#ifdef INET6 - case AF_INET6: - pfx = ((struct in6_addr *)pton)->s6_addr[0]; - if (pfx == 0 || pfx == 0xfe || pfx == 0xff) - pai->ai_flags &= ~AI_CANONNAME; - break; -#endif - } - - if (pai->ai_family == afdl[i].a_af || - pai->ai_family == PF_UNSPEC) { - if (! (pai->ai_flags & AI_CANONNAME)) { - GET_AI(top, &afdl[i], pton, port); - goto good; - } - /* - * if AI_CANONNAME and if reverse lookup - * fail, return ai anyway to pacify - * calling application. - * - * XXX getaddrinfo() is a name->address - * translation function, and it looks strange - * that we do addr->name translation here. 
- */ - get_name(pton, &afdl[i], &top, pton, pai, port); - goto good; - } else - ERR(EAI_FAMILY); /*xxx*/ - } - } - - if (pai->ai_flags & AI_NUMERICHOST) - ERR(EAI_NONAME); - - /* hostname as alphabetical name */ - error = get_addr(hostname, pai->ai_family, &top, pai, port); - if (error == 0) { - if (top) { - good: - *res = top; - return SUCCESS; - } else - error = EAI_FAIL; - } - free: - if (top) - freeaddrinfo(top); - bad: - *res = NULL; - return error; -} - -static int -get_name(addr, afd, res, numaddr, pai, port0) - const char *addr; - struct afd *afd; - struct addrinfo **res; - char *numaddr; - struct addrinfo *pai; - int port0; -{ - u_short port = port0 & 0xffff; - struct hostent *hp; - struct addrinfo *cur; - int error = 0; -#ifdef USE_GETIPNODEBY - int h_error; - - hp = getipnodebyaddr(addr, afd->a_addrlen, afd->a_af, &h_error); -#else - hp = gethostbyaddr(addr, afd->a_addrlen, afd->a_af); -#endif - if (hp && hp->h_name && hp->h_name[0] && hp->h_addr_list[0]) { - GET_AI(cur, afd, hp->h_addr_list[0], port); - GET_CANONNAME(cur, hp->h_name); - } else - GET_AI(cur, afd, numaddr, port); - -#ifdef USE_GETIPNODEBY - if (hp) - freehostent(hp); -#endif - *res = cur; - return SUCCESS; - free: - if (cur) - freeaddrinfo(cur); -#ifdef USE_GETIPNODEBY - if (hp) - freehostent(hp); -#endif - /* bad: */ - *res = NULL; - return error; -} - -static int -get_addr(hostname, af, res0, pai, port0) - const char *hostname; - int af; - struct addrinfo **res0; - struct addrinfo *pai; - int port0; -{ -#ifdef USE_GETIPNODEBY - return get_addr0(hostname, af, res0, pai, port0); -#else - int i, error, ekeep; - struct addrinfo *cur; - struct addrinfo **res; - int retry; - int s; - - res = res0; - ekeep = 0; - error = 0; - for (i = 0; afdl[i].a_af; i++) { - retry = 0; - if (af == AF_UNSPEC) { - /* - * filter out AFs that are not supported by the kernel - * XXX errno? 
- */ - s = socket(afdl[i].a_af, SOCK_DGRAM, 0); - if (s < 0) - continue; - close(s); - } else { - if (af != afdl[i].a_af) - continue; - } - /* It is WRONG, we need getipnodebyname(). */ -again: - error = get_addr0(hostname, afdl[i].a_af, res, pai, port0); - switch (error) { - case EAI_AGAIN: - if (++retry < 3) - goto again; - /* FALL THROUGH*/ - default: - if (ekeep == 0) - ekeep = error; - break; - } - if (*res) { - /* make chain of addrs */ - for (cur = *res; - cur && cur->ai_next; - cur = cur->ai_next) - ; - if (!cur) - return EAI_FAIL; - res = &cur->ai_next; - } - } - - /* if we got something, it's okay */ - if (*res0) - return 0; - - return error ? error : ekeep; -#endif -} - -static int -get_addr0(hostname, af, res, pai, port0) - const char *hostname; - int af; - struct addrinfo **res; - struct addrinfo *pai; - int port0; -{ - u_short port = port0 & 0xffff; - struct addrinfo sentinel; - struct hostent *hp; - struct addrinfo *top, *cur; - struct afd *afd; - int i, error = 0, h_error; - char *ap; -#ifndef USE_GETIPNODEBY - extern int h_errno; -#endif - - top = NULL; - sentinel.ai_next = NULL; - cur = &sentinel; -#ifdef USE_GETIPNODEBY - if (af == AF_UNSPEC) { - hp = getipnodebyname(hostname, AF_INET6, - AI_ADDRCONFIG|AI_ALL|AI_V4MAPPED, &h_error); - } else - hp = getipnodebyname(hostname, af, AI_ADDRCONFIG, &h_error); -#else - if (af == AF_UNSPEC) { - error = EAI_FAIL; - goto bad; - } - hp = gethostbyname2(hostname, af); - h_error = h_errno; -#endif - if (hp == NULL) { - switch (h_error) { - case HOST_NOT_FOUND: - case NO_DATA: - error = EAI_NODATA; - break; - case TRY_AGAIN: - error = EAI_AGAIN; - break; - case NO_RECOVERY: - case NETDB_INTERNAL: - default: - error = EAI_FAIL; - break; - } - goto bad; - } - - if ((hp->h_name == NULL) || (hp->h_name[0] == 0) || - (hp->h_addr_list[0] == NULL)) - ERR(EAI_FAIL); - - for (i = 0; (ap = hp->h_addr_list[i]) != NULL; i++) { - switch (af) { -#ifdef INET6 - case AF_INET6: - afd = &afdl[N_INET6]; - break; -#endif -#ifndef 
INET6 - default: /* AF_UNSPEC */ -#endif - case AF_INET: - afd = &afdl[N_INET]; - break; -#ifdef INET6 - default: /* AF_UNSPEC */ - if (IN6_IS_ADDR_V4MAPPED((struct in6_addr *)ap)) { - ap += sizeof(struct in6_addr) - - sizeof(struct in_addr); - afd = &afdl[N_INET]; - } else - afd = &afdl[N_INET6]; - break; -#endif - } -#ifdef FAITH - if (translate && afd->a_af == AF_INET) { - struct in6_addr *in6; - - GET_AI(cur->ai_next, &afdl[N_INET6], ap, port); - in6 = &((struct sockaddr_in6 *)cur->ai_next->ai_addr)->sin6_addr; - memcpy(&in6->s6_addr[0], &faith_prefix, - sizeof(struct in6_addr) - sizeof(struct in_addr)); - memcpy(&in6->s6_addr[12], ap, sizeof(struct in_addr)); - } else -#endif /* FAITH */ - GET_AI(cur->ai_next, afd, ap, port); - if (cur == &sentinel) { - top = cur->ai_next; - GET_CANONNAME(top, hp->h_name); - } - cur = cur->ai_next; - } -#ifdef USE_GETIPNODEBY - freehostent(hp); -#endif - *res = top; - return SUCCESS; - free: - if (top) - freeaddrinfo(top); -#ifdef USE_GETIPNODEBY - if (hp) - freehostent(hp); -#endif - bad: - *res = NULL; - return error; -} diff --git a/kame/kame/racoon/missing/getnameinfo.c b/kame/kame/racoon/missing/getnameinfo.c deleted file mode 100644 index 8b10692228..0000000000 --- a/kame/kame/racoon/missing/getnameinfo.c +++ /dev/null 
@@ -1,222 +0,0 @@
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Issues to be discussed:
- * - Thread safe-ness must be checked
- * - Return values. There seems to be no standard for return value (RFC2553)
- * but INRIA implementation returns EAI_xxx defined for getaddrinfo().
- */
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#include "missing/addrinfo.h"
-
-#define SUCCESS 0
-#define ANY 0
-#define YES 1
-#define NO 0
-
-static struct afd {
- int a_af;
- int a_addrlen;
- int a_socklen;
- int a_off;
-} afdl [] = {
-#ifdef INET6
- {PF_INET6, sizeof(struct in6_addr), sizeof(struct sockaddr_in6),
- offsetof(struct sockaddr_in6, sin6_addr)},
-#endif
- {PF_INET, sizeof(struct in_addr), sizeof(struct sockaddr_in),
- offsetof(struct sockaddr_in, sin_addr)},
- {0, 0, 0},
-};
-
-struct sockinet {
- u_char si_len;
- u_char si_family;
- u_short si_port;
-};
-
-#define ENI_NOSOCKET 0
-#define ENI_NOSERVNAME 1
-#define ENI_NOHOSTNAME 2
-#define ENI_MEMORY 3
-#define ENI_SYSTEM 4
-#define ENI_FAMILY 5
-#define ENI_SALEN 6
-
-int
-getnameinfo(sa, salen, host, hostlen, serv, servlen, flags)
- const struct sockaddr *sa;
- size_t salen;
- char *host;
- size_t hostlen;
- char *serv;
- size_t servlen;
- int flags;
-{
- struct afd *afd;
- struct servent *sp;
- struct hostent *hp;
- u_short port;
- int family, len, i;
- char *addr, *p;
- u_long v4a;
- int h_error;
- char numserv[512];
- char numaddr[512];
-
- if (sa == NULL)
- return ENI_NOSOCKET;
-
- len = sa->sa_len;
- if (len != salen) return ENI_SALEN;
-
- family = sa->sa_family;
- for (i = 0; afdl[i].a_af; i++)
- if (afdl[i].a_af == family) {
- afd = &afdl[i];
- goto found;
- }
- return ENI_FAMILY;
-
- found:
- if (len != afd->a_socklen) return ENI_SALEN;
-
- port = ((struct sockinet *)sa)->si_port; /* network byte order */
- addr = (char *)sa + afd->a_off;
-
- if (serv == NULL || servlen == 0) {
- /* what we should do? */
- } else if (flags & NI_NUMERICSERV) {
- snprintf(numserv, sizeof(numserv), "%d", ntohs(port));
- if (strlen(numserv) > servlen)
- return ENI_MEMORY;
- strcpy(serv, numserv);
- } else {
- sp = getservbyport(port, (flags & NI_DGRAM) ? 
"udp" : "tcp");
- if (sp) {
- if (strlen(sp->s_name) > servlen)
- return ENI_MEMORY;
- strcpy(serv, sp->s_name);
- } else
- return ENI_NOSERVNAME;
- }
-
- switch (sa->sa_family) {
- case AF_INET:
- v4a = ntohl(((struct sockaddr_in *)sa)->sin_addr.s_addr);
- if (IN_MULTICAST(v4a) || IN_EXPERIMENTAL(v4a))
- flags |= NI_NUMERICHOST;
- v4a >>= IN_CLASSA_NSHIFT;
- if (v4a == 0 || v4a == IN_LOOPBACKNET)
- flags |= NI_NUMERICHOST;
- break;
-#ifdef INET6
- case AF_INET6:
- {
- struct sockaddr_in6 *sin6;
- sin6 = (struct sockaddr_in6 *)sa;
- switch (sin6->sin6_addr.s6_addr[0]) {
- case 0x00:
- if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr))
- ;
- else if (IN6_IS_ADDR_LOOPBACK(&sin6->sin6_addr))
- ;
- else
- flags |= NI_NUMERICHOST;
- break;
- default:
- if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))
- flags |= NI_NUMERICHOST;
- else if (IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr))
- flags |= NI_NUMERICHOST;
- break;
- }
- }
- break;
-#endif
- }
- if (host == NULL || hostlen == 0) {
- /* what should we do? 
*/
- } else if (flags & NI_NUMERICHOST) {
- /* NUMERICHOST and NAMEREQD conflicts with each other */
- if (flags & NI_NAMEREQD)
- return ENI_NOHOSTNAME;
- if (inet_ntop(afd->a_af, addr, numaddr, sizeof(numaddr))
- == NULL)
- return ENI_SYSTEM;
- if (strlen(numaddr) > hostlen)
- return ENI_MEMORY;
- strcpy(host, numaddr);
- } else {
-#ifdef USE_GETIPNODEBY
- hp = getipnodebyaddr(addr, afd->a_addrlen, afd->a_af, &h_error);
-#else
- hp = gethostbyaddr(addr, afd->a_addrlen, afd->a_af);
- h_error = h_errno;
-#endif
-
- if (hp) {
- if (flags & NI_NOFQDN) {
- p = strchr(hp->h_name, '.');
- if (p) *p = '\0';
- }
- if (strlen(hp->h_name) > hostlen) {
-#ifdef USE_GETIPNODEBY
- freehostent(hp);
-#endif
- return ENI_MEMORY;
- }
- strcpy(host, hp->h_name);
-#ifdef USE_GETIPNODEBY
- freehostent(hp);
-#endif
- } else {
- if (flags & NI_NAMEREQD)
- return ENI_NOHOSTNAME;
- if (inet_ntop(afd->a_af, addr, numaddr, sizeof(numaddr))
- == NULL)
- return ENI_NOHOSTNAME;
- if (strlen(numaddr) > hostlen)
- return ENI_MEMORY;
- strcpy(host, numaddr);
- }
- }
- return SUCCESS;
-}
diff --git a/kame/kame/racoon/missing/strdup.c b/kame/kame/racoon/missing/strdup.c
deleted file mode 100644
index 39df3f9c21..0000000000
--- a/kame/kame/racoon/missing/strdup.c
+++ /dev/null
@@ -1,45 +0,0 @@
-/* $KAME: strdup.c,v 1.2 2000/10/04 17:41:07 itojun Exp $ */
-
-/*
- * Copyright (C) 1997 and 1998 WIDE Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include
-#include
-#include
-
-char *
-strdup(str)
- const char *str;
-{
- char *p;
-
- p = (char *)malloc(strlen(str) + 1);
- if (p)
- strcpy(p, str);
- return p;
-}
diff --git a/kame/kame/racoon/netdb_dnssec.h b/kame/kame/racoon/netdb_dnssec.h
deleted file mode 100644
index 94c933f540..0000000000
--- a/kame/kame/racoon/netdb_dnssec.h
+++ /dev/null
@@ -1,67 +0,0 @@
-/* $KAME: netdb_dnssec.h,v 1.2 2001/04/11 09:52:00 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef T_CERT
-#define T_CERT 37 /* defined by RFC2538 section 2 */
-#endif
-
-/* RFC2538 section 2.1 */
-#define DNSSEC_TYPE_PKIX 1
-#define DNSSEC_TYPE_SPKI 2
-#define DNSSEC_TYPE_PGP 3
-#define DNSSEC_TYPE_URI 4
-#define DNSSEC_TYPE_OID 5
-
-/* RFC2535 section 3.2 */
-#define DNSSEC_ALG_RSAMD5 1
-#define DNSSEC_ALG_DH 2
-#define DNSSEC_ALG_DSA 3
-#define DNSSEC_ALG_ECC 4
-#define DNSSEC_ALG_PRIVATEDNS 5
-#define DNSSEC_ALG_PRIVATEOID 6
-
-/*
- * Structures returned by network data base library. All addresses are
- * supplied in host order, and returned in network order (suitable for
- * use in system calls).
- */
-struct certinfo {
- int ci_type; /* certificate type */
- int ci_keytag; /* keytag */
- int ci_algorithm; /* algorithm */
- int ci_flags; /* currently, 1:valid or 0:uncertain */
- size_t ci_certlen; /* length of certificate */
- char *ci_cert; /* certificate */
- struct certinfo *ci_next; /* next structure */
-};
-
-extern void freecertinfo __P((struct certinfo *));
-extern int getcertsbyname __P((char *, struct certinfo **));
diff --git a/kame/kame/racoon/oakley.c b/kame/kame/racoon/oakley.c
deleted file mode 100644
index bb80f33d42..0000000000
--- a/kame/kame/racoon/oakley.c
+++ /dev/null
@@ -1,2918 +0,0 @@
-/* $KAME: oakley.c,v 1.121 2004/12/09 08:31:39 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include
-#include
-#include /* XXX for subjectaltname */
-#include /* XXX for subjectaltname */
-
-#include
-#include
-#include
-#include
-
-#if TIME_WITH_SYS_TIME
-# include
-# include
-#else
-# if HAVE_SYS_TIME_H
-# include
-# else
-# include
-# endif
-#endif
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "str2val.h"
-#include "plog.h"
-#include "debug.h"
-
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "oakley.h"
-#include "localconf.h"
-#include "remoteconf.h"
-#include "policy.h"
-#include "handler.h"
-#include "ipsec_doi.h"
-#include "algorithm.h"
-#include "dhgroup.h"
-#include "sainfo.h"
-#include "proposal.h"
-#include "crypto_openssl.h"
-#include "dnssec.h"
-#include "sockmisc.h"
-#include "strnames.h"
-#include "gcmalloc.h"
-#ifndef HAVE_ARC4RANDOM
-#include "arc4random.h"
-#endif
-
-#ifdef HAVE_GSSAPI
-#include "auth_gssapi.h"
-#endif
-
-#define OUTBOUND_SA 0
-#define INBOUND_SA 1
-
-#define INITDHVAL(a, s, d, t) \
-do { \
- vchar_t buf; \
- buf.v = str2val((s), 16, &buf.l); \
- memset(&a, 0, sizeof(struct dhgroup)); \
- a.type = (t); \
- a.prime = vdup(&buf); \
- a.gen1 = 2; \
- a.gen2 = 0; \
- racoon_free(buf.v); \
-} while(0);
-
-struct dhgroup dh_modp768;
-struct dhgroup dh_modp1024;
-struct dhgroup dh_modp1536;
-struct dhgroup dh_modp2048;
-struct dhgroup dh_modp3072;
-struct dhgroup dh_modp4096;
-struct dhgroup dh_modp6144;
-struct dhgroup dh_modp8192;
-
-
-static int oakley_check_dh_pub __P((vchar_t *, vchar_t **));
-static int oakley_compute_keymat_x __P((struct ph2handle *, int, int));
-#ifdef HAVE_SIGNING_C
-static int get_cert_fromlocal __P((struct ph1handle *, int));
-static int oakley_check_certid __P((struct ph1handle *iph1));
-static int check_typeofcertname __P((int, int));
-static cert_t *save_certbuf __P((struct isakmp_gen *));
-#endif
-static int oakley_padlen __P((int, int));
-
-int
-oakley_get_defaultlifetime()
-{
- return OAKLEY_ATTR_SA_LD_SEC_DEFAULT;
-}
-
-int
-oakley_dhinit()
-{
- /* set 
DH MODP */
- INITDHVAL(dh_modp768, OAKLEY_PRIME_MODP768,
- OAKLEY_ATTR_GRP_DESC_MODP768, OAKLEY_ATTR_GRP_TYPE_MODP);
- INITDHVAL(dh_modp1024, OAKLEY_PRIME_MODP1024,
- OAKLEY_ATTR_GRP_DESC_MODP1024, OAKLEY_ATTR_GRP_TYPE_MODP);
- INITDHVAL(dh_modp1536, OAKLEY_PRIME_MODP1536,
- OAKLEY_ATTR_GRP_DESC_MODP1536, OAKLEY_ATTR_GRP_TYPE_MODP);
- INITDHVAL(dh_modp2048, OAKLEY_PRIME_MODP2048,
- OAKLEY_ATTR_GRP_DESC_MODP2048, OAKLEY_ATTR_GRP_TYPE_MODP);
- INITDHVAL(dh_modp3072, OAKLEY_PRIME_MODP3072,
- OAKLEY_ATTR_GRP_DESC_MODP3072, OAKLEY_ATTR_GRP_TYPE_MODP);
- INITDHVAL(dh_modp4096, OAKLEY_PRIME_MODP4096,
- OAKLEY_ATTR_GRP_DESC_MODP4096, OAKLEY_ATTR_GRP_TYPE_MODP);
- INITDHVAL(dh_modp6144, OAKLEY_PRIME_MODP6144,
- OAKLEY_ATTR_GRP_DESC_MODP6144, OAKLEY_ATTR_GRP_TYPE_MODP);
- INITDHVAL(dh_modp8192, OAKLEY_PRIME_MODP8192,
- OAKLEY_ATTR_GRP_DESC_MODP8192, OAKLEY_ATTR_GRP_TYPE_MODP);
-
- return 0;
-}
-
-void
-oakley_dhclean()
-{
- vfree(dh_modp768.prime);
- vfree(dh_modp1024.prime);
- vfree(dh_modp1536.prime);
- vfree(dh_modp2048.prime);
- vfree(dh_modp3072.prime);
- vfree(dh_modp4096.prime);
- vfree(dh_modp6144.prime);
- vfree(dh_modp8192.prime);
-}
-
-void
-oakley_dhgrp_free(dhgrp)
- struct dhgroup *dhgrp;
-{
- if (dhgrp->prime)
- vfree(dhgrp->prime);
- if (dhgrp->curve_a)
- vfree(dhgrp->curve_a);
- if (dhgrp->curve_b)
- vfree(dhgrp->curve_b);
- if (dhgrp->order)
- vfree(dhgrp->order);
- racoon_free(dhgrp);
-}
-
-/*
- * RFC2409 5
- * The length of the Diffie-Hellman public value MUST be equal to the
- * length of the prime modulus over which the exponentiation was
- * performed, prepending zero bits to the value if necessary.
- */
-static int
-oakley_check_dh_pub(prime, pub0)
- vchar_t *prime, **pub0;
-{
- vchar_t *tmp;
- vchar_t *pub = *pub0;
-
- if (prime->l == pub->l)
- return 0;
-
- if (prime->l < pub->l) {
- /* what should i do ? 
*/
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid public information was generated.\n");
- return -1;
- }
-
- /* prime->l > pub->l */
- tmp = vmalloc(prime->l);
- if (tmp == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get DH buffer.\n");
- return -1;
- }
- memcpy(tmp->v + prime->l - pub->l, pub->v, pub->l);
-
- vfree(*pub0);
- *pub0 = tmp;
-
- return 0;
-}
-
-/*
- * compute sharing secret of DH
- * IN: *dh, *pub, *priv, *pub_p
- * OUT: **gxy
- */
-int
-oakley_dh_compute(dh, pub, priv, pub_p, gxy)
- const struct dhgroup *dh;
- vchar_t *pub, *priv, *pub_p, **gxy;
-{
-#ifdef ENABLE_STATS
- struct timeval start, end;
-#endif
- if ((*gxy = vmalloc(dh->prime->l)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get DH buffer.\n");
- return -1;
- }
-
-#ifdef ENABLE_STATS
- gettimeofday(&start, NULL);
-#endif
- switch (dh->type) {
- case OAKLEY_ATTR_GRP_TYPE_MODP:
- if (eay_dh_compute(dh->prime, dh->gen1, pub, priv, pub_p, gxy) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to compute dh value.\n");
- return -1;
- }
- break;
- case OAKLEY_ATTR_GRP_TYPE_ECP:
- case OAKLEY_ATTR_GRP_TYPE_EC2N:
- plog(LLV_ERROR, LOCATION, NULL,
- "dh type %d isn't supported.\n", dh->type);
- return -1;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid dh type %d.\n", dh->type);
- return -1;
- }
-
-#ifdef ENABLE_STATS
- gettimeofday(&end, NULL);
- syslog(LOG_NOTICE, "%s(%s%d): %8.6f", __func__,
- s_attr_isakmp_group(dh->type), dh->prime->l << 3,
- timedelta(&start, &end));
-#endif
-
- plog(LLV_DEBUG, LOCATION, NULL, "compute DH's shared.\n");
- plogdump(LLV_DEBUG, (*gxy)->v, (*gxy)->l);
-
- return 0;
-}
-
-/*
- * generate values of DH
- * IN: *dh
- * OUT: **pub, **priv
- */
-int
-oakley_dh_generate(dh, pub, priv)
- const struct dhgroup *dh;
- vchar_t **pub, **priv;
-{
-#ifdef ENABLE_STATS
- struct timeval start, end;
- gettimeofday(&start, NULL);
-#endif
- switch (dh->type) {
- case OAKLEY_ATTR_GRP_TYPE_MODP:
- if (eay_dh_generate(dh->prime, dh->gen1, dh->gen2, pub, 
priv) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to compute dh value.\n");
- return -1;
- }
- break;
-
- case OAKLEY_ATTR_GRP_TYPE_ECP:
- case OAKLEY_ATTR_GRP_TYPE_EC2N:
- plog(LLV_ERROR, LOCATION, NULL,
- "dh type %d isn't supported.\n", dh->type);
- return -1;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid dh type %d.\n", dh->type);
- return -1;
- }
-
-#ifdef ENABLE_STATS
- gettimeofday(&end, NULL);
- syslog(LOG_NOTICE, "%s(%s%d): %8.6f", __func__,
- s_attr_isakmp_group(dh->type), dh->prime->l << 3,
- timedelta(&start, &end));
-#endif
-
- if (oakley_check_dh_pub(dh->prime, pub) != 0)
- return -1;
-
- plog(LLV_DEBUG, LOCATION, NULL, "compute DH's private.\n");
- plogdump(LLV_DEBUG, (*priv)->v, (*priv)->l);
- plog(LLV_DEBUG, LOCATION, NULL, "compute DH's public.\n");
- plogdump(LLV_DEBUG, (*pub)->v, (*pub)->l);
-
- return 0;
-}
-
-/*
- * copy pre-defined dhgroup values.
- */
-int
-oakley_setdhgroup(group, dhgrp)
- int group;
- struct dhgroup **dhgrp;
-{
- struct dhgroup *g;
-
- *dhgrp = NULL; /* just make sure, initialize */
-
- g = alg_oakley_dhdef_group(group);
- if (g == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid DH parameter grp=%d.\n", group);
- return -1;
- }
-
- if (!g->type || !g->prime || !g->gen1) {
- /* unsuported */
- plog(LLV_ERROR, LOCATION, NULL,
- "unsupported DH parameters grp=%d.\n", group);
- return -1;
- }
-
- *dhgrp = racoon_calloc(1, sizeof(struct dhgroup));
- if (*dhgrp == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get DH buffer.\n");
- return 0;
- }
-
- /* set defined dh vlaues */
- memcpy(*dhgrp, g, sizeof(*g));
- (*dhgrp)->prime = vdup(g->prime);
-
- return 0;
-}
-
-/*
- * PRF
- *
- * NOTE: we do not support prf with different input/output bitwidth,
- * so we do not implement RFC2409 Appendix B (DOORAK-MAC example) in
- * oakley_compute_keymat(). If you add support for such prf function,
- * modify oakley_compute_keymat() accordingly. 
- */
-vchar_t *
-oakley_prf(key, buf, iph1)
- vchar_t *key, *buf;
- struct ph1handle *iph1;
-{
- vchar_t *res = NULL;
- int type;
-
- if (iph1->approval == NULL) {
- /*
- * it's before negotiating hash algorithm.
- * We use md5 as default.
- */
- type = OAKLEY_ATTR_HASH_ALG_MD5;
- } else
- type = iph1->approval->hashtype;
-
- res = alg_oakley_hmacdef_one(type, key, buf);
- if (res == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid hmac algorithm %d.\n", type);
- return NULL;
- }
-
- return res;
-}
-
-/*
- * hash
- */
-vchar_t *
-oakley_hash(buf, iph1)
- vchar_t *buf;
- struct ph1handle *iph1;
-{
- vchar_t *res = NULL;
- int type;
-
- if (iph1->approval == NULL) {
- /*
- * it's before negotiating hash algorithm.
- * We use md5 as default.
- */
- type = OAKLEY_ATTR_HASH_ALG_MD5;
- } else
- type = iph1->approval->hashtype;
-
- res = alg_oakley_hashdef_one(type, buf);
- if (res == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid hash algoriym %d.\n", type);
- return NULL;
- }
-
- return res;
-}
-
-/*
- * compute KEYMAT
- * see seciton 5.5 Phase 2 - Quick Mode in isakmp-oakley-05.
- */
-int
-oakley_compute_keymat(iph2, side)
- struct ph2handle *iph2;
- int side;
-{
- int error = -1;
-
- /* compute sharing secret of DH when PFS */
- if (iph2->approval->pfs_group && iph2->dhpub_p) {
- if (oakley_dh_compute(iph2->pfsgrp, iph2->dhpub,
- iph2->dhpriv, iph2->dhpub_p, &iph2->dhgxy) < 0)
- goto end;
- }
-
- /* compute keymat */
- if (oakley_compute_keymat_x(iph2, side, INBOUND_SA) < 0
- || oakley_compute_keymat_x(iph2, side, OUTBOUND_SA) < 0)
- goto end;
-
- plog(LLV_DEBUG, LOCATION, NULL, "KEYMAT computed.\n");
-
- error = 0;
-
-end:
- return error;
-}
-
-/*
- * compute KEYMAT.
- * KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b). 
- * If PFS is desired and KE payloads were exchanged,
- * KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
- *
- * NOTE: we do not support prf with different input/output bitwidth,
- * so we do not implement RFC2409 Appendix B (DOORAK-MAC example).
- */
-static int
-oakley_compute_keymat_x(iph2, side, sa_dir)
- struct ph2handle *iph2;
- int side;
- int sa_dir;
-{
- vchar_t *buf = NULL, *res = NULL, *bp;
- char *p;
- int len;
- int error = -1;
- int pfs = 0;
- int dupkeymat; /* generate K[1-dupkeymat] */
- struct saproto *pr;
- struct satrns *tr;
- int encklen, authklen, l;
-
- pfs = ((iph2->approval->pfs_group && iph2->dhgxy) ? 1 : 0);
-
- len = pfs ? iph2->dhgxy->l : 0;
- len += (1
- + sizeof(u_int32_t) /* XXX SPI size */
- + iph2->nonce->l
- + iph2->nonce_p->l);
- buf = vmalloc(len);
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get keymat buffer.\n");
- goto end;
- }
-
- for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
- p = buf->v;
-
- /* if PFS */
- if (pfs) {
- memcpy(p, iph2->dhgxy->v, iph2->dhgxy->l);
- p += iph2->dhgxy->l;
- }
-
- p[0] = pr->proto_id;
- p += 1;
-
- memcpy(p, (sa_dir == INBOUND_SA ? &pr->spi : &pr->spi_p),
- sizeof(pr->spi));
- p += sizeof(pr->spi);
-
- bp = (side == INITIATOR ? iph2->nonce : iph2->nonce_p);
- memcpy(p, bp->v, bp->l);
- p += bp->l;
-
- bp = (side == INITIATOR ? 
iph2->nonce_p : iph2->nonce);
- memcpy(p, bp->v, bp->l);
- p += bp->l;
-
- /* compute IV */
- plog(LLV_DEBUG, LOCATION, NULL, "KEYMAT compute with\n");
- plogdump(LLV_DEBUG, buf->v, buf->l);
-
- /* res = K1 */
- res = oakley_prf(iph2->ph1->skeyid_d, buf, iph2->ph1);
- if (res == NULL)
- goto end;
-
- /* compute key length needed */
- encklen = authklen = 0;
- switch (pr->proto_id) {
- case IPSECDOI_PROTO_IPSEC_ESP:
- for (tr = pr->head; tr; tr = tr->next) {
- l = alg_ipsec_encdef_keylen(tr->trns_id,
- tr->encklen);
- if (l > encklen)
- encklen = l;
-
- l = alg_ipsec_hmacdef_hashlen(tr->authtype);
- if (l > authklen)
- authklen = l;
- }
- break;
- case IPSECDOI_PROTO_IPSEC_AH:
- for (tr = pr->head; tr; tr = tr->next) {
- l = alg_ipsec_hmacdef_hashlen(tr->trns_id);
- if (l > authklen)
- authklen = l;
- }
- break;
- default:
- break;
- }
- plog(LLV_DEBUG, LOCATION, NULL, "encklen=%d authklen=%d\n",
- encklen, authklen);
-
- dupkeymat = (encklen + authklen) / 8 / res->l;
- dupkeymat += 2; /* safety mergin */
- if (dupkeymat < 3)
- dupkeymat = 3;
- plog(LLV_DEBUG, LOCATION, NULL,
- "generating %d bits of key (dupkeymat=%d)\n",
- dupkeymat * 8 * res->l, dupkeymat);
- if (0 < --dupkeymat) {
- vchar_t *prev = res; /* K(n-1) */
- vchar_t *seed = NULL; /* seed for Kn */
- size_t l;
-
- /*
- * generating long key (isakmp-oakley-08 5.5)
- * KEYMAT = K1 | K2 | K3 | ... 
- * where
- * src = [ g(qm)^xy | ] protocol | SPI | Ni_b | Nr_b
- * K1 = prf(SKEYID_d, src)
- * K2 = prf(SKEYID_d, K1 | src)
- * K3 = prf(SKEYID_d, K2 | src)
- * Kn = prf(SKEYID_d, K(n-1) | src)
- */
- plog(LLV_DEBUG, LOCATION, NULL,
- "generating K1...K%d for KEYMAT.\n",
- dupkeymat + 1);
-
- seed = vmalloc(prev->l + buf->l);
- if (seed == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get keymat buffer.\n");
- if (prev && prev != res)
- vfree(prev);
- goto end;
- }
-
- while (dupkeymat--) {
- vchar_t *this = NULL; /* Kn */
-
- memcpy(seed->v, prev->v, prev->l);
- memcpy(seed->v + prev->l, buf->v, buf->l);
- this = oakley_prf(iph2->ph1->skeyid_d, seed,
- iph2->ph1);
- if (!this) {
- plog(LLV_ERROR, LOCATION, NULL,
- "oakley_prf memory overflow\n");
- if (prev && prev != res)
- vfree(prev);
- vfree(this);
- vfree(seed);
- goto end;
- }
-
- l = res->l;
- res = vrealloc(res, l + this->l);
- if (res == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get keymat buffer.\n");
- if (prev && prev != res)
- vfree(prev);
- vfree(this);
- vfree(seed);
- goto end;
- }
- memcpy(res->v + l, this->v, this->l);
-
- if (prev && prev != res)
- vfree(prev);
- prev = this;
- this = NULL;
- }
-
- if (prev && prev != res)
- vfree(prev);
- vfree(seed);
- }
-
- plogdump(LLV_DEBUG, res->v, res->l);
-
- if (sa_dir == INBOUND_SA)
- pr->keymat = res;
- else
- pr->keymat_p = res;
- res = NULL;
- }
-
- error = 0;
-
-end:
- if (error) {
- for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
- if (pr->keymat) {
- vfree(pr->keymat);
- pr->keymat = NULL;
- }
- if (pr->keymat_p) {
- vfree(pr->keymat_p);
- pr->keymat_p = NULL;
- }
- }
- }
-
- if (buf != NULL)
- vfree(buf);
- if (res)
- vfree(res);
-
- return error;
-}
-
-#if notyet
-/*
- * NOTE: Must terminate by NULL.
- */
-vchar_t *
-oakley_compute_hashx(struct ph1handle *iph1, ...) 
-{
- vchar_t *buf, *res;
- vchar_t *s;
- caddr_t p;
- int len;
-
- va_list ap;
-
- /* get buffer length */
- va_start(ap, iph1);
- len = 0;
- while ((s = va_arg(ap, vchar_t *)) != NULL) {
- len += s->l
- }
- va_end(ap);
-
- buf = vmalloc(len);
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get hash buffer\n");
- return NULL;
- }
-
- /* set buffer */
- va_start(ap, iph1);
- p = buf->v;
- while ((s = va_arg(ap, char *)) != NULL) {
- memcpy(p, s->v, s->l);
- p += s->l;
- }
- va_end(ap);
-
- plog(LLV_DEBUG, LOCATION, NULL, "HASH with: \n");
- plogdump(LLV_DEBUG, buf->v, buf->l);
-
- /* compute HASH */
- res = oakley_prf(iph1->skeyid_a, buf, iph1);
- vfree(buf);
- if (res == NULL)
- return NULL;
-
- plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n");
- plogdump(LLV_DEBUG, res->v, res->l);
-
- return res;
-}
-#endif
-
-/*
- * compute HASH(3) prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b)
- * see seciton 5.5 Phase 2 - Quick Mode in isakmp-oakley-05.
- */
-vchar_t *
-oakley_compute_hash3(iph1, msgid, body)
- struct ph1handle *iph1;
- u_int32_t msgid;
- vchar_t *body;
-{
- vchar_t *buf = 0, *res = 0;
- int len;
- int error = -1;
-
- /* create buffer */
- len = 1 + sizeof(u_int32_t) + body->l;
- buf = vmalloc(len);
- if (buf == NULL) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "failed to get hash buffer\n");
- goto end;
- }
-
- buf->v[0] = 0;
-
- memcpy(buf->v + 1, (char *)&msgid, sizeof(msgid));
-
- memcpy(buf->v + 1 + sizeof(u_int32_t), body->v, body->l);
-
- plog(LLV_DEBUG, LOCATION, NULL, "HASH with: \n");
- plogdump(LLV_DEBUG, buf->v, buf->l);
-
- /* compute HASH */
- res = oakley_prf(iph1->skeyid_a, buf, iph1);
- if (res == NULL)
- goto end;
-
- error = 0;
-
- plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n");
- plogdump(LLV_DEBUG, res->v, res->l);
-
-end:
- if (buf != NULL)
- vfree(buf);
- return res;
-}
-
-/*
- * compute HASH type of prf(SKEYID_a, M-ID | buffer)
- * e.g. 
- * for quick mode HASH(1):
- * prf(SKEYID_a, M-ID | SA | Ni [ | KE ] [ | IDci | IDcr ])
- * for quick mode HASH(2):
- * prf(SKEYID_a, M-ID | Ni_b | SA | Nr [ | KE ] [ | IDci | IDcr ])
- * for Informational exchange:
- * prf(SKEYID_a, M-ID | N/D)
- */
-vchar_t *
-oakley_compute_hash1(iph1, msgid, body)
- struct ph1handle *iph1;
- u_int32_t msgid;
- vchar_t *body;
-{
- vchar_t *buf = NULL, *res = NULL;
- char *p;
- int len;
- int error = -1;
-
- /* create buffer */
- len = sizeof(u_int32_t) + body->l;
- buf = vmalloc(len);
- if (buf == NULL) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "failed to get hash buffer\n");
- goto end;
- }
-
- p = buf->v;
-
- memcpy(buf->v, (char *)&msgid, sizeof(msgid));
- p += sizeof(u_int32_t);
-
- memcpy(p, body->v, body->l);
-
- plog(LLV_DEBUG, LOCATION, NULL, "HASH with:\n");
- plogdump(LLV_DEBUG, buf->v, buf->l);
-
- /* compute HASH */
- res = oakley_prf(iph1->skeyid_a, buf, iph1);
- if (res == NULL)
- goto end;
-
- error = 0;
-
- plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n");
- plogdump(LLV_DEBUG, res->v, res->l);
-
-end:
- if (buf != NULL)
- vfree(buf);
- return res;
-}
-
-/*
- * compute phase1 HASH
- * main/aggressive
- * I-digest = prf(SKEYID, g^i | g^r | CKY-I | CKY-R | SAi_b | ID_i1_b)
- * R-digest = prf(SKEYID, g^r | g^i | CKY-R | CKY-I | SAi_b | ID_r1_b)
- * for gssapi, also include all GSS tokens, and call gss_wrap on the result
- */
-vchar_t *
-oakley_ph1hash_common(iph1, sw)
- struct ph1handle *iph1;
- int sw;
-{
- vchar_t *buf = NULL, *res = NULL, *bp;
- char *p, *bp2;
- int len, bl;
- int error = -1;
-#ifdef HAVE_GSSAPI
- vchar_t *gsstokens = NULL;
-#endif
-
- /* create buffer */
- len = iph1->dhpub->l
- + iph1->dhpub_p->l
- + sizeof(cookie_t) * 2
- + iph1->sa->l
- + (sw == GENERATE ? iph1->id->l : iph1->id_p->l);
-
-#ifdef HAVE_GSSAPI
- if (iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
- if (iph1->gi_i != NULL && iph1->gi_r != NULL) {
- bp = (sw == GENERATE ? 
iph1->gi_i : iph1->gi_r);
- len += bp->l;
- }
- if (sw == GENERATE)
- gssapi_get_itokens(iph1, &gsstokens);
- else
- gssapi_get_rtokens(iph1, &gsstokens);
- if (gsstokens == NULL)
- return NULL;
- len += gsstokens->l;
- }
-#endif
-
- buf = vmalloc(len);
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get hash buffer\n");
- goto end;
- }
-
- p = buf->v;
-
- bp = (sw == GENERATE ? iph1->dhpub : iph1->dhpub_p);
- memcpy(p, bp->v, bp->l);
- p += bp->l;
-
- bp = (sw == GENERATE ? iph1->dhpub_p : iph1->dhpub);
- memcpy(p, bp->v, bp->l);
- p += bp->l;
-
- if (iph1->side == INITIATOR)
- bp2 = (sw == GENERATE ?
- (char *)&iph1->index.i_ck : (char *)&iph1->index.r_ck);
- else
- bp2 = (sw == GENERATE ?
- (char *)&iph1->index.r_ck : (char *)&iph1->index.i_ck);
- bl = sizeof(cookie_t);
- memcpy(p, bp2, bl);
- p += bl;
-
- if (iph1->side == INITIATOR)
- bp2 = (sw == GENERATE ?
- (char *)&iph1->index.r_ck : (char *)&iph1->index.i_ck);
- else
- bp2 = (sw == GENERATE ?
- (char *)&iph1->index.i_ck : (char *)&iph1->index.r_ck);
- bl = sizeof(cookie_t);
- memcpy(p, bp2, bl);
- p += bl;
-
- bp = iph1->sa;
- memcpy(p, bp->v, bp->l);
- p += bp->l;
-
- bp = (sw == GENERATE ? iph1->id : iph1->id_p);
- memcpy(p, bp->v, bp->l);
- p += bp->l;
-
-#ifdef HAVE_GSSAPI
- if (iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
- if (iph1->gi_i != NULL && iph1->gi_r != NULL) {
- bp = (sw == GENERATE ? 
iph1->gi_i : iph1->gi_r); - memcpy(p, bp->v, bp->l); - p += bp->l; - } - memcpy(p, gsstokens->v, gsstokens->l); - p += gsstokens->l; - } -#endif - - plog(LLV_DEBUG, LOCATION, NULL, "HASH with:\n"); - plogdump(LLV_DEBUG, buf->v, buf->l); - - /* compute HASH */ - res = oakley_prf(iph1->skeyid, buf, iph1); - if (res == NULL) - goto end; - - error = 0; - - plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n"); - plogdump(LLV_DEBUG, res->v, res->l); - -end: - if (buf != NULL) - vfree(buf); -#ifdef HAVE_GSSAPI - if (gsstokens != NULL) - vfree(gsstokens); -#endif - return res; -} - -/* - * compute HASH_I on base mode. - * base:psk,rsa - * HASH_I = prf(SKEYID, g^xi | CKY-I | CKY-R | SAi_b | IDii_b) - * base:sig - * HASH_I = prf(hash(Ni_b | Nr_b), g^xi | CKY-I | CKY-R | SAi_b | IDii_b) - */ -vchar_t * -oakley_ph1hash_base_i(iph1, sw) - struct ph1handle *iph1; - int sw; -{ - vchar_t *buf = NULL, *res = NULL, *bp; - vchar_t *hashkey = NULL; - vchar_t *hash = NULL; /* for signature mode */ - char *p; - int len; - int error = -1; - - /* sanity check */ - if (iph1->etype != ISAKMP_ETYPE_BASE) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid etype for this hash function\n"); - return NULL; - } - - switch (iph1->approval->authmethod) { - case OAKLEY_ATTR_AUTH_METHOD_PSKEY: - case OAKLEY_ATTR_AUTH_METHOD_RSAENC: - case OAKLEY_ATTR_AUTH_METHOD_RSAREV: - if (iph1->skeyid == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "no SKEYID found.\n"); - return NULL; - } - hashkey = iph1->skeyid; - break; - - case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: - case OAKLEY_ATTR_AUTH_METHOD_RSASIG: - case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: - /* make hash for seed */ - len = iph1->nonce->l + iph1->nonce_p->l; - buf = vmalloc(len); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get hash buffer\n"); - goto end; - } - p = buf->v; - - bp = (sw == GENERATE ? iph1->nonce_p : iph1->nonce); - memcpy(p, bp->v, bp->l); - p += bp->l; - - bp = (sw == GENERATE ? 
iph1->nonce : iph1->nonce_p); - memcpy(p, bp->v, bp->l); - p += bp->l; - - hash = oakley_hash(buf, iph1); - if (hash == NULL) - goto end; - vfree(buf); - buf = NULL; - - hashkey = hash; - break; - - default: - plog(LLV_ERROR, LOCATION, NULL, - "not supported authentication method %d\n", - iph1->approval->authmethod); - return NULL; - - } - - len = (sw == GENERATE ? iph1->dhpub->l : iph1->dhpub_p->l) - + sizeof(cookie_t) * 2 - + iph1->sa->l - + (sw == GENERATE ? iph1->id->l : iph1->id_p->l); - buf = vmalloc(len); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get hash buffer\n"); - goto end; - } - p = buf->v; - - bp = (sw == GENERATE ? iph1->dhpub : iph1->dhpub_p); - memcpy(p, bp->v, bp->l); - p += bp->l; - - memcpy(p, &iph1->index.i_ck, sizeof(cookie_t)); - p += sizeof(cookie_t); - memcpy(p, &iph1->index.r_ck, sizeof(cookie_t)); - p += sizeof(cookie_t); - - memcpy(p, iph1->sa->v, iph1->sa->l); - p += iph1->sa->l; - - bp = (sw == GENERATE ? iph1->id : iph1->id_p); - memcpy(p, bp->v, bp->l); - p += bp->l; - - plog(LLV_DEBUG, LOCATION, NULL, "HASH_I with:\n"); - plogdump(LLV_DEBUG, buf->v, buf->l); - - /* compute HASH */ - res = oakley_prf(hashkey, buf, iph1); - if (res == NULL) - goto end; - - error = 0; - - plog(LLV_DEBUG, LOCATION, NULL, "HASH_I computed:\n"); - plogdump(LLV_DEBUG, res->v, res->l); - -end: - if (hash != NULL) - vfree(hash); - if (buf != NULL) - vfree(buf); - return res; -} - -/* - * compute HASH_R on base mode for signature method. 
- * base: - * HASH_R = prf(hash(Ni_b | Nr_b), g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b) - */ -vchar_t * -oakley_ph1hash_base_r(iph1, sw) - struct ph1handle *iph1; - int sw; -{ - vchar_t *buf = NULL, *res = NULL, *bp; - vchar_t *hash = NULL; - char *p; - int len; - int error = -1; - - /* sanity check */ - if (iph1->etype != ISAKMP_ETYPE_BASE) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid etype for this hash function\n"); - return NULL; - } - if (iph1->approval->authmethod != OAKLEY_ATTR_AUTH_METHOD_DSSSIG - && iph1->approval->authmethod != OAKLEY_ATTR_AUTH_METHOD_RSASIG) { - plog(LLV_ERROR, LOCATION, NULL, - "not supported authentication method %d\n", - iph1->approval->authmethod); - return NULL; - } - - /* make hash for seed */ - len = iph1->nonce->l + iph1->nonce_p->l; - buf = vmalloc(len); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get hash buffer\n"); - goto end; - } - p = buf->v; - - bp = (sw == GENERATE ? iph1->nonce_p : iph1->nonce); - memcpy(p, bp->v, bp->l); - p += bp->l; - - bp = (sw == GENERATE ? iph1->nonce : iph1->nonce_p); - memcpy(p, bp->v, bp->l); - p += bp->l; - - hash = oakley_hash(buf, iph1); - if (hash == NULL) - goto end; - vfree(buf); - buf = NULL; - - /* make really hash */ - len = (sw == GENERATE ? iph1->dhpub_p->l : iph1->dhpub->l) - + (sw == GENERATE ? iph1->dhpub->l : iph1->dhpub_p->l) - + sizeof(cookie_t) * 2 - + iph1->sa->l - + (sw == GENERATE ? iph1->id_p->l : iph1->id->l); - buf = vmalloc(len); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get hash buffer\n"); - goto end; - } - p = buf->v; - - - bp = (sw == GENERATE ? iph1->dhpub_p : iph1->dhpub); - memcpy(p, bp->v, bp->l); - p += bp->l; - - bp = (sw == GENERATE ? 
iph1->dhpub : iph1->dhpub_p); - memcpy(p, bp->v, bp->l); - p += bp->l; - - memcpy(p, &iph1->index.i_ck, sizeof(cookie_t)); - p += sizeof(cookie_t); - memcpy(p, &iph1->index.r_ck, sizeof(cookie_t)); - p += sizeof(cookie_t); - - memcpy(p, iph1->sa->v, iph1->sa->l); - p += iph1->sa->l; - - bp = (sw == GENERATE ? iph1->id_p : iph1->id); - memcpy(p, bp->v, bp->l); - p += bp->l; - - plog(LLV_DEBUG, LOCATION, NULL, "HASH with:\n"); - plogdump(LLV_DEBUG, buf->v, buf->l); - - /* compute HASH */ - res = oakley_prf(hash, buf, iph1); - if (res == NULL) - goto end; - - error = 0; - - plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n"); - plogdump(LLV_DEBUG, res->v, res->l); - -end: - if (buf != NULL) - vfree(buf); - if (hash) - vfree(hash); - return res; -} - -/* - * compute each authentication method in phase 1. - * OUT: - * 0: OK - * -1: error - * other: error to be reply with notification. - * the value is notification type. - */ -int -oakley_validate_auth(iph1) - struct ph1handle *iph1; -{ - vchar_t *my_hash = NULL; - int result; -#ifdef HAVE_GSSAPI - vchar_t *gsshash = NULL; -#endif -#ifdef ENABLE_STATS - struct timeval start, end; -#endif - -#ifdef ENABLE_STATS - gettimeofday(&start, NULL); -#endif - switch (iph1->approval->authmethod) { - case OAKLEY_ATTR_AUTH_METHOD_PSKEY: - /* validate HASH */ - { - char *r_hash; - - if (iph1->id_p == NULL || iph1->pl_hash == NULL) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "few isakmp message received.\n"); - return ISAKMP_NTYPE_PAYLOAD_MALFORMED; - } - - r_hash = (caddr_t)(iph1->pl_hash + 1); - - plog(LLV_DEBUG, LOCATION, NULL, "HASH received:"); - plogdump(LLV_DEBUG, r_hash, - ntohs(iph1->pl_hash->h.len) - sizeof(*iph1->pl_hash)); - - switch (iph1->etype) { - case ISAKMP_ETYPE_IDENT: - case ISAKMP_ETYPE_AGG: - my_hash = oakley_ph1hash_common(iph1, VALIDATE); - break; - case ISAKMP_ETYPE_BASE: - if (iph1->side == INITIATOR) - my_hash = oakley_ph1hash_common(iph1, VALIDATE); - else - my_hash = oakley_ph1hash_base_i(iph1, VALIDATE); 
- break; - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid etype %d\n", iph1->etype); - return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE; - } - if (my_hash == NULL) - return ISAKMP_INTERNAL_ERROR; - - result = memcmp(my_hash->v, r_hash, my_hash->l); - vfree(my_hash); - - if (result) { - plog(LLV_ERROR, LOCATION, NULL, "HASH mismatched\n"); - return ISAKMP_NTYPE_INVALID_HASH_INFORMATION; - } - - plog(LLV_DEBUG, LOCATION, NULL, "HASH for PSK validated.\n"); - } - break; -#ifdef HAVE_SIGNING_C - case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: - case OAKLEY_ATTR_AUTH_METHOD_RSASIG: - { - int error = 0; - - /* validation */ - if (iph1->id_p == NULL) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "no ID payload was passed.\n"); - return ISAKMP_NTYPE_PAYLOAD_MALFORMED; - } - if (iph1->sig_p == NULL) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "no SIG payload was passed.\n"); - return ISAKMP_NTYPE_PAYLOAD_MALFORMED; - } - - plog(LLV_DEBUG, LOCATION, NULL, "SIGN passed:\n"); - plogdump(LLV_DEBUG, iph1->sig_p->v, iph1->sig_p->l); - - /* get peer's cert */ - switch (iph1->rmconf->getcert_method) { - case ISAKMP_GETCERT_PAYLOAD: - if (iph1->cert_p == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "no peer's CERT payload found.\n"); - return ISAKMP_INTERNAL_ERROR; - } - break; - case ISAKMP_GETCERT_LOCALFILE: - if (iph1->rmconf->peerscertfile == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "no peer's CERT file found.\n"); - return ISAKMP_INTERNAL_ERROR; - } - - /* don't use cached cert */ - if (iph1->cert_p != NULL) { - oakley_delcert(iph1->cert_p); - iph1->cert_p = NULL; - } - - error = get_cert_fromlocal(iph1, 0); - if (error) - return ISAKMP_INTERNAL_ERROR; - break; - case ISAKMP_GETCERT_DNS: - if (iph1->rmconf->peerscertfile != NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "why peer's CERT file is defined " - "though getcert method is dns ?\n"); - return ISAKMP_INTERNAL_ERROR; - } - - /* don't use cached cert */ - if (iph1->cert_p != NULL) { - oakley_delcert(iph1->cert_p); - iph1->cert_p = 
NULL; - } - - iph1->cert_p = dnssec_getcert(iph1->id_p); - if (iph1->cert_p == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "no CERT RR found.\n"); - return ISAKMP_INTERNAL_ERROR; - } - break; - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid getcert_mothod: %d\n", - iph1->rmconf->getcert_method); - return ISAKMP_INTERNAL_ERROR; - } - - /* compare ID payload and certificate name */ - if (iph1->rmconf->verify_cert && - (error = oakley_check_certid(iph1)) != 0) - return error; - - /* verify certificate */ - if (iph1->rmconf->verify_cert - && iph1->rmconf->getcert_method == ISAKMP_GETCERT_PAYLOAD) { - switch (iph1->rmconf->certtype) { - case ISAKMP_CERT_X509SIGN: - error = eay_check_x509cert(&iph1->cert_p->cert, - lcconf->pathinfo[LC_PATHTYPE_CERT], 0); - break; - default: - plog(LLV_ERROR, LOCATION, NULL, - "no supported certtype %d\n", - iph1->rmconf->certtype); - return ISAKMP_INTERNAL_ERROR; - } - if (error != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "the peer's certificate is not verified.\n"); - return ISAKMP_NTYPE_INVALID_CERT_AUTHORITY; - } - } - - plog(LLV_DEBUG, LOCATION, NULL, "CERT validated\n"); - - /* compute hash */ - switch (iph1->etype) { - case ISAKMP_ETYPE_IDENT: - case ISAKMP_ETYPE_AGG: - my_hash = oakley_ph1hash_common(iph1, VALIDATE); - break; - case ISAKMP_ETYPE_BASE: - if (iph1->side == INITIATOR) - my_hash = oakley_ph1hash_base_r(iph1, VALIDATE); - else - my_hash = oakley_ph1hash_base_i(iph1, VALIDATE); - break; - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid etype %d\n", iph1->etype); - return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE; - } - if (my_hash == NULL) - return ISAKMP_INTERNAL_ERROR; - - /* check signature */ - switch (iph1->rmconf->certtype) { - case ISAKMP_CERT_X509SIGN: - case ISAKMP_CERT_DNS: - error = eay_check_x509sign(my_hash, - iph1->sig_p, - &iph1->cert_p->cert); - break; - default: - plog(LLV_ERROR, LOCATION, NULL, - "no supported certtype %d\n", - iph1->rmconf->certtype); - vfree(my_hash); - return 
ISAKMP_INTERNAL_ERROR; - } - - vfree(my_hash); - if (error != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "Invalid SIG.\n"); - return ISAKMP_NTYPE_INVALID_SIGNATURE; - } - plog(LLV_DEBUG, LOCATION, NULL, "SIG authenticated\n"); - } - break; -#endif -#ifdef HAVE_GSSAPI - case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: - switch (iph1->etype) { - case ISAKMP_ETYPE_IDENT: - case ISAKMP_ETYPE_AGG: - my_hash = oakley_ph1hash_common(iph1, VALIDATE); - break; - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid etype %d\n", iph1->etype); - return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE; - } - - if (my_hash == NULL) { - if (gssapi_more_tokens(iph1)) - return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE; - else - return ISAKMP_NTYPE_INVALID_HASH_INFORMATION; - } - - gsshash = gssapi_unwraphash(iph1); - if (gsshash == NULL) { - vfree(my_hash); - return ISAKMP_NTYPE_INVALID_HASH_INFORMATION; - } - - result = memcmp(my_hash->v, gsshash->v, my_hash->l); - vfree(my_hash); - vfree(gsshash); - - if (result) { - plog(LLV_ERROR, LOCATION, NULL, "HASH mismatched\n"); - return ISAKMP_NTYPE_INVALID_HASH_INFORMATION; - } - plog(LLV_DEBUG, LOCATION, NULL, "hash compared OK\n"); - break; -#endif - case OAKLEY_ATTR_AUTH_METHOD_RSAENC: - case OAKLEY_ATTR_AUTH_METHOD_RSAREV: - if (iph1->id_p == NULL || iph1->pl_hash == NULL) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "few isakmp message received.\n"); - return ISAKMP_NTYPE_PAYLOAD_MALFORMED; - } - plog(LLV_ERROR, LOCATION, iph1->remote, - "not supported authmethod type %s\n", - s_oakley_attr_method(iph1->approval->authmethod)); - return ISAKMP_INTERNAL_ERROR; - default: - plog(LLV_ERROR, LOCATION, iph1->remote, - "invalid authmethod %d why ?\n", - iph1->approval->authmethod); - return ISAKMP_INTERNAL_ERROR; - } -#ifdef ENABLE_STATS - gettimeofday(&end, NULL); - syslog(LOG_NOTICE, "%s(%s): %8.6f", __func__, - s_oakley_attr_method(iph1->approval->authmethod), - timedelta(&start, &end)); -#endif - - return 0; -} - -#ifdef HAVE_SIGNING_C -/* get my certificate - * 
NOTE: include certificate type. - */ -int -oakley_getmycert(iph1) - struct ph1handle *iph1; -{ - if (iph1->cert) - return 0; /* There is CERT. */ - - return get_cert_fromlocal(iph1, 1); -} - -/* - * get a CERT from local file. - * IN: - * my != 0 my cert. - * my == 0 peer's cert. - */ -static int -get_cert_fromlocal(iph1, my) - struct ph1handle *iph1; - int my; -{ - char path[MAXPATHLEN]; - vchar_t *cert = NULL; - cert_t **certpl; - char *certfile; - int error = -1; - - if (my) { - certfile = iph1->rmconf->mycertfile; - certpl = &iph1->cert; - } else { - certfile = iph1->rmconf->peerscertfile; - certpl = &iph1->cert_p; - } - if (!certfile) { - plog(LLV_ERROR, LOCATION, NULL, "no CERT defined.\n"); - return 0; - } - - switch (iph1->rmconf->certtype) { - case ISAKMP_CERT_X509SIGN: - case ISAKMP_CERT_DNS: - /* make public file name */ - getpathname(path, sizeof(path), LC_PATHTYPE_CERT, certfile); - cert = eay_get_x509cert(path); - if (cert) { - char *p = NULL; - p = eay_get_x509text(cert); - plog(LLV_DEBUG, LOCATION, NULL, "%s", p ? p : "\n"); - racoon_free(p); - }; - break; - - default: - plog(LLV_ERROR, LOCATION, NULL, - "not supported certtype %d\n", - iph1->rmconf->certtype); - goto end; - } - - if (!cert) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get %s CERT.\n", - my ? 
"my" : "peers"); - goto end; - } - - *certpl = oakley_newcert(); - if (!*certpl) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get cert buffer.\n"); - goto end; - } - (*certpl)->pl = vmalloc(cert->l + 1); - if ((*certpl)->pl == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get cert buffer\n"); - oakley_delcert(*certpl); - *certpl = NULL; - goto end; - } - memcpy((*certpl)->pl->v + 1, cert->v, cert->l); - (*certpl)->pl->v[0] = iph1->rmconf->certtype; - (*certpl)->type = iph1->rmconf->certtype; - (*certpl)->cert.v = (*certpl)->pl->v + 1; - (*certpl)->cert.l = (*certpl)->pl->l - 1; - - plog(LLV_DEBUG, LOCATION, NULL, "created CERT payload:\n"); - plogdump(LLV_DEBUG, (*certpl)->pl->v, (*certpl)->pl->l); - - error = 0; - -end: - if (cert != NULL) - vfree(cert); - - return error; -} - -/* get signature */ -int -oakley_getsign(iph1) - struct ph1handle *iph1; -{ - char path[MAXPATHLEN]; - vchar_t *privkey = NULL; - int error = -1; - - switch (iph1->rmconf->certtype) { - case ISAKMP_CERT_X509SIGN: - case ISAKMP_CERT_DNS: - if (iph1->rmconf->myprivfile == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "no cert defined.\n"); - goto end; - } - - /* make private file name */ - getpathname(path, sizeof(path), - LC_PATHTYPE_CERT, - iph1->rmconf->myprivfile); - privkey = eay_get_pkcs1privkey(path); - if (privkey == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get private key.\n"); - goto end; - } - plog(LLV_DEBUG2, LOCATION, NULL, "private key:\n"); - plogdump(LLV_DEBUG2, privkey->v, privkey->l); - - iph1->sig = eay_get_x509sign(iph1->hash, - privkey, &iph1->cert->cert); - break; - default: - goto end; - } - - if (iph1->sig == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "failed to sign.\n"); - goto end; - } - - plog(LLV_DEBUG, LOCATION, NULL, "SIGN computed:\n"); - plogdump(LLV_DEBUG, iph1->sig->v, iph1->sig->l); - - error = 0; - -end: - if (privkey != NULL) - vfree(privkey); - - return error; -} - -/* - * compare certificate name and ID value. 
- */ -static int -oakley_check_certid(iph1) - struct ph1handle *iph1; -{ - struct ipsecdoi_id_b *id_b; - vchar_t *name = NULL; - char *altname = NULL; - int idlen, type; - int error; - - if (iph1->id_p == NULL || iph1->cert_p == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "no ID nor CERT found.\n"); - return ISAKMP_NTYPE_INVALID_ID_INFORMATION; - } - - id_b = (struct ipsecdoi_id_b *)iph1->id_p->v; - idlen = iph1->id_p->l - sizeof(*id_b); - - switch (id_b->type) { - case IPSECDOI_ID_DER_ASN1_DN: - name = eay_get_x509asn1subjectname(&iph1->cert_p->cert); - if (!name) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get subjectName\n"); - return ISAKMP_NTYPE_INVALID_CERTIFICATE; - } - if (idlen != name->l) { - plog(LLV_ERROR, LOCATION, NULL, - "Invalid ID length in phase 1.\n"); - vfree(name); - return ISAKMP_NTYPE_INVALID_ID_INFORMATION; - } - error = memcmp(id_b + 1, name->v, idlen); - vfree(name); - if (error != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "ID mismatched with subjectAltName.\n"); - return ISAKMP_NTYPE_INVALID_ID_INFORMATION; - } - return 0; - case IPSECDOI_ID_IPV4_ADDR: - case IPSECDOI_ID_IPV6_ADDR: - { - /* - * converting to binary from string because openssl return - * a string even if object is a binary. - * XXX fix it ! access by ASN.1 directly without. - */ - struct addrinfo hints, *res; - caddr_t a = NULL; - int pos; - - for (pos = 1; ; pos++) { - if (eay_get_x509subjectaltname(&iph1->cert_p->cert, - &altname, &type, pos) !=0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get subjectAltName\n"); - return ISAKMP_NTYPE_INVALID_CERTIFICATE; - } - - /* it's the end condition of the loop. 
*/ - if (!altname) { - plog(LLV_ERROR, LOCATION, NULL, - "no proper subjectAltName.\n"); - return ISAKMP_NTYPE_INVALID_CERTIFICATE; - } - - if (check_typeofcertname(id_b->type, type) == 0) - break; - - /* next name */ - racoon_free(altname); - altname = NULL; - } - memset(&hints, 0, sizeof(hints)); - hints.ai_family = PF_UNSPEC; - hints.ai_socktype = SOCK_RAW; - hints.ai_flags = AI_NUMERICHOST; - error = getaddrinfo(altname, NULL, &hints, &res); - if (error != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "no proper subjectAltName.\n"); - racoon_free(altname); - return ISAKMP_NTYPE_INVALID_CERTIFICATE; - } - switch (res->ai_family) { - case AF_INET: - a = (caddr_t)&((struct sockaddr_in *)res->ai_addr)->sin_addr.s_addr; - break; -#ifdef INET6 - case AF_INET6: - a = (caddr_t)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr.s6_addr; - break; -#endif - default: - plog(LLV_ERROR, LOCATION, NULL, - "family not supported: %d.\n", res->ai_family); - racoon_free(altname); - freeaddrinfo(res); - return ISAKMP_NTYPE_INVALID_CERTIFICATE; - } - error = memcmp(id_b + 1, a, idlen); - freeaddrinfo(res); - vfree(name); - if (error != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "ID mismatched with subjectAltName.\n"); - return ISAKMP_NTYPE_INVALID_ID_INFORMATION; - } - return 0; - } - case IPSECDOI_ID_FQDN: - case IPSECDOI_ID_USER_FQDN: - { - int pos; - - for (pos = 1; ; pos++) { - if (eay_get_x509subjectaltname(&iph1->cert_p->cert, - &altname, &type, pos) != 0){ - plog(LLV_ERROR, LOCATION, NULL, - "failed to get subjectAltName\n"); - return ISAKMP_NTYPE_INVALID_CERTIFICATE; - } - - /* it's the end condition of the loop. 
*/ - if (!altname) { - plog(LLV_ERROR, LOCATION, NULL, - "no proper subjectAltName.\n"); - return ISAKMP_NTYPE_INVALID_CERTIFICATE; - } - - if (check_typeofcertname(id_b->type, type) == 0) - break; - - /* next name */ - racoon_free(altname); - altname = NULL; - } - if (idlen != strlen(altname)) { - plog(LLV_ERROR, LOCATION, NULL, - "Invalid ID length in phase 1.\n"); - racoon_free(altname); - return ISAKMP_NTYPE_INVALID_ID_INFORMATION; - } - if (check_typeofcertname(id_b->type, type) != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "ID type mismatched. ID: %s CERT: %s.\n", - s_ipsecdoi_ident(id_b->type), - s_ipsecdoi_ident(type)); - racoon_free(altname); - return ISAKMP_NTYPE_INVALID_ID_INFORMATION; - } - error = memcmp(id_b + 1, altname, idlen); - if (error) { - plog(LLV_ERROR, LOCATION, NULL, "ID mismatched.\n"); - racoon_free(altname); - return ISAKMP_NTYPE_INVALID_ID_INFORMATION; - } - racoon_free(altname); - return 0; - } - default: - plog(LLV_ERROR, LOCATION, NULL, - "Inpropper ID type passed: %s.\n", - s_ipsecdoi_ident(id_b->type)); - return ISAKMP_NTYPE_INVALID_ID_INFORMATION; - } - /*NOTREACHED*/ -} - -static int -check_typeofcertname(doi, genid) - int doi, genid; -{ - switch (doi) { - case IPSECDOI_ID_IPV4_ADDR: - case IPSECDOI_ID_IPV4_ADDR_SUBNET: - case IPSECDOI_ID_IPV6_ADDR: - case IPSECDOI_ID_IPV6_ADDR_SUBNET: - case IPSECDOI_ID_IPV4_ADDR_RANGE: - case IPSECDOI_ID_IPV6_ADDR_RANGE: - if (genid != GENT_IPADD) - return -1; - return 0; - case IPSECDOI_ID_FQDN: - if (genid != GENT_DNS) - return -1; - return 0; - case IPSECDOI_ID_USER_FQDN: - if (genid != GENT_EMAIL) - return -1; - return 0; - case IPSECDOI_ID_DER_ASN1_DN: /* should not be passed to this function*/ - case IPSECDOI_ID_DER_ASN1_GN: - case IPSECDOI_ID_KEY_ID: - default: - return -1; - } - /*NOTREACHED*/ -} - -/* - * save certificate including certificate type. 
- */ -int -oakley_savecert(iph1, gen) - struct ph1handle *iph1; - struct isakmp_gen *gen; -{ - cert_t **c; - u_int8_t type; - - type = *(u_int8_t *)(gen + 1) & 0xff; - - switch (type) { - case ISAKMP_CERT_DNS: - plog(LLV_WARNING, LOCATION, NULL, - "CERT payload is unnecessary in DNSSEC. " - "ignore this CERT payload.\n"); - return 0; - case ISAKMP_CERT_PKCS7: - case ISAKMP_CERT_PGP: - case ISAKMP_CERT_X509SIGN: - case ISAKMP_CERT_KERBEROS: - case ISAKMP_CERT_SPKI: - c = &iph1->cert_p; - break; - case ISAKMP_CERT_CRL: - c = &iph1->crl_p; - break; - case ISAKMP_CERT_X509KE: - case ISAKMP_CERT_X509ATTR: - case ISAKMP_CERT_ARL: - plog(LLV_ERROR, LOCATION, NULL, - "No supported such CERT type %d\n", type); - return -1; - default: - plog(LLV_ERROR, LOCATION, NULL, - "Invalid CERT type %d\n", type); - return -1; - } - - /* XXX choice the 1th cert, ignore after the cert. */ - /* XXX should be processed. */ - if (*c) { - plog(LLV_WARNING, LOCATION, NULL, - "ignore 2nd CERT payload.\n"); - return 0; - } - - *c = save_certbuf(gen); - if (!*c) { - plog(LLV_ERROR, LOCATION, NULL, - "Failed to get CERT buffer.\n"); - return -1; - } - - switch ((*c)->type) { - case ISAKMP_CERT_DNS: - plog(LLV_WARNING, LOCATION, NULL, - "CERT payload is unnecessary in DNSSEC. " - "ignore it.\n"); - return 0; - case ISAKMP_CERT_PKCS7: - case ISAKMP_CERT_PGP: - case ISAKMP_CERT_X509SIGN: - case ISAKMP_CERT_KERBEROS: - case ISAKMP_CERT_SPKI: - plog(LLV_DEBUG, LOCATION, NULL, "CERT saved:\n"); - plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l); - { - char *p = eay_get_x509text(&(*c)->cert); - plog(LLV_DEBUG, LOCATION, NULL, "%s", p ? 
p : "\n"); - racoon_free(p); - } - break; - case ISAKMP_CERT_CRL: - plog(LLV_DEBUG, LOCATION, NULL, "CRL saved:\n"); - plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l); - break; - case ISAKMP_CERT_X509KE: - case ISAKMP_CERT_X509ATTR: - case ISAKMP_CERT_ARL: - default: - /* XXX */ - oakley_delcert((*c)); - *c = NULL; - return 0; - } - - return 0; -} - -/* - * save certificate including certificate type. - */ -int -oakley_savecr(iph1, gen) - struct ph1handle *iph1; - struct isakmp_gen *gen; -{ - cert_t **c; - u_int8_t type; - - type = *(u_int8_t *)(gen + 1) & 0xff; - - switch (type) { - case ISAKMP_CERT_DNS: - plog(LLV_WARNING, LOCATION, NULL, - "CERT payload is unnecessary in DNSSEC\n"); - /*FALLTHRU*/ - case ISAKMP_CERT_PKCS7: - case ISAKMP_CERT_PGP: - case ISAKMP_CERT_X509SIGN: - case ISAKMP_CERT_KERBEROS: - case ISAKMP_CERT_SPKI: - c = &iph1->cr_p; - break; - case ISAKMP_CERT_X509KE: - case ISAKMP_CERT_X509ATTR: - case ISAKMP_CERT_ARL: - plog(LLV_ERROR, LOCATION, NULL, - "No supported such CR type %d\n", type); - return -1; - case ISAKMP_CERT_CRL: - plog(LLV_WARNING, LOCATION, NULL, - "dont supported CRL type, just ignore\n"); - return -1; - return 0; /* just ignore the CRL */ - default: - plog(LLV_ERROR, LOCATION, NULL, - "Invalid CR type %d\n", type); - return -1; - } - - *c = save_certbuf(gen); - if (!*c) { - plog(LLV_ERROR, LOCATION, NULL, - "Failed to get CR buffer.\n"); - return -1; - } - - plog(LLV_DEBUG, LOCATION, NULL, "CR saved:\n"); - plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l); - - return 0; -} - -static cert_t * -save_certbuf(gen) - struct isakmp_gen *gen; -{ - cert_t *new; - - new = oakley_newcert(); - if (!new) { - plog(LLV_ERROR, LOCATION, NULL, - "Failed to get CERT buffer.\n"); - return NULL; - } - - new->pl = vmalloc(ntohs(gen->len) - sizeof(*gen)); - if (new->pl == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "Failed to copy CERT from packet.\n"); - oakley_delcert(new); - new = NULL; - return NULL; - } - memcpy(new->pl->v, gen + 1, 
new->pl->l); - new->type = new->pl->v[0] & 0xff; - new->cert.v = new->pl->v + 1; - new->cert.l = new->pl->l - 1; - - return new; -} - -/* - * get my CR. - * NOTE: No Certificate Authority field is included to CR payload at the - * moment. Becuase any certificate authority are accepted without any check. - * The section 3.10 in RFC2408 says that this field SHOULD not be included, - * if there is no specific certificate authority requested. - */ -vchar_t * -oakley_getcr(iph1) - struct ph1handle *iph1; -{ - vchar_t *buf; - - buf = vmalloc(1); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get cr buffer\n"); - return NULL; - } - buf->v[0] = iph1->rmconf->certtype; - - plog(LLV_DEBUG, LOCATION, NULL, "create my CR: %s\n", - s_isakmp_certtype(iph1->rmconf->certtype)); - if (buf->l > 1) - plogdump(LLV_DEBUG, buf->v, buf->l); - - return buf; -} - -/* - * check peer's CR. - */ -int -oakley_checkcr(iph1) - struct ph1handle *iph1; -{ - if (iph1->cr_p == NULL) - return 0; - - plog(LLV_DEBUG, LOCATION, iph1->remote, - "peer transmitted CR: %s\n", - s_isakmp_certtype(iph1->cr_p->type)); - - if (iph1->cr_p->type != iph1->rmconf->certtype) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "such a cert type isn't supported: %d\n", - (char)iph1->cr_p->type); - return -1; - } - - return 0; -} - -/* - * check to need CR payload. - */ -int -oakley_needcr(type) - int type; -{ - switch (type) { - case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: - case OAKLEY_ATTR_AUTH_METHOD_RSASIG: - return 1; - default: - return 0; - } - /*NOTREACHED*/ -} -#endif /*HAVE_SIGNING_C*/ - -/* - * compute SKEYID - * see seciton 5. 
Exchanges in RFC 2409 - * psk: SKEYID = prf(pre-shared-key, Ni_b | Nr_b) - * sig: SKEYID = prf(Ni_b | Nr_b, g^ir) - * enc: SKEYID = prf(H(Ni_b | Nr_b), CKY-I | CKY-R) - */ -int -oakley_skeyid(iph1) - struct ph1handle *iph1; -{ - vchar_t *buf = NULL, *bp; - char *p; - int len; - int error = -1; - - /* SKEYID */ - switch(iph1->approval->authmethod) { - case OAKLEY_ATTR_AUTH_METHOD_PSKEY: - if (iph1->etype != ISAKMP_ETYPE_IDENT) { - iph1->authstr = getpskbyname(iph1->id_p); - if (iph1->authstr == NULL) { - if (iph1->rmconf->verify_identifier) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "couldn't find the pskey.\n"); - goto end; - } - plog(LLV_NOTIFY, LOCATION, iph1->remote, - "couldn't find the proper pskey, " - "try to get one by the peer's address.\n"); - } - } - if (iph1->authstr == NULL) { - /* - * If the exchange type is the main mode or if it's - * failed to get the psk by ID, racoon try to get - * the psk by remote IP address. - * It may be nonsense. - */ - iph1->authstr = getpskbyaddr(iph1->remote); - if (iph1->authstr == NULL) { - plog(LLV_ERROR, LOCATION, iph1->remote, - "couldn't find the pskey for %s.\n", - saddrwop2str(iph1->remote)); - goto end; - } - } - plog(LLV_DEBUG, LOCATION, NULL, "the psk found.\n"); - /* should be secret PSK */ - plog(LLV_DEBUG2, LOCATION, NULL, "psk: "); - plogdump(LLV_DEBUG2, iph1->authstr->v, iph1->authstr->l); - - len = iph1->nonce->l + iph1->nonce_p->l; - buf = vmalloc(len); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get skeyid buffer\n"); - goto end; - } - p = buf->v; - - bp = (iph1->side == INITIATOR ? iph1->nonce : iph1->nonce_p); - plog(LLV_DEBUG, LOCATION, NULL, "nonce 1: "); - plogdump(LLV_DEBUG, bp->v, bp->l); - memcpy(p, bp->v, bp->l); - p += bp->l; - - bp = (iph1->side == INITIATOR ? 
iph1->nonce_p : iph1->nonce); - plog(LLV_DEBUG, LOCATION, NULL, "nonce 2: "); - plogdump(LLV_DEBUG, bp->v, bp->l); - memcpy(p, bp->v, bp->l); - p += bp->l; - - iph1->skeyid = oakley_prf(iph1->authstr, buf, iph1); - if (iph1->skeyid == NULL) - goto end; - break; - - case OAKLEY_ATTR_AUTH_METHOD_DSSSIG: - case OAKLEY_ATTR_AUTH_METHOD_RSASIG: -#ifdef HAVE_GSSAPI - case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB: -#endif - len = iph1->nonce->l + iph1->nonce_p->l; - buf = vmalloc(len); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get nonce buffer\n"); - goto end; - } - p = buf->v; - - bp = (iph1->side == INITIATOR ? iph1->nonce : iph1->nonce_p); - plog(LLV_DEBUG, LOCATION, NULL, "nonce1: "); - plogdump(LLV_DEBUG, bp->v, bp->l); - memcpy(p, bp->v, bp->l); - p += bp->l; - - bp = (iph1->side == INITIATOR ? iph1->nonce_p : iph1->nonce); - plog(LLV_DEBUG, LOCATION, NULL, "nonce2: "); - plogdump(LLV_DEBUG, bp->v, bp->l); - memcpy(p, bp->v, bp->l); - p += bp->l; - - iph1->skeyid = oakley_prf(buf, iph1->dhgxy, iph1); - if (iph1->skeyid == NULL) - goto end; - break; - case OAKLEY_ATTR_AUTH_METHOD_RSAENC: - case OAKLEY_ATTR_AUTH_METHOD_RSAREV: - plog(LLV_WARNING, LOCATION, NULL, - "not supported authentication method %s\n", - s_oakley_attr_method(iph1->approval->authmethod)); - goto end; - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid authentication method %d\n", - iph1->approval->authmethod); - goto end; - } - - plog(LLV_DEBUG, LOCATION, NULL, "SKEYID computed:\n"); - plogdump(LLV_DEBUG, iph1->skeyid->v, iph1->skeyid->l); - - error = 0; - -end: - if (buf != NULL) - vfree(buf); - return error; -} - -/* - * compute SKEYID_[dae] - * see seciton 5. 
Exchanges in RFC 2409 - * SKEYID_d = prf(SKEYID, g^ir | CKY-I | CKY-R | 0) - * SKEYID_a = prf(SKEYID, SKEYID_d | g^ir | CKY-I | CKY-R | 1) - * SKEYID_e = prf(SKEYID, SKEYID_a | g^ir | CKY-I | CKY-R | 2) - */ -int -oakley_skeyid_dae(iph1) - struct ph1handle *iph1; -{ - vchar_t *buf = NULL; - char *p; - int len; - int error = -1; - - if (iph1->skeyid == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "no SKEYID found.\n"); - goto end; - } - - /* SKEYID D */ - /* SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0) */ - len = iph1->dhgxy->l + sizeof(cookie_t) * 2 + 1; - buf = vmalloc(len); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get skeyid buffer\n"); - goto end; - } - p = buf->v; - - memcpy(p, iph1->dhgxy->v, iph1->dhgxy->l); - p += iph1->dhgxy->l; - memcpy(p, (caddr_t)&iph1->index.i_ck, sizeof(cookie_t)); - p += sizeof(cookie_t); - memcpy(p, (caddr_t)&iph1->index.r_ck, sizeof(cookie_t)); - p += sizeof(cookie_t); - *p = 0; - iph1->skeyid_d = oakley_prf(iph1->skeyid, buf, iph1); - if (iph1->skeyid_d == NULL) - goto end; - - vfree(buf); - buf = NULL; - - plog(LLV_DEBUG, LOCATION, NULL, "SKEYID_d computed:\n"); - plogdump(LLV_DEBUG, iph1->skeyid_d->v, iph1->skeyid->l); - - /* SKEYID A */ - /* SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1) */ - len = iph1->skeyid_d->l + iph1->dhgxy->l + sizeof(cookie_t) * 2 + 1; - buf = vmalloc(len); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get skeyid buffer\n"); - goto end; - } - p = buf->v; - memcpy(p, iph1->skeyid_d->v, iph1->skeyid_d->l); - p += iph1->skeyid_d->l; - memcpy(p, iph1->dhgxy->v, iph1->dhgxy->l); - p += iph1->dhgxy->l; - memcpy(p, (caddr_t)&iph1->index.i_ck, sizeof(cookie_t)); - p += sizeof(cookie_t); - memcpy(p, (caddr_t)&iph1->index.r_ck, sizeof(cookie_t)); - p += sizeof(cookie_t); - *p = 1; - iph1->skeyid_a = oakley_prf(iph1->skeyid, buf, iph1); - if (iph1->skeyid_a == NULL) - goto end; - - vfree(buf); - buf = NULL; - - plog(LLV_DEBUG, LOCATION, NULL, "SKEYID_a 
computed:\n"); - plogdump(LLV_DEBUG, iph1->skeyid_a->v, iph1->skeyid_a->l); - - /* SKEYID E */ - /* SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2) */ - len = iph1->skeyid_a->l + iph1->dhgxy->l + sizeof(cookie_t) * 2 + 1; - buf = vmalloc(len); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get skeyid buffer\n"); - goto end; - } - p = buf->v; - memcpy(p, iph1->skeyid_a->v, iph1->skeyid_a->l); - p += iph1->skeyid_a->l; - memcpy(p, iph1->dhgxy->v, iph1->dhgxy->l); - p += iph1->dhgxy->l; - memcpy(p, (caddr_t)&iph1->index.i_ck, sizeof(cookie_t)); - p += sizeof(cookie_t); - memcpy(p, (caddr_t)&iph1->index.r_ck, sizeof(cookie_t)); - p += sizeof(cookie_t); - *p = 2; - iph1->skeyid_e = oakley_prf(iph1->skeyid, buf, iph1); - if (iph1->skeyid_e == NULL) - goto end; - - vfree(buf); - buf = NULL; - - plog(LLV_DEBUG, LOCATION, NULL, "SKEYID_e computed:\n"); - plogdump(LLV_DEBUG, iph1->skeyid_e->v, iph1->skeyid_e->l); - - error = 0; - -end: - if (buf != NULL) - vfree(buf); - return error; -} - -/* - * compute final encryption key. - * see Appendix B. - */ -int -oakley_compute_enckey(iph1) - struct ph1handle *iph1; -{ - u_int keylen, prflen; - int error = -1; - - /* RFC2409 p39 */ - keylen = alg_oakley_encdef_keylen(iph1->approval->enctype, - iph1->approval->encklen); - if (keylen == -1) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid encryption algoritym %d, " - "or invalid key length %d.\n", - iph1->approval->enctype, - iph1->approval->encklen); - goto end; - } - iph1->key = vmalloc(keylen >> 3); - if (iph1->key == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get key buffer\n"); - goto end; - } - - /* set prf length */ - prflen = alg_oakley_hashdef_hashlen(iph1->approval->hashtype); - if (prflen == -1) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid hash type %d.\n", iph1->approval->hashtype); - goto end; - } - - /* see isakmp-oakley-08 5.3. 
*/ - if (iph1->key->l <= iph1->skeyid_e->l) { - /* - * if length(Ka) <= length(SKEYID_e) - * Ka = first length(K) bit of SKEYID_e - */ - memcpy(iph1->key->v, iph1->skeyid_e->v, iph1->key->l); - } else { - vchar_t *buf = NULL, *res = NULL; - u_char *p, *ep; - int cplen; - int subkey; - - /* - * otherwise, - * Ka = K1 | K2 | K3 - * where - * K1 = prf(SKEYID_e, 0) - * K2 = prf(SKEYID_e, K1) - * K3 = prf(SKEYID_e, K2) - */ - plog(LLV_DEBUG, LOCATION, NULL, - "len(SKEYID_e) < len(Ka) (%d < %d), " - "generating long key (Ka = K1 | K2 | ...)\n", - iph1->skeyid_e->l, iph1->key->l); - - if ((buf = vmalloc(prflen >> 3)) == 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get key buffer\n"); - goto end; - } - p = (u_char *)iph1->key->v; - ep = p + iph1->key->l; - - subkey = 1; - while (p < ep) { - if (p == (u_char *)iph1->key->v) { - /* just for computing K1 */ - buf->v[0] = 0; - buf->l = 1; - } - res = oakley_prf(iph1->skeyid_e, buf, iph1); - if (res == NULL) { - vfree(buf); - goto end; - } - plog(LLV_DEBUG, LOCATION, NULL, - "compute intermediate encryption key K%d\n", - subkey); - plogdump(LLV_DEBUG, buf->v, buf->l); - plogdump(LLV_DEBUG, res->v, res->l); - - cplen = (res->l < ep - p) ? res->l : ep - p; - memcpy(p, res->v, cplen); - p += cplen; - - buf->l = prflen >> 3; /* to cancel K1 speciality */ - if (res->l != buf->l) { - plog(LLV_ERROR, LOCATION, NULL, - "internal error: res->l=%d buf->l=%d\n", - res->l, buf->l); - vfree(res); - vfree(buf); - goto end; - } - memcpy(buf->v, res->v, res->l); - vfree(res); - subkey++; - } - - vfree(buf); - } - - /* - * don't check any weak key or not. - * draft-ietf-ipsec-ike-01.txt Appendix B. - * draft-ietf-ipsec-ciph-aes-cbc-00.txt Section 2.3. 
- */ -#if 0 - /* weakkey check */ - if (iph1->approval->enctype > ARRAYLEN(oakley_encdef) - || oakley_encdef[iph1->approval->enctype].weakkey == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "encryption algoritym %d isn't supported.\n", - iph1->approval->enctype); - goto end; - } - if ((oakley_encdef[iph1->approval->enctype].weakkey)(iph1->key)) { - plog(LLV_ERROR, LOCATION, NULL, - "weakkey was generated.\n"); - goto end; - } -#endif - - plog(LLV_DEBUG, LOCATION, NULL, "final encryption key computed:\n"); - plogdump(LLV_DEBUG, iph1->key->v, iph1->key->l); - - error = 0; - -end: - return error; -} - -/* allocated new buffer for CERT */ -cert_t * -oakley_newcert() -{ - cert_t *new; - - new = racoon_calloc(1, sizeof(*new)); - if (new == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get cert's buffer\n"); - return NULL; - } - - new->pl = NULL; - - return new; -} - -/* delete buffer for CERT */ -void -oakley_delcert(cert) - cert_t *cert; -{ - if (!cert) - return; - if (cert->pl) - VPTRINIT(cert->pl); - racoon_free(cert); -} - -/* - * compute IV and set to ph1handle - * IV = hash(g^xi | g^xr) - * see 4.1 Phase 1 state in draft-ietf-ipsec-ike. - */ -int -oakley_newiv(iph1) - struct ph1handle *iph1; -{ - struct isakmp_ivm *newivm = NULL; - vchar_t *buf = NULL, *bp; - char *p; - int len; - - /* create buffer */ - len = iph1->dhpub->l + iph1->dhpub_p->l; - buf = vmalloc(len); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get iv buffer\n"); - return -1; - } - - p = buf->v; - - bp = (iph1->side == INITIATOR ? iph1->dhpub : iph1->dhpub_p); - memcpy(p, bp->v, bp->l); - p += bp->l; - - bp = (iph1->side == INITIATOR ? 
iph1->dhpub_p : iph1->dhpub); - memcpy(p, bp->v, bp->l); - p += bp->l; - - /* allocate IVm */ - newivm = racoon_calloc(1, sizeof(struct isakmp_ivm)); - if (newivm == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get iv buffer\n"); - vfree(buf); - return -1; - } - - /* compute IV */ - newivm->iv = oakley_hash(buf, iph1); - if (newivm->iv == NULL) { - vfree(buf); - oakley_delivm(newivm); - return -1; - } - - /* adjust length of iv */ - newivm->iv->l = alg_oakley_encdef_blocklen(iph1->approval->enctype); - if (newivm->iv->l == -1) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid encryption algoriym %d.\n", - iph1->approval->enctype); - vfree(buf); - oakley_delivm(newivm); - return -1; - } - - /* create buffer to save iv */ - if ((newivm->ive = vdup(newivm->iv)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "vdup (%s)\n", strerror(errno)); - vfree(buf); - oakley_delivm(newivm); - return -1; - } - - vfree(buf); - - plog(LLV_DEBUG, LOCATION, NULL, "IV computed:\n"); - plogdump(LLV_DEBUG, newivm->iv->v, newivm->iv->l); - - iph1->ivm = newivm; - - return 0; -} - -/* - * compute IV for the payload after phase 1. - * It's not limited for phase 2. - * if pahse 1 was encrypted. - * IV = hash(last CBC block of Phase 1 | M-ID) - * if phase 1 was not encrypted. - * IV = hash(phase 1 IV | M-ID) - * see 4.2 Phase 2 state in draft-ietf-ipsec-ike. 
- */ -struct isakmp_ivm * -oakley_newiv2(iph1, msgid) - struct ph1handle *iph1; - u_int32_t msgid; -{ - struct isakmp_ivm *newivm = NULL; - vchar_t *buf = NULL; - char *p; - int len; - int error = -1; - - /* create buffer */ - len = iph1->ivm->iv->l + sizeof(msgid_t); - buf = vmalloc(len); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get iv buffer\n"); - goto end; - } - - p = buf->v; - - memcpy(p, iph1->ivm->iv->v, iph1->ivm->iv->l); - p += iph1->ivm->iv->l; - - memcpy(p, &msgid, sizeof(msgid)); - - plog(LLV_DEBUG, LOCATION, NULL, "compute IV for phase2\n"); - plog(LLV_DEBUG, LOCATION, NULL, "phase1 last IV:\n"); - plogdump(LLV_DEBUG, buf->v, buf->l); - - /* allocate IVm */ - newivm = racoon_calloc(1, sizeof(struct isakmp_ivm)); - if (newivm == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get iv buffer\n"); - goto end; - } - - /* compute IV */ - if ((newivm->iv = oakley_hash(buf, iph1)) == NULL) - goto end; - - /* adjust length of iv */ - newivm->iv->l = alg_oakley_encdef_blocklen(iph1->approval->enctype); - if (newivm->iv->l == -1) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid encryption algoriym %d.\n", - iph1->approval->enctype); - goto end; - } - - /* create buffer to save new iv */ - if ((newivm->ive = vdup(newivm->iv)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "vdup (%s)\n", strerror(errno)); - goto end; - } - - error = 0; - - plog(LLV_DEBUG, LOCATION, NULL, "phase2 IV computed:\n"); - plogdump(LLV_DEBUG, newivm->iv->v, newivm->iv->l); - -end: - if (error && newivm != NULL) - oakley_delivm(newivm); - if (buf != NULL) - vfree(buf); - return newivm; -} - -void -oakley_delivm(ivm) - struct isakmp_ivm *ivm; -{ - if (ivm == NULL) - return; - - if (ivm->iv != NULL) - vfree(ivm->iv); - if (ivm->ive != NULL) - vfree(ivm->ive); - racoon_free(ivm); - - return; -} - -/* - * decrypt packet. - * save new iv and old iv. 
- */ -vchar_t * -oakley_do_decrypt(iph1, msg, ivdp, ivep) - struct ph1handle *iph1; - vchar_t *msg, *ivdp, *ivep; -{ - vchar_t *buf = NULL, *new = NULL; - char *pl; - int len; - u_int8_t padlen; - int blen; - int error = -1; - - plog(LLV_DEBUG, LOCATION, NULL, "begin decryption.\n"); - - blen = alg_oakley_encdef_blocklen(iph1->approval->enctype); - if (blen == -1) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid encryption algoriym %d.\n", - iph1->approval->enctype); - goto end; - } - - /* save IV for next, but not sync. */ - memset(ivep->v, 0, ivep->l); - memcpy(ivep->v, (caddr_t)&msg->v[msg->l - blen], blen); - - plog(LLV_DEBUG, LOCATION, NULL, - "IV was saved for next processing:\n"); - plogdump(LLV_DEBUG, ivep->v, ivep->l); - - pl = msg->v + sizeof(struct isakmp); - - len = msg->l - sizeof(struct isakmp); - - /* create buffer */ - buf = vmalloc(len); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to decrypt.\n"); - goto end; - } - memcpy(buf->v, pl, len); - - /* do decrypt */ - new = alg_oakley_encdef_decrypt(iph1->approval->enctype, - buf, iph1->key, ivdp); - if (new == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "decryption %d failed.\n", iph1->approval->enctype); - goto end; - } - plog(LLV_DEBUG, LOCATION, NULL, "with key:\n"); - plogdump(LLV_DEBUG, iph1->key->v, iph1->key->l); - - vfree(buf); - buf = NULL; - if (new == NULL) - goto end; - - plog(LLV_DEBUG, LOCATION, NULL, "decrypted payload by IV:\n"); - plogdump(LLV_DEBUG, ivdp->v, ivdp->l); - - plog(LLV_DEBUG, LOCATION, NULL, - "decrypted payload, but not trimed.\n"); - plogdump(LLV_DEBUG, new->v, new->l); - - /* get padding length */ - if (lcconf->pad_excltail) - padlen = new->v[new->l - 1] + 1; - else - padlen = new->v[new->l - 1]; - plog(LLV_DEBUG, LOCATION, NULL, "padding len=%u\n", padlen); - - /* trim padding */ - if (lcconf->pad_strict) { - if (padlen > new->l) { - plog(LLV_ERROR, LOCATION, NULL, - "invalied padding len=%u, buflen=%u.\n", - padlen, new->l); - 
plogdump(LLV_ERROR, new->v, new->l); - goto end; - } - new->l -= padlen; - plog(LLV_DEBUG, LOCATION, NULL, "trimmed padding\n"); - } else { - plog(LLV_DEBUG, LOCATION, NULL, "skip to trim padding.\n"); - } - - /* create new buffer */ - len = sizeof(struct isakmp) + new->l; - buf = vmalloc(len); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to decrypt.\n"); - goto end; - } - memcpy(buf->v, msg->v, sizeof(struct isakmp)); - memcpy(buf->v + sizeof(struct isakmp), new->v, new->l); - ((struct isakmp *)buf->v)->len = htonl(buf->l); - - plog(LLV_DEBUG, LOCATION, NULL, "decrypted.\n"); - plogdump(LLV_DEBUG, buf->v, buf->l); - -#ifdef HAVE_PRINT_ISAKMP_C - isakmp_printpacket(buf, iph1->remote, iph1->local, 1); -#endif - - error = 0; - -end: - if (error && buf != NULL) { - vfree(buf); - buf = NULL; - } - if (new != NULL) - vfree(new); - - return buf; -} - -/* - * encrypt packet. - */ -vchar_t * -oakley_do_encrypt(iph1, msg, ivep, ivp) - struct ph1handle *iph1; - vchar_t *msg, *ivep, *ivp; -{ - vchar_t *buf = 0, *new = 0; - char *pl; - int len; - u_int padlen; - int blen; - int error = -1; - - plog(LLV_DEBUG, LOCATION, NULL, "begin encryption.\n"); - - /* set cbc block length */ - blen = alg_oakley_encdef_blocklen(iph1->approval->enctype); - if (blen == -1) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid encryption algoriym %d.\n", - iph1->approval->enctype); - goto end; - } - - pl = msg->v + sizeof(struct isakmp); - len = msg->l - sizeof(struct isakmp); - - /* add padding */ - padlen = oakley_padlen(len, blen); - plog(LLV_DEBUG, LOCATION, NULL, "pad length = %u\n", padlen); - - /* create buffer */ - buf = vmalloc(len + padlen); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to encrypt.\n"); - goto end; - } - if (padlen) { - int i; - char *p = &buf->v[len]; - if (lcconf->pad_random) { - for (i = 0; i < padlen; i++) - *p++ = arc4random() & 0xff; - } - } - memcpy(buf->v, pl, len); - - /* make pad into tail */ - if 
(lcconf->pad_excltail) - buf->v[len + padlen - 1] = padlen - 1; - else - buf->v[len + padlen - 1] = padlen; - - plogdump(LLV_DEBUG, buf->v, buf->l); - - /* do encrypt */ - new = alg_oakley_encdef_encrypt(iph1->approval->enctype, - buf, iph1->key, ivep); - if (new == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "encryption %d failed.\n", iph1->approval->enctype); - goto end; - } - plog(LLV_DEBUG, LOCATION, NULL, "with key:\n"); - plogdump(LLV_DEBUG, iph1->key->v, iph1->key->l); - - vfree(buf); - buf = NULL; - if (new == NULL) - goto end; - - plog(LLV_DEBUG, LOCATION, NULL, "encrypted payload by IV:\n"); - plogdump(LLV_DEBUG, ivep->v, ivep->l); - - /* save IV for next */ - memset(ivp->v, 0, ivp->l); - memcpy(ivp->v, (caddr_t)&new->v[new->l - blen], blen); - - plog(LLV_DEBUG, LOCATION, NULL, "save IV for next:\n"); - plogdump(LLV_DEBUG, ivp->v, ivp->l); - - /* create new buffer */ - len = sizeof(struct isakmp) + new->l; - buf = vmalloc(len); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to encrypt.\n"); - goto end; - } - memcpy(buf->v, msg->v, sizeof(struct isakmp)); - memcpy(buf->v + sizeof(struct isakmp), new->v, new->l); - ((struct isakmp *)buf->v)->len = htonl(buf->l); - - error = 0; - - plog(LLV_DEBUG, LOCATION, NULL, "encrypted.\n"); - -end: - if (error && buf != NULL) { - vfree(buf); - buf = NULL; - } - if (new != NULL) - vfree(new); - - return buf; -} - -/* culculate padding length */ -static int -oakley_padlen(len, base) - int len, base; -{ - int padlen; - - padlen = base - len % base; - - if (lcconf->pad_randomlen) - padlen += ((arc4random() % (lcconf->pad_maxsize + 1) + 1) * - base); - - return padlen; -} - diff --git a/kame/kame/racoon/oakley.h b/kame/kame/racoon/oakley.h deleted file mode 100644 index fa7838960e..0000000000 --- a/kame/kame/racoon/oakley.h +++ /dev/null 
@@ -1,194 +0,0 @@
-/* $KAME: oakley.h,v 1.31 2004/08/24 06:52:41 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -/* refer to RFC 2409 */ - -/* Attribute Classes */ -#define OAKLEY_ATTR_ENC_ALG 1 /* B */ -#define OAKLEY_ATTR_ENC_ALG_DES 1 -#define OAKLEY_ATTR_ENC_ALG_IDEA 2 -#define OAKLEY_ATTR_ENC_ALG_BLOWFISH 3 -#define OAKLEY_ATTR_ENC_ALG_RC5 4 -#define OAKLEY_ATTR_ENC_ALG_3DES 5 -#define OAKLEY_ATTR_ENC_ALG_CAST 6 -#define OAKLEY_ATTR_ENC_ALG_RIJNDAEL 7 -#define OAKLEY_ATTR_ENC_ALG_AES 7 - /* 65001 - 65535 Private Use */ -#define OAKLEY_ATTR_HASH_ALG 2 /* B */ -#define OAKLEY_ATTR_HASH_ALG_MD5 1 -#define OAKLEY_ATTR_HASH_ALG_SHA 2 -#define OAKLEY_ATTR_HASH_ALG_TIGER 3 -#if defined(WITH_SHA2) -#define OAKLEY_ATTR_HASH_ALG_SHA2_256 4 -#define OAKLEY_ATTR_HASH_ALG_SHA2_384 5 -#define OAKLEY_ATTR_HASH_ALG_SHA2_512 6 -#endif - /* 65001 - 65535 Private Use */ -#define OAKLEY_ATTR_AUTH_METHOD 3 /* B */ -#define OAKLEY_ATTR_AUTH_METHOD_PSKEY 1 -#define OAKLEY_ATTR_AUTH_METHOD_DSSSIG 2 -#define OAKLEY_ATTR_AUTH_METHOD_RSASIG 3 -#define OAKLEY_ATTR_AUTH_METHOD_RSAENC 4 -#define OAKLEY_ATTR_AUTH_METHOD_RSAREV 5 -#define OAKLEY_ATTR_AUTH_METHOD_EGENC 6 -#define OAKLEY_ATTR_AUTH_METHOD_EGREV 7 - /* 65001 - 65535 Private Use */ - /* - * The following are valid when the Vendor ID is one of - * the following: - * - * MD5("A GSS-API Authentication Method for IKE") - * MD5("GSSAPI") (recognized by Windows 2000) - * MD5("MS NT5 ISAKMPOAKLEY") (sent by Windows 2000) - */ -#define OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB 65001 -#define OAKLEY_ATTR_GRP_DESC 4 /* B */ -#define OAKLEY_ATTR_GRP_DESC_MODP768 1 -#define OAKLEY_ATTR_GRP_DESC_MODP1024 2 -#define OAKLEY_ATTR_GRP_DESC_EC2N155 3 -#define OAKLEY_ATTR_GRP_DESC_EC2N185 4 -#define OAKLEY_ATTR_GRP_DESC_MODP1536 5 -#define OAKLEY_ATTR_GRP_DESC_MODP2048 14 -#define OAKLEY_ATTR_GRP_DESC_MODP3072 15 -#define OAKLEY_ATTR_GRP_DESC_MODP4096 16 -#define OAKLEY_ATTR_GRP_DESC_MODP6144 17 -#define OAKLEY_ATTR_GRP_DESC_MODP8192 18 - /* 32768 - 65535 Private Use */ -#define OAKLEY_ATTR_GRP_TYPE 5 /* B */ -#define OAKLEY_ATTR_GRP_TYPE_MODP 1 -#define 
OAKLEY_ATTR_GRP_TYPE_ECP 2 -#define OAKLEY_ATTR_GRP_TYPE_EC2N 3 - /* 65001 - 65535 Private Use */ -#define OAKLEY_ATTR_GRP_PI 6 /* V */ -#define OAKLEY_ATTR_GRP_GEN_ONE 7 /* V */ -#define OAKLEY_ATTR_GRP_GEN_TWO 8 /* V */ -#define OAKLEY_ATTR_GRP_CURVE_A 9 /* V */ -#define OAKLEY_ATTR_GRP_CURVE_B 10 /* V */ -#define OAKLEY_ATTR_SA_LD_TYPE 11 /* B */ -#define OAKLEY_ATTR_SA_LD_TYPE_DEFAULT 1 -#define OAKLEY_ATTR_SA_LD_TYPE_SEC 1 -#define OAKLEY_ATTR_SA_LD_TYPE_KB 2 -#define OAKLEY_ATTR_SA_LD_TYPE_MAX 3 - /* 65001 - 65535 Private Use */ -#define OAKLEY_ATTR_SA_LD 12 /* V */ -#define OAKLEY_ATTR_SA_LD_SEC_DEFAULT 28800 /* 8 hours */ -#define OAKLEY_ATTR_PRF 13 /* B */ -#define OAKLEY_ATTR_KEY_LEN 14 /* B */ -#define OAKLEY_ATTR_FIELD_SIZE 15 /* B */ -#define OAKLEY_ATTR_GRP_ORDER 16 /* V */ -#define OAKLEY_ATTR_BLOCK_SIZE 17 /* B */ - /* 16384 - 32767 Private Use */ - - /* - * The following are valid when the Vendor ID is one of - * the following: - * - * MD5("A GSS-API Authentication Method for IKE") - * MD5("GSSAPI") (recognized by Windows 2000) - * MD5("MS NT5 ISAKMPOAKLEY") (sent by Windows 2000) - */ -#define OAKLEY_ATTR_GSS_ID 16384 - -#define MAXPADLWORD 20 - -struct dhgroup { - int type; - vchar_t *prime; - int gen1; - int gen2; - vchar_t *curve_a; - vchar_t *curve_b; - vchar_t *order; -}; - -/* certificate holder */ -typedef struct cert_t_tag { - u_int8_t type; /* type of CERT, must be same to pl->v[0]*/ - vchar_t cert; /* pointer to the CERT */ - vchar_t *pl; /* CERT payload minus isakmp general header */ -} cert_t; - -struct ph1handle; -struct ph2handle; -struct isakmp_ivm; - -extern int oakley_get_defaultlifetime __P((void)); - -extern int oakley_dhinit __P((void)); -extern void oakley_dhclean __P((void)); -extern void oakley_dhgrp_free __P((struct dhgroup *)); -extern int oakley_dh_compute __P((const struct dhgroup *, - vchar_t *, vchar_t *, vchar_t *, vchar_t **)); -extern int oakley_dh_generate __P((const struct dhgroup *, - vchar_t **, vchar_t **)); 
-extern int oakley_setdhgroup __P((int, struct dhgroup **)); - -extern vchar_t *oakley_prf __P((vchar_t *, vchar_t *, struct ph1handle *)); -extern vchar_t *oakley_hash __P((vchar_t *, struct ph1handle *)); - -extern int oakley_compute_keymat __P((struct ph2handle *, int)); - -#if notyet -extern vchar_t *oakley_compute_hashx __P((void)); -#endif -extern vchar_t *oakley_compute_hash3 __P((struct ph1handle *, - u_int32_t, vchar_t *)); -extern vchar_t *oakley_compute_hash1 __P((struct ph1handle *, - u_int32_t, vchar_t *)); -extern vchar_t *oakley_ph1hash_common __P((struct ph1handle *, int)); -extern vchar_t *oakley_ph1hash_base_i __P((struct ph1handle *, int)); -extern vchar_t *oakley_ph1hash_base_r __P((struct ph1handle *, int)); - -extern int oakley_validate_auth __P((struct ph1handle *)); -#ifdef HAVE_SIGNING_C -extern int oakley_getmycert __P((struct ph1handle *)); -extern int oakley_getsign __P((struct ph1handle *)); -extern vchar_t *oakley_getcr __P((struct ph1handle *)); -extern int oakley_checkcr __P((struct ph1handle *)); -#endif -extern int oakley_needcr __P((int)); -struct isakmp_gen; -extern int oakley_savecert __P((struct ph1handle *, struct isakmp_gen *)); -extern int oakley_savecr __P((struct ph1handle *, struct isakmp_gen *)); - -extern int oakley_skeyid __P((struct ph1handle *)); -extern int oakley_skeyid_dae __P((struct ph1handle *)); - -extern int oakley_compute_enckey __P((struct ph1handle *)); -extern cert_t *oakley_newcert __P((void)); -extern void oakley_delcert __P((cert_t *)); -extern int oakley_newiv __P((struct ph1handle *)); -extern struct isakmp_ivm *oakley_newiv2 __P((struct ph1handle *, u_int32_t)); -extern void oakley_delivm __P((struct isakmp_ivm *)); -extern vchar_t *oakley_do_decrypt __P((struct ph1handle *, - vchar_t *, vchar_t *, vchar_t *)); -extern vchar_t *oakley_do_encrypt __P((struct ph1handle *, - vchar_t *, vchar_t *, vchar_t *)); 
diff --git a/kame/kame/racoon/pfkey.c b/kame/kame/racoon/pfkey.c
deleted file mode 100644
index 6d326b267d..0000000000
--- a/kame/kame/racoon/pfkey.c
+++ /dev/null
@@ -1,2685 +0,0 @@
-/* $KAME: pfkey.c,v 1.143 2004/12/09 03:17:47 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#define _PFKEY_C_
-
-#include
-#include
-#include
-#include
-#include
-
-#include
-#include
-#include
-#include
-
-#include
-#ifdef IPV6_INRIA_VERSION
-#include
-#else
-#include
-#endif
-
-#include
-#include
-#include
-#include
-#include
-#ifdef HAVE_UNISTD_H
-#include
-#endif
-#include
-
-#include "libpfkey.h"
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "sockmisc.h"
-#include "debug.h"
-
-#include "schedule.h"
-#include "localconf.h"
-#include "remoteconf.h"
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "isakmp_inf.h"
-#include "ipsec_doi.h"
-#include "oakley.h"
-#include "pfkey.h"
-#include "handler.h"
-#include "policy.h"
-#include "algorithm.h"
-#include "sainfo.h"
-#include "proposal.h"
-#include "admin.h"
-#include "strnames.h"
-#include "backupsa.h"
-#include "gcmalloc.h"
-#ifndef HAVE_ARC4RANDOM
-#include "arc4random.h"
-#endif
-
-/* prototype */
-static u_int ipsecdoi2pfkey_aalg __P((u_int));
-static u_int ipsecdoi2pfkey_ealg __P((u_int));
-static u_int ipsecdoi2pfkey_calg __P((u_int));
-static u_int ipsecdoi2pfkey_alg __P((u_int, u_int));
-static u_int keylen_aalg __P((u_int));
-static u_int keylen_ealg __P((u_int, int));
-
-static int pk_recvgetspi __P((caddr_t *));
-static int pk_recvupdate __P((caddr_t *));
-static int pk_recvadd __P((caddr_t *));
-static int pk_recvdelete __P((caddr_t *));
-static int pk_recvacquire __P((caddr_t *));
-static int pk_recvexpire __P((caddr_t *));
-static int pk_recvflush __P((caddr_t *));
-static int getsadbpolicy __P((caddr_t *, int *, int, struct ph2handle *));
-static int pk_recvspdupdate __P((caddr_t *));
-static int pk_recvspdadd __P((caddr_t *));
-static int pk_recvspddelete __P((caddr_t *));
-static int pk_recvspdexpire __P((caddr_t *));
-static int pk_recvspdget __P((caddr_t *));
-static int pk_recvspddump __P((caddr_t *));
-static int pk_recvspdflush __P((caddr_t *));
-static struct sadb_msg *pk_recv __P((int, int *));
-
-static int (*pkrecvf[]) 
__P((caddr_t *)) = { -NULL, -pk_recvgetspi, -pk_recvupdate, -pk_recvadd, -pk_recvdelete, -NULL, /* SADB_GET */ -pk_recvacquire, -NULL, /* SABD_REGISTER */ -pk_recvexpire, -pk_recvflush, -NULL, /* SADB_DUMP */ -NULL, /* SADB_X_PROMISC */ -NULL, /* SADB_X_PCHANGE */ -pk_recvspdupdate, -pk_recvspdadd, -pk_recvspddelete, -pk_recvspdget, -NULL, /* SADB_X_SPDACQUIRE */ -pk_recvspddump, -pk_recvspdflush, -NULL, /* SADB_X_SPDSETIDX */ -pk_recvspdexpire, -NULL, /* SADB_X_SPDDELETE2 */ -}; - -static int addnewsp __P((caddr_t *)); - -/* cope with old kame headers - ugly */ -#ifndef SADB_X_AALG_MD5 -#define SADB_X_AALG_MD5 SADB_AALG_MD5 -#endif -#ifndef SADB_X_AALG_SHA -#define SADB_X_AALG_SHA SADB_AALG_SHA -#endif -#ifndef SADB_X_AALG_NULL -#define SADB_X_AALG_NULL SADB_AALG_NULL -#endif - -#ifndef SADB_X_EALG_BLOWFISHCBC -#define SADB_X_EALG_BLOWFISHCBC SADB_EALG_BLOWFISHCBC -#endif -#ifndef SADB_X_EALG_CAST128CBC -#define SADB_X_EALG_CAST128CBC SADB_EALG_CAST128CBC -#endif -#ifndef SADB_X_EALG_RC5CBC -#ifdef SADB_EALG_RC5CBC -#define SADB_X_EALG_RC5CBC SADB_EALG_RC5CBC -#endif -#endif - -/* - * PF_KEY packet handler - * 0: success - * -1: fail - */ -int -pfkey_handler() -{ - struct sadb_msg *msg; - int len; - caddr_t mhp[SADB_EXT_MAX + 1]; - int error = -1; - - /* receive pfkey message. */ - len = 0; - msg = (struct sadb_msg *)pk_recv(lcconf->sock_pfkey, &len); - if (msg == NULL) { - if (len < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to recv from pfkey (%s)\n", - strerror(errno)); - goto end; - } else { - /* short message - msg not ready */ - return 0; - } - } - - plog(LLV_DEBUG, LOCATION, NULL, "get pfkey %s message\n", - s_pfkey_type(msg->sadb_msg_type)); - plogdump(LLV_DEBUG2, msg, msg->sadb_msg_len << 3); - - /* validity check */ - if (msg->sadb_msg_errno) { - int pri; - - /* when SPD is empty, treat the state as no error. 
*/ - if (msg->sadb_msg_type == SADB_X_SPDDUMP && - msg->sadb_msg_errno == ENOENT) - pri = LLV_DEBUG; - else - pri = LLV_ERROR; - - plog(pri, LOCATION, NULL, - "pfkey %s failed: %s\n", - s_pfkey_type(msg->sadb_msg_type), - strerror(msg->sadb_msg_errno)); - - goto end; - } - - /* check pfkey message. */ - if (pfkey_align(msg, mhp)) { - plog(LLV_ERROR, LOCATION, NULL, - "libipsec failed pfkey align (%s)\n", - ipsec_strerror()); - goto end; - } - if (pfkey_check(mhp)) { - plog(LLV_ERROR, LOCATION, NULL, - "libipsec failed pfkey check (%s)\n", - ipsec_strerror()); - goto end; - } - msg = (struct sadb_msg *)mhp[0]; - - if (pkrecvf[msg->sadb_msg_type] == NULL) { - plog(LLV_DEBUG, LOCATION, NULL, - "not supported command %s\n", - s_pfkey_type(msg->sadb_msg_type)); - goto end; - } - - if ((pkrecvf[msg->sadb_msg_type])(mhp) < 0) - goto end; - - error = 0; -end: - if (msg) - racoon_free(msg); - return(error); -} - -/* - * dump SADB - */ -vchar_t * -pfkey_dump_sadb(satype) - int satype; -{ -#ifdef KEYCTL_DUMPSA - vchar_t *buf = NULL; - int mib[] = { CTL_NET, PF_KEY, KEYCTL_DUMPSA, 0 }; - size_t len; - struct sadb_msg *msg; - int error; - - mib[3] = satype; - if (sysctl(mib, 4, NULL, &len, NULL, 0) < 0) { - error = errno; - plog(LLV_ERROR, LOCATION, NULL, - "libipsec failed sysctl: %s\n", strerror(errno)); - goto goterror; - } - - buf = vmalloc(len); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to reallocate buffer to dump.\n"); - goto fail; - } - - if (sysctl(mib, 4, buf->v, &len, NULL, 0) < 0) { - error = errno; - plog(LLV_ERROR, LOCATION, NULL, - "libipsec failed sysctl: %s\n", strerror(errno)); - goto goterror; - } - - return buf; - -fail: - if (buf) - vfree(buf); - return (NULL); - -goterror: - buf = vrealloc(buf, sizeof(*msg)); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to reallocate buffer for error msg.\n"); - goto fail; - } - - /* - * mimic an error from keysock - */ - msg = (struct sadb_msg *)buf->v; - memset(msg, 0, 
sizeof(*msg)); - msg->sadb_msg_version = PF_KEY_V2; - msg->sadb_msg_type = SADB_DUMP; - msg->sadb_msg_errno = error; - msg->sadb_msg_satype = satype; - msg->sadb_msg_len = PFKEY_UNIT64(sizeof(struct sadb_msg)); - msg->sadb_msg_reserved = 0; - msg->sadb_msg_seq = 0; - msg->sadb_msg_pid = getpid(); - - return buf; -#else - int s = -1; - vchar_t *buf = NULL; - pid_t pid = getpid(); - struct sadb_msg *msg = NULL; - size_t bl, ml; - int len; - - if ((s = pfkey_open()) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "libipsec failed pfkey open: %s\n", - ipsec_strerror()); - return NULL; - } - - plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_dump\n"); - if (pfkey_send_dump(s, satype) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "libipsec failed dump: %s\n", ipsec_strerror()); - goto fail; - } - - while (1) { - if (msg) - racoon_free(msg); - msg = pk_recv(s, &len); - if (msg == NULL) { - if (len < 0) - goto done; - else - continue; - } - - if (msg->sadb_msg_type != SADB_DUMP || msg->sadb_msg_pid != pid) - continue; - - ml = msg->sadb_msg_len << 3; - bl = buf ? buf->l : 0; - buf = vrealloc(buf, bl + ml); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to reallocate buffer to dump.\n"); - goto fail; - } - memcpy(buf->v + bl, msg, ml); - - if (msg->sadb_msg_seq == 0) - break; - } - goto done; - -fail: - if (buf) - vfree(buf); - buf = NULL; -done: - if (msg) - racoon_free(msg); - if (s >= 0) - close(s); - return buf; -#endif -} - -/* - * flush SADB - */ -void -pfkey_flush_sadb(proto) - u_int proto; -{ - int satype; - - /* convert to SADB_SATYPE */ - if ((satype = admin2pfkey_proto(proto)) < 0) - return; - - plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_flush\n"); - if (pfkey_send_flush(lcconf->sock_pfkey, satype) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "libipsec failed send flush (%s)\n", ipsec_strerror()); - return; - } - - return; -} - -/* - * These are the SATYPEs that we manage. 
We register to get - * PF_KEY messages related to these SATYPEs, and we also use - * this list to determine which SATYPEs to delete SAs for when - * we receive an INITIAL-CONTACT. - */ -const struct pfkey_satype pfkey_satypes[] = { - { SADB_SATYPE_AH, "AH" }, - { SADB_SATYPE_ESP, "ESP" }, - { SADB_X_SATYPE_IPCOMP, "IPCOMP" }, -}; -const int pfkey_nsatypes = - sizeof(pfkey_satypes) / sizeof(pfkey_satypes[0]); - -/* - * PF_KEY initialization - */ -int -pfkey_init() -{ - int i, reg_fail; - - if ((lcconf->sock_pfkey = pfkey_open()) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "libipsec failed pfkey open (%s)", ipsec_strerror()); - return -1; - } - - for (i = 0, reg_fail = 0; i < pfkey_nsatypes; i++) { - plog(LLV_DEBUG, LOCATION, NULL, - "call pfkey_send_register for %s\n", - pfkey_satypes[i].ps_name); - if (pfkey_send_register(lcconf->sock_pfkey, - pfkey_satypes[i].ps_satype) < 0 || - pfkey_recv_register(lcconf->sock_pfkey) < 0) { - plog(LLV_WARNING, LOCATION, NULL, - "failed to register %s (%s)", - pfkey_satypes[i].ps_name, - ipsec_strerror()); - reg_fail++; - } - } - - if (reg_fail == pfkey_nsatypes) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to regist any protocol."); - pfkey_close(lcconf->sock_pfkey); - return -1; - } - - initsp(); - - if (pfkey_send_spddump(lcconf->sock_pfkey) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "libipsec sending spddump failed: %s", - ipsec_strerror()); - pfkey_close(lcconf->sock_pfkey); - return -1; - } -#if 0 - if (pfkey_promisc_toggle(1) < 0) { - pfkey_close(lcconf->sock_pfkey); - return -1; - } -#endif - return 0; -} - -/* %%% for conversion */ -/* IPSECDOI_ATTR_AUTH -> SADB_AALG */ -static u_int -ipsecdoi2pfkey_aalg(hashtype) - u_int hashtype; -{ - switch (hashtype) { - case IPSECDOI_ATTR_AUTH_HMAC_MD5: - return SADB_AALG_MD5HMAC; - case IPSECDOI_ATTR_AUTH_HMAC_SHA1: - return SADB_AALG_SHA1HMAC; - case IPSECDOI_ATTR_AUTH_KPDK: /* need special care */ - return SADB_AALG_NONE; - - /* not supported */ - case IPSECDOI_ATTR_AUTH_DES_MAC: 
- plog(LLV_ERROR, LOCATION, NULL, - "Not supported hash type: %u\n", hashtype); - return ~0; - - case 0: /* reserved */ - default: - return SADB_AALG_NONE; - - plog(LLV_ERROR, LOCATION, NULL, - "Invalid hash type: %u\n", hashtype); - return ~0; - } - /*NOTREACHED*/ -} - -/* IPSECDOI_ESP -> SADB_EALG */ -static u_int -ipsecdoi2pfkey_ealg(t_id) - u_int t_id; -{ - switch (t_id) { - case IPSECDOI_ESP_DES_IV64: /* sa_flags |= SADB_X_EXT_OLD */ - return SADB_EALG_DESCBC; - case IPSECDOI_ESP_DES: - return SADB_EALG_DESCBC; - case IPSECDOI_ESP_3DES: - return SADB_EALG_3DESCBC; -#ifdef SADB_X_EALG_RC5CBC - case IPSECDOI_ESP_RC5: - return SADB_X_EALG_RC5CBC; -#endif - case IPSECDOI_ESP_CAST: - return SADB_X_EALG_CAST128CBC; - case IPSECDOI_ESP_BLOWFISH: - return SADB_X_EALG_BLOWFISHCBC; - case IPSECDOI_ESP_DES_IV32: /* flags |= (SADB_X_EXT_OLD| - SADB_X_EXT_IV4B)*/ - return SADB_EALG_DESCBC; - case IPSECDOI_ESP_NULL: - return SADB_EALG_NULL; -#ifdef SADB_X_EALG_RIJNDAELCBC - case IPSECDOI_ESP_RIJNDAEL: - return SADB_X_EALG_RIJNDAELCBC; -#endif -#ifdef SADB_X_EALG_TWOFISHCBC - case IPSECDOI_ESP_TWOFISH: - return SADB_X_EALG_TWOFISHCBC; -#endif - - /* not supported */ - case IPSECDOI_ESP_3IDEA: - case IPSECDOI_ESP_IDEA: - case IPSECDOI_ESP_RC4: - plog(LLV_ERROR, LOCATION, NULL, - "Not supported transform: %u\n", t_id); - return ~0; - - case 0: /* reserved */ - default: - plog(LLV_ERROR, LOCATION, NULL, - "Invalid transform id: %u\n", t_id); - return ~0; - } - /*NOTREACHED*/ -} - -/* IPCOMP -> SADB_CALG */ -static u_int -ipsecdoi2pfkey_calg(t_id) - u_int t_id; -{ - switch (t_id) { - case IPSECDOI_IPCOMP_OUI: - return SADB_X_CALG_OUI; - case IPSECDOI_IPCOMP_DEFLATE: - return SADB_X_CALG_DEFLATE; - case IPSECDOI_IPCOMP_LZS: - return SADB_X_CALG_LZS; - - case 0: /* reserved */ - default: - plog(LLV_ERROR, LOCATION, NULL, - "Invalid transform id: %u\n", t_id); - return ~0; - } - /*NOTREACHED*/ -} - -/* IPSECDOI_PROTO -> SADB_SATYPE */ -u_int -ipsecdoi2pfkey_proto(proto) - u_int 
proto; -{ - switch (proto) { - case IPSECDOI_PROTO_IPSEC_AH: - return SADB_SATYPE_AH; - case IPSECDOI_PROTO_IPSEC_ESP: - return SADB_SATYPE_ESP; - case IPSECDOI_PROTO_IPCOMP: - return SADB_X_SATYPE_IPCOMP; - - default: - plog(LLV_ERROR, LOCATION, NULL, - "Invalid ipsec_doi proto: %u\n", proto); - return ~0; - } - /*NOTREACHED*/ -} - -static u_int -ipsecdoi2pfkey_alg(algclass, type) - u_int algclass, type; -{ - switch (algclass) { - case IPSECDOI_ATTR_AUTH: - return ipsecdoi2pfkey_aalg(type); - case IPSECDOI_PROTO_IPSEC_ESP: - return ipsecdoi2pfkey_ealg(type); - case IPSECDOI_PROTO_IPCOMP: - return ipsecdoi2pfkey_calg(type); - default: - plog(LLV_ERROR, LOCATION, NULL, - "Invalid ipsec_doi algclass: %u\n", algclass); - return ~0; - } - /*NOTREACHED*/ -} - -/* SADB_SATYPE -> IPSECDOI_PROTO */ -u_int -pfkey2ipsecdoi_proto(satype) - u_int satype; -{ - switch (satype) { - case SADB_SATYPE_AH: - return IPSECDOI_PROTO_IPSEC_AH; - case SADB_SATYPE_ESP: - return IPSECDOI_PROTO_IPSEC_ESP; - case SADB_X_SATYPE_IPCOMP: - return IPSECDOI_PROTO_IPCOMP; - - default: - plog(LLV_ERROR, LOCATION, NULL, - "Invalid pfkey proto: %u\n", satype); - return ~0; - } - /*NOTREACHED*/ -} - -/* IPSECDOI_ATTR_ENC_MODE -> IPSEC_MODE */ -u_int -ipsecdoi2pfkey_mode(mode) - u_int mode; -{ - switch (mode) { - case IPSECDOI_ATTR_ENC_MODE_TUNNEL: - return IPSEC_MODE_TUNNEL; - case IPSECDOI_ATTR_ENC_MODE_TRNS: - return IPSEC_MODE_TRANSPORT; - default: - plog(LLV_ERROR, LOCATION, NULL, "Invalid mode type: %u\n", mode); - return ~0; - } - /*NOTREACHED*/ -} - -/* IPSECDOI_ATTR_ENC_MODE -> IPSEC_MODE */ -u_int -pfkey2ipsecdoi_mode(mode) - u_int mode; -{ - switch (mode) { - case IPSEC_MODE_TUNNEL: - return IPSECDOI_ATTR_ENC_MODE_TUNNEL; - case IPSEC_MODE_TRANSPORT: - return IPSECDOI_ATTR_ENC_MODE_TRNS; - case IPSEC_MODE_ANY: - return IPSECDOI_ATTR_ENC_MODE_ANY; - default: - plog(LLV_ERROR, LOCATION, NULL, "Invalid mode type: %u\n", mode); - return ~0; - } - /*NOTREACHED*/ -} - -/* default key length for 
encryption algorithm */ -static u_int -keylen_aalg(hashtype) - u_int hashtype; -{ - int res; - - if (hashtype == 0) - return SADB_AALG_NONE; - - res = alg_ipsec_hmacdef_hashlen(hashtype); - if (res == -1) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid hmac algorithm %u.\n", hashtype); - return ~0; - } - return res; -} - -/* default key length for encryption algorithm */ -static u_int -keylen_ealg(enctype, encklen) - u_int enctype; - int encklen; -{ - int res; - - res = alg_ipsec_encdef_keylen(enctype, encklen); - if (res == -1) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid encryption algorithm %u.\n", enctype); - return ~0; - } - return res; -} - -int -pfkey_convertfromipsecdoi(proto_id, t_id, hashtype, - e_type, e_keylen, a_type, a_keylen, flags) - u_int proto_id; - u_int t_id; - u_int hashtype; - u_int *e_type; - u_int *e_keylen; - u_int *a_type; - u_int *a_keylen; - u_int *flags; -{ - *flags = 0; - switch (proto_id) { - case IPSECDOI_PROTO_IPSEC_ESP: - if ((*e_type = ipsecdoi2pfkey_ealg(t_id)) == ~0) - goto bad; - if ((*e_keylen = keylen_ealg(t_id, *e_keylen)) == ~0) - goto bad; - *e_keylen >>= 3; - - if ((*a_type = ipsecdoi2pfkey_aalg(hashtype)) == ~0) - goto bad; - if ((*a_keylen = keylen_aalg(hashtype)) == ~0) - goto bad; - *a_keylen >>= 3; - - if (*e_type == SADB_EALG_NONE) { - plog(LLV_ERROR, LOCATION, NULL, "no ESP algorithm.\n"); - goto bad; - } - break; - - case IPSECDOI_PROTO_IPSEC_AH: - if ((*a_type = ipsecdoi2pfkey_aalg(hashtype)) == ~0) - goto bad; - if ((*a_keylen = keylen_aalg(hashtype)) == ~0) - goto bad; - *a_keylen >>= 3; - - if (t_id == IPSECDOI_ATTR_AUTH_HMAC_MD5 - && hashtype == IPSECDOI_ATTR_AUTH_KPDK) { - /* AH_MD5 + Auth(KPDK) = RFC1826 keyed-MD5 */ - *a_type = SADB_X_AALG_MD5; - *flags |= SADB_X_EXT_OLD; - } - *e_type = SADB_EALG_NONE; - *e_keylen = 0; - if (*a_type == SADB_AALG_NONE) { - plog(LLV_ERROR, LOCATION, NULL, "no AH algorithm.\n"); - goto bad; - } - break; - - case IPSECDOI_PROTO_IPCOMP: - if ((*e_type = 
ipsecdoi2pfkey_calg(t_id)) == ~0) - goto bad; - *e_keylen = 0; - - *flags = SADB_X_EXT_RAWCPI; - - *a_type = SADB_AALG_NONE; - *a_keylen = 0; - if (*e_type == SADB_X_CALG_NONE) { - plog(LLV_ERROR, LOCATION, NULL, "no IPCOMP algorithm.\n"); - goto bad; - } - break; - - default: - plog(LLV_ERROR, LOCATION, NULL, "unknown IPsec protocol.\n"); - goto bad; - } - - return 0; - - bad: - errno = EINVAL; - return -1; -} - -/* called from scheduler */ -void -pfkey_timeover_stub(p) - void *p; -{ - - pfkey_timeover((struct ph2handle *)p); -} - -void -pfkey_timeover(iph2) - struct ph2handle *iph2; -{ - plog(LLV_ERROR, LOCATION, NULL, - "%s give up to get IPsec-SA due to time up to wait.\n", - saddrwop2str(iph2->dst)); - SCHED_KILL(iph2->sce); - - /* If initiator side, send error to kernel by SADB_ACQUIRE. */ - if (iph2->side == INITIATOR) - pk_sendeacquire(iph2); - - unbindph12(iph2); - remph2(iph2); - delph2(iph2); - - return; -} - -/*%%%*/ -/* send getspi message per ipsec protocol per remote address */ -/* - * the local address and remote address in ph1handle are dealed - * with destination address and source address respectively. - * Because SPI is decided by responder. 
- */ -int -pk_sendgetspi(iph2) - struct ph2handle *iph2; -{ - struct sockaddr *src = NULL, *dst = NULL; - u_int satype, mode; - struct saprop *pp; - struct saproto *pr; - int proxy = 0; - - if (iph2->side == INITIATOR) { - pp = iph2->proposal; - proxy = iph2->ph1->rmconf->support_proxy; - } else { - pp = iph2->approval; - if (iph2->sainfo && iph2->sainfo->id_i) - proxy = 1; - } - - /* for mobile IPv6 */ - if (proxy && iph2->src_id && iph2->dst_id && - ipsecdoi_transportmode(pp)) { - src = iph2->src_id; - dst = iph2->dst_id; - } else { - src = iph2->src; - dst = iph2->dst; - } - - for (pr = pp->head; pr != NULL; pr = pr->next) { - - /* validity check */ - satype = ipsecdoi2pfkey_proto(pr->proto_id); - if (satype == ~0) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid proto_id %d\n", pr->proto_id); - return -1; - } - mode = ipsecdoi2pfkey_mode(pr->encmode); - if (mode == ~0) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid encmode %d\n", pr->encmode); - return -1; - } - - plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_getspi\n"); - if (pfkey_send_getspi( - lcconf->sock_pfkey, - satype, - mode, - dst, /* src of SA */ - src, /* dst of SA */ - 0, 0, pr->reqid_in, iph2->seq) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "ipseclib failed send getspi (%s)\n", - ipsec_strerror()); - return -1; - } - plog(LLV_DEBUG, LOCATION, NULL, - "pfkey GETSPI sent: %s\n", - sadbsecas2str(dst, src, satype, 0, mode)); - } - - return 0; -} - -/* - * receive GETSPI from kernel. 
- */ -static int -pk_recvgetspi(mhp) - caddr_t *mhp; -{ - struct sadb_msg *msg; - struct sadb_sa *sa; - struct ph2handle *iph2; - struct sockaddr *dst; - int proto_id; - int allspiok, notfound; - struct saprop *pp; - struct saproto *pr; - - /* validity check */ - if (mhp[SADB_EXT_SA] == NULL - || mhp[SADB_EXT_ADDRESS_DST] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "inappropriate sadb getspi message passed.\n"); - return -1; - } - msg = (struct sadb_msg *)mhp[0]; - sa = (struct sadb_sa *)mhp[SADB_EXT_SA]; - dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); /* note SA dir */ - - /* the message has to be processed or not ? */ - if (msg->sadb_msg_pid != getpid()) { - plog(LLV_DEBUG, LOCATION, NULL, - "%s message is not interesting " - "because pid %d is not mine.\n", - s_pfkey_type(msg->sadb_msg_type), - msg->sadb_msg_pid); - return -1; - } - - iph2 = getph2byseq(msg->sadb_msg_seq); - if (iph2 == NULL) { - plog(LLV_DEBUG, LOCATION, NULL, - "seq %d of %s message not interesting.\n", - msg->sadb_msg_seq, - s_pfkey_type(msg->sadb_msg_type)); - return -1; - } - - if (iph2->status != PHASE2ST_GETSPISENT) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatch (db:%d msg:%d)\n", - iph2->status, PHASE2ST_GETSPISENT); - return -1; - } - - /* set SPI, and check to get all spi whether or not */ - allspiok = 1; - notfound = 1; - proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype); - pp = iph2->side == INITIATOR ? 
iph2->proposal : iph2->approval; - - for (pr = pp->head; pr != NULL; pr = pr->next) { - if (pr->proto_id == proto_id && pr->spi == 0) { - pr->spi = sa->sadb_sa_spi; - notfound = 0; - plog(LLV_DEBUG, LOCATION, NULL, - "pfkey GETSPI succeeded: %s\n", - sadbsecas2str(iph2->dst, iph2->src, - msg->sadb_msg_satype, - sa->sadb_sa_spi, - ipsecdoi2pfkey_mode(pr->encmode))); - } - if (pr->spi == 0) - allspiok = 0; /* not get all spi */ - } - - if (notfound) { - plog(LLV_ERROR, LOCATION, NULL, - "get spi for unknown address %s\n", - saddrwop2str(iph2->dst)); - return -1; - } - - if (allspiok) { - /* update status */ - iph2->status = PHASE2ST_GETSPIDONE; - if (isakmp_post_getspi(iph2) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to start post getspi.\n"); - unbindph12(iph2); - remph2(iph2); - delph2(iph2); - iph2 = NULL; - return -1; - } - } - - return 0; -} - -/* - * set inbound SA - */ -int -pk_sendupdate(iph2) - struct ph2handle *iph2; -{ - struct saproto *pr; - struct sockaddr *src = NULL, *dst = NULL; - int e_type, e_keylen, a_type, a_keylen, flags; - u_int satype, mode; - u_int64_t lifebyte = 0; - int proxy = 0; - - /* sanity check */ - if (iph2->approval == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "no approvaled SAs found.\n"); - } - - if (iph2->side == INITIATOR) - proxy = iph2->ph1->rmconf->support_proxy; - else if (iph2->sainfo && iph2->sainfo->id_i) - proxy = 1; - - /* for mobile IPv6 */ - if (proxy && iph2->src_id && iph2->dst_id && - ipsecdoi_transportmode(iph2->approval)) { - src = iph2->src_id; - dst = iph2->dst_id; - } else { - src = iph2->src; - dst = iph2->dst; - } - - for (pr = iph2->approval->head; pr != NULL; pr = pr->next) { - /* validity check */ - satype = ipsecdoi2pfkey_proto(pr->proto_id); - if (satype == ~0) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid proto_id %d\n", pr->proto_id); - return -1; - } -#ifdef ENABLE_SAMODE_UNSPECIFIED - mode = IPSEC_MODE_ANY; -#else - mode = ipsecdoi2pfkey_mode(pr->encmode); - if (mode == ~0) { - 
plog(LLV_ERROR, LOCATION, NULL, - "invalid encmode %d\n", pr->encmode); - return -1; - } -#endif - - /* set algorithm type and key length */ - e_keylen = pr->head->encklen; - if (pfkey_convertfromipsecdoi( - pr->proto_id, - pr->head->trns_id, - pr->head->authtype, - &e_type, &e_keylen, - &a_type, &a_keylen, &flags) < 0) - return -1; - -#if 0 - lifebyte = iph2->approval->lifebyte * 1024, -#else - lifebyte = 0; -#endif - - plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_update\n"); - - if (pfkey_send_update( - lcconf->sock_pfkey, - satype, - mode, - dst, - src, - pr->spi, - pr->reqid_in, - 4, /* XXX static size of window */ - pr->keymat->v, - e_type, e_keylen, a_type, a_keylen, flags, - 0, lifebyte, iph2->approval->lifetime, 0, - iph2->seq) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "libipsec failed send update (%s)\n", - ipsec_strerror()); - return -1; - } - - if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]) - continue; - - /* - * It maybe good idea to call backupsa_to_file() after - * racoon will receive the sadb_update messages. - * But it is impossible because there is not key in the - * information from the kernel. - */ - if (backupsa_to_file(satype, mode, dst, src, - pr->spi, pr->reqid_in, 4, - pr->keymat->v, - e_type, e_keylen, a_type, a_keylen, flags, - 0, iph2->approval->lifebyte * 1024, - iph2->approval->lifetime, 0, - iph2->seq) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "backuped SA failed: %s\n", - sadbsecas2str(dst, src, - satype, pr->spi, mode)); - } - plog(LLV_DEBUG, LOCATION, NULL, - "backuped SA: %s\n", - sadbsecas2str(dst, src, - satype, pr->spi, mode)); - } - - return 0; -} - -static int -pk_recvupdate(mhp) - caddr_t *mhp; -{ - struct sadb_msg *msg; - struct sadb_sa *sa; - struct sockaddr *src, *dst; - struct ph2handle *iph2; - u_int proto_id, encmode, sa_mode; - int incomplete = 0; - struct saproto *pr; - - /* ignore this message because of local test mode. 
*/ - if (f_local) - return 0; - - /* sanity check */ - if (mhp[0] == NULL - || mhp[SADB_EXT_SA] == NULL - || mhp[SADB_EXT_ADDRESS_SRC] == NULL - || mhp[SADB_EXT_ADDRESS_DST] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "inappropriate sadb update message passed.\n"); - return -1; - } - msg = (struct sadb_msg *)mhp[0]; - src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); - dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); - sa = (struct sadb_sa *)mhp[SADB_EXT_SA]; - - sa_mode = mhp[SADB_X_EXT_SA2] == NULL - ? IPSEC_MODE_ANY - : ((struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode; - - /* the message has to be processed or not ? */ - if (msg->sadb_msg_pid != getpid()) { - plog(LLV_DEBUG, LOCATION, NULL, - "%s message is not interesting " - "because pid %d is not mine.\n", - s_pfkey_type(msg->sadb_msg_type), - msg->sadb_msg_pid); - return -1; - } - - iph2 = getph2byseq(msg->sadb_msg_seq); - if (iph2 == NULL) { - plog(LLV_DEBUG, LOCATION, NULL, - "seq %d of %s message not interesting.\n", - msg->sadb_msg_seq, - s_pfkey_type(msg->sadb_msg_type)); - return -1; - } - - if (iph2->status != PHASE2ST_ADDSA) { - plog(LLV_ERROR, LOCATION, NULL, - "status mismatch (db:%d msg:%d)\n", - iph2->status, PHASE2ST_ADDSA); - return -1; - } - - /* check to complete all keys ? 
*/ - for (pr = iph2->approval->head; pr != NULL; pr = pr->next) { - proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype); - if (proto_id == ~0) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid proto_id %d\n", msg->sadb_msg_satype); - return -1; - } - encmode = pfkey2ipsecdoi_mode(sa_mode); - if (encmode == ~0) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid encmode %d\n", sa_mode); - return -1; - } - - if (pr->proto_id == proto_id - && pr->spi == sa->sadb_sa_spi) { - pr->ok = 1; - plog(LLV_DEBUG, LOCATION, NULL, - "pfkey UPDATE succeeded: %s\n", - sadbsecas2str(iph2->dst, iph2->src, - msg->sadb_msg_satype, - sa->sadb_sa_spi, - sa_mode)); - - plog(LLV_INFO, LOCATION, NULL, - "IPsec-SA established: %s\n", - sadbsecas2str(iph2->dst, iph2->src, - msg->sadb_msg_satype, sa->sadb_sa_spi, - sa_mode)); - } - - if (pr->ok == 0) - incomplete = 1; - } - - if (incomplete) - return 0; - - /* turn off the timer for calling pfkey_timeover() */ - SCHED_KILL(iph2->sce); - - /* update status */ - iph2->status = PHASE2ST_ESTABLISHED; - -#ifdef ENABLE_STATS - gettimeofday(&iph2->end, NULL); - syslog(LOG_NOTICE, "%s(%s): %8.6f", - "phase2", "quick", timedelta(&iph2->start, &iph2->end)); -#endif - - /* count up */ - iph2->ph1->ph2cnt++; - - /* turn off schedule */ - if (iph2->scr) - SCHED_KILL(iph2->scr); - - /* - * since we are going to reuse the phase2 handler, we need to - * remain it and refresh all the references between ph1 and ph2 to use. 
- */ - unbindph12(iph2); - - iph2->sce = sched_new(iph2->approval->lifetime, - isakmp_ph2expire_stub, iph2); - - plog(LLV_DEBUG, LOCATION, NULL, "===\n"); - return 0; -} - -/* - * set outbound SA - */ -int -pk_sendadd(iph2) - struct ph2handle *iph2; -{ - struct saproto *pr; - struct sockaddr *src = NULL, *dst = NULL; - int e_type, e_keylen, a_type, a_keylen, flags; - u_int satype, mode; - u_int64_t lifebyte = 0; - int proxy = 0; - - /* sanity check */ - if (iph2->approval == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "no approvaled SAs found.\n"); - } - - if (iph2->side == INITIATOR) - proxy = iph2->ph1->rmconf->support_proxy; - else if (iph2->sainfo && iph2->sainfo->id_i) - proxy = 1; - - /* for mobile IPv6 */ - if (proxy && iph2->src_id && iph2->dst_id && - ipsecdoi_transportmode(iph2->approval)) { - src = iph2->src_id; - dst = iph2->dst_id; - } else { - src = iph2->src; - dst = iph2->dst; - } - - for (pr = iph2->approval->head; pr != NULL; pr = pr->next) { - /* validity check */ - satype = ipsecdoi2pfkey_proto(pr->proto_id); - if (satype == ~0) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid proto_id %d\n", pr->proto_id); - return -1; - } -#ifdef ENABLE_SAMODE_UNSPECIFIED - mode = IPSEC_MODE_ANY; -#else - mode = ipsecdoi2pfkey_mode(pr->encmode); - if (mode == ~0) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid encmode %d\n", pr->encmode); - return -1; - } -#endif - - /* set algorithm type and key length */ - e_keylen = pr->head->encklen; - if (pfkey_convertfromipsecdoi( - pr->proto_id, - pr->head->trns_id, - pr->head->authtype, - &e_type, &e_keylen, - &a_type, &a_keylen, &flags) < 0) - return -1; - -#if 0 - lifebyte = iph2->approval->lifebyte * 1024, -#else - lifebyte = 0; -#endif - - plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_add\n"); - - if (pfkey_send_add( - lcconf->sock_pfkey, - satype, - mode, - src, - dst, - pr->spi_p, - pr->reqid_out, - 4, /* XXX static size of window */ - pr->keymat_p->v, - e_type, e_keylen, a_type, a_keylen, flags, - 0, lifebyte, 
iph2->approval->lifetime, 0, - iph2->seq) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "libipsec failed send add (%s)\n", - ipsec_strerror()); - return -1; - } - - if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]) - continue; - - /* - * It maybe good idea to call backupsa_to_file() after - * racoon will receive the sadb_update messages. - * But it is impossible because there is not key in the - * information from the kernel. - */ - if (backupsa_to_file(satype, mode, src, dst, - pr->spi_p, pr->reqid_out, 4, - pr->keymat_p->v, - e_type, e_keylen, a_type, a_keylen, flags, - 0, iph2->approval->lifebyte * 1024, - iph2->approval->lifetime, 0, - iph2->seq) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "backuped SA failed: %s\n", - sadbsecas2str(src, dst, - satype, pr->spi_p, mode)); - } - plog(LLV_DEBUG, LOCATION, NULL, - "backuped SA: %s\n", - sadbsecas2str(src, dst, - satype, pr->spi_p, mode)); - } - - return 0; -} - -static int -pk_recvadd(mhp) - caddr_t *mhp; -{ - struct sadb_msg *msg; - struct sadb_sa *sa; - struct sockaddr *src, *dst; - struct ph2handle *iph2; - u_int sa_mode; - - /* ignore this message because of local test mode. */ - if (f_local) - return 0; - - /* sanity check */ - if (mhp[0] == NULL - || mhp[SADB_EXT_SA] == NULL - || mhp[SADB_EXT_ADDRESS_SRC] == NULL - || mhp[SADB_EXT_ADDRESS_DST] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "inappropriate sadb add message passed.\n"); - return -1; - } - msg = (struct sadb_msg *)mhp[0]; - src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); - dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); - sa = (struct sadb_sa *)mhp[SADB_EXT_SA]; - - sa_mode = mhp[SADB_X_EXT_SA2] == NULL - ? IPSEC_MODE_ANY - : ((struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode; - - /* the message has to be processed or not ? 
*/ - if (msg->sadb_msg_pid != getpid()) { - plog(LLV_DEBUG, LOCATION, NULL, - "%s message is not interesting " - "because pid %d is not mine.\n", - s_pfkey_type(msg->sadb_msg_type), - msg->sadb_msg_pid); - return -1; - } - - iph2 = getph2byseq(msg->sadb_msg_seq); - if (iph2 == NULL) { - plog(LLV_DEBUG, LOCATION, NULL, - "seq %d of %s message not interesting.\n", - msg->sadb_msg_seq, - s_pfkey_type(msg->sadb_msg_type)); - return -1; - } - - /* - * NOTE don't update any status of phase2 handle - * because they must be updated by SADB_UPDATE message - */ - - plog(LLV_INFO, LOCATION, NULL, - "IPsec-SA established: %s\n", - sadbsecas2str(iph2->src, iph2->dst, - msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode)); - - plog(LLV_DEBUG, LOCATION, NULL, "===\n"); - return 0; -} - -static int -pk_recvexpire(mhp) - caddr_t *mhp; -{ - struct sadb_msg *msg; - struct sadb_sa *sa; - struct sockaddr *src, *dst; - struct ph2handle *iph2; - u_int proto_id, sa_mode; - - /* sanity check */ - if (mhp[0] == NULL - || mhp[SADB_EXT_SA] == NULL - || mhp[SADB_EXT_ADDRESS_SRC] == NULL - || mhp[SADB_EXT_ADDRESS_DST] == NULL - || (mhp[SADB_EXT_LIFETIME_HARD] != NULL - && mhp[SADB_EXT_LIFETIME_SOFT] != NULL)) { - plog(LLV_ERROR, LOCATION, NULL, - "inappropriate sadb expire message passed.\n"); - return -1; - } - msg = (struct sadb_msg *)mhp[0]; - sa = (struct sadb_sa *)mhp[SADB_EXT_SA]; - src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); - dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); - - sa_mode = mhp[SADB_X_EXT_SA2] == NULL - ? 
IPSEC_MODE_ANY - : ((struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode; - - proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype); - if (proto_id == ~0) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid proto_id %d\n", msg->sadb_msg_satype); - return -1; - } - - plog(LLV_INFO, LOCATION, NULL, - "IPsec-SA expired: %s\n", - sadbsecas2str(src, dst, - msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode)); - - iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi); - if (iph2 == NULL) { - /* - * Ignore it because two expire messages are come up. - * phase2 handler has been deleted already when 2nd message - * is received. - */ - plog(LLV_DEBUG, LOCATION, NULL, - "no such a SA found: %s\n", - sadbsecas2str(src, dst, - msg->sadb_msg_satype, sa->sadb_sa_spi, - sa_mode)); - return 0; - } - if (iph2->status != PHASE2ST_ESTABLISHED) { - /* - * If the status is not equal to PHASE2ST_ESTABLISHED, - * racoon ignores this expire message. There are two reason. - * One is that the phase 2 probably starts because there is - * a potential that racoon receives the acquire message - * without receiving a expire message. Another is that racoon - * may receive the multiple expire messages from the kernel. - */ - plog(LLV_WARNING, LOCATION, NULL, - "the expire message is received " - "but the handler has not been established.\n"); - return 0; - } - - /* turn off the timer for calling isakmp_ph2expire() */ - SCHED_KILL(iph2->sce); - - iph2->status = PHASE2ST_EXPIRED; - - /* INITIATOR, begin phase 2 exchange. 
*/ - /* allocate buffer for status management of pfkey message */ - if (iph2->side == INITIATOR) { - - initph2(iph2); - - /* update status for re-use */ - iph2->status = PHASE2ST_STATUS2; - - /* start isakmp initiation by using ident exchange */ - if (isakmp_post_acquire(iph2) < 0) { - plog(LLV_ERROR, LOCATION, iph2->dst, - "failed to begin ipsec sa " - "re-negotication.\n"); - unbindph12(iph2); - remph2(iph2); - delph2(iph2); - return -1; - } - - return 0; - /*NOTREACHED*/ - } - - /* If not received SADB_EXPIRE, INITIATOR delete ph2handle. */ - /* RESPONDER always delete ph2handle, keep silent. RESPONDER doesn't - * manage IPsec SA, so delete the list */ - unbindph12(iph2); - remph2(iph2); - delph2(iph2); - - return 0; -} - -static int -pk_recvacquire(mhp) - caddr_t *mhp; -{ - struct sadb_msg *msg; - struct sadb_x_policy *xpl; - struct secpolicy *sp_out = NULL, *sp_in = NULL; -#define MAXNESTEDSA 5 /* XXX */ - struct ph2handle *iph2[MAXNESTEDSA]; - int n; /* # of phase 2 handler */ - - /* ignore this message because of local test mode. */ - if (f_local) - return 0; - - /* sanity check */ - if (mhp[0] == NULL - || mhp[SADB_EXT_ADDRESS_SRC] == NULL - || mhp[SADB_EXT_ADDRESS_DST] == NULL - || mhp[SADB_X_EXT_POLICY] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "inappropriate sadb acquire message passed.\n"); - return -1; - } - msg = (struct sadb_msg *)mhp[0]; - xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY]; - - /* ignore if type is not IPSEC_POLICY_IPSEC */ - if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) { - plog(LLV_DEBUG, LOCATION, NULL, - "ignore ACQUIRE message. 
type is not IPsec.\n"); - return 0; - } - - /* ignore it if src is multicast address */ - { - struct sockaddr *sa = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); - - if ((sa->sa_family == AF_INET - && IN_MULTICAST(ntohl(((struct sockaddr_in *)sa)->sin_addr.s_addr))) -#ifdef INET6 - || (sa->sa_family == AF_INET6 - && IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *)sa)->sin6_addr)) -#endif - ) { - plog(LLV_DEBUG, LOCATION, NULL, - "ignore due to multicast address: %s.\n", - saddrwop2str(sa)); - return 0; - } - } - - /* - * If there is a phase 2 handler against the policy identifier in - * the acquire message, and if - * 1. its state is less than PHASE2ST_ESTABLISHED, then racoon - * should ignore such a acquire message because the phase 2 - * is just negotiating. - * 2. its state is equal to PHASE2ST_ESTABLISHED, then racoon - * has to prcesss such a acquire message because racoon may - * lost the expire message. - */ - iph2[0] = getph2byspid(xpl->sadb_x_policy_id); - if (iph2[0] != NULL) { - if (iph2[0]->status < PHASE2ST_ESTABLISHED) { - plog(LLV_DEBUG, LOCATION, NULL, - "ignore the acquire because ph2 found\n"); - return -1; - } - if (iph2[0]->status == PHASE2ST_EXPIRED) - iph2[0] = NULL; - /*FALLTHROUGH*/ - } - - /* search for proper policyindex */ - sp_out = getspbyspid(xpl->sadb_x_policy_id); - if (sp_out == NULL) { - plog(LLV_ERROR, LOCATION, NULL, "no policy found: id:%d.\n", - xpl->sadb_x_policy_id); - return -1; - } - plog(LLV_DEBUG, LOCATION, NULL, - "suitable outbound SP found: %s.\n", spidx2str(&sp_out->spidx)); - - /* get inbound policy */ - { - struct policyindex spidx; - - spidx.dir = IPSEC_DIR_INBOUND; - memcpy(&spidx.src, &sp_out->spidx.dst, sizeof(spidx.src)); - memcpy(&spidx.dst, &sp_out->spidx.src, sizeof(spidx.dst)); - spidx.prefs = sp_out->spidx.prefd; - spidx.prefd = sp_out->spidx.prefs; - spidx.ul_proto = sp_out->spidx.ul_proto; - - sp_in = getsp(&spidx); - if (sp_in) { - plog(LLV_DEBUG, LOCATION, NULL, - "suitable inbound SP found: %s.\n", - 
spidx2str(&sp_in->spidx)); - } else { - plog(LLV_NOTIFY, LOCATION, NULL, - "no in-bound policy found: %s\n", - spidx2str(&spidx)); - } - } - - memset(iph2, 0, MAXNESTEDSA); - - n = 0; - - /* allocate a phase 2 */ - iph2[n] = newph2(); - if (iph2[n] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate phase2 entry.\n"); - return -1; - } - iph2[n]->side = INITIATOR; - iph2[n]->spid = xpl->sadb_x_policy_id; - iph2[n]->satype = msg->sadb_msg_satype; - iph2[n]->seq = msg->sadb_msg_seq; - iph2[n]->status = PHASE2ST_STATUS2; - - /* set end addresses of SA */ - iph2[n]->dst = dupsaddr(PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST])); - if (iph2[n]->dst == NULL) { - delph2(iph2[n]); - return -1; - } - iph2[n]->src = dupsaddr(PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC])); - if (iph2[n]->src == NULL) { - delph2(iph2[n]); - return -1; - } - - plog(LLV_DEBUG, LOCATION, NULL, - "new acquire %s\n", spidx2str(&sp_out->spidx)); - - /* get sainfo */ - { - vchar_t *idsrc, *iddst; - - idsrc = ipsecdoi_sockaddr2id((struct sockaddr *)&sp_out->spidx.src, - sp_out->spidx.prefs, sp_out->spidx.ul_proto); - if (idsrc == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get ID for %s\n", - spidx2str(&sp_out->spidx)); - delph2(iph2[n]); - return -1; - } - iddst = ipsecdoi_sockaddr2id((struct sockaddr *)&sp_out->spidx.dst, - sp_out->spidx.prefd, sp_out->spidx.ul_proto); - if (iddst == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get ID for %s\n", - spidx2str(&sp_out->spidx)); - vfree(idsrc); - delph2(iph2[n]); - return -1; - } - iph2[n]->sainfo = getsainfo(idsrc, iddst, NULL); - vfree(idsrc); - vfree(iddst); - if (iph2[n]->sainfo == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get sainfo.\n"); - delph2(iph2[n]); - return -1; - /* XXX should use the algorithm list from register message */ - } - } - - if (set_proposal_from_policy(iph2[n], sp_out, sp_in) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to create saprop.\n"); - delph2(iph2[n]); - return -1; - } - 
insph2(iph2[n]); - - /* start isakmp initiation by using ident exchange */ - /* XXX should be looped if there are multiple phase 2 handler. */ - if (isakmp_post_acquire(iph2[n]) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to begin ipsec sa negotication.\n"); - goto err; - } - - return 0; - -err: - while (n >= 0) { - unbindph12(iph2[n]); - remph2(iph2[n]); - delph2(iph2[n]); - iph2[n] = NULL; - n--; - } - return -1; -} - -static int -pk_recvdelete(mhp) - caddr_t *mhp; -{ - struct sadb_msg *msg; - struct sadb_sa *sa; - struct sockaddr *src, *dst; - struct ph2handle *iph2 = NULL; - u_int proto_id; - - /* ignore this message because of local test mode. */ - if (f_local) - return 0; - - /* sanity check */ - if (mhp[0] == NULL - || mhp[SADB_EXT_SA] == NULL - || mhp[SADB_EXT_ADDRESS_SRC] == NULL - || mhp[SADB_EXT_ADDRESS_DST] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "inappropriate sadb delete message passed.\n"); - return -1; - } - msg = (struct sadb_msg *)mhp[0]; - sa = (struct sadb_sa *)mhp[SADB_EXT_SA]; - src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); - dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]); - - /* the message has to be processed or not ? 
*/ - if (msg->sadb_msg_pid == getpid()) { - plog(LLV_DEBUG, LOCATION, NULL, - "%s message is not interesting " - "because the message was originated by me.\n", - s_pfkey_type(msg->sadb_msg_type), - msg->sadb_msg_pid); - return -1; - } - - proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype); - if (proto_id == ~0) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid proto_id %d\n", msg->sadb_msg_satype); - return -1; - } - - iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi); - if (iph2 == NULL) { - /* ignore */ - plog(LLV_ERROR, LOCATION, NULL, - "no iph2 found: %s\n", - sadbsecas2str(src, dst, msg->sadb_msg_satype, - sa->sadb_sa_spi, IPSEC_MODE_ANY)); - return 0; - } - - plog(LLV_ERROR, LOCATION, NULL, - "pfkey DELETE received: %s\n", - sadbsecas2str(iph2->src, iph2->dst, - msg->sadb_msg_satype, sa->sadb_sa_spi, IPSEC_MODE_ANY)); - - /* send delete information */ - if (iph2->status == PHASE2ST_ESTABLISHED) - isakmp_info_send_d2(iph2); - - unbindph12(iph2); - remph2(iph2); - delph2(iph2); - - return 0; -} - -static int -pk_recvflush(mhp) - caddr_t *mhp; -{ - /* ignore this message because of local test mode. 
*/ - if (f_local) - return 0; - - /* sanity check */ - if (mhp[0] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "inappropriate sadb flush message passed.\n"); - return -1; - } - - flushph2(); - - return 0; -} - -static int -getsadbpolicy(policy0, policylen0, type, iph2) - caddr_t *policy0; - int *policylen0, type; - struct ph2handle *iph2; -{ - struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen; - struct sadb_x_policy *xpl; - struct sadb_x_ipsecrequest *xisr; - struct saproto *pr; - caddr_t policy, p; - int policylen; - int xisrlen; - u_int satype, mode; - - /* get policy buffer size */ - policylen = sizeof(struct sadb_x_policy); - if (type != SADB_X_SPDDELETE) { - for (pr = iph2->approval->head; pr; pr = pr->next) { - xisrlen = sizeof(*xisr); - if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL) { - xisrlen += (iph2->src->sa_len - + iph2->dst->sa_len); - } - - policylen += PFKEY_ALIGN8(xisrlen); - } - } - - /* make policy structure */ - policy = racoon_malloc(policylen); - if (!policy) { - plog(LLV_ERROR, LOCATION, NULL, - "buffer allocation failed.\n"); - return -1; - } - - xpl = (struct sadb_x_policy *)policy; - xpl->sadb_x_policy_len = PFKEY_UNIT64(policylen); - xpl->sadb_x_policy_exttype = SADB_X_EXT_POLICY; - xpl->sadb_x_policy_type = IPSEC_POLICY_IPSEC; - xpl->sadb_x_policy_dir = spidx->dir; - xpl->sadb_x_policy_id = 0; - - /* no need to append policy information any more if type is SPDDELETE */ - if (type == SADB_X_SPDDELETE) - goto end; - - xisr = (struct sadb_x_ipsecrequest *)(xpl + 1); - - for (pr = iph2->approval->head; pr; pr = pr->next) { - - satype = doi2ipproto(pr->proto_id); - if (satype == ~0) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid proto_id %d\n", pr->proto_id); - goto err; - } - mode = ipsecdoi2pfkey_mode(pr->encmode); - if (mode == ~0) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid encmode %d\n", pr->encmode); - goto err; - } - - /* - * the policy level cannot be unique because the policy - * is defined later than SA, so 
req_id cannot be bound to SA. - */ - xisr->sadb_x_ipsecrequest_proto = satype; - xisr->sadb_x_ipsecrequest_mode = mode; - xisr->sadb_x_ipsecrequest_level = IPSEC_LEVEL_REQUIRE; - xisr->sadb_x_ipsecrequest_reqid = 0; - p = (caddr_t)(xisr + 1); - - xisrlen = sizeof(*xisr); - - if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL) { - xisrlen += (iph2->src->sa_len + iph2->dst->sa_len); - - memcpy(p, iph2->src, iph2->src->sa_len); - p += iph2->src->sa_len; - - memcpy(p, iph2->dst, iph2->dst->sa_len); - p += iph2->dst->sa_len; - } - - xisr->sadb_x_ipsecrequest_len = PFKEY_ALIGN8(xisrlen); - } - -end: - *policy0 = policy; - *policylen0 = policylen; - - return 0; - -err: - if (policy) - racoon_free(policy); - - return -1; -} - -int -pk_sendspdupdate2(iph2) - struct ph2handle *iph2; -{ - struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen; - caddr_t policy = NULL; - int policylen = 0; - u_int64_t ltime, vtime; - - ltime = iph2->approval->lifetime; - vtime = 0; - - if (getsadbpolicy(&policy, &policylen, SADB_X_SPDUPDATE, iph2)) { - plog(LLV_ERROR, LOCATION, NULL, - "getting sadb policy failed.\n"); - return -1; - } - - if (pfkey_send_spdupdate2( - lcconf->sock_pfkey, - (struct sockaddr *)&spidx->src, - spidx->prefs, - (struct sockaddr *)&spidx->dst, - spidx->prefd, - spidx->ul_proto, - ltime, vtime, - policy, policylen, 0) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "libipsec failed send spdupdate2 (%s)\n", - ipsec_strerror()); - goto end; - } - plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_spdupdate2\n"); - -end: - if (policy) - racoon_free(policy); - - return 0; -} - -static int -pk_recvspdupdate(mhp) - caddr_t *mhp; -{ - struct sadb_address *saddr, *daddr; - struct sadb_x_policy *xpl; - struct policyindex spidx; - struct secpolicy *sp; - - /* sanity check */ - if (mhp[0] == NULL - || mhp[SADB_EXT_ADDRESS_SRC] == NULL - || mhp[SADB_EXT_ADDRESS_DST] == NULL - || mhp[SADB_X_EXT_POLICY] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "inappropriate sadb spdupdate 
message passed.\n"); - return -1; - } - saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; - daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST]; - xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY]; - - KEY_SETSECSPIDX(xpl->sadb_x_policy_dir, - saddr + 1, - daddr + 1, - saddr->sadb_address_prefixlen, - daddr->sadb_address_prefixlen, - saddr->sadb_address_proto, - &spidx); - - sp = getsp(&spidx); - if (sp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "such policy does not already exist: %s\n", - spidx2str(&spidx)); - } else { - remsp(sp); - delsp(sp); - } - - if (addnewsp(mhp) < 0) - return -1; - - return 0; -} - -/* - * this function has to be used by responder side. - */ -int -pk_sendspdadd2(iph2) - struct ph2handle *iph2; -{ - struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen; - caddr_t policy = NULL; - int policylen = 0; - u_int64_t ltime, vtime; - - ltime = iph2->approval->lifetime; - vtime = 0; - - if (getsadbpolicy(&policy, &policylen, SADB_X_SPDADD, iph2)) { - plog(LLV_ERROR, LOCATION, NULL, - "getting sadb policy failed.\n"); - return -1; - } - - if (pfkey_send_spdadd2( - lcconf->sock_pfkey, - (struct sockaddr *)&spidx->src, - spidx->prefs, - (struct sockaddr *)&spidx->dst, - spidx->prefd, - spidx->ul_proto, - ltime, vtime, - policy, policylen, 0) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "libipsec failed send spdadd2 (%s)\n", - ipsec_strerror()); - goto end; - } - plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_spdadd2\n"); - -end: - if (policy) - racoon_free(policy); - - return 0; -} - -static int -pk_recvspdadd(mhp) - caddr_t *mhp; -{ - struct sadb_address *saddr, *daddr; - struct sadb_x_policy *xpl; - struct policyindex spidx; - struct secpolicy *sp; - - /* sanity check */ - if (mhp[0] == NULL - || mhp[SADB_EXT_ADDRESS_SRC] == NULL - || mhp[SADB_EXT_ADDRESS_DST] == NULL - || mhp[SADB_X_EXT_POLICY] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "inappropriate sadb spdadd message passed.\n"); - return -1; - } - saddr = 
(struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; - daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST]; - xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY]; - - KEY_SETSECSPIDX(xpl->sadb_x_policy_dir, - saddr + 1, - daddr + 1, - saddr->sadb_address_prefixlen, - daddr->sadb_address_prefixlen, - saddr->sadb_address_proto, - &spidx); - - sp = getsp(&spidx); - if (sp != NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "such policy already exists. " - "anyway replace it: %s\n", - spidx2str(&spidx)); - remsp(sp); - delsp(sp); - } - - if (addnewsp(mhp) < 0) - return -1; - - return 0; -} - -/* - * this function has to be used by responder side. - */ -int -pk_sendspddelete(iph2) - struct ph2handle *iph2; -{ - struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen; - caddr_t policy = NULL; - int policylen; - - if (getsadbpolicy(&policy, &policylen, SADB_X_SPDDELETE, iph2)) { - plog(LLV_ERROR, LOCATION, NULL, - "getting sadb policy failed.\n"); - return -1; - } - - if (pfkey_send_spddelete( - lcconf->sock_pfkey, - (struct sockaddr *)&spidx->src, - spidx->prefs, - (struct sockaddr *)&spidx->dst, - spidx->prefd, - spidx->ul_proto, - policy, policylen, 0) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "libipsec failed send spddelete (%s)\n", - ipsec_strerror()); - goto end; - } - plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_spddelete\n"); - -end: - if (policy) - racoon_free(policy); - - return 0; -} - -static int -pk_recvspddelete(mhp) - caddr_t *mhp; -{ - struct sadb_address *saddr, *daddr; - struct sadb_x_policy *xpl; - struct policyindex spidx; - struct secpolicy *sp; - - /* sanity check */ - if (mhp[0] == NULL - || mhp[SADB_EXT_ADDRESS_SRC] == NULL - || mhp[SADB_EXT_ADDRESS_DST] == NULL - || mhp[SADB_X_EXT_POLICY] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "inappropriate sadb spddelete message passed.\n"); - return -1; - } - saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; - daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST]; - xpl = (struct 
sadb_x_policy *)mhp[SADB_X_EXT_POLICY]; - - KEY_SETSECSPIDX(xpl->sadb_x_policy_dir, - saddr + 1, - daddr + 1, - saddr->sadb_address_prefixlen, - daddr->sadb_address_prefixlen, - saddr->sadb_address_proto, - &spidx); - - sp = getsp(&spidx); - if (sp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "no policy found: %s\n", - spidx2str(&spidx)); - return -1; - } - - remsp(sp); - delsp(sp); - - return 0; -} - -static int -pk_recvspdexpire(mhp) - caddr_t *mhp; -{ - struct sadb_address *saddr, *daddr; - struct sadb_x_policy *xpl; - struct policyindex spidx; - struct secpolicy *sp; - - /* sanity check */ - if (mhp[0] == NULL - || mhp[SADB_EXT_ADDRESS_SRC] == NULL - || mhp[SADB_EXT_ADDRESS_DST] == NULL - || mhp[SADB_X_EXT_POLICY] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "inappropriate sadb spdexpire message passed.\n"); - return -1; - } - saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; - daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST]; - xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY]; - - KEY_SETSECSPIDX(xpl->sadb_x_policy_dir, - saddr + 1, - daddr + 1, - saddr->sadb_address_prefixlen, - daddr->sadb_address_prefixlen, - saddr->sadb_address_proto, - &spidx); - - sp = getsp(&spidx); - if (sp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "no policy found: %s\n", - spidx2str(&spidx)); - return -1; - } - - remsp(sp); - delsp(sp); - - return 0; -} - -static int -pk_recvspdget(mhp) - caddr_t *mhp; -{ - /* sanity check */ - if (mhp[0] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "inappropriate sadb spdget message passed.\n"); - return -1; - } - - return 0; -} - -static int -pk_recvspddump(mhp) - caddr_t *mhp; -{ - struct sadb_msg *msg; - struct sadb_address *saddr, *daddr; - struct sadb_x_policy *xpl; - struct policyindex spidx; - struct secpolicy *sp; - - /* sanity check */ - if (mhp[0] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "inappropriate sadb spddump message passed.\n"); - return -1; - } - msg = (struct sadb_msg *)mhp[0]; - - saddr = 
(struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; - daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST]; - xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY]; - - if (saddr == NULL || daddr == NULL || xpl == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "inappropriate sadb spddump message passed.\n"); - return -1; - } - - KEY_SETSECSPIDX(xpl->sadb_x_policy_dir, - saddr + 1, - daddr + 1, - saddr->sadb_address_prefixlen, - daddr->sadb_address_prefixlen, - saddr->sadb_address_proto, - &spidx); - - sp = getsp(&spidx); - if (sp != NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "such policy already exists. " - "anyway replace it: %s\n", - spidx2str(&spidx)); - remsp(sp); - delsp(sp); - } - - if (addnewsp(mhp) < 0) - return -1; - - return 0; -} - -static int -pk_recvspdflush(mhp) - caddr_t *mhp; -{ - /* sanity check */ - if (mhp[0] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "inappropriate sadb spdflush message passed.\n"); - return -1; - } - - flushsp(); - - return 0; -} - -/* - * send error against acquire message to kenrel. - */ -int -pk_sendeacquire(iph2) - struct ph2handle *iph2; -{ - struct sadb_msg *newmsg; - int len; - - len = sizeof(struct sadb_msg); - newmsg = racoon_calloc(1, len); - if (newmsg == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get buffer to send acquire.\n"); - return -1; - } - - memset(newmsg, 0, len); - newmsg->sadb_msg_version = PF_KEY_V2; - newmsg->sadb_msg_type = SADB_ACQUIRE; - newmsg->sadb_msg_errno = ENOENT; /* XXX */ - newmsg->sadb_msg_satype = iph2->satype; - newmsg->sadb_msg_len = PFKEY_UNIT64(len); - newmsg->sadb_msg_reserved = 0; - newmsg->sadb_msg_seq = iph2->seq; - newmsg->sadb_msg_pid = (u_int32_t)getpid(); - - /* send message */ - len = pfkey_send(lcconf->sock_pfkey, newmsg, len); - - racoon_free(newmsg); - - return 0; -} - -/* - * check if the algorithm is supported or not. 
- * OUT 0: ok - * -1: ng - */ -int -pk_checkalg(class, calg, keylen) - int class, calg, keylen; -{ - int sup, error; - u_int alg; - struct sadb_alg alg0; - - switch (algclass2doi(class)) { - case IPSECDOI_PROTO_IPSEC_ESP: - sup = SADB_EXT_SUPPORTED_ENCRYPT; - break; - case IPSECDOI_ATTR_AUTH: - sup = SADB_EXT_SUPPORTED_AUTH; - break; - case IPSECDOI_PROTO_IPCOMP: - plog(LLV_DEBUG, LOCATION, NULL, - "compression algorithm can not be checked " - "because sadb message doesn't support it.\n"); - return 0; - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid algorithm class.\n"); - return -1; - } - alg = ipsecdoi2pfkey_alg(algclass2doi(class), algtype2doi(class, calg)); - if (alg == ~0) - return -1; - - if (keylen == 0) { - if (ipsec_get_keylen(sup, alg, &alg0)) { - plog(LLV_ERROR, LOCATION, NULL, - "%s.\n", ipsec_strerror()); - return -1; - } - keylen = alg0.sadb_alg_minbits; - } - - error = ipsec_check_keylen(sup, alg, keylen); - if (error) - plog(LLV_ERROR, LOCATION, NULL, - "%s.\n", ipsec_strerror()); - - return error; -} - -/* - * differences with pfkey_recv() in libipsec/pfkey.c: - * - never performs busy wait loop. 
- * - returns NULL and set *lenp to negative on fatal failures - * - returns NULL and set *lenp to non-negative on non-fatal failures - * - returns non-NULL on success - */ -static struct sadb_msg * -pk_recv(so, lenp) - int so; - int *lenp; -{ - struct sadb_msg buf, *newmsg; - int reallen; - - *lenp = recv(so, (caddr_t)&buf, sizeof(buf), MSG_PEEK); - if (*lenp < 0) - return NULL; /*fatal*/ - else if (*lenp < sizeof(buf)) - return NULL; - - reallen = PFKEY_UNUNIT64(buf.sadb_msg_len); - if ((newmsg = racoon_calloc(1, reallen)) == NULL) - return NULL; - - *lenp = recv(so, (caddr_t)newmsg, reallen, MSG_PEEK); - if (*lenp < 0) { - racoon_free(newmsg); - return NULL; /*fatal*/ - } else if (*lenp != reallen) { - racoon_free(newmsg); - return NULL; - } - - *lenp = recv(so, (caddr_t)newmsg, reallen, 0); - if (*lenp < 0) { - racoon_free(newmsg); - return NULL; /*fatal*/ - } else if (*lenp != reallen) { - racoon_free(newmsg); - return NULL; - } - - return newmsg; -} - -/* see handler.h */ -u_int32_t -pk_getseq() -{ - return arc4random(); -} - -static int -addnewsp(mhp) - caddr_t *mhp; -{ - struct secpolicy *new; - struct sadb_address *saddr, *daddr; - struct sadb_x_policy *xpl; - - /* sanity check */ - if (mhp[SADB_EXT_ADDRESS_SRC] == NULL - || mhp[SADB_EXT_ADDRESS_DST] == NULL - || mhp[SADB_X_EXT_POLICY] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "inappropriate sadb spd management message passed.\n"); - return -1; - } - - saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC]; - daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST]; - xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY]; - - new = newsp(); - if (new == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate buffer\n"); - return -1; - } - - new->spidx.dir = xpl->sadb_x_policy_dir; - new->id = xpl->sadb_x_policy_id; - new->policy = xpl->sadb_x_policy_type; - new->req = NULL; - - /* check policy */ - switch (xpl->sadb_x_policy_type) { - case IPSEC_POLICY_DISCARD: - case IPSEC_POLICY_NONE: - 
case IPSEC_POLICY_ENTRUST: - case IPSEC_POLICY_BYPASS: - break; - - case IPSEC_POLICY_IPSEC: - { - int tlen; - struct sadb_x_ipsecrequest *xisr; - struct ipsecrequest **p_isr = &new->req; - - /* validity check */ - if (PFKEY_EXTLEN(xpl) < sizeof(*xpl)) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid msg length.\n"); - return -1; - } - - tlen = PFKEY_EXTLEN(xpl) - sizeof(*xpl); - xisr = (struct sadb_x_ipsecrequest *)(xpl + 1); - - while (tlen > 0) { - - /* length check */ - if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr)) { - plog(LLV_ERROR, LOCATION, NULL, - "invalid msg length.\n"); - return -1; - } - - /* allocate request buffer */ - *p_isr = newipsecreq(); - if (*p_isr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get new ipsecreq.\n"); - return -1; - } - - /* set values */ - (*p_isr)->next = NULL; - - switch (xisr->sadb_x_ipsecrequest_proto) { - case IPPROTO_ESP: - case IPPROTO_AH: - case IPPROTO_IPCOMP: - break; - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid proto type: %u\n", - xisr->sadb_x_ipsecrequest_proto); - return -1; - } - (*p_isr)->saidx.proto = xisr->sadb_x_ipsecrequest_proto; - - switch (xisr->sadb_x_ipsecrequest_mode) { - case IPSEC_MODE_TRANSPORT: - case IPSEC_MODE_TUNNEL: - break; - case IPSEC_MODE_ANY: - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid mode: %u\n", - xisr->sadb_x_ipsecrequest_mode); - return -1; - } - (*p_isr)->saidx.mode = xisr->sadb_x_ipsecrequest_mode; - - switch (xisr->sadb_x_ipsecrequest_level) { - case IPSEC_LEVEL_DEFAULT: - case IPSEC_LEVEL_USE: - case IPSEC_LEVEL_REQUIRE: - break; - case IPSEC_LEVEL_UNIQUE: - (*p_isr)->saidx.reqid = - xisr->sadb_x_ipsecrequest_reqid; - break; - - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid level: %u\n", - xisr->sadb_x_ipsecrequest_level); - return -1; - } - (*p_isr)->level = xisr->sadb_x_ipsecrequest_level; - - /* set IP addresses if there */ - if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) { - struct sockaddr *paddr; - - paddr = (struct sockaddr 
*)(xisr + 1); - bcopy(paddr, &(*p_isr)->saidx.src, - paddr->sa_len); - - paddr = (struct sockaddr *)((caddr_t)paddr - + paddr->sa_len); - bcopy(paddr, &(*p_isr)->saidx.dst, - paddr->sa_len); - } - - (*p_isr)->sp = new; - - /* initialization for the next. */ - p_isr = &(*p_isr)->next; - tlen -= xisr->sadb_x_ipsecrequest_len; - - /* validity check */ - if (tlen < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "becoming tlen < 0\n"); - } - - xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr - + xisr->sadb_x_ipsecrequest_len); - } - } - break; - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid policy type.\n"); - return -1; - } - - KEY_SETSECSPIDX(xpl->sadb_x_policy_dir, - saddr + 1, - daddr + 1, - saddr->sadb_address_prefixlen, - daddr->sadb_address_prefixlen, - saddr->sadb_address_proto, - &new->spidx); - - inssp(new); - - return 0; -} - -/* proto/mode/src->dst spi */ -const char * -sadbsecas2str(src, dst, proto, spi, mode) - struct sockaddr *src, *dst; - int proto; - u_int32_t spi; - int mode; -{ - static char buf[256]; - u_int doi_proto, doi_mode = 0; - char *p; - int blen, i; - - doi_proto = pfkey2ipsecdoi_proto(proto); - if (doi_proto == ~0) - return NULL; - if (mode) { - doi_mode = pfkey2ipsecdoi_mode(mode); - if (doi_mode == ~0) - return NULL; - } - - blen = sizeof(buf) - 1; - p = buf; - - i = snprintf(p, blen, "%s%s%s ", - s_ipsecdoi_proto(doi_proto), - mode ? "/" : "", - mode ? s_ipsecdoi_encmode(doi_mode) : ""); - if (i < 0 || i >= blen) - return NULL; - p += i; - blen -= i; - - i = snprintf(p, blen, "%s->", saddrwop2str(src)); - if (i < 0 || i >= blen) - return NULL; - p += i; - blen -= i; - - i = snprintf(p, blen, "%s ", saddrwop2str(dst)); - if (i < 0 || i >= blen) - return NULL; - p += i; - blen -= i; - - if (spi) { - snprintf(p, blen, "spi=%lu(0x%lx)", (unsigned long)ntohl(spi), - (unsigned long)ntohl(spi)); - } - - return buf; -} diff --git a/kame/kame/racoon/pfkey.h b/kame/kame/racoon/pfkey.h deleted file mode 100644 index 8ea4f0b915..0000000000 
--- a/kame/kame/racoon/pfkey.h +++ /dev/null 
@@ -1,70 +0,0 @@ -/* $KAME: pfkey.h,v 1.20 2001/06/28 06:21:04 sakane Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -struct pfkey_satype { - u_int8_t ps_satype; - const char *ps_name; -}; - -extern const struct pfkey_satype pfkey_satypes[]; -extern const int pfkey_nsatypes; - -extern int pfkey_handler __P((void)); -extern vchar_t *pfkey_dump_sadb __P((int)); -extern void pfkey_flush_sadb __P((u_int)); -extern int pfkey_init __P((void)); - -extern struct pfkey_st *pfkey_getpst __P((caddr_t *, int, int)); - -extern int pk_checkalg __P((int, int, int)); - -struct ph2handle; -extern int pk_sendgetspi __P((struct ph2handle *)); -extern int pk_sendupdate __P((struct ph2handle *)); -extern int pk_sendadd __P((struct ph2handle *)); -extern int pk_sendeacquire __P((struct ph2handle *)); -extern int pk_sendspdupdate2 __P((struct ph2handle *)); -extern int pk_sendspdadd2 __P((struct ph2handle *)); -extern int pk_sendspddelete __P((struct ph2handle *)); - -extern void pfkey_timeover_stub __P((void *)); -extern void pfkey_timeover __P((struct ph2handle *)); - -extern u_int pfkey2ipsecdoi_proto __P((u_int)); -extern u_int ipsecdoi2pfkey_proto __P((u_int)); -extern u_int pfkey2ipsecdoi_mode __P((u_int)); -extern u_int ipsecdoi2pfkey_mode __P((u_int)); - -extern int pfkey_convertfromipsecdoi __P(( u_int, u_int, u_int, - u_int *, u_int *, u_int *, u_int *, u_int *)); -extern u_int32_t pk_getseq __P((void)); -extern const char *sadbsecas2str - __P((struct sockaddr *, struct sockaddr *, int, u_int32_t, int)); diff --git a/kame/kame/racoon/plog.c b/kame/kame/racoon/plog.c deleted file mode 100644 index d226c63129..0000000000 --- a/kame/kame/racoon/plog.c +++ /dev/null 
@@ -1,219 +0,0 @@ -/* $KAME: plog.c,v 1.23 2002/05/07 08:56:19 sakane Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include -#include - -#include -#include -#include -#include -#ifdef HAVE_STDARG_H -#include -#else -#include -#endif -#if TIME_WITH_SYS_TIME -# include -# include -#else -# if HAVE_SYS_TIME_H -# include -# else -# include -# endif -#endif -#include -#include - -#include "var.h" -#include "misc.h" -#include "plog.h" -#include "logger.h" -#include "debug.h" -#include "gcmalloc.h" - -char *pname = NULL; -u_int32_t loglevel = LLV_BASE; - -static struct log *logp = NULL; -static char *logfile = NULL; - -static char *plog_common __P((int, const char *, const char *)); - -static struct plogtags { - char *name; - int priority; -} ptab[] = { - { "(not defined)", 0, }, - { "INFO", LOG_INFO, }, - { "NOTIFY", LOG_INFO, }, - { "WARNING", LOG_INFO, }, - { "ERROR", LOG_INFO, }, - { "DEBUG", LOG_DEBUG, }, - { "DEBUG2", LOG_DEBUG, }, -}; - -static char * -plog_common(pri, fmt, func) - int pri; - const char *fmt, *func; -{ - static char buf[800]; /* XXX shoule be allocated every time ? */ - char *p; - int reslen, len; - - p = buf; - reslen = sizeof(buf); - - if (logfile || f_foreground) { - time_t t; - struct tm *tm; - - t = time(0); - tm = localtime(&t); - len = strftime(p, reslen, "%Y-%m-%d %T: ", tm); - p += len; - reslen -= len; - } - - if (pri < ARRAYLEN(ptab)) { - len = snprintf(p, reslen, "%s: ", ptab[pri].name); - if (len >= 0 && len < reslen) { - p += len; - reslen -= len; - } else - *p = '\0'; - } - - snprintf(p, reslen, "%s: %s", func, fmt); - - return buf; -} - -void -plog(int pri, const char *func, struct sockaddr *sa, const char *fmt, ...) 
-{ - va_list ap; - - va_start(ap, fmt); - plogv(pri, func, sa, fmt, ap); - va_end(ap); -} - -void -plogv(int pri, const char *func, struct sockaddr *sa, - const char *fmt, va_list ap) -{ - char *newfmt; - - if (pri > loglevel) - return; - - newfmt = plog_common(pri, fmt, func); - - if (f_foreground) - vprintf(newfmt, ap); - - if (logfile) - log_vaprint(logp, newfmt, ap); - else { - if (pri < ARRAYLEN(ptab)) - vsyslog(ptab[pri].priority, newfmt, ap); - else - vsyslog(LOG_ALERT, newfmt, ap); - } -} - -void -plogdump(pri, data, len) - int pri; - void *data; - size_t len; -{ - caddr_t buf; - size_t buflen; - int i, j; - - if (pri > loglevel) - return; - - /* - * 2 words a bytes + 1 space 4 bytes + 1 newline 32 bytes - * + 2 newline + '\0' - */ - buflen = (len * 2) + (len / 4) + (len / 32) + 3; - buf = racoon_malloc(buflen); - - i = 0; - j = 0; - while (j < len) { - if (j % 32 == 0) - buf[i++] = '\n'; - else - if (j % 4 == 0) - buf[i++] = ' '; - snprintf(&buf[i], buflen - i, "%02x", - ((unsigned char *)data)[j] & 0xff); - i += 2; - j++; - } - if (buflen - i >= 2) { - buf[i++] = '\n'; - buf[i] = '\0'; - } - plog(pri, LOCATION, NULL, "%s", buf); - - racoon_free(buf); -} - -void -ploginit() -{ - if (logfile) { - logp = log_open(250, logfile); - if (logp == NULL) - errx(1, "ERROR: failed to open log file %s.", logfile); - return; - } - - openlog(pname, LOG_NDELAY, LOG_DAEMON); -} - -void -plogset(file) - char *file; -{ - if (logfile != NULL) - racoon_free(logfile); - logfile = strdup(file); -} - diff --git a/kame/kame/racoon/plog.h b/kame/kame/racoon/plog.h deleted file mode 100644 index 1302bd4a8a..0000000000 --- a/kame/kame/racoon/plog.h +++ /dev/null 
@@ -1,68 +0,0 @@ -/* $KAME: plog.h,v 1.10 2002/05/07 08:56:19 sakane Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#define LC_DEFAULT_LOGF "/var/log/racoon.log" - -#ifdef HAVE_STDARG_H -#include -#else -#include -#endif -#include - -/* - * INFO: begin negotiation, SA establishment/deletion/expiration. - * NOTIFY: just notifiable. - * WARNING: not error strictly. - * ERROR: system call error. also invalid parameter/format. 
- * DEBUG1: debugging informatioin. - * DEBUG2: too more verbose. e.g. parsing config. - */ -#define LLV_INFO 1 -#define LLV_NOTIFY 2 -#define LLV_WARNING 3 -#define LLV_ERROR 4 -#define LLV_DEBUG 5 -#define LLV_DEBUG2 6 - -#define LLV_BASE 4 /* always logging less than this value. */ - -extern char *pname; -extern u_int32_t loglevel; -extern int f_foreground; - -struct sockaddr; -extern void plog __P((int, const char *, struct sockaddr *, const char *, ...)); -extern void plogv __P((int, const char *, struct sockaddr *, - const char *, va_list)); -extern void plogdump __P((int, void *, size_t)); -extern void ploginit __P((void)); -extern void plogset __P((char *)); diff --git a/kame/kame/racoon/policy.c b/kame/kame/racoon/policy.c deleted file mode 100644 index 8bb16a7dbb..0000000000 --- a/kame/kame/racoon/policy.c +++ /dev/null 
@@ -1,416 +0,0 @@ -/* $KAME: policy.c,v 1.46 2001/11/16 04:08:10 sakane Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include -#include -#include -#include - -#include -#include -#include - -#include -#include -#include -#include - -#include "var.h" -#include "misc.h" -#include "vmbuf.h" -#include "plog.h" -#include "sockmisc.h" -#include "debug.h" - -#include "policy.h" -#include "localconf.h" -#include "isakmp_var.h" -#include "isakmp.h" -#include "oakley.h" -#include "handler.h" -#include "strnames.h" -#include "gcmalloc.h" - -static TAILQ_HEAD(_sptree, secpolicy) sptree; - -/* perform exact match against security policy table. */ -struct secpolicy * -getsp(spidx) - struct policyindex *spidx; -{ - struct secpolicy *p; - - for (p = TAILQ_FIRST(&sptree); p; p = TAILQ_NEXT(p, chain)) { - if (!cmpspidxstrict(spidx, &p->spidx)) - return p; - } - - return NULL; -} - -/* - * perform non-exact match against security policy table, only if this is - * transport mode SA negotiation. for example, 0.0.0.0/0 -> 0.0.0.0/0 - * entry in policy.txt can be returned when we're negotiating transport - * mode SA. this is how the kernel works. 
- */ -#if 1 -struct secpolicy * -getsp_r(spidx) - struct policyindex *spidx; -{ - struct secpolicy *p; - - for (p = TAILQ_FIRST(&sptree); p; p = TAILQ_NEXT(p, chain)) { - if (!cmpspidxwild(spidx, &p->spidx)) - return p; - } - - return NULL; -} -#else -struct secpolicy * -getsp_r(spidx, iph2) - struct policyindex *spidx; - struct ph2handle *iph2; -{ - struct secpolicy *p; - u_int8_t prefixlen; - - plog(LLV_DEBUG, LOCATION, NULL, "checking for transport mode\n"); - - if (spidx->src.ss_family != spidx->dst.ss_family) { - plog(LLV_ERROR, LOCATION, NULL, - "address family mismatch, src:%d dst:%d\n", - spidx->src.ss_family, - spidx->dst.ss_family); - return NULL; - } - switch (spidx->src.ss_family) { - case AF_INET: - prefixlen = sizeof(struct in_addr) << 3; - break; -#ifdef INET6 - case AF_INET6: - prefixlen = sizeof(struct in6_addr) << 3; - break; -#endif - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid family: %d\n", spidx->src.ss_family); - return NULL; - } - - /* is it transport mode SA negotiation? 
*/ - plog(LLV_DEBUG, LOCATION, NULL, "src1: %s\n", - saddr2str(iph2->src)); - plog(LLV_DEBUG, LOCATION, NULL, "src2: %s\n", - saddr2str((struct sockaddr *)&spidx->src)); - if (cmpsaddrwop(iph2->src, (struct sockaddr *)&spidx->src) - || spidx->prefs != prefixlen) - return NULL; - - plog(LLV_DEBUG, LOCATION, NULL, "dst1: %s\n", - saddr2str(iph2->dst)); - plog(LLV_DEBUG, LOCATION, NULL, "dst2: %s\n", - saddr2str((struct sockaddr *)&spidx->dst)); - if (cmpsaddrwop(iph2->dst, (struct sockaddr *)&spidx->dst) - || spidx->prefd != prefixlen) - return NULL; - - plog(LLV_DEBUG, LOCATION, NULL, "looks to be transport mode\n"); - - for (p = TAILQ_FIRST(&sptree); p; p = TAILQ_NEXT(p, chain)) { - if (!cmpspidx_wild(spidx, &p->spidx)) - return p; - } - - return NULL; -} -#endif - -struct secpolicy * -getspbyspid(spid) - u_int32_t spid; -{ - struct secpolicy *p; - - for (p = TAILQ_FIRST(&sptree); p; p = TAILQ_NEXT(p, chain)) { - if (p->id == spid) - return p; - } - - return NULL; -} - -/* - * compare policyindex. - * a: subject b: db - * OUT: 0: equal - * 1: not equal - */ -int -cmpspidxstrict(a, b) - struct policyindex *a, *b; -{ - plog(LLV_DEBUG, LOCATION, NULL, "sub:%p: %s\n", a, spidx2str(a)); - plog(LLV_DEBUG, LOCATION, NULL, "db :%p: %s\n", b, spidx2str(b)); - - /* XXX don't check direction now, but it's to be checked carefully. */ - if (a->dir != b->dir - || a->prefs != b->prefs - || a->prefd != b->prefd - || a->ul_proto != b->ul_proto) - return 1; - - if (cmpsaddrstrict((struct sockaddr *)&a->src, - (struct sockaddr *)&b->src)) - return 1; - if (cmpsaddrstrict((struct sockaddr *)&a->dst, - (struct sockaddr *)&b->dst)) - return 1; - - return 0; -} - -/* - * compare policyindex, with wildcard address/protocol match. - * a: subject b: db, can contain wildcard things. 
- * OUT: 0: equal - * 1: not equal - */ -int -cmpspidxwild(a, b) - struct policyindex *a, *b; -{ - struct sockaddr_storage sa1, sa2; - - plog(LLV_DEBUG, LOCATION, NULL, "sub:%p: %s\n", a, spidx2str(a)); - plog(LLV_DEBUG, LOCATION, NULL, "db: %p: %s\n", b, spidx2str(b)); - - if (!(b->dir == IPSEC_DIR_ANY || a->dir == b->dir)) - return 1; - - if (!(a->ul_proto == IPSEC_ULPROTO_ANY || - b->ul_proto == IPSEC_ULPROTO_ANY || - a->ul_proto == b->ul_proto)) - return 1; - - if (a->src.ss_family != b->src.ss_family) - return 1; - if (a->dst.ss_family != b->dst.ss_family) - return 1; - - /* compare src address */ - if (sizeof(sa1) < a->src.ss_len || sizeof(sa2) < b->src.ss_len) { - plog(LLV_ERROR, LOCATION, NULL, - "unexpected error: " - "src.ss_len:%d dst.ss_len:%d\n", - a->src.ss_len, b->src.ss_len); - return 1; - } - mask_sockaddr((struct sockaddr *)&sa1, (struct sockaddr *)&a->src, - b->prefs); - mask_sockaddr((struct sockaddr *)&sa2, (struct sockaddr *)&b->src, - b->prefs); - plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n", - a, b->prefs, saddr2str((struct sockaddr *)&sa1)); - plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n", - b, b->prefs, saddr2str((struct sockaddr *)&sa2)); - if (cmpsaddrwild((struct sockaddr *)&sa1, (struct sockaddr *)&sa2)) - return 1; - - /* compare dst address */ - if (sizeof(sa1) < a->dst.ss_len || sizeof(sa2) < b->dst.ss_len) { - plog(LLV_ERROR, LOCATION, NULL, "unexpected error\n"); - exit(1); - } - mask_sockaddr((struct sockaddr *)&sa1, (struct sockaddr *)&a->dst, - b->prefd); - mask_sockaddr((struct sockaddr *)&sa2, (struct sockaddr *)&b->dst, - b->prefd); - plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n", - a, b->prefd, saddr2str((struct sockaddr *)&sa1)); - plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n", - b, b->prefd, saddr2str((struct sockaddr *)&sa2)); - if (cmpsaddrwild((struct sockaddr *)&sa1, (struct sockaddr *)&sa2)) - return 1; - - return 0; -} - -struct secpolicy * -newsp() -{ - struct 
secpolicy *new; - - new = racoon_calloc(1, sizeof(*new)); - if (new == NULL) - return NULL; - - return new; -} - -void -delsp(sp) - struct secpolicy *sp; -{ - struct ipsecrequest *req = NULL, *next; - - for (req = sp->req; req; req = next) { - next = req->next; - racoon_free(req); - } - - racoon_free(sp); -} - -void -delsp_bothdir(spidx0) - struct policyindex *spidx0; -{ - struct policyindex spidx; - struct secpolicy *sp; - struct sockaddr_storage addr; - u_int8_t pref; - - memcpy(&spidx, spidx0, sizeof(spidx)); - - sp = getsp(&spidx); - if (sp) { - remsp(sp); - delsp(sp); - } - - spidx.dir = spidx.dir == IPSEC_DIR_OUTBOUND - ? IPSEC_DIR_INBOUND - : IPSEC_DIR_OUTBOUND ; - addr = spidx.src; - spidx.src = spidx.dst; - spidx.dst = addr; - pref = spidx.prefs; - spidx.prefs = spidx.prefd; - spidx.prefd = pref; - - sp = getsp(&spidx); - if (sp) { - remsp(sp); - delsp(sp); - } -} - -void -inssp(new) - struct secpolicy *new; -{ - TAILQ_INSERT_TAIL(&sptree, new, chain); -} - -void -remsp(sp) - struct secpolicy *sp; -{ - TAILQ_REMOVE(&sptree, sp, chain); -} - -void -flushsp() -{ - struct secpolicy *p, *next; - - for (p = TAILQ_FIRST(&sptree); p; p = next) { - next = TAILQ_NEXT(p, chain); - remsp(p); - delsp(p); - } -} - -void -initsp() -{ - TAILQ_INIT(&sptree); -} - -struct ipsecrequest * -newipsecreq() -{ - struct ipsecrequest *new; - - new = racoon_calloc(1, sizeof(*new)); - if (new == NULL) - return NULL; - - return new; -} - -const char * -spidx2str(spidx) - const struct policyindex *spidx; -{ - /* addr/pref[port] addr/pref[port] ul dir act */ - static char buf[256]; - char *p, *a, *b; - int blen, i; - - blen = sizeof(buf) - 1; - p = buf; - - a = saddr2str((const struct sockaddr *)&spidx->src); - for (b = a; *b != '\0'; b++) - if (*b == '[') { - *b = '\0'; - b++; - break; - } - i = snprintf(p, blen, "%s/%d[%s ", a, spidx->prefs, b); - if (i < 0 || i >= blen) - return NULL; - p += i; - blen -= i; - - a = saddr2str((const struct sockaddr *)&spidx->dst); - for (b = a; *b != 
'\0'; b++) - if (*b == '[') { - *b = '\0'; - b++; - break; - } - i = snprintf(p, blen, "%s/%d[%s ", a, spidx->prefd, b); - if (i < 0 || i >= blen) - return NULL; - p += i; - blen -= i; - - snprintf(p, blen, "proto=%s dir=%s", - s_proto(spidx->ul_proto), s_direction(spidx->dir)); - - return buf; -} diff --git a/kame/kame/racoon/policy.h b/kame/kame/racoon/policy.h deleted file mode 100644 index e43ded073a..0000000000 --- a/kame/kame/racoon/policy.h +++ /dev/null 
@@ -1,115 +0,0 @@
-/* $KAME: policy.h,v 1.18 2001/10/02 04:10:17 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include
-
-/* refs. ipsec.h */
-/*
- * Security Policy Index
- * NOTE: Ensure to be same address family and upper layer protocol.
- * NOTE: ul_proto, port number, uid, gid:
- * ANY: reserved for waldcard.
- * 0 to (~0 - 1): is one of the number of each value.
- */
-struct policyindex {
- u_int8_t dir; /* direction of packet flow, see blow */
- struct sockaddr_storage src; /* IP src address for SP */
- struct sockaddr_storage dst; /* IP dst address for SP */
- u_int8_t prefs; /* prefix length in bits for src */
- u_int8_t prefd; /* prefix length in bits for dst */
- u_int16_t ul_proto; /* upper layer Protocol */
-};
-
-/* Security Policy Data Base */
-struct secpolicy {
- TAILQ_ENTRY(secpolicy) chain;
-
- struct policyindex spidx; /* selector */
- u_int32_t id; /* It's unique number on the system. */
-
- u_int policy; /* DISCARD, NONE or IPSEC, see keyv2.h */
- struct ipsecrequest *req;
- /* pointer to the ipsec request tree, */
- /* if policy == IPSEC else this value == NULL.*/
-};
-
-/* Security Assocciation Index */
-/* NOTE: Ensure to be same address family */
-struct secasindex {
- struct sockaddr_storage src; /* srouce address for SA */
- struct sockaddr_storage dst; /* destination address for SA */
- u_int16_t proto; /* IPPROTO_ESP or IPPROTO_AH */
- u_int8_t mode; /* mode of protocol, see ipsec.h */
- u_int32_t reqid; /* reqid id who owned this SA */
- /* see IPSEC_MANUAL_REQID_MAX. */
-};
-
-/* Request for IPsec */
-struct ipsecrequest {
- struct ipsecrequest *next;
- /* pointer to next structure */
- /* If NULL, it means the end of chain. */
-
- struct secasindex saidx;/* hint for search proper SA */
- /* if __ss_len == 0 then no address specified.*/
- u_int level; /* IPsec level defined below. */
-
- struct secpolicy *sp; /* back pointer to SP */
-};
-
-#define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, idx) \
-do { \
- bzero((idx), sizeof(struct policyindex)); \
- (idx)->dir = (_dir); \
- (idx)->prefs = (ps); \
- (idx)->prefd = (pd); \
- (idx)->ul_proto = (ulp); \
- memcpy(&(idx)->src, (s), ((struct sockaddr *)(s))->sa_len); \
- memcpy(&(idx)->dst, (d), ((struct sockaddr *)(d))->sa_len); \
-} while (0)
-
-struct ph2handle;
-struct policyindex;
-extern struct secpolicy *getsp __P((struct policyindex *));
-extern struct secpolicy *getsp_r __P((struct policyindex *));
-struct secpolicy *getspbyspid __P((u_int32_t));
-extern int cmpspidxstrict __P((struct policyindex *, struct policyindex *));
-extern int cmpspidxwild __P((struct policyindex *, struct policyindex *));
-extern struct secpolicy *newsp __P((void));
-extern void delsp __P((struct secpolicy *));
-extern void delsp_bothdir __P((struct policyindex *));
-extern void inssp __P((struct secpolicy *));
-extern void remsp __P((struct secpolicy *));
-extern void flushsp __P((void));
-extern void initsp __P((void));
-extern struct ipsecrequest *newipsecreq __P((void));
-
-extern const char *spidx2str __P((const struct policyindex *));
diff --git a/kame/kame/racoon/print-isakmp.c b/kame/kame/racoon/print-isakmp.c
deleted file mode 100644
index 377496e238..0000000000
--- a/kame/kame/racoon/print-isakmp.c
+++ /dev/null
@@ -1,1392 +0,0 @@
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * - */ - -#define _U_ __attribute__((unused)) -#ifdef __FreeBSD__ -#define IP_V(x) IP_VHL_V(x) -#else -#define IP_V(x) (x)->ip_v -#endif - -#ifndef lint -static const char rcsid[] _U_ = - "@(#) $Header: /usr/home/sumikawa/kame/kame/kame/kame/racoon/Attic/print-isakmp.c,v 1.1 2004/04/12 08:52:29 itojun Exp $ (LBL)"; -#endif - -#ifdef HAVE_CONFIG_H -#include "config.h" -#endif - -#include -#include -#include - -#include - -#include -#include - -#include "tcpdump/isakmp.h" -#include "tcpdump/ipsec_doi.h" -#include "tcpdump/oakley.h" -#include "tcpdump/interface.h" -#include "tcpdump/addrtoname.h" -#include "tcpdump/extract.h" /* must come after interface.h */ - -#include -#include -#include -#ifdef INET6 -#include -#endif - -#ifndef HAVE_SOCKADDR_STORAGE -#define sockaddr_storage sockaddr -#endif - -static const u_char *isakmp_sa_print(const struct isakmp_gen *, - u_int, const u_char *, u_int32_t, u_int32_t, u_int32_t, int); -static const u_char *isakmp_p_print(const struct isakmp_gen *, - u_int, const u_char *, u_int32_t, u_int32_t, u_int32_t, int); -static const u_char *isakmp_t_print(const struct isakmp_gen *, - u_int, const u_char *, u_int32_t, u_int32_t, u_int32_t, int); -static const u_char *isakmp_ke_print(const struct isakmp_gen *, - u_int, const u_char *, u_int32_t, u_int32_t, u_int32_t, int); -static const u_char *isakmp_id_print(const struct isakmp_gen *, - u_int, const u_char *, u_int32_t, u_int32_t, u_int32_t, int); -static const u_char *isakmp_cert_print(const struct isakmp_gen *, - u_int, const u_char *, u_int32_t, u_int32_t, u_int32_t, int); -static const u_char *isakmp_cr_print(const struct isakmp_gen *, - u_int, const u_char *, u_int32_t, u_int32_t, u_int32_t, int); -static const u_char *isakmp_sig_print(const struct isakmp_gen *, - u_int, const u_char *, u_int32_t, u_int32_t, u_int32_t, int); -static const u_char *isakmp_hash_print(const struct isakmp_gen *, - u_int, const u_char *, u_int32_t, u_int32_t, u_int32_t, int); -static const u_char 
*isakmp_nonce_print(const struct isakmp_gen *, - u_int, const u_char *, u_int32_t, u_int32_t, u_int32_t, int); -static const u_char *isakmp_n_print(const struct isakmp_gen *, - u_int, const u_char *, u_int32_t, u_int32_t, u_int32_t, int); -static const u_char *isakmp_d_print(const struct isakmp_gen *, - u_int, const u_char *, u_int32_t, u_int32_t, u_int32_t, int); -static const u_char *isakmp_vid_print(const struct isakmp_gen *, - u_int, const u_char *, u_int32_t, u_int32_t, u_int32_t, int); -static const u_char *isakmp_sub0_print(u_char, const struct isakmp_gen *, - const u_char *, u_int32_t, u_int32_t, u_int32_t, int); -static const u_char *isakmp_sub_print(u_char, const struct isakmp_gen *, - const u_char *, u_int32_t, u_int32_t, u_int32_t, int); -static char *numstr(int); -static void safememcpy(void *, const void *, size_t); - -#define MAXINITIATORS 20 -int ninitiator = 0; -struct { - cookie_t initiator; - struct sockaddr_storage iaddr; - struct sockaddr_storage raddr; -} cookiecache[MAXINITIATORS]; - -/* protocol id */ -static const char *protoidstr[] = { - NULL, "isakmp", "ipsec-ah", "ipsec-esp", "ipcomp", -}; - -/* isakmp->np */ -static const char *npstr[] = { - "none", "sa", "p", "t", "ke", "id", "cert", "cr", "hash", - "sig", "nonce", "n", "d", "vid" -}; - -/* isakmp->np */ -static const u_char *(*npfunc[])(const struct isakmp_gen *, u_int, - const u_char *, u_int32_t, u_int32_t, u_int32_t, int) = { - NULL, - isakmp_sa_print, - isakmp_p_print, - isakmp_t_print, - isakmp_ke_print, - isakmp_id_print, - isakmp_cert_print, - isakmp_cr_print, - isakmp_hash_print, - isakmp_sig_print, - isakmp_nonce_print, - isakmp_n_print, - isakmp_d_print, - isakmp_vid_print, -}; - -/* isakmp->etype */ -static const char *etypestr[] = { - "none", "base", "ident", "auth", "agg", "inf", NULL, NULL, - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, - "oakley-quick", 
"oakley-newgroup", -}; - -#define STR_OR_ID(x, tab) \ - (((x) < sizeof(tab)/sizeof(tab[0]) && tab[(x)]) ? tab[(x)] : numstr(x)) -#define PROTOIDSTR(x) STR_OR_ID(x, protoidstr) -#define NPSTR(x) STR_OR_ID(x, npstr) -#define ETYPESTR(x) STR_OR_ID(x, etypestr) - -#define NPFUNC(x) \ - (((x) < sizeof(npfunc)/sizeof(npfunc[0]) && npfunc[(x)]) \ - ? npfunc[(x)] : NULL) - -static int -iszero(u_char *p, size_t l) -{ - while (l--) { - if (*p++) - return 0; - } - return 1; -} - -/* find cookie from initiator cache */ -static int -cookie_find(cookie_t *in) -{ - int i; - - for (i = 0; i < MAXINITIATORS; i++) { - if (memcmp(in, &cookiecache[i].initiator, sizeof(*in)) == 0) - return i; - } - - return -1; -} - -/* record initiator */ -static void -cookie_record(cookie_t *in, const u_char *bp2) -{ - int i; - struct ip *ip; - struct sockaddr_in *sin; -#ifdef INET6 - struct ip6_hdr *ip6; - struct sockaddr_in6 *sin6; -#endif - - i = cookie_find(in); - if (0 <= i) { - ninitiator = (i + 1) % MAXINITIATORS; - return; - } - - ip = (struct ip *)bp2; - switch (IP_V(ip)) { - case 4: - memset(&cookiecache[ninitiator].iaddr, 0, - sizeof(cookiecache[ninitiator].iaddr)); - memset(&cookiecache[ninitiator].raddr, 0, - sizeof(cookiecache[ninitiator].raddr)); - - sin = (struct sockaddr_in *)&cookiecache[ninitiator].iaddr; -#ifdef HAVE_SOCKADDR_SA_LEN - sin->sin_len = sizeof(struct sockaddr_in); -#endif - sin->sin_family = AF_INET; - memcpy(&sin->sin_addr, &ip->ip_src, sizeof(ip->ip_src)); - sin = (struct sockaddr_in *)&cookiecache[ninitiator].raddr; -#ifdef HAVE_SOCKADDR_SA_LEN - sin->sin_len = sizeof(struct sockaddr_in); -#endif - sin->sin_family = AF_INET; - memcpy(&sin->sin_addr, &ip->ip_dst, sizeof(ip->ip_dst)); - break; -#ifdef INET6 - case 6: - memset(&cookiecache[ninitiator].iaddr, 0, - sizeof(cookiecache[ninitiator].iaddr)); - memset(&cookiecache[ninitiator].raddr, 0, - sizeof(cookiecache[ninitiator].raddr)); - - ip6 = (struct ip6_hdr *)bp2; - sin6 = (struct sockaddr_in6 
*)&cookiecache[ninitiator].iaddr; -#ifdef HAVE_SOCKADDR_SA_LEN - sin6->sin6_len = sizeof(struct sockaddr_in6); -#endif - sin6->sin6_family = AF_INET6; - memcpy(&sin6->sin6_addr, &ip6->ip6_src, sizeof(ip6->ip6_src)); - sin6 = (struct sockaddr_in6 *)&cookiecache[ninitiator].raddr; -#ifdef HAVE_SOCKADDR_SA_LEN - sin6->sin6_len = sizeof(struct sockaddr_in6); -#endif - sin6->sin6_family = AF_INET6; - memcpy(&sin6->sin6_addr, &ip6->ip6_dst, sizeof(ip6->ip6_dst)); - break; -#endif - default: - return; - } - memcpy(&cookiecache[ninitiator].initiator, in, sizeof(*in)); - ninitiator = (ninitiator + 1) % MAXINITIATORS; -} - -#define cookie_isinitiator(x, y) cookie_sidecheck((x), (y), 1) -#define cookie_isresponder(x, y) cookie_sidecheck((x), (y), 0) -static int -cookie_sidecheck(int i, const u_char *bp2, int initiator) -{ - struct sockaddr_storage ss; - struct sockaddr *sa; - struct ip *ip; - struct sockaddr_in *sin; -#ifdef INET6 - struct ip6_hdr *ip6; - struct sockaddr_in6 *sin6; -#endif - int salen; - - memset(&ss, 0, sizeof(ss)); - ip = (struct ip *)bp2; - switch (IP_V(ip)) { - case 4: - sin = (struct sockaddr_in *)&ss; -#ifdef HAVE_SOCKADDR_SA_LEN - sin->sin_len = sizeof(struct sockaddr_in); -#endif - sin->sin_family = AF_INET; - memcpy(&sin->sin_addr, &ip->ip_src, sizeof(ip->ip_src)); - break; -#ifdef INET6 - case 6: - ip6 = (struct ip6_hdr *)bp2; - sin6 = (struct sockaddr_in6 *)&ss; -#ifdef HAVE_SOCKADDR_SA_LEN - sin6->sin6_len = sizeof(struct sockaddr_in6); -#endif - sin6->sin6_family = AF_INET6; - memcpy(&sin6->sin6_addr, &ip6->ip6_src, sizeof(ip6->ip6_src)); - break; -#endif - default: - return 0; - } - - sa = (struct sockaddr *)&ss; - if (initiator) { - if (sa->sa_family != ((struct sockaddr *)&cookiecache[i].iaddr)->sa_family) - return 0; -#ifdef HAVE_SOCKADDR_SA_LEN - salen = sa->sa_len; -#else -#ifdef INET6 - if (sa->sa_family == AF_INET6) - salen = sizeof(struct sockaddr_in6); - else - salen = sizeof(struct sockaddr); -#else - salen = sizeof(struct sockaddr); 
-#endif -#endif - if (memcmp(&ss, &cookiecache[i].iaddr, salen) == 0) - return 1; - } else { - if (sa->sa_family != ((struct sockaddr *)&cookiecache[i].raddr)->sa_family) - return 0; -#ifdef HAVE_SOCKADDR_SA_LEN - salen = sa->sa_len; -#else -#ifdef INET6 - if (sa->sa_family == AF_INET6) - salen = sizeof(struct sockaddr_in6); - else - salen = sizeof(struct sockaddr); -#else - salen = sizeof(struct sockaddr); -#endif -#endif - if (memcmp(&ss, &cookiecache[i].raddr, salen) == 0) - return 1; - } - return 0; -} - -static int -rawprint(caddr_t loc, size_t len) -{ - static u_char *p; - size_t i; - - TCHECK2(*loc, len); - - p = (u_char *)loc; - for (i = 0; i < len; i++) - printf("%02x", p[i] & 0xff); - return 1; -trunc: - return 0; -} - -struct attrmap { - const char *type; - u_int nvalue; - const char *value[30]; /*XXX*/ -}; - -static const u_char * -isakmp_attrmap_print(const u_char *p, const u_char *ep, - const struct attrmap *map, size_t nmap) -{ - u_int16_t *q; - int totlen; - u_int32_t t, v; - - q = (u_int16_t *)p; - if (p[0] & 0x80) - totlen = 4; - else - totlen = 4 + EXTRACT_16BITS(&q[1]); - if (ep < p + totlen) { - printf("[|attr]"); - return ep + 1; - } - - printf("("); - t = EXTRACT_16BITS(&q[0]) & 0x7fff; - if (map && t < nmap && map[t].type) - printf("type=%s ", map[t].type); - else - printf("type=#%d ", t); - if (p[0] & 0x80) { - printf("value="); - v = EXTRACT_16BITS(&q[1]); - if (map && t < nmap && v < map[t].nvalue && map[t].value[v]) - printf("%s", map[t].value[v]); - else - rawprint((caddr_t)&q[1], 2); - } else { - printf("len=%d value=", EXTRACT_16BITS(&q[1])); - rawprint((caddr_t)&p[4], EXTRACT_16BITS(&q[1])); - } - printf(")"); - return p + totlen; -} - -static const u_char * -isakmp_attr_print(const u_char *p, const u_char *ep) -{ - u_int16_t *q; - int totlen; - u_int32_t t; - - q = (u_int16_t *)p; - if (p[0] & 0x80) - totlen = 4; - else - totlen = 4 + EXTRACT_16BITS(&q[1]); - if (ep < p + totlen) { - printf("[|attr]"); - return ep + 1; - } - - 
printf("("); - t = EXTRACT_16BITS(&q[0]) & 0x7fff; - printf("type=#%d ", t); - if (p[0] & 0x80) { - printf("value="); - t = q[1]; - rawprint((caddr_t)&q[1], 2); - } else { - printf("len=%d value=", EXTRACT_16BITS(&q[1])); - rawprint((caddr_t)&p[2], EXTRACT_16BITS(&q[1])); - } - printf(")"); - return p + totlen; -} - -static const u_char * -isakmp_sa_print(const struct isakmp_gen *ext, u_int item_len, - const u_char *ep, u_int32_t phase, u_int32_t doi0 _U_, - u_int32_t proto0, int depth) -{ - const struct isakmp_pl_sa *p; - struct isakmp_pl_sa sa; - const u_int32_t *q; - u_int32_t doi, sit, ident; - const u_char *cp, *np; - int t; - - printf("%s:", NPSTR(ISAKMP_NPTYPE_SA)); - - p = (struct isakmp_pl_sa *)ext; - TCHECK(*p); - safememcpy(&sa, ext, sizeof(sa)); - doi = ntohl(sa.doi); - sit = ntohl(sa.sit); - if (doi != 1) { - printf(" doi=%d", doi); - printf(" situation=%u", (u_int32_t)ntohl(sa.sit)); - return (u_char *)(p + 1); - } - - printf(" doi=ipsec"); - q = (u_int32_t *)&sa.sit; - printf(" situation="); - t = 0; - if (sit & 0x01) { - printf("identity"); - t++; - } - if (sit & 0x02) { - printf("%ssecrecy", t ? "+" : ""); - t++; - } - if (sit & 0x04) - printf("%sintegrity", t ? 
"+" : ""); - - np = (u_char *)ext + sizeof(sa); - if (sit != 0x01) { - TCHECK2(*(ext + 1), sizeof(ident)); - safememcpy(&ident, ext + 1, sizeof(ident)); - printf(" ident=%u", (u_int32_t)ntohl(ident)); - np += sizeof(ident); - } - - ext = (struct isakmp_gen *)np; - TCHECK(*ext); - - cp = isakmp_sub_print(ISAKMP_NPTYPE_P, ext, ep, phase, doi, proto0, - depth); - - return cp; -trunc: - printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_SA)); - return NULL; -} - -static const u_char * -isakmp_p_print(const struct isakmp_gen *ext, u_int item_len, - const u_char *ep, u_int32_t phase, u_int32_t doi0, - u_int32_t proto0 _U_, int depth) -{ - const struct isakmp_pl_p *p; - struct isakmp_pl_p prop; - const u_char *cp; - - printf("%s:", NPSTR(ISAKMP_NPTYPE_P)); - - p = (struct isakmp_pl_p *)ext; - TCHECK(*p); - safememcpy(&prop, ext, sizeof(prop)); - printf(" #%d protoid=%s transform=%d", - prop.p_no, PROTOIDSTR(prop.prot_id), prop.num_t); - if (prop.spi_size) { - printf(" spi="); - if (!rawprint((caddr_t)(p + 1), prop.spi_size)) - goto trunc; - } - - ext = (struct isakmp_gen *)((u_char *)(p + 1) + prop.spi_size); - TCHECK(*ext); - - cp = isakmp_sub_print(ISAKMP_NPTYPE_T, ext, ep, phase, doi0, - prop.prot_id, depth); - - return cp; -trunc: - printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_P)); - return NULL; -} - -static const char *isakmp_p_map[] = { - NULL, "ike", -}; - -static const char *ah_p_map[] = { - NULL, "(reserved)", "md5", "sha", "1des", - "sha2-256", "sha2-384", "sha2-512", -}; - -static const char *esp_p_map[] = { - NULL, "1des-iv64", "1des", "3des", "rc5", "idea", "cast", - "blowfish", "3idea", "1des-iv32", "rc4", "null", "aes" -}; - -static const char *ipcomp_p_map[] = { - NULL, "oui", "deflate", "lzs", -}; - -const struct attrmap ipsec_t_map[] = { - { NULL, 0, { NULL } }, - { "lifetype", 3, { NULL, "sec", "kb", }, }, - { "life", 0, { NULL } }, - { "group desc", 5, { NULL, "modp768", "modp1024", "EC2N 2^155", - "EC2N 2^185", }, }, - { "enc mode", 3, { NULL, "tunnel", "transport", }, }, 
- { "auth", 5, { NULL, "hmac-md5", "hmac-sha1", "1des-mac", "keyed", }, }, - { "keylen", 0, { NULL } }, - { "rounds", 0, { NULL } }, - { "dictsize", 0, { NULL } }, - { "privalg", 0, { NULL } }, -}; - -const struct attrmap oakley_t_map[] = { - { NULL, 0, { NULL } }, - { "enc", 8, { NULL, "1des", "idea", "blowfish", "rc5", - "3des", "cast", "aes", }, }, - { "hash", 7, { NULL, "md5", "sha1", "tiger", - "sha2-256", "sha2-384", "sha2-512", }, }, - { "auth", 6, { NULL, "preshared", "dss", "rsa sig", "rsa enc", - "rsa enc revised", }, }, - { "group desc", 5, { NULL, "modp768", "modp1024", "EC2N 2^155", - "EC2N 2^185", }, }, - { "group type", 4, { NULL, "MODP", "ECP", "EC2N", }, }, - { "group prime", 0, { NULL } }, - { "group gen1", 0, { NULL } }, - { "group gen2", 0, { NULL } }, - { "group curve A", 0, { NULL } }, - { "group curve B", 0, { NULL } }, - { "lifetype", 3, { NULL, "sec", "kb", }, }, - { "lifeduration", 0, { NULL } }, - { "prf", 0, { NULL } }, - { "keylen", 0, { NULL } }, - { "field", 0, { NULL } }, - { "order", 0, { NULL } }, -}; - -static const u_char * -isakmp_t_print(const struct isakmp_gen *ext, u_int item_len, - const u_char *ep, u_int32_t phase _U_, u_int32_t doi _U_, - u_int32_t proto, int depth _U_) -{ - const struct isakmp_pl_t *p; - struct isakmp_pl_t t; - const u_char *cp; - const char *idstr; - const struct attrmap *map; - size_t nmap; - const u_char *ep2; - - printf("%s:", NPSTR(ISAKMP_NPTYPE_T)); - - p = (struct isakmp_pl_t *)ext; - TCHECK(*p); - safememcpy(&t, ext, sizeof(t)); - - switch (proto) { - case 1: - idstr = STR_OR_ID(t.t_id, isakmp_p_map); - map = oakley_t_map; - nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]); - break; - case 2: - idstr = STR_OR_ID(t.t_id, ah_p_map); - map = ipsec_t_map; - nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]); - break; - case 3: - idstr = STR_OR_ID(t.t_id, esp_p_map); - map = ipsec_t_map; - nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]); - break; - case 4: - idstr = STR_OR_ID(t.t_id, ipcomp_p_map); 
- map = ipsec_t_map; - nmap = sizeof(ipsec_t_map)/sizeof(ipsec_t_map[0]); - break; - default: - idstr = NULL; - map = NULL; - nmap = 0; - break; - } - - if (idstr) - printf(" #%d id=%s ", t.t_no, idstr); - else - printf(" #%d id=%d ", t.t_no, t.t_id); - cp = (u_char *)(p + 1); - ep2 = (u_char *)p + item_len; - while (cp < ep && cp < ep2) { - if (map && nmap) { - cp = isakmp_attrmap_print(cp, (ep < ep2) ? ep : ep2, - map, nmap); - } else - cp = isakmp_attr_print(cp, (ep < ep2) ? ep : ep2); - } - if (ep < ep2) - printf("..."); - return cp; -trunc: - printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_T)); - return NULL; -} - -static const u_char * -isakmp_ke_print(const struct isakmp_gen *ext, u_int item_len, - const u_char *ep, u_int32_t phase _U_, u_int32_t doi _U_, - u_int32_t proto _U_, int depth _U_) -{ - struct isakmp_gen e; - - printf("%s:", NPSTR(ISAKMP_NPTYPE_KE)); - - TCHECK(*ext); - safememcpy(&e, ext, sizeof(e)); - printf(" key len=%d", ntohs(e.len) - 4); - if (2 < vflag && 4 < ntohs(e.len)) { - printf(" "); - if (!rawprint((caddr_t)(ext + 1), ntohs(e.len) - 4)) - goto trunc; - } - return (u_char *)ext + ntohs(e.len); -trunc: - printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_KE)); - return NULL; -} - -static const u_char * -isakmp_id_print(const struct isakmp_gen *ext, u_int item_len, - const u_char *ep, u_int32_t phase, u_int32_t doi _U_, - u_int32_t proto _U_, int depth _U_) -{ -#define USE_IPSECDOI_IN_PHASE1 1 - const struct isakmp_pl_id *p; - struct isakmp_pl_id id; - static const char *idtypestr[] = { - "IPv4", "IPv4net", "IPv6", "IPv6net", - }; - static const char *ipsecidtypestr[] = { - NULL, "IPv4", "FQDN", "user FQDN", "IPv4net", "IPv6", - "IPv6net", "IPv4range", "IPv6range", "ASN1 DN", "ASN1 GN", - "keyid", - }; - int len; - const u_char *data; - - printf("%s:", NPSTR(ISAKMP_NPTYPE_ID)); - - p = (struct isakmp_pl_id *)ext; - TCHECK(*p); - safememcpy(&id, ext, sizeof(id)); - if (sizeof(*p) < item_len) { - data = (u_char *)(p + 1); - len = item_len - sizeof(*p); - } else { 
- data = NULL; - len = 0; - } - -#if 0 /*debug*/ - printf(" [phase=%d doi=%d proto=%d]", phase, doi, proto); -#endif - switch (phase) { -#ifndef USE_IPSECDOI_IN_PHASE1 - case 1: -#endif - default: - printf(" idtype=%s", STR_OR_ID(id.d.id_type, idtypestr)); - printf(" doi_data=%u", - (u_int32_t)(ntohl(id.d.doi_data) & 0xffffff)); - break; - -#ifdef USE_IPSECDOI_IN_PHASE1 - case 1: -#endif - case 2: - { - const struct ipsecdoi_id *p; - struct ipsecdoi_id id; - struct protoent *pe; - - p = (struct ipsecdoi_id *)ext; - TCHECK(*p); - safememcpy(&id, ext, sizeof(id)); - printf(" idtype=%s", STR_OR_ID(id.type, ipsecidtypestr)); - if (id.proto_id) { -#ifndef WIN32 - setprotoent(1); -#endif /* WIN32 */ - pe = getprotobynumber(id.proto_id); - if (pe) - printf(" protoid=%s", pe->p_name); -#ifndef WIN32 - endprotoent(); -#endif /* WIN32 */ - } else { - /* it DOES NOT mean IPPROTO_IP! */ - printf(" protoid=%s", "0"); - } - printf(" port=%d", ntohs(id.port)); - if (!len) - break; - if (data == NULL) - goto trunc; - TCHECK2(*data, len); - switch (id.type) { - case IPSECDOI_ID_IPV4_ADDR: - if (len < 4) - printf(" len=%d [bad: < 4]", len); - else - printf(" len=%d %s", len, ipaddr_string(data)); - len = 0; - break; - case IPSECDOI_ID_FQDN: - case IPSECDOI_ID_USER_FQDN: - { - int i; - printf(" len=%d ", len); - for (i = 0; i < len; i++) - safeputchar(data[i]); - len = 0; - break; - } - case IPSECDOI_ID_IPV4_ADDR_SUBNET: - { - const u_char *mask; - if (len < 8) - printf(" len=%d [bad: < 8]", len); - else { - mask = data + sizeof(struct in_addr); - printf(" len=%d %s/%u.%u.%u.%u", len, - ipaddr_string(data), - mask[0], mask[1], mask[2], mask[3]); - } - len = 0; - break; - } -#ifdef INET6 - case IPSECDOI_ID_IPV6_ADDR: - if (len < 16) - printf(" len=%d [bad: < 16]", len); - else - printf(" len=%d %s", len, ip6addr_string(data)); - len = 0; - break; - case IPSECDOI_ID_IPV6_ADDR_SUBNET: - { - const u_int32_t *mask; - if (len < 20) - printf(" len=%d [bad: < 20]", len); - else { - mask = 
(u_int32_t *)(data + sizeof(struct in6_addr)); - /*XXX*/ - printf(" len=%d %s/0x%08x%08x%08x%08x", len, - ip6addr_string(data), - mask[0], mask[1], mask[2], mask[3]); - } - len = 0; - break; - } -#endif /*INET6*/ - case IPSECDOI_ID_IPV4_ADDR_RANGE: - if (len < 8) - printf(" len=%d [bad: < 8]", len); - else { - printf(" len=%d %s-%s", len, - ipaddr_string(data), - ipaddr_string(data + sizeof(struct in_addr))); - } - len = 0; - break; -#ifdef INET6 - case IPSECDOI_ID_IPV6_ADDR_RANGE: - if (len < 32) - printf(" len=%d [bad: < 32]", len); - else { - printf(" len=%d %s-%s", len, - ip6addr_string(data), - ip6addr_string(data + sizeof(struct in6_addr))); - } - len = 0; - break; -#endif /*INET6*/ - case IPSECDOI_ID_DER_ASN1_DN: - case IPSECDOI_ID_DER_ASN1_GN: - case IPSECDOI_ID_KEY_ID: - break; - } - break; - } - } - if (data && len) { - printf(" len=%d", len); - if (2 < vflag) { - printf(" "); - if (!rawprint((caddr_t)data, len)) - goto trunc; - } - } - return (u_char *)ext + item_len; -trunc: - printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_ID)); - return NULL; -} - -static const u_char * -isakmp_cert_print(const struct isakmp_gen *ext, u_int item_len, - const u_char *ep, u_int32_t phase _U_, u_int32_t doi0 _U_, - u_int32_t proto0 _U_, int depth _U_) -{ - const struct isakmp_pl_cert *p; - struct isakmp_pl_cert cert; - static const char *certstr[] = { - "none", "pkcs7", "pgp", "dns", - "x509sign", "x509ke", "kerberos", "crl", - "arl", "spki", "x509attr", - }; - - printf("%s:", NPSTR(ISAKMP_NPTYPE_CERT)); - - p = (struct isakmp_pl_cert *)ext; - TCHECK(*p); - safememcpy(&cert, ext, sizeof(cert)); - printf(" len=%d", item_len - 4); - printf(" type=%s", STR_OR_ID((cert.encode), certstr)); - if (2 < vflag && 4 < item_len) { - printf(" "); - if (!rawprint((caddr_t)(ext + 1), item_len - 4)) - goto trunc; - } - return (u_char *)ext + item_len; -trunc: - printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_CERT)); - return NULL; -} - -static const u_char * -isakmp_cr_print(const struct isakmp_gen *ext, 
u_int item_len, - const u_char *ep, u_int32_t phase _U_, u_int32_t doi0 _U_, - u_int32_t proto0 _U_, int depth _U_) -{ - const struct isakmp_pl_cert *p; - struct isakmp_pl_cert cert; - static const char *certstr[] = { - "none", "pkcs7", "pgp", "dns", - "x509sign", "x509ke", "kerberos", "crl", - "arl", "spki", "x509attr", - }; - - printf("%s:", NPSTR(ISAKMP_NPTYPE_CR)); - - p = (struct isakmp_pl_cert *)ext; - TCHECK(*p); - safememcpy(&cert, ext, sizeof(cert)); - printf(" len=%d", item_len - 4); - printf(" type=%s", STR_OR_ID((cert.encode), certstr)); - if (2 < vflag && 4 < item_len) { - printf(" "); - if (!rawprint((caddr_t)(ext + 1), item_len - 4)) - goto trunc; - } - return (u_char *)ext + item_len; -trunc: - printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_CR)); - return NULL; -} - -static const u_char * -isakmp_hash_print(const struct isakmp_gen *ext, u_int item_len, - const u_char *ep, u_int32_t phase _U_, u_int32_t doi _U_, - u_int32_t proto _U_, int depth _U_) -{ - struct isakmp_gen e; - - printf("%s:", NPSTR(ISAKMP_NPTYPE_HASH)); - - TCHECK(*ext); - safememcpy(&e, ext, sizeof(e)); - printf(" len=%d", ntohs(e.len) - 4); - if (2 < vflag && 4 < ntohs(e.len)) { - printf(" "); - if (!rawprint((caddr_t)(ext + 1), ntohs(e.len) - 4)) - goto trunc; - } - return (u_char *)ext + ntohs(e.len); -trunc: - printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_HASH)); - return NULL; -} - -static const u_char * -isakmp_sig_print(const struct isakmp_gen *ext, u_int item_len, - const u_char *ep, u_int32_t phase _U_, u_int32_t doi _U_, - u_int32_t proto _U_, int depth _U_) -{ - struct isakmp_gen e; - - printf("%s:", NPSTR(ISAKMP_NPTYPE_SIG)); - - TCHECK(*ext); - safememcpy(&e, ext, sizeof(e)); - printf(" len=%d", ntohs(e.len) - 4); - if (2 < vflag && 4 < ntohs(e.len)) { - printf(" "); - if (!rawprint((caddr_t)(ext + 1), ntohs(e.len) - 4)) - goto trunc; - } - return (u_char *)ext + ntohs(e.len); -trunc: - printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_SIG)); - return NULL; -} - -static const u_char * 
-isakmp_nonce_print(const struct isakmp_gen *ext, u_int item_len, - const u_char *ep, u_int32_t phase _U_, u_int32_t doi _U_, - u_int32_t proto _U_, int depth _U_) -{ - struct isakmp_gen e; - - printf("%s:", NPSTR(ISAKMP_NPTYPE_NONCE)); - - TCHECK(*ext); - safememcpy(&e, ext, sizeof(e)); - printf(" n len=%d", ntohs(e.len) - 4); - if (2 < vflag && 4 < ntohs(e.len)) { - printf(" "); - if (!rawprint((caddr_t)(ext + 1), ntohs(e.len) - 4)) - goto trunc; - } - return (u_char *)ext + ntohs(e.len); -trunc: - printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_NONCE)); - return NULL; -} - -static const u_char * -isakmp_n_print(const struct isakmp_gen *ext, u_int item_len, - const u_char *ep, u_int32_t phase, u_int32_t doi0 _U_, - u_int32_t proto0 _U_, int depth) -{ - struct isakmp_pl_n *p, n; - const u_char *cp; - u_char *ep2; - u_int32_t doi; - u_int32_t proto; - static const char *notify_error_str[] = { - NULL, "INVALID-PAYLOAD-TYPE", - "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED", - "INVALID-COOKIE", "INVALID-MAJOR-VERSION", - "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE", - "INVALID-FLAGS", "INVALID-MESSAGE-ID", - "INVALID-PROTOCOL-ID", "INVALID-SPI", - "INVALID-TRANSFORM-ID", "ATTRIBUTES-NOT-SUPPORTED", - "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX", - "PAYLOAD-MALFORMED", "INVALID-KEY-INFORMATION", - "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING", - "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED", - "INVALID-CERT-AUTHORITY", "INVALID-HASH-INFORMATION", - "AUTHENTICATION-FAILED", "INVALID-SIGNATURE", - "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME", - "CERTIFICATE-UNAVAILABLE", "UNSUPPORTED-EXCHANGE-TYPE", - "UNEQUAL-PAYLOAD-LENGTHS", - }; - static const char *ipsec_notify_error_str[] = { - "RESERVED", - }; - static const char *notify_status_str[] = { - "CONNECTED", - }; - static const char *ipsec_notify_status_str[] = { - "RESPONDER-LIFETIME", "REPLAY-STATUS", - "INITIAL-CONTACT", - }; -/* NOTE: these macro must be called with x in proper range */ - -/* 0 - 8191 */ -#define 
NOTIFY_ERROR_STR(x) \ - STR_OR_ID((x), notify_error_str) - -/* 8192 - 16383 */ -#define IPSEC_NOTIFY_ERROR_STR(x) \ - STR_OR_ID((u_int)((x) - 8192), ipsec_notify_error_str) - -/* 16384 - 24575 */ -#define NOTIFY_STATUS_STR(x) \ - STR_OR_ID((u_int)((x) - 16384), notify_status_str) - -/* 24576 - 32767 */ -#define IPSEC_NOTIFY_STATUS_STR(x) \ - STR_OR_ID((u_int)((x) - 24576), ipsec_notify_status_str) - - printf("%s:", NPSTR(ISAKMP_NPTYPE_N)); - - p = (struct isakmp_pl_n *)ext; - TCHECK(*p); - safememcpy(&n, ext, sizeof(n)); - doi = ntohl(n.doi); - proto = n.prot_id; - if (doi != 1) { - printf(" doi=%d", doi); - printf(" proto=%d", proto); - if (ntohs(n.type) < 8192) - printf(" type=%s", NOTIFY_ERROR_STR(ntohs(n.type))); - else if (ntohs(n.type) < 16384) - printf(" type=%s", numstr(ntohs(n.type))); - else if (ntohs(n.type) < 24576) - printf(" type=%s", NOTIFY_STATUS_STR(ntohs(n.type))); - else - printf(" type=%s", numstr(ntohs(n.type))); - if (n.spi_size) { - printf(" spi="); - if (!rawprint((caddr_t)(p + 1), n.spi_size)) - goto trunc; - } - return (u_char *)(p + 1) + n.spi_size; - } - - printf(" doi=ipsec"); - printf(" proto=%s", PROTOIDSTR(proto)); - if (ntohs(n.type) < 8192) - printf(" type=%s", NOTIFY_ERROR_STR(ntohs(n.type))); - else if (ntohs(n.type) < 16384) - printf(" type=%s", IPSEC_NOTIFY_ERROR_STR(ntohs(n.type))); - else if (ntohs(n.type) < 24576) - printf(" type=%s", NOTIFY_STATUS_STR(ntohs(n.type))); - else if (ntohs(n.type) < 32768) - printf(" type=%s", IPSEC_NOTIFY_STATUS_STR(ntohs(n.type))); - else - printf(" type=%s", numstr(ntohs(n.type))); - if (n.spi_size) { - printf(" spi="); - if (!rawprint((caddr_t)(p + 1), n.spi_size)) - goto trunc; - } - - cp = (u_char *)(p + 1) + n.spi_size; - ep2 = (u_char *)p + item_len; - - if (cp < ep) { - printf(" orig=("); - switch (ntohs(n.type)) { - case IPSECDOI_NTYPE_RESPONDER_LIFETIME: - { - const struct attrmap *map = oakley_t_map; - size_t nmap = sizeof(oakley_t_map)/sizeof(oakley_t_map[0]); - while (cp < ep && cp 
< ep2) { - cp = isakmp_attrmap_print(cp, - (ep < ep2) ? ep : ep2, map, nmap); - } - break; - } - case IPSECDOI_NTYPE_REPLAY_STATUS: - printf("replay detection %sabled", - (*(u_int32_t *)cp) ? "en" : "dis"); - break; - case ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN: - if (isakmp_sub_print(ISAKMP_NPTYPE_SA, - (struct isakmp_gen *)cp, ep, phase, doi, proto, - depth) == NULL) - return NULL; - break; - default: - /* NULL is dummy */ - isakmp_print(cp, item_len - sizeof(*p) - n.spi_size, - NULL); - } - printf(")"); - } - return (u_char *)ext + item_len; -trunc: - printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_N)); - return NULL; -} - -static const u_char * -isakmp_d_print(const struct isakmp_gen *ext, u_int item_len, - const u_char *ep, u_int32_t phase _U_, u_int32_t doi0 _U_, - u_int32_t proto0 _U_, int depth _U_) -{ - const struct isakmp_pl_d *p; - struct isakmp_pl_d d; - const u_int8_t *q; - u_int32_t doi; - u_int32_t proto; - int i; - - printf("%s:", NPSTR(ISAKMP_NPTYPE_D)); - - p = (struct isakmp_pl_d *)ext; - TCHECK(*p); - safememcpy(&d, ext, sizeof(d)); - doi = ntohl(d.doi); - proto = d.prot_id; - if (doi != 1) { - printf(" doi=%u", doi); - printf(" proto=%u", proto); - } else { - printf(" doi=ipsec"); - printf(" proto=%s", PROTOIDSTR(proto)); - } - printf(" spilen=%u", d.spi_size); - printf(" nspi=%u", ntohs(d.num_spi)); - printf(" spi="); - q = (u_int8_t *)(p + 1); - for (i = 0; i < ntohs(d.num_spi); i++) { - if (i != 0) - printf(","); - if (!rawprint((caddr_t)q, d.spi_size)) - goto trunc; - q += d.spi_size; - } - return q; -trunc: - printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_D)); - return NULL; -} - -static const u_char * -isakmp_vid_print(const struct isakmp_gen *ext, u_int item_len, - const u_char *ep, u_int32_t phase _U_, u_int32_t doi _U_, - u_int32_t proto _U_, int depth _U_) -{ - struct isakmp_gen e; - - printf("%s:", NPSTR(ISAKMP_NPTYPE_VID)); - - TCHECK(*ext); - safememcpy(&e, ext, sizeof(e)); - printf(" len=%d", ntohs(e.len) - 4); - if (2 < vflag && 4 < ntohs(e.len)) { - 
printf(" "); - if (!rawprint((caddr_t)(ext + 1), ntohs(e.len) - 4)) - goto trunc; - } - return (u_char *)ext + ntohs(e.len); -trunc: - printf(" [|%s]", NPSTR(ISAKMP_NPTYPE_VID)); - return NULL; -} - -static const u_char * -isakmp_sub0_print(u_char np, const struct isakmp_gen *ext, const u_char *ep, - u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth) -{ - const u_char *cp; - struct isakmp_gen e; - u_int item_len; - - cp = (u_char *)ext; - TCHECK(*ext); - safememcpy(&e, ext, sizeof(e)); - - /* - * Since we can't have a payload length of less than 4 bytes, - * we need to bail out here if the generic header is nonsensical - * or truncated, otherwise we could loop forever processing - * zero-length items or otherwise misdissect the packet. - */ - item_len = ntohs(e.len); - if (item_len <= 4) - return NULL; - - if (NPFUNC(np)) { - /* - * XXX - what if item_len is too short, or too long, - * for this payload type? - */ - cp = (*NPFUNC(np))(ext, item_len, ep, phase, doi, proto, depth); - } else { - printf("%s", NPSTR(np)); - cp += item_len; - } - - return cp; -trunc: - printf(" [|isakmp]"); - return NULL; -} - -static const u_char * -isakmp_sub_print(u_char np, const struct isakmp_gen *ext, const u_char *ep, - u_int32_t phase, u_int32_t doi, u_int32_t proto, int depth) -{ - const u_char *cp; - int i; - struct isakmp_gen e; - - cp = (const u_char *)ext; - - while (np) { - TCHECK(*ext); - - safememcpy(&e, ext, sizeof(e)); - - TCHECK2(*ext, ntohs(e.len)); - - depth++; - printf("\n"); - for (i = 0; i < depth; i++) - printf(" "); - printf("("); - cp = isakmp_sub0_print(np, ext, ep, phase, doi, proto, depth); - printf(")"); - depth--; - - if (cp == NULL) { - /* Zero-length subitem */ - return NULL; - } - - np = e.np; - ext = (struct isakmp_gen *)cp; - } - return cp; -trunc: - printf(" [|%s]", NPSTR(np)); - return NULL; -} - -static char * -numstr(int x) -{ - static char buf[20]; - snprintf(buf, sizeof(buf), "#%d", x); - return buf; -} - -/* - * some compiler tries to 
optimize memcpy(), using the alignment constraint - * on the argument pointer type. by using this function, we try to avoid the - * optimization. - */ -static void -safememcpy(void *p, const void *q, size_t l) -{ - memcpy(p, q, l); -} - -void -isakmp_print(const u_char *bp, u_int length, const u_char *bp2) -{ - const struct isakmp *p; - struct isakmp base; - const u_char *ep; - u_char np; - int i; - int phase; - int major, minor; - - p = (const struct isakmp *)bp; - ep = snapend; - - if ((struct isakmp *)ep < p + 1) { - printf("[|isakmp]"); - return; - } - - safememcpy(&base, p, sizeof(base)); - - printf("isakmp"); - if (vflag) { - major = (base.vers & ISAKMP_VERS_MAJOR) - >> ISAKMP_VERS_MAJOR_SHIFT; - minor = (base.vers & ISAKMP_VERS_MINOR) - >> ISAKMP_VERS_MINOR_SHIFT; - printf(" %d.%d", major, minor); - } - - if (vflag) { - printf(" msgid "); - rawprint((caddr_t)&base.msgid, sizeof(base.msgid)); - } - - if (1 < vflag) { - printf(" cookie "); - rawprint((caddr_t)&base.i_ck, sizeof(base.i_ck)); - printf("->"); - rawprint((caddr_t)&base.r_ck, sizeof(base.r_ck)); - } - printf(":"); - - phase = (*(u_int32_t *)base.msgid == 0) ? 1 : 2; - if (phase == 1) - printf(" phase %d", phase); - else - printf(" phase %d/others", phase); - - i = cookie_find(&base.i_ck); - if (i < 0) { - if (iszero((u_char *)&base.r_ck, sizeof(base.r_ck))) { - /* the first packet */ - printf(" I"); - if (bp2) - cookie_record(&base.i_ck, bp2); - } else - printf(" ?"); - } else { - if (bp2 && cookie_isinitiator(i, bp2)) - printf(" I"); - else if (bp2 && cookie_isresponder(i, bp2)) - printf(" R"); - else - printf(" ?"); - } - - printf(" %s", ETYPESTR(base.etype)); - if (base.flags) { - printf("[%s%s]", base.flags & ISAKMP_FLAG_E ? "E" : "", - base.flags & ISAKMP_FLAG_C ? 
"C" : "");
- }
-
- if (vflag) {
- const struct isakmp_gen *ext;
- int nparen;
-
-#define CHECKLEN(p, np) \
- if (ep < (u_char *)(p)) { \
- printf(" [|%s]", NPSTR(np)); \
- goto done; \
- }
-
- printf(":");
-
- /* regardless of phase... */
- if (base.flags & ISAKMP_FLAG_E) {
- /*
- * encrypted, nothing we can do right now.
- * we hope to decrypt the packet in the future...
- */
- printf(" [encrypted %s]", NPSTR(base.np));
- goto done;
- }
-
- nparen = 0;
- CHECKLEN(p + 1, base.np)
-
- np = base.np;
- ext = (struct isakmp_gen *)(p + 1);
- isakmp_sub_print(np, ext, ep, phase, 0, 0, 0);
- }
-
-done:
- if (vflag) {
- if (ntohl(base.len) != length) {
- printf(" (len mismatch: isakmp %u/ip %u)",
- (u_int32_t)ntohl(base.len), length);
- }
- }
-}
diff --git a/kame/kame/racoon/proposal.c b/kame/kame/racoon/proposal.c
deleted file mode 100644
index 35ba242191..0000000000
--- a/kame/kame/racoon/proposal.c
+++ /dev/null
@@ -1,1120 +0,0 @@
-/* $KAME: proposal.c,v 1.52 2004/12/25 09:35:34 jinmei Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include -#include -#include -#include - -#include -#include -#include - -#include -#include -#include -#include - -#include "var.h" -#include "misc.h" -#include "vmbuf.h" -#include "plog.h" -#include "sockmisc.h" -#include "debug.h" - -#include "policy.h" -#include "pfkey.h" -#include "isakmp_var.h" -#include "isakmp.h" -#include "ipsec_doi.h" -#include "algorithm.h" -#include "proposal.h" -#include "sainfo.h" -#include "localconf.h" -#include "remoteconf.h" -#include "oakley.h" -#include "handler.h" -#include "strnames.h" -#include "gcmalloc.h" - -/* %%% - * modules for ipsec sa spec - */ -struct saprop * -newsaprop() -{ - struct saprop *new; - - new = racoon_calloc(1, sizeof(*new)); - if (new == NULL) - return NULL; - - return new; -} - -struct saproto * -newsaproto() -{ - struct saproto *new; - - new = racoon_calloc(1, sizeof(*new)); - if (new == NULL) - return NULL; - - return new; -} - -/* set saprop to last part of the prop tree */ -void -inssaprop(head, new) - struct saprop **head; - struct saprop *new; -{ - struct saprop *p; - - if (*head == NULL) { - *head = new; - return; - } - - for (p = *head; p->next; p = p->next) - ; - p->next = new; - - return; -} - -/* set saproto to the end of the proto tree in saprop */ -void -inssaproto(pp, new) - struct saprop *pp; - struct saproto *new; -{ - struct saproto *p; - - for (p = pp->head; p && p->next; p = p->next) - ; - if (p == NULL) - pp->head = new; - else - p->next = new; - - return; -} - -/* set saproto to the top of the proto tree in saprop */ -void -inssaprotorev(pp, new) - struct saprop *pp; - struct saproto *new; -{ - new->next = pp->head; - pp->head = new; - - return; -} - -struct satrns * -newsatrns() -{ - struct satrns *new; - - new = racoon_calloc(1, sizeof(*new)); - if (new == NULL) - return NULL; - - return new; -} - -/* set saproto to last part of the proto tree in saprop */ -void -inssatrns(pr, new) - struct saproto *pr; - struct satrns *new; -{ - struct satrns *tr; - - for (tr = pr->head; 
tr && tr->next; tr = tr->next) - ; - if (tr == NULL) - pr->head = new; - else - tr->next = new; - - return; -} - -/* - * compare my proposals to a peers one. - * allocate a new saprop if a suitable proposal is found. - * pp1: peer's proposal. - * pp2: my proposal. - */ -struct saprop * -cmpsaprop_alloc(ph1, pp1, pp2, side) - struct ph1handle *ph1; - const struct saprop *pp1, *pp2; - int side; -{ - struct saprop *newpp = NULL; - struct saproto *pr1, *pr2, *newpr = NULL; - struct satrns *tr1, *tr2, *newtr; - const int ordermatters = 0; - int npr1, npr2; - int spisizematch; - - newpp = newsaprop(); - if (newpp == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate saprop.\n"); - return NULL; - } - newpp->prop_no = pp1->prop_no; - - /* see proposal.h about lifetime/key length and PFS selection. */ - - /* check time/bytes lifetime and PFS */ - switch (ph1->rmconf->pcheck_level) { - case PROP_CHECK_OBEY: - newpp->lifetime = pp1->lifetime; - newpp->lifebyte = pp1->lifebyte; - newpp->pfs_group = pp1->pfs_group; - break; - case PROP_CHECK_STRICT: - if (pp1->lifetime > pp2->lifetime) { - plog(LLV_ERROR, LOCATION, NULL, - "long lifetime proposed: " - "my:%d peer:%d\n", - pp2->lifetime, pp1->lifetime); - goto err; - } - if (pp1->lifebyte > pp2->lifebyte) { - plog(LLV_ERROR, LOCATION, NULL, - "long lifebyte proposed: " - "my:%d peer:%d\n", - pp2->lifebyte, pp1->lifebyte); - goto err; - } - newpp->lifetime = pp1->lifetime; - newpp->lifebyte = pp1->lifebyte; - - prop_pfs_check: - if (pp2->pfs_group != 0 && pp1->pfs_group != pp2->pfs_group) { - plog(LLV_ERROR, LOCATION, NULL, - "pfs group mismatched: " - "my:%d peer:%d\n", - pp2->pfs_group, pp1->pfs_group); - goto err; - } - newpp->pfs_group = pp1->pfs_group; - break; - case PROP_CHECK_CLAIM: - /* lifetime */ - if (pp1->lifetime <= pp2->lifetime) { - newpp->lifetime = pp1->lifetime; - } else { - newpp->lifetime = pp2->lifetime; - newpp->claim |= IPSECDOI_ATTR_SA_LD_TYPE_SEC; - plog(LLV_NOTIFY, LOCATION, NULL, - "use 
own lifetime: " - "my:%d peer:%d\n", - pp2->lifetime, pp1->lifetime); - } - - /* lifebyte */ - if (pp1->lifebyte > pp2->lifebyte) { - newpp->lifebyte = pp2->lifebyte; - newpp->claim |= IPSECDOI_ATTR_SA_LD_TYPE_SEC; - plog(LLV_NOTIFY, LOCATION, NULL, - "use own lifebyte: " - "my:%d peer:%d\n", - pp2->lifebyte, pp1->lifebyte); - } - newpp->lifebyte = pp1->lifebyte; - - goto prop_pfs_check; - break; - case PROP_CHECK_EXACT: - if (pp1->lifetime != pp2->lifetime) { - plog(LLV_ERROR, LOCATION, NULL, - "lifetime mismatched: " - "my:%d peer:%d\n", - pp2->lifetime, pp1->lifetime); - goto err; - } - if (pp1->lifebyte != pp2->lifebyte) { - plog(LLV_ERROR, LOCATION, NULL, - "lifebyte mismatched: " - "my:%d peer:%d\n", - pp2->lifebyte, pp1->lifebyte); - goto err; - } - if (pp1->pfs_group != pp2->pfs_group) { - plog(LLV_ERROR, LOCATION, NULL, - "pfs group mismatched: " - "my:%d peer:%d\n", - pp2->pfs_group, pp1->pfs_group); - goto err; - } - newpp->lifebyte = pp1->lifebyte; - newpp->lifetime = pp1->lifetime; - newpp->pfs_group = pp1->pfs_group; - break; - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid pcheck_level why?.\n"); - goto err; - } - - npr1 = npr2 = 0; - for (pr1 = pp1->head; pr1; pr1 = pr1->next) - npr1++; - for (pr2 = pp2->head; pr2; pr2 = pr2->next) - npr2++; - if (npr1 != npr2) - goto err; - - /* check protocol order */ - pr1 = pp1->head; - pr2 = pp2->head; - - while (1) { - if (!ordermatters) { - /* - * XXX does not work if we have multiple proposals - * with the same proto_id - */ - switch (side) { - case RESPONDER: - if (!pr2) - break; - for (pr1 = pp1->head; pr1; pr1 = pr1->next) { - if (pr1->proto_id == pr2->proto_id) - break; - } - break; - case INITIATOR: - if (!pr1) - break; - for (pr2 = pp2->head; pr2; pr2 = pr2->next) { - if (pr2->proto_id == pr1->proto_id) - break; - } - break; - } - } - if (!pr1 || !pr2) - break; - - if (pr1->proto_id != pr2->proto_id) { - plog(LLV_ERROR, LOCATION, NULL, - "proto_id mismatched: " - "my:%s peer:%s\n", - 
s_ipsecdoi_proto(pr2->proto_id), - s_ipsecdoi_proto(pr1->proto_id)); - goto err; - } - spisizematch = 0; - if (pr1->spisize == pr2->spisize) - spisizematch = 1; - else if (pr1->proto_id == IPSECDOI_PROTO_IPCOMP) { - /* - * draft-shacham-ippcp-rfc2393bis-05.txt: - * need to accept 16bit and 32bit SPI (CPI) for IPComp. - */ - if (pr1->spisize == sizeof(u_int16_t) && - pr2->spisize == sizeof(u_int32_t)) { - spisizematch = 1; - } else if (pr1->spisize == sizeof(u_int16_t) && - pr2->spisize == sizeof(u_int32_t)) { - spisizematch = 1; - } - if (spisizematch) { - plog(LLV_ERROR, LOCATION, NULL, - "IPComp SPI size promoted " - "from 16bit to 32bit\n"); - } - } - if (!spisizematch) { - plog(LLV_ERROR, LOCATION, NULL, - "spisize mismatched: " - "my:%d peer:%d\n", - pr2->spisize, pr1->spisize); - goto err; - } - if (pr1->encmode != pr2->encmode) { - plog(LLV_ERROR, LOCATION, NULL, - "encmode mismatched: " - "my:%s peer:%s\n", - s_ipsecdoi_encmode(pr2->encmode), - s_ipsecdoi_encmode(pr1->encmode)); - goto err; - } - - for (tr1 = pr1->head; tr1; tr1 = tr1->next) { - for (tr2 = pr2->head; tr2; tr2 = tr2->next) { - if (cmpsatrns(tr1, tr2) == 0) - goto found; - } - } - - goto err; - - found: - newpr = newsaproto(); - if (newpr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate saproto.\n"); - goto err; - } - newpr->proto_id = pr1->proto_id; - newpr->spisize = pr1->spisize; - newpr->encmode = pr1->encmode; - newpr->spi = pr2->spi; /* copy my SPI */ - newpr->spi_p = pr1->spi; /* copy peer's SPI */ - newpr->reqid_in = pr2->reqid_in; - newpr->reqid_out = pr2->reqid_out; - - newtr = newsatrns(); - if (newtr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate satrns.\n"); - goto err; - } - newtr->trns_no = tr1->trns_no; - newtr->trns_id = tr1->trns_id; - newtr->encklen = tr1->encklen; - newtr->authtype = tr1->authtype; - - inssatrns(newpr, newtr); - inssaproto(newpp, newpr); - - pr1 = pr1->next; - pr2 = pr2->next; - } - - /* XXX should check if we have 
visited all items or not */ - if (!ordermatters) { - switch (side) { - case RESPONDER: - if (!pr2) - pr1 = NULL; - break; - case INITIATOR: - if (!pr1) - pr2 = NULL; - break; - } - } - - /* should be matched all protocols in a proposal */ - if (pr1 != NULL || pr2 != NULL) - goto err; - - return newpp; - -err: - flushsaprop(newpp); - return NULL; -} - -/* take a single match between saprop. returns 0 if pp1 equals to pp2. */ -int -cmpsaprop(pp1, pp2) - const struct saprop *pp1, *pp2; -{ - if (pp1->pfs_group != pp2->pfs_group) { - plog(LLV_WARNING, LOCATION, NULL, - "pfs_group mismatch. mine:%d peer:%d\n", - pp1->pfs_group, pp2->pfs_group); - /* FALLTHRU */ - } - - if (pp1->lifetime > pp2->lifetime) { - plog(LLV_WARNING, LOCATION, NULL, - "less lifetime proposed. mine:%d peer:%d\n", - pp1->lifetime, pp2->lifetime); - /* FALLTHRU */ - } - if (pp1->lifebyte > pp2->lifebyte) { - plog(LLV_WARNING, LOCATION, NULL, - "less lifebyte proposed. mine:%d peer:%d\n", - pp1->lifebyte, pp2->lifebyte); - /* FALLTHRU */ - } - - return 0; -} - -/* - * take a single match between satrns. returns 0 if tr1 equals to tr2. - * tr1: peer's satrns - * tr2: my satrns - */ -int -cmpsatrns(tr1, tr2) - const struct satrns *tr1, *tr2; -{ - if (tr1->trns_id != tr2->trns_id) { - plog(LLV_ERROR, LOCATION, NULL, - "trns_id mismatched: " - "my:%d peer:%d\n", - tr2->trns_id, tr1->trns_id); - return 1; - } - if (tr1->authtype != tr2->authtype) { - plog(LLV_ERROR, LOCATION, NULL, - "authtype mismatched: " - "my:%s peer:%s\n", - s_ipsecdoi_attr_v(IPSECDOI_ATTR_AUTH, tr2->authtype), - s_ipsecdoi_attr_v(IPSECDOI_ATTR_AUTH, tr1->authtype)); - return 1; - } - - /* XXX - * At this moment for interoperability, the responder obey - * the initiator. It should be defined a notify message. - */ - if (tr1->encklen > tr2->encklen) { - plog(LLV_WARNING, LOCATION, NULL, - "less key length proposed, " - "mine:%d peer:%d. 
Use initiaotr's one.\n", - tr2->encklen, tr1->encklen); - /* FALLTHRU */ - } - - return 0; -} - -int -set_satrnsbysainfo(pr, sainfo) - struct saproto *pr; - struct sainfo *sainfo; -{ - struct sainfoalg *a, *b; - struct satrns *newtr; - int t; - - switch (pr->proto_id) { - case IPSECDOI_PROTO_IPSEC_AH: - if (sainfo->algs[algclass_ipsec_auth] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "no auth algorithm found\n"); - goto err; - } - t = 1; - for (a = sainfo->algs[algclass_ipsec_auth]; a; a = a->next) { - - if (a->alg == IPSECDOI_ATTR_AUTH_NONE) - continue; - - /* allocate satrns */ - newtr = newsatrns(); - if (newtr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate satrns.\n"); - goto err; - } - - newtr->trns_no = t++; - newtr->trns_id = ipsecdoi_authalg2trnsid(a->alg); - newtr->authtype = a->alg; - - inssatrns(pr, newtr); - } - break; - case IPSECDOI_PROTO_IPSEC_ESP: - if (sainfo->algs[algclass_ipsec_enc] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "no encryption algorithm found\n"); - goto err; - } - t = 1; - for (a = sainfo->algs[algclass_ipsec_enc]; a; a = a->next) { - for (b = sainfo->algs[algclass_ipsec_auth]; b; b = b->next) { - /* allocate satrns */ - newtr = newsatrns(); - if (newtr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate satrns.\n"); - goto err; - } - - newtr->trns_no = t++; - newtr->trns_id = a->alg; - newtr->encklen = a->encklen; - newtr->authtype = b->alg; - - inssatrns(pr, newtr); - } - } - break; - case IPSECDOI_PROTO_IPCOMP: - if (sainfo->algs[algclass_ipsec_comp] == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "no ipcomp algorithm found\n"); - goto err; - } - t = 1; - for (a = sainfo->algs[algclass_ipsec_comp]; a; a = a->next) { - - /* allocate satrns */ - newtr = newsatrns(); - if (newtr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate satrns.\n"); - goto err; - } - - newtr->trns_no = t++; - newtr->trns_id = a->alg; - newtr->authtype = IPSECDOI_ATTR_AUTH_NONE; /*no auth*/ - - 
inssatrns(pr, newtr);
- }
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "unknown proto_id (%d).\n", pr->proto_id);
- goto err;
- }
-
- /* no proposal found */
- if (pr->head == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "no algorithms found.\n");
- return -1;
- }
-
- return 0;
-
-err:
- flushsatrns(pr->head);
- return -1;
-}
-
-struct saprop *
-aproppair2saprop(p0)
- struct prop_pair *p0;
-{
- struct prop_pair *p, *t;
- struct saprop *newpp;
- struct saproto *newpr;
- struct satrns *newtr;
- u_int8_t *spi;
-
- if (p0 == NULL)
- return NULL;
-
- /* allocate ipsec a sa proposal */
- newpp = newsaprop();
- if (newpp == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate saprop.\n");
- return NULL;
- }
- newpp->prop_no = p0->prop->p_no;
- /* lifetime & lifebyte must be updated later */
-
- for (p = p0; p; p = p->next) {
-
- /* allocate ipsec sa protocol */
- newpr = newsaproto();
- if (newpr == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate saproto.\n");
- goto err;
- }
-
- /* check spi size */
- /* XXX should be handled isakmp cookie */
- if (sizeof(newpr->spi) < p->prop->spi_size) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid spi size %d.\n", p->prop->spi_size);
- goto err;
- }
-
- /*
- * XXX SPI bits are left-filled, for use with IPComp.
- * we should be switching to variable-length spi field...
- */ - newpr->proto_id = p->prop->proto_id; - newpr->spisize = p->prop->spi_size; - memset(&newpr->spi, 0, sizeof(newpr->spi)); - spi = (u_int8_t *)&newpr->spi; - spi += sizeof(newpr->spi); - spi -= p->prop->spi_size; - memcpy(spi, p->prop + 1, p->prop->spi_size); - newpr->reqid_in = 0; - newpr->reqid_out = 0; - - for (t = p; t; t = t->tnext) { - - plog(LLV_DEBUG, LOCATION, NULL, - "prop#=%d prot-id=%s spi-size=%d " - "#trns=%d trns#=%d trns-id=%s\n", - t->prop->p_no, - s_ipsecdoi_proto(t->prop->proto_id), - t->prop->spi_size, t->prop->num_t, - t->trns->t_no, - s_ipsecdoi_trns(t->prop->proto_id, - t->trns->t_id)); - - /* allocate ipsec sa transform */ - newtr = newsatrns(); - if (newtr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate satrns.\n"); - goto err; - } - - if (ipsecdoi_t2satrns(t->trns, newpp, newpr, newtr) < 0) { - flushsaprop(newpp); - return NULL; - } - - inssatrns(newpr, newtr); - } - - /* - * If the peer does not specify encryption mode, use - * transport mode by default. This is to conform to - * draft-shacham-ippcp-rfc2393bis-08.txt (explicitly specifies - * that unspecified == transport), as well as RFC2407 - * (unspecified == implementation dependent default). 
- */
- if (newpr->encmode == 0)
- newpr->encmode = IPSECDOI_ATTR_ENC_MODE_TRNS;
-
- inssaproto(newpp, newpr);
- }
-
- return newpp;
-
-err:
- flushsaprop(newpp);
- return NULL;
-}
-
-void
-flushsaprop(head)
- struct saprop *head;
-{
- struct saprop *p, *save;
-
- for (p = head; p != NULL; p = save) {
- save = p->next;
- flushsaproto(p->head);
- racoon_free(p);
- }
-
- return;
-}
-
-void
-flushsaproto(head)
- struct saproto *head;
-{
- struct saproto *p, *save;
-
- for (p = head; p != NULL; p = save) {
- save = p->next;
- flushsatrns(p->head);
- vfree(p->keymat);
- vfree(p->keymat_p);
- racoon_free(p);
- }
-
- return;
-}
-
-void
-flushsatrns(head)
- struct satrns *head;
-{
- struct satrns *p, *save;
-
- for (p = head; p != NULL; p = save) {
- save = p->next;
- racoon_free(p);
- }
-
- return;
-}
-
-/*
- * print multiple proposals
- */
-void
-printsaprop(pri, pp)
- const int pri;
- const struct saprop *pp;
-{
- const struct saprop *p;
-
- if (pp == NULL) {
- plog(pri, LOCATION, NULL, "(null)");
- return;
- }
-
- for (p = pp; p; p = p->next) {
- printsaprop0(pri, p);
- }
-
- return;
-}
-
-/*
- * print one proposal.
- */
-void
-printsaprop0(pri, pp)
- int pri;
- const struct saprop *pp;
-{
- const struct saproto *p;
-
- if (pp == NULL)
- return;
-
- for (p = pp->head; p; p = p->next) {
- printsaproto(pri, p);
- }
-
- return;
-}
-
-void
-printsaproto(pri, pr)
- const int pri;
- const struct saproto *pr;
-{
- struct satrns *tr;
-
- if (pr == NULL)
- return;
-
- plog(pri, LOCATION, NULL,
- " (proto_id=%s spisize=%d spi=%08lx spi_p=%08lx "
- "encmode=%s reqid=%d:%d)\n",
- s_ipsecdoi_proto(pr->proto_id),
- pr->spisize,
- (unsigned long)ntohl(pr->spi),
- (unsigned long)ntohl(pr->spi_p),
- s_ipsecdoi_attr_v(IPSECDOI_ATTR_ENC_MODE, pr->encmode),
- pr->reqid_in, pr->reqid_out);
-
- for (tr = pr->head; tr; tr = tr->next) {
- printsatrns(pri, pr->proto_id, tr);
- }
-
- return;
-}
-
-void
-printsatrns(pri, proto_id, tr)
- const int pri;
- const int proto_id;
- const struct satrns *tr;
-{
- if (tr == NULL)
- return;
-
- switch (proto_id) {
- case IPSECDOI_PROTO_IPSEC_AH:
- plog(pri, LOCATION, NULL,
- " (trns_id=%s authtype=%s)\n",
- s_ipsecdoi_trns(proto_id, tr->trns_id),
- s_ipsecdoi_attr_v(IPSECDOI_ATTR_AUTH, tr->authtype));
- break;
- case IPSECDOI_PROTO_IPSEC_ESP:
- plog(pri, LOCATION, NULL,
- " (trns_id=%s encklen=%d authtype=%s)\n",
- s_ipsecdoi_trns(proto_id, tr->trns_id),
- tr->encklen,
- s_ipsecdoi_attr_v(IPSECDOI_ATTR_AUTH, tr->authtype));
- break;
- case IPSECDOI_PROTO_IPCOMP:
- plog(pri, LOCATION, NULL,
- " (trns_id=%s)\n",
- s_ipsecdoi_trns(proto_id, tr->trns_id));
- break;
- default:
- plog(pri, LOCATION, NULL,
- "(unknown proto_id %d)\n", proto_id);
- }
-
- return;
-}
-
-void
-print_proppair0(pri, p, level)
- int pri;
- struct prop_pair *p;
- int level;
-{
- char spc[21];
-
- memset(spc, ' ', sizeof(spc));
- spc[sizeof(spc) - 1] = '\0';
- if (level < 20) {
- spc[level] = '\0';
- }
-
- plog(pri, LOCATION, NULL,
- "%s%p: next=%p tnext=%p\n", spc, p, p->next, p->tnext);
- if (p->next)
- print_proppair0(pri, p->next, level + 1);
- if (p->tnext)
- print_proppair0(pri, p->tnext, level + 1);
-}
-
-void
-print_proppair(pri, p)
- int pri;
- struct prop_pair *p;
-{
- print_proppair0(pri, p, 1);
-}
-
-int
-set_proposal_from_policy(iph2, sp_main, sp_sub)
- struct ph2handle *iph2;
- struct secpolicy *sp_main, *sp_sub;
-{
- struct saprop *newpp;
- struct ipsecrequest *req;
- int encmodesv = IPSEC_MODE_TRANSPORT; /* use only when complex_bundle */
-
- newpp = newsaprop();
- if (newpp == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate saprop.\n");
- goto err;
- }
- newpp->prop_no = 1;
- newpp->lifetime = iph2->sainfo->lifetime;
- newpp->lifebyte = iph2->sainfo->lifebyte;
- newpp->pfs_group = iph2->sainfo->pfs_group;
-
- if (lcconf->complex_bundle)
- goto skip1;
-
- /*
- * decide the encryption mode of this SA bundle.
- * the mode becomes tunnel mode when there is even one policy
- * of tunnel mode in the SPD. otherwise the mode becomes
- * transport mode.
- */
- encmodesv = IPSEC_MODE_TRANSPORT;
- for (req = sp_main->req; req; req = req->next) {
- if (req->saidx.mode == IPSEC_MODE_TUNNEL) {
- encmodesv = pfkey2ipsecdoi_mode(req->saidx.mode);
- break;
- }
- }
-
- skip1:
- for (req = sp_main->req; req; req = req->next) {
- struct saproto *newpr;
- caddr_t paddr = NULL;
-
- /*
- * check if SA bundle ?
- * nested SAs negotiation is NOT supported.
- * me +--- SA1 ---+ peer1
- * me +--- SA2 --------------+ peer2
- */
- if (req->saidx.src.ss_len && req->saidx.dst.ss_len) {
-
- /* check the end of ip addresses of SA */
- if (iph2->side == INITIATOR)
- paddr = (caddr_t)&req->saidx.dst;
- else
- paddr = (caddr_t)&req->saidx.src;
-
- if (memcmp(iph2->dst, paddr, iph2->dst->sa_len)){
- plog(LLV_ERROR, LOCATION, NULL,
- "not supported nested SA.\n");
- goto err;
- }
- }
-
- /* allocate ipsec sa protocol */
- newpr = newsaproto();
- if (newpr == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate saproto.\n");
- goto err;
- }
-
- newpr->proto_id = ipproto2doi(req->saidx.proto);
- newpr->spisize = 4;
- if (lcconf->complex_bundle)
- newpr->encmode = pfkey2ipsecdoi_mode(req->saidx.mode);
- else
- newpr->encmode = encmodesv;
-
- if (iph2->side == INITIATOR)
- newpr->reqid_out = req->saidx.reqid;
- else
- newpr->reqid_in = req->saidx.reqid;
-
- if (set_satrnsbysainfo(newpr, iph2->sainfo) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get algorithms.\n");
- goto err;
- }
-
- /* set new saproto */
- inssaprotorev(newpp, newpr);
- }
-
- /* get reqid_in from inbound policy */
- if (sp_sub) {
- struct saproto *pr;
-
- req = sp_sub->req;
- pr = newpp->head;
- while (req && pr) {
- if (iph2->side == INITIATOR)
- pr->reqid_in = req->saidx.reqid;
- else
- pr->reqid_out = req->saidx.reqid;
- pr = pr->next;
- req = req->next;
- }
- if (pr || req) {
- plog(LLV_NOTIFY, LOCATION, NULL,
- "There is a difference "
- "between the in/out bound policies in SPD.\n");
- }
- }
-
- iph2->proposal = newpp;
-
- printsaprop0(LLV_DEBUG, newpp);
-
- return 0;
-err:
- return -1;
-}
-
-/*
- * generate a policy from peer's proposal.
- * this function unconditionally choices first proposal in SA payload
- * passed by peer.
- */
-int
-set_proposal_from_proposal(iph2)
- struct ph2handle *iph2;
-{
- struct saprop *newpp = NULL, *pp0, *pp_peer = NULL;
- struct saproto *newpr = NULL, *pr;
- struct prop_pair **pair;
- int error = -1;
- int i;
-
- /* get proposal pair */
- pair = get_proppair(iph2->sa, IPSECDOI_TYPE_PH2);
- if (pair == NULL)
- goto end;
-
- /*
- * make my proposal according as the client proposal.
- * XXX assumed there is only one proposal even if it's the SA bundle.
- */
- for (i = 0; i < MAXPROPPAIRLEN; i++) {
- if (pair[i] == NULL)
- continue;
- pp_peer = aproppair2saprop(pair[i]);
- if (pp_peer == NULL)
- goto end;
-
- pp0 = newsaprop();
- if (pp0 == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate saprop.\n");
- goto end;
- }
- pp0->prop_no = 1;
- pp0->lifetime = iph2->sainfo->lifetime;
- pp0->lifebyte = iph2->sainfo->lifebyte;
- pp0->pfs_group = iph2->sainfo->pfs_group;
-
- if (pp_peer->next != NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "pp_peer is inconsistency, ignore it.\n");
- /*FALLTHROUGH*/
- }
-
- for (pr = pp_peer->head; pr; pr = pr->next) {
-
- newpr = newsaproto();
- if (newpr == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate saproto.\n");
- goto end;
- }
- newpr->proto_id = pr->proto_id;
- newpr->spisize = pr->spisize;
- newpr->encmode = pr->encmode;
- newpr->spi = 0;
- newpr->spi_p = pr->spi; /* copy peer's SPI */
- newpr->reqid_in = 0;
- newpr->reqid_out = 0;
- }
-
- if (set_satrnsbysainfo(newpr, iph2->sainfo) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get algorithms.\n");
- goto end;
- }
-
- inssaproto(pp0, newpr);
- inssaprop(&newpp, pp0);
- }
-
- plog(LLV_DEBUG, LOCATION, NULL, "make a proposal from peer's:\n");
- printsaprop0(LLV_DEBUG, newpp);
-
- iph2->proposal = newpp;
-
- error = 0;
-
-end:
- if (error && newpp)
- flushsaprop(newpp);
-
- if (pp_peer)
- flushsaprop(pp_peer);
- free_proppair(pair);
- return error;
-}
diff --git a/kame/kame/racoon/proposal.h b/kame/kame/racoon/proposal.h
deleted file mode 100644
index d38291e6f9..0000000000
--- a/kame/kame/racoon/proposal.h
+++ /dev/null
@@ -1,203 +0,0 @@
-/* $KAME: proposal.h,v 1.16 2001/08/16 05:02:13 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include
-
-/*
- * A. chained list of transform, only for single proto_id
- * (this is same as set of transforms in single proposal payload)
- * B. proposal. this will point to multiple (A) items (order is important
- * here so pointer to (A) must be ordered array, or chained list).
- * this covers multiple proposal on a packet if proposal # is the same.
- * C. finally, (B) needs to be connected as chained list.
- *
- * head ---> prop[.......] ---> prop[...] ---> prop[...] ---> ...
- * | | | |
- * | | | +- proto4 <== must preserve order here
- * | | +--- proto3
- * | +----- proto2
- * +------- proto1[trans1, trans2, trans3, ...]
- *
- * incoming packets needs to be parsed to construct the same structure
- * (check "prop_pair" too).
- */
-/* SA proposal specification */
-struct saprop {
- int prop_no;
- time_t lifetime;
- int lifebyte;
- int pfs_group; /* pfs group */
- int claim; /* flag to send RESPONDER-LIFETIME. */
- /* XXX assumed DOI values are 1 or 2. */
-
- struct saproto *head;
- struct saprop *next;
-};
-
-/* SA protocol specification */
-struct saproto {
- int proto_id;
- size_t spisize; /* spi size */
- int encmode; /* encryption mode */
-
- /* XXX should be vchar_t * */
- /* these are network byte order */
- u_int32_t spi; /* inbound. i.e. --SA-> me */
- u_int32_t spi_p; /* outbound. i.e. me -SA-> */
-
- vchar_t *keymat; /* KEYMAT */
- vchar_t *keymat_p; /* peer's KEYMAT */
-
- int reqid_out; /* request id (outbound) */
- int reqid_in; /* request id (inbound) */
-
- int ok; /* if 1, success to set SA in kenrel */
-
- struct satrns *head; /* header of transform */
- struct saproto *next; /* next protocol */
-};
-
-/* SA algorithm specification */
-struct satrns {
- int trns_no;
- int trns_id; /* transform id */
- int encklen; /* key length of encryption algorithm */
- int authtype; /* authentication algorithm if ESP */
-
- struct satrns *next; /* next transform */
-};
-
-/*
- * prop_pair: (proposal number, transform number)
- *
- * (SA (P1 (T1 T2)) (P1' (T1' T2')) (P2 (T1" T2")))
- *
- * p[1] p[2]
- * top (P1,T1) (P2",T1")
- * | |tnext |tnext
- * | v v
- * | (P1, T2) (P2", T2")
- * v next
- * (P1', T1')
- * |tnext
- * v
- * (P1', T2')
- *
- * when we convert it to saprop in prop2saprop(), it should become like:
- *
- * (next)
- * saprop --------------------> saprop
- * | (head) | (head)
- * +-> saproto +-> saproto
- * | | (head) | (head)
- * | +-> satrns(P1 T1) +-> satrns(P2" T1")
- * | | (next) | (next)
- * | v v
- * | satrns(P1, T2) satrns(P2", T2")
- * v (next)
- * saproto
- * | (head)
- * +-> satrns(P1' T1')
- * | (next)
- * v
- * satrns(P1', T2')
- */
-struct prop_pair {
- struct isakmp_pl_p *prop;
- struct isakmp_pl_t *trns;
- struct prop_pair *next; /* next prop_pair with same proposal # */
- /* (bundle case) */
- struct prop_pair *tnext; /* next prop_pair in same proposal payload */
- /* (multiple tranform case) */
-};
-#define MAXPROPPAIRLEN 256 /* It's enough because field size is 1 octet. */
-
-/*
- * Lifetime length selection refered to the section 4.5.4 of RFC2407. It does
- * not completely conform to the description of RFC. There are four types of
- * the behavior. If the value of "proposal_check" in "remote" directive is;
- * "obey"
- * the responder obey the initiator anytime.
- * "strict"
- * If the responder's length is longer than the initiator's one, the
- * responder uses the intitiator's one. Otherwise rejects the proposal.
- * If PFS is not required by the responder, the responder obeys the
- * proposal. If PFS is required by both sides and if the responder's
- * group is not equal to the initiator's one, then the responder reject
- * the proposal.
- * "claim"
- * If the responder's length is longer than the initiator's one, the
- * responder use the intitiator's one. If the responder's length is
- * shorter than the initiator's one, the responder uses own length
- * AND send RESPONDER-LIFETIME notify message to a initiator in the
- * case of lifetime.
- * About PFS, this directive is same as "strict".
- * "exact"
- * If the initiator's length is not equal to the responder's one, the
- * responder rejects the proposal.
- * If PFS is required and if the responder's group is not equal to
- * the initiator's one, then the responder reject the proposal.
- * XXX should be defined the behavior of key length.
- */
-#define PROP_CHECK_OBEY 1
-#define PROP_CHECK_STRICT 2
-#define PROP_CHECK_CLAIM 3
-#define PROP_CHECK_EXACT 4
-
-struct sainfo;
-struct ph1handle;
-struct secpolicy;
-extern struct saprop *newsaprop __P((void));
-extern struct saproto *newsaproto __P((void));
-extern void inssaprop __P((struct saprop **, struct saprop *));
-extern void inssaproto __P((struct saprop *, struct saproto *));
-extern void inssaprotorev __P((struct saprop *, struct saproto *));
-extern struct satrns *newsatrns __P((void));
-extern void inssatrns __P((struct saproto *, struct satrns *));
-extern struct saprop *cmpsaprop_alloc __P((struct ph1handle *,
- const struct saprop *, const struct saprop *, int));
-extern int cmpsaprop __P((const struct saprop *, const struct saprop *));
-extern int cmpsatrns __P((const struct satrns *, const struct satrns *));
-extern int set_satrnsbysainfo __P((struct saproto *, struct sainfo *));
-extern struct saprop *aproppair2saprop __P((struct prop_pair *));
-extern void free_proppair __P((struct prop_pair **));
-extern void flushsaprop __P((struct saprop *));
-extern void flushsaproto __P((struct saproto *));
-extern void flushsatrns __P((struct satrns *));
-extern void printsaprop __P((const int, const struct saprop *));
-extern void printsaprop0 __P((const int, const struct saprop *));
-extern void printsaproto __P((const int, const struct saproto *));
-extern void printsatrns __P((const int, const int, const struct satrns *));
-extern void print_proppair0 __P((int, struct prop_pair *, int));
-extern void print_proppair __P((int, struct prop_pair *));
-extern int set_proposal_from_policy __P((struct ph2handle *,
- struct secpolicy *, struct secpolicy *));
-extern int set_proposal_from_proposal __P((struct ph2handle *));
diff --git a/kame/kame/racoon/racoon.8 b/kame/kame/racoon/racoon.8
deleted file mode 100644
index 7c52ad69d9..0000000000
--- a/kame/kame/racoon/racoon.8
+++ /dev/null
@@ -1,143 +0,0 @@
-.\" $KAME: racoon.8,v 1.31 2003/06/16 08:39:18 itojun Exp $
-.\"
-.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\" 3. Neither the name of the project nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\" -.Dd November 20, 2000 -.Dt RACOON 8 -.Os KAME -.\" -.Sh NAME -.Nm racoon -.Nd IKE (ISAKMP/Oakley) key management daemon -.\" -.Sh SYNOPSIS -.Nm racoon -.Bk -words -.Op Fl BdFv46 -.Ek -.Bk -words -.Op Fl f Ar configfile -.Ek -.Bk -words -.Op Fl l Ar logfile -.Ek -.Bk -words -.Op Fl p Ar isakmp-port -.Ek -.\" -.Sh DESCRIPTION -.Nm -speaks IKE -.Pq ISAKMP/Oakley -key management protocol, -to establish security association with other hosts. -SPD -.Pq Security Policy Database -in the kernel usually triggers to start -.Nm racoon . -.Nm racoon -usually sends all of informational messages, warnings and error messages to -.Xr syslogd 8 -with the facility LOG_DAEMON, the priority LOG_INFO. -Debugging messages are sent with the priority LOG_DEBUG. -You should configure -.Xr syslog.conf 5 -appropriately to see these messages. -.Bl -tag -width Ds -.It Fl B -Install SA(s) from the file which is specified in -.Xr racoon.conf 5 . -.It Fl d -Increase the debug level. -Multiple -.Fl d -will increase the debug level even more. -.It Fl F -Run -.Nm racoon -in the foreground. -.It Fl f Ar configfile -Use -.Ar configfile -as the configuration file instead of the default. -.It Fl l Ar logfile -Use -.Ar logfile -as the logging file instead of -.Xr syslogd 8 . -.It Fl p Ar isakmp-port -Listen to ISAKMP key exchange on port -.Ar isakmp-port -instead of the default port number, 500. -.It Fl v -The flag causes the packet dump be more verbose, with higher debugging level. -.It Fl 4 -.It Fl 6 -Specifies the default address family for the sockets. -.El -.Pp -.Nm -assumes the presence of kernel random number device -.Xr rnd 4 -at -.Pa /dev/urandom . -Informational messages are labeled -.Em info , -and debugging messages are labeled -.Em debug . -You have to configure -.Xr syslog.conf 5 -if you want to see them in a logging file. -.\" -.Sh RETURN VALUES -The command exits with 0 on success, and non-zero on errors. 
-.\" -.Sh FILES -.Bl -tag -width /usr/local/v6/etc/racoon.conf -compact -.It Pa /usr/local/v6/etc/racoon.conf -default configuration file. -.El -.\" -.Sh SEE ALSO -.Xr ipsec 4 , -.Xr racoon.conf 5 , -.Xr syslog.conf 5 , -.Xr setkey 8 , -.Xr syslogd 8 -.\" -.Sh HISTORY -The -.Nm -command first appeared in -.Dq YIPS -Yokogawa IPsec implementation. -.\" -.Sh SECURITY CONSIDERATIONS -The use of IKE phase 1 aggressive mode is not recommended, -as describved in -.Li http://www.kb.cert.org/vuls/id/886601 . diff --git a/kame/kame/racoon/racoon.conf.5 b/kame/kame/racoon/racoon.conf.5 deleted file mode 100644 index b79334b5ce..0000000000 --- a/kame/kame/racoon/racoon.conf.5 +++ /dev/null 
@@ -1,739 +0,0 @@ -.\" $KAME: racoon.conf.5,v 1.109 2003/12/17 01:43:57 itojun Exp $ -.\" -.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" 3. Neither the name of the project nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.Dd November 20, 2000 -.Dt RACOON.CONF 5 -.Os KAME -.\" -.Sh NAME -.Nm racoon.conf -.Nd configuration file for racoon -.\" -.\" .Sh SYNOPSIS -.\" -.Sh DESCRIPTION -.Nm -is the configuration file for the -.Xr racoon 8 -ISAKMP daemon. 
-.Xr racoon 8 -negotiates security associations for itself (ISAKMP SA, or phase 1 SA) -and for kernel IPsec (IPsec SA, or phase 2 SA). -The file consists of a sequence of directives and statements. -Each directive is composed by a tag, and statements are enclosed by -.Ql { -and -.Ql } . -Lines beginning with -.Ql # -are comments. -.\" -.Ss Meta Syntax -Keywords and special characters that the parser expects exactly are -displayed using -.Ic this -font. -Parameters are specified with -.Ar this -font. -Square brackets -.Po -.Ql \&[ -and -.Ql \&] -.Pc -are used to show optional keywords and parameters. -Note that -you have to pay attention when this manual is describing -.Ar port -numbers. -The -.Ar port -number is always enclosed by -.Ql \&[ -and -.Ql \&] . -In this case, the port number is not an optional keyword. -If it is possible to omit -.Ar port -number, -the expression becomes -.Bq Bq Ar port . -The vertical bar -.Pq Ql \*(Ba -is used to indicate -a choice between optional parameters. -Parentheses -.Po -.Ql \&( -and -.Ql \&) -.Pc -are used to group keywords and parameters when necessary. -Major parameters are listed below. -.Pp -.Bl -tag -width addressx -compact -.It Ar number -means a hexadecimal or a decimal number. -The former must be prefixed with -.Ql Li 0x . -.It Ar string -.It Ar path -.It Ar file -means any string enclosed in -.Ql \&" -.Pq double quote . -.It Ar address -means IPv6 and/or IPv4 address. -.It Ar port -means a TCP/UDP port number. -The port number is always enclosed by -.Ql \&[ -and -.Ql \&] . -.It Ar timeunit -is one of following: -.Ic sec , secs , second , seconds , -.Ic min , mins , minute , minutes , -.Ic hour , hours . -.El -.\" -.Ss Path Specification -.Bl -tag -width Ds -compact -.It Ic path include Ar path ; -specifies a path to include a file. -See -.Sx File Inclusion . -.It Ic path pre_shared_key Ar file ; -specifies a file containing pre-shared key(s) for various ID(s). -See -.Sx Pre-shared key File . 
-.It Ic path certificate Ar path ; -.Xr racoon 8 -will search this directory if a certificate or certificate request is received. -.It Ic path backupsa Ar file ; -specifies a file to be stored a SA information which is negotiated by racoon. -.Xr racoon 8 -will install SA(s) from the file with a boot option -.Fl B . -The file is increasing because -.Xr racoon 8 -simply add a SA to the file at the moment. -You should maintain the file manually. -.El -.\" -.Ss File Inclusion -.Bl -tag -width Ds -compact -.It Ic include Ar file -other configuration files can be included. -.El -.\" -.Ss Identifier Specification -is obsolete. -It must be defined at each -.Ic remote -directive. -.\" -.Ss Timer Specification -.Bl -tag -width Ds -compact -.It Ic timer { Ar statements Ic } -specifies various timer values. -.Pp -.Bl -tag -width Ds -compact -.It Ic counter Ar number ; -the maximum number of retries to send. -The default is 5. -.It Ic interval Ar number Ar timeunit ; -the interval to resend, in seconds. -The default time is 10 seconds. -.It Ic persend Ar number ; -the number of packets per send. -The default is 1. -.It Ic phase1 Ar number Ar timeunit ; -the maximum time it should take to complete phase 1. -The default time is 15 seconds. -.It Ic phase2 Ar number Ar timeunit ; -the maximum time it should take to complete phase 2. -The default time is 10 seconds. -.El -.El -.\" -.Ss Listening Port Specification -.Bl -tag -width Ds -compact -.It Ic listen { Ar statements Ic } -If no -.Ar listen -directive is specified, -.Xr racoon 8 -will listen on all of the available interface addresses. -The following is the list of valid statements: -.Pp -.Bl -tag -width Ds -compact -.\" How do I express bold brackets; `[' and `]' . -.\" Is the "Bq Ic [ Ar port ] ;" buggy ? -.It Ic isakmp Ar address Bq Bq Ar port ; -If this is specified, -.Xr racoon 8 -will only listen on -.Ar address . -The default port is 500, which is specified by IANA. -You can provide more than one address definition. 
-.It Ic strict_address ; -require that all addresses for ISAKMP must be bound. -This statement will be ignored if you do not specify any addresses. -.El -.El -.\" -.Ss Remote Nodes Specifications -.Bl -tag -width Ds -compact -.It Xo -.Ic remote ( Ar address \*(Ba Ic anonymous ) -.Bq Bq Ar port -.Ic { Ar statements Ic } -.Xc -specifies the parameters for IKE phase 1 for each remote node. -The default port is 500. -If -.Ic anonymous -is specified, the statements apply to all peers which do not match -any other -.Ic remote -directive. -.Pp -The following are valid statements. -.Pp -.Bl -tag -width Ds -compact -.\" -.It Ic exchange_mode ( main \*(Ba aggressive \*(Ba base ) ; -defines the exchange mode for phase 1 when racoon is the initiator. -Also it means the acceptable exchange mode when racoon is responder. -More than one mode can be specified by separating them with a comma. -All of the modes are acceptable. -The first exchange mode is what racoon uses when it is the initiator. -.\" -.It Ic doi Ic ipsec_doi ; -means to use IPsec DOI as specified RFC 2407. -You can omit this statement. -.\" -.It Ic situation Ic identity_only ; -means to use SIT_IDENTITY_ONLY as specified RFC 2407. -You can omit this statement. -.\" -.It Ic identifier Ar idtype ; -is obsolete. -Instead, use -.Ic my_identifier . -.\" -.It Ic my_identifier Ar idtype ... ; -specifies the identifier sent to the remote host -and the type to use in the phase 1 negotiation. -.Ic address, fqdn , user_fqdn , keyid and asn1dn -can be used as an -.Ar idtype . -they are used like: -.Bl -tag -width Ds -compact -.It Ic my_identifier Ic address Bq Ar address ; -the type is the IP address. -This is the default type if you do not specify an identifier to use. -.It Ic my_identifier Ic user_fqdn Ar string ; -the type is a USER_FQDN (user fully-qualified domain name). -.It Ic my_identifier Ic fqdn Ar string ; -the type is a FQDN (fully-qualified domain name). 
-.It Ic my_identifier Ic keyid Ar file ; -the type is a KEY_ID. -.It Ic my_identifier Ic asn1dn Bq Ar string ; -the type is an ASN.1 distinguished name. -If -.Ar string -is omitted, -.Xr racoon 8 -will get DN from Subject field in the certificate. -.El -.\" -.It Ic peers_identifier Ar idtype ... ; -specifies the peer's identifier to be received. -If it is not defined then -.Xr racoon 8 -will not verify the peer's identifier in ID payload transmitted from the peer. -If it is defined, the behavior of the verification depends on the flag of -.Ic verify_identifier . -The usage of -.Ar idtype -is same to -.Ic my_identifier . -.\" -.It Ic verify_identifier (on \(ba off) ; -If you want to verify the peer's identifier, -set this to on. -In this case, if the value defined by -.Ic peers_identifier -is not same to the peer's identifier in the ID payload, -the negotiation will failed. -The default is off. -.\" -.It Ic certificate_type Ar certspec ; -specifies a certificate specification. -.Ar certspec -is one of followings: -.Bl -tag -width Ds -compact -.It Ic x509 Ar certfile Ar privkeyfile ; -.Ar certfile -means a file name of certificate. -.Ar privkeyfile -means a file name of secret key. -.El -.\" -.It Ic peers_certfile ( dnssec \*(Ba Ar certfile ) ; -If -.Ic dnssec -is defined, -.Xr racoon 8 -will ignore the CERT payload from the peer, -and try to get the peer's certificate from DNS instead. -If -.Ar certfile -is defined, -.Xr racoon 8 -will ignore the CERT payload from the peer, -and will use this certificate as the peer's certificate. -.\" -.It Ic send_cert (on \(ba off) ; -If you do not want to send a certificate for some reason, set this to off. -The default is on. -.\" -.It Ic send_cr (on \(ba off) ; -If you do not want to send a certificate request for some reason, set this to off. -The default is on. -.\" -.It Ic verify_cert (on \(ba off) ; -If you do not want to verify the peer's certificate for some reason, -set this to off. -The default is on. 
-.\" -.It Ic lifetime time Ar number Ar timeunit ; -define a lifetime of a certain time -which will be proposed in the phase 1 negotiations. -Any proposal will be accepted, and the attribute(s) will be not proposed to -the peer if you do not specify it(them). -They can be individually specified in each proposal. -.\" -.It Ic initial_contact (on \(ba off) ; -enable this to send an INITIAL-CONTACT message. -The default value is -.Ic on . -This message is useful only when -the implementation of the responder choices an old SA when there are multiple -SAs which are different established time, and the initiator reboots. -If racoon did not use the message, -the responder would use an old SA even when an new SA was established. -The KAME stack has the switch in the system wide value, -net.key.preferred_oldsa. -when the value is zero, the stack always use an new SA. -.\" -.It Ic passive (on \(ba off) ; -If you do not want to initiate the negotiation, set this to on. -The default value is -.Ic off . -It is useful for a server. -.\" -.It Ic proposal_check Ar level ; -specifies the action of lifetime length and PFS of the phase 2 -selection on the responder side. -The default level is -.Ic strict . -If the -.Ar level -is; -.Bl -tag -width Ds -compact -.It Ic obey -the responder will obey the initiator anytime. -.It Ic strict -If the responder's length is longer than the initiator's one, the -responder uses the initiator's one. -Otherwise it rejects the proposal. -If PFS is not required by the responder, the responder will obey the proposal. -If PFS is required by both sides and if the responder's group is not equal to -the initiator's one, then the responder will reject the proposal. -.It Ic claim -If the responder's length is longer than the initiator's one, the -responder will use the initiator's one. 
-If the responder's length is -shorter than the initiator's one, the responder uses its own length -AND sends a RESPONDER-LIFETIME notify message to an initiator in the -case of lifetime. -About PFS, this directive is same as -.Ic strict . -.It Ic exact -If the initiator's length is not equal to the responder's one, the -responder will reject the proposal. -If PFS is required by both sides and if the responder's group is not equal to -the initiator's one, then the responder will reject the proposal. -.El -.\" -.It Ic support_proxy (on \(ba off) ; -If this value is set on then both values of ID payloads in phase 2 exchange -are always used as the addresses of end-point of IPsec-SAs. -The default is off. -.\" -.It Ic generate_policy (on \(ba off) ; -This directive is for the responder. -Therefore you should set -.Ic passive -on in order that -.Xr racoon 8 -only becomes a responder. -If the responder does not have any policy in SPD during phase 2 negotiation, -and the directive is set on, then -.Xr racoon 8 -will choice the first proposal in the -SA payload from the initiator, and generate policy entries from the proposal. -It is useful to negotiate with the client which is allocated IP address -dynamically. -Note that inappropriate policy might be installed into the responder's SPD -by the initiator. -So that other communication might fail if such policies installed -due to some policy mismatches between the initiator and the responder. -This directive is ignored in the initiator case. -The default value is -.Ic off . -.\" -.It Ic nonce_size Ar number ; -define the byte size of nonce value. -Racoon can send any value although -RFC2409 specifies that the value MUST be between 8 and 256 bytes. -The default size is 16 bytes. -.\" -.It Xo -.Ic proposal { Ar sub-substatements Ic } -.Xc -.Bl -tag -width Ds -compact -.\" -.It Ic encryption_algorithm Ar algorithm ; -specify the encryption algorithm used for the phase 1 negotiation. -This directive must be defined. 
-.Ar algorithm -is one of following: -.Ic des , 3des , blowfish , cast128 -.\".Ic rc5 , idea -for oakley. -For other transforms, this statement should not be used. -.\" -.It Ic hash_algorithm Ar algorithm ; -define the hash algorithm used for the phase 1 negotiation. -This directive must be defined. -.Ar algorithm -is one of following: -.Ic md5, sha1 -for oakley. -.\" -.It Ic authentication_method Ar type ; -defines the authentication method used for the phase 1 negotiation. -This directive must be defined. -.Ar type -is one of: -.Ic pre_shared_key, rsasig , gssapi_krb . -.\" -.It Ic dh_group Ar group ; -define the group used for the Diffie-Hellman exponentiations. -This directive must be defined. -.Ar group -is one of following: -.Ic modp768 , modp1024 , modp1536 , -.Ic modp2048 , modp3072 , modp4096 , -.Ic modp6144 , modp8192 . -Or you can define 1, 2, 5, 14, 15, 16, 17 or 18 as the DH group number. -When you want to use aggressive mode, -you must define same DH group in each proposal. -.It Ic lifetime time Ar number Ar timeunit ; -define lifetime of the phase 1 SA proposal. -Refer to the description of -.Ic lifetime -directive immediately defined in -.Ic remote -directive. -.It Ic gssapi_id Ar string ; -define the GSS-API endpoint name, to be included as an attribute in the SA, -if the -.Ic gssapi_krb -authentication method is used. If this is not defined, the default value of -.Ql ike/hostname -is used, where hostname is the FQDN of the interface being used. -.El -.El -.El -.\" -.Ss Policy Specifications -The policy directive is obsolete, policies are now in the SPD. -.Xr racoon 8 -will obey the policy configured into the kernel by -.Xr setkey 8 , -and will construct phase 2 proposals by combining -.Ic sainfo -specifications in -.Nm Ns , -and policies in the kernel. 
-.\" -.Ss Sainfo Specifications -.Bl -tag -width Ds -compact -.It Xo -.Ic sainfo ( Ar source_id destination_id \*(Ba Ic anonymous ) -.Ic { Ar statements Ic } -.Xc -defines the parameters of the IKE phase 2 (IPsec-SA establishment). -.Ar source_id -and -.Ar destination_id -are constructed like: -.Pp -.Ic address Ar address -.Bq Ic / Ar prefix -.Bq Ic [ Ar port ] -.Ar ul_proto -.Pp -or -.Pp -.Ar idtype Ar string -.Pp -It means exactly the content of ID payload. -This is not like a filter rule. -For example, if you define 3ffe:501:4819::/48 as -.Ar source_id . -3ffe:501:4819:1000:/64 will not match. -.Pp -.Bl -tag -width Ds -compact -.\" -.It Ic pfs_group Ar group ; -define the group of Diffie-Hellman exponentiations. -If you do not require PFS then you can omit this directive. -Any proposal will be accepted if you do not specify one. -.Ar group -is one of following: -.Ic modp768 , modp1024 , modp1536 , -.Ic modp2048 , modp3072 , modp4096 , -.Ic modp6144 , modp8192 . -Or you can define 1, 2, 5, 14, 15, 16, 17 or 18 as the DH group number. -.\" -.It Ic lifetime time Ar number Ar timeunit ; -define the lifetime of amount of time -which are to be used IPsec-SA. -Any proposal will be accepted, and no attribute(s) will be proposed to -the peer if you do not specify it(them). -See the -.Ic proposal_check -directive. -.\" -.It Ic my_identifier Ar idtype ... ; -is obsolete. -It does not make sense to specify a identifier in the phase 2. -.El -.\" -.Pp -.Xr racoon 8 -does not have the list of security protocols to be negotiated. -The list of security protocols are passed by SPD in the kernel. -Therefore you have to define all of the potential algorithms -in the phase 2 proposals even if there is a algorithm which will not be used. -These algorithms are define by using the following three directives, -and they are lined with single comma as the separator. 
-For algorithms that can take variable-length keys, algorithm names -can be followed by a key length, like -.Dq Li blowfish 448 . -.Xr racoon 8 -will compute the actual phase 2 proposals by computing -the permutation of the specified algorithms, -and then combining them with the security protocol specified by the SPD. -For example, if -.Ic des , 3des , hmac_md5 , -and -.Ic hmac_sha1 -are specified as algorithms, we have four combinations for use with ESP, -and two for AH. -Then, based on the SPD settings, -.Xr racoon 8 -will construct the actual proposals. -If the SPD entry asks for ESP only, there will be 4 proposals. -If it asks for both AH and ESP, there will be 8 proposals. -Note that the kernel may not support the algorithm you have specified. -.\" -.Bl -tag -width Ds -compact -.It Ic encryption_algorithm Ar algorithms ; -.Ic des , 3des , des_iv64 , des_iv32 , -.Ic rc5 , rc4 , idea , 3idea , -.Ic cast128 , blowfish , null_enc , -.Ic twofish , rijndael -.Pq used with ESP -.\" -.It Ic authentication_algorithm Ar algorithms ; -.Ic des , 3des , des_iv64 , des_iv32 , -.Ic hmac_md5 , hmac_sha1 , non_auth -.Pq used with ESP authentication and AH -.\" -.It Ic compression_algorithm Ar algorithms ; -.Ic deflate -.Pq used with IPComp -.El -.El -.\" -.Ss Logging level -.Bl -tag -width Ds -compact -.It Ic log Ar level ; -define logging level. -.Ar level -is one of following: -.Ic notify , debug -and -.Ic debug2 . -The default is -.Ic notify . -If you put too high logging level on slower machines, -IKE negotiation can fail due to timing constraint changes. -.El -.\" -.Ss Specifying the way to pad -.Bl -tag -width Ds -compact -.It Ic padding { Ar statements Ic } -specified padding format. -The following are valid statements: -.Bl -tag -width Ds -compact -.It Ic randomize (on \(ba off) ; -enable using a randomized value for padding. -The default is on. -.It Ic randomize_length (on \(ba off) ; -the pad length is random. -The default is off. 
-.It Ic maximum_length Ar number ; -define a maximum padding length. -If -.Ic randomize_length -is off, this is ignored. -The default is 20 bytes. -.It Ic exclusive_tail (on \(ba off) ; -means to put the number of pad bytes minus one into last part of the padding. -The default is on. -.It Ic strict_check (on \(ba off) ; -means to be constrained the peer to set the number of pad bytes. -The default is off. -.El -.El -.Ss Special directives -.Bl -tag -width Ds -compact -.It Ic complex_bundle (on \(ba off) ; -defines the interpretation of proposal in the case of SA bundle. -Normally -.Dq IP AH ESP IP payload -is proposed as -.Dq AH tunnel and ESP tunnel . -The interpretation is more common to other IKE implementations, however, -it allows very limited set of combinations for proposals. -With the option enabled, it will be proposed as -.Dq AH transport and ESP tunnel . -The default value is -.Ic off . -.El -.\" -.Ss Pre-shared key File -Pre-shared key file defines a pair of the identifier and the shared secret key -which are used at Pre-shared key authentication method in phase 1. -The pair in each lines are separated by some number of blanks and/or tab -characters like -.Xr hosts 5 . -Key can be included any blanks because all of the words after 2nd column -are interpreted as a secret key. -Lines start with -.Ql # -are ignored. -Keys which start with -.Ql 0x -are hexa-decimal strings. -Note that the file must be owned by the user ID running -.Xr racoon 8 -.Pq usually the privileged user , -and must not be accessible by others. -.\" -.Sh EXAMPLES -The following shows how the remote directive should be configured. 
-.Bd -literal -offset -path pre_shared_key "/usr/local/v6/etc/psk.txt" ; -remote anonymous -{ - exchange_mode aggressive,main,base; - lifetime time 24 hour; - proposal { - encryption_algorithm 3des; - hash_algorithm sha1; - authentication_method pre_shared_key; - dh_group 2; - } -} - -sainfo anonymous -{ - pfs_group 2; - lifetime time 12 hour ; - encryption_algorithm 3des, blowfish 448, twofish, rijndael ; - authentication_algorithm hmac_sha1, hmac_md5 ; - compression_algorithm deflate ; -} -.Ed -.Pp -The following is a sample of the file defined pre-shared key. -.Bd -literal -offset -10.160.94.3 mekmitasdigoat -172.16.1.133 0x12345678 -194.100.55.1 whatcertificatereally -3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat -3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat -foo@kame.net mekmitasdigoat -foo.kame.net hoge -.Ed -.\" -.Sh SEE ALSO -.\".Xr racoonctl 8 , -.Xr racoon 8 , -.Xr setkey 8 -.\" -.Sh HISTORY -The -.Nm -configuration file first appeared in -.Dq YIPS -Yokogawa IPsec implementation. -.\" -.Sh BUGS -Some statements may not be handled by -.Xr racoon 8 -yet. -.Pp -Diffie-Hellman computation can take a very long time, -and may cause unwanted timeouts, specifically when large D-H group is used. -.\" -.Sh SECURITY CONSIDERATIONS -The use of IKE phase 1 aggressive mode is not recommended, -as describved in -.Li http://www.kb.cert.org/vuls/id/886601 . diff --git a/kame/kame/racoon/remoteconf.c b/kame/kame/racoon/remoteconf.c deleted file mode 100644 index 7bef03cfa3..0000000000 --- a/kame/kame/racoon/remoteconf.c +++ /dev/null 
@@ -1,317 +0,0 @@ -/* $KAME: remoteconf.c,v 1.30 2003/06/27 07:32:39 sakane Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include -#include -#include -#include - -#include -#include - -#ifdef IPV6_INRIA_VERSION -#include -#else -#include -#endif - -#include -#include -#include -#include - -#include "var.h" -#include "misc.h" -#include "vmbuf.h" -#include "plog.h" -#include "sockmisc.h" -#include "debug.h" - -#include "isakmp_var.h" -#include "isakmp.h" -#include "ipsec_doi.h" -#include "oakley.h" -#include "remoteconf.h" -#include "localconf.h" -#include "grabmyaddr.h" -#include "proposal.h" -#include "vendorid.h" -#include "gcmalloc.h" - -static LIST_HEAD(_rmtree, remoteconf) rmtree; - -/*%%%*/ -/* - * search remote configuration. - * don't use port number to search if its value is either IPSEC_PORT_ANY. - * If matching anonymous entry, then new entry is copied from anonymous entry. - * If no anonymous entry found, then return NULL. - * OUT: NULL: NG - * Other: remote configuration entry. - */ -struct remoteconf * -getrmconf(remote) - struct sockaddr *remote; -{ - struct remoteconf *p; - struct remoteconf *anon = NULL; - int withport; - char buf[NI_MAXHOST + NI_MAXSERV + 10]; - char addr[NI_MAXHOST], port[NI_MAXSERV]; - - withport = 0; - - switch (remote->sa_family) { - case AF_INET: - if (((struct sockaddr_in *)remote)->sin_port != IPSEC_PORT_ANY) - withport = 1; - break; -#ifdef INET6 - case AF_INET6: - if (((struct sockaddr_in6 *)remote)->sin6_port != IPSEC_PORT_ANY) - withport = 1; - break; -#endif - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid family: %d\n", remote->sa_family); - exit(1); - } - - GETNAMEINFO(remote, addr, port); - snprintf(buf, sizeof(buf), "%s%s%s%s", addr, - withport ? "[" : "", - withport ? port : "", - withport ? 
"]" : ""); - - LIST_FOREACH(p, &rmtree, chain) { - if ((!withport && cmpsaddrwop(remote, p->remote) == 0) - || (withport && cmpsaddrstrict(remote, p->remote) == 0)) { - plog(LLV_DEBUG, LOCATION, NULL, - "configuration found for %s.\n", buf); - return p; - } - - /* save the pointer to the anonymous configuration */ - if (p->remote->sa_family == AF_UNSPEC) - anon = p; - } - - if (anon != NULL) { - plog(LLV_DEBUG, LOCATION, NULL, - "anonymous configuration selected for %s.\n", buf); - return anon; - } - - plog(LLV_DEBUG, LOCATION, NULL, - "no remote configuration found.\n"); - return NULL; -} - -struct remoteconf * -newrmconf() -{ - struct remoteconf *new; - - new = racoon_calloc(1, sizeof(*new)); - if (new == NULL) - return NULL; - - new->proposal = NULL; - - /* set default */ - new->doitype = IPSEC_DOI; - new->sittype = IPSECDOI_SIT_IDENTITY_ONLY; - new->idvtype = IDTYPE_ADDRESS; - new->idvtype_p = IDTYPE_ADDRESS; - new->nonce_size = DEFAULT_NONCE_SIZE; - new->keepalive = FALSE; - new->passive = FALSE; - new->ini_contact = TRUE; - new->pcheck_level = PROP_CHECK_STRICT; - new->verify_identifier = FALSE; - new->verify_cert = TRUE; - new->getcert_method = ISAKMP_GETCERT_PAYLOAD; - new->send_cert = TRUE; - new->send_cr = TRUE; - new->support_proxy = FALSE; - new->gen_policy = FALSE; - new->retry_counter = lcconf->retry_counter; - new->retry_interval = lcconf->retry_interval; - - return new; -} - -void -delrmconf(rmconf) - struct remoteconf *rmconf; -{ - if (rmconf->etypes) - deletypes(rmconf->etypes); - if (rmconf->dhgrp) - oakley_dhgrp_free(rmconf->dhgrp); - if (rmconf->proposal) - delisakmpsa(rmconf->proposal); - racoon_free(rmconf); -} - -void -delisakmpsa(sa) - struct isakmpsa *sa; -{ - if (sa->dhgrp) - oakley_dhgrp_free(sa->dhgrp); - if (sa->next) - delisakmpsa(sa->next); -#ifdef HAVE_GSSAPI - if (sa->gssid) - vfree(sa->gssid); -#endif - racoon_free(sa); -} - -void -deletypes(e) - struct etypes *e; -{ - if (e->next) - deletypes(e->next); - racoon_free(e); -} - -/* 
- * insert into head of list. - */ -void -insrmconf(new) - struct remoteconf *new; -{ - LIST_INSERT_HEAD(&rmtree, new, chain); -} - -void -remrmconf(rmconf) - struct remoteconf *rmconf; -{ - LIST_REMOVE(rmconf, chain); -} - -void -flushrmconf() -{ - struct remoteconf *p, *next; - - for (p = LIST_FIRST(&rmtree); p; p = next) { - next = LIST_NEXT(p, chain); - remrmconf(p); - delrmconf(p); - } -} - -void -initrmconf() -{ - LIST_INIT(&rmtree); -} - -/* check exchange type to be acceptable */ -struct etypes * -check_etypeok(rmconf, etype) - struct remoteconf *rmconf; - u_int8_t etype; -{ - struct etypes *e; - - for (e = rmconf->etypes; e != NULL; e = e->next) { - if (e->type == etype) - break; - } - - return e; -} - -/*%%%*/ -struct isakmpsa * -newisakmpsa() -{ - struct isakmpsa *new; - - new = racoon_calloc(1, sizeof(*new)); - if (new == NULL) - return NULL; - - /* - * Just for sanity, make sure this is initialized. This is - * filled in for real when the ISAKMP proposal is configured. - */ - new->vendorid = VENDORID_UNKNOWN; - - new->next = NULL; - new->rmconf = NULL; -#ifdef HAVE_GSSAPI - new->gssid = NULL; -#endif - - return new; -} - -/* - * insert into tail of list. - */ -void -insisakmpsa(new, rmconf) - struct isakmpsa *new; - struct remoteconf *rmconf; -{ - struct isakmpsa *p; - - new->rmconf = rmconf; - - if (rmconf->proposal == NULL) { - rmconf->proposal = new; - return; - } - - for (p = rmconf->proposal; p->next != NULL; p = p->next) - ; - p->next = new; - - return; -} - -const char * -rm2str(rmconf) - const struct remoteconf *rmconf; -{ - if (rmconf->remote->sa_family == AF_UNSPEC) - return "anonymous"; - return saddr2str(rmconf->remote); -} diff --git a/kame/kame/racoon/remoteconf.h b/kame/kame/racoon/remoteconf.h deleted file mode 100644 index 3542e0037f..0000000000 --- a/kame/kame/racoon/remoteconf.h +++ /dev/null 
@@ -1,122 +0,0 @@ -/* $KAME: remoteconf.h,v 1.28 2003/06/27 07:32:39 sakane Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* remote configuration */ - -#include - -struct etypes { - int type; - struct etypes *next; -}; - -struct remoteconf { - struct sockaddr *remote; /* remote IP address */ - /* if family is AF_UNSPEC, that is - * for anonymous configuration. */ - - struct etypes *etypes; /* exchange type list. 
the head - * is a type to be sent first. */ - int doitype; /* doi type */ - int sittype; /* situation type */ - - int idvtype; /* my identifier type */ - vchar_t *idv; /* my identifier */ - int idvtype_p; /* peer's identifier type */ - vchar_t *idv_p; /* peer's identifier */ - - int certtype; /* certificate type if need */ - char *mycertfile; /* file name of my certificate */ - char *myprivfile; /* file name of my private key file */ - char *peerscertfile; /* file name of peer's certifcate */ - int getcert_method; /* the way to get peer's certificate */ - int send_cert; /* send to CERT or not */ - int send_cr; /* send to CR or not */ - int verify_cert; /* verify a CERT strictly */ - int verify_identifier; /* vefify the peer's identifier */ - int nonce_size; /* the number of bytes of nonce */ - int keepalive; /* XXX may not use */ - int passive; /* never initiate */ - int support_proxy; /* support mip6/proxy */ - int gen_policy; /* generate policy if no policy found */ - int ini_contact; /* initial contact */ - int pcheck_level; /* level of propocl checking */ - - int dh_group; /* use it when only aggressive mode */ - struct dhgroup *dhgrp; /* use it when only aggressive mode */ - /* avobe two cann't be defined by user*/ - - int retry_counter; /* times to retry. */ - int retry_interval; /* interval each retry. */ - /* above 2 values are copied from localconf. 
*/ - - struct isakmpsa *proposal; /* proposal list */ - LIST_ENTRY(remoteconf) chain; /* next remote conf */ -}; - -struct dhgroup; - -/* ISAKMP SA specification */ -struct isakmpsa { - int prop_no; - int trns_no; - time_t lifetime; - int lifebyte; - int enctype; - int encklen; - int authmethod; - int hashtype; - int vendorid; -#ifdef HAVE_GSSAPI - vchar_t *gssid; -#endif - int dh_group; /* don't use it if aggressive mode */ - struct dhgroup *dhgrp; /* don't use it if aggressive mode */ - - struct isakmpsa *next; /* next transform */ - struct remoteconf *rmconf; /* backpointer to remoteconf */ -}; - -struct remoteconf *getrmconf __P((struct sockaddr *)); -extern struct remoteconf *newrmconf __P((void)); -extern void delrmconf __P((struct remoteconf *)); -extern void delisakmpsa __P((struct isakmpsa *)); -extern void deletypes __P((struct etypes *)); -extern void insrmconf __P((struct remoteconf *)); -extern void remrmconf __P((struct remoteconf *)); -extern void flushrmconf __P((void)); -extern void initrmconf __P((void)); -extern struct etypes *check_etypeok - __P((struct remoteconf *, u_int8_t)); - -extern struct isakmpsa *newisakmpsa __P((void)); -extern void insisakmpsa __P((struct isakmpsa *, struct remoteconf *)); -extern const char *rm2str __P((const struct remoteconf *)); diff --git a/kame/kame/racoon/safefile.c b/kame/kame/racoon/safefile.c deleted file mode 100644 index 19dd9fbe22..0000000000 --- a/kame/kame/racoon/safefile.c +++ /dev/null 
@@ -1,89 +0,0 @@
-/* $KAME: safefile.c,v 1.5 2001/03/05 19:54:06 thorpej Exp $ */
-
-/*
- * Copyright (C) 2000 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include
-#include
-#include
-#include
-#include
-
-#include "plog.h"
-#include "debug.h"
-#include "misc.h"
-#include "safefile.h"
-
-int
-safefile(path, secret)
- const char *path;
- int secret;
-{
- struct stat s;
- uid_t me;
-
- /* no setuid */
- if (getuid() != geteuid()) {
- plog(LLV_ERROR, LOCATION, NULL,
- "setuid'ed execution not allowed\n");
- return -1;
- }
-
- if (stat(path, &s) != 0)
- return -1;
-
- /* the file must be owned by the running uid */
- me = getuid();
- if (s.st_uid != me) {
- plog(LLV_ERROR, LOCATION, NULL,
- "%s has invalid owner uid\n", path);
- return -1;
- }
-
- switch (s.st_mode & S_IFMT) {
- case S_IFREG:
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "%s is an invalid file type 0x%x\n", path,
- (s.st_mode & S_IFMT));
- return -1;
- }
-
- /* secret file should not be read by others */
- if (secret) {
- if ((s.st_mode & S_IRWXG) != 0 || (s.st_mode & S_IRWXO) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "%s has weak file permission\n", path);
- return -1;
- }
- }
-
- return 0;
-}
diff --git a/kame/kame/racoon/safefile.h b/kame/kame/racoon/safefile.h
deleted file mode 100644
index aa61ecbbe7..0000000000
--- a/kame/kame/racoon/safefile.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/* $KAME: safefile.h,v 1.2 2000/09/13 04:50:28 itojun Exp $ */
-
-/* $KAME: safefile.h,v 1.2 2000/09/13 04:50:28 itojun Exp $ */
-
-/*
- * Copyright (C) 2000 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-extern int safefile __P((const char *, int));
diff --git a/kame/kame/racoon/sainfo.c b/kame/kame/racoon/sainfo.c
deleted file mode 100644
index f290f7a481..0000000000
--- a/kame/kame/racoon/sainfo.c
+++ /dev/null
@@ -1,244 +0,0 @@ -/* $KAME: sainfo.c,v 1.17 2005/02/07 04:19:45 sakane Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include -#include -#include -#include - -#include -#include -#include - -#include -#include -#include -#include - -#include "var.h" -#include "misc.h" -#include "vmbuf.h" -#include "plog.h" -#include "sockmisc.h" -#include "debug.h" - -#include "localconf.h" -#include "isakmp_var.h" -#include "isakmp.h" -#include "ipsec_doi.h" -#include "oakley.h" -#include "handler.h" -#include "algorithm.h" -#include "sainfo.h" -#include "gcmalloc.h" - -static LIST_HEAD(_sitree, sainfo) sitree; - -/* %%% - * modules for ipsec sa info - */ -/* - * return matching entry. - * no matching entry found and if there is anonymous entry, return it. - * else return NULL. - * XXX by each data type, should be changed to compare the buffer. - * First pass is for sainfo from a specified peer, second for others. - */ -struct sainfo * -getsainfo(src, dst, peer) - const vchar_t *src, *dst, *peer; -{ - struct sainfo *s = NULL; - struct sainfo *anonymous = NULL; - int pass = 1; - - if (peer == NULL) - pass = 2; - again: - LIST_FOREACH(s, &sitree, chain) { - if (s->id_i != NULL) { - if (pass == 2) - continue; - if (memcmp(peer->v + 4, s->id_i->v + 4, s->id_i->l - 4) != 0) - continue; - } else if (pass == 1) - continue; - if (s->idsrc == NULL) { - anonymous = s; - continue; - } - - /* anonymous ? 
*/ - if (src == NULL) { - if (anonymous != NULL) - break; - continue; - } - - if (memcmp(src->v, s->idsrc->v, s->idsrc->l) == 0 - && memcmp(dst->v, s->iddst->v, s->iddst->l) == 0) - return s; - } - - if (anonymous) { - plog(LLV_DEBUG, LOCATION, NULL, - "anonymous sainfo selected.\n"); - } else if (pass == 1) { - pass = 2; - goto again; - } - - return anonymous; -} - -struct sainfo * -newsainfo() -{ - struct sainfo *new; - - new = racoon_calloc(1, sizeof(*new)); - if (new == NULL) - return NULL; - - new->lifetime = IPSECDOI_ATTR_SA_LD_SEC_DEFAULT; - new->lifebyte = IPSECDOI_ATTR_SA_LD_KB_MAX; - - return new; -} - -void -delsainfo(si) - struct sainfo *si; -{ - int i; - - for (i = 0; i < MAXALGCLASS; i++) - delsainfoalg(si->algs[i]); - - if (si->idsrc) - vfree(si->idsrc); - if (si->iddst) - vfree(si->iddst); - - racoon_free(si); -} - -void -inssainfo(new) - struct sainfo *new; -{ - LIST_INSERT_HEAD(&sitree, new, chain); -} - -void -remsainfo(si) - struct sainfo *si; -{ - LIST_REMOVE(si, chain); -} - -void -flushsainfo() -{ - struct sainfo *s, *next; - - for (s = LIST_FIRST(&sitree); s; s = next) { - next = LIST_NEXT(s, chain); - remsainfo(s); - delsainfo(s); - } -} - -void -initsainfo() -{ - LIST_INIT(&sitree); -} - -struct sainfoalg * -newsainfoalg() -{ - struct sainfoalg *new; - - new = racoon_calloc(1, sizeof(*new)); - if (new == NULL) - return NULL; - - return new; -} - -void -delsainfoalg(alg) - struct sainfoalg *alg; -{ - struct sainfoalg *a, *next; - - for (a = alg; a; a = next) { - next = a->next; - racoon_free(a); - } -} - -void -inssainfoalg(head, new) - struct sainfoalg **head; - struct sainfoalg *new; -{ - struct sainfoalg *a; - - for (a = *head; a && a->next; a = a->next) - ; - if (a) - a->next = new; - else - *head = new; -} - -const char * -sainfo2str(si) - const struct sainfo *si; -{ - static char buf[256]; - - if (si->idsrc == NULL) - snprintf(buf, sizeof(buf), "anonymous"); - else { - snprintf(buf, sizeof(buf), "%s", ipsecdoi_id2str(si->idsrc)); - 
snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), - " %s", ipsecdoi_id2str(si->iddst)); - } - - if (si->id_i != NULL) - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), - " from %s", ipsecdoi_id2str(si->id_i)); - - return buf; -} diff --git a/kame/kame/racoon/sainfo.h b/kame/kame/racoon/sainfo.h deleted file mode 100644 index 015d4d0059..0000000000 --- a/kame/kame/racoon/sainfo.h +++ /dev/null 
@@ -1,71 +0,0 @@ -/* $KAME: sainfo.h,v 1.8 2003/06/27 07:32:39 sakane Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include - -/* SA info */ -struct sainfo { - vchar_t *idsrc; - vchar_t *iddst; - /* - * idsrc and iddst are constructed body of ID payload. - * that is (struct ipsecdoi_id_b) + ID value. - * If idsrc == NULL, that is anonymous entry. - */ - - time_t lifetime; - int lifebyte; - int pfs_group; /* only use when pfs is required. 
*/ - vchar_t *id_i; /* identifier of the authorized initiator */ - struct sainfoalg *algs[MAXALGCLASS]; - - LIST_ENTRY(sainfo) chain; -}; - -/* algorithm type */ -struct sainfoalg { - int alg; - int encklen; /* key length if encryption algorithm */ - struct sainfoalg *next; -}; - -extern struct sainfo *getsainfo __P((const vchar_t *, - const vchar_t *, const vchar_t *)); -extern struct sainfo *newsainfo __P((void)); -extern void delsainfo __P((struct sainfo *)); -extern void inssainfo __P((struct sainfo *)); -extern void remsainfo __P((struct sainfo *)); -extern void flushsainfo __P((void)); -extern void initsainfo __P((void)); -extern struct sainfoalg *newsainfoalg __P((void)); -extern void delsainfoalg __P((struct sainfoalg *)); -extern void inssainfoalg __P((struct sainfoalg **, struct sainfoalg *)); -extern const char * sainfo2str __P((const struct sainfo *)); diff --git a/kame/kame/racoon/samples/.cvsignore b/kame/kame/racoon/samples/.cvsignore deleted file mode 100644 index 971a5fcc05..0000000000 --- a/kame/kame/racoon/samples/.cvsignore +++ /dev/null @@ -1,5 +0,0 @@ -basic.conf -policy.conf -psk.txt -racoon.conf -sa.conf diff --git a/kame/kame/racoon/samples/Makefile b/kame/kame/racoon/samples/Makefile deleted file mode 100644 index 5781482533..0000000000 --- a/kame/kame/racoon/samples/Makefile +++ /dev/null 
@@ -1,31 +0,0 @@
-HOSTNAME!= /bin/hostname
-
-.if ${HOSTNAME} == "lychee.itojun.org"
-SRC= 206.175.160.20
-SRC6= 3ffe:501:410:ffff:200:86ff:fe05:80fa
-.elif ${HOSTNAME} == "cardamom.itojun.org"
-SRC= 206.175.160.21
-SRC6= 3ffe:501:410:ffff:210:4bff:fea2:8baa
-.endif
-
-TARGETS= cardamom.conf lychee.conf cardamom6.conf lychee6.conf ssh.conf
-
-all: $(TARGETS)
-
-lychee.conf: sandiego.pl
- perl sandiego.pl $(SRC) 206.175.160.20 > lychee.conf
-cardamom.conf: sandiego.pl
- perl sandiego.pl $(SRC) 206.175.160.21 > cardamom.conf
-lychee6.conf: sandiego.pl
- perl sandiego.pl $(SRC6) 3ffe:501:410:ffff:200:86ff:fe05:80fa > lychee6.conf
-cardamom6.conf: sandiego.pl
- perl sandiego.pl $(SRC6) 3ffe:501:410:ffff:210:4bff:fea2:8baa > cardamom6.conf
-ssh.conf: sandiego.pl
- perl sandiego.pl $(SRC) 194.100.55.1 > ssh.conf
-
-# itojun
-ms.conf: sandiego.pl
- perl sandiego.pl $(SRC) 206.175.161.182 > ms.conf
-
-clean:
- -rm -f $(TARGETS)
diff --git a/kame/kame/racoon/samples/psk.txt.in b/kame/kame/racoon/samples/psk.txt.in
deleted file mode 100644
index 52f1a55059..0000000000
--- a/kame/kame/racoon/samples/psk.txt.in
+++ /dev/null
@@ -1,21 +0,0 @@
-# IPv4/v6 addresses
-10.160.94.3 mekmitasdigoat
-172.16.1.133 mekmitasdigoat
-194.100.55.1 whatcertificatereally
-203.178.141.208 mekmitasdigoat
-206.175.160.18 mekmitasdigoat
-206.175.160.20 mekmitasdigoat
-206.175.160.21 mekmitasdigoat
-206.175.160.22 mekmitasdigoat
-206.175.160.23 mekmitasdigoat
-206.175.160.36 mekmitasdigoat
-206.175.161.125 mekmitasdigoat
-206.175.161.154 mekmitasdigoat
-206.175.161.156 mekmitasdigoat
-206.175.161.182 mekmitasdigoat
-3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat
-3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat
-# USER_FQDN
-sakane@kame.net mekmitasdigoat
-# FQDN
-kame hoge
diff --git a/kame/kame/racoon/samples/psk.txt.sample b/kame/kame/racoon/samples/psk.txt.sample
deleted file mode 100644
index 2ad1d0b441..0000000000
--- a/kame/kame/racoon/samples/psk.txt.sample
+++ /dev/null
@@ -1,10 +0,0 @@ -# IPv4/v6 addresses -10.160.94.3 mekmitasdigoat -172.16.1.133 0x12345678 -194.100.55.1 whatcertificatereally -3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat -3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat -# USER_FQDN -foo@kame.net mekmitasdigoat -# FQDN -foo.kame.net hoge diff --git a/kame/kame/racoon/samples/racoon.conf.in b/kame/kame/racoon/samples/racoon.conf.in deleted file mode 100644 index b0fe087f2c..0000000000 --- a/kame/kame/racoon/samples/racoon.conf.in +++ /dev/null 
@@ -1,125 +0,0 @@ -# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $ - -# "path" must be placed before it should be used. -# You can overwrite which you defined, but it should not use due to confusing. -path include "@sysconfdir_x@/racoon" ; -#include "remote.conf" ; - -# search this file for pre_shared_key with various ID key. -path pre_shared_key "@sysconfdir_x@/racoon/psk.txt" ; - -# racoon will look for certificate file in the directory, -# if the certificate/certificate request payload is received. -path certificate "@sysconfdir_x@/cert" ; - -# "log" specifies logging level. It is followed by either "notify", "debug" -# or "debug2". -#log debug; - -# "padding" defines some parameter of padding. You should not touch these. -padding -{ - maximum_length 20; # maximum padding length. - randomize off; # enable randomize length. - strict_check off; # enable strict check. - exclusive_tail off; # extract last one octet. -} - -# if no listen directive is specified, racoon will listen to all -# available interface addresses. -listen -{ - #isakmp ::1 [7000]; - #isakmp 202.249.11.124 [500]; - #admin [7002]; # administrative's port by kmpstat. - #strict_address; # required all addresses must be bound. -} - -# Specification of default various timer. -timer -{ - # These value can be changed per remote node. - counter 5; # maximum trying count to send. - interval 20 sec; # maximum interval to resend. - persend 1; # the number of packets per a send. - - # timer for waiting to complete each phase. 
- phase1 30 sec; - phase2 15 sec; -} - -remote anonymous -{ - #exchange_mode main,aggressive; - exchange_mode aggressive,main; - doi ipsec_doi; - situation identity_only; - - #my_identifier address; - my_identifier user_fqdn "sakane@kame.net"; - peers_identifier user_fqdn "sakane@kame.net"; - #certificate_type x509 "mycert" "mypriv"; - - nonce_size 16; - lifetime time 1 min; # sec,min,hour - initial_contact on; - support_mip6 on; - proposal_check obey; # obey, strict or claim - - proposal { - encryption_algorithm 3des; - hash_algorithm sha1; - authentication_method pre_shared_key ; - dh_group 2 ; - } -} - -remote ::1 [8000] -{ - #exchange_mode main,aggressive; - exchange_mode aggressive,main; - doi ipsec_doi; - situation identity_only; - - my_identifier user_fqdn "sakane@kame.net"; - peers_identifier user_fqdn "sakane@kame.net"; - #certificate_type x509 "mycert" "mypriv"; - - nonce_size 16; - lifetime time 1 min; # sec,min,hour - - proposal { - encryption_algorithm 3des; - hash_algorithm sha1; - authentication_method pre_shared_key ; - dh_group 2 ; - } -} - -sainfo anonymous -{ - pfs_group 1; - lifetime time 30 sec; - encryption_algorithm 3des ; - authentication_algorithm hmac_sha1; - compression_algorithm deflate ; -} - -sainfo address 203.178.141.209 any address 203.178.141.218 any -{ - pfs_group 1; - lifetime time 30 sec; - encryption_algorithm des ; - authentication_algorithm hmac_md5; - compression_algorithm deflate ; -} - -sainfo address ::1 icmp6 address ::1 icmp6 -{ - pfs_group 1; - lifetime time 60 sec; - encryption_algorithm 3des, cast128, blowfish 448, des ; - authentication_algorithm hmac_sha1, hmac_md5 ; - compression_algorithm deflate ; -} - diff --git a/kame/kame/racoon/samples/racoon.conf.sample b/kame/kame/racoon/samples/racoon.conf.sample deleted file mode 100644 index 1b50dc8c89..0000000000 --- a/kame/kame/racoon/samples/racoon.conf.sample +++ /dev/null 
@@ -1,59 +0,0 @@ -# $KAME: racoon.conf.sample,v 1.28 2002/10/18 14:33:28 itojun Exp $ - -# "path" affects "include" directive. "path" must be specified before any -# "include" directive with relative file path. -# you can overwrite "path" directive afterwards, however, doing so may add -# more confusion. -#path include "/usr/local/v6/etc" ; -#include "remote.conf" ; - -# the file should contain key ID/key pairs, for pre-shared key authentication. -path pre_shared_key "/usr/local/v6/etc/psk.txt" ; - -# racoon will look for certificate file in the directory, -# if the certificate/certificate request payload is received. -#path certificate "/usr/local/openssl/certs" ; - -# "log" specifies logging level. It is followed by either "notify", "debug" -# or "debug2". -#log debug; - -remote anonymous -{ - #exchange_mode main,aggressive,base; - exchange_mode main,base; - - #my_identifier fqdn "server.kame.net"; - #certificate_type x509 "foo@kame.net.cert" "foo@kame.net.priv" ; - - lifetime time 24 hour ; # sec,min,hour - - #initial_contact off ; - #passive on ; - - # phase 1 proposal (for ISAKMP SA) - proposal { - encryption_algorithm 3des; - hash_algorithm sha1; - authentication_method pre_shared_key ; - dh_group 2 ; - } - - # the configuration makes racoon (as a responder) to obey the - # initiator's lifetime and PFS group proposal. - # this makes testing so much easier. - proposal_check obey; -} - -# phase 2 proposal (for IPsec SA). -# actual phase 2 proposal will obey the following items: -# - kernel IPsec policy configuration (like "esp/transport//use) -# - permutation of the crypto/hash/compression algorithms presented below -sainfo anonymous -{ - pfs_group 2; - lifetime time 12 hour ; - encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ; - authentication_algorithm hmac_sha1, hmac_md5 ; - compression_algorithm deflate ; -} 
diff --git a/kame/kame/racoon/samples/racoon.conf.sample-gssapi b/kame/kame/racoon/samples/racoon.conf.sample-gssapi deleted file mode 100644 index f8d215239f..0000000000 --- a/kame/kame/racoon/samples/racoon.conf.sample-gssapi +++ /dev/null @@ -1,39 +0,0 @@ -# $KAME: racoon.conf.sample-gssapi,v 1.5 2001/08/16 06:33:40 itojun Exp $ - -# sample configuration for GSSAPI authentication (basically, kerberos). -# doc/README.gssapi gives some idea on how to configure it. -# TODO: more documentation. - -#listen { -# strict_address; -#} - -remote anonymous { - exchange_mode main; - #exchange_mode aggressive; - - # specify the identifier type - my_identifier fqdn "foo.kame.net"; - - lifetime time 1 min; - - proposal { - encryption_algorithm blowfish; - hash_algorithm sha1; - #authentication_method pre_shared_key; - authentication_method gssapi_krb; - gssapi_id "ike/myidentification"; - - dh_group 1; - } -} - -sainfo anonymous { - my_identifier fqdn "foo.kame.net"; - - lifetime time 30 min; - - encryption_algorithm blowfish 448; - authentication_algorithm hmac_sha1; - compression_algorithm deflate; -} diff --git a/kame/kame/racoon/samples/sandiego.pl b/kame/kame/racoon/samples/sandiego.pl deleted file mode 100644 index bb2d882852..0000000000 --- a/kame/kame/racoon/samples/sandiego.pl +++ /dev/null 
@@ -1,175 +0,0 @@ -die "too few arguments" if (scalar(@ARGV) != 2); -$me = $ARGV[0]; -$you = $ARGV[1]; -$hostname = `hostname`; -$hostname =~ s/\n$//; -$userfqdn = `whoami`; -$userfqdn =~ s/\n$//; -$userfqdn .= '@' . $hostname; -$rcsid = '$KAME: sandiego.pl,v 1.11 2000/03/26 10:52:59 itojun Exp $'; - -print < -#include -#include -#include - -#include -#include -#include -#include - -#include "misc.h" -#include "plog.h" -#include "schedule.h" -#include "var.h" -#include "gcmalloc.h" - -#define FIXY2038PROBLEM - -#ifndef TAILQ_FOREACH -#define TAILQ_FOREACH(elm, head, field) \ - for (elm = TAILQ_FIRST(head); elm; elm = TAILQ_NEXT(elm, field)) -#endif - -static struct timeval timeout; - -#ifdef FIXY2038PROBLEM -#define Y2038TIME_T 0x7fffffff -static time_t launched; /* time when the program launched. */ -static time_t deltaY2038; -#endif - -static TAILQ_HEAD(_schedtree, sched) sctree; - -static void sched_add __P((struct sched *)); -static time_t current_time __P((void)); - -/* - * schedule handler - * OUT: - * time to block until next event. - * if no entry, NULL returned. - */ -struct timeval * -schedular() -{ - time_t now, delta; - struct sched *p, *next = NULL; - - now = current_time(); - - for (p = TAILQ_FIRST(&sctree); p; p = next) { - /* if the entry has been daed, remove it */ - if (p->dead) - goto next_schedule; - - /* if the time hasn't come, proceed to the next entry */ - if (now < p->xtime) { - next = TAILQ_NEXT(p, chain); - continue; - } - - /* mark it with dead. and call the function. */ - p->dead = 1; - if (p->func != NULL) - (p->func)(p->param); - - next_schedule: - next = TAILQ_NEXT(p, chain); - TAILQ_REMOVE(&sctree, p, chain); - racoon_free(p); - } - - p = TAILQ_FIRST(&sctree); - if (p == NULL) - return NULL; - - now = current_time(); - - delta = p->xtime - now; - timeout.tv_sec = delta < 0 ? 0 : delta; - timeout.tv_usec = 0; - - return &timeout; -} - -/* - * add new schedule to schedule table. 
- */ -struct sched * -sched_new(tick, func, param) - time_t tick; - void (*func) __P((void *)); - void *param; -{ - static long id = 1; - struct sched *new; - - new = (struct sched *)racoon_malloc(sizeof(*new)); - if (new == NULL) - return NULL; - - memset(new, 0, sizeof(*new)); - new->func = func; - new->param = param; - - new->id = id++; - time(&new->created); - new->tick = tick; - - new->xtime = current_time() + tick; - new->dead = 0; - - /* add to schedule table */ - sched_add(new); - - return(new); -} - -/* add new schedule to schedule table */ -static void -sched_add(sc) - struct sched *sc; -{ - struct sched *p; - - TAILQ_FOREACH(p, &sctree, chain) { - if (sc->xtime < p->xtime) { - TAILQ_INSERT_BEFORE(p, sc, chain); - return; - } - } - if (p == NULL) - TAILQ_INSERT_TAIL(&sctree, sc, chain); - - return; -} - -/* get current time. - * if defined FIXY2038PROBLEM, base time is the time when called sched_init(). - * Otherwise, conform to time(3). - */ -static time_t -current_time() -{ - time_t n; -#ifdef FIXY2038PROBLEM - time_t t; - - time(&n); - t = n - launched; - if (t < 0) - t += deltaY2038; - - return t; -#else - return time(&n); -#endif -} - -void -sched_kill(sc) - struct sched *sc; -{ - sc->dead = 1; - - return; -} - -/* XXX this function is probably unnecessary. 
*/ -void -sched_scrub_param(param) - void *param; -{ - struct sched *sc; - - TAILQ_FOREACH(sc, &sctree, chain) { - if (sc->param == param) { - if (!sc->dead) { - plog(LLV_DEBUG, LOCATION, NULL, - "an undead schedule has been deleted.\n"); - } - sched_kill(sc); - } - } -} - -/* - * for debug - */ -int -sched_dump(buf, len) - caddr_t *buf; - int *len; -{ - caddr_t new; - struct sched *p; - struct scheddump *dst; - int cnt = 0; - - /* initialize */ - *len = 0; - *buf = NULL; - - TAILQ_FOREACH(p, &sctree, chain) - cnt++; - - /* no entry */ - if (cnt == 0) - return -1; - - *len = cnt * sizeof(*dst); - - new = racoon_malloc(*len); - if (new == NULL) - return -1; - dst = (struct scheddump *)new; - - p = TAILQ_FIRST(&sctree); - while (p) { - dst->xtime = p->xtime; - dst->id = p->id; - dst->created = p->created; - dst->tick = p->tick; - - p = TAILQ_NEXT(p, chain); - if (p == NULL) - break; - dst++; - } - - *buf = new; - - return 0; -} - -/* initialize schedule table */ -void -sched_init() -{ -#ifdef FIXY2038PROBLEM - time(&launched); - - deltaY2038 = Y2038TIME_T - launched; -#endif - - TAILQ_INIT(&sctree); - - return; -} - -#ifdef STEST -#include -#include -#include -#include - -void -test(tick) - int *tick; -{ - printf("execute %d\n", *tick); - racoon_free(tick); -} - -void -getstdin() -{ - int *tick; - char buf[16]; - - read(0, buf, sizeof(buf)); - if (buf[0] == 'd') { - struct scheddump *scbuf, *p; - int len; - sched_dump((caddr_t *)&scbuf, &len); - if (buf == NULL) - return; - for (p = scbuf; len; p++) { - printf("xtime=%ld\n", p->xtime); - len -= sizeof(*p); - } - racoon_free(scbuf); - return; - } - - tick = (int *)racoon_malloc(sizeof(*tick)); - *tick = atoi(buf); - printf("new queue tick = %d\n", *tick); - sched_new(*tick, test, tick); -} - -int -main() -{ - static fd_set mask0; - int nfds = 0; - fd_set rfds; - struct timeval *timeout; - int error; - - FD_ZERO(&mask0); - FD_SET(0, &mask0); - nfds = 1; - - /* initialize */ - sched_init(); - - while (1) { - rfds = 
mask0; - - timeout = schedular(); - - error = select(nfds, &rfds, (fd_set *)0, (fd_set *)0, timeout); - if (error < 0) { - switch (errno) { - case EINTR: continue; - default: - err(1, "select"); - } - /*NOTREACHED*/ - } - - if (FD_ISSET(0, &rfds)) - getstdin(); - } -} -#endif diff --git a/kame/kame/racoon/schedule.h b/kame/kame/racoon/schedule.h deleted file mode 100644 index b793bb6cdb..0000000000 --- a/kame/kame/racoon/schedule.h +++ /dev/null 
@@ -1,75 +0,0 @@ -/* $KAME: schedule.h,v 1.12 2001/03/06 20:41:02 thorpej Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include - -/* scheduling table */ -/* the head is the nearest event. */ -struct sched { - time_t xtime; /* event time which is as time(3). */ - /* - * if defined FIXY2038PROBLEM, this time - * is from the time when called sched_init(). - */ - void (*func) __P((void *)); /* call this function when timeout. 
*/ - void *param; /* pointer to parameter */ - - int dead; /* dead or alive */ - long id; /* for debug */ - time_t created; /* for debug */ - time_t tick; /* for debug */ - - TAILQ_ENTRY(sched) chain; -}; - -/* cancel schedule */ -#define SCHED_KILL(s) \ -do { \ - sched_kill(s); \ - s = NULL; \ -} while(0) - -/* must be called after it's called from scheduler. */ -#define SCHED_INIT(s) (s) = NULL - -struct scheddump { - time_t xtime; - long id; - time_t created; - time_t tick; -}; - -struct timeval *schedular __P((void)); -struct sched *sched_new __P((time_t, void (*func) __P((void *)), void *)); -void sched_kill __P((struct sched *)); -int sched_dump __P((caddr_t *, int *)); -void sched_init __P((void)); -void sched_scrub_param __P((void *)); diff --git a/kame/kame/racoon/session.c b/kame/kame/racoon/session.c deleted file mode 100644 index bf46fb7153..0000000000 --- a/kame/kame/racoon/session.c +++ /dev/null 
@@ -1,443 +0,0 @@ -/* $KAME: session.c,v 1.35 2004/08/25 08:04:02 sakane Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include -#include -#include -#include -#if HAVE_SYS_WAIT_H -# include -#endif -#ifndef WEXITSTATUS -# define WEXITSTATUS(s) ((unsigned)(s) >> 8) -#endif -#ifndef WIFEXITED -# define WIFEXITED(s) (((s) & 255) == 0) -#endif - -#ifdef IPV6_INRIA_VERSION -#include -#else -#include -#endif - -#include -#include -#include -#include -#ifdef HAVE_UNISTD_H -#include -#endif -#include -#include - -#include "libpfkey.h" - -#include "var.h" -#include "misc.h" -#include "vmbuf.h" -#include "plog.h" -#include "debug.h" - -#include "schedule.h" -#include "session.h" -#include "grabmyaddr.h" -#include "cfparse_proto.h" -#include "isakmp_var.h" -#include "admin_var.h" -#include "oakley.h" -#include "pfkey.h" -#include "handler.h" -#include "localconf.h" -#include "remoteconf.h" -#include "crypto_openssl.h" -#include "backupsa.h" - -static void close_session __P((void)); -static void check_rtsock __P((void *)); -static void initfds __P((void)); -static void init_signal __P((void)); -static int set_signal __P((int sig, RETSIGTYPE (*func) __P((int)))); -static void check_sigreq __P((void)); -static void check_flushsa_stub __P((void *)); -static void check_flushsa __P((void)); -static int close_sockets __P((void)); - -static fd_set mask0; -static int nfds = 0; -static int sigreq = 0; - -int -session(void) -{ - fd_set rfds; - struct timeval *timeout; - int error; - struct myaddrs *p; - - /* initialize schedular */ - sched_init(); - - init_signal(); - -#ifdef ENABLE_ADMINPORT - /* debug port has no authentication, do not open it */ - if (admin_init() < 0) - return -1; -#endif - - initmyaddr(); - - if (isakmp_init() < 0) - return -1; - - initfds(); - - sigreq = 0; - while (1) { - rfds = mask0; - - /* - * asynchronous requests via signal. - * make sure to reset sigreq to 0. 
- */ - check_sigreq(); - - /* scheduling */ - timeout = schedular(); - - error = select(nfds, &rfds, (fd_set *)0, (fd_set *)0, timeout); - if (error < 0) { - switch (errno) { - case EINTR: - continue; - default: - plog(LLV_ERROR, LOCATION, NULL, - "failed to select (%s)\n", - strerror(errno)); - return -1; - } - /*NOTREACHED*/ - } - -#ifdef ENABLE_ADMINPORT - if (FD_ISSET(lcconf->sock_admin, &rfds)) - admin_handler(); -#endif - - for (p = lcconf->myaddrs; p; p = p->next) { - if (!p->addr) - continue; - if (FD_ISSET(p->sock, &rfds)) - isakmp_handler(p->sock); - } - - if (FD_ISSET(lcconf->sock_pfkey, &rfds)) - pfkey_handler(); - - if (lcconf->rtsock >= 0 && FD_ISSET(lcconf->rtsock, &rfds)) { - if (update_myaddrs() && lcconf->autograbaddr) - sched_new(5, check_rtsock, NULL); - initfds(); - } - } - /*NOTREACHED*/ -} - -/* clear all status and exit program. */ -static void -close_session() -{ - flushph1(); - close_sockets(); - backupsa_clean(); - - plog(LLV_INFO, LOCATION, NULL, "racoon shutdown\n"); - exit_program(0, NULL); -} - -void -exit_program(int code, const char *fmt, ...) -{ - va_list ap; - - eay_close_error(); - oakley_dhclean(); - - if (fmt == NULL) - exit(code); - else { - va_start(ap, fmt); - verrx(code, fmt, ap); - va_end(ap); - } -} - -static void -check_rtsock(p) - void *p; -{ - isakmp_close(); - grab_myaddrs(); - autoconf_myaddrsport(); - isakmp_open(); - - /* initialize socket list again */ - initfds(); -} - -static void -initfds() -{ - struct myaddrs *p; - - nfds = 0; - - FD_ZERO(&mask0); - -#ifdef ENABLE_ADMINPORT - if (lcconf->sock_admin >= FD_SETSIZE) { - plog(LLV_ERROR, LOCATION, NULL, "fd_set overrun\n"); - exit(1); - } - FD_SET(lcconf->sock_admin, &mask0); - nfds = (nfds > lcconf->sock_admin ? nfds : lcconf->sock_admin); -#endif - if (lcconf->sock_pfkey >= FD_SETSIZE) { - plog(LLV_ERROR, LOCATION, NULL, "fd_set overrun\n"); - exit(1); - } - FD_SET(lcconf->sock_pfkey, &mask0); - nfds = (nfds > lcconf->sock_pfkey ? 
nfds : lcconf->sock_pfkey); - if (lcconf->rtsock >= 0) { - if (lcconf->rtsock >= FD_SETSIZE) { - plog(LLV_ERROR, LOCATION, NULL, "fd_set overrun\n"); - exit(1); - } - FD_SET(lcconf->rtsock, &mask0); - nfds = (nfds > lcconf->rtsock ? nfds : lcconf->rtsock); - } - - for (p = lcconf->myaddrs; p; p = p->next) { - if (!p->addr) - continue; - if (p->sock >= FD_SETSIZE) { - plog(LLV_ERROR, LOCATION, NULL, "fd_set overrun\n"); - exit(1); - } - FD_SET(p->sock, &mask0); - nfds = (nfds > p->sock ? nfds : p->sock); - } - nfds++; -} - -static int signals[] = { - SIGHUP, - SIGINT, - SIGTERM, - SIGUSR1, - SIGUSR2, - SIGCHLD, - 0 -}; - -/* - * asynchronous requests will actually dispatched in the - * main loop in session(). - */ -RETSIGTYPE -signal_handler(sig) - int sig; -{ - switch (sig) { - case SIGCHLD: - { - pid_t pid; - int s; - - pid = wait(&s); - } - break; - -#ifdef DEBUG_RECORD_MALLOCATION - case SIGUSR2: - DRM_dump(); - break; -#endif - default: - /* XXX should be blocked any signal ? */ - sigreq = sig; - break; - } -} - -static void -check_sigreq() -{ - switch (sigreq) { - case 0: - return; - - case SIGHUP: - if (cfreparse()) { - plog(LLV_ERROR, LOCATION, NULL, - "configuration read failed\n"); - exit(1); - } - sigreq = 0; - break; - - default: - plog(LLV_INFO, LOCATION, NULL, "caught signal %d\n", sigreq); - pfkey_send_flush(lcconf->sock_pfkey, SADB_SATYPE_UNSPEC); - sched_new(1, check_flushsa_stub, NULL); - sigreq = 0; - break; - } -} - -/* - * waiting the termination of processing until sending DELETE message - * for all inbound SA will complete. 
- */ -static void -check_flushsa_stub(p) - void *p; -{ - - check_flushsa(); -} - -static void -check_flushsa() -{ - vchar_t *buf; - struct sadb_msg *msg, *end, *next; - struct sadb_sa *sa; - caddr_t mhp[SADB_EXT_MAX + 1]; - int n; - - buf = pfkey_dump_sadb(SADB_SATYPE_UNSPEC); - if (buf == NULL) { - plog(LLV_DEBUG, LOCATION, NULL, - "pfkey_dump_sadb: returned nothing.\n"); - return; - } - - msg = (struct sadb_msg *)buf->v; - end = (struct sadb_msg *)(buf->v + buf->l); - - /* counting SA except of dead one. */ - n = 0; - while (msg < end) { - if (PFKEY_UNUNIT64(msg->sadb_msg_len) < sizeof(*msg)) - break; - next = (struct sadb_msg *)((caddr_t)msg + PFKEY_UNUNIT64(msg->sadb_msg_len)); - if (msg->sadb_msg_type != SADB_DUMP) { - msg = next; - continue; - } - - if (pfkey_align(msg, mhp) || pfkey_check(mhp)) { - plog(LLV_ERROR, LOCATION, NULL, - "pfkey_check (%s)\n", ipsec_strerror()); - msg = next; - continue; - } - - sa = (struct sadb_sa *)(mhp[SADB_EXT_SA]); - if (!sa) { - msg = next; - continue; - } - - if (sa->sadb_sa_state != SADB_SASTATE_DEAD) { - n++; - msg = next; - continue; - } - - msg = next; - } - - if (n) { - sched_new(1, check_flushsa_stub, NULL); - return; - } - - close_session(); -} - -static void -init_signal() -{ - int i; - - for (i = 0; signals[i] != 0; i++) - if (set_signal(signals[i], signal_handler) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to set_signal (%s)\n", - strerror(errno)); - exit(1); - } -} - -static int -set_signal(sig, func) - int sig; - RETSIGTYPE (*func) __P((int)); -{ - struct sigaction sa; - - memset((caddr_t)&sa, 0, sizeof(sa)); - sa.sa_handler = func; - sa.sa_flags = SA_RESTART; - - if (sigemptyset(&sa.sa_mask) < 0) - return -1; - - if (sigaction(sig, &sa, (struct sigaction *)0) < 0) - return(-1); - - return 0; -} - -static int -close_sockets() -{ - isakmp_close(); - pfkey_close(lcconf->sock_pfkey); -#ifdef ENABLE_ADMINPORT - (void)admin_close(); -#endif - return 0; -} - 
diff --git a/kame/kame/racoon/session.h b/kame/kame/racoon/session.h
deleted file mode 100644
index ebffef485e..0000000000
--- a/kame/kame/racoon/session.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/* $KAME: session.h,v 1.5 2004/08/24 06:52:41 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-extern int session __P((void));
-extern RETSIGTYPE signal_handler __P((int));
-extern void exit_program __P((int, const char *, ...));
diff --git a/kame/kame/racoon/sockmisc.c b/kame/kame/racoon/sockmisc.c
deleted file mode 100644
index 0bf99ba532..0000000000
--- a/kame/kame/racoon/sockmisc.c
+++ /dev/null
@@ -1,793 +0,0 @@ -/* $KAME: sockmisc.c,v 1.40 2003/11/11 16:08:03 sakane Exp $ */ - -/* - * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the project nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include -#include -#include -#include - -#include -#ifdef IPV6_INRIA_VERSION -#include -#define IPV6_RECVDSTADDR IP_RECVDSTADDR -#else -#include -#endif -#include - -#include -#include -#include -#include -#ifdef HAVE_UNISTD_H -#include -#endif - -#include "var.h" -#include "misc.h" -#include "plog.h" -#include "sockmisc.h" -#include "debug.h" -#include "gcmalloc.h" - -const int niflags = 0; - -/* - * compare two sockaddr without port number. - * OUT: 0: equal. - * 1: not equal. - */ -int -cmpsaddrwop(addr1, addr2) - struct sockaddr *addr1; - struct sockaddr *addr2; -{ - caddr_t sa1, sa2; - - if (addr1 == 0 && addr2 == 0) - return 0; - if (addr1 == 0 || addr2 == 0) - return 1; - - if (addr1->sa_len != addr2->sa_len - || addr1->sa_family != addr2->sa_family) - return 1; - - switch (addr1->sa_family) { - case AF_INET: - sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr; - sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr; - if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0) - return 1; - break; -#ifdef INET6 - case AF_INET6: - sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr; - sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr; - if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0) - return 1; - if (((struct sockaddr_in6 *)addr1)->sin6_scope_id != - ((struct sockaddr_in6 *)addr2)->sin6_scope_id) - return 1; - break; -#endif - default: - return 1; - } - - return 0; -} - -/* - * compare two sockaddr with port, taking care wildcard. - * addr1 is a subject address, addr2 is in a database entry. - * OUT: 0: equal. - * 1: not equal. 
- */ -int -cmpsaddrwild(addr1, addr2) - struct sockaddr *addr1; - struct sockaddr *addr2; -{ - caddr_t sa1, sa2; - u_short port1, port2; - - if (addr1 == 0 && addr2 == 0) - return 0; - if (addr1 == 0 || addr2 == 0) - return 1; - - if (addr1->sa_len != addr2->sa_len - || addr1->sa_family != addr2->sa_family) - return 1; - - switch (addr1->sa_family) { - case AF_INET: - sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr; - sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr; - port1 = ((struct sockaddr_in *)addr1)->sin_port; - port2 = ((struct sockaddr_in *)addr2)->sin_port; - if (!(port1 == IPSEC_PORT_ANY || - port2 == IPSEC_PORT_ANY || - port1 == port2)) - return 1; - if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0) - return 1; - break; -#ifdef INET6 - case AF_INET6: - sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr; - sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr; - port1 = ((struct sockaddr_in6 *)addr1)->sin6_port; - port2 = ((struct sockaddr_in6 *)addr2)->sin6_port; - if (!(port1 == IPSEC_PORT_ANY || - port2 == IPSEC_PORT_ANY || - port1 == port2)) - return 1; - if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0) - return 1; - if (((struct sockaddr_in6 *)addr1)->sin6_scope_id != - ((struct sockaddr_in6 *)addr2)->sin6_scope_id) - return 1; - break; -#endif - default: - return 1; - } - - return 0; -} - -/* - * compare two sockaddr with strict match on port. - * OUT: 0: equal. - * 1: not equal. 
- */ -int -cmpsaddrstrict(addr1, addr2) - struct sockaddr *addr1; - struct sockaddr *addr2; -{ - caddr_t sa1, sa2; - u_short port1, port2; - - if (addr1 == 0 && addr2 == 0) - return 0; - if (addr1 == 0 || addr2 == 0) - return 1; - - if (addr1->sa_len != addr2->sa_len - || addr1->sa_family != addr2->sa_family) - return 1; - - switch (addr1->sa_family) { - case AF_INET: - sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr; - sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr; - port1 = ((struct sockaddr_in *)addr1)->sin_port; - port2 = ((struct sockaddr_in *)addr2)->sin_port; - if (port1 != port2) - return 1; - if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0) - return 1; - break; -#ifdef INET6 - case AF_INET6: - sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr; - sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr; - port1 = ((struct sockaddr_in6 *)addr1)->sin6_port; - port2 = ((struct sockaddr_in6 *)addr2)->sin6_port; - if (port1 != port2) - return 1; - if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0) - return 1; - if (((struct sockaddr_in6 *)addr1)->sin6_scope_id != - ((struct sockaddr_in6 *)addr2)->sin6_scope_id) - return 1; - break; -#endif - default: - return 1; - } - - return 0; -} - -/* get local address against the destination. 
*/ -struct sockaddr * -getlocaladdr(remote) - struct sockaddr *remote; -{ - struct sockaddr *local; - int local_len = sizeof(struct sockaddr_storage); - int s; /* for dummy connection */ - - /* allocate buffer */ - if ((local = racoon_calloc(1, local_len)) == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to get address buffer.\n"); - goto err; - } - - /* get real interface received packet */ - if ((s = socket(remote->sa_family, SOCK_DGRAM, 0)) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "socket (%s)\n", strerror(errno)); - goto err; - } - - if (connect(s, remote, remote->sa_len) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "connect (%s)\n", strerror(errno)); - close(s); - goto err; - } - - if (getsockname(s, local, &local_len) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "getsockname (%s)\n", strerror(errno)); - close(s); - return NULL; - } - - close(s); - return local; - - err: - if (local != NULL) - racoon_free(local); - return NULL; -} - -/* - * Receive packet, with src/dst information. It is assumed that necessary - * setsockopt() have already performed on socket. 
- */ -int -recvfromto(s, buf, buflen, flags, from, fromlen, to, tolen) - int s; - void *buf; - size_t buflen; - int flags; - struct sockaddr *from; - int *fromlen; - struct sockaddr *to; - int *tolen; -{ - int otolen; - int len; - struct sockaddr_storage ss; - struct msghdr m; - struct cmsghdr *cm; - struct iovec iov[2]; - u_char cmsgbuf[256]; -#if defined(INET6) && defined(ADVAPI) - struct in6_pktinfo *pi; -#endif /*ADVAPI*/ - struct sockaddr_in *sin; -#ifdef INET6 - struct sockaddr_in6 *sin6; -#endif - - len = sizeof(ss); - if (getsockname(s, (struct sockaddr *)&ss, &len) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "getsockname (%s)\n", strerror(errno)); - return -1; - } - - m.msg_name = (caddr_t)from; - m.msg_namelen = *fromlen; - iov[0].iov_base = (caddr_t)buf; - iov[0].iov_len = buflen; - m.msg_iov = iov; - m.msg_iovlen = 1; - memset(cmsgbuf, 0, sizeof(cmsgbuf)); - cm = (struct cmsghdr *)cmsgbuf; - m.msg_control = (caddr_t)cm; - m.msg_controllen = sizeof(cmsgbuf); - if ((len = recvmsg(s, &m, flags)) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "recvmsg (%s)\n", strerror(errno)); - return -1; - } - *fromlen = m.msg_namelen; - - otolen = *tolen; - *tolen = 0; - for (cm = (struct cmsghdr *)CMSG_FIRSTHDR(&m); - m.msg_controllen != 0 && cm; - cm = (struct cmsghdr *)CMSG_NXTHDR(&m, cm)) { -#if 0 - plog(LLV_ERROR, LOCATION, NULL, - "cmsg %d %d\n", cm->cmsg_level, cm->cmsg_type);) -#endif -#if defined(INET6) && defined(ADVAPI) - if (ss.ss_family == AF_INET6 - && cm->cmsg_level == IPPROTO_IPV6 - && cm->cmsg_type == IPV6_PKTINFO - && otolen >= sizeof(*sin6)) { - pi = (struct in6_pktinfo *)(CMSG_DATA(cm)); - *tolen = sizeof(*sin6); - sin6 = (struct sockaddr_in6 *)to; - memset(sin6, 0, sizeof(*sin6)); - sin6->sin6_family = AF_INET6; - sin6->sin6_len = sizeof(*sin6); - memcpy(&sin6->sin6_addr, &pi->ipi6_addr, - sizeof(sin6->sin6_addr)); - /* XXX other cases, such as site-local? 
*/ - if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)) - sin6->sin6_scope_id = pi->ipi6_ifindex; - else - sin6->sin6_scope_id = 0; - sin6->sin6_port = - ((struct sockaddr_in6 *)&ss)->sin6_port; - otolen = -1; /* "to" already set */ - continue; - } -#endif -#if defined(INET6) && defined(IPV6_RECVDSTADDR) - if (ss.ss_family == AF_INET6 - && cm->cmsg_level == IPPROTO_IPV6 - && cm->cmsg_type == IPV6_RECVDSTADDR - && otolen >= sizeof(*sin6)) { - *tolen = sizeof(*sin6); - sin6 = (struct sockaddr_in6 *)to; - memset(sin6, 0, sizeof(*sin6)); - sin6->sin6_family = AF_INET6; - sin6->sin6_len = sizeof(*sin6); - memcpy(&sin6->sin6_addr, CMSG_DATA(cm), - sizeof(sin6->sin6_addr)); - sin6->sin6_port = - ((struct sockaddr_in6 *)&ss)->sin6_port; - otolen = -1; /* "to" already set */ - continue; - } -#endif - if (ss.ss_family == AF_INET - && cm->cmsg_level == IPPROTO_IP - && cm->cmsg_type == IP_RECVDSTADDR - && otolen >= sizeof(*sin)) { - *tolen = sizeof(*sin); - sin = (struct sockaddr_in *)to; - memset(sin, 0, sizeof(*sin)); - sin->sin_family = AF_INET; - sin->sin_len = sizeof(*sin); - memcpy(&sin->sin_addr, CMSG_DATA(cm), - sizeof(sin->sin_addr)); - sin->sin_port = ((struct sockaddr_in *)&ss)->sin_port; - otolen = -1; /* "to" already set */ - continue; - } - } - - return len; -} - -/* send packet, with fixing src/dst address pair. 
*/ -int -sendfromto(s, buf, buflen, src, dst, cnt) - int s, cnt; - const void *buf; - size_t buflen; - struct sockaddr *src; - struct sockaddr *dst; -{ - struct sockaddr_storage ss; - int len; - int i; - - if (src->sa_family != dst->sa_family) { - plog(LLV_ERROR, LOCATION, NULL, - "address family mismatch\n"); - return -1; - } - - len = sizeof(ss); - if (getsockname(s, (struct sockaddr *)&ss, &len) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "getsockname (%s)\n", strerror(errno)); - return -1; - } - - plog(LLV_DEBUG, LOCATION, NULL, - "sockname %s\n", saddr2str((struct sockaddr *)&ss)); - plog(LLV_DEBUG, LOCATION, NULL, - "send packet from %s\n", saddr2str(src)); - plog(LLV_DEBUG, LOCATION, NULL, - "send packet to %s\n", saddr2str(dst)); - - if (src->sa_family != ss.ss_family) { - plog(LLV_ERROR, LOCATION, NULL, - "address family mismatch\n"); - return -1; - } - - switch (src->sa_family) { -#if defined(INET6) && defined(ADVAPI) && !defined(IPV6_INRIA_VERSION) - case AF_INET6: - { - struct msghdr m; - struct cmsghdr *cm; - struct iovec iov[2]; - u_char cmsgbuf[256]; - struct in6_pktinfo *pi; - int ifindex; - struct sockaddr_in6 src6, dst6; - - memcpy(&src6, src, sizeof(src6)); - memcpy(&dst6, dst, sizeof(dst6)); - - /* XXX take care of other cases, such as site-local */ - ifindex = 0; - if (IN6_IS_ADDR_LINKLOCAL(&src6.sin6_addr) - || IN6_IS_ADDR_MULTICAST(&src6.sin6_addr)) { - ifindex = src6.sin6_scope_id; /*???*/ - } - - /* XXX some sanity check on dst6.sin6_scope_id */ - - /* flowinfo for IKE? 
mmm, maybe useful but for now make it 0 */ - src6.sin6_flowinfo = dst6.sin6_flowinfo = 0; - - memset(&m, 0, sizeof(m)); - m.msg_name = (caddr_t)&dst6; - m.msg_namelen = sizeof(dst6); - iov[0].iov_base = (char *)buf; - iov[0].iov_len = buflen; - m.msg_iov = iov; - m.msg_iovlen = 1; - - memset(cmsgbuf, 0, sizeof(cmsgbuf)); - cm = (struct cmsghdr *)cmsgbuf; - m.msg_control = (caddr_t)cm; - m.msg_controllen = CMSG_SPACE(sizeof(struct in6_pktinfo)); - - cm->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo)); - cm->cmsg_level = IPPROTO_IPV6; - cm->cmsg_type = IPV6_PKTINFO; - pi = (struct in6_pktinfo *)CMSG_DATA(cm); - memcpy(&pi->ipi6_addr, &src6.sin6_addr, sizeof(src6.sin6_addr)); - pi->ipi6_ifindex = ifindex; - - plog(LLV_DEBUG, LOCATION, NULL, - "src6 %s %d\n", - saddr2str((struct sockaddr *)&src6), - src6.sin6_scope_id); - plog(LLV_DEBUG, LOCATION, NULL, - "dst6 %s %d\n", - saddr2str((struct sockaddr *)&dst6), - dst6.sin6_scope_id); - - for (i = 0; i < cnt; i++) { - len = sendmsg(s, &m, 0 /*MSG_DONTROUTE*/); - if (len < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "sendmsg (%s)\n", strerror(errno)); - return -1; - } - plog(LLV_DEBUG, LOCATION, NULL, - "%d times of %d bytes message will be sent " - "to %s\n", - i + 1, len, saddr2str(dst)); - } - plogdump(LLV_DEBUG, (char *)buf, buflen); - - return len; - } -#endif - default: - { - int needclose = 0; - int sendsock; - - if (ss.ss_family == src->sa_family && memcmp(&ss, src, src->sa_len) == 0) { - sendsock = s; - needclose = 0; - } else { - int yes = 1; - /* - * Use newly opened socket for sending packets. - * NOTE: this is unsafe, because if the peer is quick enough - * the packet from the peer may be queued into sendsock. - * Better approach is to prepare bind'ed udp sockets for - * each of the interface addresses. 
- */ - sendsock = socket(src->sa_family, SOCK_DGRAM, 0); - if (sendsock < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "socket (%s)\n", strerror(errno)); - return -1; - } - if (setsockopt(sendsock, SOL_SOCKET, SO_REUSEPORT, - (void *)&yes, sizeof(yes)) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "setsockopt (%s)\n", strerror(errno)); - close(sendsock); - return -1; - } -#ifdef IPV6_USE_MIN_MTU - if (src->sa_family == AF_INET6 && - setsockopt(sendsock, IPPROTO_IPV6, IPV6_USE_MIN_MTU, - (void *)&yes, sizeof(yes)) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "setsockopt (%s)\n", strerror(errno)); - close(sendsock); - return -1; - } -#endif - if (setsockopt_bypass(sendsock, src->sa_family) < 0) { - close(sendsock); - return -1; - } - - if (bind(sendsock, (struct sockaddr *)src, src->sa_len) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "bind 1 (%s)\n", strerror(errno)); - close(sendsock); - return -1; - } - needclose = 1; - } - - for (i = 0; i < cnt; i++) { - len = sendto(sendsock, buf, buflen, 0, dst, dst->sa_len); - if (len < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "sendto (%s)\n", strerror(errno)); - if (needclose) - close(sendsock); - return len; - } - plog(LLV_DEBUG, LOCATION, NULL, - "%d times of %d bytes message will be sent " - "to %s\n", - i + 1, len, saddr2str(dst)); - } - plogdump(LLV_DEBUG, (char *)buf, buflen); - - if (needclose) - close(sendsock); - - return len; - } - } -} - -int -setsockopt_bypass(so, family) - int so, family; -{ - int level; - char *buf; - char *policy; - - switch (family) { - case AF_INET: - level = IPPROTO_IP; - break; -#ifdef INET6 - case AF_INET6: - level = IPPROTO_IPV6; - break; -#endif - default: - plog(LLV_ERROR, LOCATION, NULL, - "unsupported address family %d\n", family); - return -1; - } - - policy = "in bypass"; - buf = ipsec_set_policy(policy, strlen(policy)); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "ipsec_set_policy (%s)\n", - ipsec_strerror()); - return -1; - } - if (setsockopt(so, level, - (level == IPPROTO_IP ? 
- IP_IPSEC_POLICY : IPV6_IPSEC_POLICY), - buf, ipsec_get_policylen(buf)) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "setsockopt (%s)\n", - strerror(errno)); - return -1; - } - racoon_free(buf); - - policy = "out bypass"; - buf = ipsec_set_policy(policy, strlen(policy)); - if (buf == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "ipsec_set_policy (%s)\n", - ipsec_strerror()); - return -1; - } - if (setsockopt(so, level, - (level == IPPROTO_IP ? - IP_IPSEC_POLICY : IPV6_IPSEC_POLICY), - buf, ipsec_get_policylen(buf)) < 0) { - plog(LLV_ERROR, LOCATION, NULL, - "setsockopt (%s)\n", - strerror(errno)); - return -1; - } - racoon_free(buf); - - return 0; -} - -struct sockaddr * -newsaddr(len) - int len; -{ - struct sockaddr *new; - - new = racoon_calloc(1, len); - if (new == NULL) - plog(LLV_ERROR, LOCATION, NULL, - "%s\n", strerror(errno)); - - /* initial */ - new->sa_len = len; - - return new; -} - -struct sockaddr * -dupsaddr(src) - struct sockaddr *src; -{ - struct sockaddr *dst; - - dst = racoon_calloc(1, src->sa_len); - if (dst == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "%s\n", strerror(errno)); - return NULL; - } - - memcpy(dst, src, src->sa_len); - - return dst; -} - -char * -saddr2str(saddr) - const struct sockaddr *saddr; -{ - static char buf[NI_MAXHOST + NI_MAXSERV + 10]; - char addr[NI_MAXHOST], port[NI_MAXSERV]; - - if (saddr == NULL) - return NULL; - - GETNAMEINFO(saddr, addr, port); - snprintf(buf, sizeof(buf), "%s[%s]", addr, port); - - return buf; -} - -char * -saddrwop2str(saddr) - struct sockaddr *saddr; -{ - static char buf[NI_MAXHOST + NI_MAXSERV + 10]; - char addr[NI_MAXHOST]; - - if (saddr == NULL) - return NULL; - - GETNAMEINFO(saddr, addr, NULL); - snprintf(buf, sizeof(buf), "%s", addr); - - return buf; -} - -struct sockaddr * -str2saddr(host, port) - char *host; - char *port; -{ - struct addrinfo hints, *res; - struct sockaddr *saddr; - int error; - - memset(&hints, 0, sizeof(hints)); - hints.ai_family = PF_UNSPEC; - hints.ai_socktype = 
SOCK_DGRAM; - hints.ai_flags = AI_NUMERICHOST; - error = getaddrinfo(host, port, &hints, &res); - if (error != 0) { - plog(LLV_ERROR, LOCATION, NULL, - "getaddrinfo(%s%s%s): %s\n", - host, port ? "," : "", port ? port : "", - gai_strerror(error)); - return NULL; - } - if (res->ai_next != NULL) { - plog(LLV_WARNING, LOCATION, NULL, - "getaddrinfo(%s%s%s): " - "resolved to multiple address, " - "taking the first one\n", - host, port ? "," : "", port ? port : ""); - } - saddr = racoon_malloc(res->ai_addrlen); - if (saddr == NULL) { - plog(LLV_ERROR, LOCATION, NULL, - "failed to allocate buffer.\n"); - freeaddrinfo(res); - return NULL; - } - memcpy(saddr, res->ai_addr, res->ai_addrlen); - freeaddrinfo(res); - - return saddr; -} - -void -mask_sockaddr(a, b, l) - struct sockaddr *a; - const struct sockaddr *b; - size_t l; -{ - size_t i; - u_int8_t *p, alen; - - switch (b->sa_family) { - case AF_INET: - alen = sizeof(struct in_addr); - p = (u_int8_t *)&((struct sockaddr_in *)a)->sin_addr; - break; -#ifdef INET6 - case AF_INET6: - alen = sizeof(struct in6_addr); - p = (u_int8_t *)&((struct sockaddr_in6 *)a)->sin6_addr; - break; -#endif - default: - plog(LLV_ERROR, LOCATION, NULL, - "invalid family: %d\n", b->sa_family); - exit(1); - } - - if ((alen << 3) < l) { - plog(LLV_ERROR, LOCATION, NULL, - "unexpected inconsistency: %d %d\n", b->sa_family, l); - exit(1); - } - - memcpy(a, b, b->sa_len); - p[l / 8] &= (0xff00 >> (l % 8)) & 0xff; - for (i = l / 8 + 1; i < alen; i++) - p[i] = 0x00; -} diff --git a/kame/kame/racoon/sockmisc.h b/kame/kame/racoon/sockmisc.h deleted file mode 100644 index 5b786dfbc4..0000000000 --- a/kame/kame/racoon/sockmisc.h +++ /dev/null 
@@ -1,53 +0,0 @@
-/* $KAME: sockmisc.h,v 1.12 2001/12/07 08:39:39 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-extern const int niflags;
-
-extern int cmpsaddrwop __P((struct sockaddr *, struct sockaddr *));
-extern int cmpsaddrwild __P((struct sockaddr *, struct sockaddr *));
-extern int cmpsaddrstrict __P((struct sockaddr *, struct sockaddr *));
-
-extern struct sockaddr *getlocaladdr __P((struct sockaddr *));
-
-extern int recvfromto __P((int, void *, size_t, int,
- struct sockaddr *, int *, struct sockaddr *, int *));
-extern int sendfromto __P((int, const void *, size_t,
- struct sockaddr *, struct sockaddr *, int));
-
-extern int setsockopt_bypass __P((int, int));
-
-extern struct sockaddr *newsaddr __P((int));
-extern struct sockaddr *dupsaddr __P((struct sockaddr *));
-extern char *saddr2str __P((const struct sockaddr *));
-extern char *saddrwop2str __P((struct sockaddr *));
-extern struct sockaddr *str2saddr __P((char *, char *));
-extern void mask_sockaddr __P((struct sockaddr *, const struct sockaddr *,
- size_t));
diff --git a/kame/kame/racoon/stats.pl b/kame/kame/racoon/stats.pl
deleted file mode 100644
index f509512ef7..0000000000
--- a/kame/kame/racoon/stats.pl
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/usr/bin/perl
-# usage:
-# % cat /var/log/racoon-stats.log | perl stats.pl
-
-while() {
- chomp;
- ($a, $a, $a, $a, $a, $b) = split(/\s+/, $_, 6);
- ($a, $c) = split(/:/, $b, 2);
- $r{$a} += $c;
- $t{$a}++;
-}
-
-foreach (sort keys %t) {
- printf "%s: total=%d avg=%8.6f\n", $_, $t{$_}, $r{$_}/$t{$_};
-}
diff --git a/kame/kame/racoon/str2val.c b/kame/kame/racoon/str2val.c
deleted file mode 100644
index fa8c6cfc34..0000000000
--- a/kame/kame/racoon/str2val.c
+++ /dev/null
@@ -1,122 +0,0 @@
-/* $KAME: str2val.c,v 1.11 2001/08/16 14:37:29 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include
-#include
-#include
-
-#include
-#include
-
-#include "str2val.h"
-#include "gcmalloc.h"
-
-/*
- * exchange a value to a hex string.
- * must free buffer allocated later.
- */
-caddr_t
-val2str(buf, mlen)
- const char *buf;
- size_t mlen;
-{
- caddr_t new;
- size_t len = (mlen * 2) + mlen / 8 + 10;
- size_t i, j;
-
- if ((new = racoon_malloc(len)) == 0) return(0);
-
- for (i = 0, j = 0; i < mlen; i++) {
- snprintf(&new[j], len - j, "%02x", (u_char)buf[i]);
- j += 2;
- if (i % 8 == 7) {
- new[j++] = ' ';
- new[j] = '\0';
- }
- }
- new[j] = '\0';
-
- return(new);
-}
-
-/*
- * exchange a string based "base" to a value.
- */
-char *
-str2val(str, base, len)
- const char *str;
- int base;
- size_t *len;
-{
- int f;
- size_t i;
- char *dst;
- char *rp;
- const char *p;
- char b[3];
-
- i = 0;
- for (p = str; *p != '\0'; p++) {
- if (isxdigit(*p))
- i++;
- else if (isspace(*p))
- ;
- else
- return NULL;
- }
- if (i == 0 || (i % 2) != 0)
- return NULL;
- i /= 2;
-
- if ((dst = racoon_malloc(i)) == NULL)
- return NULL;
-
- i = 0;
- f = 0;
- for (rp = dst, p = str; *p != '\0'; p++) {
- if (isxdigit(*p)) {
- if (!f) {
- b[0] = *p;
- f = 1;
- } else {
- b[1] = *p;
- b[2] = '\0';
- *rp++ = (char)strtol(b, NULL, base);
- i++;
- f = 0;
- }
- }
- }
-
- *len = i;
-
- return(dst);
-}
diff --git a/kame/kame/racoon/str2val.h b/kame/kame/racoon/str2val.h
deleted file mode 100644
index a100da8ee3..0000000000
--- a/kame/kame/racoon/str2val.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/* $KAME: str2val.h,v 1.6 2001/08/16 14:37:29 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-extern caddr_t val2str __P((const char *, size_t));
-extern char *str2val __P((const char *, int, size_t *));
diff --git a/kame/kame/racoon/strnames.c b/kame/kame/racoon/strnames.c
deleted file mode 100644
index 28870a9fcf..0000000000
--- a/kame/kame/racoon/strnames.c
+++ /dev/null
@@ -1,832 +0,0 @@
-/* $KAME: strnames.c,v 1.25 2003/11/13 10:53:26 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include -#include -#include - -#include -#include - -#include - -#include "var.h" -#include "misc.h" -#include "vmbuf.h" - -#include "isakmp_var.h" -#include "isakmp.h" -#include "ipsec_doi.h" -#include "oakley.h" -#include "handler.h" -#include "pfkey.h" -#include "strnames.h" -#include "algorithm.h" - -struct ksmap { - int key; - char *str; - char *(*f) __P((int)); -}; - -static char *num2str __P((int n)); - -static char * -num2str(n) - int n; -{ - static char buf[20]; - - snprintf(buf, sizeof(buf), "%d", n); - - return buf; -} - -/* isakmp.h */ -char * -s_isakmp_state(t, d, s) - int t, d, s; -{ - switch (t) { - case ISAKMP_ETYPE_AGG: - switch (d) { - case INITIATOR: - switch (s) { - case PHASE1ST_MSG1SENT: - return "agg I msg1"; - case PHASE1ST_ESTABLISHED: - return "agg I msg2"; - default: - break; - } - case RESPONDER: - switch (s) { - case PHASE1ST_MSG1SENT: - return "agg R msg1"; - default: - break; - } - } - break; - case ISAKMP_ETYPE_BASE: - switch (d) { - case INITIATOR: - switch (s) { - case PHASE1ST_MSG1SENT: - return "base I msg1"; - case PHASE1ST_MSG2SENT: - return "base I msg2"; - default: - break; - } - case RESPONDER: - switch (s) { - case PHASE1ST_MSG1SENT: - return "base R msg1"; - case PHASE1ST_ESTABLISHED: - return "base R msg2"; - default: - break; - } - } - break; - case ISAKMP_ETYPE_IDENT: - switch (d) { - case INITIATOR: - switch (s) { - case PHASE1ST_MSG1SENT: - return "ident I msg1"; - case PHASE1ST_MSG2SENT: - return "ident I msg2"; - case PHASE1ST_MSG3SENT: - return "ident I msg3"; - default: - break; - } - case RESPONDER: - switch (s) { - case PHASE1ST_MSG1SENT: - return "ident R msg1"; - case PHASE1ST_MSG2SENT: - return "ident R msg2"; - case PHASE1ST_ESTABLISHED: - return "ident R msg3"; - default: - break; - } - } - break; - case ISAKMP_ETYPE_QUICK: - switch (d) { - case INITIATOR: - switch (s) { - case PHASE2ST_MSG1SENT: - return "quick I msg1"; - case PHASE2ST_ADDSA: - return "quick I msg2"; - default: - break; - } - case 
RESPONDER: - switch (s) { - case PHASE2ST_MSG1SENT: - return "quick R msg1"; - case PHASE2ST_COMMIT: - return "quick R msg2"; - default: - break; - } - } - break; - default: - case ISAKMP_ETYPE_NONE: - case ISAKMP_ETYPE_AUTH: - case ISAKMP_ETYPE_INFO: - case ISAKMP_ETYPE_NEWGRP: - case ISAKMP_ETYPE_ACKINFO: - break; - } - /*NOTREACHED*/ - - return "???"; -} - -static struct ksmap name_isakmp_certtype[] = { -{ ISAKMP_CERT_NONE, "NONE", NULL }, -{ ISAKMP_CERT_PKCS7, "PKCS #7 wrapped X.509 certificate", NULL }, -{ ISAKMP_CERT_PGP, "PGP Certificate", NULL }, -{ ISAKMP_CERT_DNS, "DNS Signed Key", NULL }, -{ ISAKMP_CERT_X509SIGN, "X.509 Certificate Signature", NULL }, -{ ISAKMP_CERT_X509KE, "X.509 Certificate Key Exchange", NULL }, -{ ISAKMP_CERT_KERBEROS, "Kerberos Tokens", NULL }, -{ ISAKMP_CERT_CRL, "Certificate Revocation List (CRL)", NULL }, -{ ISAKMP_CERT_ARL, "Authority Revocation List (ARL)", NULL }, -{ ISAKMP_CERT_SPKI, "SPKI Certificate", NULL }, -{ ISAKMP_CERT_X509ATTR, "X.509 Certificate Attribute", NULL }, -}; - -char * -s_isakmp_certtype(k) - int k; -{ - int i; - for (i = 0; i < ARRAYLEN(name_isakmp_certtype); i++) - if (name_isakmp_certtype[i].key == k) - return name_isakmp_certtype[i].str; - return num2str(k); -} - -static struct ksmap name_isakmp_etype[] = { -{ ISAKMP_ETYPE_NONE, "None", NULL }, -{ ISAKMP_ETYPE_BASE, "Base", NULL }, -{ ISAKMP_ETYPE_IDENT, "Identity Protection", NULL }, -{ ISAKMP_ETYPE_AUTH, "Authentication Only", NULL }, -{ ISAKMP_ETYPE_AGG, "Aggressive", NULL }, -{ ISAKMP_ETYPE_INFO, "Informational", NULL }, -{ ISAKMP_ETYPE_QUICK, "Quick", NULL }, -{ ISAKMP_ETYPE_NEWGRP, "New Group", NULL }, -{ ISAKMP_ETYPE_ACKINFO, "Acknowledged Informational", NULL }, -}; - -char * -s_isakmp_etype(k) - int k; -{ - int i; - for (i = 0; i < ARRAYLEN(name_isakmp_etype); i++) - if (name_isakmp_etype[i].key == k) - return name_isakmp_etype[i].str; - return num2str(k); -} - -static struct ksmap name_isakmp_notify_msg[] = { -{ 
ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, "INVALID-PAYLOAD-TYPE", NULL }, -{ ISAKMP_NTYPE_DOI_NOT_SUPPORTED, "DOI-NOT-SUPPORTED", NULL }, -{ ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED, "SITUATION-NOT-SUPPORTED", NULL }, -{ ISAKMP_NTYPE_INVALID_COOKIE, "INVALID-COOKIE", NULL }, -{ ISAKMP_NTYPE_INVALID_MAJOR_VERSION, "INVALID-MAJOR-VERSION", NULL }, -{ ISAKMP_NTYPE_INVALID_MINOR_VERSION, "INVALID-MINOR-VERSION", NULL }, -{ ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, "INVALID-EXCHANGE-TYPE", NULL }, -{ ISAKMP_NTYPE_INVALID_FLAGS, "INVALID-FLAGS", NULL }, -{ ISAKMP_NTYPE_INVALID_MESSAGE_ID, "INVALID-MESSAGE-ID", NULL }, -{ ISAKMP_NTYPE_INVALID_PROTOCOL_ID, "INVALID-PROTOCOL-ID", NULL }, -{ ISAKMP_NTYPE_INVALID_SPI, "INVALID-SPI", NULL }, -{ ISAKMP_NTYPE_INVALID_TRANSFORM_ID, "INVALID-TRANSFORM-ID", NULL }, -{ ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED, "ATTRIBUTES-NOT-SUPPORTED", NULL }, -{ ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN, "NO-PROPOSAL-CHOSEN", NULL }, -{ ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX, "BAD-PROPOSAL-SYNTAX", NULL }, -{ ISAKMP_NTYPE_PAYLOAD_MALFORMED, "PAYLOAD-MALFORMED", NULL }, -{ ISAKMP_NTYPE_INVALID_KEY_INFORMATION, "INVALID-KEY-INFORMATION", NULL }, -{ ISAKMP_NTYPE_INVALID_ID_INFORMATION, "INVALID-ID-INFORMATION", NULL }, -{ ISAKMP_NTYPE_INVALID_CERT_ENCODING, "INVALID-CERT-ENCODING", NULL }, -{ ISAKMP_NTYPE_INVALID_CERTIFICATE, "INVALID-CERTIFICATE", NULL }, -{ ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX, "BAD-CERT-REQUEST-SYNTAX", NULL }, -{ ISAKMP_NTYPE_INVALID_CERT_AUTHORITY, "INVALID-CERT-AUTHORITY", NULL }, -{ ISAKMP_NTYPE_INVALID_HASH_INFORMATION, "INVALID-HASH-INFORMATION", NULL }, -{ ISAKMP_NTYPE_AUTHENTICATION_FAILED, "AUTHENTICATION-FAILED", NULL }, -{ ISAKMP_NTYPE_INVALID_SIGNATURE, "INVALID-SIGNATURE", NULL }, -{ ISAKMP_NTYPE_ADDRESS_NOTIFICATION, "ADDRESS-NOTIFICATION", NULL }, -{ ISAKMP_NTYPE_NOTIFY_SA_LIFETIME, "NOTIFY-SA-LIFETIME", NULL }, -{ ISAKMP_NTYPE_CERTIFICATE_UNAVAILABLE, "CERTIFICATE-UNAVAILABLE", NULL }, -{ ISAKMP_NTYPE_UNSUPPORTED_EXCHANGE_TYPE, 
"UNSUPPORTED-EXCHANGE-TYPE", NULL }, -{ ISAKMP_NTYPE_UNEQUAL_PAYLOAD_LENGTHS, "UNEQUAL-PAYLOAD-LENGTHS", NULL }, -{ ISAKMP_NTYPE_CONNECTED, "CONNECTED", NULL }, -{ ISAKMP_NTYPE_RESPONDER_LIFETIME, "RESPONDER-LIFETIME", NULL }, -{ ISAKMP_NTYPE_REPLAY_STATUS, "REPLAY-STATUS", NULL }, -{ ISAKMP_NTYPE_INITIAL_CONTACT, "INITIAL-CONTACT", NULL }, -{ ISAKMP_LOG_RETRY_LIMIT_REACHED, "RETRY-LIMIT-REACHED", NULL }, -}; - -char * -s_isakmp_notify_msg(k) - int k; -{ - int i; - for (i = 0; i < ARRAYLEN(name_isakmp_notify_msg); i++) - if (name_isakmp_notify_msg[i].key == k) - return name_isakmp_notify_msg[i].str; - - return num2str(k); -} - -static struct ksmap name_isakmp_nptype[] = { -{ ISAKMP_NPTYPE_NONE, "none", NULL }, -{ ISAKMP_NPTYPE_SA, "sa", NULL }, -{ ISAKMP_NPTYPE_P, "prop", NULL }, -{ ISAKMP_NPTYPE_T, "trns", NULL }, -{ ISAKMP_NPTYPE_KE, "ke", NULL }, -{ ISAKMP_NPTYPE_ID, "id", NULL }, -{ ISAKMP_NPTYPE_CERT, "cert", NULL }, -{ ISAKMP_NPTYPE_CR, "cr", NULL }, -{ ISAKMP_NPTYPE_HASH, "hash", NULL }, -{ ISAKMP_NPTYPE_SIG, "sig", NULL }, -{ ISAKMP_NPTYPE_NONCE, "nonce", NULL }, -{ ISAKMP_NPTYPE_N, "notify", NULL }, -{ ISAKMP_NPTYPE_D, "delete", NULL }, -{ ISAKMP_NPTYPE_VID, "vid", NULL }, -{ ISAKMP_NPTYPE_GSS, "gss id", NULL }, -}; - -char * -s_isakmp_nptype(k) - int k; -{ - int i; - for (i = 0; i < ARRAYLEN(name_isakmp_nptype); i++) - if (name_isakmp_nptype[i].key == k) - return name_isakmp_nptype[i].str; - return num2str(k); -} - -/* ipsec_doi.h */ -static struct ksmap name_ipsecdoi_proto[] = { -{ IPSECDOI_PROTO_ISAKMP, "ISAKMP", s_ipsecdoi_trns_isakmp }, -{ IPSECDOI_PROTO_IPSEC_AH, "AH", s_ipsecdoi_trns_ah }, -{ IPSECDOI_PROTO_IPSEC_ESP, "ESP", s_ipsecdoi_trns_esp }, -{ IPSECDOI_PROTO_IPCOMP, "IPCOMP", s_ipsecdoi_trns_ipcomp }, -}; - -char * -s_ipsecdoi_proto(k) - int k; -{ - int i; - for (i = 0; i < ARRAYLEN(name_ipsecdoi_proto); i++) - if (name_ipsecdoi_proto[i].key == k) - return name_ipsecdoi_proto[i].str; - return num2str(k); -} - -static struct ksmap 
name_ipsecdoi_trns_isakmp[] = {
-{ IPSECDOI_KEY_IKE, "IKE", NULL },
-};
-
-char *
-s_ipsecdoi_trns_isakmp(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_ipsecdoi_trns_isakmp); i++)
- if (name_ipsecdoi_trns_isakmp[i].key == k)
- return name_ipsecdoi_trns_isakmp[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_ipsecdoi_trns_ah[] = {
-{ IPSECDOI_AH_MD5, "MD5", NULL },
-{ IPSECDOI_AH_SHA, "SHA", NULL },
-{ IPSECDOI_AH_DES, "DES", NULL },
-};
-
-char *
-s_ipsecdoi_trns_ah(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_ipsecdoi_trns_ah); i++)
- if (name_ipsecdoi_trns_ah[i].key == k)
- return name_ipsecdoi_trns_ah[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_ipsecdoi_trns_esp[] = {
-{ IPSECDOI_ESP_DES_IV64, "DES_IV64", NULL },
-{ IPSECDOI_ESP_DES, "DES", NULL },
-{ IPSECDOI_ESP_3DES, "3DES", NULL },
-{ IPSECDOI_ESP_RC5, "RC5", NULL },
-{ IPSECDOI_ESP_IDEA, "IDEA", NULL },
-{ IPSECDOI_ESP_CAST, "CAST", NULL },
-{ IPSECDOI_ESP_BLOWFISH, "BLOWFISH", NULL },
-{ IPSECDOI_ESP_3IDEA, "3IDEA", NULL },
-{ IPSECDOI_ESP_DES_IV32, "DES_IV32", NULL },
-{ IPSECDOI_ESP_RC4, "RC4", NULL },
-{ IPSECDOI_ESP_NULL, "NULL", NULL },
-{ IPSECDOI_ESP_RIJNDAEL, "RIJNDAEL", NULL },
-{ IPSECDOI_ESP_TWOFISH, "TWOFISH", NULL },
-};
-
-char *
-s_ipsecdoi_trns_esp(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_ipsecdoi_trns_esp); i++)
- if (name_ipsecdoi_trns_esp[i].key == k)
- return name_ipsecdoi_trns_esp[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_ipsecdoi_trns_ipcomp[] = {
-{ IPSECDOI_IPCOMP_OUI, "OUI", NULL},
-{ IPSECDOI_IPCOMP_DEFLATE, "DEFLATE", NULL},
-{ IPSECDOI_IPCOMP_LZS, "LZS", NULL},
-};
-
-char *
-s_ipsecdoi_trns_ipcomp(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_ipsecdoi_trns_ipcomp); i++)
- if (name_ipsecdoi_trns_ipcomp[i].key == k)
- return name_ipsecdoi_trns_ipcomp[i].str;
- return num2str(k);
-}
-
-char *
-s_ipsecdoi_trns(proto, trns)
- int proto, trns;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_ipsecdoi_proto); i++)
- if (name_ipsecdoi_proto[i].key == proto
- && name_ipsecdoi_proto[i].f)
- return (name_ipsecdoi_proto[i].f)(trns);
- return num2str(trns);
-}
-
-static struct ksmap name_attr_ipsec[] = {
-{ IPSECDOI_ATTR_SA_LD_TYPE, "SA Life Type", s_ipsecdoi_ltype },
-{ IPSECDOI_ATTR_SA_LD, "SA Life Duration", NULL },
-{ IPSECDOI_ATTR_GRP_DESC, "Group Description", NULL },
-{ IPSECDOI_ATTR_ENC_MODE, "Encryption Mode", s_ipsecdoi_encmode },
-{ IPSECDOI_ATTR_AUTH, "Authentication Algorithm", s_ipsecdoi_auth },
-{ IPSECDOI_ATTR_KEY_LENGTH, "Key Length", NULL },
-{ IPSECDOI_ATTR_KEY_ROUNDS, "Key Rounds", NULL },
-{ IPSECDOI_ATTR_COMP_DICT_SIZE, "Compression Dictionary Size", NULL },
-{ IPSECDOI_ATTR_COMP_PRIVALG, "Compression Private Algorithm", NULL },
-};
-
-char *
-s_ipsecdoi_attr(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_attr_ipsec); i++)
- if (name_attr_ipsec[i].key == k)
- return name_attr_ipsec[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_attr_ipsec_ltype[] = {
-{ IPSECDOI_ATTR_SA_LD_TYPE_SEC, "seconds", NULL },
-{ IPSECDOI_ATTR_SA_LD_TYPE_KB, "kilobytes", NULL },
-};
-
-char *
-s_ipsecdoi_ltype(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_attr_ipsec_ltype); i++)
- if (name_attr_ipsec_ltype[i].key == k)
- return name_attr_ipsec_ltype[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_attr_ipsec_encmode[] = {
-{ IPSECDOI_ATTR_ENC_MODE_ANY, "Any", NULL },
-{ IPSECDOI_ATTR_ENC_MODE_TUNNEL, "Tunnel", NULL },
-{ IPSECDOI_ATTR_ENC_MODE_TRNS, "Transport", NULL },
-};
-
-char *
-s_ipsecdoi_encmode(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_attr_ipsec_encmode); i++)
- if (name_attr_ipsec_encmode[i].key == k)
- return name_attr_ipsec_encmode[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_attr_ipsec_auth[] = {
-{ IPSECDOI_ATTR_AUTH_HMAC_MD5, "hmac-md5", NULL },
-{ IPSECDOI_ATTR_AUTH_HMAC_SHA1, "hmac-sha", NULL },
-{ IPSECDOI_ATTR_AUTH_DES_MAC, "des-mac", NULL },
-{ IPSECDOI_ATTR_AUTH_KPDK, "kpdk", NULL },
-};
-
-char *
-s_ipsecdoi_auth(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_attr_ipsec_auth); i++)
- if (name_attr_ipsec_auth[i].key == k)
- return name_attr_ipsec_auth[i].str;
- return num2str(k);
-}
-
-char *
-s_ipsecdoi_attr_v(type, val)
- int type, val;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_attr_ipsec); i++)
- if (name_attr_ipsec[i].key == type
- && name_attr_ipsec[i].f)
- return (name_attr_ipsec[i].f)(val);
- return num2str(val);
-}
-
-static struct ksmap name_ipsecdoi_ident[] = {
-{ IPSECDOI_ID_IPV4_ADDR, "IPv4_address", NULL },
-{ IPSECDOI_ID_FQDN, "FQDN", NULL },
-{ IPSECDOI_ID_USER_FQDN, "User_FQDN", NULL },
-{ IPSECDOI_ID_IPV4_ADDR_SUBNET, "IPv4_subnet", NULL },
-{ IPSECDOI_ID_IPV6_ADDR, "IPv6_address", NULL },
-{ IPSECDOI_ID_IPV6_ADDR_SUBNET, "IPv6_subnet", NULL },
-{ IPSECDOI_ID_IPV4_ADDR_RANGE, "IPv4_address_range", NULL },
-{ IPSECDOI_ID_IPV6_ADDR_RANGE, "IPv6_address_range", NULL },
-{ IPSECDOI_ID_DER_ASN1_DN, "DER_ASN1_DN", NULL },
-{ IPSECDOI_ID_DER_ASN1_GN, "DER_ASN1_GN", NULL },
-{ IPSECDOI_ID_KEY_ID, "KEY_ID", NULL },
-};
-
-char *
-s_ipsecdoi_ident(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_ipsecdoi_ident); i++)
- if (name_ipsecdoi_ident[i].key == k)
- return name_ipsecdoi_ident[i].str;
- return num2str(k);
-}
-
-/* oakley.h */
-static struct ksmap name_oakley_attr[] = {
-{ OAKLEY_ATTR_ENC_ALG, "Encryption Algorithm", s_attr_isakmp_enc },
-{ OAKLEY_ATTR_HASH_ALG, "Hash Algorithm", s_attr_isakmp_hash },
-{ OAKLEY_ATTR_AUTH_METHOD, "Authentication Method", s_oakley_attr_method },
-{ OAKLEY_ATTR_GRP_DESC, "Group Description", s_attr_isakmp_desc },
-{ OAKLEY_ATTR_GRP_TYPE, "Group Type", s_attr_isakmp_group },
-{ OAKLEY_ATTR_GRP_PI, "Group Prime/Irreducible Polynomial", NULL },
-{ OAKLEY_ATTR_GRP_GEN_ONE, "Group Generator One", NULL },
-{ OAKLEY_ATTR_GRP_GEN_TWO, "Group Generator Two", NULL },
-{ OAKLEY_ATTR_GRP_CURVE_A, "Group Curve A", NULL },
-{ OAKLEY_ATTR_GRP_CURVE_B, "Group Curve B", NULL },
-{ OAKLEY_ATTR_SA_LD_TYPE, "Life Type", s_attr_isakmp_ltype },
-{ OAKLEY_ATTR_SA_LD, "Life Duration", NULL },
-{ OAKLEY_ATTR_PRF, "PRF", NULL },
-{ OAKLEY_ATTR_KEY_LEN, "Key Length", NULL },
-{ OAKLEY_ATTR_FIELD_SIZE, "Field Size", NULL },
-{ OAKLEY_ATTR_GRP_ORDER, "Group Order", NULL },
-{ OAKLEY_ATTR_BLOCK_SIZE, "Block Size", NULL },
-{ OAKLEY_ATTR_GSS_ID, "GSS-API endpoint name",NULL },
-};
-
-char *
-s_oakley_attr(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_oakley_attr); i++)
- if (name_oakley_attr[i].key == k)
- return name_oakley_attr[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_attr_isakmp_enc[] = {
-{ OAKLEY_ATTR_ENC_ALG_DES, "DES-CBC", NULL },
-{ OAKLEY_ATTR_ENC_ALG_IDEA, "IDEA-CBC", NULL },
-{ OAKLEY_ATTR_ENC_ALG_BLOWFISH, "Blowfish-CBC", NULL },
-{ OAKLEY_ATTR_ENC_ALG_RC5, "RC5-R16-B64-CBC", NULL },
-{ OAKLEY_ATTR_ENC_ALG_3DES, "3DES-CBC", NULL },
-{ OAKLEY_ATTR_ENC_ALG_CAST, "CAST-CBC", NULL },
-};
-
-char *
-s_attr_isakmp_enc(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_attr_isakmp_enc); i++)
- if (name_attr_isakmp_enc[i].key == k)
- return name_attr_isakmp_enc[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_attr_isakmp_hash[] = {
-{ OAKLEY_ATTR_HASH_ALG_MD5, "MD5", NULL },
-{ OAKLEY_ATTR_HASH_ALG_SHA, "SHA", NULL },
-{ OAKLEY_ATTR_HASH_ALG_TIGER, "Tiger", NULL },
-};
-
-char *
-s_attr_isakmp_hash(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_attr_isakmp_hash); i++)
- if (name_attr_isakmp_hash[i].key == k)
- return name_attr_isakmp_hash[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_attr_isakmp_method[] = {
-{ OAKLEY_ATTR_AUTH_METHOD_PSKEY, "pre-shared key", NULL },
-{ OAKLEY_ATTR_AUTH_METHOD_DSSSIG, "DSS signatures", NULL },
-{ OAKLEY_ATTR_AUTH_METHOD_RSASIG, "RSA signatures", NULL },
-{ OAKLEY_ATTR_AUTH_METHOD_RSAENC, "Encryption with RSA", NULL },
-{ OAKLEY_ATTR_AUTH_METHOD_RSAREV, "Revised encryption with RSA", NULL },
-{ OAKLEY_ATTR_AUTH_METHOD_EGENC, "Encryption with El-Gamal", NULL },
-{ OAKLEY_ATTR_AUTH_METHOD_EGREV, "Revised encryption with El-Gamal", NULL },
-{ OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB, "GSS-API on Kerberos 5", NULL },
-};
-
-char *
-s_oakley_attr_method(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_attr_isakmp_method); i++)
- if (name_attr_isakmp_method[i].key == k)
- return name_attr_isakmp_method[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_attr_isakmp_desc[] = {
-{ OAKLEY_ATTR_GRP_DESC_MODP768, "768-bit MODP group", NULL },
-{ OAKLEY_ATTR_GRP_DESC_MODP1024, "1024-bit MODP group", NULL },
-{ OAKLEY_ATTR_GRP_DESC_EC2N155, "EC2N group on GP[2^155]", NULL },
-{ OAKLEY_ATTR_GRP_DESC_EC2N185, "EC2N group on GP[2^185]", NULL },
-{ OAKLEY_ATTR_GRP_DESC_MODP1536, "1536-bit MODP group", NULL },
-{ OAKLEY_ATTR_GRP_DESC_MODP2048, "2048-bit MODP group", NULL },
-{ OAKLEY_ATTR_GRP_DESC_MODP3072, "3072-bit MODP group", NULL },
-{ OAKLEY_ATTR_GRP_DESC_MODP4096, "4096-bit MODP group", NULL },
-{ OAKLEY_ATTR_GRP_DESC_MODP6144, "6144-bit MODP group", NULL },
-{ OAKLEY_ATTR_GRP_DESC_MODP8192, "8192-bit MODP group", NULL },
-};
-
-char *
-s_attr_isakmp_desc(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_attr_isakmp_desc); i++)
- if (name_attr_isakmp_desc[i].key == k)
- return name_attr_isakmp_desc[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_attr_isakmp_group[] = {
-{ OAKLEY_ATTR_GRP_TYPE_MODP, "MODP", NULL },
-{ OAKLEY_ATTR_GRP_TYPE_ECP, "ECP", NULL },
-{ OAKLEY_ATTR_GRP_TYPE_EC2N, "EC2N", NULL },
-};
-
-char *
-s_attr_isakmp_group(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_attr_isakmp_group); i++)
- if (name_attr_isakmp_group[i].key == k)
- return name_attr_isakmp_group[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_attr_isakmp_ltype[] = {
-{ OAKLEY_ATTR_SA_LD_TYPE_SEC, "seconds", NULL },
-{ OAKLEY_ATTR_SA_LD_TYPE_KB, "kilobytes", NULL },
-};
-
-char *
-s_attr_isakmp_ltype(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_attr_isakmp_ltype); i++)
- if (name_attr_isakmp_ltype[i].key == k)
- return name_attr_isakmp_ltype[i].str;
- return num2str(k);
-}
-
-char *
-s_oakley_attr_v(type, val)
- int type, val;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_oakley_attr); i++)
- if (name_oakley_attr[i].key == type
- && name_oakley_attr[i].f)
- return (name_oakley_attr[i].f)(val);
- return num2str(val);
-}
-
-/* netinet6/ipsec.h */
-static struct ksmap name_ipsec_level[] = {
-{ IPSEC_LEVEL_USE, "use", NULL },
-{ IPSEC_LEVEL_REQUIRE, "require", NULL },
-{ IPSEC_LEVEL_UNIQUE, "unique", NULL },
-};
-
-char *
-s_ipsec_level(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_ipsec_level); i++)
- if (name_ipsec_level[i].key == k)
- return name_ipsec_level[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_algclass[] = {
-{ algclass_ipsec_enc, "ipsec enc", s_ipsecdoi_trns_esp },
-{ algclass_ipsec_auth, "ipsec auth", s_ipsecdoi_trns_ah },
-{ algclass_ipsec_comp, "ipsec comp", s_ipsecdoi_trns_ipcomp },
-{ algclass_isakmp_enc, "isakmp enc", s_attr_isakmp_enc },
-{ algclass_isakmp_hash, "isakmp hash", s_attr_isakmp_hash },
-{ algclass_isakmp_dh, "isakmp dh", s_attr_isakmp_desc },
-{ algclass_isakmp_ameth, "isakmp auth method", s_oakley_attr_method },
-};
-
-char *
-s_algclass(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_algclass); i++)
- if (name_algclass[i].key == k)
- return name_algclass[i].str;
- return num2str(k);
-}
-
-char *
-s_algtype(class, n)
- int class, n;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_algclass); i++)
- if (name_algclass[i].key == class
- && name_algclass[i].f)
- return (name_algclass[i].f)(n);
- return num2str(n);
-}
-
-/* pfkey.h */
-static struct ksmap name_pfkey_type[] = {
-{ SADB_GETSPI, "GETSPI", NULL },
-{ SADB_UPDATE, "UPDATE", NULL },
-{ SADB_ADD, "ADD", NULL },
-{ SADB_DELETE, "DELETE", NULL },
-{ SADB_GET, "GET", NULL },
-{ SADB_ACQUIRE, "ACQUIRE", NULL },
-{ SADB_REGISTER, "REGISTER", NULL },
-{ SADB_EXPIRE, "EXPIRE", NULL },
-{ SADB_FLUSH, "FLUSH", NULL },
-{ SADB_DUMP, "DUMP", NULL },
-{ SADB_X_PROMISC, "X_PRIMISC", NULL },
-{ SADB_X_PCHANGE, "X_PCHANGE", NULL },
-{ SADB_X_SPDUPDATE, "X_SPDUPDATE", NULL },
-{ SADB_X_SPDADD, "X_SPDADD", NULL },
-{ SADB_X_SPDDELETE, "X_SPDDELETE", NULL },
-{ SADB_X_SPDGET, "X_SPDGET", NULL },
-{ SADB_X_SPDACQUIRE, "X_SPDACQUIRE", NULL },
-{ SADB_X_SPDDUMP, "X_SPDDUMP", NULL },
-{ SADB_X_SPDFLUSH, "X_SPDFLUSH", NULL },
-{ SADB_X_SPDSETIDX, "X_SPDSETIDX", NULL },
-{ SADB_X_SPDEXPIRE, "X_SPDEXPIRE", NULL },
-{ SADB_X_SPDDELETE2, "X_SPDDELETE2", NULL },
-};
-
-char *
-s_pfkey_type(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_pfkey_type); i++)
- if (name_pfkey_type[i].key == k)
- return name_pfkey_type[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_pfkey_satype[] = {
-{ SADB_SATYPE_UNSPEC, "UNSPEC", NULL },
-{ SADB_SATYPE_AH, "AH", NULL },
-{ SADB_SATYPE_ESP, "ESP", NULL },
-{ SADB_SATYPE_RSVP, "RSVP", NULL },
-{ SADB_SATYPE_OSPFV2, "OSPFV2", NULL },
-{ SADB_SATYPE_RIPV2, "RIPV2", NULL },
-{ SADB_SATYPE_MIP, "MIP", NULL },
-{ SADB_X_SATYPE_IPCOMP, "IPCOMP", NULL },
-};
-
-char *
-s_pfkey_satype(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_pfkey_satype); i++)
- if (name_pfkey_satype[i].key == k)
- return name_pfkey_satype[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_direction[] = {
-{ IPSEC_DIR_INBOUND, "in", NULL },
-{ IPSEC_DIR_OUTBOUND, "out", NULL },
-};
-
-char *
-s_direction(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_direction); i++)
- if (name_direction[i].key == k)
- return name_direction[i].str;
- return num2str(k);
-}
-
-char *
-s_proto(k)
- int k;
-{
- switch (k) {
- case IPPROTO_ICMP:
- return "icmp";
- case IPPROTO_TCP:
- return "tcp";
- case IPPROTO_UDP:
- return "udp";
- case IPPROTO_ICMPV6:
- return "icmpv6";
- case IPSEC_ULPROTO_ANY:
- return "any";
- }
-
- return num2str(k);
-}
diff --git a/kame/kame/racoon/strnames.h b/kame/kame/racoon/strnames.h
deleted file mode 100644
index 587ada3ec3..0000000000
--- a/kame/kame/racoon/strnames.h
+++ /dev/null
@@ -1,63 +0,0 @@
-/* $KAME: strnames.h,v 1.12 2001/08/09 07:32:19 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-extern char * s_isakmp_state __P((int, int, int));
-extern char *s_isakmp_certtype __P((int));
-extern char *s_isakmp_etype __P((int));
-extern char *s_isakmp_notify_msg __P((int));
-extern char *s_isakmp_nptype __P((int));
-extern char *s_ipsecdoi_proto __P((int));
-extern char *s_ipsecdoi_trns_isakmp __P((int));
-extern char *s_ipsecdoi_trns_ah __P((int));
-extern char *s_ipsecdoi_trns_esp __P((int));
-extern char *s_ipsecdoi_trns_ipcomp __P((int));
-extern char *s_ipsecdoi_trns __P((int, int));
-extern char *s_ipsecdoi_attr __P((int));
-extern char *s_ipsecdoi_ltype __P((int));
-extern char *s_ipsecdoi_encmode __P((int));
-extern char *s_ipsecdoi_auth __P((int));
-extern char *s_ipsecdoi_attr_v __P((int, int));
-extern char *s_ipsecdoi_ident __P((int));
-extern char *s_oakley_attr __P((int));
-extern char *s_attr_isakmp_enc __P((int));
-extern char *s_attr_isakmp_hash __P((int));
-extern char *s_oakley_attr_method __P((int));
-extern char *s_attr_isakmp_desc __P((int));
-extern char *s_attr_isakmp_group __P((int));
-extern char *s_attr_isakmp_ltype __P((int));
-extern char *s_oakley_attr_v __P((int, int));
-extern char *s_ipsec_level __P((int));
-extern char *s_algclass __P((int));
-extern char *s_algtype __P((int, int));
-extern char *s_pfkey_type __P((int));
-extern char *s_pfkey_satype __P((int));
-extern char *s_direction __P((int));
-extern char *s_proto __P((int));
diff --git a/kame/kame/racoon/tcpdump/addrtoname.h b/kame/kame/racoon/tcpdump/addrtoname.h
deleted file mode 100644
index 1db7ee06cb..0000000000
--- a/kame/kame/racoon/tcpdump/addrtoname.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright (c) 1990, 1992, 1993, 1994, 1995, 1996, 1997
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that: (1) source code distributions
- * retain the above copyright notice and this paragraph in its entirety, (2)
- * distributions including binary code include the above copyright notice and
- * this paragraph in its entirety in the documentation or other materials
- * provided with the distribution, and (3) all advertising materials mentioning
- * features or use of this software display the following acknowledgement:
- * ``This product includes software developed by the University of California,
- * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
- * the University nor the names of its contributors may be used to endorse
- * or promote products derived from this software without specific prior
- * written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- *
- * @(#) $Header: /usr/home/sumikawa/kame/kame/kame/kame/racoon/tcpdump/Attic/addrtoname.h,v 1.1 2004/04/12 08:52:29 itojun Exp $ (LBL)
- */
-
-/* Name to address translation routines. */
-
-extern const char *linkaddr_string(const u_char *, const unsigned int);
-extern const char *etheraddr_string(const u_char *);
-extern const char *etherproto_string(u_short);
-extern const char *tcpport_string(u_short);
-extern const char *udpport_string(u_short);
-extern const char *getname(const u_char *);
-#ifdef INET6
-extern const char *getname6(const u_char *);
-#endif
-extern const char *intoa(u_int32_t);
-
-extern void init_addrtoname(u_int32_t, u_int32_t);
-extern struct hnamemem *newhnamemem(void);
-#ifdef INET6
-extern struct h6namemem *newh6namemem(void);
-#endif
-
-#define ipaddr_string(p) getname((const u_char *)(p))
-#ifdef INET6
-#define ip6addr_string(p) getname6((const u_char *)(p))
-#endif
diff --git a/kame/kame/racoon/tcpdump/extract.h b/kame/kame/racoon/tcpdump/extract.h
deleted file mode 100644
index 4585e57765..0000000000
--- a/kame/kame/racoon/tcpdump/extract.h
+++ /dev/null
@@ -1,98 +0,0 @@
-/*
- * Copyright (c) 1992, 1993, 1994, 1995, 1996
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that: (1) source code distributions
- * retain the above copyright notice and this paragraph in its entirety, (2)
- * distributions including binary code include the above copyright notice and
- * this paragraph in its entirety in the documentation or other materials
- * provided with the distribution, and (3) all advertising materials mentioning
- * features or use of this software display the following acknowledgement:
- * ``This product includes software developed by the University of California,
- * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
- * the University nor the names of its contributors may be used to endorse
- * or promote products derived from this software without specific prior
- * written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- *
- * @(#) $Header: /usr/home/sumikawa/kame/kame/kame/kame/racoon/tcpdump/Attic/extract.h,v 1.1 2004/04/12 08:52:29 itojun Exp $ (LBL)
- */
-
-/* Network to host order macros */
-
-#ifdef LBL_ALIGN
-/*
- * The processor doesn't natively handle unaligned loads.
- */
-#ifdef HAVE___ATTRIBUTE__
-/*
- * We have __attribute__; we assume that means we have __attribute__((packed)).
- * Declare packed structures containing a u_int16_t and a u_int32_t,
- * cast the pointer to point to one of those, and fetch through it;
- * the GCC manual doesn't appear to explicitly say that
- * __attribute__((packed)) causes the compiler to generate unaligned-safe
- * code, but it apppears to do so.
- *
- * We do this in case the compiler can generate, for this instruction set,
- * better code to do an unaligned load and pass stuff to "ntohs()" or
- * "ntohl()" than the code to fetch the bytes one at a time and
- * assemble them. (That might not be the case on a little-endian platform,
- * where "ntohs()" and "ntohl()" might not be done inline.)
- */
-typedef struct {
- u_int16_t val;
-} __attribute__((packed)) unaligned_u_int16_t;
-
-typedef struct {
- u_int32_t val;
-} __attribute__((packed)) unaligned_u_int32_t;
-
-#define EXTRACT_16BITS(p) \
- ((u_int16_t)ntohs(((const unaligned_u_int16_t *)(p))->val))
-#define EXTRACT_32BITS(p) \
- ((u_int32_t)ntohl(((const unaligned_u_int32_t *)(p))->val))
-#else /* HAVE___ATTRIBUTE__ */
-/*
- * We don't have __attribute__, so do unaligned loads of big-endian
- * quantities the hard way - fetch the bytes one at a time and
- * assemble them.
- */
-#define EXTRACT_16BITS(p) \
- ((u_int16_t)((u_int16_t)*((const u_int8_t *)(p) + 0) << 8 | \
- (u_int16_t)*((const u_int8_t *)(p) + 1)))
-#define EXTRACT_32BITS(p) \
- ((u_int32_t)((u_int32_t)*((const u_int8_t *)(p) + 0) << 24 | \
- (u_int32_t)*((const u_int8_t *)(p) + 1) << 16 | \
- (u_int32_t)*((const u_int8_t *)(p) + 2) << 8 | \
- (u_int32_t)*((const u_int8_t *)(p) + 3)))
-#endif /* HAVE___ATTRIBUTE__ */
-#else /* LBL_ALIGN */
-/*
- * The processor natively handles unaligned loads, so we can just
- * cast the pointer and fetch through it.
- */
-#define EXTRACT_16BITS(p) \
- ((u_int16_t)ntohs(*(const u_int16_t *)(p)))
-#define EXTRACT_32BITS(p) \
- ((u_int32_t)ntohl(*(const u_int32_t *)(p)))
-#endif /* LBL_ALIGN */
-
-#define EXTRACT_24BITS(p) \
- ((u_int32_t)((u_int32_t)*((const u_int8_t *)(p) + 0) << 16 | \
- (u_int32_t)*((const u_int8_t *)(p) + 1) << 8 | \
- (u_int32_t)*((const u_int8_t *)(p) + 2)))
-
-/* Little endian protocol host order macros */
-
-#define EXTRACT_LE_8BITS(p) (*(p))
-#define EXTRACT_LE_16BITS(p) \
- ((u_int16_t)((u_int16_t)*((const u_int8_t *)(p) + 1) << 8 | \
- (u_int16_t)*((const u_int8_t *)(p) + 0)))
-#define EXTRACT_LE_32BITS(p) \
- ((u_int32_t)((u_int32_t)*((const u_int8_t *)(p) + 3) << 24 | \
- (u_int32_t)*((const u_int8_t *)(p) + 2) << 16 | \
- (u_int32_t)*((const u_int8_t *)(p) + 1) << 8 | \
- (u_int32_t)*((const u_int8_t *)(p) + 0)))
diff --git a/kame/kame/racoon/tcpdump/interface.h b/kame/kame/racoon/tcpdump/interface.h
deleted file mode 100644
index 70a3ed6991..0000000000
--- a/kame/kame/racoon/tcpdump/interface.h
+++ /dev/null
@@ -1,330 +0,0 @@
-/*
- * Copyright (c) 1988-2002
- * The Regents of the University of California. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that: (1) source code distributions
- * retain the above copyright notice and this paragraph in its entirety, (2)
- * distributions including binary code include the above copyright notice and
- * this paragraph in its entirety in the documentation or other materials
- * provided with the distribution, and (3) all advertising materials mentioning
- * features or use of this software display the following acknowledgement:
- * ``This product includes software developed by the University of California,
- * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
- * the University nor the names of its contributors may be used to endorse
- * or promote products derived from this software without specific prior
- * written permission.
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- *
- * @(#) $Header: /usr/home/sumikawa/kame/kame/kame/kame/racoon/tcpdump/Attic/interface.h,v 1.1 2004/04/12 08:52:29 itojun Exp $ (LBL)
- */
-
-#ifndef tcpdump_interface_h
-#define tcpdump_interface_h
-
-#ifdef HAVE_OS_PROTO_H
-#include "os-proto.h"
-#endif
-
-#ifndef HAVE___ATTRIBUTE__
-#define __attribute__(x)
-#endif
-
-/* snprintf et al */
-
-#include
-
-#if !defined(HAVE_SNPRINTF)
-int snprintf(char *, size_t, const char *, ...)
- __attribute__((format(printf, 3, 4)));
-#endif
-
-#if !defined(HAVE_VSNPRINTF)
-int vsnprintf(char *, size_t, const char *, va_list)
- __attribute__((format(printf, 3, 0)));
-#endif
-
-#ifndef HAVE_STRLCAT
-extern size_t strlcat(char *, const char *, size_t);
-#endif
-#ifndef HAVE_STRLCPY
-extern size_t strlcpy(char *, const char *, size_t);
-#endif
-
-#ifndef HAVE_STRDUP
-extern char *strdup(const char *);
-#endif
-
-#ifndef HAVE_STRSEP
-extern char *strsep(char **, const char *);
-#endif
-
-struct tok {
- int v; /* value */
- const char *s; /* string */
-};
-
-extern int aflag; /* translate network and broadcast addresses */
-extern int dflag; /* print filter code */
-extern int eflag; /* print ethernet header */
-extern int fflag; /* don't translate "foreign" IP address */
-extern int nflag; /* leave addresses as numbers */
-extern int Nflag; /* remove domains from printed host names */
-extern int qflag; /* quick (shorter) output */
-extern int Rflag; /* print sequence # field in AH/ESP*/
-extern int sflag; /* use the libsmi to translate OIDs */
-extern int Sflag; /* print raw TCP sequence numbers */
-extern int tflag; /* print packet arrival time */
-extern int uflag; /* Print undecoded NFS handles */
-extern int vflag; /* verbose */
-extern int xflag; /* print packet in hex */
-extern int Xflag; /* print packet in hex/ascii */
-extern int Aflag; /* print packet only in ascii observing TAB, LF, CR and SPACE as graphical chars */
-extern char *espsecret;
-
-extern int packettype; /* as specified by -T */
-#define PT_VAT 1 /* Visual Audio Tool */
-#define PT_WB 2 /* distributed White Board */
-#define PT_RPC 3 /* Remote Procedure Call */
-#define PT_RTP 4 /* Real-Time Applications protocol */
-#define PT_RTCP 5 /* Real-Time Applications control protocol */
-#define PT_SNMP 6 /* Simple Network Management Protocol */
-#define PT_CNFP 7 /* Cisco NetFlow protocol */
-#define PT_TFTP 8 /* trivial file transfer protocol */
-#define PT_AODV 9 /* Ad-hoc On-demand Distance Vector Protocol */
-
-#ifndef min
-#define min(a,b) ((a)>(b)?(b):(a))
-#endif
-#ifndef max
-#define max(a,b) ((b)>(a)?(b):(a))
-#endif
-
-/*
- * The default snapshot length. This value allows most printers to print
- * useful information while keeping the amount of unwanted data down.
- */
-#ifndef INET6
-#define DEFAULT_SNAPLEN 68 /* ether + IPv4 + TCP + 14 */
-#else
-#define DEFAULT_SNAPLEN 96 /* ether + IPv6 + TCP + 22 */
-#endif
-
-#ifndef BIG_ENDIAN
-#define BIG_ENDIAN 4321
-#define LITTLE_ENDIAN 1234
-#endif
-
-#define ESRC(ep) ((ep)->ether_shost)
-#define EDST(ep) ((ep)->ether_dhost)
-
-#ifndef NTOHL
-#define NTOHL(x) (x) = ntohl(x)
-#define NTOHS(x) (x) = ntohs(x)
-#define HTONL(x) (x) = htonl(x)
-#define HTONS(x) (x) = htons(x)
-#endif
-#endif
-
-extern char *program_name; /* used to generate self-identifying messages */
-
-extern int32_t thiszone; /* seconds offset from gmt to local time */
-
-extern int snaplen;
-/* global pointer to end of current packet (during printing) */
-extern const u_char *snapend;
-
-/*
- * True if "l" bytes of "var" were captured.
- *
- * The "snapend - (l) <= snapend" checks to make sure "l" isn't so large
- * that "snapend - (l)" underflows.
- *
- * The check is for <= rather than < because "l" might be 0.
- */
-#define TTEST2(var, l) (snapend - (l) <= snapend && \
- (const u_char *)&(var) <= snapend - (l))
-
-/* True if "var" was captured */
-#define TTEST(var) TTEST2(var, sizeof(var))
-
-/* Bail if "l" bytes of "var" were not captured */
-#define TCHECK2(var, l) if (!TTEST2(var, l)) goto trunc
-
-/* Bail if "var" was not captured */
-#define TCHECK(var) TCHECK2(var, sizeof(var))
-
-extern void ts_print(const struct timeval *);
-extern void relts_print(int);
-
-extern int fn_print(const u_char *, const u_char *);
-extern int fn_printn(const u_char *, u_int, const u_char *);
-extern const char *tok2str(const struct tok *, const char *, int);
-extern int mask2plen(u_int32_t);
-extern char *bittok2str(const struct tok *, const char *, int);
-extern const char *tok2strary_internal(const char **, int, const char *, int);
-#define tok2strary(a,f,i) tok2strary_internal(a, sizeof(a)/sizeof(a[0]),f,i)
-
-extern const char *dnaddr_string(u_short);
-
-extern void error(const char *, ...)
- __attribute__((noreturn, format (printf, 1, 2)));
-extern void warning(const char *, ...) __attribute__ ((format (printf, 1, 2)));
-
-extern char *read_infile(char *);
-extern char *copy_argv(char **);
-
-extern void safeputchar(int);
-extern void safeputs(const char *);
-
-extern const char *isonsap_string(const u_char *);
-extern const char *llcsap_string(u_char);
-extern const char *protoid_string(const u_char *);
-extern const char *ipxsap_string(u_short);
-extern const char *dnname_string(u_short);
-extern const char *dnnum_string(u_short);
-
-/* The printer routines. */
-
-#include
-
-extern int print_unknown_data(const u_char *, const char *,int);
-extern void ascii_print_with_offset(const u_char *, const u_char *, u_int, u_int);
-extern void ascii_print(const u_char *, const u_char *, u_int);
-extern void hex_print_with_offset(const u_char *, const u_char *, u_int, u_int);
-extern void telnet_print(const u_char *, u_int);
-extern void hex_print(const u_char *, const u_char *, u_int);
-extern int ether_encap_print(u_short, const u_char *, u_int, u_int, u_short *);
-extern int llc_print(const u_char *, u_int, u_int, const u_char *,
- const u_char *, u_short *);
-extern int snap_print(const u_char *, u_int, u_int, u_short *, u_int32_t,
- u_short, u_int);
-extern void aarp_print(const u_char *, u_int);
-extern void aodv_print(const u_char *, u_int, int);
-extern void arp_print(const u_char *, u_int, u_int);
-extern void atalk_print(const u_char *, u_int);
-extern void atm_print(u_int, u_int, u_int, const u_char *, u_int, u_int);
-extern u_int atm_if_print(const struct pcap_pkthdr *, const u_char *);
-extern u_int sunatm_if_print(const struct pcap_pkthdr *, const u_char *);
-extern void bootp_print(const u_char *, u_int);
-extern void bgp_print(const u_char *, int);
-extern void beep_print(const u_char *, u_int);
-extern void cnfp_print(const u_char *, const u_char *);
-extern void decnet_print(const u_char *, u_int, u_int);
-extern void default_print(const u_char *, u_int);
-extern void default_print_unaligned(const u_char *, u_int);
-extern void dvmrp_print(const u_char *, u_int);
-extern void egp_print(const u_char *);
-extern u_int enc_if_print(const struct pcap_pkthdr *, const u_char *);
-extern u_int pflog_if_print(const struct pcap_pkthdr *, const u_char *);
-extern u_int arcnet_if_print(const struct pcap_pkthdr *, const u_char *);
-extern u_int arcnet_linux_if_print(const struct pcap_pkthdr *, const u_char *);
-extern void ether_print(const u_char *, u_int, u_int);
-extern u_int ether_if_print(const struct pcap_pkthdr *, const u_char *);
-extern u_int token_print(const u_char *, u_int, u_int);
-extern u_int token_if_print(const struct pcap_pkthdr *, const u_char *);
-extern void fddi_print(const u_char *, u_int, u_int);
-extern u_int fddi_if_print(const struct pcap_pkthdr *, const u_char *);
-extern u_int fr_if_print(const struct pcap_pkthdr *, const u_char *);
-extern u_int ieee802_11_if_print(const struct pcap_pkthdr *, const u_char *);
-extern u_int ieee802_11_radio_if_print(const struct pcap_pkthdr *,
- const u_char *);
-extern u_int ap1394_if_print(const struct pcap_pkthdr *, const u_char *);
-extern void gre_print(const u_char *, u_int);
-extern void icmp_print(const u_char *, u_int, const u_char *, int);
-extern void igmp_print(const u_char *, u_int);
-extern void igrp_print(const u_char *, u_int, const u_char *);
-extern void ip_print(const u_char *, u_int);
-extern void ipN_print(const u_char *, u_int);
-extern u_int ipfc_if_print(const struct pcap_pkthdr *, const u_char *);
-extern void ipx_print(const u_char *, u_int);
-extern void isoclns_print(const u_char *, u_int, u_int);
-extern void krb_print(const u_char *);
-extern u_int llap_print(const u_char *, u_int);
-extern u_int ltalk_if_print(const struct pcap_pkthdr *, const u_char *);
-extern void msdp_print(const unsigned char *, u_int);
-extern void nfsreply_print(const u_char *, u_int, const u_char *);
-extern void nfsreq_print(const u_char *, u_int, const u_char *);
-extern void ns_print(const u_char *, u_int, int);
-extern void ntp_print(const u_char *, u_int);
-extern u_int null_if_print(const struct pcap_pkthdr *, const u_char *);
-extern void ospf_print(const u_char *, u_int, const u_char *);
-extern void pimv1_print(const u_char *, u_int);
-extern void cisco_autorp_print(const u_char *, u_int);
-extern void rsvp_print(const u_char *, u_int);
-extern void ldp_print(const u_char *, u_int);
-extern void mobile_print(const u_char *, u_int);
-extern void pim_print(const u_char *, u_int);
-extern u_int pppoe_print(const u_char *, u_int);
-extern u_int ppp_print(register const u_char *, u_int);
-extern u_int ppp_if_print(const struct pcap_pkthdr *, const u_char *);
-extern u_int ppp_hdlc_if_print(const struct pcap_pkthdr *, const u_char *);
-extern u_int ppp_bsdos_if_print(const struct pcap_pkthdr *, const u_char *);
-extern u_int pppoe_if_print(const struct pcap_pkthdr *, const u_char *);
-extern u_int prism_if_print(const struct pcap_pkthdr *, const u_char *);
-extern int vjc_print(register const char *, u_short);
-extern u_int raw_if_print(const struct pcap_pkthdr *, const u_char *);
-extern void rip_print(const u_char *, u_int);
-extern u_int sl_if_print(const struct pcap_pkthdr *, const u_char *);
-extern void lane_print(const u_char *, u_int, u_int);
-extern u_int lane_if_print(const struct pcap_pkthdr *, const u_char *);
-extern u_int cip_if_print(const struct pcap_pkthdr *, const u_char *);
-extern u_int sl_bsdos_if_print(const struct pcap_pkthdr *, const u_char *);
-extern u_int chdlc_if_print(const struct pcap_pkthdr *, const u_char *);
-extern u_int sll_if_print(const struct pcap_pkthdr *, const u_char *);
-extern void snmp_print(const u_char *, u_int);
-extern void sunrpcrequest_print(const u_char *, u_int, const u_char *);
-extern void tcp_print(const u_char *, u_int, const u_char *, int);
-extern void tftp_print(const u_char *, u_int);
-extern void timed_print(const u_char *);
-extern void udp_print(const u_char *, u_int, const u_char *, int);
-extern void wb_print(const void *, u_int);
-extern int ah_print(register const u_char *);
-extern int esp_print(register const u_char *, register const u_char *, int *, int *);
-extern void isakmp_print(const u_char *, u_int, const u_char *);
-extern int ipcomp_print(register const u_char *, int *);
-extern void rx_print(register const u_char *, int, int, int, u_char *);
-extern void netbeui_print(u_short, const u_char *, int);
-extern void ipx_netbios_print(const u_char *, u_int);
-extern void
nbt_tcp_print(const u_char *, int); -extern void nbt_udp137_print(const u_char *, int); -extern void nbt_udp138_print(const u_char *, int); -extern char *smb_errstr(int, int); -extern void print_data(const unsigned char *, int); -extern void l2tp_print(const u_char *, u_int); -extern void vrrp_print(const u_char *, u_int, int); -extern void cdp_print(const u_char *, u_int, u_int); -extern void stp_print(const u_char *, u_int); -extern void radius_print(const u_char *, u_int); -extern void lwres_print(const u_char *, u_int); -extern void pptp_print(const u_char *); -extern void sctp_print(const u_char *, const u_char *, u_int); -extern void mpls_print(const u_char *, u_int); -extern void mpls_lsp_ping_print(const u_char *, u_int); -extern void zephyr_print(const u_char *, int); -extern void hsrp_print(const u_char *, u_int); -extern void bfd_print(const u_char *, u_int, u_int); - -#ifdef INET6 -extern void ip6_print(const u_char *, u_int); -extern void ip6_opt_print(const u_char *, int); -extern int hbhopt_print(const u_char *); -extern int dstopt_print(const u_char *); -extern int frag6_print(const u_char *, const u_char *); -extern int mobility_print(const u_char *, const u_char *); -extern void icmp6_print(const u_char *, u_int, const u_char *, int); -extern void ripng_print(const u_char *, unsigned int); -extern int rt6_print(const u_char *, const u_char *); -extern void ospf6_print(const u_char *, u_int); -extern void dhcp6_print(const u_char *, u_int); -#endif /*INET6*/ -extern u_short in_cksum(const u_short *, register u_int, int); -extern u_int16_t in_cksum_shouldbe(u_int16_t, u_int16_t); - -#ifndef HAVE_BPF_DUMP -struct bpf_program; - -extern void bpf_dump(struct bpf_program *, int); -#endif diff --git a/kame/kame/racoon/tcpdump/ipsec_doi.h b/kame/kame/racoon/tcpdump/ipsec_doi.h deleted file mode 100644 index 0f64dd1e64..0000000000 --- a/kame/kame/racoon/tcpdump/ipsec_doi.h +++ /dev/null 
@@ -1,151 +0,0 @@
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-/* YIPS @(#)$Id: ipsec_doi.h,v 1.1 2004/04/12 08:52:29 itojun Exp $ */
-
-/* refer to RFC 2407 */
-
-#if !defined(_IPSEC_DOI_H_)
-#define _IPSEC_DOI_H_
-
-#define IPSEC_DOI 1
-
-/* 4.2 IPSEC Situation Definition */
-#define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001
-#define IPSECDOI_SIT_SECRECY 0x00000002
-#define IPSECDOI_SIT_INTEGRITY 0x00000004
-
-/* 4.4.1 IPSEC Security Protocol Identifiers */
- /* 4.4.2 IPSEC ISAKMP Transform Values */
-#define IPSECDOI_PROTO_ISAKMP 1
-#define IPSECDOI_KEY_IKE 1
-
-/* 4.4.1 IPSEC Security Protocol Identifiers */
-#define IPSECDOI_PROTO_IPSEC_AH 2
- /* 4.4.3 IPSEC AH Transform Values */
-#define IPSECDOI_AH_MD5 2
-#define IPSECDOI_AH_SHA 3
-#define IPSECDOI_AH_DES 4
-#define IPSECDOI_AH_SHA2_256 5
-#define IPSECDOI_AH_SHA2_384 6
-#define IPSECDOI_AH_SHA2_512 7
-
-/* 4.4.1 IPSEC Security Protocol Identifiers */
-#define IPSECDOI_PROTO_IPSEC_ESP 3
- /* 4.4.4 IPSEC ESP Transform Identifiers */
-#define IPSECDOI_ESP_DES_IV64 1
-#define IPSECDOI_ESP_DES 2
-#define IPSECDOI_ESP_3DES 3
-#define IPSECDOI_ESP_RC5 4
-#define IPSECDOI_ESP_IDEA 5
-#define IPSECDOI_ESP_CAST 6
-#define IPSECDOI_ESP_BLOWFISH 7
-#define IPSECDOI_ESP_3IDEA 8
-#define IPSECDOI_ESP_DES_IV32 9
-#define IPSECDOI_ESP_RC4 10
-#define IPSECDOI_ESP_NULL 11
-#define IPSECDOI_ESP_RIJNDAEL 12
-#define IPSECDOI_ESP_AES 12
-
-/* 4.4.1 IPSEC Security Protocol Identifiers */
-#define IPSECDOI_PROTO_IPCOMP 4
- /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
-#define IPSECDOI_IPCOMP_OUI 1
-#define IPSECDOI_IPCOMP_DEFLATE 2
-#define IPSECDOI_IPCOMP_LZS 3
-
-/* 4.5 IPSEC Security Association Attributes */
-#define IPSECDOI_ATTR_SA_LTYPE 1 /* B */
-#define IPSECDOI_ATTR_SA_LTYPE_DEFAULT 1
-#define IPSECDOI_ATTR_SA_LTYPE_SEC 1
-#define IPSECDOI_ATTR_SA_LTYPE_KB 2
-#define IPSECDOI_ATTR_SA_LDUR 2 /* V */
-#define IPSECDOI_ATTR_SA_LDUR_DEFAULT 28800 /* 8 hours */
-#define IPSECDOI_ATTR_GRP_DESC 3 /* B */
-#define IPSECDOI_ATTR_ENC_MODE 4 /* B */
- /* default value: host dependent */
-#define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1
-#define IPSECDOI_ATTR_ENC_MODE_TRNS 2
-#define IPSECDOI_ATTR_AUTH 5 /* B */
- /* 0 means not to use authentication. */
-#define IPSECDOI_ATTR_AUTH_HMAC_MD5 1
-#define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2
-#define IPSECDOI_ATTR_AUTH_DES_MAC 3
-#define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/
- /*
- * When negotiating ESP without authentication, the Auth
- * Algorithm attribute MUST NOT be included in the proposal.
- * When negotiating ESP without confidentiality, the Auth
- * Algorithm attribute MUST be included in the proposal and
- * the ESP transform ID must be ESP_NULL.
- */
-#define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */
-#define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */
-#define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */
-#define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */
-
-/* 4.6.1 Security Association Payload */
-struct ipsecdoi_sa {
- struct isakmp_gen h;
- u_int32_t doi; /* Domain of Interpretation */
- u_int32_t sit; /* Situation */
-};
-
-struct ipsecdoi_secrecy_h {
- u_int16_t len;
- u_int16_t reserved;
-};
-
-/* 4.6.2.1 Identification Type Values */
-struct ipsecdoi_id {
- struct isakmp_gen h;
- u_int8_t type; /* ID Type */
- u_int8_t proto_id; /* Protocol ID */
- u_int16_t port; /* Port */
- /* Identification Data */
-};
-
-#define IPSECDOI_ID_IPV4_ADDR 1
-#define IPSECDOI_ID_FQDN 2
-#define IPSECDOI_ID_USER_FQDN 3
-#define IPSECDOI_ID_IPV4_ADDR_SUBNET 4
-#define IPSECDOI_ID_IPV6_ADDR 5
-#define IPSECDOI_ID_IPV6_ADDR_SUBNET 6
-#define IPSECDOI_ID_IPV4_ADDR_RANGE 7
-#define IPSECDOI_ID_IPV6_ADDR_RANGE 8
-#define IPSECDOI_ID_DER_ASN1_DN 9
-#define IPSECDOI_ID_DER_ASN1_GN 10
-#define IPSECDOI_ID_KEY_ID 11
-
-/* 4.6.3 IPSEC DOI Notify Message Types */
-/* Notify Messages - Status Types */
-#define IPSECDOI_NTYPE_RESPONDER_LIFETIME 24576
-#define IPSECDOI_NTYPE_REPLAY_STATUS 24577
-#define IPSECDOI_NTYPE_INITIAL_CONTACT 24578
-
-#endif /* !defined(_IPSEC_DOI_H_) */
diff --git a/kame/kame/racoon/tcpdump/isakmp.h b/kame/kame/racoon/tcpdump/isakmp.h
deleted file mode 100644
index a3481353b8..0000000000
--- a/kame/kame/racoon/tcpdump/isakmp.h
+++ /dev/null
@@ -1,378 +0,0 @@
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-/* YIPS @(#)$Id: isakmp.h,v 1.1 2004/04/12 08:52:29 itojun Exp $ */
-
-/* refer to RFC 2408 */
-
-/* must include */
-
-#if !defined(_ISAKMP_H_)
-#define _ISAKMP_H_
-
-typedef u_char cookie_t[8];
-typedef u_char msgid_t[4];
-
-typedef struct { /* i_cookie + r_cookie */
- cookie_t i_ck;
- cookie_t r_ck;
-} isakmp_index;
-
-#define INITIATOR 1
-#define RESPONDER 2
-
-#define PORT_ISAKMP 500
-
-#define GENERATE 1
-#define VALIDATE 0
-
-/* Phase of oakley definition */
-/*
- 0000 0000 0000 0000
- | |||| ||||
- | |||| ++++--> negosiation number in phase
- | ++++-------> phase number
- +---------------> expire ?
- */
-#define ISAKMP_PH1 0x0010
-#define ISAKMP_PH2 0x0020
-#define ISAKMP_EXPIRED 0x0100
-
-#define ISAKMP_NGP_0 0x0000
-#define ISAKMP_NGP_1 0x0001
-#define ISAKMP_NGP_2 0x0002
-#define ISAKMP_NGP_3 0x0003
-#define ISAKMP_NGP_4 0x0004
-
-#define ISAKMP_PH1_N (ISAKMP_PH1 | ISAKMP_NGP_0) /* i.e. spawn */
-#define ISAKMP_PH1_1 (ISAKMP_PH1 | ISAKMP_NGP_1)
-#define ISAKMP_PH1_2 (ISAKMP_PH1 | ISAKMP_NGP_2)
-#define ISAKMP_PH1_3 (ISAKMP_PH1 | ISAKMP_NGP_3)
-#define ISAKMP_PH2_N (ISAKMP_PH2 | ISAKMP_NGP_0)
-#define ISAKMP_PH2_1 (ISAKMP_PH2 | ISAKMP_NGP_1)
-#define ISAKMP_PH2_2 (ISAKMP_PH2 | ISAKMP_NGP_2)
-#define ISAKMP_PH2_3 (ISAKMP_PH2 | ISAKMP_NGP_3)
-
-#define ISAKMP_TIMER_DEFAULT 10 /* seconds */
-#define ISAKMP_TRY_DEFAULT 3 /* times */
-
-/* 3.1 ISAKMP Header Format
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- ! Initiator !
- ! Cookie !
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- ! Responder !
- ! Cookie !
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- ! Message ID !
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- ! Length !
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-struct isakmp {
- cookie_t i_ck; /* Initiator Cookie */
- cookie_t r_ck; /* Responder Cookie */
- u_int8_t np; /* Next Payload Type */
- u_int8_t vers;
-#define ISAKMP_VERS_MAJOR 0xf0
-#define ISAKMP_VERS_MAJOR_SHIFT 4
-#define ISAKMP_VERS_MINOR 0x0f
-#define ISAKMP_VERS_MINOR_SHIFT 0
- u_int8_t etype; /* Exchange Type */
- u_int8_t flags; /* Flags */
- msgid_t msgid;
- u_int32_t len; /* Length */
-};
-
-/* Next Payload Type */
-#define ISAKMP_NPTYPE_NONE 0 /* NONE*/
-#define ISAKMP_NPTYPE_SA 1 /* Security Association */
-#define ISAKMP_NPTYPE_P 2 /* Proposal */
-#define ISAKMP_NPTYPE_T 3 /* Transform */
-#define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
-#define ISAKMP_NPTYPE_ID 5 /* Identification */
-#define ISAKMP_NPTYPE_CERT 6 /* Certificate */
-#define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
-#define ISAKMP_NPTYPE_HASH 8 /* Hash */
-#define ISAKMP_NPTYPE_SIG 9 /* Signature */
-#define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
-#define ISAKMP_NPTYPE_N 11 /* Notification */
-#define ISAKMP_NPTYPE_D 12 /* Delete */
-#define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
-
-#define ISAKMP_MAJOR_VERSION 1
-#define ISAKMP_MINOR_VERSION 0
-
-/* Exchange Type */
-#define ISAKMP_ETYPE_NONE 0 /* NONE */
-#define ISAKMP_ETYPE_BASE 1 /* Base */
-#define ISAKMP_ETYPE_IDENT 2 /* Identity Proteciton */
-#define ISAKMP_ETYPE_AUTH 3 /* Authentication Only */
-#define ISAKMP_ETYPE_AGG 4 /* Aggressive */
-#define ISAKMP_ETYPE_INF 5 /* Informational */
-
-/* Flags */
-#define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
-#define ISAKMP_FLAG_C 0x02 /* Commit Bit */
-
-/* 3.2 Payload Generic Header
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- ! Next Payload ! RESERVED ! Payload Length !
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-struct isakmp_gen {
- u_int8_t np; /* Next Payload */
- u_int8_t reserved; /* RESERVED, unused, must set to 0 */
- u_int16_t len; /* Payload Length */
-};
-
-/* 3.3 Data Attributes
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- !A! Attribute Type ! AF=0 Attribute Length !
- !F! ! AF=1 Attribute Value !
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- . AF=0 Attribute Value .
- . AF=1 Not Transmitted .
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-struct isakmp_data {
- u_int16_t type; /* defined by DOI-spec, and Attribute Format */
- u_int16_t lorv; /* if f equal 1, Attribute Length */
- /* if f equal 0, Attribute Value */
- /* if f equal 1, Attribute Value */
-};
-#define ISAKMP_GEN_TLV 0x0000
-#define ISAKMP_GEN_TV 0x8000
- /* mask for type of attribute format */
-#define ISAKMP_GEN_MASK 0x8000
-
-/* 3.4 Security Association Payload */
- /* MAY NOT be used, because of being defined in ipsec-doi. */
- /*
- If the current payload is the last in the message,
- then the value of the next payload field will be 0.
- This field MUST NOT contain the
- values for the Proposal or Transform payloads as they are considered
- part of the security association negotiation. For example, this
- field would contain the value "10" (Nonce payload) in the first
- message of a Base Exchange (see Section 4.4) and the value "0" in the
- first message of an Identity Protect Exchange (see Section 4.5).
- */
-struct isakmp_pl_sa {
- struct isakmp_gen h;
- u_int32_t doi; /* Domain of Interpretation */
- u_int32_t sit; /* Situation */
-};
-
-/* 3.5 Proposal Payload */
- /*
- The value of the next payload field MUST only contain the value "2"
- or "0". If there are additional Proposal payloads in the message,
- then this field will be 2. If the current Proposal payload is the
- last within the security association proposal, then this field will
- be 0.
- */
-struct isakmp_pl_p {
- struct isakmp_gen h;
- u_int8_t p_no; /* Proposal # */
- u_int8_t prot_id; /* Protocol */
- u_int8_t spi_size; /* SPI Size */
- u_int8_t num_t; /* Number of Transforms */
- /* SPI */
-};
-
-/* 3.6 Transform Payload */
- /*
- The value of the next payload field MUST only contain the value "3"
- or "0". If there are additional Transform payloads in the proposal,
- then this field will be 3. If the current Transform payload is the
- last within the proposal, then this field will be 0.
- */
-struct isakmp_pl_t {
- struct isakmp_gen h;
- u_int8_t t_no; /* Transform # */
- u_int8_t t_id; /* Transform-Id */
- u_int16_t reserved; /* RESERVED2 */
- /* SA Attributes */
-};
-
-/* 3.7 Key Exchange Payload */
-struct isakmp_pl_ke {
- struct isakmp_gen h;
- /* Key Exchange Data */
-};
-
-/* 3.8 Identification Payload */
- /* MUST NOT to be used, because of being defined in ipsec-doi. */
-struct isakmp_pl_id {
- struct isakmp_gen h;
- union {
- u_int8_t id_type; /* ID Type */
- u_int32_t doi_data; /* DOI Specific ID Data */
- } d;
- /* Identification Data */
-};
-
-/* 3.9 Certificate Payload */
-struct isakmp_pl_cert {
- struct isakmp_gen h;
- u_int8_t encode; /* Cert Encoding */
- char cert; /* Certificate Data */
- /*
- This field indicates the type of
- certificate or certificate-related information contained in the
- Certificate Data field.
- */
-};
-
-/* Certificate Type */
-#define ISAKMP_CERT_NONE 0
-#define ISAKMP_CERT_PKCS 1
-#define ISAKMP_CERT_PGP 2
-#define ISAKMP_CERT_DNS 3
-#define ISAKMP_CERT_SIGN 4
-#define ISAKMP_CERT_KE 5
-#define ISAKMP_CERT_KT 6
-#define ISAKMP_CERT_CRL 7
-#define ISAKMP_CERT_ARL 8
-#define ISAKMP_CERT_SPKI 9
-
-/* 3.10 Certificate Request Payload */
-struct isakmp_pl_cr {
- struct isakmp_gen h;
- u_int8_t num_cert; /* # Cert. Types */
- /*
- Certificate Types (variable length)
- -- Contains a list of the types of certificates requested,
- sorted in order of preference. Each individual certificate
- type is 1 octet. This field is NOT requiredo
- */
- /* # Certificate Authorities (1 octet) */
- /* Certificate Authorities (variable length) */
-};
-
-/* 3.11 Hash Payload */
- /* may not be used, because of having only data. */
-struct isakmp_pl_hash {
- struct isakmp_gen h;
- /* Hash Data */
-};
-
-/* 3.12 Signature Payload */
- /* may not be used, because of having only data. */
-struct isakmp_pl_sig {
- struct isakmp_gen h;
- /* Signature Data */
-};
-
-/* 3.13 Nonce Payload */
- /* may not be used, because of having only data. */
-struct isakmp_pl_nonce {
- struct isakmp_gen h;
- /* Nonce Data */
-};
-
-/* 3.14 Notification Payload */
-struct isakmp_pl_n {
- struct isakmp_gen h;
- u_int32_t doi; /* Domain of Interpretation */
- u_int8_t prot_id; /* Protocol-ID */
- u_int8_t spi_size; /* SPI Size */
- u_int16_t type; /* Notify Message Type */
- /* SPI */
- /* Notification Data */
-};
-
-/* 3.14.1 Notify Message Types */
-/* NOTIFY MESSAGES - ERROR TYPES */
-#define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
-#define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
-#define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
-#define ISAKMP_NTYPE_INVALID_COOKIE 4
-#define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
-#define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
-#define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
-#define ISAKMP_NTYPE_INVALID_FLAGS 8
-#define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
-#define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
-#define ISAKMP_NTYPE_INVALID_SPI 11
-#define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
-#define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
-#define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
-#define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
-#define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
-#define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
-#define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
-#define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
-#define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
-#define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
-#define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
-#define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
-#define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
-#define ISAKMP_NTYPE_INVALID_SIGNATURE 25
-#define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
-/* NOTIFY MESSAGES - STATUS TYPES */
-#define ISAKMP_NTYPE_CONNECTED 16384
-/* using only to log */
-#define ISAKMP_LOG_RETRY_LIMIT_REACHED 65530
-
-/* 3.15 Delete Payload */
-struct isakmp_pl_d {
- struct isakmp_gen h;
- u_int32_t doi; /* Domain of Interpretation */
- u_int8_t prot_id; /* Protocol-Id */
- u_int8_t spi_size; /* SPI Size */
- u_int16_t num_spi; /* # of SPIs */
- /* SPI(es) */
-};
-
-
-struct isakmp_ph1tab {
- struct isakmp_ph1 *head;
- struct isakmp_ph1 *tail;
- int len;
-};
-
-struct isakmp_ph2tab {
- struct isakmp_ph2 *head;
- struct isakmp_ph2 *tail;
- int len;
-};
-
-#define EXCHANGE_PROXY 1
-#define EXCHANGE_MYSELF 0
-
-#define PFS_NEED 1
-#define PFS_NONEED 0
-
-#endif /* !defined(_ISAKMP_H_) */
diff --git a/kame/kame/racoon/tcpdump/oakley.h b/kame/kame/racoon/tcpdump/oakley.h
deleted file mode 100644
index 8c5e3f7a19..0000000000
--- a/kame/kame/racoon/tcpdump/oakley.h
+++ /dev/null
@@ -1,126 +0,0 @@
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-/* YIPS @(#)$Id: oakley.h,v 1.1 2004/04/12 08:52:29 itojun Exp $ */
-
-/* refer to RFC 2409 */
-
-#if !defined(_ISAKMP_OAKLEY_H_)
-#define _ISAKMP_OAKLEY_H_
-
-/* Attribute Classes */
-#define OAKLEY_ATTR_ENC_ALG 1 /* B */
-#define OAKLEY_ATTR_ENC_ALG_DES 1
-#define OAKLEY_ATTR_ENC_ALG_IDEA 2
-#define OAKLEY_ATTR_ENC_ALG_BL 3
-#define OAKLEY_ATTR_ENC_ALG_RC5 4
-#define OAKLEY_ATTR_ENC_ALG_3DES 5
-#define OAKLEY_ATTR_ENC_ALG_CAST 6
-#define OAKLEY_ATTR_HASH_ALG 2 /* B */
-#define OAKLEY_ATTR_HASH_ALG_MD5 1
-#define OAKLEY_ATTR_HASH_ALG_SHA 2
-#define OAKLEY_ATTR_HASH_ALG_TIGER 3
-#define OAKLEY_ATTR_AUTH_METHOD 3 /* B */
-#define OAKLEY_ATTR_AUTH_METHOD_PSKEY 1
-#define OAKLEY_ATTR_AUTH_METHOD_DSS 2
-#define OAKLEY_ATTR_AUTH_METHOD_RSA 3
-#define OAKLEY_ATTR_AUTH_METHOD_RSAENC 4
-#define OAKLEY_ATTR_AUTH_METHOD_RSAREV 5
-#define OAKLEY_ATTR_GRP_DESC 4 /* B */
-#define OAKLEY_ATTR_GRP_DESC_MODP768 1
-#define OAKLEY_ATTR_GRP_DESC_MODP1024 2
-#define OAKLEY_ATTR_GRP_DESC_EC2N155 3
-#define OAKLEY_ATTR_GRP_DESC_EC2N185 4
-#define OAKLEY_ATTR_GRP_TYPE 5 /* B */
-#define OAKLEY_ATTR_GRP_TYPE_MODP 1
-#define OAKLEY_ATTR_GRP_TYPE_ECP 2
-#define OAKLEY_ATTR_GRP_TYPE_EC2N 3
-#define OAKLEY_ATTR_GRP_PI 6 /* V */
-#define OAKLEY_ATTR_GRP_GEN_ONE 7 /* V */
-#define OAKLEY_ATTR_GRP_GEN_TWO 8 /* V */
-#define OAKLEY_ATTR_GRP_CURVE_A 9 /* V */
-#define OAKLEY_ATTR_GRP_CURVE_B 10 /* V */
-#define OAKLEY_ATTR_SA_LTYPE 11 /* B */
-#define OAKLEY_ATTR_SA_LTYPE_DEFAULT 1
-#define OAKLEY_ATTR_SA_LTYPE_SEC 1
-#define OAKLEY_ATTR_SA_LTYPE_KB 2
-#define OAKLEY_ATTR_SA_LDUR 12 /* V */
-#define OAKLEY_ATTR_SA_LDUR_DEFAULT 28800 /* 8 hours */
-#define OAKLEY_ATTR_PRF 13 /* B */
-#define OAKLEY_ATTR_KEY_LEN 14 /* B */
-#define OAKLEY_ATTR_FIELD_SIZE 15 /* B */
-#define OAKLEY_ATTR_GRP_ORDER 16 /* V */
-
-#define OAKLEY_ID_IPV4_ADDR 0
-#define OAKLEY_ID_IPV4_ADDR_SUBNET 1
-#define OAKLEY_ID_IPV6_ADDR 2
-#define OAKLEY_ID_IPV6_ADDR_SUBNET 3
-
-/* Additional Exchange Type */
-#define ISAKMP_ETYPE_QUICK 32
-#define ISAKMP_ETYPE_NEWGRP 33
-
-/* The use for checking proposal payload. This is not exchange type. */
-#define OAKLEY_MAIN_MODE 0
-#define OAKLEY_QUICK_MODE 1
-
-#define OAKLEY_PRIME_MODP768 "\
- FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 \
- 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD \
- EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 \
- E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF"
-
-#define OAKLEY_PRIME_MODP1024 "\
- FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 \
- 29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD \
- EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 \
- E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
- EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
- FFFFFFFF FFFFFFFF"
-
-#define DEFAULTSECRETSIZE ( 128 / 8 ) /* 128 bits */
-#define DEFAULTNONCESIZE ( 128 / 8 ) /* 128 bits */
-
-#define MAXPADLWORD 20
-
-#if 0
-/* isakmp sa structure */
-struct oakley_sa {
- u_int8_t proto_id; /* OAKLEY */
- vchar_t *spi; /* spi */
- u_int8_t dhgrp; /* DH; group */
- u_int8_t auth_t; /* method of authentication */
- u_int8_t prf_t; /* type of prf */
- u_int8_t hash_t; /* type of hash */
- u_int8_t enc_t; /* type of cipher */
- u_int8_t life_t; /* type of duration of lifetime */
- u_int32_t ldur; /* life duration */
-};
-#endif
-
-#endif /* !defined(_ISAKMP_OAKLEY_H_) */
diff --git a/kame/kame/racoon/var.h b/kame/kame/racoon/var.h
deleted file mode 100644
index 334c03cea7..0000000000
--- a/kame/kame/racoon/var.h
+++ /dev/null
@@ -1,90 +0,0 @@
-/* $KAME: var.h,v 1.14 2003/07/29 04:46:14 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#if !defined(_VAR_H_)
-#define _VAR_H_
-
-#define MAX3(a, b, c) (a > b ? (a > c ? a : c) : (b > c ? b : c))
-
-#define ISSET(exp, bit) (((exp) & (bit)) == (bit))
-
-#define LALIGN(a) \
- ((a) > 0 ? ((a) &~ (sizeof(long) - 1)) : sizeof(long))
-
-#define RNDUP(a) \
- ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
-
-#define ARRAYLEN(a) (sizeof(a)/sizeof(a[0]))
-
-#define BUFSIZE 5120
-
-#ifndef FALSE
-#define FALSE 0
-#endif
-#ifndef TRUE
-#define TRUE 1
-#endif
-
-#ifdef ENABLE_STATS
-#include
-#endif
-#include
-
-/*
- * XXX use of GETNAMEINFO(x, y, NULL) is not politically correct,
- * as sizeof(NULL) would be 4, not 0.
- */
-#include
-#include
-
-/* var.h is used from non-racoon code (like eaytest), so we can't use niflags */
-#define NIFLAGS (NI_NUMERICHOST | NI_NUMERICSERV)
-
-#define GETNAMEINFO(x, y, z) \
-do { \
- if (getnameinfo((x), (x)->sa_len, (y), sizeof(y), (z), sizeof(z), \
- NIFLAGS) != 0) { \
- if (y) \
- strlcpy((y), "(invalid)", sizeof(y)); \
- if (z) \
- strlcpy((z), "(invalid)", sizeof(z)); \
- } \
-} while (0);
-
-#include
-#ifndef LIST_FOREACH
-#define LIST_FOREACH(elm, head, field) \
- for (elm = LIST_FIRST(head); elm; elm = LIST_NEXT(elm, field))
-#endif
-
-#include "gcmalloc.h"
-
-#endif /*!defined(_VAR_H_)*/
diff --git a/kame/kame/racoon/vendorid.c b/kame/kame/racoon/vendorid.c
deleted file mode 100644
index 438f68598c..0000000000
--- a/kame/kame/racoon/vendorid.c
+++ /dev/null
@@ -1,139 +0,0 @@
-/* $KAME: vendorid.c,v 1.9 2004/09/10 04:46:02 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include
-#include
-
-#include
-#include
-#include
-#include
-#include
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "debug.h"
-
-#include "localconf.h"
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "vendorid.h"
-#include "crypto_openssl.h"
-
-const char *vendorid_strings[] = VENDORID_STRINGS;
-
-/*
- * set hashed vendor id.
- * hash function is always MD5.
- */
-vchar_t *
-set_vendorid(int vendorid)
-{
- vchar_t vid, *vidhash;
-
- if (vendorid == VENDORID_UNKNOWN) {
- /*
- * The default unknown ID gets translated to
- * KAME/racoon.
- */
- vendorid = VENDORID_KAME;
- }
-
- if (vendorid < 0 || vendorid >= NUMVENDORIDS) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid vendor ID index: %d\n", vendorid);
- return (NULL);
- }
-
- /* XXX Cast away const. */
- vid.v = (char *) vendorid_strings[vendorid];
- vid.l = strlen(vendorid_strings[vendorid]);
-
- vidhash = eay_md5_one(&vid);
- if (vidhash == NULL)
- plog(LLV_ERROR, LOCATION, NULL,
- "unable to hash vendor ID string\n");
-
- return vidhash;
-}
-
-/*
- * Check the vendor ID payload -- return the vendor ID index
- * if we find a recognized one, or UNKNOWN if we don't.
- */
-int
-check_vendorid(gen)
- struct isakmp_gen *gen; /* points to Vendor ID payload */
-{
- vchar_t vid, *vidhash;
- int i, vidlen;
-
- if (gen == NULL)
- return (VENDORID_UNKNOWN);
-
- vidlen = ntohs(gen->len) - sizeof(*gen);
-
- for (i = 0; i < NUMVENDORIDS; i++) {
- /* XXX Cast away const. */
- vid.v = (char *) vendorid_strings[i];
- vid.l = strlen(vendorid_strings[i]);
-
- vidhash = eay_md5_one(&vid);
- if (vidhash == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "unable to hash vendor ID string\n");
- return (VENDORID_UNKNOWN);
- }
-
- /*
- * XXX THIS IS NOT QUITE RIGHT!
- *
- * But we need to be able to recognize
- * Windows 2000's ID, which is the MD5
- * hash of a known string + 4 bytes of
- * what appears to be version info.
- */
- if (vidhash->l <= vidlen &&
- memcmp(vidhash->v, gen + 1, vidhash->l) == 0) {
- plog(LLV_INFO, LOCATION, NULL,
- "received Vendor ID: %s\n",
- vendorid_strings[i]);
- vfree(vidhash);
- return (i);
- }
- vfree(vidhash);
- }
-
- plog(LLV_DEBUG, LOCATION, NULL, "received unknown Vendor ID\n");
- return (VENDORID_UNKNOWN);
-}
diff --git a/kame/kame/racoon/vendorid.h b/kame/kame/racoon/vendorid.h
deleted file mode 100644
index 0a8786876d..0000000000
--- a/kame/kame/racoon/vendorid.h
+++ /dev/null
@@ -1,62 +0,0 @@
-/* $KAME: vendorid.h,v 1.6 2001/03/27 02:39:58 thorpej Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* The unknown vendor ID. */
-#define VENDORID_UNKNOWN -1
-
-/* Our default vendor ID. */
-#define VENDORID_KAME 0
-
-/*
- * Refer to draft-ietf-ipsec-isakmp-gss-auth-06.txt.
- */
-#define VENDORID_GSSAPI_LONG 1
-#define VENDORID_GSSAPI 2
-#define VENDORID_MS_NT5 3
-#define VENDOR_SUPPORTS_GSSAPI(x) \
- ((x) == VENDORID_GSSAPI_LONG || \
- (x) == VENDORID_GSSAPI || \
- (x) == VENDORID_MS_NT5)
-
-#define NUMVENDORIDS 4
-
-#define VENDORID_STRINGS \
-{ \
- "KAME/racoon", \
- "A GSS-API Authentication Method for IKE", \
- "GSSAPI", \
- "MS NT5 ISAKMPOAKLEY", \
-}
-
-extern const char *vendorid_strings[];
-
-vchar_t *set_vendorid __P((int));
-int check_vendorid __P((struct isakmp_gen *));
diff --git a/kame/kame/racoon/vmbuf.c b/kame/kame/racoon/vmbuf.c
deleted file mode 100644
index 15331310c5..0000000000
--- a/kame/kame/racoon/vmbuf.c
+++ /dev/null
@@ -1,115 +0,0 @@
-/* $KAME: vmbuf.c,v 1.11 2001/11/26 16:54:29 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#define NONEED_DRM
-#include
-#include
-
-#include
-#include
-#include
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "debug.h"
-#include "gcmalloc.h"
-
-vchar_t *
-vmalloc(size)
- size_t size;
-{
- vchar_t *var;
-
- if ((var = (vchar_t *)racoon_malloc(sizeof(*var))) == NULL)
- return NULL;
-
- var->l = size;
- var->v = (caddr_t)racoon_calloc(1, size);
- if (var->v == NULL) {
- (void)racoon_free(var);
- return NULL;
- }
-
- return var;
-}
-
-vchar_t *
-vrealloc(ptr, size)
- vchar_t *ptr;
- size_t size;
-{
- caddr_t v;
-
- if (ptr != NULL) {
- if ((v = (caddr_t)racoon_realloc(ptr->v, size)) == NULL) {
- (void)vfree(ptr);
- return NULL;
- }
- memset(v + ptr->l, 0, size - ptr->l);
- ptr->v = v;
- ptr->l = size;
- } else {
- if ((ptr = vmalloc(size)) == NULL)
- return NULL;
- }
-
- return ptr;
-}
-
-void
-vfree(var)
- vchar_t *var;
-{
- if (var == NULL)
- return;
-
- if (var->v)
- (void)racoon_free(var->v);
-
- (void)racoon_free(var);
-
- return;
-}
-
-vchar_t *
-vdup(src)
- vchar_t *src;
-{
- vchar_t *new;
-
- if ((new = vmalloc(src->l)) == NULL)
- return NULL;
-
- memcpy(new->v, src->v, src->l);
-
- return new;
-}
diff --git a/kame/kame/racoon/vmbuf.h b/kame/kame/racoon/vmbuf.h
deleted file mode 100644
index 08cd10a519..0000000000
--- a/kame/kame/racoon/vmbuf.h
+++ /dev/null
@@ -1,61 +0,0 @@
-/* $KAME: vmbuf.h,v 1.8 2001/12/12 21:18:33 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * bp v
- * v v
- * ........................
- * <--------------> l
- * <----------------------> bl
- */
-typedef struct _vchar_t_ {
-#if notyet
- u_int32_t t; /* type of the value */
- vchar_t *n; /* next vchar_t buffer */
- size_t bl; /* length of the buffer */
- caddr_t bp; /* pointer to the buffer */
-#endif
- size_t l; /* length of the value */
- caddr_t v; /* place holder to the pointer to the value */
-} vchar_t;
-
-#define VPTRINIT(p) \
-do { \
- if (p) { \
- vfree(p); \
- (p) = NULL; \
- } \
-} while(0);
-
-extern vchar_t *vmalloc __P((size_t));
-extern vchar_t *vrealloc __P((vchar_t *, size_t));
-extern void vfree __P((vchar_t *));
-extern vchar_t *vdup __P((vchar_t *));