authorHansen Kurli <hkurli@google.com>2023-11-15 07:09:26 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>2023-11-15 07:09:26 +0000
commitc76061a1b5935e0010184119e641c8d028a447c5 (patch)
tree9e408e7770678de657c8a7d6a71a18691ce7a126
parent2e54ef8c4850ceca75cf9470357bab9d0e35843b (diff)
parent983a494a99bd10477555fa8d1a217bca12e29cd4 (diff)
downloadipsec-tools-c76061a1b5935e0010184119e641c8d028a447c5.tar.gz
Merge "Remove racoon." into main am: 983a494a99
Original change: https://android-review.googlesource.com/c/platform/external/ipsec-tools/+/2825853 Change-Id: I4b5fa5017ff7ba01162ab9e13a46b0c177f020e1 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r--Android.bp74
-rw-r--r--Makefile35
-rw-r--r--README1
-rw-r--r--main.c243
-rw-r--r--racoon.rc9
-rw-r--r--setup.c708
-rw-r--r--src/racoon/MODULE_LICENSE_BSD0
-rw-r--r--src/racoon/Makefile.am127
-rw-r--r--src/racoon/Makefile.in1000
-rw-r--r--src/racoon/NOTICE325
-rw-r--r--src/racoon/TODO131
-rw-r--r--src/racoon/admin.c628
-rw-r--r--src/racoon/admin.h114
-rw-r--r--src/racoon/admin_var.h41
-rw-r--r--src/racoon/algorithm.c957
-rw-r--r--src/racoon/algorithm.h216
-rw-r--r--src/racoon/backupsa.c468
-rw-r--r--src/racoon/backupsa.h41
-rw-r--r--src/racoon/cfparse.h392
-rw-r--r--src/racoon/cfparse.y2599
-rw-r--r--src/racoon/cfparse_proto.h42
-rw-r--r--src/racoon/cftoken.l795
-rw-r--r--src/racoon/cftoken_proto.h48
-rw-r--r--src/racoon/contrib/sp.pl21
-rw-r--r--src/racoon/crypto_openssl.c2852
-rw-r--r--src/racoon/crypto_openssl.h234
-rw-r--r--src/racoon/debug.h41
-rw-r--r--src/racoon/debugrm.h102
-rw-r--r--src/racoon/dhgroup.h205
-rw-r--r--src/racoon/dnssec.c154
-rw-r--r--src/racoon/dnssec.h39
-rw-r--r--src/racoon/doc/FAQ114
-rw-r--r--src/racoon/doc/README.certificate1
-rw-r--r--src/racoon/doc/README.gssapi106
-rw-r--r--src/racoon/doc/README.plainrsa109
-rw-r--r--src/racoon/dump.h41
-rw-r--r--src/racoon/eaytest.c1068
-rw-r--r--src/racoon/evt.c158
-rw-r--r--src/racoon/evt.h88
-rw-r--r--src/racoon/gcmalloc.h127
-rw-r--r--src/racoon/genlist.c174
-rw-r--r--src/racoon/genlist.h82
-rw-r--r--src/racoon/getcertsbyname.c418
-rw-r--r--src/racoon/gnuc.h46
-rw-r--r--src/racoon/grabmyaddr.c938
-rw-r--r--src/racoon/grabmyaddr.h56
-rw-r--r--src/racoon/gssapi.c749
-rw-r--r--src/racoon/gssapi.h91
-rw-r--r--src/racoon/handler.c1571
-rw-r--r--src/racoon/handler.h483
-rw-r--r--src/racoon/ipsec_doi.c4949
-rw-r--r--src/racoon/ipsec_doi.h243
-rw-r--r--src/racoon/isakmp.c3643
-rw-r--r--src/racoon/isakmp.h429
-rw-r--r--src/racoon/isakmp_agg.c1489
-rw-r--r--src/racoon/isakmp_agg.h46
-rw-r--r--src/racoon/isakmp_base.c1407
-rw-r--r--src/racoon/isakmp_base.h48
-rw-r--r--src/racoon/isakmp_cfg.c2194
-rw-r--r--src/racoon/isakmp_cfg.h229
-rw-r--r--src/racoon/isakmp_frag.c356
-rw-r--r--src/racoon/isakmp_frag.h58
-rw-r--r--src/racoon/isakmp_ident.c1911
-rw-r--r--src/racoon/isakmp_ident.h52
-rw-r--r--src/racoon/isakmp_inf.c1714
-rw-r--r--src/racoon/isakmp_inf.h60
-rw-r--r--src/racoon/isakmp_newg.c232
-rw-r--r--src/racoon/isakmp_newg.h39
-rw-r--r--src/racoon/isakmp_quick.c2189
-rw-r--r--src/racoon/isakmp_quick.h50
-rw-r--r--src/racoon/isakmp_unity.c411
-rw-r--r--src/racoon/isakmp_unity.h74
-rw-r--r--src/racoon/isakmp_var.h132
-rw-r--r--src/racoon/isakmp_xauth.c1704
-rw-r--r--src/racoon/isakmp_xauth.h155
-rw-r--r--src/racoon/kmpstat.c227
-rw-r--r--src/racoon/localconf.c371
-rw-r--r--src/racoon/localconf.h137
-rw-r--r--src/racoon/logger.c262
-rw-r--r--src/racoon/logger.h53
-rw-r--r--src/racoon/main.c398
-rw-r--r--src/racoon/misc.c171
-rw-r--r--src/racoon/misc.h77
-rw-r--r--src/racoon/missing/crypto/rijndael/boxes-fst.dat957
-rw-r--r--src/racoon/missing/crypto/rijndael/rijndael-alg-fst.c496
-rw-r--r--src/racoon/missing/crypto/rijndael/rijndael-alg-fst.h35
-rw-r--r--src/racoon/missing/crypto/rijndael/rijndael-api-fst.c494
-rw-r--r--src/racoon/missing/crypto/rijndael/rijndael-api-fst.h105
-rw-r--r--src/racoon/missing/crypto/rijndael/rijndael.h5
-rw-r--r--src/racoon/missing/crypto/rijndael/rijndael_local.h12
-rw-r--r--src/racoon/missing/crypto/sha2/sha2.c1201
-rw-r--r--src/racoon/missing/crypto/sha2/sha2.h161
-rw-r--r--src/racoon/nattraversal.c528
-rw-r--r--src/racoon/nattraversal.h99
-rw-r--r--src/racoon/netdb_dnssec.h74
-rw-r--r--src/racoon/oakley.c3429
-rw-r--r--src/racoon/oakley.h243
-rw-r--r--src/racoon/pfkey.c3157
-rw-r--r--src/racoon/pfkey.h77
-rw-r--r--src/racoon/plainrsa-gen.8138
-rw-r--r--src/racoon/plainrsa-gen.c208
-rw-r--r--src/racoon/plog.c268
-rw-r--r--src/racoon/plog.h110
-rw-r--r--src/racoon/policy.c488
-rw-r--r--src/racoon/policy.h163
-rw-r--r--src/racoon/privsep.c1339
-rw-r--r--src/racoon/privsep.h72
-rw-r--r--src/racoon/proposal.c1294
-rw-r--r--src/racoon/proposal.h214
-rw-r--r--src/racoon/prsa_par.h110
-rw-r--r--src/racoon/prsa_par.y350
-rw-r--r--src/racoon/prsa_tok.l89
-rw-r--r--src/racoon/racoon.8155
-rw-r--r--src/racoon/racoon.conf.51420
-rw-r--r--src/racoon/racoonctl.8199
-rw-r--r--src/racoon/racoonctl.c1654
-rw-r--r--src/racoon/racoonctl.h53
-rw-r--r--src/racoon/remoteconf.c693
-rw-r--r--src/racoon/remoteconf.h196
-rw-r--r--src/racoon/rsalist.c216
-rw-r--r--src/racoon/rsalist.h65
-rw-r--r--src/racoon/safefile.c93
-rw-r--r--src/racoon/safefile.h39
-rw-r--r--src/racoon/sainfo.c319
-rw-r--r--src/racoon/sainfo.h88
-rw-r--r--src/racoon/samples/psk.txt.in21
-rw-r--r--src/racoon/samples/psk.txt.sample10
-rw-r--r--src/racoon/samples/racoon.conf.in121
-rw-r--r--src/racoon/samples/racoon.conf.sample61
-rw-r--r--src/racoon/samples/racoon.conf.sample-gssapi43
-rw-r--r--src/racoon/samples/racoon.conf.sample-inherit55
-rw-r--r--src/racoon/samples/racoon.conf.sample-natt97
-rw-r--r--src/racoon/samples/racoon.conf.sample-plainrsa46
-rw-r--r--src/racoon/samples/roadwarrior/README67
-rwxr-xr-xsrc/racoon/samples/roadwarrior/client/phase1-down.sh73
-rwxr-xr-xsrc/racoon/samples/roadwarrior/client/phase1-up.sh77
-rw-r--r--src/racoon/samples/roadwarrior/client/racoon.conf33
-rw-r--r--src/racoon/samples/roadwarrior/server/racoon.conf42
-rw-r--r--src/racoon/samples/roadwarrior/server/racoon.conf-radius42
-rw-r--r--src/racoon/schedule.c364
-rw-r--r--src/racoon/schedule.h85
-rw-r--r--src/racoon/security.c265
-rw-r--r--src/racoon/session.c592
-rw-r--r--src/racoon/session.h40
-rw-r--r--src/racoon/sockmisc.c1197
-rw-r--r--src/racoon/sockmisc.h89
-rw-r--r--src/racoon/stats.pl15
-rw-r--r--src/racoon/str2val.c126
-rw-r--r--src/racoon/str2val.h40
-rw-r--r--src/racoon/strnames.c1034
-rw-r--r--src/racoon/strnames.h80
-rw-r--r--src/racoon/throttle.c158
-rw-r--r--src/racoon/throttle.h51
-rw-r--r--src/racoon/var.h107
-rw-r--r--src/racoon/vendorid.c317
-rw-r--r--src/racoon/vendorid.h106
-rw-r--r--src/racoon/vmbuf.c137
-rw-r--r--src/racoon/vmbuf.h73
158 files changed, 0 insertions, 71342 deletions
diff --git a/Android.bp b/Android.bp
index 0ed452d..c4e2761 100644
--- a/Android.bp
+++ b/Android.bp
@@ -50,80 +50,6 @@ license {
],
}
-cc_binary {
- name: "racoon",
-
- srcs: [
- "src/racoon/algorithm.c",
- "src/racoon/crypto_openssl.c",
- "src/racoon/genlist.c",
- "src/racoon/handler.c",
- "src/racoon/isakmp.c",
- "src/racoon/isakmp_agg.c",
- "src/racoon/isakmp_base.c",
- "src/racoon/isakmp_cfg.c",
- "src/racoon/isakmp_frag.c",
- "src/racoon/isakmp_ident.c",
- "src/racoon/isakmp_inf.c",
- "src/racoon/isakmp_newg.c",
- "src/racoon/isakmp_quick.c",
- "src/racoon/isakmp_unity.c",
- "src/racoon/isakmp_xauth.c",
- "src/racoon/ipsec_doi.c",
- "src/racoon/nattraversal.c",
- "src/racoon/oakley.c",
- "src/racoon/pfkey.c",
- "src/racoon/policy.c",
- "src/racoon/proposal.c",
- "src/racoon/remoteconf.c",
- "src/racoon/schedule.c",
- "src/racoon/sockmisc.c",
- "src/racoon/str2val.c",
- "src/racoon/strnames.c",
- "src/racoon/vendorid.c",
- "src/racoon/vmbuf.c",
- "main.c",
- "setup.c",
- ],
-
- local_include_dirs: [
- "src/include-glibc",
- "src/racoon",
- "src/racoon/missing",
- ],
-
- static_libs: ["libipsec"],
-
- shared_libs: [
- "libcutils",
- "liblog",
- "libcrypto",
- "libkeystore-engine",
- "libnetd_client",
- ],
-
- cflags: [
- "-DANDROID_CHANGES",
- "-DHAVE_CONFIG_H",
- "-D_BSD_SOURCE=1",
-
- "-Wno-sign-compare",
- "-Wno-missing-field-initializers",
- "-Wno-unused-parameter",
- "-Wno-pointer-sign",
- "-Werror",
-
- // Turn off unused XXX warnings. Should be removed/fixed when syncing with upstream. b/18523687, b/18632512
- "-Wno-unused-variable",
- "-Wno-unused-but-set-variable",
- "-Wno-unused-function",
- "-Wno-unused-label",
- "-Wno-unused-value",
- ],
-
- init_rc: ["racoon.rc"],
-}
-
cc_library_static {
name: "libipsec",
diff --git a/Makefile b/Makefile
deleted file mode 100644
index d8c417f..0000000
--- a/Makefile
+++ /dev/null
@@ -1,35 +0,0 @@
-all:
- gcc -O3 -Wall -o racoon -I. -Isrc/include-glibc -Isrc/libipsec \
- -Isrc/racoon -Isrc/racoon/missing -DHAVE_CONFIG_H -lcrypto \
- src/libipsec/pfkey.c \
- src/libipsec/ipsec_strerror.c \
- src/racoon/algorithm.c \
- src/racoon/crypto_openssl.c \
- src/racoon/genlist.c \
- src/racoon/handler.c \
- src/racoon/isakmp.c \
- src/racoon/isakmp_agg.c \
- src/racoon/isakmp_base.c \
- src/racoon/isakmp_cfg.c \
- src/racoon/isakmp_frag.c \
- src/racoon/isakmp_ident.c \
- src/racoon/isakmp_inf.c \
- src/racoon/isakmp_newg.c \
- src/racoon/isakmp_quick.c \
- src/racoon/isakmp_unity.c \
- src/racoon/isakmp_xauth.c \
- src/racoon/ipsec_doi.c \
- src/racoon/nattraversal.c \
- src/racoon/oakley.c \
- src/racoon/pfkey.c \
- src/racoon/policy.c \
- src/racoon/proposal.c \
- src/racoon/remoteconf.c \
- src/racoon/schedule.c \
- src/racoon/sockmisc.c \
- src/racoon/str2val.c \
- src/racoon/strnames.c \
- src/racoon/vendorid.c \
- src/racoon/vmbuf.c \
- main.c \
- setup.c
diff --git a/README b/README
index 2e4f90a..e366133 100644
--- a/README
+++ b/README
@@ -6,7 +6,6 @@ in the Linux 2.6+ kernel. It works as well on NetBSD and FreeBSD.
- libipsec, a PF_KEYv2 library
- setkey, a tool to directly manipulate policies and SAs
- - racoon, an IKEv1 keying daemon
IPsec-tools were ported to Linux from the KAME project
(http://www.kame.net) by Derek Atkins <derek@ihtfp.com>.
diff --git a/main.c b/main.c
deleted file mode 100644
index 63862c5..0000000
--- a/main.c
+++ /dev/null
@@ -1,243 +0,0 @@
-/*
- * Copyright (C) 2011 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <stdarg.h>
-#include <signal.h>
-#include <poll.h>
-#include <unistd.h>
-
-#include "config.h"
-#include "gcmalloc.h"
-#include "schedule.h"
-#include "plog.h"
-
-#ifdef ANDROID_CHANGES
-
-#include <string.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <errno.h>
-#include <linux/if.h>
-#include <linux/if_tun.h>
-
-#include <android/log.h>
-#include <cutils/sockets.h>
-#include <private/android_filesystem_config.h>
-
-static void notify_death()
-{
- creat("/data/misc/vpn/abort", 0);
-}
-
-static int android_get_control_and_arguments(int *argc, char ***argv)
-{
- static char *args[32];
- int control;
- int i;
-
- atexit(notify_death);
-
- if ((i = android_get_control_socket("racoon")) == -1) {
- return -1;
- }
- do_plog(LLV_DEBUG, "Waiting for control socket");
- if (listen(i, 1) == -1 || (control = accept(i, NULL, 0)) == -1) {
- do_plog(LLV_ERROR, "Cannot get control socket");
- exit(1);
- }
- close(i);
- fcntl(control, F_SETFD, FD_CLOEXEC);
-
- args[0] = (*argv)[0];
- for (i = 1; i < 32; ++i) {
- unsigned char bytes[2];
- if (recv(control, &bytes[0], 1, 0) != 1 ||
- recv(control, &bytes[1], 1, 0) != 1) {
- do_plog(LLV_ERROR, "Cannot get argument length");
- exit(1);
- } else {
- int length = bytes[0] << 8 | bytes[1];
- int offset = 0;
-
- if (length == 0xFFFF) {
- break;
- }
- args[i] = malloc(length + 1);
- while (offset < length) {
- int n = recv(control, &args[i][offset], length - offset, 0);
- if (n > 0) {
- offset += n;
- } else {
- do_plog(LLV_ERROR, "Cannot get argument value");
- exit(1);
- }
- }
- args[i][length] = 0;
- }
- }
- do_plog(LLV_DEBUG, "Received %d arguments", i - 1);
-
- *argc = i;
- *argv = args;
- return control;
-}
-
-const char *android_hook(char **envp)
-{
- struct ifreq ifr = {.ifr_flags = IFF_TUN};
- int tun = open("/dev/tun", 0);
-
- /* Android does not support INTERNAL_WINS4_LIST, so we just use it. */
- while (*envp && strncmp(*envp, "INTERNAL_WINS4_LIST=", 20)) {
- ++envp;
- }
- if (!*envp) {
- do_plog(LLV_ERROR, "Cannot find environment variable\n");
- exit(1);
- }
- if (ioctl(tun, TUNSETIFF, &ifr)) {
- do_plog(LLV_ERROR, "Cannot allocate TUN: %s\n", strerror(errno));
- exit(1);
- }
- sprintf(*envp, "INTERFACE=%s", ifr.ifr_name);
- return "/system/bin/ip-up-vpn";
-}
-
-#endif
-
-extern void setup(int argc, char **argv);
-extern void shutdown_session();
-
-static int monitors;
-static void (*callbacks[10])(int fd);
-static struct pollfd pollfds[10];
-
-char *pname;
-
-static void terminate(int signal)
-{
- exit(1);
-}
-
-static void terminated()
-{
- do_plog(LLV_INFO, "Bye\n");
-}
-
-void monitor_fd(int fd, void (*callback)(int))
-{
- if (fd < 0 || monitors == 10) {
- do_plog(LLV_ERROR, "Cannot monitor fd");
- exit(1);
- }
- callbacks[monitors] = callback;
- pollfds[monitors].fd = fd;
- pollfds[monitors].events = callback ? POLLIN : 0;
- ++monitors;
-}
-
-int main(int argc, char **argv)
-{
-#ifdef ANDROID_CHANGES
- int control = android_get_control_and_arguments(&argc, &argv);
-
- if (control != -1) {
- pname = "%p";
- monitor_fd(control, NULL);
- }
-#endif
-
- do_plog(LLV_INFO, "ipsec-tools 0.7.3 (http://ipsec-tools.sf.net)\n");
-
- signal(SIGHUP, terminate);
- signal(SIGINT, terminate);
- signal(SIGTERM, terminate);
- signal(SIGPIPE, SIG_IGN);
- atexit(terminated);
-
- setup(argc, argv);
-
-#ifdef ANDROID_CHANGES
- shutdown(control, SHUT_WR);
-#endif
-
- while (1) {
- struct timeval *tv = schedular();
- int timeout = tv->tv_sec * 1000 + tv->tv_usec / 1000 + 1;
-
- if (poll(pollfds, monitors, timeout) > 0) {
- int i;
- for (i = 0; i < monitors; ++i) {
- if (pollfds[i].revents & POLLHUP) {
- do_plog(LLV_INFO, "Connection is closed\n", pollfds[i].fd);
- shutdown_session();
-
- /* Wait for few seconds to consume late messages. */
- sleep(5);
- exit(1);
- }
- if (pollfds[i].revents & POLLIN) {
- callbacks[i](pollfds[i].fd);
- }
- }
- }
- }
-
- return 0;
-}
-
-/* plog.h */
-
-void do_plog(int level, char *format, ...)
-{
- if (level >= 0 && level <= 5) {
-#ifdef ANDROID_CHANGES
- static int levels[6] = {
- ANDROID_LOG_ERROR, ANDROID_LOG_WARN, ANDROID_LOG_INFO,
- ANDROID_LOG_INFO, ANDROID_LOG_DEBUG, ANDROID_LOG_VERBOSE
- };
- va_list ap;
- va_start(ap, format);
- __android_log_vprint(levels[level], "racoon", format, ap);
- va_end(ap);
-#else
- static char *levels = "EWNIDV";
- fprintf(stderr, "%c: ", levels[level]);
- va_list ap;
- va_start(ap, format);
- vfprintf(stderr, format, ap);
- va_end(ap);
-#endif
- }
-}
-
-char *binsanitize(char *data, size_t length)
-{
- char *output = racoon_malloc(length + 1);
- if (output) {
- size_t i;
- for (i = 0; i < length; ++i) {
- output[i] = (data[i] < ' ' || data[i] > '~') ? '?' : data[i];
- }
- output[length] = '\0';
- }
- return output;
-}
diff --git a/racoon.rc b/racoon.rc
deleted file mode 100644
index fdb8823..0000000
--- a/racoon.rc
+++ /dev/null
@@ -1,9 +0,0 @@
-service racoon /system/bin/racoon
- class main
- socket racoon stream 600 system system
- # IKE uses UDP port 500.
- user vpn
- group vpn inet
- capabilities NET_ADMIN NET_BIND_SERVICE NET_RAW
- disabled
- oneshot
diff --git a/setup.c b/setup.c
deleted file mode 100644
index 9cbe2f9..0000000
--- a/setup.c
+++ /dev/null
@@ -1,708 +0,0 @@
-/*
- * Copyright (C) 2011 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <netinet/ip.h>
-#include <netdb.h>
-#include <fcntl.h>
-
-#include "config.h"
-#include "gcmalloc.h"
-#include "libpfkey.h"
-#include "var.h"
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "isakmp_xauth.h"
-#include "vmbuf.h"
-#include "crypto_openssl.h"
-#include "oakley.h"
-#include "ipsec_doi.h"
-#include "algorithm.h"
-#include "vendorid.h"
-#include "schedule.h"
-#include "pfkey.h"
-#include "nattraversal.h"
-#include "proposal.h"
-#include "sainfo.h"
-#include "localconf.h"
-#include "remoteconf.h"
-#include "sockmisc.h"
-#include "grabmyaddr.h"
-#include "plog.h"
-#include "admin.h"
-#include "privsep.h"
-#include "throttle.h"
-#include "misc.h"
-#include "handler.h"
-
-static struct localconf localconf;
-static struct sainfo sainfo;
-static char *pre_shared_key;
-
-static struct sockaddr *targets[2];
-static struct sockaddr *source;
-static struct myaddrs myaddrs[2];
-
-struct localconf *lcconf = &localconf;
-int f_local = 0;
-
-/*****************************************************************************/
-
-static void add_sainfo_algorithm(int class, int algorithm, int length)
-{
- struct sainfoalg *p = calloc(1, sizeof(struct sainfoalg));
- p->alg = algorithm;
- p->encklen = length;
-
- if (!sainfo.algs[class]) {
- sainfo.algs[class] = p;
- } else {
- struct sainfoalg *q = sainfo.algs[class];
- while (q->next) {
- q = q->next;
- }
- q->next = p;
- }
-}
-
-static void add_sainfo() {
- if (pk_checkalg(algclass_ipsec_auth, algtype_hmac_sha2_512, 0) == 0) {
- add_sainfo_algorithm(algclass_ipsec_auth, IPSECDOI_ATTR_AUTH_HMAC_SHA2_512, 0);
- } else {
- do_plog(LLV_WARNING, "Kernel does not support SHA512, not enabling\n");
- }
- if (pk_checkalg(algclass_ipsec_auth, algtype_hmac_sha2_384, 0) == 0) {
- add_sainfo_algorithm(algclass_ipsec_auth, IPSECDOI_ATTR_AUTH_HMAC_SHA2_384, 0);
- } else {
- do_plog(LLV_WARNING, "Kernel does not support SHA384, not enabling\n");
- }
- add_sainfo_algorithm(algclass_ipsec_auth, IPSECDOI_ATTR_AUTH_HMAC_SHA1, 0);
- add_sainfo_algorithm(algclass_ipsec_auth, IPSECDOI_ATTR_AUTH_HMAC_SHA2_256, 0);
- add_sainfo_algorithm(algclass_ipsec_auth, IPSECDOI_ATTR_AUTH_HMAC_MD5, 0);
- add_sainfo_algorithm(algclass_ipsec_enc, IPSECDOI_ESP_AES, 256);
- add_sainfo_algorithm(algclass_ipsec_enc, IPSECDOI_ESP_AES, 128);
- add_sainfo_algorithm(algclass_ipsec_enc, IPSECDOI_ESP_3DES, 0);
- add_sainfo_algorithm(algclass_ipsec_enc, IPSECDOI_ESP_DES, 0);
-}
-
-static void set_globals(char *server)
-{
- struct addrinfo hints = {
- .ai_flags = AI_NUMERICSERV,
-#ifndef INET6
- .ai_family = AF_INET,
-#else
- .ai_family = AF_UNSPEC,
-#endif
- .ai_socktype = SOCK_DGRAM,
- };
- struct addrinfo *info;
-
- if (getaddrinfo(server, "500", &hints, &info) != 0) {
- do_plog(LLV_ERROR, "Cannot resolve address: %s\n", server);
- exit(1);
- }
- if (info->ai_next) {
- do_plog(LLV_WARNING, "Found multiple addresses. Use the first one.\n");
- }
- targets[0] = dupsaddr(info->ai_addr);
- freeaddrinfo(info);
-
- source = getlocaladdr(targets[0]);
- if (!source) {
- do_plog(LLV_ERROR, "Cannot get local address\n");
- exit(1);
- }
- set_port(targets[0], 0);
- set_port(source, 0);
-
- myaddrs[0].addr = dupsaddr(source);
- set_port(myaddrs[0].addr, PORT_ISAKMP);
- myaddrs[0].sock = -1;
-#ifdef ENABLE_NATT
- myaddrs[0].next = &myaddrs[1];
- myaddrs[1].addr = dupsaddr(myaddrs[0].addr);
- set_port(myaddrs[1].addr, PORT_ISAKMP_NATT);
- myaddrs[1].sock = -1;
- myaddrs[1].udp_encap = 1;
-#endif
-
- localconf.myaddrs = &myaddrs[0];
- localconf.port_isakmp = PORT_ISAKMP;
- localconf.port_isakmp_natt = PORT_ISAKMP_NATT;
- localconf.default_af = AF_INET;
- localconf.pathinfo[LC_PATHTYPE_CERT] = "./";
- localconf.pad_random = LC_DEFAULT_PAD_RANDOM;
- localconf.pad_randomlen = LC_DEFAULT_PAD_RANDOM;
- localconf.pad_strict = LC_DEFAULT_PAD_STRICT;
- localconf.pad_excltail = LC_DEFAULT_PAD_EXCLTAIL;
- localconf.retry_counter = 10;
- localconf.retry_interval = 3;
- localconf.count_persend = LC_DEFAULT_COUNT_PERSEND;
- localconf.secret_size = LC_DEFAULT_SECRETSIZE;
- localconf.retry_checkph1 = LC_DEFAULT_RETRY_CHECKPH1;
- localconf.wait_ph2complete = LC_DEFAULT_WAIT_PH2COMPLETE;
- localconf.natt_ka_interval = LC_DEFAULT_NATT_KA_INTERVAL;
-
- sainfo.lifetime = IPSECDOI_ATTR_SA_LD_SEC_DEFAULT;
- sainfo.lifebyte = IPSECDOI_ATTR_SA_LD_KB_MAX;
-
- memset(script_names, 0, sizeof(script_names));
-}
-
-/*****************************************************************************/
-
-static int policy_match(struct sadb_address *address)
-{
- if (address) {
- struct sockaddr *addr = PFKEY_ADDR_SADDR(address);
- return !cmpsaddrwop(addr, targets[0]) || !cmpsaddrwop(addr, targets[1]);
- }
- return 0;
-}
-
-/* flush; spdflush; */
-static void flush()
-{
- struct sadb_msg *p;
- int replies = 0;
- int key = pfkey_open();
-
- if (pfkey_send_dump(key, SADB_SATYPE_UNSPEC) <= 0 ||
- pfkey_send_spddump(key) <= 0) {
- do_plog(LLV_ERROR, "Cannot dump SAD and SPD\n");
- exit(1);
- }
-
- for (p = NULL; replies < 2 && (p = pfkey_recv(key)) != NULL; free(p)) {
- caddr_t q[SADB_EXT_MAX + 1];
-
- if (p->sadb_msg_type != SADB_DUMP &&
- p->sadb_msg_type != SADB_X_SPDDUMP) {
- continue;
- }
- replies += !p->sadb_msg_seq;
-
- if (p->sadb_msg_errno || pfkey_align(p, q) || pfkey_check(q)) {
- continue;
- }
- if (policy_match((struct sadb_address *)q[SADB_EXT_ADDRESS_SRC]) ||
- policy_match((struct sadb_address *)q[SADB_EXT_ADDRESS_DST])) {
- p->sadb_msg_type = (p->sadb_msg_type == SADB_DUMP) ?
- SADB_DELETE : SADB_X_SPDDELETE;
- p->sadb_msg_reserved = 0;
- p->sadb_msg_seq = 0;
- pfkey_send(key, p, PFKEY_UNUNIT64(p->sadb_msg_len));
- }
- }
-
- pfkey_close(key);
-}
-
-/* spdadd src dst protocol -P out ipsec esp/transport//require;
- * spdadd dst src protocol -P in ipsec esp/transport//require;
- * or
- * spdadd src any protocol -P out ipsec esp/tunnel/local-remote/require;
- * spdadd any src protocol -P in ipsec esp/tunnel/remote-local/require; */
-static void spdadd(struct sockaddr *src, struct sockaddr *dst,
- int protocol, struct sockaddr *local, struct sockaddr *remote)
-{
- struct __attribute__((packed)) {
- struct sadb_x_policy p;
- struct sadb_x_ipsecrequest q;
- char addresses[sizeof(struct sockaddr_storage) * 2];
- } policy;
-
- struct sockaddr_storage any = {
-#ifndef __linux__
- .ss_len = src->sa_len,
-#endif
- .ss_family = src->sa_family,
- };
-
- int src_prefix = (src->sa_family == AF_INET) ? 32 : 128;
- int dst_prefix = src_prefix;
- int length = 0;
- int key;
-
- /* Fill values for outbound policy. */
- memset(&policy, 0, sizeof(policy));
- policy.p.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
- policy.p.sadb_x_policy_type = IPSEC_POLICY_IPSEC;
- policy.p.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
-#ifdef HAVE_PFKEY_POLICY_PRIORITY
- policy.p.sadb_x_policy_priority = PRIORITY_DEFAULT;
-#endif
- policy.q.sadb_x_ipsecrequest_proto = IPPROTO_ESP;
- policy.q.sadb_x_ipsecrequest_mode = IPSEC_MODE_TRANSPORT;
- policy.q.sadb_x_ipsecrequest_level = IPSEC_LEVEL_REQUIRE;
-
- /* Deal with tunnel mode. */
- if (!dst) {
- int size = sysdep_sa_len(local);
- memcpy(policy.addresses, local, size);
- memcpy(&policy.addresses[size], remote, size);
- length += size + size;
-
- policy.q.sadb_x_ipsecrequest_mode = IPSEC_MODE_TUNNEL;
- dst = (struct sockaddr *)&any;
- dst_prefix = 0;
-
- /* Also use the source address to filter policies. */
- targets[1] = dupsaddr(src);
- }
-
- /* Fix lengths. */
- length += sizeof(policy.q);
- policy.q.sadb_x_ipsecrequest_len = length;
- length += sizeof(policy.p);
- policy.p.sadb_x_policy_len = PFKEY_UNIT64(length);
-
- /* Always do a flush before adding new policies. */
- flush();
-
- /* Set outbound policy. */
- key = pfkey_open();
- if (pfkey_send_spdadd(key, src, src_prefix, dst, dst_prefix, protocol,
- (caddr_t)&policy, length, 0) <= 0) {
- do_plog(LLV_ERROR, "Cannot set outbound policy\n");
- exit(1);
- }
-
- /* Flip values for inbound policy. */
- policy.p.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
- if (!dst_prefix) {
- int size = sysdep_sa_len(local);
- memcpy(policy.addresses, remote, size);
- memcpy(&policy.addresses[size], local, size);
- }
-
- /* Set inbound policy. */
- if (pfkey_send_spdadd(key, dst, dst_prefix, src, src_prefix, protocol,
- (caddr_t)&policy, length, 0) <= 0) {
- do_plog(LLV_ERROR, "Cannot set inbound policy\n");
- exit(1);
- }
-
- pfkey_close(key);
- atexit(flush);
-}
-
-/*****************************************************************************/
-
-static void add_proposal(struct remoteconf *remoteconf,
- int auth, int hash, int encryption, int length)
-{
- struct isakmpsa *p = racoon_calloc(1, sizeof(struct isakmpsa));
- p->prop_no = 1;
- p->lifetime = OAKLEY_ATTR_SA_LD_SEC_DEFAULT;
- p->enctype = encryption;
- p->encklen = length;
- p->authmethod = auth;
- p->hashtype = hash;
- p->dh_group = OAKLEY_ATTR_GRP_DESC_MODP1024;
- p->vendorid = VENDORID_UNKNOWN;
- p->rmconf = remoteconf;
-
- if (!remoteconf->proposal) {
- p->trns_no = 1;
- remoteconf->proposal = p;
- } else {
- struct isakmpsa *q = remoteconf->proposal;
- while (q->next) {
- q = q->next;
- }
- p->trns_no = q->trns_no + 1;
- q->next = p;
- }
-}
-
-static vchar_t *strtovchar(char *string)
-{
- vchar_t *vchar = string ? vmalloc(strlen(string) + 1) : NULL;
- if (vchar) {
- memcpy(vchar->v, string, vchar->l);
- vchar->l -= 1;
- }
- return vchar;
-}
-
-static void set_pre_shared_key(struct remoteconf *remoteconf,
- char *identifier, char *key)
-{
- pre_shared_key = key;
- if (identifier[0]) {
- remoteconf->idv = strtovchar(identifier);
- remoteconf->etypes->type = ISAKMP_ETYPE_AGG;
-
- remoteconf->idvtype = IDTYPE_KEYID;
- if (strchr(identifier, '.')) {
- remoteconf->idvtype = IDTYPE_FQDN;
- if (strchr(identifier, '@')) {
- remoteconf->idvtype = IDTYPE_USERFQDN;
- }
- }
- }
-}
-
-static void set_certificates(struct remoteconf *remoteconf,
- char *user_private_key, char *user_certificate,
- char *ca_certificate, char *server_certificate)
-{
- remoteconf->myprivfile = user_private_key;
- remoteconf->mycertfile = user_certificate;
- if (user_certificate) {
- remoteconf->idvtype = IDTYPE_ASN1DN;
- }
- if (!ca_certificate[0]) {
- remoteconf->verify_cert = FALSE;
- } else {
- remoteconf->cacertfile = ca_certificate;
- }
- if (server_certificate[0]) {
- remoteconf->peerscertfile = server_certificate;
- remoteconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
- }
-}
-
-#ifdef ENABLE_HYBRID
-
-static void set_xauth_and_more(struct remoteconf *remoteconf,
- char *username, char *password, char *phase1_up, char *script_arg)
-{
- struct xauth_rmconf *xauth = racoon_calloc(1, sizeof(struct xauth_rmconf));
- xauth->login = strtovchar(username);
- xauth->login->l += 1;
- xauth->pass = strtovchar(password);
- // Unlike the code that reads login, the code that reads pass does not
- // strip trailing nulls, so don't add one here.
- remoteconf->xauth = xauth;
- remoteconf->mode_cfg = TRUE;
- remoteconf->script[SCRIPT_PHASE1_UP] = strtovchar(phase1_up);
- script_names[SCRIPT_PHASE1_UP] = script_arg;
-}
-
-#endif
-
-extern void monitor_fd(int fd, void (*callback)(int));
-
-void add_isakmp_handler(int fd, const char *interface)
-{
- if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE,
- interface, strlen(interface))) {
- do_plog(LLV_WARNING, "Cannot bind socket to %s\n", interface);
- }
- monitor_fd(fd, (void *)isakmp_handler);
-}
-
-void setup(int argc, char **argv)
-{
- struct remoteconf *remoteconf = NULL;
- int auth;
-
- if (argc > 2) {
- set_globals(argv[2]);
-
- /* Initialize everything else. */
- eay_init();
- initrmconf();
- oakley_dhinit();
- compute_vendorids();
- sched_init();
- if (pfkey_init() < 0 || isakmp_init() < 0) {
- exit(1);
- }
- add_sainfo();
- monitor_fd(localconf.sock_pfkey, (void *)pfkey_handler);
- add_isakmp_handler(myaddrs[0].sock, argv[1]);
-
-#ifdef ENABLE_NATT
- add_isakmp_handler(myaddrs[1].sock, argv[1]);
- natt_keepalive_init();
-#endif
-
- /* Create remote configuration. */
- remoteconf = newrmconf();
- remoteconf->etypes = racoon_calloc(1, sizeof(struct etypes));
- remoteconf->etypes->type = ISAKMP_ETYPE_IDENT;
- remoteconf->idvtype = IDTYPE_ADDRESS;
- remoteconf->ike_frag = TRUE;
- remoteconf->pcheck_level = PROP_CHECK_CLAIM;
- remoteconf->certtype = ISAKMP_CERT_X509SIGN;
- remoteconf->gen_policy = TRUE;
- remoteconf->nat_traversal = TRUE;
- remoteconf->dh_group = OAKLEY_ATTR_GRP_DESC_MODP1024;
- remoteconf->script[SCRIPT_PHASE1_UP] = strtovchar("");
- remoteconf->script[SCRIPT_PHASE1_DOWN] = strtovchar("");
- oakley_setdhgroup(remoteconf->dh_group, &remoteconf->dhgrp);
- remoteconf->remote = dupsaddr(targets[0]);
- }
-
- /* Set authentication method and credentials. */
- if (argc == 7 && !strcmp(argv[3], "udppsk")) {
- set_pre_shared_key(remoteconf, argv[4], argv[5]);
- auth = OAKLEY_ATTR_AUTH_METHOD_PSKEY;
-
- set_port(targets[0], atoi(argv[6]));
- spdadd(source, targets[0], IPPROTO_UDP, NULL, NULL);
- } else if (argc == 9 && !strcmp(argv[3], "udprsa")) {
- set_certificates(remoteconf, argv[4], argv[5], argv[6], argv[7]);
- auth = OAKLEY_ATTR_AUTH_METHOD_RSASIG;
-
- set_port(targets[0], atoi(argv[8]));
- spdadd(source, targets[0], IPPROTO_UDP, NULL, NULL);
-#ifdef ENABLE_HYBRID
- } else if (argc == 10 && !strcmp(argv[3], "xauthpsk")) {
- set_pre_shared_key(remoteconf, argv[4], argv[5]);
- set_xauth_and_more(remoteconf, argv[6], argv[7], argv[8], argv[9]);
- auth = OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I;
- } else if (argc == 12 && !strcmp(argv[3], "xauthrsa")) {
- set_certificates(remoteconf, argv[4], argv[5], argv[6], argv[7]);
- set_xauth_and_more(remoteconf, argv[8], argv[9], argv[10], argv[11]);
- auth = OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I;
- } else if (argc == 10 && !strcmp(argv[3], "hybridrsa")) {
- set_certificates(remoteconf, NULL, NULL, argv[4], argv[5]);
- set_xauth_and_more(remoteconf, argv[6], argv[7], argv[8], argv[9]);
- auth = OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I;
-#endif
- } else {
- printf("Usage: %s <interface> <server> [...], where [...] can be:\n"
- " udppsk <identifier> <pre-shared-key> <port>; \n"
- " udprsa <user-private-key> <user-certificate> \\\n"
- " <ca-certificate> <server-certificate> <port>;\n"
-#ifdef ENABLE_HYBRID
- " xauthpsk <identifier> <pre-shared-key> \\\n"
- " <username> <password> <phase1-up> <script-arg>;\n"
- " xauthrsa <user-private-key> <user-certificate> \\\n"
- " <ca-certificate> <server-certificate> \\\n"
- " <username> <password> <phase1-up> <script-arg>;\n"
- " hybridrsa <ca-certificate> <server-certificate> \\\n"
- " <username> <password> <phase1-up> <script-arg>;\n"
-#endif
- "", argv[0]);
- exit(0);
- }
-
- /* Add proposals. */
- add_proposal(remoteconf, auth,
- OAKLEY_ATTR_HASH_ALG_SHA2_384, OAKLEY_ATTR_ENC_ALG_AES, 256);
- add_proposal(remoteconf, auth,
- OAKLEY_ATTR_HASH_ALG_SHA2_256, OAKLEY_ATTR_ENC_ALG_AES, 256);
- // VPNs to openswan breaks when SHA2_512 is used as the first proposal.
- // openswan supports SHA2_256 or lower hash alg. With this add_proposal
- // order, openswan picks SHA2_256 and others pick SHA2_384
- add_proposal(remoteconf, auth,
- OAKLEY_ATTR_HASH_ALG_SHA2_512, OAKLEY_ATTR_ENC_ALG_AES, 256);
- add_proposal(remoteconf, auth,
- OAKLEY_ATTR_HASH_ALG_SHA, OAKLEY_ATTR_ENC_ALG_AES, 256);
- add_proposal(remoteconf, auth,
- OAKLEY_ATTR_HASH_ALG_MD5, OAKLEY_ATTR_ENC_ALG_AES, 256);
- add_proposal(remoteconf, auth,
- OAKLEY_ATTR_HASH_ALG_SHA2_512, OAKLEY_ATTR_ENC_ALG_AES, 128);
- add_proposal(remoteconf, auth,
- OAKLEY_ATTR_HASH_ALG_SHA2_384, OAKLEY_ATTR_ENC_ALG_AES, 128);
- add_proposal(remoteconf, auth,
- OAKLEY_ATTR_HASH_ALG_SHA2_256, OAKLEY_ATTR_ENC_ALG_AES, 128);
- add_proposal(remoteconf, auth,
- OAKLEY_ATTR_HASH_ALG_SHA, OAKLEY_ATTR_ENC_ALG_AES, 128);
- add_proposal(remoteconf, auth,
- OAKLEY_ATTR_HASH_ALG_MD5, OAKLEY_ATTR_ENC_ALG_AES, 128);
- add_proposal(remoteconf, auth,
- OAKLEY_ATTR_HASH_ALG_SHA2_256, OAKLEY_ATTR_ENC_ALG_3DES, 0);
- add_proposal(remoteconf, auth,
- OAKLEY_ATTR_HASH_ALG_SHA, OAKLEY_ATTR_ENC_ALG_3DES, 0);
- add_proposal(remoteconf, auth,
- OAKLEY_ATTR_HASH_ALG_MD5, OAKLEY_ATTR_ENC_ALG_3DES, 0);
- add_proposal(remoteconf, auth,
- OAKLEY_ATTR_HASH_ALG_SHA2_256, OAKLEY_ATTR_ENC_ALG_DES, 0);
- add_proposal(remoteconf, auth,
- OAKLEY_ATTR_HASH_ALG_SHA, OAKLEY_ATTR_ENC_ALG_DES, 0);
- add_proposal(remoteconf, auth,
- OAKLEY_ATTR_HASH_ALG_MD5, OAKLEY_ATTR_ENC_ALG_DES, 0);
-
- /* Install remote configuration. */
- insrmconf(remoteconf);
-
- /* Start phase 1 negotiation for xauth. */
- if (remoteconf->xauth) {
- isakmp_ph1begin_i(remoteconf, remoteconf->remote, source);
- }
-}
-
-/*****************************************************************************/
-
-/* localconf.h */
-
-vchar_t *getpskbyaddr(struct sockaddr *addr)
-{
- return strtovchar(pre_shared_key);
-}
-
-vchar_t *getpskbyname(vchar_t *name)
-{
- return NULL;
-}
-
-void getpathname(char *path, int length, int type, const char *name)
-{
- if (pname) {
- snprintf(path, length, pname, name);
- } else {
- strncpy(path, name, length);
- }
- path[length - 1] = '\0';
-}
-
-/* grabmyaddr.h */
-
-int myaddr_getsport(struct sockaddr *addr)
-{
- return 0;
-}
-
-int getsockmyaddr(struct sockaddr *addr)
-{
-#ifdef ENABLE_NATT
- if (!cmpsaddrstrict(addr, myaddrs[1].addr)) {
- return myaddrs[1].sock;
- }
-#endif
- if (!cmpsaddrwop(addr, myaddrs[0].addr)) {
- return myaddrs[0].sock;
- }
- return -1;
-}
-
-/* privsep.h */
-
-int privsep_pfkey_open()
-{
- return pfkey_open();
-}
-
-void privsep_pfkey_close(int key)
-{
- pfkey_close(key);
-}
-
-vchar_t *privsep_eay_get_pkcs1privkey(char *file)
-{
- return eay_get_pkcs1privkey(file);
-}
-
-static char *get_env(char * const *envp, char *key)
-{
- int length = strlen(key);
- while (*envp && (strncmp(*envp, key, length) || (*envp)[length] != '=')) {
- ++envp;
- }
- return *envp ? &(*envp)[length + 1] : "";
-}
-
-static int skip_script = 0;
-extern const char *android_hook(char **envp);
-
-int privsep_script_exec(char *script, int name, char * const *envp)
-{
- if (skip_script) {
- return 0;
- }
- skip_script = 1;
-
- if (name == SCRIPT_PHASE1_DOWN) {
- exit(1);
- }
- if (script_names[SCRIPT_PHASE1_UP]) {
- /* Racoon ignores INTERNAL_IP6_ADDRESS, so we only do IPv4. */
- struct sockaddr *addr4 = str2saddr(get_env(envp, "INTERNAL_ADDR4"),
- NULL);
- struct sockaddr *local = str2saddr(get_env(envp, "LOCAL_ADDR"),
- get_env(envp, "LOCAL_PORT"));
- struct sockaddr *remote = str2saddr(get_env(envp, "REMOTE_ADDR"),
- get_env(envp, "REMOTE_PORT"));
-
- if (addr4 && local && remote) {
-#ifdef ANDROID_CHANGES
- if (pname) {
- script = (char *)android_hook((char **)envp);
- }
-#endif
- spdadd(addr4, NULL, IPPROTO_IP, local, remote);
- } else {
- do_plog(LLV_ERROR, "Cannot get parameters for SPD policy.\n");
- exit(1);
- }
-
- racoon_free(addr4);
- racoon_free(local);
- racoon_free(remote);
- return script_exec(script, name, envp);
- }
- return 0;
-}
-
-int privsep_accounting_system(int port, struct sockaddr *addr,
- char *user, int status)
-{
- return 0;
-}
-
-int privsep_xauth_login_system(char *user, char *password)
-{
- return -1;
-}
-
-/* misc.h */
-
-int racoon_hexdump(const void *data, size_t length)
-{
- return 0;
-}
-
-/* sainfo.h */
-
-struct sainfo *getsainfo(const vchar_t *src, const vchar_t *dst,
- const vchar_t *peer, int remoteid)
-{
- return &sainfo;
-}
-
-const char *sainfo2str(const struct sainfo *si)
-{
- return "*";
-}
-
-/* throttle.h */
-
-int throttle_host(struct sockaddr *addr, int fail)
-{
- return 0;
-}
-
-void shutdown_session()
-{
- flushph2();
- flushph1();
- isakmp_close();
- pfkey_close(localconf.sock_pfkey);
-}
diff --git a/src/racoon/MODULE_LICENSE_BSD b/src/racoon/MODULE_LICENSE_BSD
deleted file mode 100644
index e69de29..0000000
--- a/src/racoon/MODULE_LICENSE_BSD
+++ /dev/null
diff --git a/src/racoon/Makefile.am b/src/racoon/Makefile.am
deleted file mode 100644
index 202a18e..0000000
--- a/src/racoon/Makefile.am
+++ /dev/null
@@ -1,127 +0,0 @@
-# Id: Makefile.am,v 1.23 2005/07/01 08:57:50 manubsd Exp
-
-sbin_PROGRAMS = racoon racoonctl plainrsa-gen
-noinst_PROGRAMS = eaytest
-include_racoon_HEADERS = racoonctl.h var.h vmbuf.h misc.h gcmalloc.h admin.h \
- schedule.h sockmisc.h vmbuf.h isakmp_var.h isakmp.h isakmp_xauth.h \
- isakmp_cfg.h isakmp_unity.h ipsec_doi.h evt.h
-lib_LTLIBRARIES = libracoon.la
-
-adminsockdir=${localstatedir}/racoon
-
-BUILT_SOURCES = cfparse.h prsa_par.h
-INCLUDES = -I${srcdir}/../libipsec
-AM_CFLAGS = -D_GNU_SOURCE @GLIBC_BUGS@ -DSYSCONFDIR=\"${sysconfdir}\" \
- -DADMINPORTDIR=\"${adminsockdir}\"
-AM_LDFLAGS = @EXTRA_CRYPTO@ -lcrypto
-AM_YFLAGS = -d ${$*_YFLAGS}
-AM_LFLAGS = ${$*_LFLAGS}
-
-prsa_par_YFLAGS = -p prsa
-prsa_tok_LFLAGS = -Pprsa -olex.yy.c
-
-MISSING_ALGOS = \
- missing/crypto/sha2/sha2.c \
- missing/crypto/rijndael/rijndael-api-fst.c \
- missing/crypto/rijndael/rijndael-alg-fst.c
-
-racoon_SOURCES = \
- main.c session.c isakmp.c handler.c \
- isakmp_ident.c isakmp_agg.c isakmp_base.c \
- isakmp_quick.c isakmp_inf.c isakmp_newg.c \
- gssapi.c dnssec.c getcertsbyname.c privsep.c \
- pfkey.c admin.c evt.c ipsec_doi.c oakley.c grabmyaddr.c vendorid.c \
- policy.c localconf.c remoteconf.c crypto_openssl.c algorithm.c \
- proposal.c sainfo.c strnames.c \
- plog.c logger.c schedule.c str2val.c \
- safefile.c backupsa.c genlist.c rsalist.c \
- cftoken.l cfparse.y prsa_tok.l prsa_par.y
-EXTRA_racoon_SOURCES = isakmp_xauth.c isakmp_cfg.c isakmp_unity.c throttle.c \
- isakmp_frag.c nattraversal.c security.c $(MISSING_ALGOS)
-racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(LEXLIB) \
- $(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la
-racoon_DEPENDENCIES = \
- $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(SECCTX_OBJS) \
- vmbuf.o sockmisc.o misc.o
-
-racoonctl_SOURCES = racoonctl.c str2val.c
-racoonctl_LDADD = libracoon.la ../libipsec/libipsec.la
-
-libracoon_la_SOURCES = kmpstat.c vmbuf.c sockmisc.c misc.c
-
-plainrsa_gen_SOURCES = plainrsa-gen.c plog.c \
- crypto_openssl.c logger.c
-EXTRA_plainrsa_gen_SOURCES = $(MISSING_ALGOS)
-plainrsa_gen_LDADD = $(CRYPTOBJS) vmbuf.o misc.o
-plainrsa_gen_DEPENDENCIES = $(CRYPTOBJS) vmbuf.o misc.o
-
-eaytest_SOURCES = eaytest.c plog.c logger.c
-EXTRA_eaytest_SOURCES = missing/crypto/sha2/sha2.c
-eaytest_LDADD = crypto_openssl_test.o vmbuf.o str2val.o misc_noplog.o \
- $(CRYPTOBJS)
-eaytest_DEPENDENCIES = crypto_openssl_test.o vmbuf.o str2val.o \
- misc_noplog.o $(CRYPTOBJS)
-
-noinst_HEADERS = \
- admin.h dnssec.h isakmp_base.h oakley.h session.h \
- admin_var.h dump.h isakmp_ident.h pfkey.h sockmisc.h \
- algorithm.h gcmalloc.h isakmp_inf.h plog.h str2val.h \
- backupsa.h gnuc.h isakmp_newg.h policy.h strnames.h \
- grabmyaddr.h isakmp_quick.h proposal.h var.h evt.h \
- gssapi.h isakmp_var.h vendorid.h nattraversal.h\
- crypto_openssl.h handler.h localconf.h remoteconf.h vmbuf.h \
- debug.h ipsec_doi.h logger.h safefile.h \
- debugrm.h isakmp.h misc.h sainfo.h \
- dhgroup.h isakmp_agg.h netdb_dnssec.h schedule.h \
- isakmp_cfg.h isakmp_xauth.h isakmp_unity.h isakmp_frag.h \
- throttle.h privsep.h \
- cfparse_proto.h cftoken_proto.h genlist.h rsalist.h \
- missing/crypto/sha2/sha2.h missing/crypto/rijndael/rijndael_local.h \
- missing/crypto/rijndael/rijndael-api-fst.h \
- missing/crypto/rijndael/rijndael-alg-fst.h \
- missing/crypto/rijndael/rijndael.h
-
-man5_MANS = racoon.conf.5
-man8_MANS = racoon.8 racoonctl.8 plainrsa-gen.8
-
-EXTRA_DIST = \
- ${man5_MANS} ${man8_MANS} \
- missing/crypto/rijndael/boxes-fst.dat \
- doc/FAQ doc/README.certificate doc/README.gssapi doc/README.plainrsa \
- contrib/sp.pl stats.pl \
- samples/psk.txt.sample samples/racoon.conf.sample \
- samples/psk.txt.in samples/racoon.conf.in \
- samples/racoon.conf.sample-gssapi samples/racoon.conf.sample-natt \
- samples/racoon.conf.sample-inherit samples/racoon.conf.sample-plainrsa \
- samples/roadwarrior/README \
- samples/roadwarrior/client/phase1-down.sh \
- samples/roadwarrior/client/phase1-up.sh \
- samples/roadwarrior/client/racoon.conf \
- samples/roadwarrior/server/racoon.conf \
- samples/roadwarrior/server/racoon.conf-radius
-
-TESTS = eaytest
-
-install-exec-local:
- ${mkinstalldirs} $(DESTDIR)${adminsockdir}
-
-# special object rules
-crypto_openssl_test.o: crypto_openssl.c
- $(COMPILE) -DEAYDEBUG -o crypto_openssl_test.o -c $(srcdir)/crypto_openssl.c
-
-misc_noplog.o: misc.c
- $(COMPILE) -DNOUSE_PLOG -o misc_noplog.o -c $(srcdir)/misc.c
-
-# missing/*.c
-strdup.o: $(srcdir)/missing/strdup.c
- $(COMPILE) -c $(srcdir)/missing/$*.c
-getaddrinfo.o: $(srcdir)/missing/getaddrinfo.c
- $(COMPILE) -c $(srcdir)/missing/$*.c
-getnameinfo.o: $(srcdir)/missing/getnameinfo.c
- $(COMPILE) -c $(srcdir)/missing/$*.c
-rijndael-api-fst.o: $(srcdir)/missing/crypto/rijndael/rijndael-api-fst.c
- $(COMPILE) -c $(srcdir)/missing/crypto/rijndael/$*.c
-rijndael-alg-fst.o: $(srcdir)/missing/crypto/rijndael/rijndael-alg-fst.c
- $(COMPILE) -c $(srcdir)/missing/crypto/rijndael/$*.c
-sha2.o: $(srcdir)/missing/crypto/sha2/sha2.c
- $(COMPILE) -c $(srcdir)/missing/crypto/sha2/$*.c
diff --git a/src/racoon/Makefile.in b/src/racoon/Makefile.in
deleted file mode 100644
index 47e997b..0000000
--- a/src/racoon/Makefile.in
+++ /dev/null
@@ -1,1000 +0,0 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-# Id: Makefile.am,v 1.23 2005/07/01 08:57:50 manubsd Exp
-
-
-
-VPATH = @srcdir@
-pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-sbin_PROGRAMS = racoon$(EXEEXT) racoonctl$(EXEEXT) \
- plainrsa-gen$(EXEEXT)
-noinst_PROGRAMS = eaytest$(EXEEXT)
-TESTS = eaytest$(EXEEXT)
-subdir = src/racoon
-DIST_COMMON = $(include_racoon_HEADERS) $(noinst_HEADERS) \
- $(srcdir)/Makefile.am $(srcdir)/Makefile.in TODO cfparse.c \
- cfparse.h cftoken.c prsa_par.c prsa_par.h prsa_tok.c
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/acracoon.m4 \
- $(top_srcdir)/configure.ac
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
- $(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_HEADER = $(top_builddir)/config.h
-CONFIG_CLEAN_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
- $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
- *) f=$$p;; \
- esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
-am__installdirs = "$(DESTDIR)$(libdir)" "$(DESTDIR)$(sbindir)" \
- "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" \
- "$(DESTDIR)$(include_racoondir)"
-libLTLIBRARIES_INSTALL = $(INSTALL)
-LTLIBRARIES = $(lib_LTLIBRARIES)
-libracoon_la_LIBADD =
-am_libracoon_la_OBJECTS = kmpstat.lo vmbuf.lo sockmisc.lo misc.lo
-libracoon_la_OBJECTS = $(am_libracoon_la_OBJECTS)
-sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
-PROGRAMS = $(noinst_PROGRAMS) $(sbin_PROGRAMS)
-am_eaytest_OBJECTS = eaytest.$(OBJEXT) plog.$(OBJEXT) logger.$(OBJEXT)
-eaytest_OBJECTS = $(am_eaytest_OBJECTS)
-am__DEPENDENCIES_1 =
-am_plainrsa_gen_OBJECTS = plainrsa-gen.$(OBJEXT) plog.$(OBJEXT) \
- crypto_openssl.$(OBJEXT) logger.$(OBJEXT)
-plainrsa_gen_OBJECTS = $(am_plainrsa_gen_OBJECTS)
-am_racoon_OBJECTS = main.$(OBJEXT) session.$(OBJEXT) isakmp.$(OBJEXT) \
- handler.$(OBJEXT) isakmp_ident.$(OBJEXT) isakmp_agg.$(OBJEXT) \
- isakmp_base.$(OBJEXT) isakmp_quick.$(OBJEXT) \
- isakmp_inf.$(OBJEXT) isakmp_newg.$(OBJEXT) gssapi.$(OBJEXT) \
- dnssec.$(OBJEXT) getcertsbyname.$(OBJEXT) privsep.$(OBJEXT) \
- pfkey.$(OBJEXT) admin.$(OBJEXT) evt.$(OBJEXT) \
- ipsec_doi.$(OBJEXT) oakley.$(OBJEXT) grabmyaddr.$(OBJEXT) \
- vendorid.$(OBJEXT) policy.$(OBJEXT) localconf.$(OBJEXT) \
- remoteconf.$(OBJEXT) crypto_openssl.$(OBJEXT) \
- algorithm.$(OBJEXT) proposal.$(OBJEXT) sainfo.$(OBJEXT) \
- strnames.$(OBJEXT) plog.$(OBJEXT) logger.$(OBJEXT) \
- schedule.$(OBJEXT) str2val.$(OBJEXT) safefile.$(OBJEXT) \
- backupsa.$(OBJEXT) genlist.$(OBJEXT) rsalist.$(OBJEXT) \
- cftoken.$(OBJEXT) cfparse.$(OBJEXT) prsa_tok.$(OBJEXT) \
- prsa_par.$(OBJEXT)
-racoon_OBJECTS = $(am_racoon_OBJECTS)
-am_racoonctl_OBJECTS = racoonctl.$(OBJEXT) str2val.$(OBJEXT)
-racoonctl_OBJECTS = $(am_racoonctl_OBJECTS)
-racoonctl_DEPENDENCIES = libracoon.la ../libipsec/libipsec.la
-DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
- $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
- --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
- $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-CCLD = $(CC)
-LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
- --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
- $(LDFLAGS) -o $@
-LEXCOMPILE = $(LEX) $(LFLAGS) $(AM_LFLAGS)
-LTLEXCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
- --mode=compile $(LEX) $(LFLAGS) $(AM_LFLAGS)
-YLWRAP = $(top_srcdir)/ylwrap
-YACCCOMPILE = $(YACC) $(YFLAGS) $(AM_YFLAGS)
-LTYACCCOMPILE = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
- --mode=compile $(YACC) $(YFLAGS) $(AM_YFLAGS)
-SOURCES = $(libracoon_la_SOURCES) $(eaytest_SOURCES) \
- $(EXTRA_eaytest_SOURCES) $(plainrsa_gen_SOURCES) \
- $(EXTRA_plainrsa_gen_SOURCES) $(racoon_SOURCES) \
- $(EXTRA_racoon_SOURCES) $(racoonctl_SOURCES)
-DIST_SOURCES = $(libracoon_la_SOURCES) $(eaytest_SOURCES) \
- $(EXTRA_eaytest_SOURCES) $(plainrsa_gen_SOURCES) \
- $(EXTRA_plainrsa_gen_SOURCES) $(racoon_SOURCES) \
- $(EXTRA_racoon_SOURCES) $(racoonctl_SOURCES)
-man5dir = $(mandir)/man5
-man8dir = $(mandir)/man8
-NROFF = nroff
-MANS = $(man5_MANS) $(man8_MANS)
-include_racoonHEADERS_INSTALL = $(INSTALL_HEADER)
-HEADERS = $(include_racoon_HEADERS) $(noinst_HEADERS)
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-AMTAR = @AMTAR@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-CONFIGURE_AMFLAGS = @CONFIGURE_AMFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CRYPTOBJS = @CRYPTOBJS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-EXTRA_CRYPTO = @EXTRA_CRYPTO@
-F77 = @F77@
-FFLAGS = @FFLAGS@
-FRAG_OBJS = @FRAG_OBJS@
-GLIBC_BUGS = @GLIBC_BUGS@
-GREP = @GREP@
-HYBRID_OBJS = @HYBRID_OBJS@
-INCLUDE_GLIBC = @INCLUDE_GLIBC@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_OPTS = @INSTALL_OPTS@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-KERNEL_INCLUDE = @KERNEL_INCLUDE@
-KRB5_CONFIG = @KRB5_CONFIG@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MKDIR_P = @MKDIR_P@
-NATT_OBJS = @NATT_OBJS@
-NMEDIT = @NMEDIT@
-OBJEXT = @OBJEXT@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-RANLIB = @RANLIB@
-RPM = @RPM@
-SECCTX_OBJS = @SECCTX_OBJS@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-STRIP = @STRIP@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-datadir = @datadir@
-datarootdir = @datarootdir@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-include_racoondir = @include_racoondir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-libdir = @libdir@
-libexecdir = @libexecdir@
-localedir = @localedir@
-localstatedir = @localstatedir@
-mandir = @mandir@
-mkdir_p = @mkdir_p@
-oldincludedir = @oldincludedir@
-pdfdir = @pdfdir@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-sbindir = @sbindir@
-sharedstatedir = @sharedstatedir@
-srcdir = @srcdir@
-sysconfdir = @sysconfdir@
-target_alias = @target_alias@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-include_racoon_HEADERS = racoonctl.h var.h vmbuf.h misc.h gcmalloc.h admin.h \
- schedule.h sockmisc.h vmbuf.h isakmp_var.h isakmp.h isakmp_xauth.h \
- isakmp_cfg.h isakmp_unity.h ipsec_doi.h evt.h
-
-lib_LTLIBRARIES = libracoon.la
-adminsockdir = ${localstatedir}/racoon
-BUILT_SOURCES = cfparse.h prsa_par.h
-INCLUDES = -I${srcdir}/../libipsec
-AM_CFLAGS = -D_GNU_SOURCE @GLIBC_BUGS@ -DSYSCONFDIR=\"${sysconfdir}\" \
- -DADMINPORTDIR=\"${adminsockdir}\"
-
-AM_LDFLAGS = @EXTRA_CRYPTO@ -lcrypto
-AM_YFLAGS = -d ${$*_YFLAGS}
-AM_LFLAGS = ${$*_LFLAGS}
-prsa_par_YFLAGS = -p prsa
-prsa_tok_LFLAGS = -Pprsa -olex.yy.c
-MISSING_ALGOS = \
- missing/crypto/sha2/sha2.c \
- missing/crypto/rijndael/rijndael-api-fst.c \
- missing/crypto/rijndael/rijndael-alg-fst.c
-
-racoon_SOURCES = \
- main.c session.c isakmp.c handler.c \
- isakmp_ident.c isakmp_agg.c isakmp_base.c \
- isakmp_quick.c isakmp_inf.c isakmp_newg.c \
- gssapi.c dnssec.c getcertsbyname.c privsep.c \
- pfkey.c admin.c evt.c ipsec_doi.c oakley.c grabmyaddr.c vendorid.c \
- policy.c localconf.c remoteconf.c crypto_openssl.c algorithm.c \
- proposal.c sainfo.c strnames.c \
- plog.c logger.c schedule.c str2val.c \
- safefile.c backupsa.c genlist.c rsalist.c \
- cftoken.l cfparse.y prsa_tok.l prsa_par.y
-
-EXTRA_racoon_SOURCES = isakmp_xauth.c isakmp_cfg.c isakmp_unity.c throttle.c \
- isakmp_frag.c nattraversal.c security.c $(MISSING_ALGOS)
-
-racoon_LDADD = $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(LEXLIB) \
- $(SECCTX_OBJS) vmbuf.o sockmisc.o misc.o ../libipsec/libipsec.la
-
-racoon_DEPENDENCIES = \
- $(CRYPTOBJS) $(HYBRID_OBJS) $(NATT_OBJS) $(FRAG_OBJS) $(SECCTX_OBJS) \
- vmbuf.o sockmisc.o misc.o
-
-racoonctl_SOURCES = racoonctl.c str2val.c
-racoonctl_LDADD = libracoon.la ../libipsec/libipsec.la
-libracoon_la_SOURCES = kmpstat.c vmbuf.c sockmisc.c misc.c
-plainrsa_gen_SOURCES = plainrsa-gen.c plog.c \
- crypto_openssl.c logger.c
-
-EXTRA_plainrsa_gen_SOURCES = $(MISSING_ALGOS)
-plainrsa_gen_LDADD = $(CRYPTOBJS) vmbuf.o misc.o
-plainrsa_gen_DEPENDENCIES = $(CRYPTOBJS) vmbuf.o misc.o
-eaytest_SOURCES = eaytest.c plog.c logger.c
-EXTRA_eaytest_SOURCES = missing/crypto/sha2/sha2.c
-eaytest_LDADD = crypto_openssl_test.o vmbuf.o str2val.o misc_noplog.o \
- $(CRYPTOBJS)
-
-eaytest_DEPENDENCIES = crypto_openssl_test.o vmbuf.o str2val.o \
- misc_noplog.o $(CRYPTOBJS)
-
-noinst_HEADERS = \
- admin.h dnssec.h isakmp_base.h oakley.h session.h \
- admin_var.h dump.h isakmp_ident.h pfkey.h sockmisc.h \
- algorithm.h gcmalloc.h isakmp_inf.h plog.h str2val.h \
- backupsa.h gnuc.h isakmp_newg.h policy.h strnames.h \
- grabmyaddr.h isakmp_quick.h proposal.h var.h evt.h \
- gssapi.h isakmp_var.h vendorid.h nattraversal.h\
- crypto_openssl.h handler.h localconf.h remoteconf.h vmbuf.h \
- debug.h ipsec_doi.h logger.h safefile.h \
- debugrm.h isakmp.h misc.h sainfo.h \
- dhgroup.h isakmp_agg.h netdb_dnssec.h schedule.h \
- isakmp_cfg.h isakmp_xauth.h isakmp_unity.h isakmp_frag.h \
- throttle.h privsep.h \
- cfparse_proto.h cftoken_proto.h genlist.h rsalist.h \
- missing/crypto/sha2/sha2.h missing/crypto/rijndael/rijndael_local.h \
- missing/crypto/rijndael/rijndael-api-fst.h \
- missing/crypto/rijndael/rijndael-alg-fst.h \
- missing/crypto/rijndael/rijndael.h
-
-man5_MANS = racoon.conf.5
-man8_MANS = racoon.8 racoonctl.8 plainrsa-gen.8
-EXTRA_DIST = \
- ${man5_MANS} ${man8_MANS} \
- missing/crypto/rijndael/boxes-fst.dat \
- doc/FAQ doc/README.certificate doc/README.gssapi doc/README.plainrsa \
- contrib/sp.pl stats.pl \
- samples/psk.txt.sample samples/racoon.conf.sample \
- samples/psk.txt.in samples/racoon.conf.in \
- samples/racoon.conf.sample-gssapi samples/racoon.conf.sample-natt \
- samples/racoon.conf.sample-inherit samples/racoon.conf.sample-plainrsa \
- samples/roadwarrior/README \
- samples/roadwarrior/client/phase1-down.sh \
- samples/roadwarrior/client/phase1-up.sh \
- samples/roadwarrior/client/racoon.conf \
- samples/roadwarrior/server/racoon.conf \
- samples/roadwarrior/server/racoon.conf-radius
-
-all: $(BUILT_SOURCES)
- $(MAKE) $(AM_MAKEFLAGS) all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .l .lo .o .obj .y
-$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
- @for dep in $?; do \
- case '$(am__configure_deps)' in \
- *$$dep*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
- && exit 0; \
- exit 1;; \
- esac; \
- done; \
- echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/racoon/Makefile'; \
- cd $(top_srcdir) && \
- $(AUTOMAKE) --foreign src/racoon/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
- @case '$?' in \
- *config.status*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
- *) \
- echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
- cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
- esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure: $(am__configure_deps)
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4): $(am__aclocal_m4_deps)
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-install-libLTLIBRARIES: $(lib_LTLIBRARIES)
- @$(NORMAL_INSTALL)
- test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)"
- @list='$(lib_LTLIBRARIES)'; for p in $$list; do \
- if test -f $$p; then \
- f=$(am__strip_dir) \
- echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(libdir)/$$f'"; \
- $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(libLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(libdir)/$$f"; \
- else :; fi; \
- done
-
-uninstall-libLTLIBRARIES:
- @$(NORMAL_UNINSTALL)
- @list='$(lib_LTLIBRARIES)'; for p in $$list; do \
- p=$(am__strip_dir) \
- echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(libdir)/$$p'"; \
- $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(libdir)/$$p"; \
- done
-
-clean-libLTLIBRARIES:
- -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES)
- @list='$(lib_LTLIBRARIES)'; for p in $$list; do \
- dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
- test "$$dir" != "$$p" || dir=.; \
- echo "rm -f \"$${dir}/so_locations\""; \
- rm -f "$${dir}/so_locations"; \
- done
-libracoon.la: $(libracoon_la_OBJECTS) $(libracoon_la_DEPENDENCIES)
- $(LINK) -rpath $(libdir) $(libracoon_la_OBJECTS) $(libracoon_la_LIBADD) $(LIBS)
-
-clean-noinstPROGRAMS:
- @list='$(noinst_PROGRAMS)'; for p in $$list; do \
- f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
- echo " rm -f $$p $$f"; \
- rm -f $$p $$f ; \
- done
-install-sbinPROGRAMS: $(sbin_PROGRAMS)
- @$(NORMAL_INSTALL)
- test -z "$(sbindir)" || $(MKDIR_P) "$(DESTDIR)$(sbindir)"
- @list='$(sbin_PROGRAMS)'; for p in $$list; do \
- p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
- if test -f $$p \
- || test -f $$p1 \
- ; then \
- f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \
- echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(sbinPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(sbindir)/$$f'"; \
- $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(sbinPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(sbindir)/$$f" || exit 1; \
- else :; fi; \
- done
-
-uninstall-sbinPROGRAMS:
- @$(NORMAL_UNINSTALL)
- @list='$(sbin_PROGRAMS)'; for p in $$list; do \
- f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \
- echo " rm -f '$(DESTDIR)$(sbindir)/$$f'"; \
- rm -f "$(DESTDIR)$(sbindir)/$$f"; \
- done
-
-clean-sbinPROGRAMS:
- @list='$(sbin_PROGRAMS)'; for p in $$list; do \
- f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
- echo " rm -f $$p $$f"; \
- rm -f $$p $$f ; \
- done
-eaytest$(EXEEXT): $(eaytest_OBJECTS) $(eaytest_DEPENDENCIES)
- @rm -f eaytest$(EXEEXT)
- $(LINK) $(eaytest_OBJECTS) $(eaytest_LDADD) $(LIBS)
-plainrsa-gen$(EXEEXT): $(plainrsa_gen_OBJECTS) $(plainrsa_gen_DEPENDENCIES)
- @rm -f plainrsa-gen$(EXEEXT)
- $(LINK) $(plainrsa_gen_OBJECTS) $(plainrsa_gen_LDADD) $(LIBS)
-cfparse.h: cfparse.c
- @if test ! -f $@; then \
- rm -f cfparse.c; \
- $(MAKE) $(AM_MAKEFLAGS) cfparse.c; \
- else :; fi
-prsa_par.h: prsa_par.c
- @if test ! -f $@; then \
- rm -f prsa_par.c; \
- $(MAKE) $(AM_MAKEFLAGS) prsa_par.c; \
- else :; fi
-racoon$(EXEEXT): $(racoon_OBJECTS) $(racoon_DEPENDENCIES)
- @rm -f racoon$(EXEEXT)
- $(LINK) $(racoon_OBJECTS) $(racoon_LDADD) $(LIBS)
-racoonctl$(EXEEXT): $(racoonctl_OBJECTS) $(racoonctl_DEPENDENCIES)
- @rm -f racoonctl$(EXEEXT)
- $(LINK) $(racoonctl_OBJECTS) $(racoonctl_LDADD) $(LIBS)
-
-mostlyclean-compile:
- -rm -f *.$(OBJEXT)
-
-distclean-compile:
- -rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/admin.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/algorithm.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/backupsa.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cfparse.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cftoken.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypto_openssl.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dnssec.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eaytest.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/evt.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/genlist.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/getcertsbyname.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/grabmyaddr.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gssapi.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/handler.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ipsec_doi.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/isakmp.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/isakmp_agg.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/isakmp_base.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/isakmp_cfg.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/isakmp_frag.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/isakmp_ident.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/isakmp_inf.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/isakmp_newg.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/isakmp_quick.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/isakmp_unity.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/isakmp_xauth.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/kmpstat.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/localconf.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/logger.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/main.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/misc.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nattraversal.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/oakley.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pfkey.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/plainrsa-gen.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/plog.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/policy.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/privsep.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/proposal.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/prsa_par.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/prsa_tok.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/racoonctl.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/remoteconf.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rijndael-alg-fst.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rijndael-api-fst.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rsalist.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/safefile.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sainfo.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/schedule.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/security.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/session.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha2.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sockmisc.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/str2val.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/strnames.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/throttle.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vendorid.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vmbuf.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(COMPILE) -c $<
-
-.c.obj:
-@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
-
-sha2.obj: missing/crypto/sha2/sha2.c
-@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT sha2.obj -MD -MP -MF $(DEPDIR)/sha2.Tpo -c -o sha2.obj `if test -f 'missing/crypto/sha2/sha2.c'; then $(CYGPATH_W) 'missing/crypto/sha2/sha2.c'; else $(CYGPATH_W) '$(srcdir)/missing/crypto/sha2/sha2.c'; fi`
-@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/sha2.Tpo $(DEPDIR)/sha2.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='missing/crypto/sha2/sha2.c' object='sha2.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o sha2.obj `if test -f 'missing/crypto/sha2/sha2.c'; then $(CYGPATH_W) 'missing/crypto/sha2/sha2.c'; else $(CYGPATH_W) '$(srcdir)/missing/crypto/sha2/sha2.c'; fi`
-
-rijndael-api-fst.obj: missing/crypto/rijndael/rijndael-api-fst.c
-@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rijndael-api-fst.obj -MD -MP -MF $(DEPDIR)/rijndael-api-fst.Tpo -c -o rijndael-api-fst.obj `if test -f 'missing/crypto/rijndael/rijndael-api-fst.c'; then $(CYGPATH_W) 'missing/crypto/rijndael/rijndael-api-fst.c'; else $(CYGPATH_W) '$(srcdir)/missing/crypto/rijndael/rijndael-api-fst.c'; fi`
-@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/rijndael-api-fst.Tpo $(DEPDIR)/rijndael-api-fst.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='missing/crypto/rijndael/rijndael-api-fst.c' object='rijndael-api-fst.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rijndael-api-fst.obj `if test -f 'missing/crypto/rijndael/rijndael-api-fst.c'; then $(CYGPATH_W) 'missing/crypto/rijndael/rijndael-api-fst.c'; else $(CYGPATH_W) '$(srcdir)/missing/crypto/rijndael/rijndael-api-fst.c'; fi`
-
-rijndael-alg-fst.obj: missing/crypto/rijndael/rijndael-alg-fst.c
-@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rijndael-alg-fst.obj -MD -MP -MF $(DEPDIR)/rijndael-alg-fst.Tpo -c -o rijndael-alg-fst.obj `if test -f 'missing/crypto/rijndael/rijndael-alg-fst.c'; then $(CYGPATH_W) 'missing/crypto/rijndael/rijndael-alg-fst.c'; else $(CYGPATH_W) '$(srcdir)/missing/crypto/rijndael/rijndael-alg-fst.c'; fi`
-@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/rijndael-alg-fst.Tpo $(DEPDIR)/rijndael-alg-fst.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='missing/crypto/rijndael/rijndael-alg-fst.c' object='rijndael-alg-fst.obj' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rijndael-alg-fst.obj `if test -f 'missing/crypto/rijndael/rijndael-alg-fst.c'; then $(CYGPATH_W) 'missing/crypto/rijndael/rijndael-alg-fst.c'; else $(CYGPATH_W) '$(srcdir)/missing/crypto/rijndael/rijndael-alg-fst.c'; fi`
-
-.l.c:
- $(am__skiplex) $(SHELL) $(YLWRAP) $< $(LEX_OUTPUT_ROOT).c $@ -- $(LEXCOMPILE)
-
-.y.c:
- $(am__skipyacc) $(SHELL) $(YLWRAP) $< y.tab.c $@ y.tab.h $*.h y.output $*.output -- $(YACCCOMPILE)
-
-mostlyclean-libtool:
- -rm -f *.lo
-
-clean-libtool:
- -rm -rf .libs _libs
-install-man5: $(man5_MANS) $(man_MANS)
- @$(NORMAL_INSTALL)
- test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)"
- @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \
- l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
- for i in $$l2; do \
- case "$$i" in \
- *.5*) list="$$list $$i" ;; \
- esac; \
- done; \
- for i in $$list; do \
- if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
- else file=$$i; fi; \
- ext=`echo $$i | sed -e 's/^.*\\.//'`; \
- case "$$ext" in \
- 5*) ;; \
- *) ext='5' ;; \
- esac; \
- inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
- inst=`echo $$inst | sed -e 's/^.*\///'`; \
- inst=`echo $$inst | sed '$(transform)'`.$$ext; \
- echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \
- $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst"; \
- done
-uninstall-man5:
- @$(NORMAL_UNINSTALL)
- @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \
- l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
- for i in $$l2; do \
- case "$$i" in \
- *.5*) list="$$list $$i" ;; \
- esac; \
- done; \
- for i in $$list; do \
- ext=`echo $$i | sed -e 's/^.*\\.//'`; \
- case "$$ext" in \
- 5*) ;; \
- *) ext='5' ;; \
- esac; \
- inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
- inst=`echo $$inst | sed -e 's/^.*\///'`; \
- inst=`echo $$inst | sed '$(transform)'`.$$ext; \
- echo " rm -f '$(DESTDIR)$(man5dir)/$$inst'"; \
- rm -f "$(DESTDIR)$(man5dir)/$$inst"; \
- done
-install-man8: $(man8_MANS) $(man_MANS)
- @$(NORMAL_INSTALL)
- test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
- @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
- l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
- for i in $$l2; do \
- case "$$i" in \
- *.8*) list="$$list $$i" ;; \
- esac; \
- done; \
- for i in $$list; do \
- if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
- else file=$$i; fi; \
- ext=`echo $$i | sed -e 's/^.*\\.//'`; \
- case "$$ext" in \
- 8*) ;; \
- *) ext='8' ;; \
- esac; \
- inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
- inst=`echo $$inst | sed -e 's/^.*\///'`; \
- inst=`echo $$inst | sed '$(transform)'`.$$ext; \
- echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
- $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \
- done
-uninstall-man8:
- @$(NORMAL_UNINSTALL)
- @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
- l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
- for i in $$l2; do \
- case "$$i" in \
- *.8*) list="$$list $$i" ;; \
- esac; \
- done; \
- for i in $$list; do \
- ext=`echo $$i | sed -e 's/^.*\\.//'`; \
- case "$$ext" in \
- 8*) ;; \
- *) ext='8' ;; \
- esac; \
- inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
- inst=`echo $$inst | sed -e 's/^.*\///'`; \
- inst=`echo $$inst | sed '$(transform)'`.$$ext; \
- echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \
- rm -f "$(DESTDIR)$(man8dir)/$$inst"; \
- done
-install-include_racoonHEADERS: $(include_racoon_HEADERS)
- @$(NORMAL_INSTALL)
- test -z "$(include_racoondir)" || $(MKDIR_P) "$(DESTDIR)$(include_racoondir)"
- @list='$(include_racoon_HEADERS)'; for p in $$list; do \
- if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
- f=$(am__strip_dir) \
- echo " $(include_racoonHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(include_racoondir)/$$f'"; \
- $(include_racoonHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(include_racoondir)/$$f"; \
- done
-
-uninstall-include_racoonHEADERS:
- @$(NORMAL_UNINSTALL)
- @list='$(include_racoon_HEADERS)'; for p in $$list; do \
- f=$(am__strip_dir) \
- echo " rm -f '$(DESTDIR)$(include_racoondir)/$$f'"; \
- rm -f "$(DESTDIR)$(include_racoondir)/$$f"; \
- done
-
-ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
- list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
- unique=`for i in $$list; do \
- if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
- done | \
- $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
- END { if (nonempty) { for (i in files) print i; }; }'`; \
- mkid -fID $$unique
-tags: TAGS
-
-TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
- $(TAGS_FILES) $(LISP)
- tags=; \
- here=`pwd`; \
- list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
- unique=`for i in $$list; do \
- if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
- done | \
- $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
- END { if (nonempty) { for (i in files) print i; }; }'`; \
- if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
- test -n "$$unique" || unique=$$empty_fix; \
- $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
- $$tags $$unique; \
- fi
-ctags: CTAGS
-CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
- $(TAGS_FILES) $(LISP)
- tags=; \
- list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
- unique=`for i in $$list; do \
- if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
- done | \
- $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
- END { if (nonempty) { for (i in files) print i; }; }'`; \
- test -z "$(CTAGS_ARGS)$$tags$$unique" \
- || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
- $$tags $$unique
-
-GTAGS:
- here=`$(am__cd) $(top_builddir) && pwd` \
- && cd $(top_srcdir) \
- && gtags -i $(GTAGS_ARGS) $$here
-
-distclean-tags:
- -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-check-TESTS: $(TESTS)
- @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \
- srcdir=$(srcdir); export srcdir; \
- list=' $(TESTS) '; \
- if test -n "$$list"; then \
- for tst in $$list; do \
- if test -f ./$$tst; then dir=./; \
- elif test -f $$tst; then dir=; \
- else dir="$(srcdir)/"; fi; \
- if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
- all=`expr $$all + 1`; \
- case " $(XFAIL_TESTS) " in \
- *$$ws$$tst$$ws*) \
- xpass=`expr $$xpass + 1`; \
- failed=`expr $$failed + 1`; \
- echo "XPASS: $$tst"; \
- ;; \
- *) \
- echo "PASS: $$tst"; \
- ;; \
- esac; \
- elif test $$? -ne 77; then \
- all=`expr $$all + 1`; \
- case " $(XFAIL_TESTS) " in \
- *$$ws$$tst$$ws*) \
- xfail=`expr $$xfail + 1`; \
- echo "XFAIL: $$tst"; \
- ;; \
- *) \
- failed=`expr $$failed + 1`; \
- echo "FAIL: $$tst"; \
- ;; \
- esac; \
- else \
- skip=`expr $$skip + 1`; \
- echo "SKIP: $$tst"; \
- fi; \
- done; \
- if test "$$failed" -eq 0; then \
- if test "$$xfail" -eq 0; then \
- banner="All $$all tests passed"; \
- else \
- banner="All $$all tests behaved as expected ($$xfail expected failures)"; \
- fi; \
- else \
- if test "$$xpass" -eq 0; then \
- banner="$$failed of $$all tests failed"; \
- else \
- banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \
- fi; \
- fi; \
- dashes="$$banner"; \
- skipped=""; \
- if test "$$skip" -ne 0; then \
- skipped="($$skip tests were not run)"; \
- test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
- dashes="$$skipped"; \
- fi; \
- report=""; \
- if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
- report="Please report to $(PACKAGE_BUGREPORT)"; \
- test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
- dashes="$$report"; \
- fi; \
- dashes=`echo "$$dashes" | sed s/./=/g`; \
- echo "$$dashes"; \
- echo "$$banner"; \
- test -z "$$skipped" || echo "$$skipped"; \
- test -z "$$report" || echo "$$report"; \
- echo "$$dashes"; \
- test "$$failed" -eq 0; \
- else :; fi
-
-distdir: $(DISTFILES)
- @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
- topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
- list='$(DISTFILES)'; \
- dist_files=`for file in $$list; do echo $$file; done | \
- sed -e "s|^$$srcdirstrip/||;t" \
- -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
- case $$dist_files in \
- */*) $(MKDIR_P) `echo "$$dist_files" | \
- sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
- sort -u` ;; \
- esac; \
- for file in $$dist_files; do \
- if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
- if test -d $$d/$$file; then \
- dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
- if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
- cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
- fi; \
- cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
- else \
- test -f $(distdir)/$$file \
- || cp -p $$d/$$file $(distdir)/$$file \
- || exit 1; \
- fi; \
- done
-check-am: all-am
- $(MAKE) $(AM_MAKEFLAGS) check-TESTS
-check: $(BUILT_SOURCES)
- $(MAKE) $(AM_MAKEFLAGS) check-am
-all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(HEADERS)
-installdirs:
- for dir in "$(DESTDIR)$(libdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(include_racoondir)"; do \
- test -z "$$dir" || $(MKDIR_P) "$$dir"; \
- done
-install: $(BUILT_SOURCES)
- $(MAKE) $(AM_MAKEFLAGS) install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
- @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- `test -z '$(STRIP)' || \
- echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
- -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-
-maintainer-clean-generic:
- @echo "This command is intended for maintainers to use"
- @echo "it deletes files that may require special tools to rebuild."
- -rm -f cfparse.c
- -rm -f cfparse.h
- -rm -f cftoken.c
- -rm -f prsa_par.c
- -rm -f prsa_par.h
- -rm -f prsa_tok.c
- -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
-clean: clean-am
-
-clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \
- clean-noinstPROGRAMS clean-sbinPROGRAMS mostlyclean-am
-
-distclean: distclean-am
- -rm -rf ./$(DEPDIR)
- -rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
- distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-info: info-am
-
-info-am:
-
-install-data-am: install-include_racoonHEADERS install-man
-
-install-dvi: install-dvi-am
-
-install-exec-am: install-exec-local install-libLTLIBRARIES \
- install-sbinPROGRAMS
-
-install-html: install-html-am
-
-install-info: install-info-am
-
-install-man: install-man5 install-man8
-
-install-pdf: install-pdf-am
-
-install-ps: install-ps-am
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
- -rm -rf ./$(DEPDIR)
- -rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
- mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-include_racoonHEADERS uninstall-libLTLIBRARIES \
- uninstall-man uninstall-sbinPROGRAMS
-
-uninstall-man: uninstall-man5 uninstall-man8
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \
- clean-generic clean-libLTLIBRARIES clean-libtool \
- clean-noinstPROGRAMS clean-sbinPROGRAMS ctags distclean \
- distclean-compile distclean-generic distclean-libtool \
- distclean-tags distdir dvi dvi-am html html-am info info-am \
- install install-am install-data install-data-am install-dvi \
- install-dvi-am install-exec install-exec-am install-exec-local \
- install-html install-html-am install-include_racoonHEADERS \
- install-info install-info-am install-libLTLIBRARIES \
- install-man install-man5 install-man8 install-pdf \
- install-pdf-am install-ps install-ps-am install-sbinPROGRAMS \
- install-strip installcheck installcheck-am installdirs \
- maintainer-clean maintainer-clean-generic mostlyclean \
- mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
- pdf pdf-am ps ps-am tags uninstall uninstall-am \
- uninstall-include_racoonHEADERS uninstall-libLTLIBRARIES \
- uninstall-man uninstall-man5 uninstall-man8 \
- uninstall-sbinPROGRAMS
-
-
-install-exec-local:
- ${mkinstalldirs} $(DESTDIR)${adminsockdir}
-
-# special object rules
-crypto_openssl_test.o: crypto_openssl.c
- $(COMPILE) -DEAYDEBUG -o crypto_openssl_test.o -c $(srcdir)/crypto_openssl.c
-
-misc_noplog.o: misc.c
- $(COMPILE) -DNOUSE_PLOG -o misc_noplog.o -c $(srcdir)/misc.c
-
-# missing/*.c
-strdup.o: $(srcdir)/missing/strdup.c
- $(COMPILE) -c $(srcdir)/missing/$*.c
-getaddrinfo.o: $(srcdir)/missing/getaddrinfo.c
- $(COMPILE) -c $(srcdir)/missing/$*.c
-getnameinfo.o: $(srcdir)/missing/getnameinfo.c
- $(COMPILE) -c $(srcdir)/missing/$*.c
-rijndael-api-fst.o: $(srcdir)/missing/crypto/rijndael/rijndael-api-fst.c
- $(COMPILE) -c $(srcdir)/missing/crypto/rijndael/$*.c
-rijndael-alg-fst.o: $(srcdir)/missing/crypto/rijndael/rijndael-alg-fst.c
- $(COMPILE) -c $(srcdir)/missing/crypto/rijndael/$*.c
-sha2.o: $(srcdir)/missing/crypto/sha2/sha2.c
- $(COMPILE) -c $(srcdir)/missing/crypto/sha2/$*.c
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/racoon/NOTICE b/src/racoon/NOTICE
deleted file mode 100644
index b07098f..0000000
--- a/src/racoon/NOTICE
+++ /dev/null
@@ -1,325 +0,0 @@
-Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-3. Neither the name of the project nor the names of its contributors
- may be used to endorse or promote products derived from this software
- without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGE.
-
-
-
-Copyright (C) 2004 Emmanuel Dreyfus
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-3. Neither the name of the project nor the names of its contributors
- may be used to endorse or promote products derived from this software
- without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGE.
-
-
-
-Copyright (C) 2004-2006 Emmanuel Dreyfus
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-3. Neither the name of the project nor the names of its contributors
- may be used to endorse or promote products derived from this software
- without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGE.
-
-
-
-Copyright (C) 2000 WIDE Project.
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-3. Neither the name of the project nor the names of its contributors
- may be used to endorse or promote products derived from this software
- without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGE.
-
-
-Copyright (C) 2004-2005 Emmanuel Dreyfus
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-3. Neither the name of the project nor the names of its contributors
- may be used to endorse or promote products derived from this software
- without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGE.
-
-
-
-Copyright (C) 2000, 2001 WIDE Project.
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-3. Neither the name of the project nor the names of its contributors
- may be used to endorse or promote products derived from this software
- without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGE.
-
-
-
-Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
-Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-3. Neither the name of the project nor the names of its contributors
- may be used to endorse or promote products derived from this software
- without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGE.
-
-
-
-Copyright (C) 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 and 2003 WIDE Project.
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-3. Neither the name of the project nor the names of its contributors
- may be used to endorse or promote products derived from this software
- without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGE.
-
-
-
-Copyright 2000 Wasabi Systems, Inc.
-All rights reserved.
-
-This software was written by Frank van der Linden of Wasabi Systems
-for Zembu Labs, Inc. http://www.zembu.com/
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-3. The name of Wasabi Systems, Inc. may not be used to endorse
- or promote products derived from this software without specific prior
- written permission.
-
-THIS SOFTWARE IS PROVIDED BY WASABI SYSTEMS, INC. ``AS IS'' AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
-TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL WASABI SYSTEMS, INC
-BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
-
-
-
-Copyright (C) 2005 International Business Machines Corporation
-Copyright (c) 2005 by Trusted Computer Solutions, Inc.
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-3. Neither the name of the project nor the names of its contributors
- may be used to endorse or promote products derived from this software
- without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGE.
-
-
-
-sha2.h
-
-Version 1.0.0beta1
-
-Written by Aaron D. Gifford <me@aarongifford.com>
-
-Copyright 2000 Aaron D. Gifford. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-3. Neither the name of the copyright holder nor the names of contributors
- may be used to endorse or promote products derived from this software
- without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGE.
diff --git a/src/racoon/TODO b/src/racoon/TODO
deleted file mode 100644
index 1507167..0000000
--- a/src/racoon/TODO
+++ /dev/null
@@ -1,131 +0,0 @@
-$KAME: TODO,v 1.36 2001/09/19 09:41:39 sakane Exp $
-
-Please send any questions or bug reports to snap-users@kame.net.
-
-TODO list
-
-URGENT
-o The documents for users convenience.
-o split log file based on client. printf-like config directive, i.e.
- "logfile racoon.%s.log", should be useful here.
- -> beware of possible security issue, don't use sprintf() directly!
- make validation before giving a string to sprintf().
-o save decrypted IKE packet in tcpdump format
-o IPComp SA with wellknown CPI in CPI field. how to handle it?
-o better rekey
-
-MUST
-o multiple certificate payload handling.
-o To consider the use with certificate infrastructure. PXIX ???
-o kmstat should be improved.
-o Informational Exchange processing properly.
-o require less configuration. phase 2 is easier (as kernel presents racoon
- some hints), phase 1 is harder. for example,
- - grab phase 2 lifetime and algorith configuration from sadb_comb payloads in
- ACQUIRE message.
- - give reasonable default behavior when no configuration file is present.
- - difficult items:
- how to guess a reasonable phase 1 SA lifetime
- (hardcoded default? guess from phase 2 lifetime?)
- guess what kind of ID payload to use
- guess what kind of authentication to be used
- guess phase 1 DH group (for aggressive mode, we cannot negotiate it)
- guess if we need phase 2 PFS or not (we cannot negotiate it. so
- we may need to pick from "no PFS" or "same as phase 1 DH group")
- guess how we should negotiate lifetime
- (is "strict" a reasonable default?)
- guess which mode to use for phase 1 negotiation (is main mode useful?
- is base mode popular enough?)
-o more acceptable check.
-
-SHOULD
-o psk.txt should be a database? (psk.db?) psk_mkdb?
-o Dynamically retry to exchange and resend the packet per nodes.
-o To make the list of supported algorithm by sadb_supported payload
- in the SADB_REGISTER message which happens asynchronously.
-o fix the structure of ph2handle.
- We can handle the below case.
-
- node A node B
- +--------------SA1----------------+
- +--------------SA2----------------+
-
- at node A:
- kernel
- acquire(A-B) ------> ph2handle(A=B) -----> ph1handle
- |
- policy
- A=B
- A=B
-
- But we can not handle the below case because there is no x?handle.
-
- node A node B node C
- +--------------SA1----------------+
- +------------------------------------------------SA2---------------+
-
- at node A:
- kernel
- acquire(A-C) ---+---> x?handle ---+---> ph2handle(A=B) -------> ph1handle
- | | |
- acquire(A-B) ---+ policy +---> ph2handle(A=C) -------> ph1handle
- A=B
- A=C
-
-o consistency of function name.
-o deep copy configuration entry to hander. It's easy to reload configuration.
-o don't keep to hold keymat values, do it ?
-o local address's field in isakmpsa handler must be kicked out to rmconf.
-o responder policy and initiator policy should be separated.
-o for lifetime and key length, something like this should be useful.
- - propose N
- - accept between X and Y
-o wildcard "accept any proposal" policy should be allowed.
-o replay prevention
- - limited total number of session
- - limited session per peer
- - number of proposal
-o full support for variable length SPI. quickhack support for IPComp is done.
-
-MAY
-o Effective code.
-o interaction between IKE/IPsec and socket layer.
- at this moment, IKE/IPsec failure is modeled as total packet loss to other
- part of network subsystem, including socket layer. this presents the
- following behaviors:
- - annoyingly long timeouts on tcp connection attempt, and IKE failure;
- need to wait till tcp socket timeouts.
- - blackhole if there's mismatching SAs.
- we may be able to give socket layer some feedback from IKE/IPsec layer.
- still not sure if those make sense or not.
- for example:
- - send PRU_HOSTDEAD to sockets if IKE negotiation failed
- (sys/netkey/key.c:key_acquire2)
- to do this, we need to remember which ACQUIRE was caused by which socket,
- possibly into larval SAs.
- - PRU_QUENCH on "no SA found on output"
- - kick tcp retransmission timer on first SA establishment
-o IKE daemon should handle situations where peer does not run IKE daemon
- (UDP port unreach for port 500) better.
- should use connected UDP sockets for sending IKE datagrams.
-o rate-limit log messages from kernel IPsec errors, like "no SA found".
-
-TO BE TESTED.
-o IKE retransmit behavior
- see, draft-*-ipsec-rekeying*.txt
-o Reboot recovery (peer reboot losing it's security associations)
- see, draft-*-ipsec-rekeying*.txt
-o Scenarios
- - End-to-End transport long lived security associations
- (over night, data transfer >1Gb) with frequent dynamic rekey
- - End-to-GW tunnel long lived security associations
- (over night, data transfer >1Gb) with frequent dynamic rekey
- - Policy change events while under SA load
- - End-to-End SA through IPsec tunnels, initiation both ways
- - Client End-to-End through client-to-GW tunnel SA, initiate from
- client for tunnel, then initiation both ways for end-to-end
- - Client-to-GW transport SA for secure management
-o behavior to receive multiple auth method proposals and AND proposal
-
-and to be written many many.
-
diff --git a/src/racoon/admin.c b/src/racoon/admin.c
deleted file mode 100644
index b56dd2c..0000000
--- a/src/racoon/admin.c
+++ /dev/null
@@ -1,628 +0,0 @@
-/* $NetBSD: admin.c,v 1.17.6.3 2009/04/20 13:32:57 tteras Exp $ */
-
-/* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/signal.h>
-#include <sys/stat.h>
-#include <sys/un.h>
-
-#include <net/pfkeyv2.h>
-
-#include <netinet/in.h>
-#include PATH_IPSEC_H
-
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#include <netdb.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-#ifdef ENABLE_HYBRID
-#include <resolv.h>
-#endif
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "sockmisc.h"
-#include "debug.h"
-
-#include "schedule.h"
-#include "localconf.h"
-#include "remoteconf.h"
-#include "grabmyaddr.h"
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "oakley.h"
-#include "handler.h"
-#include "evt.h"
-#include "pfkey.h"
-#include "ipsec_doi.h"
-#include "admin.h"
-#include "admin_var.h"
-#include "isakmp_inf.h"
-#ifdef ENABLE_HYBRID
-#include "isakmp_cfg.h"
-#endif
-#include "session.h"
-#include "gcmalloc.h"
-
-#ifdef ENABLE_ADMINPORT
-char *adminsock_path = ADMINSOCK_PATH;
-uid_t adminsock_owner = 0;
-gid_t adminsock_group = 0;
-mode_t adminsock_mode = 0600;
-
-static struct sockaddr_un sunaddr;
-static int admin_process __P((int, char *));
-static int admin_reply __P((int, struct admin_com *, vchar_t *));
-
-int
-admin_handler()
-{
- int so2;
- struct sockaddr_storage from;
- socklen_t fromlen = sizeof(from);
- struct admin_com com;
- char *combuf = NULL;
- int len, error = -1;
-
- so2 = accept(lcconf->sock_admin, (struct sockaddr *)&from, &fromlen);
- if (so2 < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to accept admin command: %s\n",
- strerror(errno));
- return -1;
- }
-
- /* get buffer length */
- while ((len = recv(so2, (char *)&com, sizeof(com), MSG_PEEK)) < 0) {
- if (errno == EINTR)
- continue;
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to recv admin command: %s\n",
- strerror(errno));
- goto end;
- }
-
- /* sanity check */
- if (len < sizeof(com)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid header length of admin command\n");
- goto end;
- }
-
- /* get buffer to receive */
- if ((combuf = racoon_malloc(com.ac_len)) == 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to alloc buffer for admin command\n");
- goto end;
- }
-
- /* get real data */
- while ((len = recv(so2, combuf, com.ac_len, 0)) < 0) {
- if (errno == EINTR)
- continue;
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to recv admin command: %s\n",
- strerror(errno));
- goto end;
- }
-
- if (com.ac_cmd == ADMIN_RELOAD_CONF) {
- /* reload does not work at all! */
- signal_handler(SIGHUP);
- goto end;
- }
-
- error = admin_process(so2, combuf);
-
- end:
- (void)close(so2);
- if (combuf)
- racoon_free(combuf);
-
- return error;
-}
-
-/*
- * main child's process.
- */
-static int
-admin_process(so2, combuf)
- int so2;
- char *combuf;
-{
- struct admin_com *com = (struct admin_com *)combuf;
- vchar_t *buf = NULL;
- vchar_t *id = NULL;
- vchar_t *key = NULL;
- int idtype = 0;
- int error = -1;
-
- com->ac_errno = 0;
-
- switch (com->ac_cmd) {
- case ADMIN_RELOAD_CONF:
- /* don't entered because of proccessing it in other place. */
- plog(LLV_ERROR, LOCATION, NULL, "should never reach here\n");
- goto out;
-
- case ADMIN_SHOW_SCHED:
- {
- caddr_t p = NULL;
- int len;
-
- com->ac_errno = -1;
-
- if (sched_dump(&p, &len) == -1)
- goto out2;
-
- if ((buf = vmalloc(len)) == NULL)
- goto out2;
-
- memcpy(buf->v, p, len);
-
- com->ac_errno = 0;
-out2:
- racoon_free(p);
- break;
- }
-
- case ADMIN_SHOW_EVT:
- /* It's not really an error, don't force racoonctl to quit */
- if ((buf = evt_dump()) == NULL)
- com->ac_errno = 0;
- break;
-
- case ADMIN_SHOW_SA:
- case ADMIN_FLUSH_SA:
- {
- switch (com->ac_proto) {
- case ADMIN_PROTO_ISAKMP:
- switch (com->ac_cmd) {
- case ADMIN_SHOW_SA:
- buf = dumpph1();
- if (buf == NULL)
- com->ac_errno = -1;
- break;
- case ADMIN_FLUSH_SA:
- flushph1();
- break;
- }
- break;
- case ADMIN_PROTO_IPSEC:
- case ADMIN_PROTO_AH:
- case ADMIN_PROTO_ESP:
- switch (com->ac_cmd) {
- case ADMIN_SHOW_SA:
- {
- u_int p;
- p = admin2pfkey_proto(com->ac_proto);
- if (p == -1)
- goto out;
- buf = pfkey_dump_sadb(p);
- if (buf == NULL)
- com->ac_errno = -1;
- }
- break;
- case ADMIN_FLUSH_SA:
- pfkey_flush_sadb(com->ac_proto);
- break;
- }
- break;
-
- case ADMIN_PROTO_INTERNAL:
- switch (com->ac_cmd) {
- case ADMIN_SHOW_SA:
- buf = NULL; /*XXX dumpph2(&error);*/
- if (buf == NULL)
- com->ac_errno = error;
- break;
- case ADMIN_FLUSH_SA:
- /*XXX flushph2();*/
- com->ac_errno = 0;
- break;
- }
- break;
-
- default:
- /* ignore */
- com->ac_errno = -1;
- }
- }
- break;
-
- case ADMIN_DELETE_SA: {
- struct ph1handle *iph1;
- struct sockaddr *dst;
- struct sockaddr *src;
- char *loc, *rem;
-
- src = (struct sockaddr *)
- &((struct admin_com_indexes *)
- ((caddr_t)com + sizeof(*com)))->src;
- dst = (struct sockaddr *)
- &((struct admin_com_indexes *)
- ((caddr_t)com + sizeof(*com)))->dst;
-
- loc = racoon_strdup(saddrwop2str(src));
- rem = racoon_strdup(saddrwop2str(dst));
- STRDUP_FATAL(loc);
- STRDUP_FATAL(rem);
-
- if ((iph1 = getph1byaddrwop(src, dst)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "phase 1 for %s -> %s not found\n", loc, rem);
- } else {
- if (iph1->status == PHASE1ST_ESTABLISHED)
- isakmp_info_send_d1(iph1);
- purge_remote(iph1);
- }
-
- racoon_free(loc);
- racoon_free(rem);
-
- break;
- }
-
-#ifdef ENABLE_HYBRID
- case ADMIN_LOGOUT_USER: {
- struct ph1handle *iph1;
- char user[LOGINLEN+1];
- int found = 0, len = com->ac_len - sizeof(com);
-
- if (len > LOGINLEN) {
- plog(LLV_ERROR, LOCATION, NULL,
- "malformed message (login too long)\n");
- break;
- }
-
- memcpy(user, (char *)(com + 1), len);
- user[len] = 0;
-
- found = purgeph1bylogin(user);
- plog(LLV_INFO, LOCATION, NULL,
- "deleted %d SA for user \"%s\"\n", found, user);
-
- break;
- }
-#endif
-
- case ADMIN_DELETE_ALL_SA_DST: {
- struct ph1handle *iph1;
- struct sockaddr *dst;
- char *loc, *rem;
-
- dst = (struct sockaddr *)
- &((struct admin_com_indexes *)
- ((caddr_t)com + sizeof(*com)))->dst;
-
- rem = racoon_strdup(saddrwop2str(dst));
- STRDUP_FATAL(rem);
-
- plog(LLV_INFO, LOCATION, NULL,
- "Flushing all SAs for peer %s\n", rem);
-
- while ((iph1 = getph1bydstaddrwop(dst)) != NULL) {
- loc = racoon_strdup(saddrwop2str(iph1->local));
- STRDUP_FATAL(loc);
-
- if (iph1->status == PHASE1ST_ESTABLISHED)
- isakmp_info_send_d1(iph1);
- purge_remote(iph1);
-
- racoon_free(loc);
- }
-
- racoon_free(rem);
-
- break;
- }
-
- case ADMIN_ESTABLISH_SA_PSK: {
- struct admin_com_psk *acp;
- char *data;
-
- com->ac_cmd = ADMIN_ESTABLISH_SA;
-
- acp = (struct admin_com_psk *)
- ((char *)com + sizeof(*com) +
- sizeof(struct admin_com_indexes));
-
- idtype = acp->id_type;
-
- if ((id = vmalloc(acp->id_len)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "cannot allocate memory: %s\n",
- strerror(errno));
- break;
- }
- data = (char *)(acp + 1);
- memcpy(id->v, data, id->l);
-
- if ((key = vmalloc(acp->key_len)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "cannot allocate memory: %s\n",
- strerror(errno));
- vfree(id);
- id = NULL;
- break;
- }
- data = (char *)(data + acp->id_len);
- memcpy(key->v, data, key->l);
- }
- /* FALLTHROUGH */
- case ADMIN_ESTABLISH_SA:
- {
- struct sockaddr *dst;
- struct sockaddr *src;
- src = (struct sockaddr *)
- &((struct admin_com_indexes *)
- ((caddr_t)com + sizeof(*com)))->src;
- dst = (struct sockaddr *)
- &((struct admin_com_indexes *)
- ((caddr_t)com + sizeof(*com)))->dst;
-
- switch (com->ac_proto) {
- case ADMIN_PROTO_ISAKMP: {
- struct remoteconf *rmconf;
- struct sockaddr *remote = NULL;
- struct sockaddr *local = NULL;
- u_int16_t port;
-
- com->ac_errno = -1;
-
- /* search appropreate configuration */
- rmconf = getrmconf(dst);
- if (rmconf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "no configuration found "
- "for %s\n", saddrwop2str(dst));
- goto out1;
- }
-
- /* get remote IP address and port number. */
- if ((remote = dupsaddr(dst)) == NULL)
- goto out1;
-
- port = extract_port(rmconf->remote);
- if (set_port(remote, port) == NULL)
- goto out1;
-
- /* get local address */
- if ((local = dupsaddr(src)) == NULL)
- goto out1;
-
- port = getmyaddrsport(local);
- if (set_port(local, port) == NULL)
- goto out1;
-
-#ifdef ENABLE_HYBRID
- /* Set the id and key */
- if (id && key) {
- if (xauth_rmconf_used(&rmconf->xauth) == -1)
- goto out1;
-
- if (rmconf->xauth->login != NULL) {
- vfree(rmconf->xauth->login);
- rmconf->xauth->login = NULL;
- }
- if (rmconf->xauth->pass != NULL) {
- vfree(rmconf->xauth->pass);
- rmconf->xauth->pass = NULL;
- }
-
- rmconf->xauth->login = id;
- rmconf->xauth->pass = key;
- }
-#endif
-
- plog(LLV_INFO, LOCATION, NULL,
- "accept a request to establish IKE-SA: "
- "%s\n", saddrwop2str(remote));
-
- /* begin ident mode */
- if (isakmp_ph1begin_i(rmconf, remote, local) < 0)
- goto out1;
-
- com->ac_errno = 0;
-out1:
- if (local != NULL)
- racoon_free(local);
- if (remote != NULL)
- racoon_free(remote);
- break;
- }
- case ADMIN_PROTO_AH:
- case ADMIN_PROTO_ESP:
- break;
- default:
- /* ignore */
- com->ac_errno = -1;
- }
- }
- break;
-
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid command: %d\n", com->ac_cmd);
- com->ac_errno = -1;
- }
-
- if ((error = admin_reply(so2, com, buf)) != 0)
- goto out;
-
- error = 0;
-out:
- if (buf != NULL)
- vfree(buf);
-
- return error;
-}
-
-static int
-admin_reply(so, combuf, buf)
- int so;
- struct admin_com *combuf;
- vchar_t *buf;
-{
- int tlen;
- char *retbuf = NULL;
-
- if (buf != NULL)
- tlen = sizeof(*combuf) + buf->l;
- else
- tlen = sizeof(*combuf);
-
- retbuf = racoon_calloc(1, tlen);
- if (retbuf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate admin buffer\n");
- return -1;
- }
-
- memcpy(retbuf, combuf, sizeof(*combuf));
- ((struct admin_com *)retbuf)->ac_len = tlen;
-
- if (buf != NULL)
- memcpy(retbuf + sizeof(*combuf), buf->v, buf->l);
-
- tlen = send(so, retbuf, tlen, 0);
- racoon_free(retbuf);
- if (tlen < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to send admin command: %s\n",
- strerror(errno));
- return -1;
- }
-
- return 0;
-}
-
-/* ADMIN_PROTO -> SADB_SATYPE */
-int
-admin2pfkey_proto(proto)
- u_int proto;
-{
- switch (proto) {
- case ADMIN_PROTO_IPSEC:
- return SADB_SATYPE_UNSPEC;
- case ADMIN_PROTO_AH:
- return SADB_SATYPE_AH;
- case ADMIN_PROTO_ESP:
- return SADB_SATYPE_ESP;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "unsupported proto for admin: %d\n", proto);
- return -1;
- }
- /*NOTREACHED*/
-}
-
-int
-admin_init()
-{
- if (adminsock_path == NULL) {
- lcconf->sock_admin = -1;
- return 0;
- }
-
- memset(&sunaddr, 0, sizeof(sunaddr));
- sunaddr.sun_family = AF_UNIX;
- snprintf(sunaddr.sun_path, sizeof(sunaddr.sun_path),
- "%s", adminsock_path);
-
- lcconf->sock_admin = socket(AF_UNIX, SOCK_STREAM, 0);
- if (lcconf->sock_admin == -1) {
- plog(LLV_ERROR, LOCATION, NULL,
- "socket: %s\n", strerror(errno));
- return -1;
- }
-
- unlink(sunaddr.sun_path);
- if (bind(lcconf->sock_admin, (struct sockaddr *)&sunaddr,
- sizeof(sunaddr)) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "bind(sockname:%s): %s\n",
- sunaddr.sun_path, strerror(errno));
- (void)close(lcconf->sock_admin);
- return -1;
- }
-
- if (chown(sunaddr.sun_path, adminsock_owner, adminsock_group) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "chown(%s, %d, %d): %s\n",
- sunaddr.sun_path, adminsock_owner,
- adminsock_group, strerror(errno));
- (void)close(lcconf->sock_admin);
- return -1;
- }
-
- if (chmod(sunaddr.sun_path, adminsock_mode) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "chmod(%s, 0%03o): %s\n",
- sunaddr.sun_path, adminsock_mode, strerror(errno));
- (void)close(lcconf->sock_admin);
- return -1;
- }
-
- if (listen(lcconf->sock_admin, 5) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "listen(sockname:%s): %s\n",
- sunaddr.sun_path, strerror(errno));
- (void)close(lcconf->sock_admin);
- return -1;
- }
- plog(LLV_DEBUG, LOCATION, NULL,
- "open %s as racoon management.\n", sunaddr.sun_path);
-
- return 0;
-}
-
-int
-admin_close()
-{
- close(lcconf->sock_admin);
- return 0;
-}
-#endif
-
diff --git a/src/racoon/admin.h b/src/racoon/admin.h
deleted file mode 100644
index cbc19e8..0000000
--- a/src/racoon/admin.h
+++ /dev/null
@@ -1,114 +0,0 @@
-/* $NetBSD: admin.h,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* Id: admin.h,v 1.11 2005/06/19 22:37:47 manubsd Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _ADMIN_H
-#define _ADMIN_H
-
-#define ADMINSOCK_PATH ADMINPORTDIR "/racoon.sock"
-
-extern char *adminsock_path;
-extern uid_t adminsock_owner;
-extern gid_t adminsock_group;
-extern mode_t adminsock_mode;
-
-/* command for administration. */
-/* NOTE: host byte order. */
-struct admin_com {
- u_int16_t ac_len; /* total packet length including data */
- u_int16_t ac_cmd;
- int16_t ac_errno;
- u_int16_t ac_proto;
-};
-
-/*
- * No data follows as the data.
- * These don't use proto field.
- */
-#define ADMIN_RELOAD_CONF 0x0001
-#define ADMIN_SHOW_SCHED 0x0002
-#define ADMIN_SHOW_EVT 0x0003
-
-/*
- * No data follows as the data.
- * These use proto field.
- */
-#define ADMIN_SHOW_SA 0x0101
-#define ADMIN_FLUSH_SA 0x0102
-
-/*
- * The admin_com_indexes follows, see below.
- */
-#define ADMIN_DELETE_SA 0x0201
-#define ADMIN_ESTABLISH_SA 0x0202
-#define ADMIN_DELETE_ALL_SA_DST 0x0204 /* All SA for a given peer */
-
-/*
- * The admin_com_indexes and admin_com_psk follow, see below.
- */
-#define ADMIN_ESTABLISH_SA_PSK 0x0203
-
-/*
- * user login follows
- */
-#define ADMIN_LOGOUT_USER 0x0205 /* Delete SA for a given Xauth user */
-
-/*
- * Range 0x08xx is reserved for privilege separation, see privsep.h
- */
-
-/* the value of proto */
-#define ADMIN_PROTO_ISAKMP 0x01ff
-#define ADMIN_PROTO_IPSEC 0x02ff
-#define ADMIN_PROTO_AH 0x0201
-#define ADMIN_PROTO_ESP 0x0202
-#define ADMIN_PROTO_INTERNAL 0x0301
-
-struct admin_com_indexes {
- u_int8_t prefs;
- u_int8_t prefd;
- u_int8_t ul_proto;
- u_int8_t reserved;
- struct sockaddr_storage src;
- struct sockaddr_storage dst;
-};
-
-struct admin_com_psk {
- int id_type;
- size_t id_len;
- size_t key_len;
- /* Followed by id and key */
-};
-
-extern int admin2pfkey_proto __P((u_int));
-
-#endif /* _ADMIN_H */
diff --git a/src/racoon/admin_var.h b/src/racoon/admin_var.h
deleted file mode 100644
index 6d7ba81..0000000
--- a/src/racoon/admin_var.h
+++ /dev/null
@@ -1,41 +0,0 @@
-/* $NetBSD: admin_var.h,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* Id: admin_var.h,v 1.7 2004/12/30 00:08:30 manubsd Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _ADMIN_VAR_H
-#define _ADMIN_VAR_H
-
-extern int admin_handler __P((void));
-extern int admin_init __P((void));
-extern int admin_close __P((void));
-
-#endif /* _ADMIN_VAR_H */
diff --git a/src/racoon/algorithm.c b/src/racoon/algorithm.c
deleted file mode 100644
index 3fd50f6..0000000
--- a/src/racoon/algorithm.c
+++ /dev/null
@@ -1,957 +0,0 @@
-/* $NetBSD: algorithm.c,v 1.8 2006/10/06 12:02:27 manu Exp $ */
-
-/* Id: algorithm.c,v 1.15 2006/05/23 20:23:09 manubsd Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/param.h>
-#include <sys/types.h>
-#include <stdlib.h>
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "debug.h"
-
-#include "crypto_openssl.h"
-#include "dhgroup.h"
-#include "algorithm.h"
-#include "oakley.h"
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "ipsec_doi.h"
-#include "gcmalloc.h"
-
-static struct hash_algorithm oakley_hashdef[] = {
-{ "md5", algtype_md5, OAKLEY_ATTR_HASH_ALG_MD5,
- eay_md5_init, eay_md5_update,
- eay_md5_final, eay_md5_hashlen,
- eay_md5_one, },
-{ "sha1", algtype_sha1, OAKLEY_ATTR_HASH_ALG_SHA,
- eay_sha1_init, eay_sha1_update,
- eay_sha1_final, eay_sha1_hashlen,
- eay_sha1_one, },
-#ifdef WITH_SHA2
-{ "sha2_256", algtype_sha2_256, OAKLEY_ATTR_HASH_ALG_SHA2_256,
- eay_sha2_256_init, eay_sha2_256_update,
- eay_sha2_256_final, eay_sha2_256_hashlen,
- eay_sha2_256_one, },
-{ "sha2_384", algtype_sha2_384, OAKLEY_ATTR_HASH_ALG_SHA2_384,
- eay_sha2_384_init, eay_sha2_384_update,
- eay_sha2_384_final, eay_sha2_384_hashlen,
- eay_sha2_384_one, },
-{ "sha2_512", algtype_sha2_512, OAKLEY_ATTR_HASH_ALG_SHA2_512,
- eay_sha2_512_init, eay_sha2_512_update,
- eay_sha2_512_final, eay_sha2_512_hashlen,
- eay_sha2_512_one, },
-#endif
-};
-
-static struct hmac_algorithm oakley_hmacdef[] = {
-{ "hmac_md5", algtype_md5, OAKLEY_ATTR_HASH_ALG_MD5,
- eay_hmacmd5_init, eay_hmacmd5_update,
- eay_hmacmd5_final, NULL,
- eay_hmacmd5_one, },
-{ "hmac_sha1", algtype_sha1, OAKLEY_ATTR_HASH_ALG_SHA,
- eay_hmacsha1_init, eay_hmacsha1_update,
- eay_hmacsha1_final, NULL,
- eay_hmacsha1_one, },
-#ifdef WITH_SHA2
-{ "hmac_sha2_256", algtype_sha2_256, OAKLEY_ATTR_HASH_ALG_SHA2_256,
- eay_hmacsha2_256_init, eay_hmacsha2_256_update,
- eay_hmacsha2_256_final, NULL,
- eay_hmacsha2_256_one, },
-{ "hmac_sha2_384", algtype_sha2_384, OAKLEY_ATTR_HASH_ALG_SHA2_384,
- eay_hmacsha2_384_init, eay_hmacsha2_384_update,
- eay_hmacsha2_384_final, NULL,
- eay_hmacsha2_384_one, },
-{ "hmac_sha2_512", algtype_sha2_512, OAKLEY_ATTR_HASH_ALG_SHA2_512,
- eay_hmacsha2_512_init, eay_hmacsha2_512_update,
- eay_hmacsha2_512_final, NULL,
- eay_hmacsha2_512_one, },
-#endif
-};
-
-static struct enc_algorithm oakley_encdef[] = {
-{ "des", algtype_des, OAKLEY_ATTR_ENC_ALG_DES, 8,
- eay_des_encrypt, eay_des_decrypt,
- eay_des_weakkey, eay_des_keylen, },
-#ifdef HAVE_OPENSSL_IDEA_H
-{ "idea", algtype_idea, OAKLEY_ATTR_ENC_ALG_IDEA, 8,
- eay_idea_encrypt, eay_idea_decrypt,
- eay_idea_weakkey, eay_idea_keylen, },
-#endif
-{ "blowfish", algtype_blowfish, OAKLEY_ATTR_ENC_ALG_BLOWFISH, 8,
- eay_bf_encrypt, eay_bf_decrypt,
- eay_bf_weakkey, eay_bf_keylen, },
-#ifdef HAVE_OPENSSL_RC5_H
-{ "rc5", algtype_rc5, OAKLEY_ATTR_ENC_ALG_RC5, 8,
- eay_rc5_encrypt, eay_rc5_decrypt,
- eay_rc5_weakkey, eay_rc5_keylen, },
-#endif
-{ "3des", algtype_3des, OAKLEY_ATTR_ENC_ALG_3DES, 8,
- eay_3des_encrypt, eay_3des_decrypt,
- eay_3des_weakkey, eay_3des_keylen, },
-{ "cast", algtype_cast128, OAKLEY_ATTR_ENC_ALG_CAST, 8,
- eay_cast_encrypt, eay_cast_decrypt,
- eay_cast_weakkey, eay_cast_keylen, },
-{ "aes", algtype_aes, OAKLEY_ATTR_ENC_ALG_AES, 16,
- eay_aes_encrypt, eay_aes_decrypt,
- eay_aes_weakkey, eay_aes_keylen, },
-#ifdef HAVE_OPENSSL_CAMELLIA_H
-{ "camellia", algtype_camellia, OAKLEY_ATTR_ENC_ALG_CAMELLIA, 16,
- eay_camellia_encrypt, eay_camellia_decrypt,
- eay_camellia_weakkey, eay_camellia_keylen, },
-#endif
-};
-
-static struct enc_algorithm ipsec_encdef[] = {
-{ "des-iv64", algtype_des_iv64, IPSECDOI_ESP_DES_IV64, 8,
- NULL, NULL,
- NULL, eay_des_keylen, },
-{ "des", algtype_des, IPSECDOI_ESP_DES, 8,
- NULL, NULL,
- NULL, eay_des_keylen, },
-{ "3des", algtype_3des, IPSECDOI_ESP_3DES, 8,
- NULL, NULL,
- NULL, eay_3des_keylen, },
-#ifdef HAVE_OPENSSL_RC5_H
-{ "rc5", algtype_rc5, IPSECDOI_ESP_RC5, 8,
- NULL, NULL,
- NULL, eay_rc5_keylen, },
-#endif
-{ "cast", algtype_cast128, IPSECDOI_ESP_CAST, 8,
- NULL, NULL,
- NULL, eay_cast_keylen, },
-{ "blowfish", algtype_blowfish, IPSECDOI_ESP_BLOWFISH, 8,
- NULL, NULL,
- NULL, eay_bf_keylen, },
-{ "des-iv32", algtype_des_iv32, IPSECDOI_ESP_DES_IV32, 8,
- NULL, NULL,
- NULL, eay_des_keylen, },
-{ "null", algtype_null_enc, IPSECDOI_ESP_NULL, 8,
- NULL, NULL,
- NULL, eay_null_keylen, },
-{ "aes", algtype_aes, IPSECDOI_ESP_AES, 16,
- NULL, NULL,
- NULL, eay_aes_keylen, },
-{ "twofish", algtype_twofish, IPSECDOI_ESP_TWOFISH, 16,
- NULL, NULL,
- NULL, eay_twofish_keylen, },
-#ifdef HAVE_OPENSSL_IDEA_H
-{ "3idea", algtype_3idea, IPSECDOI_ESP_3IDEA, 8,
- NULL, NULL,
- NULL, NULL, },
-{ "idea", algtype_idea, IPSECDOI_ESP_IDEA, 8,
- NULL, NULL,
- NULL, NULL, },
-#endif
-{ "rc4", algtype_rc4, IPSECDOI_ESP_RC4, 8,
- NULL, NULL,
- NULL, NULL, },
-#ifdef HAVE_OPENSSL_CAMELLIA_H
-{ "camellia", algtype_camellia, IPSECDOI_ESP_CAMELLIA, 16,
- NULL, NULL,
- NULL, eay_camellia_keylen, },
-#endif
-};
-
-static struct hmac_algorithm ipsec_hmacdef[] = {
-{ "md5", algtype_hmac_md5, IPSECDOI_ATTR_AUTH_HMAC_MD5,
- NULL, NULL,
- NULL, eay_md5_hashlen,
- NULL, },
-{ "sha1", algtype_hmac_sha1, IPSECDOI_ATTR_AUTH_HMAC_SHA1,
- NULL, NULL,
- NULL, eay_sha1_hashlen,
- NULL, },
-{ "kpdk", algtype_kpdk, IPSECDOI_ATTR_AUTH_KPDK,
- NULL, NULL,
- NULL, eay_kpdk_hashlen,
- NULL, },
-{ "null", algtype_non_auth, IPSECDOI_ATTR_AUTH_NONE,
- NULL, NULL,
- NULL, eay_null_hashlen,
- NULL, },
-#ifdef WITH_SHA2
-{ "hmac_sha2_256", algtype_hmac_sha2_256,IPSECDOI_ATTR_AUTH_HMAC_SHA2_256,
- NULL, NULL,
- NULL, eay_sha2_256_hashlen,
- NULL, },
-{ "hmac_sha2_384", algtype_hmac_sha2_384,IPSECDOI_ATTR_AUTH_HMAC_SHA2_384,
- NULL, NULL,
- NULL, eay_sha2_384_hashlen,
- NULL, },
-{ "hmac_sha2_512", algtype_hmac_sha2_512,IPSECDOI_ATTR_AUTH_HMAC_SHA2_512,
- NULL, NULL,
- NULL, eay_sha2_512_hashlen,
- NULL, },
-#endif
-};
-
-static struct misc_algorithm ipsec_compdef[] = {
-{ "oui", algtype_oui, IPSECDOI_IPCOMP_OUI, },
-{ "deflate", algtype_deflate, IPSECDOI_IPCOMP_DEFLATE, },
-{ "lzs", algtype_lzs, IPSECDOI_IPCOMP_LZS, },
-};
-
-/*
- * In case of asymetric modes (hybrid xauth), what's racoon mode of
- * operations ; it seems that the proposal should always use the
- * initiator half (unless a server initiates a connection, which is
- * not handled, and probably not useful).
- */
-static struct misc_algorithm oakley_authdef[] = {
-{ "pre_shared_key", algtype_psk, OAKLEY_ATTR_AUTH_METHOD_PSKEY, },
-{ "dsssig", algtype_dsssig, OAKLEY_ATTR_AUTH_METHOD_DSSSIG, },
-{ "rsasig", algtype_rsasig, OAKLEY_ATTR_AUTH_METHOD_RSASIG, },
-{ "rsaenc", algtype_rsaenc, OAKLEY_ATTR_AUTH_METHOD_RSAENC, },
-{ "rsarev", algtype_rsarev, OAKLEY_ATTR_AUTH_METHOD_RSAREV, },
-
-{ "gssapi_krb", algtype_gssapikrb,
- OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB, },
-
-#ifdef ENABLE_HYBRID
-{ "hybrid_rsa_server", algtype_hybrid_rsa_s,
- OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R, },
-
-{ "hybrid_dss_server", algtype_hybrid_dss_s,
- OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R, },
-
-{ "xauth_psk_server", algtype_xauth_psk_s,
- OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R, },
-
-{ "xauth_rsa_server", algtype_xauth_rsa_s,
- OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R, },
-
-{ "hybrid_rsa_client", algtype_hybrid_rsa_c,
- OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I, },
-
-{ "hybrid_dss_client", algtype_hybrid_dss_c,
- OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I, },
-
-{ "xauth_psk_client", algtype_xauth_psk_c,
- OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I, },
-
-{ "xauth_rsa_client", algtype_xauth_rsa_c,
- OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I, },
-#endif
-};
-
-static struct dh_algorithm oakley_dhdef[] = {
-{ "modp768", algtype_modp768, OAKLEY_ATTR_GRP_DESC_MODP768,
- &dh_modp768, },
-{ "modp1024", algtype_modp1024, OAKLEY_ATTR_GRP_DESC_MODP1024,
- &dh_modp1024, },
-{ "modp1536", algtype_modp1536, OAKLEY_ATTR_GRP_DESC_MODP1536,
- &dh_modp1536, },
-{ "modp2048", algtype_modp2048, OAKLEY_ATTR_GRP_DESC_MODP2048,
- &dh_modp2048, },
-{ "modp3072", algtype_modp3072, OAKLEY_ATTR_GRP_DESC_MODP3072,
- &dh_modp3072, },
-{ "modp4096", algtype_modp4096, OAKLEY_ATTR_GRP_DESC_MODP4096,
- &dh_modp4096, },
-{ "modp6144", algtype_modp6144, OAKLEY_ATTR_GRP_DESC_MODP6144,
- &dh_modp6144, },
-{ "modp8192", algtype_modp8192, OAKLEY_ATTR_GRP_DESC_MODP8192,
- &dh_modp8192, },
-};
-
-static struct hash_algorithm *alg_oakley_hashdef __P((int));
-static struct hmac_algorithm *alg_oakley_hmacdef __P((int));
-static struct enc_algorithm *alg_oakley_encdef __P((int));
-static struct enc_algorithm *alg_ipsec_encdef __P((int));
-static struct hmac_algorithm *alg_ipsec_hmacdef __P((int));
-static struct dh_algorithm *alg_oakley_dhdef __P((int));
-
-/* oakley hash algorithm */
-static struct hash_algorithm *
-alg_oakley_hashdef(doi)
- int doi;
-{
- int i;
-
- for (i = 0; i < ARRAYLEN(oakley_hashdef); i++)
- if (doi == oakley_hashdef[i].doi) {
- plog(LLV_DEBUG, LOCATION, NULL, "hash(%s)\n",
- oakley_hashdef[i].name);
- return &oakley_hashdef[i];
- }
- return NULL;
-}
-
-int
-alg_oakley_hashdef_ok(doi)
- int doi;
-{
- struct hash_algorithm *f;
-
- f = alg_oakley_hashdef(doi);
- if (f == NULL)
- return 0;
-
- return 1;
-}
-
-int
-alg_oakley_hashdef_doi(type)
- int type;
-{
- int i, res = -1;
-
- for (i = 0; i < ARRAYLEN(oakley_hashdef); i++)
- if (type == oakley_hashdef[i].type) {
- res = oakley_hashdef[i].doi;
- break;
- }
- return res;
-}
-
-int
-alg_oakley_hashdef_hashlen(doi)
- int doi;
-{
- struct hash_algorithm *f;
-
- f = alg_oakley_hashdef(doi);
- if (f == NULL || f->hashlen == NULL)
- return 0;
-
- return (f->hashlen)();
-}
-
-const char *
-alg_oakley_hashdef_name (doi)
- int doi;
-{
- struct hash_algorithm *f;
-
- f = alg_oakley_hashdef(doi);
- if (f == NULL)
- return "*UNKNOWN*";
-
- return f->name;
-}
-
-vchar_t *
-alg_oakley_hashdef_one(doi, buf)
- int doi;
- vchar_t *buf;
-{
- struct hash_algorithm *f;
-
- f = alg_oakley_hashdef(doi);
- if (f == NULL || f->hashlen == NULL)
- return NULL;
-
- return (f->one)(buf);
-}
-
-/* oakley hmac algorithm */
-static struct hmac_algorithm *
-alg_oakley_hmacdef(doi)
- int doi;
-{
- int i;
-
- for (i = 0; i < ARRAYLEN(oakley_hmacdef); i++)
- if (doi == oakley_hmacdef[i].doi) {
- plog(LLV_DEBUG, LOCATION, NULL, "hmac(%s)\n",
- oakley_hmacdef[i].name);
- return &oakley_hmacdef[i];
- }
- return NULL;
-}
-
-int
-alg_oakley_hmacdef_doi(type)
- int type;
-{
- int i, res = -1;
-
- for (i = 0; i < ARRAYLEN(oakley_hmacdef); i++)
- if (type == oakley_hmacdef[i].type) {
- res = oakley_hmacdef[i].doi;
- break;
- }
- return res;
-}
-
-vchar_t *
-alg_oakley_hmacdef_one(doi, key, buf)
- int doi;
- vchar_t *key, *buf;
-{
- struct hmac_algorithm *f;
- vchar_t *res;
-#ifdef ENABLE_STATS
- struct timeval start, end;
-#endif
-
- f = alg_oakley_hmacdef(doi);
- if (f == NULL || f->one == NULL)
- return NULL;
-
-#ifdef ENABLE_STATS
- gettimeofday(&start, NULL);
-#endif
-
- res = (f->one)(key, buf);
-
-#ifdef ENABLE_STATS
- gettimeofday(&end, NULL);
- syslog(LOG_NOTICE, "%s(%s size=%zu): %8.6f", __func__,
- f->name, buf->l, timedelta(&start, &end));
-#endif
-
- return res;
-}
-
-/* oakley encryption algorithm */
-static struct enc_algorithm *
-alg_oakley_encdef(doi)
- int doi;
-{
- int i;
-
- for (i = 0; i < ARRAYLEN(oakley_encdef); i++)
- if (doi == oakley_encdef[i].doi) {
- plog(LLV_DEBUG, LOCATION, NULL, "encryption(%s)\n",
- oakley_encdef[i].name);
- return &oakley_encdef[i];
- }
- return NULL;
-}
-
-int
-alg_oakley_encdef_ok(doi)
- int doi;
-{
- struct enc_algorithm *f;
-
- f = alg_oakley_encdef(doi);
- if (f == NULL)
- return 0;
-
- return 1;
-}
-
-int
-alg_oakley_encdef_doi(type)
- int type;
-{
- int i, res = -1;
-
- for (i = 0; i < ARRAYLEN(oakley_encdef); i++)
- if (type == oakley_encdef[i].type) {
- res = oakley_encdef[i].doi;
- break;
- }
- return res;
-}
-
-int
-alg_oakley_encdef_keylen(doi, len)
- int doi, len;
-{
- struct enc_algorithm *f;
-
- f = alg_oakley_encdef(doi);
- if (f == NULL || f->keylen == NULL)
- return -1;
-
- return (f->keylen)(len);
-}
-
-int
-alg_oakley_encdef_blocklen(doi)
- int doi;
-{
- struct enc_algorithm *f;
-
- f = alg_oakley_encdef(doi);
- if (f == NULL)
- return -1;
-
- return f->blocklen;
-}
-
-const char *
-alg_oakley_encdef_name (doi)
- int doi;
-{
- struct enc_algorithm *f;
-
- f = alg_oakley_encdef(doi);
- if (f == NULL)
- return "*UNKNOWN*";
-
- return f->name;
-}
-
-vchar_t *
-alg_oakley_encdef_decrypt(doi, buf, key, iv)
- int doi;
- vchar_t *buf, *key, *iv;
-{
- vchar_t *res;
- struct enc_algorithm *f;
-#ifdef ENABLE_STATS
- struct timeval start, end;
-#endif
-
- f = alg_oakley_encdef(doi);
- if (f == NULL || f->decrypt == NULL)
- return NULL;
-
-#ifdef ENABLE_STATS
- gettimeofday(&start, NULL);
-#endif
-
- res = (f->decrypt)(buf, key, iv);
-
-#ifdef ENABLE_STATS
- gettimeofday(&end, NULL);
- syslog(LOG_NOTICE, "%s(%s klen=%zu size=%zu): %8.6f", __func__,
- f->name, key->l << 3, buf->l, timedelta(&start, &end));
-#endif
- return res;
-}
-
-vchar_t *
-alg_oakley_encdef_encrypt(doi, buf, key, iv)
- int doi;
- vchar_t *buf, *key, *iv;
-{
- vchar_t *res;
- struct enc_algorithm *f;
-#ifdef ENABLE_STATS
- struct timeval start, end;
-#endif
-
- f = alg_oakley_encdef(doi);
- if (f == NULL || f->encrypt == NULL)
- return NULL;
-
-#ifdef ENABLE_STATS
- gettimeofday(&start, NULL);
-#endif
-
- res = (f->encrypt)(buf, key, iv);
-
-#ifdef ENABLE_STATS
- gettimeofday(&end, NULL);
- syslog(LOG_NOTICE, "%s(%s klen=%zu size=%zu): %8.6f", __func__,
- f->name, key->l << 3, buf->l, timedelta(&start, &end));
-#endif
- return res;
-}
-
-/* ipsec encryption algorithm */
-static struct enc_algorithm *
-alg_ipsec_encdef(doi)
- int doi;
-{
- int i;
-
- for (i = 0; i < ARRAYLEN(ipsec_encdef); i++)
- if (doi == ipsec_encdef[i].doi) {
- plog(LLV_DEBUG, LOCATION, NULL, "encryption(%s)\n",
- ipsec_encdef[i].name);
- return &ipsec_encdef[i];
- }
- return NULL;
-}
-
-int
-alg_ipsec_encdef_doi(type)
- int type;
-{
- int i, res = -1;
-
- for (i = 0; i < ARRAYLEN(ipsec_encdef); i++)
- if (type == ipsec_encdef[i].type) {
- res = ipsec_encdef[i].doi;
- break;
- }
- return res;
-}
-
-int
-alg_ipsec_encdef_keylen(doi, len)
- int doi, len;
-{
- struct enc_algorithm *f;
-
- f = alg_ipsec_encdef(doi);
- if (f == NULL || f->keylen == NULL)
- return -1;
-
- return (f->keylen)(len);
-}
-
-/* ipsec hmac algorithm */
-static struct hmac_algorithm *
-alg_ipsec_hmacdef(doi)
- int doi;
-{
- int i;
-
- for (i = 0; i < ARRAYLEN(ipsec_hmacdef); i++)
- if (doi == ipsec_hmacdef[i].doi) {
- plog(LLV_DEBUG, LOCATION, NULL, "hmac(%s)\n",
- ipsec_hmacdef[i].name);
- return &ipsec_hmacdef[i];
- }
- return NULL;
-}
-
-int
-alg_ipsec_hmacdef_doi(type)
- int type;
-{
- int i, res = -1;
-
- for (i = 0; i < ARRAYLEN(ipsec_hmacdef); i++)
- if (type == ipsec_hmacdef[i].type) {
- res = ipsec_hmacdef[i].doi;
- break;
- }
- return res;
-}
-
-int
-alg_ipsec_hmacdef_hashlen(doi)
- int doi;
-{
- struct hmac_algorithm *f;
-
- f = alg_ipsec_hmacdef(doi);
- if (f == NULL || f->hashlen == NULL)
- return -1;
-
- return (f->hashlen)();
-}
-
-/* ip compression */
-int
-alg_ipsec_compdef_doi(type)
- int type;
-{
- int i, res = -1;
-
- for (i = 0; i < ARRAYLEN(ipsec_compdef); i++)
- if (type == ipsec_compdef[i].type) {
- res = ipsec_compdef[i].doi;
- break;
- }
- return res;
-}
-
-/* dh algorithm */
-static struct dh_algorithm *
-alg_oakley_dhdef(doi)
- int doi;
-{
- int i;
-
- for (i = 0; i < ARRAYLEN(oakley_dhdef); i++)
- if (doi == oakley_dhdef[i].doi) {
- plog(LLV_DEBUG, LOCATION, NULL, "hmac(%s)\n",
- oakley_dhdef[i].name);
- return &oakley_dhdef[i];
- }
- return NULL;
-}
-
-int
-alg_oakley_dhdef_ok(doi)
- int doi;
-{
- struct dh_algorithm *f;
-
- f = alg_oakley_dhdef(doi);
- if (f == NULL)
- return 0;
-
- return 1;
-}
-
-int
-alg_oakley_dhdef_doi(type)
- int type;
-{
- int i, res = -1;
-
- for (i = 0; i < ARRAYLEN(oakley_dhdef); i++)
- if (type == oakley_dhdef[i].type) {
- res = oakley_dhdef[i].doi;
- break;
- }
- return res;
-}
-
-struct dhgroup *
-alg_oakley_dhdef_group(doi)
- int doi;
-{
- struct dh_algorithm *f;
-
- f = alg_oakley_dhdef(doi);
- if (f == NULL || f->dhgroup == NULL)
- return NULL;
-
- return f->dhgroup;
-}
-
-const char *
-alg_oakley_dhdef_name (doi)
- int doi;
-{
- struct dh_algorithm *f;
-
- f = alg_oakley_dhdef(doi);
- if (f == NULL)
- return "*UNKNOWN*";
- return f->name;
-}
-
-/* authentication method */
-int
-alg_oakley_authdef_doi(type)
- int type;
-{
- int i, res = -1;
-
- for (i = 0; i < ARRAYLEN(oakley_authdef); i++)
- if (type == oakley_authdef[i].type) {
- res = oakley_authdef[i].doi;
- break;
- }
- return res;
-}
-
-const char *
-alg_oakley_authdef_name (doi)
- int doi;
-{
- int i;
-
- for (i = 0; i < ARRAYLEN(oakley_authdef); i++)
- if (doi == oakley_authdef[i].doi) {
- return oakley_authdef[i].name;
- }
- return "*UNKNOWN*";
-}
-
-/*
- * give the default key length
- * OUT: -1: NG
- * 0: fixed key cipher, key length not allowed
- * positive: default key length
- */
-int
-default_keylen(class, type)
- int class, type;
-{
-
- switch (class) {
- case algclass_isakmp_enc:
- case algclass_ipsec_enc:
- break;
- default:
- return 0;
- }
-
- switch (type) {
- case algtype_blowfish:
- case algtype_rc5:
- case algtype_cast128:
- case algtype_aes:
- case algtype_twofish:
- case algtype_camellia:
- return 128;
- default:
- return 0;
- }
-}
-
-/*
- * check key length
- * OUT: -1: NG
- * 0: OK
- */
-int
-check_keylen(class, type, len)
- int class, type, len;
-{
- int badrange;
-
- switch (class) {
- case algclass_isakmp_enc:
- case algclass_ipsec_enc:
- break;
- default:
- /* unknown class, punt */
- plog(LLV_ERROR, LOCATION, NULL,
- "unknown algclass %d\n", class);
- return -1;
- }
-
- /* key length must be multiple of 8 bytes - RFC2451 2.2 */
- switch (type) {
- case algtype_blowfish:
- case algtype_rc5:
- case algtype_cast128:
- case algtype_aes:
- case algtype_twofish:
- case algtype_camellia:
- if (len % 8 != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "key length %d is not multiple of 8\n", len);
- return -1;
- }
- break;
- }
-
- /* key length range */
- badrange = 0;
- switch (type) {
- case algtype_blowfish:
- if (len < 40 || 448 < len)
- badrange++;
- break;
- case algtype_rc5:
- if (len < 40 || 2040 < len)
- badrange++;
- break;
- case algtype_cast128:
- if (len < 40 || 128 < len)
- badrange++;
- break;
- case algtype_aes:
- if (!(len == 128 || len == 192 || len == 256))
- badrange++;
- break;
- case algtype_twofish:
- if (len < 40 || 256 < len)
- badrange++;
- break;
- case algtype_camellia:
- if (!(len == 128 || len == 192 || len == 256))
- badrange++;
- break;
- default:
- if (len) {
- plog(LLV_ERROR, LOCATION, NULL,
- "key length is not allowed");
- return -1;
- }
- break;
- }
- if (badrange) {
- plog(LLV_ERROR, LOCATION, NULL,
- "key length out of range\n");
- return -1;
- }
-
- return 0;
-}
-
-/*
- * convert algorithm type to DOI value.
- * OUT -1 : NG
- * other: converted.
- */
-int
-algtype2doi(class, type)
- int class, type;
-{
- int res = -1;
-
- switch (class) {
- case algclass_ipsec_enc:
- res = alg_ipsec_encdef_doi(type);
- break;
- case algclass_ipsec_auth:
- res = alg_ipsec_hmacdef_doi(type);
- break;
- case algclass_ipsec_comp:
- res = alg_ipsec_compdef_doi(type);
- break;
- case algclass_isakmp_enc:
- res = alg_oakley_encdef_doi(type);
- break;
- case algclass_isakmp_hash:
- res = alg_oakley_hashdef_doi(type);
- break;
- case algclass_isakmp_dh:
- res = alg_oakley_dhdef_doi(type);
- break;
- case algclass_isakmp_ameth:
- res = alg_oakley_authdef_doi(type);
- break;
- }
- return res;
-}
-
-/*
- * convert algorithm class to DOI value.
- * OUT -1 : NG
- * other: converted.
- */
-int
-algclass2doi(class)
- int class;
-{
- switch (class) {
- case algclass_ipsec_enc:
- return IPSECDOI_PROTO_IPSEC_ESP;
- case algclass_ipsec_auth:
- return IPSECDOI_ATTR_AUTH;
- case algclass_ipsec_comp:
- return IPSECDOI_PROTO_IPCOMP;
- case algclass_isakmp_enc:
- return OAKLEY_ATTR_ENC_ALG;
- case algclass_isakmp_hash:
- return OAKLEY_ATTR_HASH_ALG;
- case algclass_isakmp_dh:
- return OAKLEY_ATTR_GRP_DESC;
- case algclass_isakmp_ameth:
- return OAKLEY_ATTR_AUTH_METHOD;
- default:
- return -1;
- }
- /*NOTREACHED*/
- return -1;
-}
diff --git a/src/racoon/algorithm.h b/src/racoon/algorithm.h
deleted file mode 100644
index 8b631b6..0000000
--- a/src/racoon/algorithm.h
+++ /dev/null
@@ -1,216 +0,0 @@
-/* $NetBSD: algorithm.h,v 1.5 2006/10/06 12:02:27 manu Exp $ */
-
-/* Id: algorithm.h,v 1.10 2005/04/09 16:25:23 manubsd Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _ALGORITHM_H
-#define _ALGORITHM_H
-
-#include <gnuc.h>
-
-/* algorithm class */
-enum {
- algclass_ipsec_enc,
- algclass_ipsec_auth,
- algclass_ipsec_comp,
- algclass_isakmp_enc,
- algclass_isakmp_hash,
- algclass_isakmp_dh,
- algclass_isakmp_ameth, /* authentication method. */
-#define MAXALGCLASS 7
-};
-
-#define ALG_DEFAULT_KEYLEN 64
-
-#define ALGTYPE_NOTHING 0
-
-/* algorithm type */
-enum algtype {
- algtype_nothing = 0,
-
- /* enc */
- algtype_des_iv64,
- algtype_des,
- algtype_3des,
- algtype_rc5,
- algtype_idea,
- algtype_cast128,
- algtype_blowfish,
- algtype_3idea,
- algtype_des_iv32,
- algtype_rc4,
- algtype_null_enc,
- algtype_aes,
- algtype_twofish,
- algtype_camellia,
-
- /* ipsec auth */
- algtype_hmac_md5,
- algtype_hmac_sha1,
- algtype_des_mac,
- algtype_kpdk,
- algtype_non_auth,
- algtype_hmac_sha2_256,
- algtype_hmac_sha2_384,
- algtype_hmac_sha2_512,
-
- /* ipcomp */
- algtype_oui,
- algtype_deflate,
- algtype_lzs,
-
- /* hash */
- algtype_md5,
- algtype_sha1,
- algtype_tiger,
- algtype_sha2_256,
- algtype_sha2_384,
- algtype_sha2_512,
-
- /* dh_group */
- algtype_modp768,
- algtype_modp1024,
- algtype_ec2n155,
- algtype_ec2n185,
- algtype_modp1536,
- algtype_modp2048,
- algtype_modp3072,
- algtype_modp4096,
- algtype_modp6144,
- algtype_modp8192,
-
- /* authentication method. */
- algtype_psk,
- algtype_dsssig,
- algtype_rsasig,
- algtype_rsaenc,
- algtype_rsarev,
- algtype_gssapikrb,
-#ifdef ENABLE_HYBRID
- algtype_hybrid_rsa_s,
- algtype_hybrid_dss_s,
- algtype_hybrid_rsa_c,
- algtype_hybrid_dss_c,
- algtype_xauth_psk_s,
- algtype_xauth_psk_c,
- algtype_xauth_rsa_s,
- algtype_xauth_rsa_c,
-#endif
-};
-
-struct hmac_algorithm {
- char *name;
- int type;
- int doi;
- caddr_t (*init) __P((vchar_t *));
- void (*update) __P((caddr_t, vchar_t *));
- vchar_t *(*final) __P((caddr_t));
- int (*hashlen) __P((void));
- vchar_t *(*one) __P((vchar_t *, vchar_t *));
-};
-
-struct hash_algorithm {
- char *name;
- int type;
- int doi;
- caddr_t (*init) __P((void));
- void (*update) __P((caddr_t, vchar_t *));
- vchar_t *(*final) __P((caddr_t));
- int (*hashlen) __P((void));
- vchar_t *(*one) __P((vchar_t *));
-};
-
-struct enc_algorithm {
- char *name;
- int type;
- int doi;
- int blocklen;
- vchar_t *(*encrypt) __P((vchar_t *, vchar_t *, vchar_t *));
- vchar_t *(*decrypt) __P((vchar_t *, vchar_t *, vchar_t *));
- int (*weakkey) __P((vchar_t *));
- int (*keylen) __P((int));
-};
-
-/* dh group */
-struct dh_algorithm {
- char *name;
- int type;
- int doi;
- struct dhgroup *dhgroup;
-};
-
-/* ipcomp, auth meth, dh group */
-struct misc_algorithm {
- char *name;
- int type;
- int doi;
-};
-
-extern int alg_oakley_hashdef_ok __P((int));
-extern int alg_oakley_hashdef_doi __P((int));
-extern int alg_oakley_hashdef_hashlen __P((int));
-extern vchar_t *alg_oakley_hashdef_one __P((int, vchar_t *));
-
-extern int alg_oakley_hmacdef_doi __P((int));
-extern vchar_t *alg_oakley_hmacdef_one __P((int, vchar_t *, vchar_t *));
-
-extern int alg_oakley_encdef_ok __P((int));
-extern int alg_oakley_encdef_doi __P((int));
-extern int alg_oakley_encdef_keylen __P((int, int));
-extern int alg_oakley_encdef_blocklen __P((int));
-extern vchar_t *alg_oakley_encdef_decrypt __P((int, vchar_t *, vchar_t *, vchar_t *));
-extern vchar_t *alg_oakley_encdef_encrypt __P((int, vchar_t *, vchar_t *, vchar_t *));
-
-extern int alg_ipsec_encdef_doi __P((int));
-extern int alg_ipsec_encdef_keylen __P((int, int));
-
-extern int alg_ipsec_hmacdef_doi __P((int));
-extern int alg_ipsec_hmacdef_hashlen __P((int));
-
-extern int alg_ipsec_compdef_doi __P((int));
-
-extern int alg_oakley_dhdef_doi __P((int));
-extern int alg_oakley_dhdef_ok __P((int));
-extern struct dhgroup *alg_oakley_dhdef_group __P((int));
-
-extern int alg_oakley_authdef_doi __P((int));
-
-extern int default_keylen __P((int, int));
-extern int check_keylen __P((int, int, int));
-extern int algtype2doi __P((int, int));
-extern int algclass2doi __P((int));
-
-extern const char *alg_oakley_encdef_name __P((int));
-extern const char *alg_oakley_hashdef_name __P((int));
-extern const char *alg_oakley_dhdef_name __P((int));
-extern const char *alg_oakley_authdef_name __P((int));
-
-#endif /* _ALGORITHM_H */
diff --git a/src/racoon/backupsa.c b/src/racoon/backupsa.c
deleted file mode 100644
index 9496000..0000000
--- a/src/racoon/backupsa.c
+++ /dev/null
@@ -1,468 +0,0 @@
-/* $NetBSD: backupsa.c,v 1.8.4.1 2007/08/01 11:52:19 vanhu Exp $ */
-
-/* $KAME: backupsa.c,v 1.16 2001/12/31 20:13:40 thorpej Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <ctype.h>
-
-#include <netinet/in.h>
-#include PATH_IPSEC_H
-
-#if TIME_WITH_SYS_TIME
-# include <sys/time.h>
-# include <time.h>
-#else
-# if HAVE_SYS_TIME_H
-# include <sys/time.h>
-# else
-# include <time.h>
-# endif
-#endif
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "str2val.h"
-#include "plog.h"
-#include "debug.h"
-
-#include "localconf.h"
-#include "sockmisc.h"
-#include "safefile.h"
-#include "backupsa.h"
-#include "libpfkey.h"
-
-/*
- * (time string)%(sa parameter)
- * (time string) := ex. Nov 24 18:22:48 1986
- * (sa parameter) :=
- * src dst satype spi mode reqid wsize \
- * e_type e_keylen a_type a_keylen flags \
- * l_alloc l_bytes l_addtime l_usetime seq keymat
- */
-static char *format = "%b %d %T %Y"; /* time format */
-static char *strmon[12] = {
- "Jan", "Feb", "Mar", "Apr", "May", "Jun",
- "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
-};
-
-static char *str2tmx __P((char *, struct tm *));
-static int str2num __P((char *, int));
-
-/*
- * output the sa parameter.
- */
-int
-backupsa_to_file(sa_args)
- struct pfkey_send_sa_args *sa_args;
-{
- char buf[1024];
- struct tm *tm;
- time_t t;
- char *p, *k;
- int len, l, i;
- FILE *fp;
-
- p = buf;
- len = sizeof(buf);
-
- t = time(NULL);
- tm = localtime(&t);
- l = strftime(p, len, format, tm);
- p += l;
- len -= l;
- if (len < 0)
- goto err;
-
- l = snprintf(p, len, "%%");
- if (l < 0 || l >= len)
- goto err;
- p += l;
- len -= l;
- if (len < 0)
- goto err;
-
- i = getnameinfo(sa_args->src, sysdep_sa_len(sa_args->src), p, len, NULL, 0, NIFLAGS);
- if (i != 0)
- goto err;
- l = strlen(p);
- p += l;
- len -= l;
- if (len < 0)
- goto err;
-
- l = snprintf(p, len, " ");
- if (l < 0 || l >= len)
- goto err;
- p += l;
- len -= l;
- if (len < 0)
- goto err;
-
- i = getnameinfo(sa_args->dst, sysdep_sa_len(sa_args->dst), p, len, NULL, 0, NIFLAGS);
- if (i != 0)
- goto err;
- l = strlen(p);
- p += l;
- len -= l;
- if (len < 0)
- goto err;
-
- l = snprintf(p, len,
- " %u %lu %u %u %u "
- "%u %u %u %u %u "
- "%u %llu %llu %llu %u",
- sa_args->satype, (unsigned long)ntohl(sa_args->spi),
- sa_args->mode, sa_args->reqid, sa_args->wsize, sa_args->e_type,
- sa_args->e_keylen, sa_args->a_type, sa_args->a_keylen,
- sa_args->flags, sa_args->l_alloc,
- (unsigned long long)sa_args->l_bytes,
- (unsigned long long)sa_args->l_addtime,
- (unsigned long long)sa_args->l_usetime, sa_args->seq);
-
- if (l < 0 || l >= len)
- goto err;
- p += l;
- len -= l;
- if (len < 0)
- goto err;
-
- k = val2str(sa_args->keymat, sa_args->e_keylen + sa_args->a_keylen);
- l = snprintf(p, len, " %s", k);
- racoon_free(k);
- if (l < 0 || l >= len)
- goto err;
- p += l;
- len -= l;
- if (len < 0)
- goto err;
-
- /* open the file and write the SA parameter */
- if (safefile(lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], 1) != 0 ||
- (fp = fopen(lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], "a")) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to open the backup file %s.\n",
- lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]);
- return -1;
- }
- fprintf(fp, "%s\n", buf);
- fclose(fp);
-
- return 0;
-
-err:
- plog(LLV_ERROR, LOCATION, NULL,
- "SA cannot be saved to a file.\n");
- return -1;
-}
-
-int
-backupsa_from_file()
-{
- FILE *fp;
- char buf[512];
- struct tm tm;
- time_t created, current;
- char *p, *q;
- size_t keymatlen;
- int line;
- struct pfkey_send_sa_args sa_args;
-
- memset(&sa_args, 0, sizeof(sa_args));
-
- if (safefile(lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], 1) == 0)
- fp = fopen(lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], "r");
- else
- fp = NULL;
- if (fp == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to open the backup file %s.\n",
- lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]);
- return -1;
- }
-
- current = time(NULL);
-
- for(line = 1; fgets(buf, sizeof(buf), fp) != NULL; line++) {
- /* comment line */
- if (buf[0] == '#')
- continue;
-
- memset(&tm, 0, sizeof(tm));
- p = str2tmx(buf, &tm);
- if (*p != '%') {
- err:
- plog(LLV_ERROR, LOCATION, NULL,
- "illegal format line#%d in %s: %s\n",
- line, lcconf->pathinfo[LC_PATHTYPE_BACKUPSA],
- buf);
- goto next;
- }
- created = mktime(&tm);
- p++;
-
- for (q = p; *q != '\0' && !isspace((int)*q); q++)
- ;
- *q = '\0';
- if ((sa_args.src = str2saddr(p, NULL)) == NULL)
- goto next;
- p = q + 1;
-
- for (q = p; *q != '\0' && !isspace((int)*q); q++)
- ;
- *q = '\0';
- if ((sa_args.dst = str2saddr(p, NULL)) == NULL)
- goto next;
- p = q + 1;
-
-#define GETNEXTNUM(value, function) \
-do { \
- char *y; \
- for (q = p; *q != '\0' && !isspace((int)*q); q++) \
- ; \
- *q = '\0'; \
- (value) = function(p, &y, 10); \
- if ((value) == 0 && *y != '\0') \
- goto next; \
- p = q + 1; \
-} while (/*CONSTCOND*/0);
-
- GETNEXTNUM(sa_args.satype, strtoul);
- GETNEXTNUM(sa_args.spi, strtoul);
- sa_args.spi = ntohl(sa_args.spi);
- GETNEXTNUM(sa_args.mode, strtoul);
- GETNEXTNUM(sa_args.reqid, strtoul);
- GETNEXTNUM(sa_args.wsize, strtoul);
- GETNEXTNUM(sa_args.e_type, strtoul);
- GETNEXTNUM(sa_args.e_keylen, strtoul);
- GETNEXTNUM(sa_args.a_type, strtoul);
- GETNEXTNUM(sa_args.a_keylen, strtoul);
- GETNEXTNUM(sa_args.flags, strtoul);
- GETNEXTNUM(sa_args.l_alloc, strtoul);
- GETNEXTNUM(sa_args.l_bytes, strtouq);
- GETNEXTNUM(sa_args.l_addtime, strtouq);
- GETNEXTNUM(sa_args.l_usetime, strtouq);
- GETNEXTNUM(sa_args.seq, strtoul);
-
-#undef GETNEXTNUM
-
- sa_args.keymat = str2val(p, 16, &keymatlen);
- if (sa_args.keymat == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "illegal format(keymat) line#%d in %s: %s\n",
- line, lcconf->pathinfo[LC_PATHTYPE_BACKUPSA],
- buf);
- goto next;
- }
-
- if (created + sa_args.l_addtime < current) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "ignore this line#%d in %s due to expiration\n",
- line, lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]);
- goto next;
- }
- sa_args.l_addtime -= current - created;
-
- if (pfkey_send_add2(&sa_args) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "restore SA failed line#%d in %s: %s\n",
- line, lcconf->pathinfo[LC_PATHTYPE_BACKUPSA],
- ipsec_strerror());
- }
-
-next:
- if (sa_args.src != NULL) {
- racoon_free(sa_args.src);
- sa_args.src = NULL;
- }
- if (sa_args.dst != NULL) {
- racoon_free(sa_args.dst);
- sa_args.dst = NULL;
- }
- if (sa_args.keymat != NULL) {
- racoon_free(sa_args.keymat);
- sa_args.keymat = NULL;
- }
- }
-
- fclose(fp);
-
- /*
- * There is a possibility that an abnormal system down will happen
- * again before new negotiation will be started. so racoon clears
- * the backup file here. it's ok that old SAs are remained in the
- * file. any old SA will not be installed because racoon checks the
- * lifetime and compare with current time.
- */
-
- return 0;
-}
-
-int
-backupsa_clean()
-{
- FILE *fp;
-
- /* simply return if the file is not defined. */
- if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA])
- return 0;
-
- fp = fopen(lcconf->pathinfo[LC_PATHTYPE_BACKUPSA], "w+");
- if (fp == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to clean the backup file %s.\n",
- lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]);
- return -1;
- }
- fclose(fp);
- return 0;
-}
-
-/*
- * convert fixed string into the tm structure.
- * The fixed string is like 'Nov 24 18:22:48 1986'.
- * static char *format = "%b %d %T %Y";
- */
-static char *
-str2tmx(char *p, struct tm *tm)
-{
- int i, len;
-
- /* Month */
- for (i = 0; i < sizeof(strmon)/sizeof(strmon[0]); i++) {
- if (strncasecmp(p, strmon[i], strlen(strmon[i])) == 0) {
- tm->tm_mon = i;
- break;
- }
- }
- if (i == sizeof(strmon)/sizeof(strmon[0]))
- return 0;
- p += strlen(strmon[i]);
- if (*p++ != ' ')
- return 0;
-
- /* Day */
- len = 2;
- tm->tm_mday = str2num(p, len);
- if (tm->tm_mday == -1 || tm->tm_mday > 31)
- return 0;
- p += len;
- if (*p++ != ' ')
- return 0;
-
- /* Hour */
- len = 2;
- tm->tm_hour = str2num(p, len);
- if (tm->tm_hour == -1 || tm->tm_hour > 24)
- return 0;
- p += len;
- if (*p++ != ':')
- return 0;
-
- /* Min */
- len = 2;
- tm->tm_min = str2num(p, len);
- if (tm->tm_min == -1 || tm->tm_min > 60)
- return 0;
- p += len;
- if (*p++ != ':')
- return 0;
-
- /* Sec */
- len = 2;
- tm->tm_sec = str2num(p, len);
- if (tm->tm_sec == -1 || tm->tm_sec > 60)
- return 0;
- p += len;
- if (*p++ != ' ')
- return 0;
-
- /* Year */
- len = 4;
- tm->tm_year = str2num(p, len);
- if (tm->tm_year == -1 || tm->tm_year < 1900)
- return 0;
- tm->tm_year -= 1900;
- p += len;
-
- return p;
-}
-
-static int
-str2num(p, len)
- char *p;
- int len;
-{
- int res, i;
-
- res = 0;
- for (i = len; i > 0; i--) {
- if (!isdigit((int)*p))
- return -1;
- res *= 10;
- res += *p - '0';
- p++;
- }
-
- return res;
-}
-
-#ifdef TEST
-#include <stdio.h>
-int
-main()
-{
- struct tm tm;
- time_t t;
- char *buf = "Nov 24 18:22:48 1986 ";
- char *p;
-
- memset(&tm, 0, sizeof(tm));
- p = str2tmx(buf, &tm);
- printf("[%x]\n", *p);
- t = mktime(&tm);
- if (t == -1)
- printf("mktime failed.");
- p = ctime(&t);
- printf("[%s]\n", p);
-
- exit(0);
-}
-#endif
diff --git a/src/racoon/backupsa.h b/src/racoon/backupsa.h
deleted file mode 100644
index e563791..0000000
--- a/src/racoon/backupsa.h
+++ /dev/null
@@ -1,41 +0,0 @@
-/* $NetBSD: backupsa.h,v 1.5 2006/12/09 05:52:57 manu Exp $ */
-
-/* Id: backupsa.h,v 1.3 2004/06/11 16:00:15 ludvigm Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _BACKUPSA_H
-#define _BACKUPSA_H
-
-extern int backupsa_to_file __P((struct pfkey_send_sa_args *));
-extern int backupsa_from_file __P((void));
-extern int backupsa_clean __P((void));
-
-#endif /* _BACKUPSA_H */
diff --git a/src/racoon/cfparse.h b/src/racoon/cfparse.h
deleted file mode 100644
index 2946b3e..0000000
--- a/src/racoon/cfparse.h
+++ /dev/null
@@ -1,392 +0,0 @@
-/* A Bison parser, made by GNU Bison 2.3. */
-
-/* Skeleton interface for Bison's Yacc-like parsers in C
-
- Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005, 2006
- Free Software Foundation, Inc.
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2, or (at your option)
- any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 51 Franklin Street, Fifth Floor,
- Boston, MA 02110-1301, USA. */
-
-/* As a special exception, you may create a larger work that contains
- part or all of the Bison parser skeleton and distribute that work
- under terms of your choice, so long as that work isn't itself a
- parser generator using the skeleton or a modified version thereof
- as a parser skeleton. Alternatively, if you modify or redistribute
- the parser skeleton itself, you may (at your option) remove this
- special exception, which will cause the skeleton and the resulting
- Bison output files to be licensed under the GNU General Public
- License without this special exception.
-
- This special exception was added by the Free Software Foundation in
- version 2.2 of Bison. */
-
-/* Tokens. */
-#ifndef YYTOKENTYPE
-# define YYTOKENTYPE
- /* Put the tokens into the symbol table, so that GDB and other debuggers
- know about them. */
- enum yytokentype {
- PRIVSEP = 258,
- USER = 259,
- GROUP = 260,
- CHROOT = 261,
- PATH = 262,
- PATHTYPE = 263,
- INCLUDE = 264,
- IDENTIFIER = 265,
- VENDORID = 266,
- LOGGING = 267,
- LOGLEV = 268,
- PADDING = 269,
- PAD_RANDOMIZE = 270,
- PAD_RANDOMIZELEN = 271,
- PAD_MAXLEN = 272,
- PAD_STRICT = 273,
- PAD_EXCLTAIL = 274,
- LISTEN = 275,
- X_ISAKMP = 276,
- X_ISAKMP_NATT = 277,
- X_ADMIN = 278,
- STRICT_ADDRESS = 279,
- ADMINSOCK = 280,
- DISABLED = 281,
- LDAPCFG = 282,
- LDAP_HOST = 283,
- LDAP_PORT = 284,
- LDAP_PVER = 285,
- LDAP_BASE = 286,
- LDAP_BIND_DN = 287,
- LDAP_BIND_PW = 288,
- LDAP_SUBTREE = 289,
- LDAP_ATTR_USER = 290,
- LDAP_ATTR_ADDR = 291,
- LDAP_ATTR_MASK = 292,
- LDAP_ATTR_GROUP = 293,
- LDAP_ATTR_MEMBER = 294,
- MODECFG = 295,
- CFG_NET4 = 296,
- CFG_MASK4 = 297,
- CFG_DNS4 = 298,
- CFG_NBNS4 = 299,
- CFG_DEFAULT_DOMAIN = 300,
- CFG_AUTH_SOURCE = 301,
- CFG_AUTH_GROUPS = 302,
- CFG_SYSTEM = 303,
- CFG_RADIUS = 304,
- CFG_PAM = 305,
- CFG_LDAP = 306,
- CFG_LOCAL = 307,
- CFG_NONE = 308,
- CFG_GROUP_SOURCE = 309,
- CFG_ACCOUNTING = 310,
- CFG_CONF_SOURCE = 311,
- CFG_MOTD = 312,
- CFG_POOL_SIZE = 313,
- CFG_AUTH_THROTTLE = 314,
- CFG_SPLIT_NETWORK = 315,
- CFG_SPLIT_LOCAL = 316,
- CFG_SPLIT_INCLUDE = 317,
- CFG_SPLIT_DNS = 318,
- CFG_PFS_GROUP = 319,
- CFG_SAVE_PASSWD = 320,
- RETRY = 321,
- RETRY_COUNTER = 322,
- RETRY_INTERVAL = 323,
- RETRY_PERSEND = 324,
- RETRY_PHASE1 = 325,
- RETRY_PHASE2 = 326,
- NATT_KA = 327,
- ALGORITHM_CLASS = 328,
- ALGORITHMTYPE = 329,
- STRENGTHTYPE = 330,
- SAINFO = 331,
- FROM = 332,
- REMOTE = 333,
- ANONYMOUS = 334,
- INHERIT = 335,
- EXCHANGE_MODE = 336,
- EXCHANGETYPE = 337,
- DOI = 338,
- DOITYPE = 339,
- SITUATION = 340,
- SITUATIONTYPE = 341,
- CERTIFICATE_TYPE = 342,
- CERTTYPE = 343,
- PEERS_CERTFILE = 344,
- CA_TYPE = 345,
- VERIFY_CERT = 346,
- SEND_CERT = 347,
- SEND_CR = 348,
- IDENTIFIERTYPE = 349,
- IDENTIFIERQUAL = 350,
- MY_IDENTIFIER = 351,
- PEERS_IDENTIFIER = 352,
- VERIFY_IDENTIFIER = 353,
- DNSSEC = 354,
- CERT_X509 = 355,
- CERT_PLAINRSA = 356,
- NONCE_SIZE = 357,
- DH_GROUP = 358,
- KEEPALIVE = 359,
- PASSIVE = 360,
- INITIAL_CONTACT = 361,
- NAT_TRAVERSAL = 362,
- REMOTE_FORCE_LEVEL = 363,
- PROPOSAL_CHECK = 364,
- PROPOSAL_CHECK_LEVEL = 365,
- GENERATE_POLICY = 366,
- GENERATE_LEVEL = 367,
- SUPPORT_PROXY = 368,
- PROPOSAL = 369,
- EXEC_PATH = 370,
- EXEC_COMMAND = 371,
- EXEC_SUCCESS = 372,
- EXEC_FAILURE = 373,
- GSS_ID = 374,
- GSS_ID_ENC = 375,
- GSS_ID_ENCTYPE = 376,
- COMPLEX_BUNDLE = 377,
- DPD = 378,
- DPD_DELAY = 379,
- DPD_RETRY = 380,
- DPD_MAXFAIL = 381,
- PH1ID = 382,
- XAUTH_LOGIN = 383,
- WEAK_PHASE1_CHECK = 384,
- PREFIX = 385,
- PORT = 386,
- PORTANY = 387,
- UL_PROTO = 388,
- ANY = 389,
- IKE_FRAG = 390,
- ESP_FRAG = 391,
- MODE_CFG = 392,
- PFS_GROUP = 393,
- LIFETIME = 394,
- LIFETYPE_TIME = 395,
- LIFETYPE_BYTE = 396,
- STRENGTH = 397,
- REMOTEID = 398,
- SCRIPT = 399,
- PHASE1_UP = 400,
- PHASE1_DOWN = 401,
- NUMBER = 402,
- SWITCH = 403,
- BOOLEAN = 404,
- HEXSTRING = 405,
- QUOTEDSTRING = 406,
- ADDRSTRING = 407,
- ADDRRANGE = 408,
- UNITTYPE_BYTE = 409,
- UNITTYPE_KBYTES = 410,
- UNITTYPE_MBYTES = 411,
- UNITTYPE_TBYTES = 412,
- UNITTYPE_SEC = 413,
- UNITTYPE_MIN = 414,
- UNITTYPE_HOUR = 415,
- EOS = 416,
- BOC = 417,
- EOC = 418,
- COMMA = 419
- };
-#endif
-/* Tokens. */
-#define PRIVSEP 258
-#define USER 259
-#define GROUP 260
-#define CHROOT 261
-#define PATH 262
-#define PATHTYPE 263
-#define INCLUDE 264
-#define IDENTIFIER 265
-#define VENDORID 266
-#define LOGGING 267
-#define LOGLEV 268
-#define PADDING 269
-#define PAD_RANDOMIZE 270
-#define PAD_RANDOMIZELEN 271
-#define PAD_MAXLEN 272
-#define PAD_STRICT 273
-#define PAD_EXCLTAIL 274
-#define LISTEN 275
-#define X_ISAKMP 276
-#define X_ISAKMP_NATT 277
-#define X_ADMIN 278
-#define STRICT_ADDRESS 279
-#define ADMINSOCK 280
-#define DISABLED 281
-#define LDAPCFG 282
-#define LDAP_HOST 283
-#define LDAP_PORT 284
-#define LDAP_PVER 285
-#define LDAP_BASE 286
-#define LDAP_BIND_DN 287
-#define LDAP_BIND_PW 288
-#define LDAP_SUBTREE 289
-#define LDAP_ATTR_USER 290
-#define LDAP_ATTR_ADDR 291
-#define LDAP_ATTR_MASK 292
-#define LDAP_ATTR_GROUP 293
-#define LDAP_ATTR_MEMBER 294
-#define MODECFG 295
-#define CFG_NET4 296
-#define CFG_MASK4 297
-#define CFG_DNS4 298
-#define CFG_NBNS4 299
-#define CFG_DEFAULT_DOMAIN 300
-#define CFG_AUTH_SOURCE 301
-#define CFG_AUTH_GROUPS 302
-#define CFG_SYSTEM 303
-#define CFG_RADIUS 304
-#define CFG_PAM 305
-#define CFG_LDAP 306
-#define CFG_LOCAL 307
-#define CFG_NONE 308
-#define CFG_GROUP_SOURCE 309
-#define CFG_ACCOUNTING 310
-#define CFG_CONF_SOURCE 311
-#define CFG_MOTD 312
-#define CFG_POOL_SIZE 313
-#define CFG_AUTH_THROTTLE 314
-#define CFG_SPLIT_NETWORK 315
-#define CFG_SPLIT_LOCAL 316
-#define CFG_SPLIT_INCLUDE 317
-#define CFG_SPLIT_DNS 318
-#define CFG_PFS_GROUP 319
-#define CFG_SAVE_PASSWD 320
-#define RETRY 321
-#define RETRY_COUNTER 322
-#define RETRY_INTERVAL 323
-#define RETRY_PERSEND 324
-#define RETRY_PHASE1 325
-#define RETRY_PHASE2 326
-#define NATT_KA 327
-#define ALGORITHM_CLASS 328
-#define ALGORITHMTYPE 329
-#define STRENGTHTYPE 330
-#define SAINFO 331
-#define FROM 332
-#define REMOTE 333
-#define ANONYMOUS 334
-#define INHERIT 335
-#define EXCHANGE_MODE 336
-#define EXCHANGETYPE 337
-#define DOI 338
-#define DOITYPE 339
-#define SITUATION 340
-#define SITUATIONTYPE 341
-#define CERTIFICATE_TYPE 342
-#define CERTTYPE 343
-#define PEERS_CERTFILE 344
-#define CA_TYPE 345
-#define VERIFY_CERT 346
-#define SEND_CERT 347
-#define SEND_CR 348
-#define IDENTIFIERTYPE 349
-#define IDENTIFIERQUAL 350
-#define MY_IDENTIFIER 351
-#define PEERS_IDENTIFIER 352
-#define VERIFY_IDENTIFIER 353
-#define DNSSEC 354
-#define CERT_X509 355
-#define CERT_PLAINRSA 356
-#define NONCE_SIZE 357
-#define DH_GROUP 358
-#define KEEPALIVE 359
-#define PASSIVE 360
-#define INITIAL_CONTACT 361
-#define NAT_TRAVERSAL 362
-#define REMOTE_FORCE_LEVEL 363
-#define PROPOSAL_CHECK 364
-#define PROPOSAL_CHECK_LEVEL 365
-#define GENERATE_POLICY 366
-#define GENERATE_LEVEL 367
-#define SUPPORT_PROXY 368
-#define PROPOSAL 369
-#define EXEC_PATH 370
-#define EXEC_COMMAND 371
-#define EXEC_SUCCESS 372
-#define EXEC_FAILURE 373
-#define GSS_ID 374
-#define GSS_ID_ENC 375
-#define GSS_ID_ENCTYPE 376
-#define COMPLEX_BUNDLE 377
-#define DPD 378
-#define DPD_DELAY 379
-#define DPD_RETRY 380
-#define DPD_MAXFAIL 381
-#define PH1ID 382
-#define XAUTH_LOGIN 383
-#define WEAK_PHASE1_CHECK 384
-#define PREFIX 385
-#define PORT 386
-#define PORTANY 387
-#define UL_PROTO 388
-#define ANY 389
-#define IKE_FRAG 390
-#define ESP_FRAG 391
-#define MODE_CFG 392
-#define PFS_GROUP 393
-#define LIFETIME 394
-#define LIFETYPE_TIME 395
-#define LIFETYPE_BYTE 396
-#define STRENGTH 397
-#define REMOTEID 398
-#define SCRIPT 399
-#define PHASE1_UP 400
-#define PHASE1_DOWN 401
-#define NUMBER 402
-#define SWITCH 403
-#define BOOLEAN 404
-#define HEXSTRING 405
-#define QUOTEDSTRING 406
-#define ADDRSTRING 407
-#define ADDRRANGE 408
-#define UNITTYPE_BYTE 409
-#define UNITTYPE_KBYTES 410
-#define UNITTYPE_MBYTES 411
-#define UNITTYPE_TBYTES 412
-#define UNITTYPE_SEC 413
-#define UNITTYPE_MIN 414
-#define UNITTYPE_HOUR 415
-#define EOS 416
-#define BOC 417
-#define EOC 418
-#define COMMA 419
-
-
-
-
-#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
-typedef union YYSTYPE
-#line 174 "cfparse.y"
-{
- unsigned long num;
- vchar_t *val;
- struct remoteconf *rmconf;
- struct sockaddr *saddr;
- struct sainfoalg *alg;
-}
-/* Line 1489 of yacc.c. */
-#line 385 "cfparse.h"
- YYSTYPE;
-# define yystype YYSTYPE /* obsolescent; will be withdrawn */
-# define YYSTYPE_IS_DECLARED 1
-# define YYSTYPE_IS_TRIVIAL 1
-#endif
-
-extern YYSTYPE yylval;
-
diff --git a/src/racoon/cfparse.y b/src/racoon/cfparse.y
deleted file mode 100644
index 540c400..0000000
--- a/src/racoon/cfparse.y
+++ /dev/null
@@ -1,2599 +0,0 @@
-/* $NetBSD: cfparse.y,v 1.18.4.7 2008/07/21 20:45:32 tteras Exp $ */
-
-/* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
-
-%{
-/*
- * Copyright (C) 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 and 2003 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/queue.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include PATH_IPSEC_H
-
-#ifdef ENABLE_HYBRID
-#include <arpa/inet.h>
-#endif
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#include <netdb.h>
-#include <pwd.h>
-#include <grp.h>
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "sockmisc.h"
-#include "str2val.h"
-#include "genlist.h"
-#include "debug.h"
-
-#include "admin.h"
-#include "privsep.h"
-#include "cfparse_proto.h"
-#include "cftoken_proto.h"
-#include "algorithm.h"
-#include "localconf.h"
-#include "policy.h"
-#include "sainfo.h"
-#include "oakley.h"
-#include "pfkey.h"
-#include "remoteconf.h"
-#include "grabmyaddr.h"
-#include "isakmp_var.h"
-#include "handler.h"
-#include "isakmp.h"
-#include "nattraversal.h"
-#include "isakmp_frag.h"
-#ifdef ENABLE_HYBRID
-#include "resolv.h"
-#include "isakmp_unity.h"
-#include "isakmp_xauth.h"
-#include "isakmp_cfg.h"
-#endif
-#include "ipsec_doi.h"
-#include "strnames.h"
-#include "gcmalloc.h"
-#ifdef HAVE_GSSAPI
-#include "gssapi.h"
-#endif
-#include "vendorid.h"
-#include "rsalist.h"
-
-struct proposalspec {
- time_t lifetime; /* for isakmp/ipsec */
- int lifebyte; /* for isakmp/ipsec */
- struct secprotospec *spspec; /* the head is always current spec. */
- struct proposalspec *next; /* the tail is the most prefered. */
- struct proposalspec *prev;
-};
-
-struct secprotospec {
- int prop_no;
- int trns_no;
- int strength; /* for isakmp/ipsec */
- int encklen; /* for isakmp/ipsec */
- time_t lifetime; /* for isakmp */
- int lifebyte; /* for isakmp */
- int proto_id; /* for ipsec (isakmp?) */
- int ipsec_level; /* for ipsec */
- int encmode; /* for ipsec */
- int vendorid; /* for isakmp */
- char *gssid;
- struct sockaddr *remote;
- int algclass[MAXALGCLASS];
-
- struct secprotospec *next; /* the tail is the most prefiered. */
- struct secprotospec *prev;
- struct proposalspec *back;
-};
-
-static int num2dhgroup[] = {
- 0,
- OAKLEY_ATTR_GRP_DESC_MODP768,
- OAKLEY_ATTR_GRP_DESC_MODP1024,
- OAKLEY_ATTR_GRP_DESC_EC2N155,
- OAKLEY_ATTR_GRP_DESC_EC2N185,
- OAKLEY_ATTR_GRP_DESC_MODP1536,
- 0,
- 0,
- 0,
- 0,
- 0,
- 0,
- 0,
- 0,
- OAKLEY_ATTR_GRP_DESC_MODP2048,
- OAKLEY_ATTR_GRP_DESC_MODP3072,
- OAKLEY_ATTR_GRP_DESC_MODP4096,
- OAKLEY_ATTR_GRP_DESC_MODP6144,
- OAKLEY_ATTR_GRP_DESC_MODP8192
-};
-
-static struct remoteconf *cur_rmconf;
-static int tmpalgtype[MAXALGCLASS];
-static struct sainfo *cur_sainfo;
-static int cur_algclass;
-static int oldloglevel = LLV_BASE;
-
-static struct proposalspec *newprspec __P((void));
-static void insprspec __P((struct proposalspec *, struct proposalspec **));
-static struct secprotospec *newspspec __P((void));
-static void insspspec __P((struct secprotospec *, struct proposalspec **));
-static void adminsock_conf __P((vchar_t *, vchar_t *, vchar_t *, int));
-
-static int set_isakmp_proposal
- __P((struct remoteconf *, struct proposalspec *));
-static void clean_tmpalgtype __P((void));
-static int expand_isakmpspec __P((int, int, int *,
- int, int, time_t, int, int, int, char *, struct remoteconf *));
-static int listen_addr __P((struct sockaddr *addr, int udp_encap));
-
-void freeetypes (struct etypes **etypes);
-
-#if 0
-static int fix_lifebyte __P((u_long));
-#endif
-%}
-
-%union {
- unsigned long num;
- vchar_t *val;
- struct remoteconf *rmconf;
- struct sockaddr *saddr;
- struct sainfoalg *alg;
-}
-
- /* privsep */
-%token PRIVSEP USER GROUP CHROOT
- /* path */
-%token PATH PATHTYPE
- /* include */
-%token INCLUDE
- /* self information */
-%token IDENTIFIER VENDORID
- /* logging */
-%token LOGGING LOGLEV
- /* padding */
-%token PADDING PAD_RANDOMIZE PAD_RANDOMIZELEN PAD_MAXLEN PAD_STRICT PAD_EXCLTAIL
- /* listen */
-%token LISTEN X_ISAKMP X_ISAKMP_NATT X_ADMIN STRICT_ADDRESS ADMINSOCK DISABLED
- /* ldap config */
-%token LDAPCFG LDAP_HOST LDAP_PORT LDAP_PVER LDAP_BASE LDAP_BIND_DN LDAP_BIND_PW LDAP_SUBTREE
-%token LDAP_ATTR_USER LDAP_ATTR_ADDR LDAP_ATTR_MASK LDAP_ATTR_GROUP LDAP_ATTR_MEMBER
- /* modecfg */
-%token MODECFG CFG_NET4 CFG_MASK4 CFG_DNS4 CFG_NBNS4 CFG_DEFAULT_DOMAIN
-%token CFG_AUTH_SOURCE CFG_AUTH_GROUPS CFG_SYSTEM CFG_RADIUS CFG_PAM CFG_LDAP CFG_LOCAL CFG_NONE
-%token CFG_GROUP_SOURCE CFG_ACCOUNTING CFG_CONF_SOURCE CFG_MOTD CFG_POOL_SIZE CFG_AUTH_THROTTLE
-%token CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL CFG_SPLIT_INCLUDE CFG_SPLIT_DNS
-%token CFG_PFS_GROUP CFG_SAVE_PASSWD
-
- /* timer */
-%token RETRY RETRY_COUNTER RETRY_INTERVAL RETRY_PERSEND
-%token RETRY_PHASE1 RETRY_PHASE2 NATT_KA
- /* algorithm */
-%token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE
- /* sainfo */
-%token SAINFO FROM
- /* remote */
-%token REMOTE ANONYMOUS INHERIT
-%token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE
-%token CERTIFICATE_TYPE CERTTYPE PEERS_CERTFILE CA_TYPE
-%token VERIFY_CERT SEND_CERT SEND_CR
-%token IDENTIFIERTYPE IDENTIFIERQUAL MY_IDENTIFIER
-%token PEERS_IDENTIFIER VERIFY_IDENTIFIER
-%token DNSSEC CERT_X509 CERT_PLAINRSA
-%token NONCE_SIZE DH_GROUP KEEPALIVE PASSIVE INITIAL_CONTACT
-%token NAT_TRAVERSAL REMOTE_FORCE_LEVEL
-%token PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL
-%token GENERATE_POLICY GENERATE_LEVEL SUPPORT_PROXY
-%token PROPOSAL
-%token EXEC_PATH EXEC_COMMAND EXEC_SUCCESS EXEC_FAILURE
-%token GSS_ID GSS_ID_ENC GSS_ID_ENCTYPE
-%token COMPLEX_BUNDLE
-%token DPD DPD_DELAY DPD_RETRY DPD_MAXFAIL
-%token PH1ID
-%token XAUTH_LOGIN WEAK_PHASE1_CHECK
-
-%token PREFIX PORT PORTANY UL_PROTO ANY IKE_FRAG ESP_FRAG MODE_CFG
-%token PFS_GROUP LIFETIME LIFETYPE_TIME LIFETYPE_BYTE STRENGTH REMOTEID
-
-%token SCRIPT PHASE1_UP PHASE1_DOWN
-
-%token NUMBER SWITCH BOOLEAN
-%token HEXSTRING QUOTEDSTRING ADDRSTRING ADDRRANGE
-%token UNITTYPE_BYTE UNITTYPE_KBYTES UNITTYPE_MBYTES UNITTYPE_TBYTES
-%token UNITTYPE_SEC UNITTYPE_MIN UNITTYPE_HOUR
-%token EOS BOC EOC COMMA
-
-%type <num> NUMBER BOOLEAN SWITCH keylength
-%type <num> PATHTYPE IDENTIFIERTYPE IDENTIFIERQUAL LOGLEV GSS_ID_ENCTYPE
-%type <num> ALGORITHM_CLASS dh_group_num
-%type <num> ALGORITHMTYPE STRENGTHTYPE
-%type <num> PREFIX prefix PORT port ike_port
-%type <num> ul_proto UL_PROTO
-%type <num> EXCHANGETYPE DOITYPE SITUATIONTYPE
-%type <num> CERTTYPE CERT_X509 CERT_PLAINRSA PROPOSAL_CHECK_LEVEL REMOTE_FORCE_LEVEL GENERATE_LEVEL
-%type <num> unittype_time unittype_byte
-%type <val> QUOTEDSTRING HEXSTRING ADDRSTRING ADDRRANGE sainfo_id
-%type <val> identifierstring
-%type <saddr> remote_index ike_addrinfo_port
-%type <alg> algorithm
-
-%%
-
-statements
- : /* nothing */
- | statements statement
- ;
-statement
- : privsep_statement
- | path_statement
- | include_statement
- | gssenc_statement
- | identifier_statement
- | logging_statement
- | padding_statement
- | listen_statement
- | ldapcfg_statement
- | modecfg_statement
- | timer_statement
- | sainfo_statement
- | remote_statement
- | special_statement
- ;
-
- /* privsep */
-privsep_statement
- : PRIVSEP BOC privsep_stmts EOC
- ;
-privsep_stmts
- : /* nothing */
- | privsep_stmts privsep_stmt
- ;
-privsep_stmt
- : USER QUOTEDSTRING
- {
- struct passwd *pw;
-
- if ((pw = getpwnam($2->v)) == NULL) {
- yyerror("unknown user \"%s\"", $2->v);
- return -1;
- }
- lcconf->uid = pw->pw_uid;
- }
- EOS
- | USER NUMBER { lcconf->uid = $2; } EOS
- | GROUP QUOTEDSTRING
- {
- struct group *gr;
-
- if ((gr = getgrnam($2->v)) == NULL) {
- yyerror("unknown group \"%s\"", $2->v);
- return -1;
- }
- lcconf->gid = gr->gr_gid;
- }
- EOS
- | GROUP NUMBER { lcconf->gid = $2; } EOS
- | CHROOT QUOTEDSTRING { lcconf->chroot = $2->v; } EOS
- ;
-
- /* path */
-path_statement
- : PATH PATHTYPE QUOTEDSTRING
- {
- if ($2 >= LC_PATHTYPE_MAX) {
- yyerror("invalid path type %d", $2);
- return -1;
- }
-
- /* free old pathinfo */
- if (lcconf->pathinfo[$2])
- racoon_free(lcconf->pathinfo[$2]);
-
- /* set new pathinfo */
- lcconf->pathinfo[$2] = racoon_strdup($3->v);
- STRDUP_FATAL(lcconf->pathinfo[$2]);
- vfree($3);
- }
- EOS
- ;
-
- /* special */
-special_statement
- : COMPLEX_BUNDLE SWITCH { lcconf->complex_bundle = $2; } EOS
- ;
-
- /* include */
-include_statement
- : INCLUDE QUOTEDSTRING EOS
- {
- char path[MAXPATHLEN];
-
- getpathname(path, sizeof(path),
- LC_PATHTYPE_INCLUDE, $2->v);
- vfree($2);
- if (yycf_switch_buffer(path) != 0)
- return -1;
- }
- ;
-
- /* gss_id_enc */
-gssenc_statement
- : GSS_ID_ENC GSS_ID_ENCTYPE EOS
- {
- if ($2 >= LC_GSSENC_MAX) {
- yyerror("invalid GSS ID encoding %d", $2);
- return -1;
- }
- lcconf->gss_id_enc = $2;
- }
- ;
-
- /* self information */
-identifier_statement
- : IDENTIFIER identifier_stmt
- ;
-identifier_stmt
- : VENDORID
- {
- /*XXX to be deleted */
- }
- QUOTEDSTRING EOS
- | IDENTIFIERTYPE QUOTEDSTRING
- {
- /*XXX to be deleted */
- $2->l--; /* nuke '\0' */
- lcconf->ident[$1] = $2;
- if (lcconf->ident[$1] == NULL) {
- yyerror("failed to set my ident: %s",
- strerror(errno));
- return -1;
- }
- }
- EOS
- ;
-
- /* logging */
-logging_statement
- : LOGGING log_level EOS
- ;
-log_level
- : HEXSTRING
- {
- /*
- * XXX ignore it because this specification
- * will be obsoleted.
- */
- yywarn("see racoon.conf(5), such a log specification will be obsoleted.");
- vfree($1);
- }
- | LOGLEV
- {
- /*
- * set the loglevel to the value specified
- * in the configuration file plus the number
- * of -d options specified on the command line
- */
- loglevel += $1 - oldloglevel;
- oldloglevel = $1;
- }
- ;
-
- /* padding */
-padding_statement
- : PADDING BOC padding_stmts EOC
- ;
-padding_stmts
- : /* nothing */
- | padding_stmts padding_stmt
- ;
-padding_stmt
- : PAD_RANDOMIZE SWITCH { lcconf->pad_random = $2; } EOS
- | PAD_RANDOMIZELEN SWITCH { lcconf->pad_randomlen = $2; } EOS
- | PAD_MAXLEN NUMBER { lcconf->pad_maxsize = $2; } EOS
- | PAD_STRICT SWITCH { lcconf->pad_strict = $2; } EOS
- | PAD_EXCLTAIL SWITCH { lcconf->pad_excltail = $2; } EOS
- ;
-
- /* listen */
-listen_statement
- : LISTEN BOC listen_stmts EOC
- ;
-listen_stmts
- : /* nothing */
- | listen_stmts listen_stmt
- ;
-listen_stmt
- : X_ISAKMP ike_addrinfo_port
- {
- listen_addr ($2, 0);
- }
- EOS
- | X_ISAKMP_NATT ike_addrinfo_port
- {
-#ifdef ENABLE_NATT
- listen_addr ($2, 1);
-#else
- yyerror("NAT-T support not compiled in.");
-#endif
- }
- EOS
- | X_ADMIN
- {
- yyerror("admin directive is obsoleted.");
- }
- PORT EOS
- | ADMINSOCK QUOTEDSTRING QUOTEDSTRING QUOTEDSTRING NUMBER
- {
-#ifdef ENABLE_ADMINPORT
- adminsock_conf($2, $3, $4, $5);
-#else
- yywarn("admin port support not compiled in");
-#endif
- }
- EOS
- | ADMINSOCK QUOTEDSTRING
- {
-#ifdef ENABLE_ADMINPORT
- adminsock_conf($2, NULL, NULL, -1);
-#else
- yywarn("admin port support not compiled in");
-#endif
- }
- EOS
- | ADMINSOCK DISABLED
- {
-#ifdef ENABLE_ADMINPORT
- adminsock_path = NULL;
-#else
- yywarn("admin port support not compiled in");
-#endif
- }
- EOS
- | STRICT_ADDRESS { lcconf->strict_address = TRUE; } EOS
- ;
-ike_addrinfo_port
- : ADDRSTRING ike_port
- {
- char portbuf[10];
-
- snprintf(portbuf, sizeof(portbuf), "%ld", $2);
- $$ = str2saddr($1->v, portbuf);
- vfree($1);
- if (!$$)
- return -1;
- }
- ;
-ike_port
- : /* nothing */ { $$ = PORT_ISAKMP; }
- | PORT { $$ = $1; }
- ;
-
- /* ldap configuration */
-ldapcfg_statement
- : LDAPCFG {
-#ifndef ENABLE_HYBRID
- yyerror("racoon not configured with --enable-hybrid");
- return -1;
-#endif
-#ifndef HAVE_LIBLDAP
- yyerror("racoon not configured with --with-libldap");
- return -1;
-#endif
- } BOC ldapcfg_stmts EOC
- ;
-ldapcfg_stmts
- : /* nothing */
- | ldapcfg_stmts ldapcfg_stmt
- ;
-ldapcfg_stmt
- : LDAP_PVER NUMBER
- {
-#ifdef ENABLE_HYBRID
-#ifdef HAVE_LIBLDAP
- if (($2<2)||($2>3))
- yyerror("invalid ldap protocol version (2|3)");
- xauth_ldap_config.pver = $2;
-#endif
-#endif
- }
- EOS
- | LDAP_HOST QUOTEDSTRING
- {
-#ifdef ENABLE_HYBRID
-#ifdef HAVE_LIBLDAP
- if (xauth_ldap_config.host != NULL)
- vfree(xauth_ldap_config.host);
- xauth_ldap_config.host = vdup($2);
-#endif
-#endif
- }
- EOS
- | LDAP_PORT NUMBER
- {
-#ifdef ENABLE_HYBRID
-#ifdef HAVE_LIBLDAP
- xauth_ldap_config.port = $2;
-#endif
-#endif
- }
- EOS
- | LDAP_BASE QUOTEDSTRING
- {
-#ifdef ENABLE_HYBRID
-#ifdef HAVE_LIBLDAP
- if (xauth_ldap_config.base != NULL)
- vfree(xauth_ldap_config.base);
- xauth_ldap_config.base = vdup($2);
-#endif
-#endif
- }
- EOS
- | LDAP_SUBTREE SWITCH
- {
-#ifdef ENABLE_HYBRID
-#ifdef HAVE_LIBLDAP
- xauth_ldap_config.subtree = $2;
-#endif
-#endif
- }
- EOS
- | LDAP_BIND_DN QUOTEDSTRING
- {
-#ifdef ENABLE_HYBRID
-#ifdef HAVE_LIBLDAP
- if (xauth_ldap_config.bind_dn != NULL)
- vfree(xauth_ldap_config.bind_dn);
- xauth_ldap_config.bind_dn = vdup($2);
-#endif
-#endif
- }
- EOS
- | LDAP_BIND_PW QUOTEDSTRING
- {
-#ifdef ENABLE_HYBRID
-#ifdef HAVE_LIBLDAP
- if (xauth_ldap_config.bind_pw != NULL)
- vfree(xauth_ldap_config.bind_pw);
- xauth_ldap_config.bind_pw = vdup($2);
-#endif
-#endif
- }
- EOS
- | LDAP_ATTR_USER QUOTEDSTRING
- {
-#ifdef ENABLE_HYBRID
-#ifdef HAVE_LIBLDAP
- if (xauth_ldap_config.attr_user != NULL)
- vfree(xauth_ldap_config.attr_user);
- xauth_ldap_config.attr_user = vdup($2);
-#endif
-#endif
- }
- EOS
- | LDAP_ATTR_ADDR QUOTEDSTRING
- {
-#ifdef ENABLE_HYBRID
-#ifdef HAVE_LIBLDAP
- if (xauth_ldap_config.attr_addr != NULL)
- vfree(xauth_ldap_config.attr_addr);
- xauth_ldap_config.attr_addr = vdup($2);
-#endif
-#endif
- }
- EOS
- | LDAP_ATTR_MASK QUOTEDSTRING
- {
-#ifdef ENABLE_HYBRID
-#ifdef HAVE_LIBLDAP
- if (xauth_ldap_config.attr_mask != NULL)
- vfree(xauth_ldap_config.attr_mask);
- xauth_ldap_config.attr_mask = vdup($2);
-#endif
-#endif
- }
- EOS
- | LDAP_ATTR_GROUP QUOTEDSTRING
- {
-#ifdef ENABLE_HYBRID
-#ifdef HAVE_LIBLDAP
- if (xauth_ldap_config.attr_group != NULL)
- vfree(xauth_ldap_config.attr_group);
- xauth_ldap_config.attr_group = vdup($2);
-#endif
-#endif
- }
- EOS
- | LDAP_ATTR_MEMBER QUOTEDSTRING
- {
-#ifdef ENABLE_HYBRID
-#ifdef HAVE_LIBLDAP
- if (xauth_ldap_config.attr_member != NULL)
- vfree(xauth_ldap_config.attr_member);
- xauth_ldap_config.attr_member = vdup($2);
-#endif
-#endif
- }
- EOS
- ;
-
- /* modecfg */
-modecfg_statement
- : MODECFG BOC modecfg_stmts EOC
- ;
-modecfg_stmts
- : /* nothing */
- | modecfg_stmts modecfg_stmt
- ;
-modecfg_stmt
- : CFG_NET4 ADDRSTRING
- {
-#ifdef ENABLE_HYBRID
- if (inet_pton(AF_INET, $2->v,
- &isakmp_cfg_config.network4) != 1)
- yyerror("bad IPv4 network address.");
-#else
- yyerror("racoon not configured with --enable-hybrid");
-#endif
- }
- EOS
- | CFG_MASK4 ADDRSTRING
- {
-#ifdef ENABLE_HYBRID
- if (inet_pton(AF_INET, $2->v,
- &isakmp_cfg_config.netmask4) != 1)
- yyerror("bad IPv4 netmask address.");
-#else
- yyerror("racoon not configured with --enable-hybrid");
-#endif
- }
- EOS
- | CFG_DNS4 addrdnslist
- EOS
- | CFG_NBNS4 addrwinslist
- EOS
- | CFG_SPLIT_NETWORK CFG_SPLIT_LOCAL splitnetlist
- {
-#ifdef ENABLE_HYBRID
- isakmp_cfg_config.splitnet_type = UNITY_LOCAL_LAN;
-#else
- yyerror("racoon not configured with --enable-hybrid");
-#endif
- }
- EOS
- | CFG_SPLIT_NETWORK CFG_SPLIT_INCLUDE splitnetlist
- {
-#ifdef ENABLE_HYBRID
- isakmp_cfg_config.splitnet_type = UNITY_SPLIT_INCLUDE;
-#else
- yyerror("racoon not configured with --enable-hybrid");
-#endif
- }
- EOS
- | CFG_SPLIT_DNS splitdnslist
- {
-#ifndef ENABLE_HYBRID
- yyerror("racoon not configured with --enable-hybrid");
-#endif
- }
- EOS
- | CFG_DEFAULT_DOMAIN QUOTEDSTRING
- {
-#ifdef ENABLE_HYBRID
- strncpy(&isakmp_cfg_config.default_domain[0],
- $2->v, MAXPATHLEN);
- isakmp_cfg_config.default_domain[MAXPATHLEN] = '\0';
- vfree($2);
-#else
- yyerror("racoon not configured with --enable-hybrid");
-#endif
- }
- EOS
- | CFG_AUTH_SOURCE CFG_SYSTEM
- {
-#ifdef ENABLE_HYBRID
- isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_SYSTEM;
-#else
- yyerror("racoon not configured with --enable-hybrid");
-#endif
- }
- EOS
- | CFG_AUTH_SOURCE CFG_RADIUS
- {
-#ifdef ENABLE_HYBRID
-#ifdef HAVE_LIBRADIUS
- isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_RADIUS;
-#else /* HAVE_LIBRADIUS */
- yyerror("racoon not configured with --with-libradius");
-#endif /* HAVE_LIBRADIUS */
-#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
-#endif /* ENABLE_HYBRID */
- }
- EOS
- | CFG_AUTH_SOURCE CFG_PAM
- {
-#ifdef ENABLE_HYBRID
-#ifdef HAVE_LIBPAM
- isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_PAM;
-#else /* HAVE_LIBPAM */
- yyerror("racoon not configured with --with-libpam");
-#endif /* HAVE_LIBPAM */
-#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
-#endif /* ENABLE_HYBRID */
- }
- EOS
- | CFG_AUTH_SOURCE CFG_LDAP
- {
-#ifdef ENABLE_HYBRID
-#ifdef HAVE_LIBLDAP
- isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_LDAP;
-#else /* HAVE_LIBLDAP */
- yyerror("racoon not configured with --with-libldap");
-#endif /* HAVE_LIBLDAP */
-#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
-#endif /* ENABLE_HYBRID */
- }
- EOS
- | CFG_AUTH_GROUPS authgrouplist
- {
-#ifndef ENABLE_HYBRID
- yyerror("racoon not configured with --enable-hybrid");
-#endif
- }
- EOS
- | CFG_GROUP_SOURCE CFG_SYSTEM
- {
-#ifdef ENABLE_HYBRID
- isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_SYSTEM;
-#else
- yyerror("racoon not configured with --enable-hybrid");
-#endif
- }
- EOS
- | CFG_GROUP_SOURCE CFG_LDAP
- {
-#ifdef ENABLE_HYBRID
-#ifdef HAVE_LIBLDAP
- isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_LDAP;
-#else /* HAVE_LIBLDAP */
- yyerror("racoon not configured with --with-libldap");
-#endif /* HAVE_LIBLDAP */
-#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
-#endif /* ENABLE_HYBRID */
- }
- EOS
- | CFG_ACCOUNTING CFG_NONE
- {
-#ifdef ENABLE_HYBRID
- isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_NONE;
-#else
- yyerror("racoon not configured with --enable-hybrid");
-#endif
- }
- EOS
- | CFG_ACCOUNTING CFG_SYSTEM
- {
-#ifdef ENABLE_HYBRID
- isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_SYSTEM;
-#else
- yyerror("racoon not configured with --enable-hybrid");
-#endif
- }
- EOS
- | CFG_ACCOUNTING CFG_RADIUS
- {
-#ifdef ENABLE_HYBRID
-#ifdef HAVE_LIBRADIUS
- isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_RADIUS;
-#else /* HAVE_LIBRADIUS */
- yyerror("racoon not configured with --with-libradius");
-#endif /* HAVE_LIBRADIUS */
-#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
-#endif /* ENABLE_HYBRID */
- }
- EOS
- | CFG_ACCOUNTING CFG_PAM
- {
-#ifdef ENABLE_HYBRID
-#ifdef HAVE_LIBPAM
- isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_PAM;
-#else /* HAVE_LIBPAM */
- yyerror("racoon not configured with --with-libpam");
-#endif /* HAVE_LIBPAM */
-#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
-#endif /* ENABLE_HYBRID */
- }
- EOS
- | CFG_POOL_SIZE NUMBER
- {
-#ifdef ENABLE_HYBRID
- if (isakmp_cfg_resize_pool($2) != 0)
- yyerror("cannot allocate memory for pool");
-#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
-#endif /* ENABLE_HYBRID */
- }
- EOS
- | CFG_PFS_GROUP NUMBER
- {
-#ifdef ENABLE_HYBRID
- isakmp_cfg_config.pfs_group = $2;
-#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
-#endif /* ENABLE_HYBRID */
- }
- EOS
- | CFG_SAVE_PASSWD SWITCH
- {
-#ifdef ENABLE_HYBRID
- isakmp_cfg_config.save_passwd = $2;
-#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
-#endif /* ENABLE_HYBRID */
- }
- EOS
- | CFG_AUTH_THROTTLE NUMBER
- {
-#ifdef ENABLE_HYBRID
- isakmp_cfg_config.auth_throttle = $2;
-#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
-#endif /* ENABLE_HYBRID */
- }
- EOS
- | CFG_CONF_SOURCE CFG_LOCAL
- {
-#ifdef ENABLE_HYBRID
- isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LOCAL;
-#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
-#endif /* ENABLE_HYBRID */
- }
- EOS
- | CFG_CONF_SOURCE CFG_RADIUS
- {
-#ifdef ENABLE_HYBRID
-#ifdef HAVE_LIBRADIUS
- isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_RADIUS;
-#else /* HAVE_LIBRADIUS */
- yyerror("racoon not configured with --with-libradius");
-#endif /* HAVE_LIBRADIUS */
-#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
-#endif /* ENABLE_HYBRID */
- }
- EOS
- | CFG_CONF_SOURCE CFG_LDAP
- {
-#ifdef ENABLE_HYBRID
-#ifdef HAVE_LIBLDAP
- isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LDAP;
-#else /* HAVE_LIBLDAP */
- yyerror("racoon not configured with --with-libldap");
-#endif /* HAVE_LIBLDAP */
-#else /* ENABLE_HYBRID */
- yyerror("racoon not configured with --enable-hybrid");
-#endif /* ENABLE_HYBRID */
- }
- EOS
- | CFG_MOTD QUOTEDSTRING
- {
-#ifdef ENABLE_HYBRID
- strncpy(&isakmp_cfg_config.motd[0], $2->v, MAXPATHLEN);
- isakmp_cfg_config.motd[MAXPATHLEN] = '\0';
- vfree($2);
-#else
- yyerror("racoon not configured with --enable-hybrid");
-#endif
- }
- EOS
- ;
-
-addrdnslist
- : addrdns
- | addrdns COMMA addrdnslist
- ;
-addrdns
- : ADDRSTRING
- {
-#ifdef ENABLE_HYBRID
- struct isakmp_cfg_config *icc = &isakmp_cfg_config;
-
- if (icc->dns4_index > MAXNS)
- yyerror("No more than %d DNS", MAXNS);
- if (inet_pton(AF_INET, $1->v,
- &icc->dns4[icc->dns4_index++]) != 1)
- yyerror("bad IPv4 DNS address.");
-#else
- yyerror("racoon not configured with --enable-hybrid");
-#endif
- }
- ;
-
-addrwinslist
- : addrwins
- | addrwins COMMA addrwinslist
- ;
-addrwins
- : ADDRSTRING
- {
-#ifdef ENABLE_HYBRID
- struct isakmp_cfg_config *icc = &isakmp_cfg_config;
-
- if (icc->nbns4_index > MAXWINS)
- yyerror("No more than %d WINS", MAXWINS);
- if (inet_pton(AF_INET, $1->v,
- &icc->nbns4[icc->nbns4_index++]) != 1)
- yyerror("bad IPv4 WINS address.");
-#else
- yyerror("racoon not configured with --enable-hybrid");
-#endif
- }
- ;
-
-splitnetlist
- : splitnet
- | splitnetlist COMMA splitnet
- ;
-splitnet
- : ADDRSTRING PREFIX
- {
-#ifdef ENABLE_HYBRID
- struct isakmp_cfg_config *icc = &isakmp_cfg_config;
- struct unity_network network;
- memset(&network,0,sizeof(network));
-
- if (inet_pton(AF_INET, $1->v, &network.addr4) != 1)
- yyerror("bad IPv4 SPLIT address.");
-
- /* Turn $2 (the prefix) into a subnet mask */
- network.mask4.s_addr = ($2) ? htonl(~((1 << (32 - $2)) - 1)) : 0;
-
- /* add the network to our list */
- if (splitnet_list_add(&icc->splitnet_list, &network,&icc->splitnet_count))
- yyerror("Unable to allocate split network");
-#else
- yyerror("racoon not configured with --enable-hybrid");
-#endif
- }
- ;
-
-authgrouplist
- : authgroup
- | authgroup COMMA authgrouplist
- ;
-authgroup
- : QUOTEDSTRING
- {
-#ifdef ENABLE_HYBRID
- char * groupname = NULL;
- char ** grouplist = NULL;
- struct isakmp_cfg_config *icc = &isakmp_cfg_config;
-
- grouplist = racoon_realloc(icc->grouplist,
- sizeof(char**)*(icc->groupcount+1));
- if (grouplist == NULL)
- yyerror("unable to allocate auth group list");
-
- groupname = racoon_malloc($1->l+1);
- if (groupname == NULL)
- yyerror("unable to allocate auth group name");
-
- memcpy(groupname,$1->v,$1->l);
- groupname[$1->l]=0;
- grouplist[icc->groupcount]=groupname;
- icc->grouplist = grouplist;
- icc->groupcount++;
-
- vfree($1);
-#else
- yyerror("racoon not configured with --enable-hybrid");
-#endif
- }
- ;
-
-splitdnslist
- : splitdns
- | splitdns COMMA splitdnslist
- ;
-splitdns
- : QUOTEDSTRING
- {
-#ifdef ENABLE_HYBRID
- struct isakmp_cfg_config *icc = &isakmp_cfg_config;
-
- if (!icc->splitdns_len)
- {
- icc->splitdns_list = racoon_malloc($1->l);
- if(icc->splitdns_list == NULL)
- yyerror("error allocating splitdns list buffer");
- memcpy(icc->splitdns_list,$1->v,$1->l);
- icc->splitdns_len = $1->l;
- }
- else
- {
- int len = icc->splitdns_len + $1->l + 1;
- icc->splitdns_list = racoon_realloc(icc->splitdns_list,len);
- if(icc->splitdns_list == NULL)
- yyerror("error allocating splitdns list buffer");
- icc->splitdns_list[icc->splitdns_len] = ',';
- memcpy(icc->splitdns_list + icc->splitdns_len + 1, $1->v, $1->l);
- icc->splitdns_len = len;
- }
- vfree($1);
-#else
- yyerror("racoon not configured with --enable-hybrid");
-#endif
- }
- ;
-
-
- /* timer */
-timer_statement
- : RETRY BOC timer_stmts EOC
- ;
-timer_stmts
- : /* nothing */
- | timer_stmts timer_stmt
- ;
-timer_stmt
- : RETRY_COUNTER NUMBER
- {
- lcconf->retry_counter = $2;
- }
- EOS
- | RETRY_INTERVAL NUMBER unittype_time
- {
- lcconf->retry_interval = $2 * $3;
- }
- EOS
- | RETRY_PERSEND NUMBER
- {
- lcconf->count_persend = $2;
- }
- EOS
- | RETRY_PHASE1 NUMBER unittype_time
- {
- lcconf->retry_checkph1 = $2 * $3;
- }
- EOS
- | RETRY_PHASE2 NUMBER unittype_time
- {
- lcconf->wait_ph2complete = $2 * $3;
- }
- EOS
- | NATT_KA NUMBER unittype_time
- {
-#ifdef ENABLE_NATT
- if (libipsec_opt & LIBIPSEC_OPT_NATT)
- lcconf->natt_ka_interval = $2 * $3;
- else
- yyerror("libipsec lacks NAT-T support");
-#else
- yyerror("NAT-T support not compiled in.");
-#endif
- }
- EOS
- ;
-
- /* sainfo */
-sainfo_statement
- : SAINFO
- {
- cur_sainfo = newsainfo();
- if (cur_sainfo == NULL) {
- yyerror("failed to allocate sainfo");
- return -1;
- }
- }
- sainfo_name sainfo_param BOC sainfo_specs
- {
- struct sainfo *check;
-
- /* default */
- if (cur_sainfo->algs[algclass_ipsec_enc] == 0) {
- yyerror("no encryption algorithm at %s",
- sainfo2str(cur_sainfo));
- return -1;
- }
- if (cur_sainfo->algs[algclass_ipsec_auth] == 0) {
- yyerror("no authentication algorithm at %s",
- sainfo2str(cur_sainfo));
- return -1;
- }
- if (cur_sainfo->algs[algclass_ipsec_comp] == 0) {
- yyerror("no compression algorithm at %s",
- sainfo2str(cur_sainfo));
- return -1;
- }
-
- /* duplicate check */
- check = getsainfo(cur_sainfo->idsrc,
- cur_sainfo->iddst,
- cur_sainfo->id_i,
- cur_sainfo->remoteid);
- if (check && (!check->idsrc && !cur_sainfo->idsrc)) {
- yyerror("duplicated sainfo: %s",
- sainfo2str(cur_sainfo));
- return -1;
- }
- inssainfo(cur_sainfo);
- }
- EOC
- ;
-sainfo_name
- : ANONYMOUS
- {
- cur_sainfo->idsrc = NULL;
- cur_sainfo->iddst = NULL;
- }
- | ANONYMOUS sainfo_id
- {
- cur_sainfo->idsrc = NULL;
- cur_sainfo->iddst = $2;
- }
- | sainfo_id ANONYMOUS
- {
- cur_sainfo->idsrc = $1;
- cur_sainfo->iddst = NULL;
- }
- | sainfo_id sainfo_id
- {
- cur_sainfo->idsrc = $1;
- cur_sainfo->iddst = $2;
- }
- ;
-sainfo_id
- : IDENTIFIERTYPE ADDRSTRING prefix port ul_proto
- {
- char portbuf[10];
- struct sockaddr *saddr;
-
- if (($5 == IPPROTO_ICMP || $5 == IPPROTO_ICMPV6)
- && ($4 != IPSEC_PORT_ANY || $4 != IPSEC_PORT_ANY)) {
- yyerror("port number must be \"any\".");
- return -1;
- }
-
- snprintf(portbuf, sizeof(portbuf), "%lu", $4);
- saddr = str2saddr($2->v, portbuf);
- vfree($2);
- if (saddr == NULL)
- return -1;
-
- switch (saddr->sa_family) {
- case AF_INET:
- if ($5 == IPPROTO_ICMPV6) {
- yyerror("upper layer protocol mismatched.\n");
- racoon_free(saddr);
- return -1;
- }
- $$ = ipsecdoi_sockaddr2id(saddr,
- $3 == ~0 ? (sizeof(struct in_addr) << 3): $3,
- $5);
- break;
-#ifdef INET6
- case AF_INET6:
- if ($5 == IPPROTO_ICMP) {
- yyerror("upper layer protocol mismatched.\n");
- racoon_free(saddr);
- return -1;
- }
- $$ = ipsecdoi_sockaddr2id(saddr,
- $3 == ~0 ? (sizeof(struct in6_addr) << 3): $3,
- $5);
- break;
-#endif
- default:
- yyerror("invalid family: %d", saddr->sa_family);
- $$ = NULL;
- break;
- }
- racoon_free(saddr);
- if ($$ == NULL)
- return -1;
- }
- | IDENTIFIERTYPE ADDRSTRING ADDRRANGE prefix port ul_proto
- {
- char portbuf[10];
- struct sockaddr *laddr = NULL, *haddr = NULL;
- char *cur = NULL;
-
- if (($6 == IPPROTO_ICMP || $6 == IPPROTO_ICMPV6)
- && ($5 != IPSEC_PORT_ANY || $5 != IPSEC_PORT_ANY)) {
- yyerror("port number must be \"any\".");
- return -1;
- }
-
- snprintf(portbuf, sizeof(portbuf), "%lu", $5);
-
- laddr = str2saddr($2->v, portbuf);
- if (laddr == NULL) {
- return -1;
- }
- vfree($2);
- haddr = str2saddr($3->v, portbuf);
- if (haddr == NULL) {
- racoon_free(laddr);
- return -1;
- }
- vfree($3);
-
- switch (laddr->sa_family) {
- case AF_INET:
- if ($6 == IPPROTO_ICMPV6) {
- yyerror("upper layer protocol mismatched.\n");
- if (laddr)
- racoon_free(laddr);
- if (haddr)
- racoon_free(haddr);
- return -1;
- }
- $$ = ipsecdoi_sockrange2id(laddr, haddr,
- $6);
- break;
-#ifdef INET6
- case AF_INET6:
- if ($6 == IPPROTO_ICMP) {
- yyerror("upper layer protocol mismatched.\n");
- if (laddr)
- racoon_free(laddr);
- if (haddr)
- racoon_free(haddr);
- return -1;
- }
- $$ = ipsecdoi_sockrange2id(laddr, haddr,
- $6);
- break;
-#endif
- default:
- yyerror("invalid family: %d", laddr->sa_family);
- $$ = NULL;
- break;
- }
- if (laddr)
- racoon_free(laddr);
- if (haddr)
- racoon_free(haddr);
- if ($$ == NULL)
- return -1;
- }
- | IDENTIFIERTYPE QUOTEDSTRING
- {
- struct ipsecdoi_id_b *id_b;
-
- if ($1 == IDTYPE_ASN1DN) {
- yyerror("id type forbidden: %d", $1);
- $$ = NULL;
- return -1;
- }
-
- $2->l--;
-
- $$ = vmalloc(sizeof(*id_b) + $2->l);
- if ($$ == NULL) {
- yyerror("failed to allocate identifier");
- return -1;
- }
-
- id_b = (struct ipsecdoi_id_b *)$$->v;
- id_b->type = idtype2doi($1);
-
- id_b->proto_id = 0;
- id_b->port = 0;
-
- memcpy($$->v + sizeof(*id_b), $2->v, $2->l);
- }
- ;
-sainfo_param
- : /* nothing */
- {
- cur_sainfo->id_i = NULL;
- }
- | FROM IDENTIFIERTYPE identifierstring
- {
- struct ipsecdoi_id_b *id_b;
- vchar_t *idv;
-
- if (set_identifier(&idv, $2, $3) != 0) {
- yyerror("failed to set identifer.\n");
- return -1;
- }
- cur_sainfo->id_i = vmalloc(sizeof(*id_b) + idv->l);
- if (cur_sainfo->id_i == NULL) {
- yyerror("failed to allocate identifier");
- return -1;
- }
-
- id_b = (struct ipsecdoi_id_b *)cur_sainfo->id_i->v;
- id_b->type = idtype2doi($2);
-
- id_b->proto_id = 0;
- id_b->port = 0;
-
- memcpy(cur_sainfo->id_i->v + sizeof(*id_b),
- idv->v, idv->l);
- vfree(idv);
- }
- | GROUP QUOTEDSTRING
- {
-#ifdef ENABLE_HYBRID
- if ((cur_sainfo->group = vdup($2)) == NULL) {
- yyerror("failed to set sainfo xauth group.\n");
- return -1;
- }
-#else
- yyerror("racoon not configured with --enable-hybrid");
- return -1;
-#endif
- }
- ;
-sainfo_specs
- : /* nothing */
- | sainfo_specs sainfo_spec
- ;
-sainfo_spec
- : PFS_GROUP dh_group_num
- {
- cur_sainfo->pfs_group = $2;
- }
- EOS
- | REMOTEID NUMBER
- {
- cur_sainfo->remoteid = $2;
- }
- EOS
- | LIFETIME LIFETYPE_TIME NUMBER unittype_time
- {
- cur_sainfo->lifetime = $3 * $4;
- }
- EOS
- | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
- {
-#if 1
- yyerror("byte lifetime support is deprecated");
- return -1;
-#else
- cur_sainfo->lifebyte = fix_lifebyte($3 * $4);
- if (cur_sainfo->lifebyte == 0)
- return -1;
-#endif
- }
- EOS
- | ALGORITHM_CLASS {
- cur_algclass = $1;
- }
- algorithms EOS
- | IDENTIFIER IDENTIFIERTYPE
- {
- yyerror("it's deprecated to specify a identifier in phase 2");
- }
- EOS
- | MY_IDENTIFIER IDENTIFIERTYPE QUOTEDSTRING
- {
- yyerror("it's deprecated to specify a identifier in phase 2");
- }
- EOS
- ;
-
-algorithms
- : algorithm
- {
- inssainfoalg(&cur_sainfo->algs[cur_algclass], $1);
- }
- | algorithm
- {
- inssainfoalg(&cur_sainfo->algs[cur_algclass], $1);
- }
- COMMA algorithms
- ;
-algorithm
- : ALGORITHMTYPE keylength
- {
- int defklen;
-
- $$ = newsainfoalg();
- if ($$ == NULL) {
- yyerror("failed to get algorithm allocation");
- return -1;
- }
-
- $$->alg = algtype2doi(cur_algclass, $1);
- if ($$->alg == -1) {
- yyerror("algorithm mismatched");
- racoon_free($$);
- $$ = NULL;
- return -1;
- }
-
- defklen = default_keylen(cur_algclass, $1);
- if (defklen == 0) {
- if ($2) {
- yyerror("keylen not allowed");
- racoon_free($$);
- $$ = NULL;
- return -1;
- }
- } else {
- if ($2 && check_keylen(cur_algclass, $1, $2) < 0) {
- yyerror("invalid keylen %d", $2);
- racoon_free($$);
- $$ = NULL;
- return -1;
- }
- }
-
- if ($2)
- $$->encklen = $2;
- else
- $$->encklen = defklen;
-
- /* check if it's supported algorithm by kernel */
- if (!(cur_algclass == algclass_ipsec_auth && $1 == algtype_non_auth)
- && pk_checkalg(cur_algclass, $1, $$->encklen)) {
- int a = algclass2doi(cur_algclass);
- int b = algtype2doi(cur_algclass, $1);
- if (a == IPSECDOI_ATTR_AUTH)
- a = IPSECDOI_PROTO_IPSEC_AH;
- yyerror("algorithm %s not supported by the kernel (missing module?)",
- s_ipsecdoi_trns(a, b));
- racoon_free($$);
- $$ = NULL;
- return -1;
- }
- }
- ;
-prefix
- : /* nothing */ { $$ = ~0; }
- | PREFIX { $$ = $1; }
- ;
-port
- : /* nothing */ { $$ = IPSEC_PORT_ANY; }
- | PORT { $$ = $1; }
- | PORTANY { $$ = IPSEC_PORT_ANY; }
- ;
-ul_proto
- : NUMBER { $$ = $1; }
- | UL_PROTO { $$ = $1; }
- | ANY { $$ = IPSEC_ULPROTO_ANY; }
- ;
-keylength
- : /* nothing */ { $$ = 0; }
- | NUMBER { $$ = $1; }
- ;
-
- /* remote */
-remote_statement
- : REMOTE remote_index INHERIT remote_index
- {
- struct remoteconf *new;
- struct proposalspec *prspec;
-
- new = copyrmconf($4);
- if (new == NULL) {
- yyerror("failed to get remoteconf for %s.", saddr2str ($4));
- return -1;
- }
-
- new->remote = $2;
- new->inherited_from = getrmconf_strict($4, 1);
- new->proposal = NULL;
- new->prhead = NULL;
- cur_rmconf = new;
-
- prspec = newprspec();
- if (prspec == NULL || !cur_rmconf->inherited_from
- || !cur_rmconf->inherited_from->proposal)
- return -1;
- prspec->lifetime = cur_rmconf->inherited_from->proposal->lifetime;
- prspec->lifebyte = cur_rmconf->inherited_from->proposal->lifebyte;
- insprspec(prspec, &cur_rmconf->prhead);
- }
- remote_specs_block
- | REMOTE remote_index
- {
- struct remoteconf *new;
- struct proposalspec *prspec;
-
- new = newrmconf();
- if (new == NULL) {
- yyerror("failed to get new remoteconf.");
- return -1;
- }
-
- new->remote = $2;
- cur_rmconf = new;
-
- prspec = newprspec();
- if (prspec == NULL)
- return -1;
- prspec->lifetime = oakley_get_defaultlifetime();
- insprspec(prspec, &cur_rmconf->prhead);
- }
- remote_specs_block
- ;
-
-remote_specs_block
- : BOC remote_specs EOC
- {
- /* check a exchange mode */
- if (cur_rmconf->etypes == NULL) {
- yyerror("no exchange mode specified.\n");
- return -1;
- }
-
- if (cur_rmconf->idvtype == IDTYPE_UNDEFINED)
- cur_rmconf->idvtype = IDTYPE_ADDRESS;
-
-
- if (cur_rmconf->idvtype == IDTYPE_ASN1DN) {
- if (cur_rmconf->mycertfile) {
- if (cur_rmconf->idv)
- yywarn("Both CERT and ASN1 ID "
- "are set. Hope this is OK.\n");
- /* TODO: Preparse the DN here */
- } else if (cur_rmconf->idv) {
- /* OK, using asn1dn without X.509. */
- } else {
- yyerror("ASN1 ID not specified "
- "and no CERT defined!\n");
- return -1;
- }
- }
-
- if (cur_rmconf->prhead->spspec == NULL
- && cur_rmconf->inherited_from
- && cur_rmconf->inherited_from->prhead) {
- cur_rmconf->prhead->spspec = cur_rmconf->inherited_from->prhead->spspec;
- }
- if (set_isakmp_proposal(cur_rmconf, cur_rmconf->prhead) != 0)
- return -1;
-
- /* DH group settting if aggressive mode is there. */
- if (check_etypeok(cur_rmconf, ISAKMP_ETYPE_AGG) != NULL) {
- struct isakmpsa *p;
- int b = 0;
-
- /* DH group */
- for (p = cur_rmconf->proposal; p; p = p->next) {
- if (b == 0 || (b && b == p->dh_group)) {
- b = p->dh_group;
- continue;
- }
- yyerror("DH group must be equal "
- "in all proposals "
- "when aggressive mode is "
- "used.\n");
- return -1;
- }
- cur_rmconf->dh_group = b;
-
- if (cur_rmconf->dh_group == 0) {
- yyerror("DH group must be set in the proposal.\n");
- return -1;
- }
-
- /* DH group settting if PFS is required. */
- if (oakley_setdhgroup(cur_rmconf->dh_group,
- &cur_rmconf->dhgrp) < 0) {
- yyerror("failed to set DH value.\n");
- return -1;
- }
- }
-
- insrmconf(cur_rmconf);
- }
- ;
-remote_index
- : ANONYMOUS ike_port
- {
- $$ = newsaddr(sizeof(struct sockaddr));
- $$->sa_family = AF_UNSPEC;
- ((struct sockaddr_in *)$$)->sin_port = htons($2);
- }
- | ike_addrinfo_port
- {
- $$ = $1;
- if ($$ == NULL) {
- yyerror("failed to allocate sockaddr");
- return -1;
- }
- }
- ;
-remote_specs
- : /* nothing */
- | remote_specs remote_spec
- ;
-remote_spec
- : EXCHANGE_MODE
- {
- cur_rmconf->etypes = NULL;
- }
- exchange_types EOS
- | DOI DOITYPE { cur_rmconf->doitype = $2; } EOS
- | SITUATION SITUATIONTYPE { cur_rmconf->sittype = $2; } EOS
- | CERTIFICATE_TYPE cert_spec
- | PEERS_CERTFILE QUOTEDSTRING
- {
- yywarn("This directive without certtype will be removed!\n");
- yywarn("Please use 'peers_certfile x509 \"%s\";' instead\n", $2->v);
- cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
-
- if (cur_rmconf->peerscertfile != NULL)
- racoon_free(cur_rmconf->peerscertfile);
- cur_rmconf->peerscertfile = racoon_strdup($2->v);
- STRDUP_FATAL(cur_rmconf->peerscertfile);
- vfree($2);
- }
- EOS
- | CA_TYPE CERT_X509 QUOTEDSTRING
- {
- cur_rmconf->cacerttype = $2;
- cur_rmconf->getcacert_method = ISAKMP_GETCERT_LOCALFILE;
- if (cur_rmconf->cacertfile != NULL)
- racoon_free(cur_rmconf->cacertfile);
- cur_rmconf->cacertfile = racoon_strdup($3->v);
- STRDUP_FATAL(cur_rmconf->cacertfile);
- vfree($3);
- }
- EOS
- | PEERS_CERTFILE CERT_X509 QUOTEDSTRING
- {
- cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
- if (cur_rmconf->peerscertfile != NULL)
- racoon_free(cur_rmconf->peerscertfile);
- cur_rmconf->peerscertfile = racoon_strdup($3->v);
- STRDUP_FATAL(cur_rmconf->peerscertfile);
- vfree($3);
- }
- EOS
- | PEERS_CERTFILE CERT_PLAINRSA QUOTEDSTRING
- {
- char path[MAXPATHLEN];
- int ret = 0;
-
- getpathname(path, sizeof(path),
- LC_PATHTYPE_CERT, $3->v);
- vfree($3);
-
- if (cur_rmconf->getcert_method == ISAKMP_GETCERT_DNS) {
- yyerror("Different peers_certfile method "
- "already defined: %d!\n",
- cur_rmconf->getcert_method);
- return -1;
- }
- cur_rmconf->getcert_method = ISAKMP_GETCERT_LOCALFILE;
- if (rsa_parse_file(cur_rmconf->rsa_public, path, RSA_TYPE_PUBLIC)) {
- yyerror("Couldn't parse keyfile.\n", path);
- return -1;
- }
- plog(LLV_DEBUG, LOCATION, NULL, "Public PlainRSA keyfile parsed: %s\n", path);
- }
- EOS
- | PEERS_CERTFILE DNSSEC
- {
- if (cur_rmconf->getcert_method) {
- yyerror("Different peers_certfile method already defined!\n");
- return -1;
- }
- cur_rmconf->getcert_method = ISAKMP_GETCERT_DNS;
- cur_rmconf->peerscertfile = NULL;
- }
- EOS
- | VERIFY_CERT SWITCH { cur_rmconf->verify_cert = $2; } EOS
- | SEND_CERT SWITCH { cur_rmconf->send_cert = $2; } EOS
- | SEND_CR SWITCH { cur_rmconf->send_cr = $2; } EOS
- | MY_IDENTIFIER IDENTIFIERTYPE identifierstring
- {
- if (set_identifier(&cur_rmconf->idv, $2, $3) != 0) {
- yyerror("failed to set identifer.\n");
- return -1;
- }
- cur_rmconf->idvtype = $2;
- }
- EOS
- | MY_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring
- {
- if (set_identifier_qual(&cur_rmconf->idv, $2, $4, $3) != 0) {
- yyerror("failed to set identifer.\n");
- return -1;
- }
- cur_rmconf->idvtype = $2;
- }
- EOS
- | XAUTH_LOGIN identifierstring
- {
-#ifdef ENABLE_HYBRID
- /* formerly identifier type login */
- if (xauth_rmconf_used(&cur_rmconf->xauth) == -1) {
- yyerror("failed to allocate xauth state\n");
- return -1;
- }
- if ((cur_rmconf->xauth->login = vdup($2)) == NULL) {
- yyerror("failed to set identifer.\n");
- return -1;
- }
-#else
- yyerror("racoon not configured with --enable-hybrid");
-#endif
- }
- EOS
- | PEERS_IDENTIFIER IDENTIFIERTYPE identifierstring
- {
- struct idspec *id;
- id = newidspec();
- if (id == NULL) {
- yyerror("failed to allocate idspec");
- return -1;
- }
- if (set_identifier(&id->id, $2, $3) != 0) {
- yyerror("failed to set identifer.\n");
- racoon_free(id);
- return -1;
- }
- id->idtype = $2;
- genlist_append (cur_rmconf->idvl_p, id);
- }
- EOS
- | PEERS_IDENTIFIER IDENTIFIERTYPE IDENTIFIERQUAL identifierstring
- {
- struct idspec *id;
- id = newidspec();
- if (id == NULL) {
- yyerror("failed to allocate idspec");
- return -1;
- }
- if (set_identifier_qual(&id->id, $2, $4, $3) != 0) {
- yyerror("failed to set identifer.\n");
- racoon_free(id);
- return -1;
- }
- id->idtype = $2;
- genlist_append (cur_rmconf->idvl_p, id);
- }
- EOS
- | VERIFY_IDENTIFIER SWITCH { cur_rmconf->verify_identifier = $2; } EOS
- | NONCE_SIZE NUMBER { cur_rmconf->nonce_size = $2; } EOS
- | DH_GROUP
- {
- yyerror("dh_group cannot be defined here.");
- return -1;
- }
- dh_group_num EOS
- | PASSIVE SWITCH { cur_rmconf->passive = $2; } EOS
- | IKE_FRAG SWITCH { cur_rmconf->ike_frag = $2; } EOS
- | IKE_FRAG REMOTE_FORCE_LEVEL { cur_rmconf->ike_frag = ISAKMP_FRAG_FORCE; } EOS
- | ESP_FRAG NUMBER {
-#ifdef SADB_X_EXT_NAT_T_FRAG
- if (libipsec_opt & LIBIPSEC_OPT_FRAG)
- cur_rmconf->esp_frag = $2;
- else
- yywarn("libipsec lacks IKE frag support");
-#else
- yywarn("Your kernel does not support esp_frag");
-#endif
- } EOS
- | SCRIPT QUOTEDSTRING PHASE1_UP {
- if (cur_rmconf->script[SCRIPT_PHASE1_UP] != NULL)
- vfree(cur_rmconf->script[SCRIPT_PHASE1_UP]);
-
- cur_rmconf->script[SCRIPT_PHASE1_UP] =
- script_path_add(vdup($2));
- } EOS
- | SCRIPT QUOTEDSTRING PHASE1_DOWN {
- if (cur_rmconf->script[SCRIPT_PHASE1_DOWN] != NULL)
- vfree(cur_rmconf->script[SCRIPT_PHASE1_DOWN]);
-
- cur_rmconf->script[SCRIPT_PHASE1_DOWN] =
- script_path_add(vdup($2));
- } EOS
- | MODE_CFG SWITCH { cur_rmconf->mode_cfg = $2; } EOS
- | WEAK_PHASE1_CHECK SWITCH {
- cur_rmconf->weak_phase1_check = $2;
- } EOS
- | GENERATE_POLICY SWITCH { cur_rmconf->gen_policy = $2; } EOS
- | GENERATE_POLICY GENERATE_LEVEL { cur_rmconf->gen_policy = $2; } EOS
- | SUPPORT_PROXY SWITCH { cur_rmconf->support_proxy = $2; } EOS
- | INITIAL_CONTACT SWITCH { cur_rmconf->ini_contact = $2; } EOS
- | NAT_TRAVERSAL SWITCH
- {
-#ifdef ENABLE_NATT
- if (libipsec_opt & LIBIPSEC_OPT_NATT)
- cur_rmconf->nat_traversal = $2;
- else
- yyerror("libipsec lacks NAT-T support");
-#else
- yyerror("NAT-T support not compiled in.");
-#endif
- } EOS
- | NAT_TRAVERSAL REMOTE_FORCE_LEVEL
- {
-#ifdef ENABLE_NATT
- if (libipsec_opt & LIBIPSEC_OPT_NATT)
- cur_rmconf->nat_traversal = NATT_FORCE;
- else
- yyerror("libipsec lacks NAT-T support");
-#else
- yyerror("NAT-T support not compiled in.");
-#endif
- } EOS
- | DPD SWITCH
- {
-#ifdef ENABLE_DPD
- cur_rmconf->dpd = $2;
-#else
- yyerror("DPD support not compiled in.");
-#endif
- } EOS
- | DPD_DELAY NUMBER
- {
-#ifdef ENABLE_DPD
- cur_rmconf->dpd_interval = $2;
-#else
- yyerror("DPD support not compiled in.");
-#endif
- }
- EOS
- | DPD_RETRY NUMBER
- {
-#ifdef ENABLE_DPD
- cur_rmconf->dpd_retry = $2;
-#else
- yyerror("DPD support not compiled in.");
-#endif
- }
- EOS
- | DPD_MAXFAIL NUMBER
- {
-#ifdef ENABLE_DPD
- cur_rmconf->dpd_maxfails = $2;
-#else
- yyerror("DPD support not compiled in.");
-#endif
- }
- EOS
- | PH1ID NUMBER
- {
- cur_rmconf->ph1id = $2;
- }
- EOS
- | LIFETIME LIFETYPE_TIME NUMBER unittype_time
- {
- cur_rmconf->prhead->lifetime = $3 * $4;
- }
- EOS
- | PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL { cur_rmconf->pcheck_level = $2; } EOS
- | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
- {
-#if 1
- yyerror("byte lifetime support is deprecated in Phase1");
- return -1;
-#else
- yywarn("the lifetime of bytes in phase 1 "
- "will be ignored at the moment.");
- cur_rmconf->prhead->lifebyte = fix_lifebyte($3 * $4);
- if (cur_rmconf->prhead->lifebyte == 0)
- return -1;
-#endif
- }
- EOS
- | PROPOSAL
- {
- struct secprotospec *spspec;
-
- spspec = newspspec();
- if (spspec == NULL)
- return -1;
- insspspec(spspec, &cur_rmconf->prhead);
- }
- BOC isakmpproposal_specs EOC
- ;
-exchange_types
- : /* nothing */
- | exchange_types EXCHANGETYPE
- {
- struct etypes *new;
- new = racoon_malloc(sizeof(struct etypes));
- if (new == NULL) {
- yyerror("failed to allocate etypes");
- return -1;
- }
- new->type = $2;
- new->next = NULL;
- if (cur_rmconf->etypes == NULL)
- cur_rmconf->etypes = new;
- else {
- struct etypes *p;
- for (p = cur_rmconf->etypes;
- p->next != NULL;
- p = p->next)
- ;
- p->next = new;
- }
- }
- ;
-cert_spec
- : CERT_X509 QUOTEDSTRING QUOTEDSTRING
- {
- cur_rmconf->certtype = $1;
- if (cur_rmconf->mycertfile != NULL)
- racoon_free(cur_rmconf->mycertfile);
- cur_rmconf->mycertfile = racoon_strdup($2->v);
- STRDUP_FATAL(cur_rmconf->mycertfile);
- vfree($2);
- if (cur_rmconf->myprivfile != NULL)
- racoon_free(cur_rmconf->myprivfile);
- cur_rmconf->myprivfile = racoon_strdup($3->v);
- STRDUP_FATAL(cur_rmconf->myprivfile);
- vfree($3);
- }
- EOS
- | CERT_PLAINRSA QUOTEDSTRING
- {
- char path[MAXPATHLEN];
- int ret = 0;
-
- getpathname(path, sizeof(path),
- LC_PATHTYPE_CERT, $2->v);
- vfree($2);
-
- cur_rmconf->certtype = $1;
- cur_rmconf->send_cr = FALSE;
- cur_rmconf->send_cert = FALSE;
- cur_rmconf->verify_cert = FALSE;
- if (rsa_parse_file(cur_rmconf->rsa_private, path, RSA_TYPE_PRIVATE)) {
- yyerror("Couldn't parse keyfile.\n", path);
- return -1;
- }
- plog(LLV_DEBUG, LOCATION, NULL, "Private PlainRSA keyfile parsed: %s\n", path);
- }
- EOS
- ;
-dh_group_num
- : ALGORITHMTYPE
- {
- $$ = algtype2doi(algclass_isakmp_dh, $1);
- if ($$ == -1) {
- yyerror("must be DH group");
- return -1;
- }
- }
- | NUMBER
- {
- if (ARRAYLEN(num2dhgroup) > $1 && num2dhgroup[$1] != 0) {
- $$ = num2dhgroup[$1];
- } else {
- yyerror("must be DH group");
- $$ = 0;
- return -1;
- }
- }
- ;
-identifierstring
- : /* nothing */ { $$ = NULL; }
- | ADDRSTRING { $$ = $1; }
- | QUOTEDSTRING { $$ = $1; }
- ;
-isakmpproposal_specs
- : /* nothing */
- | isakmpproposal_specs isakmpproposal_spec
- ;
-isakmpproposal_spec
- : STRENGTH
- {
- yyerror("strength directive is obsoleted.");
- } STRENGTHTYPE EOS
- | LIFETIME LIFETYPE_TIME NUMBER unittype_time
- {
- cur_rmconf->prhead->spspec->lifetime = $3 * $4;
- }
- EOS
- | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
- {
-#if 1
- yyerror("byte lifetime support is deprecated");
- return -1;
-#else
- cur_rmconf->prhead->spspec->lifebyte = fix_lifebyte($3 * $4);
- if (cur_rmconf->prhead->spspec->lifebyte == 0)
- return -1;
-#endif
- }
- EOS
- | DH_GROUP dh_group_num
- {
- cur_rmconf->prhead->spspec->algclass[algclass_isakmp_dh] = $2;
- }
- EOS
- | GSS_ID QUOTEDSTRING
- {
- if (cur_rmconf->prhead->spspec->vendorid != VENDORID_GSSAPI) {
- yyerror("wrong Vendor ID for gssapi_id");
- return -1;
- }
- if (cur_rmconf->prhead->spspec->gssid != NULL)
- racoon_free(cur_rmconf->prhead->spspec->gssid);
- cur_rmconf->prhead->spspec->gssid =
- racoon_strdup($2->v);
- STRDUP_FATAL(cur_rmconf->prhead->spspec->gssid);
- }
- EOS
- | ALGORITHM_CLASS ALGORITHMTYPE keylength
- {
- int doi;
- int defklen;
-
- doi = algtype2doi($1, $2);
- if (doi == -1) {
- yyerror("algorithm mismatched 1");
- return -1;
- }
-
- switch ($1) {
- case algclass_isakmp_enc:
- /* reject suppressed algorithms */
-#ifndef HAVE_OPENSSL_RC5_H
- if ($2 == algtype_rc5) {
- yyerror("algorithm %s not supported",
- s_attr_isakmp_enc(doi));
- return -1;
- }
-#endif
-#ifndef HAVE_OPENSSL_IDEA_H
- if ($2 == algtype_idea) {
- yyerror("algorithm %s not supported",
- s_attr_isakmp_enc(doi));
- return -1;
- }
-#endif
-
- cur_rmconf->prhead->spspec->algclass[algclass_isakmp_enc] = doi;
- defklen = default_keylen($1, $2);
- if (defklen == 0) {
- if ($3) {
- yyerror("keylen not allowed");
- return -1;
- }
- } else {
- if ($3 && check_keylen($1, $2, $3) < 0) {
- yyerror("invalid keylen %d", $3);
- return -1;
- }
- }
- if ($3)
- cur_rmconf->prhead->spspec->encklen = $3;
- else
- cur_rmconf->prhead->spspec->encklen = defklen;
- break;
- case algclass_isakmp_hash:
- cur_rmconf->prhead->spspec->algclass[algclass_isakmp_hash] = doi;
- break;
- case algclass_isakmp_ameth:
- cur_rmconf->prhead->spspec->algclass[algclass_isakmp_ameth] = doi;
- /*
- * We may have to set the Vendor ID for the
- * authentication method we're using.
- */
- switch ($2) {
- case algtype_gssapikrb:
- if (cur_rmconf->prhead->spspec->vendorid !=
- VENDORID_UNKNOWN) {
- yyerror("Vendor ID mismatch "
- "for auth method");
- return -1;
- }
- /*
- * For interoperability with Win2k,
- * we set the Vendor ID to "GSSAPI".
- */
- cur_rmconf->prhead->spspec->vendorid =
- VENDORID_GSSAPI;
- break;
- case algtype_rsasig:
- if (cur_rmconf->certtype == ISAKMP_CERT_PLAINRSA) {
- if (rsa_list_count(cur_rmconf->rsa_private) == 0) {
- yyerror ("Private PlainRSA key not set. "
- "Use directive 'certificate_type plainrsa ...'\n");
- return -1;
- }
- if (rsa_list_count(cur_rmconf->rsa_public) == 0) {
- yyerror ("Public PlainRSA keys not set. "
- "Use directive 'peers_certfile plainrsa ...'\n");
- return -1;
- }
- }
- break;
- default:
- break;
- }
- break;
- default:
- yyerror("algorithm mismatched 2");
- return -1;
- }
- }
- EOS
- ;
-
-unittype_time
- : UNITTYPE_SEC { $$ = 1; }
- | UNITTYPE_MIN { $$ = 60; }
- | UNITTYPE_HOUR { $$ = (60 * 60); }
- ;
-unittype_byte
- : UNITTYPE_BYTE { $$ = 1; }
- | UNITTYPE_KBYTES { $$ = 1024; }
- | UNITTYPE_MBYTES { $$ = (1024 * 1024); }
- | UNITTYPE_TBYTES { $$ = (1024 * 1024 * 1024); }
- ;
-%%
-
-static struct proposalspec *
-newprspec()
-{
- struct proposalspec *new;
-
- new = racoon_calloc(1, sizeof(*new));
- if (new == NULL)
- yyerror("failed to allocate proposal");
-
- return new;
-}
-
-/*
- * insert into head of list.
- */
-static void
-insprspec(prspec, head)
- struct proposalspec *prspec;
- struct proposalspec **head;
-{
- if (*head != NULL)
- (*head)->prev = prspec;
- prspec->next = *head;
- *head = prspec;
-}
-
-static struct secprotospec *
-newspspec()
-{
- struct secprotospec *new;
-
- new = racoon_calloc(1, sizeof(*new));
- if (new == NULL) {
- yyerror("failed to allocate spproto");
- return NULL;
- }
-
- new->encklen = 0; /*XXX*/
-
- /*
- * Default to "uknown" vendor -- we will override this
- * as necessary. When we send a Vendor ID payload, an
- * "unknown" will be translated to a KAME/racoon ID.
- */
- new->vendorid = VENDORID_UNKNOWN;
-
- return new;
-}
-
-/*
- * insert into head of list.
- */
-static void
-insspspec(spspec, head)
- struct secprotospec *spspec;
- struct proposalspec **head;
-{
- spspec->back = *head;
-
- if ((*head)->spspec != NULL)
- (*head)->spspec->prev = spspec;
- spspec->next = (*head)->spspec;
- (*head)->spspec = spspec;
-}
-
-/* set final acceptable proposal */
-static int
-set_isakmp_proposal(rmconf, prspec)
- struct remoteconf *rmconf;
- struct proposalspec *prspec;
-{
- struct proposalspec *p;
- struct secprotospec *s;
- int prop_no = 1;
- int trns_no = 1;
- int32_t types[MAXALGCLASS];
-
- p = prspec;
- if (p->next != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "multiple proposal definition.\n");
- return -1;
- }
-
- /* mandatory check */
- if (p->spspec == NULL) {
- yyerror("no remote specification found: %s.\n",
- saddr2str(rmconf->remote));
- return -1;
- }
- for (s = p->spspec; s != NULL; s = s->next) {
- /* XXX need more to check */
- if (s->algclass[algclass_isakmp_enc] == 0) {
- yyerror("encryption algorithm required.");
- return -1;
- }
- if (s->algclass[algclass_isakmp_hash] == 0) {
- yyerror("hash algorithm required.");
- return -1;
- }
- if (s->algclass[algclass_isakmp_dh] == 0) {
- yyerror("DH group required.");
- return -1;
- }
- if (s->algclass[algclass_isakmp_ameth] == 0) {
- yyerror("authentication method required.");
- return -1;
- }
- }
-
- /* skip to last part */
- for (s = p->spspec; s->next != NULL; s = s->next)
- ;
-
- while (s != NULL) {
- plog(LLV_DEBUG2, LOCATION, NULL,
- "lifetime = %ld\n", (long)
- (s->lifetime ? s->lifetime : p->lifetime));
- plog(LLV_DEBUG2, LOCATION, NULL,
- "lifebyte = %d\n",
- s->lifebyte ? s->lifebyte : p->lifebyte);
- plog(LLV_DEBUG2, LOCATION, NULL,
- "encklen=%d\n", s->encklen);
-
- memset(types, 0, ARRAYLEN(types));
- types[algclass_isakmp_enc] = s->algclass[algclass_isakmp_enc];
- types[algclass_isakmp_hash] = s->algclass[algclass_isakmp_hash];
- types[algclass_isakmp_dh] = s->algclass[algclass_isakmp_dh];
- types[algclass_isakmp_ameth] =
- s->algclass[algclass_isakmp_ameth];
-
- /* expanding spspec */
- clean_tmpalgtype();
- trns_no = expand_isakmpspec(prop_no, trns_no, types,
- algclass_isakmp_enc, algclass_isakmp_ameth + 1,
- s->lifetime ? s->lifetime : p->lifetime,
- s->lifebyte ? s->lifebyte : p->lifebyte,
- s->encklen, s->vendorid, s->gssid,
- rmconf);
- if (trns_no == -1) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to expand isakmp proposal.\n");
- return -1;
- }
-
- s = s->prev;
- }
-
- if (rmconf->proposal == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "no proposal found.\n");
- return -1;
- }
-
- return 0;
-}
-
-static void
-clean_tmpalgtype()
-{
- int i;
- for (i = 0; i < MAXALGCLASS; i++)
- tmpalgtype[i] = 0; /* means algorithm undefined. */
-}
-
-static int
-expand_isakmpspec(prop_no, trns_no, types,
- class, last, lifetime, lifebyte, encklen, vendorid, gssid,
- rmconf)
- int prop_no, trns_no;
- int *types, class, last;
- time_t lifetime;
- int lifebyte;
- int encklen;
- int vendorid;
- char *gssid;
- struct remoteconf *rmconf;
-{
- struct isakmpsa *new;
-
- /* debugging */
- {
- int j;
- char tb[10];
- plog(LLV_DEBUG2, LOCATION, NULL,
- "p:%d t:%d\n", prop_no, trns_no);
- for (j = class; j < MAXALGCLASS; j++) {
- snprintf(tb, sizeof(tb), "%d", types[j]);
- plog(LLV_DEBUG2, LOCATION, NULL,
- "%s%s%s%s\n",
- s_algtype(j, types[j]),
- types[j] ? "(" : "",
- tb[0] == '0' ? "" : tb,
- types[j] ? ")" : "");
- }
- plog(LLV_DEBUG2, LOCATION, NULL, "\n");
- }
-
-#define TMPALGTYPE2STR(n) \
- s_algtype(algclass_isakmp_##n, types[algclass_isakmp_##n])
- /* check mandatory values */
- if (types[algclass_isakmp_enc] == 0
- || types[algclass_isakmp_ameth] == 0
- || types[algclass_isakmp_hash] == 0
- || types[algclass_isakmp_dh] == 0) {
- yyerror("few definition of algorithm "
- "enc=%s ameth=%s hash=%s dhgroup=%s.\n",
- TMPALGTYPE2STR(enc),
- TMPALGTYPE2STR(ameth),
- TMPALGTYPE2STR(hash),
- TMPALGTYPE2STR(dh));
- return -1;
- }
-#undef TMPALGTYPE2STR
-
- /* set new sa */
- new = newisakmpsa();
- if (new == NULL) {
- yyerror("failed to allocate isakmp sa");
- return -1;
- }
- new->prop_no = prop_no;
- new->trns_no = trns_no++;
- new->lifetime = lifetime;
- new->lifebyte = lifebyte;
- new->enctype = types[algclass_isakmp_enc];
- new->encklen = encklen;
- new->authmethod = types[algclass_isakmp_ameth];
- new->hashtype = types[algclass_isakmp_hash];
- new->dh_group = types[algclass_isakmp_dh];
- new->vendorid = vendorid;
-#ifdef HAVE_GSSAPI
- if (new->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
- if (gssid != NULL) {
- if ((new->gssid = vmalloc(strlen(gssid))) == NULL) {
- racoon_free(new);
- yyerror("failed to allocate gssid");
- return -1;
- }
- memcpy(new->gssid->v, gssid, new->gssid->l);
- racoon_free(gssid);
-#ifdef ENABLE_HYBRID
- } else if (rmconf->xauth == NULL) {
-#else
- } else {
-#endif
- /*
- * Allocate the default ID so that it gets put
- * into a GSS ID attribute during the Phase 1
- * exchange.
- */
- new->gssid = gssapi_get_default_gss_id();
- }
- }
-#endif
- insisakmpsa(new, rmconf);
-
- return trns_no;
-}
-
-static int
-listen_addr (struct sockaddr *addr, int udp_encap)
-{
- struct myaddrs *p;
-
- p = newmyaddr();
- if (p == NULL) {
- yyerror("failed to allocate myaddrs");
- return -1;
- }
- p->addr = addr;
- if (p->addr == NULL) {
- yyerror("failed to copy sockaddr ");
- delmyaddr(p);
- return -1;
- }
- p->udp_encap = udp_encap;
-
- insmyaddr(p, &lcconf->myaddrs);
-
- lcconf->autograbaddr = 0;
- return 0;
-}
-
-#if 0
-/*
- * fix lifebyte.
- * Must be more than 1024B because its unit is kilobytes.
- * That is defined RFC2407.
- */
-static int
-fix_lifebyte(t)
- unsigned long t;
-{
- if (t < 1024) {
- yyerror("byte size should be more than 1024B.");
- return 0;
- }
-
- return(t / 1024);
-}
-#endif
-
-int
-cfparse()
-{
- int error;
-
- yycf_init_buffer();
-
- if (yycf_switch_buffer(lcconf->racoon_conf) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "could not read configuration file \"%s\"\n",
- lcconf->racoon_conf);
- return -1;
- }
-
- error = yyparse();
- if (error != 0) {
- if (yyerrorcount) {
- plog(LLV_ERROR, LOCATION, NULL,
- "fatal parse failure (%d errors)\n",
- yyerrorcount);
- } else {
- plog(LLV_ERROR, LOCATION, NULL,
- "fatal parse failure.\n");
- }
- return -1;
- }
-
- if (error == 0 && yyerrorcount) {
- plog(LLV_ERROR, LOCATION, NULL,
- "parse error is nothing, but yyerrorcount is %d.\n",
- yyerrorcount);
- exit(1);
- }
-
- yycf_clean_buffer();
-
- plog(LLV_DEBUG2, LOCATION, NULL, "parse successed.\n");
-
- return 0;
-}
-
-int
-cfreparse()
-{
- flushph2();
- flushph1();
- flushrmconf();
- flushsainfo();
- clean_tmpalgtype();
- return(cfparse());
-}
-
-#ifdef ENABLE_ADMINPORT
-static void
-adminsock_conf(path, owner, group, mode_dec)
- vchar_t *path;
- vchar_t *owner;
- vchar_t *group;
- int mode_dec;
-{
- struct passwd *pw = NULL;
- struct group *gr = NULL;
- mode_t mode = 0;
- uid_t uid;
- gid_t gid;
- int isnum;
-
- adminsock_path = path->v;
-
- if (owner == NULL)
- return;
-
- errno = 0;
- uid = atoi(owner->v);
- isnum = !errno;
- if (((pw = getpwnam(owner->v)) == NULL) && !isnum)
- yyerror("User \"%s\" does not exist", owner->v);
-
- if (pw)
- adminsock_owner = pw->pw_uid;
- else
- adminsock_owner = uid;
-
- if (group == NULL)
- return;
-
- errno = 0;
- gid = atoi(group->v);
- isnum = !errno;
- if (((gr = getgrnam(group->v)) == NULL) && !isnum)
- yyerror("Group \"%s\" does not exist", group->v);
-
- if (gr)
- adminsock_group = gr->gr_gid;
- else
- adminsock_group = gid;
-
- if (mode_dec == -1)
- return;
-
- if (mode_dec > 777)
- yyerror("Mode 0%03o is invalid", mode_dec);
- if (mode_dec >= 400) { mode += 0400; mode_dec -= 400; }
- if (mode_dec >= 200) { mode += 0200; mode_dec -= 200; }
- if (mode_dec >= 100) { mode += 0200; mode_dec -= 100; }
-
- if (mode_dec > 77)
- yyerror("Mode 0%03o is invalid", mode_dec);
- if (mode_dec >= 40) { mode += 040; mode_dec -= 40; }
- if (mode_dec >= 20) { mode += 020; mode_dec -= 20; }
- if (mode_dec >= 10) { mode += 020; mode_dec -= 10; }
-
- if (mode_dec > 7)
- yyerror("Mode 0%03o is invalid", mode_dec);
- if (mode_dec >= 4) { mode += 04; mode_dec -= 4; }
- if (mode_dec >= 2) { mode += 02; mode_dec -= 2; }
- if (mode_dec >= 1) { mode += 02; mode_dec -= 1; }
-
- adminsock_mode = mode;
-
- return;
-}
-#endif
diff --git a/src/racoon/cfparse_proto.h b/src/racoon/cfparse_proto.h
deleted file mode 100644
index 139520c..0000000
--- a/src/racoon/cfparse_proto.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/* $NetBSD: cfparse_proto.h,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* Id: cfparse_proto.h,v 1.3 2004/06/11 16:00:15 ludvigm Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _CFPARSE_PROTO_H
-#define _CFPARSE_PROTO_H
-
-/* cfparse.y */
-extern int yyparse __P((void));
-extern int cfparse __P((void));
-extern int cfreparse __P((void));
-
-#endif /* _CFPARSE_PROTO_H */
diff --git a/src/racoon/cftoken.l b/src/racoon/cftoken.l
deleted file mode 100644
index 9950d49..0000000
--- a/src/racoon/cftoken.l
+++ /dev/null
@@ -1,795 +0,0 @@
-/* $NetBSD: cftoken.l,v 1.11.4.2 2007/09/03 18:07:29 mgrooms Exp $ */
-
-/* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */
-
-%{
-/*
- * Copyright (C) 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 and 2003 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include PATH_IPSEC_H
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#include <limits.h>
-#include <ctype.h>
-#include <glob.h>
-#ifdef HAVE_STDARG_H
-#include <stdarg.h>
-#else
-#include <varargs.h>
-#endif
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "debug.h"
-
-#include "algorithm.h"
-#include "cfparse_proto.h"
-#include "cftoken_proto.h"
-#include "localconf.h"
-#include "oakley.h"
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "ipsec_doi.h"
-#include "policy.h"
-#include "proposal.h"
-#include "remoteconf.h"
-#ifdef GC
-#include "gcmalloc.h"
-#endif
-
-#include "cfparse.h"
-
-int yyerrorcount = 0;
-
-#if defined(YIPS_DEBUG)
-# define YYDB plog(LLV_DEBUG2, LOCATION, NULL, \
- "begin <%d>%s\n", yy_start, yytext);
-# define YYD { \
- plog(LLV_DEBUG2, LOCATION, NULL, "<%d>%s", \
- yy_start, loglevel >= LLV_DEBUG2 ? "\n" : ""); \
-}
-#else
-# define YYDB
-# define YYD
-#endif /* defined(YIPS_DEBUG) */
-
-#define MAX_INCLUDE_DEPTH 10
-
-static struct include_stack {
- char *path;
- FILE *fp;
- YY_BUFFER_STATE prevstate;
- int lineno;
- glob_t matches;
- int matchon;
-} incstack[MAX_INCLUDE_DEPTH];
-static int incstackp = 0;
-
-static int yy_first_time = 1;
-%}
-
-/* common seciton */
-nl \n
-ws [ \t]+
-digit [0-9]
-letter [A-Za-z]
-hexdigit [0-9A-Fa-f]
-/*octet (([01]?{digit}?{digit})|((2([0-4]{digit}))|(25[0-5]))) */
-special [()+\|\?\*]
-comma \,
-dot \.
-slash \/
-bcl \{
-ecl \}
-blcl \[
-elcl \]
-hyphen \-
-percent \%
-semi \;
-comment \#.*
-ccomment "/*"
-bracketstring \<[^>]*\>
-quotedstring \"[^"]*\"
-addrstring [a-fA-F0-9:]([a-fA-F0-9:\.]*|[a-fA-F0-9:\.]*%[a-zA-Z0-9]*)
-decstring {digit}+
-hexstring 0x{hexdigit}+
-
-%s S_INI S_PRIV S_PTH S_INF S_LOG S_PAD S_LST S_RTRY S_CFG S_LDAP
-%s S_ALGST S_ALGCL
-%s S_SAINF S_SAINFS
-%s S_RMT S_RMTS S_RMTP
-%s S_SA
-%s S_GSSENC
-
-%%
-%{
- if (yy_first_time) {
- BEGIN S_INI;
- yy_first_time = 0;
- }
-%}
-
- /* privsep */
-<S_INI>privsep { BEGIN S_PRIV; YYDB; return(PRIVSEP); }
-<S_PRIV>{bcl} { return(BOC); }
-<S_PRIV>user { YYD; return(USER); }
-<S_PRIV>group { YYD; return(GROUP); }
-<S_PRIV>chroot { YYD; return(CHROOT); }
-<S_PRIV>{ecl} { BEGIN S_INI; return(EOC); }
-
- /* path */
-<S_INI>path { BEGIN S_PTH; YYDB; return(PATH); }
-<S_PTH>include { YYD; yylval.num = LC_PATHTYPE_INCLUDE;
- return(PATHTYPE); }
-<S_PTH>pre_shared_key { YYD; yylval.num = LC_PATHTYPE_PSK;
- return(PATHTYPE); }
-<S_PTH>certificate { YYD; yylval.num = LC_PATHTYPE_CERT;
- return(PATHTYPE); }
-<S_PTH>script { YYD; yylval.num = LC_PATHTYPE_SCRIPT;
- return(PATHTYPE); }
-<S_PTH>backupsa { YYD; yylval.num = LC_PATHTYPE_BACKUPSA;
- return(PATHTYPE); }
-<S_PTH>pidfile { YYD; yylval.num = LC_PATHTYPE_PIDFILE;
- return(PATHTYPE); }
-<S_PTH>{semi} { BEGIN S_INI; YYDB; return(EOS); }
-
- /* include */
-<S_INI>include { YYDB; return(INCLUDE); }
-
- /* self information */
-<S_INI>identifier { BEGIN S_INF; YYDB; yywarn("it is obsoleted. use \"my_identifier\" in each remote directives."); return(IDENTIFIER); }
-<S_INF>{semi} { BEGIN S_INI; return(EOS); }
-
- /* special */
-<S_INI>complex_bundle { YYDB; return(COMPLEX_BUNDLE); }
-
- /* logging */
-<S_INI>log { BEGIN S_LOG; YYDB; return(LOGGING); }
-<S_LOG>error { YYD; yylval.num = LLV_ERROR; return(LOGLEV); }
-<S_LOG>warning { YYD; yylval.num = LLV_WARNING; return(LOGLEV); }
-<S_LOG>notify { YYD; yylval.num = LLV_NOTIFY; return(LOGLEV); }
-<S_LOG>info { YYD; yylval.num = LLV_INFO; return(LOGLEV); }
-<S_LOG>debug { YYD; yylval.num = LLV_DEBUG; return(LOGLEV); }
-<S_LOG>debug2 { YYD; yylval.num = LLV_DEBUG2; return(LOGLEV); }
-<S_LOG>debug3 { YYD; yywarn("it is obsoleted. use \"debug2\""); yylval.num = LLV_DEBUG2; return(LOGLEV); }
-<S_LOG>debug4 { YYD; yywarn("it is obsoleted. use \"debug2\""); yylval.num = LLV_DEBUG2; return(LOGLEV); }
-<S_LOG>{semi} { BEGIN S_INI; return(EOS); }
-
- /* padding */
-<S_INI>padding { BEGIN S_PAD; YYDB; return(PADDING); }
-<S_PAD>{bcl} { return(BOC); }
-<S_PAD>randomize { YYD; return(PAD_RANDOMIZE); }
-<S_PAD>randomize_length { YYD; return(PAD_RANDOMIZELEN); }
-<S_PAD>maximum_length { YYD; return(PAD_MAXLEN); }
-<S_PAD>strict_check { YYD; return(PAD_STRICT); }
-<S_PAD>exclusive_tail { YYD; return(PAD_EXCLTAIL); }
-<S_PAD>{ecl} { BEGIN S_INI; return(EOC); }
-
- /* listen */
-<S_INI>listen { BEGIN S_LST; YYDB; return(LISTEN); }
-<S_LST>{bcl} { return(BOC); }
-<S_LST>isakmp { YYD; return(X_ISAKMP); }
-<S_LST>isakmp_natt { YYD; return(X_ISAKMP_NATT); }
-<S_LST>admin { YYD; return(X_ADMIN); }
-<S_LST>adminsock { YYD; return(ADMINSOCK); }
-<S_LST>disabled { YYD; return(DISABLED); }
-<S_LST>strict_address { YYD; return(STRICT_ADDRESS); }
-<S_LST>{ecl} { BEGIN S_INI; return(EOC); }
-
- /* ldap config */
-<S_INI>ldapcfg { BEGIN S_LDAP; YYDB; return(LDAPCFG); }
-<S_LDAP>{bcl} { return(BOC); }
-<S_LDAP>version { YYD; return(LDAP_PVER); }
-<S_LDAP>host { YYD; return(LDAP_HOST); }
-<S_LDAP>port { YYD; return(LDAP_PORT); }
-<S_LDAP>base { YYD; return(LDAP_BASE); }
-<S_LDAP>subtree { YYD; return(LDAP_SUBTREE); }
-<S_LDAP>bind_dn { YYD; return(LDAP_BIND_DN); }
-<S_LDAP>bind_pw { YYD; return(LDAP_BIND_PW); }
-<S_LDAP>attr_user { YYD; return(LDAP_ATTR_USER); }
-<S_LDAP>attr_addr { YYD; return(LDAP_ATTR_ADDR); }
-<S_LDAP>attr_mask { YYD; return(LDAP_ATTR_MASK); }
-<S_LDAP>attr_group { YYD; return(LDAP_ATTR_GROUP); }
-<S_LDAP>attr_member { YYD; return(LDAP_ATTR_MEMBER); }
-<S_LDAP>{ecl} { BEGIN S_INI; return(EOC); }
-
- /* mode_cfg */
-<S_INI>mode_cfg { BEGIN S_CFG; YYDB; return(MODECFG); }
-<S_CFG>{bcl} { return(BOC); }
-<S_CFG>network4 { YYD; return(CFG_NET4); }
-<S_CFG>netmask4 { YYD; return(CFG_MASK4); }
-<S_CFG>dns4 { YYD; return(CFG_DNS4); }
-<S_CFG>nbns4 { YYD; return(CFG_NBNS4); }
-<S_CFG>wins4 { YYD; return(CFG_NBNS4); }
-<S_CFG>default_domain { YYD; return(CFG_DEFAULT_DOMAIN); }
-<S_CFG>auth_source { YYD; return(CFG_AUTH_SOURCE); }
-<S_CFG>auth_groups { YYD; return(CFG_AUTH_GROUPS); }
-<S_CFG>group_source { YYD; return(CFG_GROUP_SOURCE); }
-<S_CFG>conf_source { YYD; return(CFG_CONF_SOURCE); }
-<S_CFG>accounting { YYD; return(CFG_ACCOUNTING); }
-<S_CFG>system { YYD; return(CFG_SYSTEM); }
-<S_CFG>local { YYD; return(CFG_LOCAL); }
-<S_CFG>none { YYD; return(CFG_NONE); }
-<S_CFG>radius { YYD; return(CFG_RADIUS); }
-<S_CFG>pam { YYD; return(CFG_PAM); }
-<S_CFG>ldap { YYD; return(CFG_LDAP); }
-<S_CFG>pool_size { YYD; return(CFG_POOL_SIZE); }
-<S_CFG>banner { YYD; return(CFG_MOTD); }
-<S_CFG>auth_throttle { YYD; return(CFG_AUTH_THROTTLE); }
-<S_CFG>split_network { YYD; return(CFG_SPLIT_NETWORK); }
-<S_CFG>local_lan { YYD; return(CFG_SPLIT_LOCAL); }
-<S_CFG>include { YYD; return(CFG_SPLIT_INCLUDE); }
-<S_CFG>split_dns { YYD; return(CFG_SPLIT_DNS); }
-<S_CFG>pfs_group { YYD; return(CFG_PFS_GROUP); }
-<S_CFG>save_passwd { YYD; return(CFG_SAVE_PASSWD); }
-<S_CFG>{comma} { YYD; return(COMMA); }
-<S_CFG>{ecl} { BEGIN S_INI; return(EOC); }
-
- /* timer */
-<S_INI>timer { BEGIN S_RTRY; YYDB; return(RETRY); }
-<S_RTRY>{bcl} { return(BOC); }
-<S_RTRY>counter { YYD; return(RETRY_COUNTER); }
-<S_RTRY>interval { YYD; return(RETRY_INTERVAL); }
-<S_RTRY>persend { YYD; return(RETRY_PERSEND); }
-<S_RTRY>phase1 { YYD; return(RETRY_PHASE1); }
-<S_RTRY>phase2 { YYD; return(RETRY_PHASE2); }
-<S_RTRY>natt_keepalive { YYD; return(NATT_KA); }
-<S_RTRY>{ecl} { BEGIN S_INI; return(EOC); }
-
- /* sainfo */
-<S_INI>sainfo { BEGIN S_SAINF; YYDB; return(SAINFO); }
-<S_SAINF>anonymous { YYD; return(ANONYMOUS); }
-<S_SAINF>{blcl}any{elcl} { YYD; return(PORTANY); }
-<S_SAINF>any { YYD; return(ANY); }
-<S_SAINF>from { YYD; return(FROM); }
-<S_SAINF>group { YYD; return(GROUP); }
- /* sainfo spec */
-<S_SAINF>{bcl} { BEGIN S_SAINFS; return(BOC); }
-<S_SAINF>{semi} { BEGIN S_INI; return(EOS); }
-<S_SAINFS>{ecl} { BEGIN S_INI; return(EOC); }
-<S_SAINFS>pfs_group { YYD; return(PFS_GROUP); }
-<S_SAINFS>remoteid { YYD; return(REMOTEID); }
-<S_SAINFS>identifier { YYD; yywarn("it is obsoleted. use \"my_identifier\"."); return(IDENTIFIER); }
-<S_SAINFS>my_identifier { YYD; return(MY_IDENTIFIER); }
-<S_SAINFS>lifetime { YYD; return(LIFETIME); }
-<S_SAINFS>time { YYD; return(LIFETYPE_TIME); }
-<S_SAINFS>byte { YYD; return(LIFETYPE_BYTE); }
-<S_SAINFS>encryption_algorithm { YYD; yylval.num = algclass_ipsec_enc; return(ALGORITHM_CLASS); }
-<S_SAINFS>authentication_algorithm { YYD; yylval.num = algclass_ipsec_auth; return(ALGORITHM_CLASS); }
-<S_SAINFS>compression_algorithm { YYD; yylval.num = algclass_ipsec_comp; return(ALGORITHM_CLASS); }
-<S_SAINFS>{comma} { YYD; return(COMMA); }
-
- /* remote */
-<S_INI>remote { BEGIN S_RMT; YYDB; return(REMOTE); }
-<S_RMT>anonymous { YYD; return(ANONYMOUS); }
-<S_RMT>inherit { YYD; return(INHERIT); }
- /* remote spec */
-<S_RMT>{bcl} { BEGIN S_RMTS; return(BOC); }
-<S_RMTS>{ecl} { BEGIN S_INI; return(EOC); }
-<S_RMTS>exchange_mode { YYD; return(EXCHANGE_MODE); }
-<S_RMTS>{comma} { YYD; /* XXX ignored, but to be handled. */ ; }
-<S_RMTS>base { YYD; yylval.num = ISAKMP_ETYPE_BASE; return(EXCHANGETYPE); }
-<S_RMTS>main { YYD; yylval.num = ISAKMP_ETYPE_IDENT; return(EXCHANGETYPE); }
-<S_RMTS>aggressive { YYD; yylval.num = ISAKMP_ETYPE_AGG; return(EXCHANGETYPE); }
-<S_RMTS>doi { YYD; return(DOI); }
-<S_RMTS>ipsec_doi { YYD; yylval.num = IPSEC_DOI; return(DOITYPE); }
-<S_RMTS>situation { YYD; return(SITUATION); }
-<S_RMTS>identity_only { YYD; yylval.num = IPSECDOI_SIT_IDENTITY_ONLY; return(SITUATIONTYPE); }
-<S_RMTS>secrecy { YYD; yylval.num = IPSECDOI_SIT_SECRECY; return(SITUATIONTYPE); }
-<S_RMTS>integrity { YYD; yylval.num = IPSECDOI_SIT_INTEGRITY; return(SITUATIONTYPE); }
-<S_RMTS>identifier { YYD; yywarn("it is obsoleted. use \"my_identifier\"."); return(IDENTIFIER); }
-<S_RMTS>my_identifier { YYD; return(MY_IDENTIFIER); }
-<S_RMTS>xauth_login { YYD; return(XAUTH_LOGIN); /* formerly identifier type login */ }
-<S_RMTS>peers_identifier { YYD; return(PEERS_IDENTIFIER); }
-<S_RMTS>verify_identifier { YYD; return(VERIFY_IDENTIFIER); }
-<S_RMTS>certificate_type { YYD; return(CERTIFICATE_TYPE); }
-<S_RMTS>ca_type { YYD; return(CA_TYPE); }
-<S_RMTS>x509 { YYD; yylval.num = ISAKMP_CERT_X509SIGN; return(CERT_X509); }
-<S_RMTS>plain_rsa { YYD; yylval.num = ISAKMP_CERT_PLAINRSA; return(CERT_PLAINRSA); }
-<S_RMTS>peers_certfile { YYD; return(PEERS_CERTFILE); }
-<S_RMTS>dnssec { YYD; return(DNSSEC); }
-<S_RMTS>verify_cert { YYD; return(VERIFY_CERT); }
-<S_RMTS>send_cert { YYD; return(SEND_CERT); }
-<S_RMTS>send_cr { YYD; return(SEND_CR); }
-<S_RMTS>dh_group { YYD; return(DH_GROUP); }
-<S_RMTS>nonce_size { YYD; return(NONCE_SIZE); }
-<S_RMTS>generate_policy { YYD; return(GENERATE_POLICY); }
-<S_RMTS>unique { YYD; yylval.num = GENERATE_POLICY_UNIQUE; return(GENERATE_LEVEL); }
-<S_RMTS>require { YYD; yylval.num = GENERATE_POLICY_REQUIRE; return(GENERATE_LEVEL); }
-<S_RMTS>support_mip6 { YYD; yywarn("it is obsoleted. use \"support_proxy\"."); return(SUPPORT_PROXY); }
-<S_RMTS>support_proxy { YYD; return(SUPPORT_PROXY); }
-<S_RMTS>initial_contact { YYD; return(INITIAL_CONTACT); }
-<S_RMTS>nat_traversal { YYD; return(NAT_TRAVERSAL); }
-<S_RMTS>force { YYD; return(REMOTE_FORCE_LEVEL); }
-<S_RMTS>proposal_check { YYD; return(PROPOSAL_CHECK); }
-<S_RMTS>obey { YYD; yylval.num = PROP_CHECK_OBEY; return(PROPOSAL_CHECK_LEVEL); }
-<S_RMTS>strict { YYD; yylval.num = PROP_CHECK_STRICT; return(PROPOSAL_CHECK_LEVEL); }
-<S_RMTS>exact { YYD; yylval.num = PROP_CHECK_EXACT; return(PROPOSAL_CHECK_LEVEL); }
-<S_RMTS>claim { YYD; yylval.num = PROP_CHECK_CLAIM; return(PROPOSAL_CHECK_LEVEL); }
-<S_RMTS>keepalive { YYD; return(KEEPALIVE); }
-<S_RMTS>passive { YYD; return(PASSIVE); }
-<S_RMTS>lifetime { YYD; return(LIFETIME); }
-<S_RMTS>time { YYD; return(LIFETYPE_TIME); }
-<S_RMTS>byte { YYD; return(LIFETYPE_BYTE); }
-<S_RMTS>dpd { YYD; return(DPD); }
-<S_RMTS>dpd_delay { YYD; return(DPD_DELAY); }
-<S_RMTS>dpd_retry { YYD; return(DPD_RETRY); }
-<S_RMTS>dpd_maxfail { YYD; return(DPD_MAXFAIL); }
-<S_RMTS>ph1id { YYD; return(PH1ID); }
-<S_RMTS>ike_frag { YYD; return(IKE_FRAG); }
-<S_RMTS>esp_frag { YYD; return(ESP_FRAG); }
-<S_RMTS>script { YYD; return(SCRIPT); }
-<S_RMTS>phase1_up { YYD; return(PHASE1_UP); }
-<S_RMTS>phase1_down { YYD; return(PHASE1_DOWN); }
-<S_RMTS>mode_cfg { YYD; return(MODE_CFG); }
-<S_RMTS>weak_phase1_check { YYD; return(WEAK_PHASE1_CHECK); }
- /* remote proposal */
-<S_RMTS>proposal { BEGIN S_RMTP; YYDB; return(PROPOSAL); }
-<S_RMTP>{bcl} { return(BOC); }
-<S_RMTP>{ecl} { BEGIN S_RMTS; return(EOC); }
-<S_RMTP>lifetime { YYD; return(LIFETIME); }
-<S_RMTP>time { YYD; return(LIFETYPE_TIME); }
-<S_RMTP>byte { YYD; return(LIFETYPE_BYTE); }
-<S_RMTP>encryption_algorithm { YYD; yylval.num = algclass_isakmp_enc; return(ALGORITHM_CLASS); }
-<S_RMTP>authentication_method { YYD; yylval.num = algclass_isakmp_ameth; return(ALGORITHM_CLASS); }
-<S_RMTP>hash_algorithm { YYD; yylval.num = algclass_isakmp_hash; return(ALGORITHM_CLASS); }
-<S_RMTP>dh_group { YYD; return(DH_GROUP); }
-<S_RMTP>gss_id { YYD; return(GSS_ID); }
-<S_RMTP>gssapi_id { YYD; return(GSS_ID); } /* for back compatibility */
-
- /* GSS ID encoding type (global) */
-<S_INI>gss_id_enc { BEGIN S_GSSENC; YYDB; return(GSS_ID_ENC); }
-<S_GSSENC>latin1 { YYD; yylval.num = LC_GSSENC_LATIN1;
- return(GSS_ID_ENCTYPE); }
-<S_GSSENC>utf-16le { YYD; yylval.num = LC_GSSENC_UTF16LE;
- return(GSS_ID_ENCTYPE); }
-<S_GSSENC>{semi} { BEGIN S_INI; YYDB; return(EOS); }
-
- /* parameter */
-on { YYD; yylval.num = TRUE; return(SWITCH); }
-off { YYD; yylval.num = FALSE; return(SWITCH); }
-
- /* prefix */
-{slash}{digit}{1,3} {
- YYD;
- yytext++;
- yylval.num = atoi(yytext);
- return(PREFIX);
- }
-
- /* port number */
-{blcl}{decstring}{elcl} {
- char *p = yytext;
- YYD;
- while (*++p != ']') ;
- *p = 0;
- yytext++;
- yylval.num = atoi(yytext);
- return(PORT);
- }
-
- /* address range */
-{hyphen}{addrstring} {
- YYD;
- yytext++;
- yylval.val = vmalloc(yyleng + 1);
- if (yylval.val == NULL) {
- yyerror("vmalloc failed");
- return -1;
- }
- memcpy(yylval.val->v, yytext, yylval.val->l);
- return(ADDRRANGE);
- }
-
- /* upper protocol */
-esp { YYD; yylval.num = IPPROTO_ESP; return(UL_PROTO); }
-ah { YYD; yylval.num = IPPROTO_AH; return(UL_PROTO); }
-ipcomp { YYD; yylval.num = IPPROTO_IPCOMP; return(UL_PROTO); }
-icmp { YYD; yylval.num = IPPROTO_ICMP; return(UL_PROTO); }
-icmp6 { YYD; yylval.num = IPPROTO_ICMPV6; return(UL_PROTO); }
-tcp { YYD; yylval.num = IPPROTO_TCP; return(UL_PROTO); }
-udp { YYD; yylval.num = IPPROTO_UDP; return(UL_PROTO); }
-
- /* algorithm type */
-des_iv64 { YYD; yylval.num = algtype_des_iv64; return(ALGORITHMTYPE); }
-des { YYD; yylval.num = algtype_des; return(ALGORITHMTYPE); }
-3des { YYD; yylval.num = algtype_3des; return(ALGORITHMTYPE); }
-rc5 { YYD; yylval.num = algtype_rc5; return(ALGORITHMTYPE); }
-idea { YYD; yylval.num = algtype_idea; return(ALGORITHMTYPE); }
-cast128 { YYD; yylval.num = algtype_cast128; return(ALGORITHMTYPE); }
-blowfish { YYD; yylval.num = algtype_blowfish; return(ALGORITHMTYPE); }
-3idea { YYD; yylval.num = algtype_3idea; return(ALGORITHMTYPE); }
-des_iv32 { YYD; yylval.num = algtype_des_iv32; return(ALGORITHMTYPE); }
-rc4 { YYD; yylval.num = algtype_rc4; return(ALGORITHMTYPE); }
-null_enc { YYD; yylval.num = algtype_null_enc; return(ALGORITHMTYPE); }
-null { YYD; yylval.num = algtype_null_enc; return(ALGORITHMTYPE); }
-aes { YYD; yylval.num = algtype_aes; return(ALGORITHMTYPE); }
-rijndael { YYD; yylval.num = algtype_aes; return(ALGORITHMTYPE); }
-twofish { YYD; yylval.num = algtype_twofish; return(ALGORITHMTYPE); }
-camellia { YYD; yylval.num = algtype_camellia; return(ALGORITHMTYPE); }
-non_auth { YYD; yylval.num = algtype_non_auth; return(ALGORITHMTYPE); }
-hmac_md5 { YYD; yylval.num = algtype_hmac_md5; return(ALGORITHMTYPE); }
-hmac_sha1 { YYD; yylval.num = algtype_hmac_sha1; return(ALGORITHMTYPE); }
-hmac_sha2_256 { YYD; yylval.num = algtype_hmac_sha2_256; return(ALGORITHMTYPE); }
-hmac_sha256 { YYD; yylval.num = algtype_hmac_sha2_256; return(ALGORITHMTYPE); }
-hmac_sha2_384 { YYD; yylval.num = algtype_hmac_sha2_384; return(ALGORITHMTYPE); }
-hmac_sha384 { YYD; yylval.num = algtype_hmac_sha2_384; return(ALGORITHMTYPE); }
-hmac_sha2_512 { YYD; yylval.num = algtype_hmac_sha2_512; return(ALGORITHMTYPE); }
-hmac_sha512 { YYD; yylval.num = algtype_hmac_sha2_512; return(ALGORITHMTYPE); }
-des_mac { YYD; yylval.num = algtype_des_mac; return(ALGORITHMTYPE); }
-kpdk { YYD; yylval.num = algtype_kpdk; return(ALGORITHMTYPE); }
-md5 { YYD; yylval.num = algtype_md5; return(ALGORITHMTYPE); }
-sha1 { YYD; yylval.num = algtype_sha1; return(ALGORITHMTYPE); }
-tiger { YYD; yylval.num = algtype_tiger; return(ALGORITHMTYPE); }
-sha2_256 { YYD; yylval.num = algtype_sha2_256; return(ALGORITHMTYPE); }
-sha256 { YYD; yylval.num = algtype_sha2_256; return(ALGORITHMTYPE); }
-sha2_384 { YYD; yylval.num = algtype_sha2_384; return(ALGORITHMTYPE); }
-sha384 { YYD; yylval.num = algtype_sha2_384; return(ALGORITHMTYPE); }
-sha2_512 { YYD; yylval.num = algtype_sha2_512; return(ALGORITHMTYPE); }
-sha512 { YYD; yylval.num = algtype_sha2_512; return(ALGORITHMTYPE); }
-oui { YYD; yylval.num = algtype_oui; return(ALGORITHMTYPE); }
-deflate { YYD; yylval.num = algtype_deflate; return(ALGORITHMTYPE); }
-lzs { YYD; yylval.num = algtype_lzs; return(ALGORITHMTYPE); }
-modp768 { YYD; yylval.num = algtype_modp768; return(ALGORITHMTYPE); }
-modp1024 { YYD; yylval.num = algtype_modp1024; return(ALGORITHMTYPE); }
-modp1536 { YYD; yylval.num = algtype_modp1536; return(ALGORITHMTYPE); }
-ec2n155 { YYD; yylval.num = algtype_ec2n155; return(ALGORITHMTYPE); }
-ec2n185 { YYD; yylval.num = algtype_ec2n185; return(ALGORITHMTYPE); }
-modp2048 { YYD; yylval.num = algtype_modp2048; return(ALGORITHMTYPE); }
-modp3072 { YYD; yylval.num = algtype_modp3072; return(ALGORITHMTYPE); }
-modp4096 { YYD; yylval.num = algtype_modp4096; return(ALGORITHMTYPE); }
-modp6144 { YYD; yylval.num = algtype_modp6144; return(ALGORITHMTYPE); }
-modp8192 { YYD; yylval.num = algtype_modp8192; return(ALGORITHMTYPE); }
-pre_shared_key { YYD; yylval.num = algtype_psk; return(ALGORITHMTYPE); }
-rsasig { YYD; yylval.num = algtype_rsasig; return(ALGORITHMTYPE); }
-dsssig { YYD; yylval.num = algtype_dsssig; return(ALGORITHMTYPE); }
-rsaenc { YYD; yylval.num = algtype_rsaenc; return(ALGORITHMTYPE); }
-rsarev { YYD; yylval.num = algtype_rsarev; return(ALGORITHMTYPE); }
-gssapi_krb { YYD; yylval.num = algtype_gssapikrb; return(ALGORITHMTYPE); }
-hybrid_rsa_server {
-#ifdef ENABLE_HYBRID
- YYD; yylval.num = algtype_hybrid_rsa_s; return(ALGORITHMTYPE);
-#else
- yyerror("racoon not configured with --enable-hybrid");
-#endif
-}
-hybrid_dss_server {
-#ifdef ENABLE_HYBRID
- YYD; yylval.num = algtype_hybrid_dss_s; return(ALGORITHMTYPE);
-#else
- yyerror("racoon not configured with --enable-hybrid");
-#endif
-}
-hybrid_rsa_client {
-#ifdef ENABLE_HYBRID
- YYD; yylval.num = algtype_hybrid_rsa_c; return(ALGORITHMTYPE);
-#else
- yyerror("racoon not configured with --enable-hybrid");
-#endif
-}
-hybrid_dss_client {
-#ifdef ENABLE_HYBRID
- YYD; yylval.num = algtype_hybrid_dss_c; return(ALGORITHMTYPE);
-#else
- yyerror("racoon not configured with --enable-hybrid");
-#endif
-}
-xauth_psk_server {
-#ifdef ENABLE_HYBRID
- YYD; yylval.num = algtype_xauth_psk_s; return(ALGORITHMTYPE);
-#else
- yyerror("racoon not configured with --enable-hybrid");
-#endif
-}
-xauth_psk_client {
-#ifdef ENABLE_HYBRID
- YYD; yylval.num = algtype_xauth_psk_c; return(ALGORITHMTYPE);
-#else
- yyerror("racoon not configured with --enable-hybrid");
-#endif
-}
-xauth_rsa_server {
-#ifdef ENABLE_HYBRID
- YYD; yylval.num = algtype_xauth_rsa_s; return(ALGORITHMTYPE);
-#else
- yyerror("racoon not configured with --enable-hybrid");
-#endif
-}
-xauth_rsa_client {
-#ifdef ENABLE_HYBRID
- YYD; yylval.num = algtype_xauth_rsa_c; return(ALGORITHMTYPE);
-#else
- yyerror("racoon not configured with --enable-hybrid");
-#endif
-}
-
-
- /* identifier type */
-vendor_id { YYD; yywarn("it is obsoleted."); return(VENDORID); }
-user_fqdn { YYD; yylval.num = IDTYPE_USERFQDN; return(IDENTIFIERTYPE); }
-fqdn { YYD; yylval.num = IDTYPE_FQDN; return(IDENTIFIERTYPE); }
-keyid { YYD; yylval.num = IDTYPE_KEYID; return(IDENTIFIERTYPE); }
-address { YYD; yylval.num = IDTYPE_ADDRESS; return(IDENTIFIERTYPE); }
-subnet { YYD; yylval.num = IDTYPE_SUBNET; return(IDENTIFIERTYPE); }
-asn1dn { YYD; yylval.num = IDTYPE_ASN1DN; return(IDENTIFIERTYPE); }
-certname { YYD; yywarn("certname will be obsoleted in near future."); yylval.num = IDTYPE_ASN1DN; return(IDENTIFIERTYPE); }
-
- /* identifier qualifier */
-tag { YYD; yylval.num = IDQUAL_TAG; return(IDENTIFIERQUAL); }
-file { YYD; yylval.num = IDQUAL_FILE; return(IDENTIFIERQUAL); }
-
- /* units */
-B|byte|bytes { YYD; return(UNITTYPE_BYTE); }
-KB { YYD; return(UNITTYPE_KBYTES); }
-MB { YYD; return(UNITTYPE_MBYTES); }
-TB { YYD; return(UNITTYPE_TBYTES); }
-sec|secs|second|seconds { YYD; return(UNITTYPE_SEC); }
-min|mins|minute|minutes { YYD; return(UNITTYPE_MIN); }
-hour|hours { YYD; return(UNITTYPE_HOUR); }
-
- /* boolean */
-yes { YYD; yylval.num = TRUE; return(BOOLEAN); }
-no { YYD; yylval.num = FALSE; return(BOOLEAN); }
-
-{decstring} {
- char *bp;
-
- YYD;
- yylval.num = strtol(yytext, &bp, 10);
- return(NUMBER);
- }
-
-{hexstring} {
- char *p;
-
- YYD;
- yylval.val = vmalloc(yyleng + (yyleng & 1) + 1);
- if (yylval.val == NULL) {
- yyerror("vmalloc failed");
- return -1;
- }
-
- p = yylval.val->v;
- *p++ = '0';
- *p++ = 'x';
-
- /* fixed string if length is odd. */
- if (yyleng & 1)
- *p++ = '0';
- memcpy(p, &yytext[2], yyleng - 1);
-
- return(HEXSTRING);
- }
-
-{quotedstring} {
- char *p = yytext;
-
- YYD;
- while (*++p != '"') ;
- *p = '\0';
-
- yylval.val = vmalloc(yyleng - 1);
- if (yylval.val == NULL) {
- yyerror("vmalloc failed");
- return -1;
- }
- memcpy(yylval.val->v, &yytext[1], yylval.val->l);
-
- return(QUOTEDSTRING);
- }
-
-{addrstring} {
- YYD;
-
- yylval.val = vmalloc(yyleng + 1);
- if (yylval.val == NULL) {
- yyerror("vmalloc failed");
- return -1;
- }
- memcpy(yylval.val->v, yytext, yylval.val->l);
-
- return(ADDRSTRING);
- }
-
-<<EOF>> {
- yy_delete_buffer(YY_CURRENT_BUFFER);
- incstackp--;
- nextfile:
- if (incstack[incstackp].matchon <
- incstack[incstackp].matches.gl_pathc) {
- char* filepath = incstack[incstackp].matches.gl_pathv[incstack[incstackp].matchon];
- incstack[incstackp].matchon++;
- incstackp++;
- if (yycf_set_buffer(filepath) != 0) {
- incstackp--;
- goto nextfile;
- }
- yy_switch_to_buffer(yy_create_buffer(yyin, YY_BUF_SIZE));
- BEGIN(S_INI);
- } else {
- globfree(&incstack[incstackp].matches);
- if (incstackp == 0)
- yyterminate();
- else
- yy_switch_to_buffer(incstack[incstackp].prevstate);
- }
- }
-
- /* ... */
-{ws} { ; }
-{nl} { incstack[incstackp].lineno++; }
-{comment} { YYD; }
-{semi} { return(EOS); }
-. { yymore(); }
-
-%%
-
-void
-yyerror(char *s, ...)
-{
- char fmt[512];
-
- va_list ap;
-#ifdef HAVE_STDARG_H
- va_start(ap, s);
-#else
- va_start(ap);
-#endif
- snprintf(fmt, sizeof(fmt), "%s:%d: \"%s\" %s\n",
- incstack[incstackp].path, incstack[incstackp].lineno,
- yytext, s);
- plogv(LLV_ERROR, LOCATION, NULL, fmt, ap);
- va_end(ap);
-
- yyerrorcount++;
-}
-
-void
-yywarn(char *s, ...)
-{
- char fmt[512];
-
- va_list ap;
-#ifdef HAVE_STDARG_H
- va_start(ap, s);
-#else
- va_start(ap);
-#endif
- snprintf(fmt, sizeof(fmt), "%s:%d: \"%s\" %s\n",
- incstack[incstackp].path, incstack[incstackp].lineno,
- yytext, s);
- plogv(LLV_WARNING, LOCATION, NULL, fmt, ap);
- va_end(ap);
-}
-
-int
-yycf_switch_buffer(path)
- char *path;
-{
- char *filepath = NULL;
-
- /* got the include file name */
- if (incstackp >= MAX_INCLUDE_DEPTH) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Includes nested too deeply");
- return -1;
- }
-
- if (glob(path, GLOB_TILDE, NULL, &incstack[incstackp].matches) != 0 ||
- incstack[incstackp].matches.gl_pathc == 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "glob found no matches for path \"%s\"\n", path);
- return -1;
- }
- incstack[incstackp].matchon = 0;
- incstack[incstackp].prevstate = YY_CURRENT_BUFFER;
-
- nextmatch:
- if (incstack[incstackp].matchon >= incstack[incstackp].matches.gl_pathc)
- return -1;
- filepath =
- incstack[incstackp].matches.gl_pathv[incstack[incstackp].matchon];
- incstack[incstackp].matchon++;
- incstackp++;
-
- if (yycf_set_buffer(filepath) != 0) {
- incstackp--;
- goto nextmatch;
- }
-
- yy_switch_to_buffer(yy_create_buffer(yyin, YY_BUF_SIZE));
-
- BEGIN(S_INI);
-
- return 0;
-}
-
-int
-yycf_set_buffer(path)
- char *path;
-{
- yyin = fopen(path, "r");
- if (yyin == NULL) {
- fprintf(stderr, "failed to open file %s (%s)\n",
- path, strerror(errno));
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to open file %s (%s)\n",
- path, strerror(errno));
- return -1;
- }
-
- /* initialize */
- incstack[incstackp].fp = yyin;
- if (incstack[incstackp].path != NULL)
- racoon_free(incstack[incstackp].path);
- incstack[incstackp].path = racoon_strdup(path);
- STRDUP_FATAL(incstack[incstackp].path);
- incstack[incstackp].lineno = 1;
- plog(LLV_DEBUG, LOCATION, NULL,
- "reading config file %s\n", path);
-
- return 0;
-}
-
-void
-yycf_init_buffer()
-{
- int i;
-
- for (i = 0; i < MAX_INCLUDE_DEPTH; i++)
- memset(&incstack[i], 0, sizeof(incstack[i]));
- incstackp = 0;
-}
-
-void
-yycf_clean_buffer()
-{
- int i;
-
- for (i = 0; i < MAX_INCLUDE_DEPTH; i++) {
- if (incstack[i].path != NULL) {
- fclose(incstack[i].fp);
- racoon_free(incstack[i].path);
- incstack[i].path = NULL;
- }
- }
-}
-
diff --git a/src/racoon/cftoken_proto.h b/src/racoon/cftoken_proto.h
deleted file mode 100644
index 41cb939..0000000
--- a/src/racoon/cftoken_proto.h
+++ /dev/null
@@ -1,48 +0,0 @@
-/* $NetBSD: cftoken_proto.h,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* Id: cftoken_proto.h,v 1.3 2004/06/11 16:00:15 ludvigm Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _CFTOKEN_PROTO_H
-#define _CFTOKEN_PROTO_H
-
-extern int yyerrorcount;
-
-extern int yylex __P((void));
-extern void yyerror __P((char *, ...));
-extern void yywarn __P((char *, ...));
-
-extern int yycf_switch_buffer __P((char *));
-extern int yycf_set_buffer __P((char *));
-extern void yycf_init_buffer __P((void));
-extern void yycf_clean_buffer __P((void));
-
-#endif /* _CFTOKEN_PROTO_H */
diff --git a/src/racoon/contrib/sp.pl b/src/racoon/contrib/sp.pl
deleted file mode 100644
index d1f9caf..0000000
--- a/src/racoon/contrib/sp.pl
+++ /dev/null
@@ -1,21 +0,0 @@
-#! /usr/pkg/bin/perl
-
-die "insufficient arguments" if (scalar(@ARGV) < 2);
-$src = $ARGV[0];
-$dst = $ARGV[1];
-$mode = 'transport';
-if (scalar(@ARGV) > 2) {
- $mode = $ARGV[2];
-}
-
-open(OUT, "|setkey -c");
-if ($mode eq 'transport') {
- print STDERR "install esp transport mode: $src -> $dst\n";
- print OUT "spdadd $src $dst any -P out ipsec esp/transport//require;\n";
- print OUT "spdadd $dst $src any -P in ipsec esp/transport//require;\n";
-} elsif ($mode eq 'delete') {
- print STDERR "delete policy: $src -> $dst\n";
- print OUT "spddelete $src $dst any -P out;\n";
- print OUT "spddelete $dst $src any -P in;\n";
-}
-close(OUT);
diff --git a/src/racoon/crypto_openssl.c b/src/racoon/crypto_openssl.c
deleted file mode 100644
index b34b6dd..0000000
--- a/src/racoon/crypto_openssl.c
+++ /dev/null
@@ -1,2852 +0,0 @@
-/* $NetBSD: crypto_openssl.c,v 1.11.6.6 2009/04/29 10:50:25 tteras Exp $ */
-
-/* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <limits.h>
-#include <string.h>
-
-/* get openssl/ssleay version number */
-#include <openssl/opensslv.h>
-
-#if !defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x0090602fL)
-#error OpenSSL version 0.9.6 or later required.
-#endif
-
-#include <openssl/pem.h>
-#include <openssl/evp.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-#include <openssl/x509_vfy.h>
-#include <openssl/bn.h>
-#include <openssl/dh.h>
-#include <openssl/md5.h>
-#include <openssl/sha.h>
-#include <openssl/hmac.h>
-#include <openssl/des.h>
-#include <openssl/crypto.h>
-#ifdef HAVE_OPENSSL_ENGINE_H
-#include <openssl/engine.h>
-#endif
-#ifndef ANDROID_CHANGES
-#include <openssl/blowfish.h>
-#include <openssl/cast.h>
-#else
-#define EVP_bf_cbc() NULL
-#define EVP_cast5_cbc() NULL
-#endif
-#include <openssl/err.h>
-#ifdef HAVE_OPENSSL_RC5_H
-#include <openssl/rc5.h>
-#endif
-#ifdef HAVE_OPENSSL_IDEA_H
-#include <openssl/idea.h>
-#endif
-#if defined(HAVE_OPENSSL_AES_H)
-#include <openssl/aes.h>
-#elif defined(HAVE_OPENSSL_RIJNDAEL_H)
-#include <openssl/rijndael.h>
-#else
-#include "crypto/rijndael/rijndael-api-fst.h"
-#endif
-#if defined(HAVE_OPENSSL_CAMELLIA_H)
-#include <openssl/camellia.h>
-#endif
-#ifdef WITH_SHA2
-#ifdef HAVE_OPENSSL_SHA2_H
-#include <openssl/sha2.h>
-#else
-#include "crypto/sha2/sha2.h"
-#endif
-#endif
-#include "plog.h"
-
-/* 0.9.7 stuff? */
-#if OPENSSL_VERSION_NUMBER < 0x0090700fL
-typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES;
-#else
-#define USE_NEW_DES_API
-#endif
-
-#define OpenSSL_BUG() do { plog(LLV_ERROR, LOCATION, NULL, "OpenSSL function failed\n"); } while(0)
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "crypto_openssl.h"
-#include "debug.h"
-#include "gcmalloc.h"
-
-#if defined(OPENSSL_IS_BORINGSSL)
-/* HMAC_cleanup is deprecated wrapper in OpenSSL and has been removed in
- * BoringSSL. */
-#define HMAC_cleanup(ctx) HMAC_CTX_cleanup(ctx)
-#endif
-
-/*
- * I hate to cast every parameter to des_xx into void *, but it is
- * necessary for SSLeay/OpenSSL portability. It sucks.
- */
-
-static int cb_check_cert_local __P((int, X509_STORE_CTX *));
-static int cb_check_cert_remote __P((int, X509_STORE_CTX *));
-static X509 *mem2x509 __P((vchar_t *));
-
-static caddr_t eay_hmac_init __P((vchar_t *, const EVP_MD *));
-
-/* X509 Certificate */
-/*
- * convert the string of the subject name into DER
- * e.g. str = "C=JP, ST=Kanagawa";
- */
-vchar_t *
-eay_str2asn1dn(str, len)
- const char *str;
- int len;
-{
- X509_NAME *name;
- char *buf;
- char *field, *value;
- int i, j;
- vchar_t *ret = NULL;
- caddr_t p;
-
- if (len == -1)
- len = strlen(str);
-
- buf = racoon_malloc(len + 1);
- if (!buf) {
- plog(LLV_WARNING, LOCATION, NULL,"failed to allocate buffer\n");
- return NULL;
- }
- memcpy(buf, str, len);
-
- name = X509_NAME_new();
-
- field = &buf[0];
- value = NULL;
- for (i = 0; i < len; i++) {
- if (!value && buf[i] == '=') {
- buf[i] = '\0';
- value = &buf[i + 1];
- continue;
- } else if (buf[i] == ',' || buf[i] == '/') {
- buf[i] = '\0';
-
- plog(LLV_DEBUG, LOCATION, NULL, "DN: %s=%s\n",
- field, value);
-
- if (!value) goto err;
- if (!X509_NAME_add_entry_by_txt(name, field,
- (value[0] == '*' && value[1] == 0) ?
- V_ASN1_PRINTABLESTRING : MBSTRING_ASC,
- (unsigned char *) value, -1, -1, 0)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Invalid DN field: %s=%s\n",
- field, value);
- plog(LLV_ERROR, LOCATION, NULL,
- "%s\n", eay_strerror());
- goto err;
- }
- for (j = i + 1; j < len; j++) {
- if (buf[j] != ' ')
- break;
- }
- field = &buf[j];
- value = NULL;
- continue;
- }
- }
- buf[len] = '\0';
-
- plog(LLV_DEBUG, LOCATION, NULL, "DN: %s=%s\n",
- field, value);
-
- if (!value) goto err;
- if (!X509_NAME_add_entry_by_txt(name, field,
- (value[0] == '*' && value[1] == 0) ?
- V_ASN1_PRINTABLESTRING : MBSTRING_ASC,
- (unsigned char *) value, -1, -1, 0)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Invalid DN field: %s=%s\n",
- field, value);
- plog(LLV_ERROR, LOCATION, NULL,
- "%s\n", eay_strerror());
- goto err;
- }
-
- i = i2d_X509_NAME(name, NULL);
- if (!i)
- goto err;
- ret = vmalloc(i);
- if (!ret)
- goto err;
- p = ret->v;
- i = i2d_X509_NAME(name, (void *)&p);
- if (!i)
- goto err;
-
- return ret;
-
- err:
- if (buf)
- racoon_free(buf);
- if (name)
- X509_NAME_free(name);
- if (ret)
- vfree(ret);
- return NULL;
-}
-
-/*
- * convert the hex string of the subject name into DER
- */
-vchar_t *
-eay_hex2asn1dn(const char *hex, int len)
-{
- BIGNUM *bn = BN_new();
- char *binbuf;
- size_t binlen;
- vchar_t *ret = NULL;
-
- if (len == -1)
- len = strlen(hex);
-
- if (BN_hex2bn(&bn, hex) != len) {
- plog(LLV_ERROR, LOCATION, NULL,
- "conversion of Hex-encoded ASN1 string to binary failed: %s\n",
- eay_strerror());
- goto out;
- }
-
- binlen = BN_num_bytes(bn);
- ret = vmalloc(binlen);
- if (!ret) {
- plog(LLV_WARNING, LOCATION, NULL,"failed to allocate buffer\n");
- return NULL;
- }
- binbuf = ret->v;
-
- BN_bn2bin(bn, (unsigned char *) binbuf);
-
-out:
- BN_free(bn);
-
- return ret;
-}
-
-/*
- * The following are derived from code in crypto/x509/x509_cmp.c
- * in OpenSSL0.9.7c:
- * X509_NAME_wildcmp() adds wildcard matching to the original
- * X509_NAME_cmp(), nocase_cmp() and nocase_spacenorm_cmp() are as is.
- */
-#include <ctype.h>
-/* Case insensitive string comparision */
-static int nocase_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
-{
- int i;
-
- int a_length = ASN1_STRING_length(a);
- int b_length = ASN1_STRING_length(b);
- if (a_length != b_length)
- return (a_length - b_length);
-
- const unsigned char *a_data = ASN1_STRING_get0_data(a);
- const unsigned char *b_data = ASN1_STRING_get0_data(b);
- for (i=0; i<a_length; i++)
- {
- int ca, cb;
-
- ca = tolower(a_data[i]);
- cb = tolower(b_data[i]);
-
- if (ca != cb)
- return(ca-cb);
- }
- return 0;
-}
-
-/* Case insensitive string comparision with space normalization
- * Space normalization - ignore leading, trailing spaces,
- * multiple spaces between characters are replaced by single space
- */
-static int nocase_spacenorm_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
-{
- const unsigned char *pa = NULL, *pb = NULL;
- int la, lb;
-
- la = ASN1_STRING_length(a);
- lb = ASN1_STRING_length(b);
- pa = ASN1_STRING_get0_data(a);
- pb = ASN1_STRING_get0_data(b);
-
- /* skip leading spaces */
- while (la > 0 && isspace(*pa))
- {
- la--;
- pa++;
- }
- while (lb > 0 && isspace(*pb))
- {
- lb--;
- pb++;
- }
-
- /* skip trailing spaces */
- while (la > 0 && isspace(pa[la-1]))
- la--;
- while (lb > 0 && isspace(pb[lb-1]))
- lb--;
-
- /* compare strings with space normalization */
- while (la > 0 && lb > 0)
- {
- int ca, cb;
-
- /* compare character */
- ca = tolower(*pa);
- cb = tolower(*pb);
- if (ca != cb)
- return (ca - cb);
-
- pa++; pb++;
- la--; lb--;
-
- if (la <= 0 || lb <= 0)
- break;
-
- /* is white space next character ? */
- if (isspace(*pa) && isspace(*pb))
- {
- /* skip remaining white spaces */
- while (la > 0 && isspace(*pa))
- {
- la--;
- pa++;
- }
- while (lb > 0 && isspace(*pb))
- {
- lb--;
- pb++;
- }
- }
- }
- if (la > 0 || lb > 0)
- return la - lb;
-
- return 0;
-}
-
-static int X509_NAME_wildcmp(const X509_NAME *a, const X509_NAME *b)
-{
- int i,j;
- X509_NAME_ENTRY *na,*nb;
-
- if (X509_NAME_entry_count(a)
- != X509_NAME_entry_count(b))
- return X509_NAME_entry_count(a)
- -X509_NAME_entry_count(b);
- for (i=X509_NAME_entry_count(a)-1; i>=0; i--)
- {
- na=X509_NAME_get_entry(a,i);
- nb=X509_NAME_get_entry(b,i);
- j=OBJ_cmp(X509_NAME_ENTRY_get_object(na),X509_NAME_ENTRY_get_object(nb));
- if (j) return(j);
- const ASN1_STRING *na_value=X509_NAME_ENTRY_get_data(na);
- const ASN1_STRING *nb_value=X509_NAME_ENTRY_get_data(nb);
- if ((ASN1_STRING_length(na_value) == 1 && ASN1_STRING_get0_data(na_value)[0] == '*')
- || (ASN1_STRING_length(nb_value) == 1 && ASN1_STRING_get0_data(nb_value)[0] == '*'))
- continue;
- j=ASN1_STRING_type(na_value)-ASN1_STRING_type(nb_value);
- if (j) return(j);
- if (ASN1_STRING_type(na_value) == V_ASN1_PRINTABLESTRING)
- j=nocase_spacenorm_cmp(na_value, nb_value);
- else if (ASN1_STRING_type(na_value) == V_ASN1_IA5STRING
- && OBJ_obj2nid(X509_NAME_ENTRY_get_object(na)) == NID_pkcs9_emailAddress)
- j=nocase_cmp(na_value, nb_value);
- else
- {
- j=ASN1_STRING_length(na_value)-ASN1_STRING_length(nb_value);
- if (j) return(j);
- j=memcmp(ASN1_STRING_get0_data(na_value),ASN1_STRING_get0_data(nb_value),
- ASN1_STRING_length(na_value));
- }
- if (j) return(j);
- j=X509_NAME_ENTRY_set(na)-X509_NAME_ENTRY_set(nb);
- if (j) return(j);
- }
-
- return(0);
-}
-
-/*
- * compare two subjectNames.
- * OUT: 0: equal
- * positive:
- * -1: other error.
- */
-int
-eay_cmp_asn1dn(n1, n2)
- vchar_t *n1, *n2;
-{
- X509_NAME *a = NULL, *b = NULL;
- caddr_t p;
- int i = -1;
-
- p = n1->v;
- if (!d2i_X509_NAME(&a, (void *)&p, n1->l))
- goto end;
- p = n2->v;
- if (!d2i_X509_NAME(&b, (void *)&p, n2->l))
- goto end;
-
- i = X509_NAME_wildcmp(a, b);
-
- end:
- if (a)
- X509_NAME_free(a);
- if (b)
- X509_NAME_free(b);
- return i;
-}
-
-#ifdef ANDROID_CHANGES
-
-static BIO *BIO_from_android(char *path)
-{
- void *data;
- if (sscanf(path, pname, &data) == 1) {
- return BIO_new_mem_buf(data, -1);
- }
- return NULL;
-}
-
-#endif
-
-/*
- * this functions is derived from apps/verify.c in OpenSSL0.9.5
- */
-int
-eay_check_x509cert(cert, CApath, CAfile, local)
- vchar_t *cert;
- char *CApath;
- char *CAfile;
- int local;
-{
- X509_STORE *cert_ctx = NULL;
- X509_LOOKUP *lookup = NULL;
- X509 *x509 = NULL;
- X509_STORE_CTX *csc;
- int error = -1;
-
- cert_ctx = X509_STORE_new();
- if (cert_ctx == NULL)
- goto end;
-
- if (local)
- X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert_local);
- else
- X509_STORE_set_verify_cb_func(cert_ctx, cb_check_cert_remote);
-
-#ifdef ANDROID_CHANGES
- if (pname) {
- BIO *bio = BIO_from_android(CAfile);
- STACK_OF(X509_INFO) *stack;
- X509_INFO *info;
- int i;
-
- if (!bio) {
- goto end;
- }
- stack = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL);
- BIO_free(bio);
- if (!stack) {
- goto end;
- }
- for (i = 0; i < sk_X509_INFO_num(stack); ++i) {
- info = sk_X509_INFO_value(stack, i);
- if (info->x509) {
- X509_STORE_add_cert(cert_ctx, info->x509);
- }
- if (info->crl) {
- X509_STORE_add_crl(cert_ctx, info->crl);
- }
- }
- sk_X509_INFO_pop_free(stack, X509_INFO_free);
- } else {
-#endif
- lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_file());
- if (lookup == NULL)
- goto end;
-
- X509_LOOKUP_load_file(lookup, CAfile,
- (CAfile == NULL) ? X509_FILETYPE_DEFAULT : X509_FILETYPE_PEM);
-
- lookup = X509_STORE_add_lookup(cert_ctx, X509_LOOKUP_hash_dir());
- if (lookup == NULL)
- goto end;
- error = X509_LOOKUP_add_dir(lookup, CApath, X509_FILETYPE_PEM);
- if(!error) {
- error = -1;
- goto end;
- }
- error = -1; /* initialized */
-#ifdef ANDROID_CHANGES
- }
-#endif
-
- /* read the certificate to be verified */
- x509 = mem2x509(cert);
- if (x509 == NULL)
- goto end;
-
- csc = X509_STORE_CTX_new();
- if (csc == NULL)
- goto end;
- X509_STORE_CTX_init(csc, cert_ctx, x509, NULL);
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
- X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK);
- X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK_ALL);
-#endif
- error = X509_verify_cert(csc);
- X509_STORE_CTX_free(csc);
-
- /*
- * if x509_verify_cert() is successful then the value of error is
- * set non-zero.
- */
- error = error ? 0 : -1;
-
-end:
- if (error)
- plog(LLV_WARNING, LOCATION, NULL,"%s\n", eay_strerror());
- if (cert_ctx != NULL)
- X509_STORE_free(cert_ctx);
- if (x509 != NULL)
- X509_free(x509);
-
- return(error);
-}
-
-/*
- * callback function for verifing certificate.
- * this function is derived from cb() in openssl/apps/s_server.c
- */
-static int
-cb_check_cert_local(ok, ctx)
- int ok;
- X509_STORE_CTX *ctx;
-{
- char buf[256];
- int log_tag;
-
- if (!ok) {
- X509_NAME_oneline(
- X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)),
- buf,
- 256);
- /*
- * since we are just checking the certificates, it is
- * ok if they are self signed. But we should still warn
- * the user.
- */
- int error = X509_STORE_CTX_get_error(ctx);
- switch (error) {
- case X509_V_ERR_CERT_HAS_EXPIRED:
- case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
- case X509_V_ERR_INVALID_CA:
- case X509_V_ERR_PATH_LENGTH_EXCEEDED:
- case X509_V_ERR_INVALID_PURPOSE:
- case X509_V_ERR_UNABLE_TO_GET_CRL:
- ok = 1;
- log_tag = LLV_WARNING;
- break;
- default:
- log_tag = LLV_ERROR;
- }
- plog(log_tag, LOCATION, NULL,
- "%s(%d) at depth:%d SubjectName:%s\n",
- X509_verify_cert_error_string(error),
- error,
- X509_STORE_CTX_get_error_depth(ctx),
- buf);
- }
- ERR_clear_error();
-
- return ok;
-}
-
-/*
- * callback function for verifing remote certificates.
- * this function is derived from cb() in openssl/apps/s_server.c
- */
-static int
-cb_check_cert_remote(ok, ctx)
- int ok;
- X509_STORE_CTX *ctx;
-{
- char buf[256];
- int log_tag;
-
- if (!ok) {
- X509_NAME_oneline(
- X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)),
- buf,
- 256);
- int error = X509_STORE_CTX_get_error(ctx);
- switch (error) {
- case X509_V_ERR_UNABLE_TO_GET_CRL:
- ok = 1;
- log_tag = LLV_WARNING;
- break;
- default:
- log_tag = LLV_ERROR;
- }
- plog(log_tag, LOCATION, NULL,
- "%s(%d) at depth:%d SubjectName:%s\n",
- X509_verify_cert_error_string(error),
- error,
- X509_STORE_CTX_get_error_depth(ctx),
- buf);
- }
- ERR_clear_error();
-
- return ok;
-}
-
-/*
- * get a subjectAltName from X509 certificate.
- */
-vchar_t *
-eay_get_x509asn1subjectname(cert)
- vchar_t *cert;
-{
- X509 *x509 = NULL;
- u_char *bp;
- vchar_t *name = NULL;
- int len;
-
- bp = (unsigned char *) cert->v;
-
- x509 = mem2x509(cert);
- if (x509 == NULL)
- goto error;
-
- /* get the length of the name */
- len = i2d_X509_NAME(X509_get_subject_name(x509), NULL);
- name = vmalloc(len);
- if (!name)
- goto error;
- /* get the name */
- bp = (unsigned char *) name->v;
- len = i2d_X509_NAME(X509_get_subject_name(x509), &bp);
-
- X509_free(x509);
-
- return name;
-
-error:
- plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
-
- if (name != NULL)
- vfree(name);
-
- if (x509 != NULL)
- X509_free(x509);
-
- return NULL;
-}
-
-/*
- * get the subjectAltName from X509 certificate.
- * the name must be terminated by '\0'.
- */
-int
-eay_get_x509subjectaltname(cert, altname, type, pos)
- vchar_t *cert;
- char **altname;
- int *type;
- int pos;
-{
- X509 *x509 = NULL;
- GENERAL_NAMES *gens = NULL;
- GENERAL_NAME *gen;
- int len;
- int error = -1;
-
- *altname = NULL;
- *type = GENT_OTHERNAME;
-
- x509 = mem2x509(cert);
- if (x509 == NULL)
- goto end;
-
- gens = X509_get_ext_d2i(x509, NID_subject_alt_name, NULL, NULL);
- if (gens == NULL)
- goto end;
-
- /* there is no data at "pos" */
- if (pos > sk_GENERAL_NAME_num(gens))
- goto end;
-
- gen = sk_GENERAL_NAME_value(gens, pos - 1);
-
- /* read DNSName / Email */
- if (gen->type == GEN_DNS ||
- gen->type == GEN_EMAIL ||
- gen->type == GEN_URI )
- {
- /* make sure if the data is terminated by '\0'. */
- if (ASN1_STRING_get0_data(gen->d.ia5)[ASN1_STRING_length(gen->d.ia5)] != '\0')
- {
- plog(LLV_ERROR, LOCATION, NULL,
- "data is not terminated by NUL.");
- racoon_hexdump(ASN1_STRING_get0_data(gen->d.ia5), ASN1_STRING_length(gen->d.ia5) + 1);
- goto end;
- }
-
- len = ASN1_STRING_length(gen->d.ia5) + 1;
- *altname = racoon_malloc(len);
- if (!*altname)
- goto end;
-
- strlcpy(*altname, (const char *) ASN1_STRING_get0_data(gen->d.ia5), len);
- *type = gen->type;
- error = 0;
- }
- /* read IP address */
- else if (gen->type == GEN_IPADD)
- {
- const unsigned char *ip;
-
- /* only support IPv4 */
- if (ASN1_STRING_length(gen->d.ip) != 4)
- goto end;
-
- /* convert Octet String to String
- * XXX ???????
- */
- /*i2d_ASN1_OCTET_STRING(gen->d.ip,&ip);*/
- ip = ASN1_STRING_get0_data(gen->d.ip);
-
- /* XXX Magic, enough for an IPv4 address
- */
- *altname = racoon_malloc(20);
- if (!*altname)
- goto end;
-
- sprintf(*altname, "%u.%u.%u.%u", ip[0], ip[1], ip[2], ip[3]);
- *type = gen->type;
- error = 0;
- }
- /* XXX other possible types ?
- * For now, error will be -1 if unsupported type
- */
-
-end:
- if (error) {
- if (*altname) {
- racoon_free(*altname);
- *altname = NULL;
- }
- plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
- }
- if (x509)
- X509_free(x509);
- if (gens)
- /* free the whole stack. */
- sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
-
- return error;
-}
-
-
-/*
- * decode a X509 certificate and make a readable text terminated '\n'.
- * return the buffer allocated, so must free it later.
- */
-char *
-eay_get_x509text(cert)
- vchar_t *cert;
-{
- X509 *x509 = NULL;
- BIO *bio = NULL;
- char *text = NULL;
- u_char *bp = NULL;
- int len = 0;
- int error = -1;
-
- x509 = mem2x509(cert);
- if (x509 == NULL)
- goto end;
-
- bio = BIO_new(BIO_s_mem());
- if (bio == NULL)
- goto end;
-
- error = X509_print(bio, x509);
- if (error != 1) {
- error = -1;
- goto end;
- }
-
-#if defined(ANDROID_CHANGES)
- len = BIO_get_mem_data(bio, (char**) &bp);
-#else
- len = BIO_get_mem_data(bio, &bp);
-#endif
- text = racoon_malloc(len + 1);
- if (text == NULL)
- goto end;
- memcpy(text, bp, len);
- text[len] = '\0';
-
- error = 0;
-
- end:
- if (error) {
- if (text) {
- racoon_free(text);
- text = NULL;
- }
- plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
- }
- if (bio)
- BIO_free(bio);
- if (x509)
- X509_free(x509);
-
- return text;
-}
-
-/* get X509 structure from buffer. */
-static X509 *
-mem2x509(cert)
- vchar_t *cert;
-{
- X509 *x509;
-
-#ifndef EAYDEBUG
- {
- u_char *bp;
-
- bp = (unsigned char *) cert->v;
-
- x509 = d2i_X509(NULL, (void *)&bp, cert->l);
- }
-#else
- {
- BIO *bio;
- int len;
-
- bio = BIO_new(BIO_s_mem());
- if (bio == NULL)
- return NULL;
- len = BIO_write(bio, cert->v, cert->l);
- if (len == -1)
- return NULL;
- x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
- BIO_free(bio);
- }
-#endif
- return x509;
-}
-
-/*
- * get a X509 certificate from local file.
- * a certificate must be PEM format.
- * Input:
- * path to a certificate.
- * Output:
- * NULL if error occured
- * other is the cert.
- */
-vchar_t *
-eay_get_x509cert(path)
- char *path;
-{
- FILE *fp;
- X509 *x509;
- vchar_t *cert;
- u_char *bp;
- int len;
- int error;
-
-#ifdef ANDROID_CHANGES
- if (pname) {
- BIO *bio = BIO_from_android(path);
- if (!bio) {
- return NULL;
- }
- x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL);
- BIO_free(bio);
- } else {
-#endif
- /* Read private key */
- fp = fopen(path, "r");
- if (fp == NULL)
- return NULL;
- x509 = PEM_read_X509(fp, NULL, NULL, NULL);
- fclose (fp);
-#ifdef ANDROID_CHANGES
- }
-#endif
-
- if (x509 == NULL)
- return NULL;
-
- len = i2d_X509(x509, NULL);
- cert = vmalloc(len);
- if (cert == NULL) {
- X509_free(x509);
- return NULL;
- }
- bp = (unsigned char *) cert->v;
- error = i2d_X509(x509, &bp);
- X509_free(x509);
-
- if (error == 0) {
- vfree(cert);
- return NULL;
- }
-
- return cert;
-}
-
-/*
- * check a X509 signature
- * XXX: to be get hash type from my cert ?
- * to be handled EVP_dss().
- * OUT: return -1 when error.
- * 0
- */
-int
-eay_check_x509sign(source, sig, cert)
- vchar_t *source;
- vchar_t *sig;
- vchar_t *cert;
-{
- X509 *x509;
- u_char *bp;
- EVP_PKEY *evp;
- int res;
-
- bp = (unsigned char *) cert->v;
-
- x509 = d2i_X509(NULL, (void *)&bp, cert->l);
- if (x509 == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "d2i_X509(): %s\n", eay_strerror());
- return -1;
- }
-
- evp = X509_get_pubkey(x509);
- if (! evp) {
- plog(LLV_ERROR, LOCATION, NULL, "X509_get_pubkey(): %s\n", eay_strerror());
- X509_free(x509);
- return -1;
- }
-
- res = eay_rsa_verify(source, sig, EVP_PKEY_get0_RSA(evp));
-
- EVP_PKEY_free(evp);
- X509_free(x509);
-
- return res;
-}
-
-/*
- * check RSA signature
- * OUT: return -1 when error.
- * 0 on success
- */
-int
-eay_check_rsasign(source, sig, rsa)
- vchar_t *source;
- vchar_t *sig;
- RSA *rsa;
-{
- return eay_rsa_verify(source, sig, rsa);
-}
-
-/*
- * get PKCS#1 Private Key of PEM format from local file.
- */
-vchar_t *
-eay_get_pkcs1privkey(path)
- char *path;
-{
- FILE *fp;
- EVP_PKEY *evp = NULL;
- vchar_t *pkey = NULL;
- u_char *bp;
- int pkeylen;
- int error = -1;
-
-#ifdef ANDROID_CHANGES
- if (pname) {
- BIO *bio = BIO_from_android(path);
- if (!bio) {
- return NULL;
- }
- evp = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);
- BIO_free(bio);
- } else {
-#endif
- /* Read private key */
- fp = fopen(path, "r");
- if (fp == NULL)
- return NULL;
-
- evp = PEM_read_PrivateKey(fp, NULL, NULL, NULL);
-
- fclose (fp);
-#ifdef ANDROID_CHANGES
- }
-#endif
-
- if (evp == NULL)
- return NULL;
-
- pkeylen = i2d_PrivateKey(evp, NULL);
- if (pkeylen == 0)
- goto end;
- pkey = vmalloc(pkeylen);
- if (pkey == NULL)
- goto end;
- bp = (unsigned char *) pkey->v;
- pkeylen = i2d_PrivateKey(evp, &bp);
- if (pkeylen == 0)
- goto end;
-
- error = 0;
-
-end:
- if (evp != NULL)
- EVP_PKEY_free(evp);
- if (error != 0 && pkey != NULL) {
- vfree(pkey);
- pkey = NULL;
- }
-
- return pkey;
-}
-
-/*
- * get PKCS#1 Public Key of PEM format from local file.
- */
-vchar_t *
-eay_get_pkcs1pubkey(path)
- char *path;
-{
- FILE *fp;
- EVP_PKEY *evp = NULL;
- vchar_t *pkey = NULL;
- X509 *x509 = NULL;
- u_char *bp;
- int pkeylen;
- int error = -1;
-
- /* Read private key */
- fp = fopen(path, "r");
- if (fp == NULL)
- return NULL;
-
- x509 = PEM_read_X509(fp, NULL, NULL, NULL);
-
- fclose (fp);
-
- if (x509 == NULL)
- return NULL;
-
- /* Get public key - eay */
- evp = X509_get_pubkey(x509);
- if (evp == NULL)
- return NULL;
-
- pkeylen = i2d_PublicKey(evp, NULL);
- if (pkeylen == 0)
- goto end;
- pkey = vmalloc(pkeylen);
- if (pkey == NULL)
- goto end;
- bp = (unsigned char *) pkey->v;
- pkeylen = i2d_PublicKey(evp, &bp);
- if (pkeylen == 0)
- goto end;
-
- error = 0;
-end:
- if (evp != NULL)
- EVP_PKEY_free(evp);
- if (error != 0 && pkey != NULL) {
- vfree(pkey);
- pkey = NULL;
- }
-
- return pkey;
-}
-
-vchar_t *
-eay_get_x509sign(src, privkey)
- vchar_t *src, *privkey;
-{
- EVP_PKEY *evp;
- u_char *bp = (unsigned char *) privkey->v;
- vchar_t *sig = NULL;
- int len;
- int pad = RSA_PKCS1_PADDING;
-
- /* XXX to be handled EVP_PKEY_DSA */
- evp = d2i_PrivateKey(EVP_PKEY_RSA, NULL, (void *)&bp, privkey->l);
- if (evp == NULL)
- return NULL;
-
- sig = eay_rsa_sign(src, EVP_PKEY_get0_RSA(evp));
-
- EVP_PKEY_free(evp);
-
- return sig;
-}
-
-vchar_t *
-eay_get_rsasign(src, rsa)
- vchar_t *src;
- RSA *rsa;
-{
- return eay_rsa_sign(src, rsa);
-}
-
-vchar_t *
-eay_rsa_sign(vchar_t *src, RSA *rsa)
-{
- int len;
- vchar_t *sig = NULL;
- int pad = RSA_PKCS1_PADDING;
-
- len = RSA_size(rsa);
-
- sig = vmalloc(len);
- if (sig == NULL)
- return NULL;
-
- len = RSA_private_encrypt(src->l, (unsigned char *) src->v,
- (unsigned char *) sig->v, rsa, pad);
-
- if (len == 0 || len != sig->l) {
- vfree(sig);
- sig = NULL;
- }
-
- return sig;
-}
-
-int
-eay_rsa_verify(src, sig, rsa)
- vchar_t *src, *sig;
- RSA *rsa;
-{
- vchar_t *xbuf = NULL;
- int pad = RSA_PKCS1_PADDING;
- int len = 0;
- int error;
-
- len = RSA_size(rsa);
- xbuf = vmalloc(len);
- if (xbuf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
- return -1;
- }
-
- len = RSA_public_decrypt(sig->l, (unsigned char *) sig->v,
- (unsigned char *) xbuf->v, rsa, pad);
- if (len == 0 || len != src->l) {
- plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
- vfree(xbuf);
- return -1;
- }
-
- error = memcmp(src->v, xbuf->v, src->l);
- vfree(xbuf);
- if (error != 0)
- return -1;
-
- return 0;
-}
-
-/*
- * get error string
- * MUST load ERR_load_crypto_strings() first.
- */
-char *
-eay_strerror()
-{
- static char ebuf[512];
- int len = 0, n;
- unsigned long l;
- char buf[200];
- const char *file, *data;
- int line, flags;
- unsigned long es;
-
-#if defined(ANDROID_CHANGES)
- es = 0;
-#else
- es = CRYPTO_thread_id();
-#endif
-
- while ((l = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0){
- n = snprintf(ebuf + len, sizeof(ebuf) - len,
- "%lu:%s:%s:%d:%s ",
- es, ERR_error_string(l, buf), file, line,
- (flags & ERR_TXT_STRING) ? data : "");
- if (n < 0 || n >= sizeof(ebuf) - len)
- break;
- len += n;
- if (sizeof(ebuf) < len)
- break;
- }
-
- return ebuf;
-}
-
-vchar_t *
-evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc)
-{
- vchar_t *res;
- EVP_CIPHER_CTX ctx;
-
- if (!e)
- return NULL;
-
- if (data->l % EVP_CIPHER_block_size(e))
- return NULL;
-
- if ((res = vmalloc(data->l)) == NULL)
- return NULL;
-
- EVP_CIPHER_CTX_init(&ctx);
-
-#if !defined(OPENSSL_IS_BORINGSSL)
- switch(EVP_CIPHER_nid(e)){
- case NID_bf_cbc:
- case NID_bf_ecb:
- case NID_bf_cfb64:
- case NID_bf_ofb64:
- case NID_cast5_cbc:
- case NID_cast5_ecb:
- case NID_cast5_cfb64:
- case NID_cast5_ofb64:
- /* XXX: can we do that also for algos with a fixed key size ?
- */
- /* init context without key/iv
- */
- if (!EVP_CipherInit(&ctx, e, NULL, NULL, enc))
- {
- OpenSSL_BUG();
- vfree(res);
- return NULL;
- }
-
- /* update key size
- */
- if (!EVP_CIPHER_CTX_set_key_length(&ctx, key->l))
- {
- OpenSSL_BUG();
- vfree(res);
- return NULL;
- }
-
- /* finalize context init with desired key size
- */
- if (!EVP_CipherInit(&ctx, NULL, (u_char *) key->v,
- (u_char *) iv->v, enc))
- {
- OpenSSL_BUG();
- vfree(res);
- return NULL;
- }
- break;
- default:
-#endif /* OPENSSL_IS_BORINGSSL */
- if (!EVP_CipherInit(&ctx, e, (u_char *) key->v,
- (u_char *) iv->v, enc)) {
- OpenSSL_BUG();
- vfree(res);
- return NULL;
- }
-#if !defined(OPENSSL_IS_BORINGSSL)
- }
-#endif
-
- /* disable openssl padding */
- EVP_CIPHER_CTX_set_padding(&ctx, 0);
-
- if (!EVP_Cipher(&ctx, (u_char *) res->v, (u_char *) data->v, data->l)) {
- OpenSSL_BUG();
- vfree(res);
- return NULL;
- }
-
- EVP_CIPHER_CTX_cleanup(&ctx);
-
- return res;
-}
-
-int
-evp_weakkey(vchar_t *key, const EVP_CIPHER *e)
-{
- return 0;
-}
-
-int
-evp_keylen(int len, const EVP_CIPHER *e)
-{
- if (!e)
- return -1;
- /* EVP functions return lengths in bytes, ipsec-tools
- * uses lengths in bits, therefore conversion is required. --AK
- */
- if (len != 0 && len != (EVP_CIPHER_key_length(e) << 3))
- return -1;
-
- return EVP_CIPHER_key_length(e) << 3;
-}
-
-/*
- * DES-CBC
- */
-vchar_t *
-eay_des_encrypt(data, key, iv)
- vchar_t *data, *key, *iv;
-{
- return evp_crypt(data, key, iv, EVP_des_cbc(), 1);
-}
-
-vchar_t *
-eay_des_decrypt(data, key, iv)
- vchar_t *data, *key, *iv;
-{
- return evp_crypt(data, key, iv, EVP_des_cbc(), 0);
-}
-
-#if defined(OPENSSL_IS_BORINGSSL)
-/* BoringSSL doesn't implement DES_is_weak_key because the concept is nonsense.
- * Thankfully, ipsec-tools never actually uses the result of this function. */
-static int
-DES_is_weak_key(const DES_cblock *key)
-{
- return 0;
-}
-#endif /* OPENSSL_IS_BORINGSSL */
-
-int
-eay_des_weakkey(key)
- vchar_t *key;
-{
-#ifdef USE_NEW_DES_API
- return DES_is_weak_key((void *)key->v);
-#else
- return des_is_weak_key((void *)key->v);
-#endif
-}
-
-int
-eay_des_keylen(len)
- int len;
-{
- return evp_keylen(len, EVP_des_cbc());
-}
-
-#ifdef HAVE_OPENSSL_IDEA_H
-/*
- * IDEA-CBC
- */
-vchar_t *
-eay_idea_encrypt(data, key, iv)
- vchar_t *data, *key, *iv;
-{
- vchar_t *res;
- IDEA_KEY_SCHEDULE ks;
-
- idea_set_encrypt_key((unsigned char *)key->v, &ks);
-
- /* allocate buffer for result */
- if ((res = vmalloc(data->l)) == NULL)
- return NULL;
-
- /* decryption data */
- idea_cbc_encrypt((unsigned char *)data->v, (unsigned char *)res->v, data->l,
- &ks, (unsigned char *)iv->v, IDEA_ENCRYPT);
-
- return res;
-}
-
-vchar_t *
-eay_idea_decrypt(data, key, iv)
- vchar_t *data, *key, *iv;
-{
- vchar_t *res;
- IDEA_KEY_SCHEDULE ks, dks;
-
- idea_set_encrypt_key((unsigned char *)key->v, &ks);
- idea_set_decrypt_key(&ks, &dks);
-
- /* allocate buffer for result */
- if ((res = vmalloc(data->l)) == NULL)
- return NULL;
-
- /* decryption data */
- idea_cbc_encrypt((unsigned char *)data->v, (unsigned char *)res->v, data->l,
- &dks, (unsigned char *)iv->v, IDEA_DECRYPT);
-
- return res;
-}
-
-int
-eay_idea_weakkey(key)
- vchar_t *key;
-{
- return 0; /* XXX */
-}
-
-int
-eay_idea_keylen(len)
- int len;
-{
- if (len != 0 && len != 128)
- return -1;
- return 128;
-}
-#endif
-
-/*
- * BLOWFISH-CBC
- */
-vchar_t *
-eay_bf_encrypt(data, key, iv)
- vchar_t *data, *key, *iv;
-{
- return evp_crypt(data, key, iv, EVP_bf_cbc(), 1);
-}
-
-vchar_t *
-eay_bf_decrypt(data, key, iv)
- vchar_t *data, *key, *iv;
-{
- return evp_crypt(data, key, iv, EVP_bf_cbc(), 0);
-}
-
-int
-eay_bf_weakkey(key)
- vchar_t *key;
-{
- return 0; /* XXX to be done. refer to RFC 2451 */
-}
-
-int
-eay_bf_keylen(len)
- int len;
-{
- if (len == 0)
- return 448;
- if (len < 40 || len > 448)
- return -1;
- return len;
-}
-
-#ifdef HAVE_OPENSSL_RC5_H
-/*
- * RC5-CBC
- */
-vchar_t *
-eay_rc5_encrypt(data, key, iv)
- vchar_t *data, *key, *iv;
-{
- vchar_t *res;
- RC5_32_KEY ks;
-
- /* in RFC 2451, there is information about the number of round. */
- RC5_32_set_key(&ks, key->l, (unsigned char *)key->v, 16);
-
- /* allocate buffer for result */
- if ((res = vmalloc(data->l)) == NULL)
- return NULL;
-
- /* decryption data */
- RC5_32_cbc_encrypt((unsigned char *)data->v, (unsigned char *)res->v, data->l,
- &ks, (unsigned char *)iv->v, RC5_ENCRYPT);
-
- return res;
-}
-
-vchar_t *
-eay_rc5_decrypt(data, key, iv)
- vchar_t *data, *key, *iv;
-{
- vchar_t *res;
- RC5_32_KEY ks;
-
- /* in RFC 2451, there is information about the number of round. */
- RC5_32_set_key(&ks, key->l, (unsigned char *)key->v, 16);
-
- /* allocate buffer for result */
- if ((res = vmalloc(data->l)) == NULL)
- return NULL;
-
- /* decryption data */
- RC5_32_cbc_encrypt((unsigned char *)data->v, (unsigned char *)res->v, data->l,
- &ks, (unsigned char *)iv->v, RC5_DECRYPT);
-
- return res;
-}
-
-int
-eay_rc5_weakkey(key)
- vchar_t *key;
-{
- return 0; /* No known weak keys when used with 16 rounds. */
-
-}
-
-int
-eay_rc5_keylen(len)
- int len;
-{
- if (len == 0)
- return 128;
- if (len < 40 || len > 2040)
- return -1;
- return len;
-}
-#endif
-
-/*
- * 3DES-CBC
- */
-vchar_t *
-eay_3des_encrypt(data, key, iv)
- vchar_t *data, *key, *iv;
-{
- return evp_crypt(data, key, iv, EVP_des_ede3_cbc(), 1);
-}
-
-vchar_t *
-eay_3des_decrypt(data, key, iv)
- vchar_t *data, *key, *iv;
-{
- return evp_crypt(data, key, iv, EVP_des_ede3_cbc(), 0);
-}
-
-int
-eay_3des_weakkey(key)
- vchar_t *key;
-{
-#ifdef USE_NEW_DES_API
- return (DES_is_weak_key((void *)key->v) ||
- DES_is_weak_key((void *)(key->v + 8)) ||
- DES_is_weak_key((void *)(key->v + 16)));
-#else
- if (key->l < 24)
- return 0;
-
- return (des_is_weak_key((void *)key->v) ||
- des_is_weak_key((void *)(key->v + 8)) ||
- des_is_weak_key((void *)(key->v + 16)));
-#endif
-}
-
-int
-eay_3des_keylen(len)
- int len;
-{
- if (len != 0 && len != 192)
- return -1;
- return 192;
-}
-
-/*
- * CAST-CBC
- */
-vchar_t *
-eay_cast_encrypt(data, key, iv)
- vchar_t *data, *key, *iv;
-{
- return evp_crypt(data, key, iv, EVP_cast5_cbc(), 1);
-}
-
-vchar_t *
-eay_cast_decrypt(data, key, iv)
- vchar_t *data, *key, *iv;
-{
- return evp_crypt(data, key, iv, EVP_cast5_cbc(), 0);
-}
-
-int
-eay_cast_weakkey(key)
- vchar_t *key;
-{
- return 0; /* No known weak keys. */
-}
-
-int
-eay_cast_keylen(len)
- int len;
-{
- if (len == 0)
- return 128;
- if (len < 40 || len > 128)
- return -1;
- return len;
-}
-
-/*
- * AES(RIJNDAEL)-CBC
- */
-#ifndef HAVE_OPENSSL_AES_H
-vchar_t *
-eay_aes_encrypt(data, key, iv)
- vchar_t *data, *key, *iv;
-{
- vchar_t *res;
- keyInstance k;
- cipherInstance c;
-
- memset(&k, 0, sizeof(k));
- if (rijndael_makeKey(&k, DIR_ENCRYPT, key->l << 3, key->v) < 0)
- return NULL;
-
- /* allocate buffer for result */
- if ((res = vmalloc(data->l)) == NULL)
- return NULL;
-
- /* encryption data */
- memset(&c, 0, sizeof(c));
- if (rijndael_cipherInit(&c, MODE_CBC, iv->v) < 0){
- vfree(res);
- return NULL;
- }
- if (rijndael_blockEncrypt(&c, &k, data->v, data->l << 3, res->v) < 0){
- vfree(res);
- return NULL;
- }
-
- return res;
-}
-
-vchar_t *
-eay_aes_decrypt(data, key, iv)
- vchar_t *data, *key, *iv;
-{
- vchar_t *res;
- keyInstance k;
- cipherInstance c;
-
- memset(&k, 0, sizeof(k));
- if (rijndael_makeKey(&k, DIR_DECRYPT, key->l << 3, key->v) < 0)
- return NULL;
-
- /* allocate buffer for result */
- if ((res = vmalloc(data->l)) == NULL)
- return NULL;
-
- /* decryption data */
- memset(&c, 0, sizeof(c));
- if (rijndael_cipherInit(&c, MODE_CBC, iv->v) < 0){
- vfree(res);
- return NULL;
- }
- if (rijndael_blockDecrypt(&c, &k, data->v, data->l << 3, res->v) < 0){
- vfree(res);
- return NULL;
- }
-
- return res;
-}
-#else
-static inline const EVP_CIPHER *
-aes_evp_by_keylen(int keylen)
-{
- switch(keylen) {
- case 16:
- case 128:
- return EVP_aes_128_cbc();
-#if !defined(ANDROID_CHANGES)
- case 24:
- case 192:
- return EVP_aes_192_cbc();
-#endif
- case 32:
- case 256:
- return EVP_aes_256_cbc();
- default:
- return NULL;
- }
-}
-
-vchar_t *
-eay_aes_encrypt(data, key, iv)
- vchar_t *data, *key, *iv;
-{
- return evp_crypt(data, key, iv, aes_evp_by_keylen(key->l), 1);
-}
-
-vchar_t *
-eay_aes_decrypt(data, key, iv)
- vchar_t *data, *key, *iv;
-{
- return evp_crypt(data, key, iv, aes_evp_by_keylen(key->l), 0);
-}
-#endif
-
-int
-eay_aes_weakkey(key)
- vchar_t *key;
-{
- return 0;
-}
-
-int
-eay_aes_keylen(len)
- int len;
-{
- if (len == 0)
- return 128;
- if (len != 128 && len != 192 && len != 256)
- return -1;
- return len;
-}
-
-#if defined(HAVE_OPENSSL_CAMELLIA_H)
-/*
- * CAMELLIA-CBC
- */
-static inline const EVP_CIPHER *
-camellia_evp_by_keylen(int keylen)
-{
- switch(keylen) {
- case 16:
- case 128:
- return EVP_camellia_128_cbc();
- case 24:
- case 192:
- return EVP_camellia_192_cbc();
- case 32:
- case 256:
- return EVP_camellia_256_cbc();
- default:
- return NULL;
- }
-}
-
-vchar_t *
-eay_camellia_encrypt(data, key, iv)
- vchar_t *data, *key, *iv;
-{
- return evp_crypt(data, key, iv, camellia_evp_by_keylen(key->l), 1);
-}
-
-vchar_t *
-eay_camellia_decrypt(data, key, iv)
- vchar_t *data, *key, *iv;
-{
- return evp_crypt(data, key, iv, camellia_evp_by_keylen(key->l), 0);
-}
-
-int
-eay_camellia_weakkey(key)
- vchar_t *key;
-{
- return 0;
-}
-
-int
-eay_camellia_keylen(len)
- int len;
-{
- if (len == 0)
- return 128;
- if (len != 128 && len != 192 && len != 256)
- return -1;
- return len;
-}
-
-#endif
-
-/* for ipsec part */
-int
-eay_null_hashlen()
-{
- return 0;
-}
-
-int
-eay_kpdk_hashlen()
-{
- return 0;
-}
-
-int
-eay_twofish_keylen(len)
- int len;
-{
- if (len < 0 || len > 256)
- return -1;
- return len;
-}
-
-int
-eay_null_keylen(len)
- int len;
-{
- return 0;
-}
-
-/*
- * HMAC functions
- */
-static caddr_t
-eay_hmac_init(key, md)
- vchar_t *key;
- const EVP_MD *md;
-{
- HMAC_CTX *c = racoon_malloc(sizeof(*c));
-
- HMAC_Init(c, key->v, key->l, md);
-
- return (caddr_t)c;
-}
-
-#ifdef WITH_SHA2
-/*
- * HMAC SHA2-512
- */
-vchar_t *
-eay_hmacsha2_512_one(key, data)
- vchar_t *key, *data;
-{
- vchar_t *res;
- caddr_t ctx;
-
- ctx = eay_hmacsha2_512_init(key);
- eay_hmacsha2_512_update(ctx, data);
- res = eay_hmacsha2_512_final(ctx);
-
- return(res);
-}
-
-caddr_t
-eay_hmacsha2_512_init(key)
- vchar_t *key;
-{
- return eay_hmac_init(key, EVP_sha2_512());
-}
-
-void
-eay_hmacsha2_512_update(c, data)
- caddr_t c;
- vchar_t *data;
-{
- HMAC_Update((HMAC_CTX *)c, (unsigned char *) data->v, data->l);
-}
-
-vchar_t *
-eay_hmacsha2_512_final(c)
- caddr_t c;
-{
- vchar_t *res;
- unsigned int l;
-
- if ((res = vmalloc(SHA512_DIGEST_LENGTH)) == 0)
- return NULL;
-
- HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
- res->l = l;
- HMAC_cleanup((HMAC_CTX *)c);
- (void)racoon_free(c);
-
- if (SHA512_DIGEST_LENGTH != res->l) {
- plog(LLV_ERROR, LOCATION, NULL,
- "hmac sha2_512 length mismatch %zd.\n", res->l);
- vfree(res);
- return NULL;
- }
-
- return(res);
-}
-
-/*
- * HMAC SHA2-384
- */
-vchar_t *
-eay_hmacsha2_384_one(key, data)
- vchar_t *key, *data;
-{
- vchar_t *res;
- caddr_t ctx;
-
- ctx = eay_hmacsha2_384_init(key);
- eay_hmacsha2_384_update(ctx, data);
- res = eay_hmacsha2_384_final(ctx);
-
- return(res);
-}
-
-caddr_t
-eay_hmacsha2_384_init(key)
- vchar_t *key;
-{
- return eay_hmac_init(key, EVP_sha2_384());
-}
-
-void
-eay_hmacsha2_384_update(c, data)
- caddr_t c;
- vchar_t *data;
-{
- HMAC_Update((HMAC_CTX *)c, (unsigned char *) data->v, data->l);
-}
-
-vchar_t *
-eay_hmacsha2_384_final(c)
- caddr_t c;
-{
- vchar_t *res;
- unsigned int l;
-
- if ((res = vmalloc(SHA384_DIGEST_LENGTH)) == 0)
- return NULL;
-
- HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
- res->l = l;
- HMAC_cleanup((HMAC_CTX *)c);
- (void)racoon_free(c);
-
- if (SHA384_DIGEST_LENGTH != res->l) {
- plog(LLV_ERROR, LOCATION, NULL,
- "hmac sha2_384 length mismatch %zd.\n", res->l);
- vfree(res);
- return NULL;
- }
-
- return(res);
-}
-
-/*
- * HMAC SHA2-256
- */
-vchar_t *
-eay_hmacsha2_256_one(key, data)
- vchar_t *key, *data;
-{
- vchar_t *res;
- caddr_t ctx;
-
- ctx = eay_hmacsha2_256_init(key);
- eay_hmacsha2_256_update(ctx, data);
- res = eay_hmacsha2_256_final(ctx);
-
- return(res);
-}
-
-caddr_t
-eay_hmacsha2_256_init(key)
- vchar_t *key;
-{
- return eay_hmac_init(key, EVP_sha2_256());
-}
-
-void
-eay_hmacsha2_256_update(c, data)
- caddr_t c;
- vchar_t *data;
-{
- HMAC_Update((HMAC_CTX *)c, (unsigned char *) data->v, data->l);
-}
-
-vchar_t *
-eay_hmacsha2_256_final(c)
- caddr_t c;
-{
- vchar_t *res;
- unsigned int l;
-
- if ((res = vmalloc(SHA256_DIGEST_LENGTH)) == 0)
- return NULL;
-
- HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
- res->l = l;
- HMAC_cleanup((HMAC_CTX *)c);
- (void)racoon_free(c);
-
- if (SHA256_DIGEST_LENGTH != res->l) {
- plog(LLV_ERROR, LOCATION, NULL,
- "hmac sha2_256 length mismatch %zd.\n", res->l);
- vfree(res);
- return NULL;
- }
-
- return(res);
-}
-#endif /* WITH_SHA2 */
-
-/*
- * HMAC SHA1
- */
-vchar_t *
-eay_hmacsha1_one(key, data)
- vchar_t *key, *data;
-{
- vchar_t *res;
- caddr_t ctx;
-
- ctx = eay_hmacsha1_init(key);
- eay_hmacsha1_update(ctx, data);
- res = eay_hmacsha1_final(ctx);
-
- return(res);
-}
-
-caddr_t
-eay_hmacsha1_init(key)
- vchar_t *key;
-{
- return eay_hmac_init(key, EVP_sha1());
-}
-
-void
-eay_hmacsha1_update(c, data)
- caddr_t c;
- vchar_t *data;
-{
- HMAC_Update((HMAC_CTX *)c, (unsigned char *) data->v, data->l);
-}
-
-vchar_t *
-eay_hmacsha1_final(c)
- caddr_t c;
-{
- vchar_t *res;
- unsigned int l;
-
- if ((res = vmalloc(SHA_DIGEST_LENGTH)) == 0)
- return NULL;
-
- HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
- res->l = l;
- HMAC_cleanup((HMAC_CTX *)c);
- (void)racoon_free(c);
-
- if (SHA_DIGEST_LENGTH != res->l) {
- plog(LLV_ERROR, LOCATION, NULL,
- "hmac sha1 length mismatch %zd.\n", res->l);
- vfree(res);
- return NULL;
- }
-
- return(res);
-}
-
-/*
- * HMAC MD5
- */
-vchar_t *
-eay_hmacmd5_one(key, data)
- vchar_t *key, *data;
-{
- vchar_t *res;
- caddr_t ctx;
-
- ctx = eay_hmacmd5_init(key);
- eay_hmacmd5_update(ctx, data);
- res = eay_hmacmd5_final(ctx);
-
- return(res);
-}
-
-caddr_t
-eay_hmacmd5_init(key)
- vchar_t *key;
-{
- return eay_hmac_init(key, EVP_md5());
-}
-
-void
-eay_hmacmd5_update(c, data)
- caddr_t c;
- vchar_t *data;
-{
- HMAC_Update((HMAC_CTX *)c, (unsigned char *) data->v, data->l);
-}
-
-vchar_t *
-eay_hmacmd5_final(c)
- caddr_t c;
-{
- vchar_t *res;
- unsigned int l;
-
- if ((res = vmalloc(MD5_DIGEST_LENGTH)) == 0)
- return NULL;
-
- HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l);
- res->l = l;
- HMAC_cleanup((HMAC_CTX *)c);
- (void)racoon_free(c);
-
- if (MD5_DIGEST_LENGTH != res->l) {
- plog(LLV_ERROR, LOCATION, NULL,
- "hmac md5 length mismatch %zd.\n", res->l);
- vfree(res);
- return NULL;
- }
-
- return(res);
-}
-
-#ifdef WITH_SHA2
-/*
- * SHA2-512 functions
- */
-caddr_t
-eay_sha2_512_init()
-{
- SHA512_CTX *c = racoon_malloc(sizeof(*c));
-
- SHA512_Init(c);
-
- return((caddr_t)c);
-}
-
-void
-eay_sha2_512_update(c, data)
- caddr_t c;
- vchar_t *data;
-{
- SHA512_Update((SHA512_CTX *)c, (unsigned char *) data->v, data->l);
-
- return;
-}
-
-vchar_t *
-eay_sha2_512_final(c)
- caddr_t c;
-{
- vchar_t *res;
-
- if ((res = vmalloc(SHA512_DIGEST_LENGTH)) == 0)
- return(0);
-
- SHA512_Final((unsigned char *) res->v, (SHA512_CTX *)c);
- (void)racoon_free(c);
-
- return(res);
-}
-
-vchar_t *
-eay_sha2_512_one(data)
- vchar_t *data;
-{
- caddr_t ctx;
- vchar_t *res;
-
- ctx = eay_sha2_512_init();
- eay_sha2_512_update(ctx, data);
- res = eay_sha2_512_final(ctx);
-
- return(res);
-}
-
-int
-eay_sha2_512_hashlen()
-{
- return SHA512_DIGEST_LENGTH << 3;
-}
-#endif
-
-#ifdef WITH_SHA2
-/*
- * SHA2-384 functions
- */
-caddr_t
-eay_sha2_384_init()
-{
- SHA384_CTX *c = racoon_malloc(sizeof(*c));
-
- SHA384_Init(c);
-
- return((caddr_t)c);
-}
-
-void
-eay_sha2_384_update(c, data)
- caddr_t c;
- vchar_t *data;
-{
- SHA384_Update((SHA384_CTX *)c, (unsigned char *) data->v, data->l);
-
- return;
-}
-
-vchar_t *
-eay_sha2_384_final(c)
- caddr_t c;
-{
- vchar_t *res;
-
- if ((res = vmalloc(SHA384_DIGEST_LENGTH)) == 0)
- return(0);
-
- SHA384_Final((unsigned char *) res->v, (SHA384_CTX *)c);
- (void)racoon_free(c);
-
- return(res);
-}
-
-vchar_t *
-eay_sha2_384_one(data)
- vchar_t *data;
-{
- caddr_t ctx;
- vchar_t *res;
-
- ctx = eay_sha2_384_init();
- eay_sha2_384_update(ctx, data);
- res = eay_sha2_384_final(ctx);
-
- return(res);
-}
-
-int
-eay_sha2_384_hashlen()
-{
- return SHA384_DIGEST_LENGTH << 3;
-}
-#endif
-
-#ifdef WITH_SHA2
-/*
- * SHA2-256 functions
- */
-caddr_t
-eay_sha2_256_init()
-{
- SHA256_CTX *c = racoon_malloc(sizeof(*c));
-
- SHA256_Init(c);
-
- return((caddr_t)c);
-}
-
-void
-eay_sha2_256_update(c, data)
- caddr_t c;
- vchar_t *data;
-{
- SHA256_Update((SHA256_CTX *)c, (unsigned char *) data->v, data->l);
-
- return;
-}
-
-vchar_t *
-eay_sha2_256_final(c)
- caddr_t c;
-{
- vchar_t *res;
-
- if ((res = vmalloc(SHA256_DIGEST_LENGTH)) == 0)
- return(0);
-
- SHA256_Final((unsigned char *) res->v, (SHA256_CTX *)c);
- (void)racoon_free(c);
-
- return(res);
-}
-
-vchar_t *
-eay_sha2_256_one(data)
- vchar_t *data;
-{
- caddr_t ctx;
- vchar_t *res;
-
- ctx = eay_sha2_256_init();
- eay_sha2_256_update(ctx, data);
- res = eay_sha2_256_final(ctx);
-
- return(res);
-}
-
-int
-eay_sha2_256_hashlen()
-{
- return SHA256_DIGEST_LENGTH << 3;
-}
-#endif
-
-/*
- * SHA functions
- */
-caddr_t
-eay_sha1_init()
-{
- SHA_CTX *c = racoon_malloc(sizeof(*c));
-
- SHA1_Init(c);
-
- return((caddr_t)c);
-}
-
-void
-eay_sha1_update(c, data)
- caddr_t c;
- vchar_t *data;
-{
- SHA1_Update((SHA_CTX *)c, data->v, data->l);
-
- return;
-}
-
-vchar_t *
-eay_sha1_final(c)
- caddr_t c;
-{
- vchar_t *res;
-
- if ((res = vmalloc(SHA_DIGEST_LENGTH)) == 0)
- return(0);
-
- SHA1_Final((unsigned char *) res->v, (SHA_CTX *)c);
- (void)racoon_free(c);
-
- return(res);
-}
-
-vchar_t *
-eay_sha1_one(data)
- vchar_t *data;
-{
- caddr_t ctx;
- vchar_t *res;
-
- ctx = eay_sha1_init();
- eay_sha1_update(ctx, data);
- res = eay_sha1_final(ctx);
-
- return(res);
-}
-
-int
-eay_sha1_hashlen()
-{
- return SHA_DIGEST_LENGTH << 3;
-}
-
-/*
- * MD5 functions
- */
-caddr_t
-eay_md5_init()
-{
- MD5_CTX *c = racoon_malloc(sizeof(*c));
-
- MD5_Init(c);
-
- return((caddr_t)c);
-}
-
-void
-eay_md5_update(c, data)
- caddr_t c;
- vchar_t *data;
-{
- MD5_Update((MD5_CTX *)c, data->v, data->l);
-
- return;
-}
-
-vchar_t *
-eay_md5_final(c)
- caddr_t c;
-{
- vchar_t *res;
-
- if ((res = vmalloc(MD5_DIGEST_LENGTH)) == 0)
- return(0);
-
- MD5_Final((unsigned char *) res->v, (MD5_CTX *)c);
- (void)racoon_free(c);
-
- return(res);
-}
-
-vchar_t *
-eay_md5_one(data)
- vchar_t *data;
-{
- caddr_t ctx;
- vchar_t *res;
-
- ctx = eay_md5_init();
- eay_md5_update(ctx, data);
- res = eay_md5_final(ctx);
-
- return(res);
-}
-
-int
-eay_md5_hashlen()
-{
- return MD5_DIGEST_LENGTH << 3;
-}
-
-/*
- * eay_set_random
- * size: number of bytes.
- */
-vchar_t *
-eay_set_random(size)
- u_int32_t size;
-{
- BIGNUM *r = NULL;
- vchar_t *res = 0;
-
- if ((r = BN_new()) == NULL)
- goto end;
- BN_rand(r, size * 8, 0, 0);
- eay_bn2v(&res, r);
-
-end:
- if (r)
- BN_free(r);
- return(res);
-}
-
-/* DH */
-int
-eay_dh_generate(prime, g, publen, pub, priv)
- vchar_t *prime, **pub, **priv;
- u_int publen;
- u_int32_t g;
-{
- BIGNUM *p = NULL, *g_bn = NULL;
- DH *dh = NULL;
- int error = -1;
-
- /* initialize */
- /* pre-process to generate number */
- if (eay_v2bn(&p, prime) < 0)
- goto end;
-
- if ((dh = DH_new()) == NULL)
- goto end;
- if ((g_bn = BN_new()) == NULL)
- goto end;
- if (!BN_set_word(g_bn, g))
- goto end;
- if (!DH_set0_pqg(dh, p, NULL, g_bn))
- goto end;
- /* DH_set0_pqg takes ownership on success. */
- p = NULL;
- g_bn = NULL;
-
- if (publen != 0) {
- DH_set_length(dh, publen);
- }
-
- /* generate public and private number */
- if (!DH_generate_key(dh))
- goto end;
-
- /* copy results to buffers */
- if (eay_bn2v(pub, DH_get0_pub_key(dh)) < 0)
- goto end;
- if (eay_bn2v(priv, DH_get0_priv_key(dh)) < 0) {
- vfree(*pub);
- goto end;
- }
-
- error = 0;
-
-end:
- if (dh != NULL)
- DH_free(dh);
- if (p != NULL)
- BN_free(p);
- if (g_bn != NULL)
- BN_free(g_bn);
- return(error);
-}
-
-int
-eay_dh_compute(prime, g, pub, priv, pub2, key)
- vchar_t *prime, *pub, *priv, *pub2, **key;
- u_int32_t g;
-{
- BIGNUM *dh_pub = NULL;
- BIGNUM *dh_pub2 = NULL;
- BIGNUM *dh_priv = NULL;
- BIGNUM *dh_p = NULL;
- BIGNUM *dh_g = NULL;
- DH *dh = NULL;
- int l;
- unsigned char *v = NULL;
- int error = -1;
-
- /* make public number to compute */
- if (eay_v2bn(&dh_pub2, pub2) < 0)
- goto end;
-
- /* make DH structure */
- if ((dh = DH_new()) == NULL)
- goto end;
- if (eay_v2bn(&dh_p, prime) < 0)
- goto end;
- if (eay_v2bn(&dh_pub, pub) < 0)
- goto end;
- if (eay_v2bn(&dh_priv, priv) < 0)
- goto end;
- DH_set_length(dh, pub2->l * 8);
-
- if ((dh_g = BN_new()) == NULL)
- goto end;
- if (!BN_set_word(dh_g, g))
- goto end;
- if (!DH_set0_pqg(dh, dh_p, NULL, dh_g))
- goto end;
- /* DH_set0_pqg takes ownership on success. */
- dh_p = NULL;
- dh_g = NULL;
- if (!DH_set0_key(dh, dh_pub, dh_priv))
- goto end;
- /* DH_set0_key takes ownership on success. */
- dh_pub = NULL;
- dh_priv = NULL;
-
- if ((v = racoon_calloc(prime->l, sizeof(u_char))) == NULL)
- goto end;
- if ((l = DH_compute_key(v, dh_pub2, dh)) == -1)
- goto end;
- memcpy((*key)->v + (prime->l - l), v, l);
-
- error = 0;
-
-end:
- if (dh_pub != NULL)
- BN_free(dh_pub);
- if (dh_pub2 != NULL)
- BN_free(dh_pub2);
- if (dh_priv != NULL)
- BN_free(dh_priv);
- if (dh_p != NULL)
- BN_free(dh_p);
- if (dh_g != NULL)
- BN_free(dh_g);
- if (dh != NULL)
- DH_free(dh);
- if (v != NULL)
- racoon_free(v);
- return(error);
-}
-
-/*
- * convert vchar_t <-> BIGNUM.
- *
- * vchar_t: unit is u_char, network endian, most significant byte first.
- * BIGNUM: unit is BN_ULONG, each of BN_ULONG is in host endian,
- * least significant BN_ULONG must come first.
- *
- * hex value of "0x3ffe050104" is represented as follows:
- * vchar_t: 3f fe 05 01 04
- * BIGNUM (BN_ULONG = u_int8_t): 04 01 05 fe 3f
- * BIGNUM (BN_ULONG = u_int16_t): 0x0104 0xfe05 0x003f
- * BIGNUM (BN_ULONG = u_int32_t_t): 0xfe050104 0x0000003f
- */
-int
-eay_v2bn(bn, var)
- BIGNUM **bn;
- vchar_t *var;
-{
- if ((*bn = BN_bin2bn((unsigned char *) var->v, var->l, NULL)) == NULL)
- return -1;
-
- return 0;
-}
-
-int
-eay_bn2v(var, bn)
- vchar_t **var;
- const BIGNUM *bn;
-{
-#if defined(ANDROID_CHANGES)
- *var = vmalloc(BN_num_bytes(bn));
-#else
- *var = vmalloc(bn->top * BN_BYTES);
-#endif
- if (*var == NULL)
- return(-1);
-
- (*var)->l = BN_bn2bin(bn, (unsigned char *) (*var)->v);
-
- return 0;
-}
-
-void
-eay_init()
-{
- OpenSSL_add_all_algorithms();
- ERR_load_crypto_strings();
-#ifdef HAVE_OPENSSL_ENGINE_H
- ENGINE_load_builtin_engines();
- ENGINE_register_all_complete();
-#endif
-}
-
-vchar_t *
-base64_decode(char *in, long inlen)
-{
-#if defined(OPENSSL_IS_BORINGSSL)
- vchar_t *res;
- size_t decoded_size;
-
- if (!EVP_DecodedLength(&decoded_size, inlen)) {
- return NULL;
- }
- res = vmalloc(decoded_size);
- if (res == NULL) {
- return NULL;
- }
- if (!EVP_DecodeBase64((uint8_t*) res->v, &res->l, decoded_size, (uint8_t*) in, inlen)) {
- vfree(res);
- return NULL;
- }
- return res;
-#else
- BIO *bio=NULL, *b64=NULL;
- vchar_t *res = NULL;
- char *outb;
- long outlen;
-
- outb = malloc(inlen * 2);
- if (outb == NULL)
- goto out;
- bio = BIO_new_mem_buf(in, inlen);
- b64 = BIO_new(BIO_f_base64());
- BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL);
- bio = BIO_push(b64, bio);
-
- outlen = BIO_read(bio, outb, inlen * 2);
- if (outlen <= 0) {
- plog(LLV_ERROR, LOCATION, NULL, "%s\n", eay_strerror());
- goto out;
- }
-
- res = vmalloc(outlen);
- if (!res)
- goto out;
-
- memcpy(res->v, outb, outlen);
-
-out:
- if (outb)
- free(outb);
- if (bio)
- BIO_free_all(bio);
-
- return res;
-#endif
-}
-
-vchar_t *
-base64_encode(char *in, long inlen)
-{
-#if defined(OPENSSL_IS_BORINGSSL)
- vchar_t *res;
- size_t encoded_size;
-
- if (!EVP_EncodedLength(&encoded_size, inlen)) {
- return NULL;
- }
- res = vmalloc(encoded_size+1);
- if (res == NULL) {
- return NULL;
- }
- EVP_EncodeBlock((uint8_t*) res->v, (uint8_t*) in, inlen);
- res->v[encoded_size] = 0;
- return res;
-#else
- BIO *bio=NULL, *b64=NULL;
- char *ptr;
- long plen = -1;
- vchar_t *res = NULL;
-
- bio = BIO_new(BIO_s_mem());
- b64 = BIO_new(BIO_f_base64());
- BIO_set_flags(b64, BIO_FLAGS_BASE64_NO_NL);
- bio = BIO_push(b64, bio);
-
- BIO_write(bio, in, inlen);
- BIO_flush(bio);
-
- plen = BIO_get_mem_data(bio, &ptr);
- res = vmalloc(plen+1);
- if (!res)
- goto out;
-
- memcpy (res->v, ptr, plen);
- res->v[plen] = '\0';
-
-out:
- if (bio)
- BIO_free_all(bio);
-
- return res;
-#endif
-}
-
-static RSA *
-binbuf_pubkey2rsa(vchar_t *binbuf)
-{
- BIGNUM *exp, *mod;
- RSA *rsa_pub = NULL;
-
- if (binbuf->v[0] > binbuf->l - 1) {
- plog(LLV_ERROR, LOCATION, NULL, "Plain RSA pubkey format error: decoded string doesn't make sense.\n");
- goto out;
- }
-
- exp = BN_bin2bn((unsigned char *) (binbuf->v + 1), binbuf->v[0], NULL);
- mod = BN_bin2bn((unsigned char *) (binbuf->v + binbuf->v[0] + 1),
- binbuf->l - binbuf->v[0] - 1, NULL);
- rsa_pub = RSA_new();
-
- if (!exp || !mod || !rsa_pub || !RSA_set0_key(rsa_pub, mod, exp, NULL)) {
- plog(LLV_ERROR, LOCATION, NULL, "Plain RSA pubkey parsing error: %s\n", eay_strerror());
- if (exp)
- BN_free(exp);
- if (mod)
- BN_free(exp);
- if (rsa_pub)
- RSA_free(rsa_pub);
- rsa_pub = NULL;
- goto out;
- }
- /* RSA_set0_key takes ownership of mod and exp on success. */
-
-out:
- return rsa_pub;
-}
-
-RSA *
-base64_pubkey2rsa(char *in)
-{
- BIGNUM *exp, *mod;
- RSA *rsa_pub = NULL;
- vchar_t *binbuf;
-
- if (strncmp(in, "0s", 2) != 0) {
- plog(LLV_ERROR, LOCATION, NULL, "Plain RSA pubkey format error: doesn't start with '0s'\n");
- return NULL;
- }
-
- binbuf = base64_decode(in + 2, strlen(in + 2));
- if (!binbuf) {
- plog(LLV_ERROR, LOCATION, NULL, "Plain RSA pubkey format error: Base64 decoding failed.\n");
- return NULL;
- }
-
- if (binbuf->v[0] > binbuf->l - 1) {
- plog(LLV_ERROR, LOCATION, NULL, "Plain RSA pubkey format error: decoded string doesn't make sense.\n");
- goto out;
- }
-
- rsa_pub = binbuf_pubkey2rsa(binbuf);
-
-out:
- if (binbuf)
- vfree(binbuf);
-
- return rsa_pub;
-}
-
-RSA *
-bignum_pubkey2rsa(BIGNUM *in)
-{
- RSA *rsa_pub = NULL;
- vchar_t *binbuf;
-
- binbuf = vmalloc(BN_num_bytes(in));
- if (!binbuf) {
- plog(LLV_ERROR, LOCATION, NULL, "Plain RSA pubkey conversion: memory allocation failed..\n");
- return NULL;
- }
-
- BN_bn2bin(in, (unsigned char *) binbuf->v);
-
- rsa_pub = binbuf_pubkey2rsa(binbuf);
-
-out:
- if (binbuf)
- vfree(binbuf);
-
- return rsa_pub;
-}
-
-u_int32_t
-eay_random()
-{
- u_int32_t result;
- vchar_t *vrand;
-
- vrand = eay_set_random(sizeof(result));
- memcpy(&result, vrand->v, sizeof(result));
- vfree(vrand);
-
- return result;
-}
-
-const char *
-eay_version()
-{
-#if defined(OPENSSL_IS_BORINGSSL)
- return "(BoringSSL)";
-#else
- return SSLeay_version(SSLEAY_VERSION);
-#endif
-}
diff --git a/src/racoon/crypto_openssl.h b/src/racoon/crypto_openssl.h
deleted file mode 100644
index 983ffe5..0000000
--- a/src/racoon/crypto_openssl.h
+++ /dev/null
@@ -1,234 +0,0 @@
-/* $NetBSD: crypto_openssl.h,v 1.5 2006/10/06 12:02:27 manu Exp $ */
-
-/* Id: crypto_openssl.h,v 1.11 2004/11/13 11:28:01 manubsd Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _CRYPTO_OPENSSL_H
-#define _CRYPTO_OPENSSL_H
-
-#include "crypto_openssl.h"
-
-#include <openssl/x509v3.h>
-#include <openssl/rsa.h>
-
-#define GENT_OTHERNAME GEN_OTHERNAME
-#define GENT_EMAIL GEN_EMAIL
-#define GENT_DNS GEN_DNS
-#define GENT_X400 GEN_X400
-#define GENT_DIRNAME GEN_DIRNAME
-#define GENT_EDIPARTY GEN_EDIPARTY
-#define GENT_URI GEN_URI
-#define GENT_IPADD GEN_IPADD
-#define GENT_RID GEN_RID
-
-extern vchar_t *eay_str2asn1dn __P((const char *, int));
-extern vchar_t *eay_hex2asn1dn __P((const char *, int));
-extern int eay_cmp_asn1dn __P((vchar_t *, vchar_t *));
-extern int eay_check_x509cert __P((vchar_t *, char *, char *, int));
-extern vchar_t *eay_get_x509asn1subjectname __P((vchar_t *));
-extern int eay_get_x509subjectaltname __P((vchar_t *, char **, int *, int));
-extern char *eay_get_x509text __P((vchar_t *));
-extern vchar_t *eay_get_x509cert __P((char *));
-extern vchar_t *eay_get_x509sign __P((vchar_t *, vchar_t *));
-extern int eay_check_x509sign __P((vchar_t *, vchar_t *, vchar_t *));
-
-extern int eay_check_rsasign __P((vchar_t *, vchar_t *, RSA *));
-extern vchar_t *eay_get_rsasign __P((vchar_t *, RSA *));
-
-/* RSA */
-extern vchar_t *eay_rsa_sign __P((vchar_t *, RSA *));
-extern int eay_rsa_verify __P((vchar_t *, vchar_t *, RSA *));
-
-/* ASN.1 */
-extern vchar_t *eay_get_pkcs1privkey __P((char *));
-extern vchar_t *eay_get_pkcs1pubkey __P((char *));
-
-/* string error */
-extern char *eay_strerror __P((void));
-
-/* OpenSSL initialization */
-extern void eay_init __P((void));
-
-/* Generic EVP */
-extern vchar_t *evp_crypt __P((vchar_t *data, vchar_t *key, vchar_t *iv,
- const EVP_CIPHER *e, int enc));
-extern int evp_weakkey __P((vchar_t *key, const EVP_CIPHER *e));
-extern int evp_keylen __P((int len, const EVP_CIPHER *e));
-
-/* DES */
-extern vchar_t *eay_des_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern vchar_t *eay_des_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern int eay_des_weakkey __P((vchar_t *));
-extern int eay_des_keylen __P((int));
-
-/* IDEA */
-extern vchar_t *eay_idea_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern vchar_t *eay_idea_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern int eay_idea_weakkey __P((vchar_t *));
-extern int eay_idea_keylen __P((int));
-
-/* blowfish */
-extern vchar_t *eay_bf_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern vchar_t *eay_bf_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern int eay_bf_weakkey __P((vchar_t *));
-extern int eay_bf_keylen __P((int));
-
-/* RC5 */
-extern vchar_t *eay_rc5_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern vchar_t *eay_rc5_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern int eay_rc5_weakkey __P((vchar_t *));
-extern int eay_rc5_keylen __P((int));
-
-/* 3DES */
-extern vchar_t *eay_3des_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern vchar_t *eay_3des_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern int eay_3des_weakkey __P((vchar_t *));
-extern int eay_3des_keylen __P((int));
-
-/* CAST */
-extern vchar_t *eay_cast_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern vchar_t *eay_cast_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern int eay_cast_weakkey __P((vchar_t *));
-extern int eay_cast_keylen __P((int));
-
-/* AES(RIJNDAEL) */
-extern vchar_t *eay_aes_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern vchar_t *eay_aes_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern int eay_aes_weakkey __P((vchar_t *));
-extern int eay_aes_keylen __P((int));
-
-#if defined(HAVE_OPENSSL_CAMELLIA_H)
-/* Camellia */
-extern vchar_t *eay_camellia_encrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern vchar_t *eay_camellia_decrypt __P((vchar_t *, vchar_t *, vchar_t *));
-extern int eay_camellia_weakkey __P((vchar_t *));
-extern int eay_camellia_keylen __P((int));
-#endif
-
-/* misc */
-extern int eay_null_keylen __P((int));
-extern int eay_null_hashlen __P((void));
-extern int eay_kpdk_hashlen __P((void));
-extern int eay_twofish_keylen __P((int));
-
-/* hash */
-#if defined(WITH_SHA2)
-/* HMAC SHA2 */
-extern vchar_t *eay_hmacsha2_512_one __P((vchar_t *, vchar_t *));
-extern caddr_t eay_hmacsha2_512_init __P((vchar_t *));
-extern void eay_hmacsha2_512_update __P((caddr_t, vchar_t *));
-extern vchar_t *eay_hmacsha2_512_final __P((caddr_t));
-extern vchar_t *eay_hmacsha2_384_one __P((vchar_t *, vchar_t *));
-extern caddr_t eay_hmacsha2_384_init __P((vchar_t *));
-extern void eay_hmacsha2_384_update __P((caddr_t, vchar_t *));
-extern vchar_t *eay_hmacsha2_384_final __P((caddr_t));
-extern vchar_t *eay_hmacsha2_256_one __P((vchar_t *, vchar_t *));
-extern caddr_t eay_hmacsha2_256_init __P((vchar_t *));
-extern void eay_hmacsha2_256_update __P((caddr_t, vchar_t *));
-extern vchar_t *eay_hmacsha2_256_final __P((caddr_t));
-#endif
-/* HMAC SHA1 */
-extern vchar_t *eay_hmacsha1_one __P((vchar_t *, vchar_t *));
-extern caddr_t eay_hmacsha1_init __P((vchar_t *));
-extern void eay_hmacsha1_update __P((caddr_t, vchar_t *));
-extern vchar_t *eay_hmacsha1_final __P((caddr_t));
-/* HMAC MD5 */
-extern vchar_t *eay_hmacmd5_one __P((vchar_t *, vchar_t *));
-extern caddr_t eay_hmacmd5_init __P((vchar_t *));
-extern void eay_hmacmd5_update __P((caddr_t, vchar_t *));
-extern vchar_t *eay_hmacmd5_final __P((caddr_t));
-
-#if defined(WITH_SHA2)
-/* SHA2 functions */
-extern caddr_t eay_sha2_512_init __P((void));
-extern void eay_sha2_512_update __P((caddr_t, vchar_t *));
-extern vchar_t *eay_sha2_512_final __P((caddr_t));
-extern vchar_t *eay_sha2_512_one __P((vchar_t *));
-#endif
-extern int eay_sha2_512_hashlen __P((void));
-
-#if defined(WITH_SHA2)
-extern caddr_t eay_sha2_384_init __P((void));
-extern void eay_sha2_384_update __P((caddr_t, vchar_t *));
-extern vchar_t *eay_sha2_384_final __P((caddr_t));
-extern vchar_t *eay_sha2_384_one __P((vchar_t *));
-#endif
-extern int eay_sha2_384_hashlen __P((void));
-
-#if defined(WITH_SHA2)
-extern caddr_t eay_sha2_256_init __P((void));
-extern void eay_sha2_256_update __P((caddr_t, vchar_t *));
-extern vchar_t *eay_sha2_256_final __P((caddr_t));
-extern vchar_t *eay_sha2_256_one __P((vchar_t *));
-#endif
-extern int eay_sha2_256_hashlen __P((void));
-
-/* SHA functions */
-extern caddr_t eay_sha1_init __P((void));
-extern void eay_sha1_update __P((caddr_t, vchar_t *));
-extern vchar_t *eay_sha1_final __P((caddr_t));
-extern vchar_t *eay_sha1_one __P((vchar_t *));
-extern int eay_sha1_hashlen __P((void));
-
-/* MD5 functions */
-extern caddr_t eay_md5_init __P((void));
-extern void eay_md5_update __P((caddr_t, vchar_t *));
-extern vchar_t *eay_md5_final __P((caddr_t));
-extern vchar_t *eay_md5_one __P((vchar_t *));
-extern int eay_md5_hashlen __P((void));
-
-/* RNG */
-extern vchar_t *eay_set_random __P((u_int32_t));
-extern u_int32_t eay_random __P((void));
-
-/* DH */
-extern int eay_dh_generate __P((vchar_t *, u_int32_t, u_int, vchar_t **, vchar_t **));
-extern int eay_dh_compute __P((vchar_t *, u_int32_t, vchar_t *, vchar_t *, vchar_t *, vchar_t **));
-
-/* Base 64 */
-vchar_t *base64_encode(char *in, long inlen);
-vchar_t *base64_decode(char *in, long inlen);
-
-RSA *base64_pubkey2rsa(char *in);
-RSA *bignum_pubkey2rsa(BIGNUM *in);
-
-/* misc */
-extern int eay_revbnl __P((vchar_t *));
-#include <openssl/bn.h>
-extern int eay_v2bn __P((BIGNUM **, vchar_t *));
-extern int eay_bn2v __P((vchar_t **, const BIGNUM *));
-
-extern const char *eay_version __P((void));
-
-#define CBC_BLOCKLEN 8
-#define IPSEC_ENCRYPTKEYLEN 8
-
-#endif /* _CRYPTO_OPENSSL_H */
diff --git a/src/racoon/debug.h b/src/racoon/debug.h
deleted file mode 100644
index 47c2641..0000000
--- a/src/racoon/debug.h
+++ /dev/null
@@ -1,41 +0,0 @@
-/* $NetBSD: debug.h,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* Id: debug.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _DEBUG_H
-#define _DEBUG_H
-
-/* define by main.c */
-extern int f_local;
-extern int vflag;
-
-#endif /* _DEBUG_H */
diff --git a/src/racoon/debugrm.h b/src/racoon/debugrm.h
deleted file mode 100644
index 6a2f411..0000000
--- a/src/racoon/debugrm.h
+++ /dev/null
@@ -1,102 +0,0 @@
-/* $NetBSD: debugrm.h,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* Id: debugrm.h,v 1.4 2006/04/06 14:00:06 manubsd Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _DEBUGRM_H
-#define _DEBUGRM_H
-
-#define DRMDUMPFILE "/var/tmp/debugrm.dump"
-
-#ifdef NONEED_DRM
-#ifndef racoon_malloc
-#define racoon_malloc(sz) malloc((sz))
-#endif
-#ifndef racoon_calloc
-#define racoon_calloc(cnt, sz) calloc((cnt), (sz))
-#endif
-#ifndef racoon_realloc
-#define racoon_realloc(old, sz) realloc((old), (sz))
-#endif
-#ifndef racoon_free
-#define racoon_free(p) free((p))
-#endif
-#ifndef racoon_strdup
-#define racoon_strdup(p) strdup((p))
-#endif
-#else /*!NONEED_DRM*/
-#ifndef racoon_malloc
-#define racoon_malloc(sz) \
- DRM_malloc(__FILE__, __LINE__, __func__, (sz))
-#endif
-#ifndef racoon_calloc
-#define racoon_calloc(cnt, sz) \
- DRM_calloc(__FILE__, __LINE__, __func__, (cnt), (sz))
-#endif
-#ifndef racoon_realloc
-#define racoon_realloc(old, sz) \
- DRM_realloc(__FILE__, __LINE__, __func__, (old), (sz))
-#endif
-#ifndef racoon_free
-#define racoon_free(p) \
- DRM_free(__FILE__, __LINE__, __func__, (p))
-#endif
-#ifndef racoon_strdup
-#define racoon_strdup(p) \
- DRM_strdup(__FILE__, __LINE__, __func__, (p))
-#endif
-#endif /*NONEED_DRM*/
-
-extern void DRM_init __P((void));
-extern void DRM_dump __P((void));
-extern void *DRM_malloc __P((char *, int, char *, size_t));
-extern void *DRM_calloc __P((char *, int, char *, size_t, size_t));
-extern void *DRM_realloc __P((char *, int, char *, void *, size_t));
-extern void DRM_free __P((char *, int, char *, void *));
-extern char *DRM_strdup __P((char *, int, char *, const char *));
-
-#ifndef NONEED_DRM
-#define vmalloc(sz) \
- DRM_vmalloc(__FILE__, __LINE__, __func__, (sz))
-#define vdup(old) \
- DRM_vdup(__FILE__, __LINE__, __func__, (old))
-#define vrealloc(old, sz) \
- DRM_vrealloc(__FILE__, __LINE__, __func__, (old), (sz))
-#define vfree(p) \
- DRM_vfree(__FILE__, __LINE__, __func__, (p))
-#endif
-
-extern void *DRM_vmalloc __P((char *, int, char *, size_t));
-extern void *DRM_vrealloc __P((char *, int, char *, void *, size_t));
-extern void DRM_vfree __P((char *, int, char *, void *));
-extern void *DRM_vdup __P((char *, int, char *, void *));
-
-#endif /* _DEBUGRM_H */
diff --git a/src/racoon/dhgroup.h b/src/racoon/dhgroup.h
deleted file mode 100644
index 54d7eeb..0000000
--- a/src/racoon/dhgroup.h
+++ /dev/null
@@ -1,205 +0,0 @@
-/* $NetBSD: dhgroup.h,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* Id: dhgroup.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _DHGROUP_H
-#define _DHGROUP_H
-
-#define OAKLEY_PRIME_MODP768 \
- "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
- "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
- "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
- "E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF"
-
-#define OAKLEY_PRIME_MODP1024 \
- "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
- "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
- "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
- "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
- "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381" \
- "FFFFFFFF FFFFFFFF"
-
-#define OAKLEY_PRIME_MODP1536 \
- "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
- "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
- "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
- "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
- "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" \
- "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" \
- "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
- "670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF"
-
-/* RFC 3526 */
-#define OAKLEY_PRIME_MODP2048 \
- "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
- "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
- "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
- "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
- "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" \
- "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" \
- "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
- "670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B" \
- "E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9" \
- "DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510" \
- "15728E5A 8AACAA68 FFFFFFFF FFFFFFFF"
-
-#define OAKLEY_PRIME_MODP3072 \
- "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
- "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
- "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
- "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
- "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" \
- "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" \
- "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
- "670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B" \
- "E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9" \
- "DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510" \
- "15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64" \
- "ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7" \
- "ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B" \
- "F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C" \
- "BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31" \
- "43DB5BFC E0FD108E 4B82D120 A93AD2CA FFFFFFFF FFFFFFFF"
-
-#define OAKLEY_PRIME_MODP4096 \
- "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
- "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
- "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
- "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
- "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" \
- "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" \
- "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
- "670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B" \
- "E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9" \
- "DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510" \
- "15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64" \
- "ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7" \
- "ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B" \
- "F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C" \
- "BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31" \
- "43DB5BFC E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7" \
- "88719A10 BDBA5B26 99C32718 6AF4E23C 1A946834 B6150BDA" \
- "2583E9CA 2AD44CE8 DBBBC2DB 04DE8EF9 2E8EFC14 1FBECAA6" \
- "287C5947 4E6BC05D 99B2964F A090C3A2 233BA186 515BE7ED" \
- "1F612970 CEE2D7AF B81BDD76 2170481C D0069127 D5B05AA9" \
- "93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34063199" \
- "FFFFFFFF FFFFFFFF"
-
-#define OAKLEY_PRIME_MODP6144 \
- "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
- "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
- "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
- "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
- "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" \
- "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" \
- "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
- "670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B" \
- "E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9" \
- "DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510" \
- "15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64" \
- "ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7" \
- "ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B" \
- "F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C" \
- "BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31" \
- "43DB5BFC E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7" \
- "88719A10 BDBA5B26 99C32718 6AF4E23C 1A946834 B6150BDA" \
- "2583E9CA 2AD44CE8 DBBBC2DB 04DE8EF9 2E8EFC14 1FBECAA6" \
- "287C5947 4E6BC05D 99B2964F A090C3A2 233BA186 515BE7ED" \
- "1F612970 CEE2D7AF B81BDD76 2170481C D0069127 D5B05AA9" \
- "93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34028492" \
- "36C3FAB4 D27C7026 C1D4DCB2 602646DE C9751E76 3DBA37BD" \
- "F8FF9406 AD9E530E E5DB382F 413001AE B06A53ED 9027D831" \
- "179727B0 865A8918 DA3EDBEB CF9B14ED 44CE6CBA CED4BB1B" \
- "DB7F1447 E6CC254B 33205151 2BD7AF42 6FB8F401 378CD2BF" \
- "5983CA01 C64B92EC F032EA15 D1721D03 F482D7CE 6E74FEF6" \
- "D55E702F 46980C82 B5A84031 900B1C9E 59E7C97F BEC7E8F3" \
- "23A97A7E 36CC88BE 0F1D45B7 FF585AC5 4BD407B2 2B4154AA" \
- "CC8F6D7E BF48E1D8 14CC5ED2 0F8037E0 A79715EE F29BE328" \
- "06A1D58B B7C5DA76 F550AA3D 8A1FBFF0 EB19CCB1 A313D55C" \
- "DA56C9EC 2EF29632 387FE8D7 6E3C0468 043E8F66 3F4860EE" \
- "12BF2D5B 0B7474D6 E694F91E 6DCC4024 FFFFFFFF FFFFFFFF"
-
-#define OAKLEY_PRIME_MODP8192 \
- "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
- "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
- "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
- "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
- "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" \
- "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" \
- "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
- "670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B" \
- "E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9" \
- "DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510" \
- "15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64" \
- "ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7" \
- "ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B" \
- "F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C" \
- "BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31" \
- "43DB5BFC E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7" \
- "88719A10 BDBA5B26 99C32718 6AF4E23C 1A946834 B6150BDA" \
- "2583E9CA 2AD44CE8 DBBBC2DB 04DE8EF9 2E8EFC14 1FBECAA6" \
- "287C5947 4E6BC05D 99B2964F A090C3A2 233BA186 515BE7ED" \
- "1F612970 CEE2D7AF B81BDD76 2170481C D0069127 D5B05AA9" \
- "93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34028492" \
- "36C3FAB4 D27C7026 C1D4DCB2 602646DE C9751E76 3DBA37BD" \
- "F8FF9406 AD9E530E E5DB382F 413001AE B06A53ED 9027D831" \
- "179727B0 865A8918 DA3EDBEB CF9B14ED 44CE6CBA CED4BB1B" \
- "DB7F1447 E6CC254B 33205151 2BD7AF42 6FB8F401 378CD2BF" \
- "5983CA01 C64B92EC F032EA15 D1721D03 F482D7CE 6E74FEF6" \
- "D55E702F 46980C82 B5A84031 900B1C9E 59E7C97F BEC7E8F3" \
- "23A97A7E 36CC88BE 0F1D45B7 FF585AC5 4BD407B2 2B4154AA" \
- "CC8F6D7E BF48E1D8 14CC5ED2 0F8037E0 A79715EE F29BE328" \
- "06A1D58B B7C5DA76 F550AA3D 8A1FBFF0 EB19CCB1 A313D55C" \
- "DA56C9EC 2EF29632 387FE8D7 6E3C0468 043E8F66 3F4860EE" \
- "12BF2D5B 0B7474D6 E694F91E 6DBE1159 74A3926F 12FEE5E4" \
- "38777CB6 A932DF8C D8BEC4D0 73B931BA 3BC832B6 8D9DD300" \
- "741FA7BF 8AFC47ED 2576F693 6BA42466 3AAB639C 5AE4F568" \
- "3423B474 2BF1C978 238F16CB E39D652D E3FDB8BE FC848AD9" \
- "22222E04 A4037C07 13EB57A8 1A23F0C7 3473FC64 6CEA306B" \
- "4BCBC886 2F8385DD FA9D4B7F A2C087E8 79683303 ED5BDD3A" \
- "062B3CF5 B3A278A6 6D2A13F8 3F44F82D DF310EE0 74AB6A36" \
- "4597E899 A0255DC1 64F31CC5 0846851D F9AB4819 5DED7EA1" \
- "B1D510BD 7EE74D73 FAF36BC3 1ECFA268 359046F4 EB879F92" \
- "4009438B 481C6CD7 889A002E D5EE382B C9190DA6 FC026E47" \
- "9558E447 5677E9AA 9E3050E2 765694DF C81F56E8 80B96E71" \
- "60C980DD 98EDD3DF FFFFFFFF FFFFFFFF"
-
-extern struct dhgroup dh_modp768;
-extern struct dhgroup dh_modp1024;
-extern struct dhgroup dh_modp1536;
-extern struct dhgroup dh_modp2048;
-extern struct dhgroup dh_modp3072;
-extern struct dhgroup dh_modp4096;
-extern struct dhgroup dh_modp6144;
-extern struct dhgroup dh_modp8192;
-
-#endif /* _DHGROUP_H */
diff --git a/src/racoon/dnssec.c b/src/racoon/dnssec.c
deleted file mode 100644
index 1fc0bd1..0000000
--- a/src/racoon/dnssec.c
+++ /dev/null
@@ -1,154 +0,0 @@
-/* $NetBSD: dnssec.c,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* $KAME: dnssec.c,v 1.2 2001/08/05 18:46:07 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "var.h"
-#include "vmbuf.h"
-#include "misc.h"
-#include "plog.h"
-#include "debug.h"
-
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "ipsec_doi.h"
-#include "oakley.h"
-#include "netdb_dnssec.h"
-#include "strnames.h"
-#include "dnssec.h"
-#include "gcmalloc.h"
-
-extern int h_errno;
-
-cert_t *
-dnssec_getcert(id)
- vchar_t *id;
-{
- cert_t *cert = NULL;
- struct certinfo *res = NULL;
- struct ipsecdoi_id_b *id_b;
- int type;
- char *name = NULL;
- int namelen;
- int error;
-
- id_b = (struct ipsecdoi_id_b *)id->v;
-
- namelen = id->l - sizeof(*id_b);
- name = racoon_malloc(namelen + 1);
- if (!name) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get buffer.\n");
- return NULL;
- }
- memcpy(name, id_b + 1, namelen);
- name[namelen] = '\0';
-
- switch (id_b->type) {
- case IPSECDOI_ID_FQDN:
- error = getcertsbyname(name, &res);
- if (error != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "getcertsbyname(\"%s\") failed.\n", name);
- goto err;
- }
- break;
- case IPSECDOI_ID_IPV4_ADDR:
- case IPSECDOI_ID_IPV6_ADDR:
- /* XXX should be processed to query PTR ? */
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "inpropper ID type passed %s "
- "though getcert method is dnssec.\n",
- s_ipsecdoi_ident(id_b->type));
- goto err;
- }
-
- /* check response */
- if (res->ci_next != NULL) {
- plog(LLV_WARNING, LOCATION, NULL,
- "not supported multiple CERT RR.\n");
- }
- switch (res->ci_type) {
- case DNSSEC_TYPE_PKIX:
- /* XXX is it enough condition to set this type ? */
- type = ISAKMP_CERT_X509SIGN;
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "not supported CERT RR type %d.\n", res->ci_type);
- goto err;
- }
-
- /* create cert holder */
- cert = oakley_newcert();
- if (cert == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get cert buffer.\n");
- goto err;
- }
- cert->pl = vmalloc(res->ci_certlen + 1);
- if (cert->pl == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get cert buffer.\n");
- goto err;
- }
- memcpy(cert->pl->v + 1, res->ci_cert, res->ci_certlen);
- cert->pl->v[0] = type;
- cert->cert.v = cert->pl->v + 1;
- cert->cert.l = cert->pl->l - 1;
-
- plog(LLV_DEBUG, LOCATION, NULL, "created CERT payload:\n");
- plogdump(LLV_DEBUG, cert->pl->v, cert->pl->l);
-
-end:
- if (res)
- freecertinfo(res);
-
- return cert;
-
-err:
- if (name)
- racoon_free(name);
- if (cert) {
- oakley_delcert(cert);
- cert = NULL;
- }
-
- goto end;
-}
diff --git a/src/racoon/dnssec.h b/src/racoon/dnssec.h
deleted file mode 100644
index fb1c931..0000000
--- a/src/racoon/dnssec.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/* $NetBSD: dnssec.h,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* Id: dnssec.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _DNSSEC_H
-#define _DNSSEC_H
-
-extern cert_t *dnssec_getcert __P((vchar_t *));
-
-#endif /* _DNSSEC_H */
diff --git a/src/racoon/doc/FAQ b/src/racoon/doc/FAQ
deleted file mode 100644
index 0ab49f0..0000000
--- a/src/racoon/doc/FAQ
+++ /dev/null
@@ -1,114 +0,0 @@
-This document is derived from the KAME racoon FAQ. Some answers do not
-apply to ipsec-tools (they are obsolete or not up to date). They are
-tagged [KAME]
-
-Q: With what other IKE/IPsec implementation racoon is known to be interoperable?
-
-A: [KAME]
- See "IMPLEMENTATION" document supplied with KAME kit, or:
- http://www.kame.net/dev/cvsweb.cgi/kame/IMPLEMENTATION
- As we have tested/got test reports in the past, and our end and
- the other end may have changed their implemenations, we are not sure
- if we can interoperate with them today (we hope them to interoperate,
- but we are not sure).
- Also note that, IKE interoperability highly depends on configuration
- on both ends. You must configure both ends exactly the same.
-
-Q: How can I make racoon interoperate with <IKE/IPsec implementation>?
-
-A:
- Configure both ends exactly the same. With just a tiny little
- differnce, you will be in trouble.
-
-Q: How to build racoon on my platform?
-
-A:
- As usual: configure && make && make install
- ipsec-tools is also available as a package in the NetBSD pkgsrc
-
-Q: Describe me the options to "configure".
-
-A:
- --enable-adminport:
- Lets racoon to listen to racoon admin port, which is to
- be contacted by racoonctl(8).
- --enable-natt:
- Enable NAT-Traversal. This needs kernel support, which is
- available on Linux. On NetBSD, NAT-Traversal kernel support
- has not been integrated yet, you can get it from here:
- http://ipsec-tools.sourceforge.net/netbsd_nat-t.diff
- If you live in a country where software patents are legal,
- using NAT-Traversal might infringe a patent.
- --enable-broken-natt:
- When ipsec-tools is built with --enable-natt, racoon
- sets IKE ports in SAD and SPD so that the kernel is
- able to ditinguish peers hidden behind the same NAT.
- Some kernel will not cope with that ports. Use that
- option to force the ports to 0 in SAD ans SPD. Of
- course this means that you cannot have multiple peers
- behind the same NAT.
- --enable-frag:
- Enable IKE fragmentation, which is a workaround for
- broken routers that drop fragmented packets
- --enable-hybrid:
- Enable hybrid authentication, and ISAKMP mode config and
- Xauth as well. Note that plain Xauth (without hybrid auth)
- is not implemented.
- --with-libradius:
- Enable the use of RADIUS with hybrid authentication on the
- server side. RADIUS is used for authentication, configuration
- and accounting.
- --with-libpam:
- Enable the use of PAM with hybrid authentication on the
- server side. PAM can be used for authentication and accounting.
- --enable-gssapi:
- Enable GSS-API, for Kerberos V support.
- --enable-stats:
- Enable statistics logging function.
- --enable-samode-unspec:
- Enable to use unspecified a mode of SA.
- --enable-ipv6:
- Enable IPv6 support.
- --with-kernel-headers:
- Supply the location of Linux kernel headers.
- --with-readline:
- Support readline input (yes by default).
- --with-openssl:
- Specify OpenSSL directory.
- --sysconfdir:
- Where racoon config file goes. Default is /etc, which means
- that racoon will look for /etc/racoon.conf
- --localstatedir:
- Where is the directory where racoon stores the control socket
- (when using --enable-adminport). Default is /var, which
- means racoon will use /var/racoon/racoon.sock
- --prefix:
- Where racoon gets installed.
-
-Q: How can I get help?
-
-A:
- Always identify your operating system platforms, the versions you are
- using (like "ipsec-tools-0.5"), and information to repeat the
- problem. The more revelant information you supply, the better your
- chances of getting help are. Useful informations include, depending
- of the problem:
- - version identification
- - trace from racoon, taken by "racoon -d 0xffffffff"
- (maximum debug level)
- - configuration file you are using
- - probabaly, tcpdump trace
- http://orange.kame.net/dev/send-pr.html has the guideline.
-
- If your question is not confidential, send your questions to:
- <ipsec-tools-devel@lists.sourceforge.net>
-
- If your question is confidential, send your questions to:
- <ipsec-tools-core@lists.sourceforge.net>
-
-Q: Other documents to look at?
-
-A:
- http://www.netbsd.org/Documentation/network/ipsec/
- http://www.kame.net/
- http://www.kame.net/newsletter/
diff --git a/src/racoon/doc/README.certificate b/src/racoon/doc/README.certificate
deleted file mode 100644
index a8bbfa2..0000000
--- a/src/racoon/doc/README.certificate
+++ /dev/null
@@ -1 +0,0 @@
-See http://www.kame.net/newsletter/20001119b/
diff --git a/src/racoon/doc/README.gssapi b/src/racoon/doc/README.gssapi
deleted file mode 100644
index 9cb3fbb..0000000
--- a/src/racoon/doc/README.gssapi
+++ /dev/null
@@ -1,106 +0,0 @@
-The gss-api authentication mechanism implementation for racoon was
-based on the ietf draft draft-ietf-ipsec-isakmp-gss-auth-06.txt.
-
-The implementation uses the Heimdal gss-api library, i.e. gss-api
-on top of Kerberos 5. The Heimdal gss-api library had to be modified
-to meet the requirements of using gss-api in a daemon. More specifically,
-the gss_acquire_cred() call did not work for other cases than
-GSS_C_NO_CREDENTIAL ("use default creds"). Daemons are often started
-as root, and have no Kerberos 5 credentials, so racoon explicitly
-needs to acquire its credentials. The usual method (already used
-by login authentication daemons) in these situations is to add
-a set of special credentials to be used. For example, authentication
-by daemons concerned with login credentials, uses 'host/fqdn' as
-its credential, where fqdn is the hostname on the interface that
-is being used. These special credentials need to be extracted into
-a local keytab from the kdc. The default value used in racoon
-is 'ike/fqdn', but it can be overridden in the racoon config file.
-
-The modification to the Heimdal gss-api library implements the
-mechanism above. If a credential other than GSS_C_NO_CREDENTIAL
-is specified to gss_acquire_cred(), it first looks in the default
-credential cache if it its principal matches the desired credential.
-If not, it extracts it from the default keytab file, and stores
-it in a memory-based credential cache, part of the gss credential
-structure.
-
-
-
-The modifcations to racoon itself are as follows:
-
- * The racoon.conf config file accepts a new keyword, "gssapi_id",
- to be used inside a proposal specification. It specifies
- a string (a Kerberos 5 principal in this case), specifying the
- credential that racoon will try to acquire. The default value
- is 'ike/fqdn', where fqdn is the hostname for the interface
- being used for the exchange. If the id is not specified, no
- GSS endpoint attribute will be specified in the first SA sent.
- However, if the initiator does specify a GSS endpoint attribute,
- racoon will always respond with its own GSS endpoint name
- in the SA (the default one if not specified by this option).
-
- * The racoon.conf file accepts "gssapi_krb" as authentication
- method inside a proposal specification. The number used
- for this method is 65001, which is a temporary number as
- specified in the draft.
-
- * The cftoken.l and cfparse.y source files were modified to
- pick up the configuration options. The original sources
- stored algorithms in bitmask, which unfortunately meant
- that the maximum value was 32, clearly not enough for 65001.
- After consulting with the author (sakane@kame.net), it turned
- out that method was a leftover, and no longer needed. I replaced
- it with plain integers.
-
- * The gss-api specific code was concentrated as much as possible
- in gssapi.c and gssapi.h. The code to call functions defined
- in these files is conditional on HAVE_GSSAPI, except for the
- config scan code. Specifying this flag on the compiler commandline
- is conditional on the --enable-gssapi option to the configure
- script.
-
- * Racoon seems to want to send accepted SA proposals back to
- the initiator in a verbatim fashion, leaving no room to
- insert the (variable-length) GSS endpoint name attribute.
- I worked around this by re-assembling the extracted SA
- into a new SA if the gssapi_krb method is used, and the
- initiator sent the name attribute. This scheme should
- possibly be re-examined by the racoon maintainers, storing
- the SAs (the transformations, to be more precise) in a different
- fashion to allow for variable-length attributes to be
- re-inserted would be a good change, but I considered it to be
- beyond the scope of this project.
-
- * The various state functions for aggressive and main mode
- (in isakmp_agg.c and isakmp_ident.c respectively) were
- changed to conditionally change their behavior if the
- gssapi_krb method is specified.
-
-
-This implementation tried to follow the specification in the ietf draft
-as close as possible. However, it has not been tested against other
-IKE daemon implementations. The only other one I know of is Windows 2000,
-and it has some caveats. I attempted to be Windows 2000 compatible.
-Should racoon be tried against Windows 2000, the gssapi_id option in
-the config file must be used, as Windows 2000 expects the GSS endpoint
-name to be sent at all times. I have my doubts as to the W2K compatibility,
-because the spec describes the GSS endpoint name sent by W2K as
-an unicode string 'xxx@domain', which doesn't seem to match the
-required standard for gss-api + kerberos 5 (i.e. I am fairly certain
-that such a string will be rejected by the Heimdal gss-api library, as it
-is not a valid Kerberos 5 principal).
-
-With the Heimdal gss-api implementation, the gssapi_krb authentication
-method will only work in main mode. Aggressive mode does not allow
-for the extra round-trips needed by gss_init_sec_context and
-gss_accept_sec_context when mutual authentication is requested.
-The draft specifies that the a fallback should be done to main mode,
-through the return of INVALID-EXCHANGE-TYPE if it turns out that
-the gss-api mechanisms needs more roundtrips. This is implemented.
-Unfortunately, racoon does not seem to properly fall back to
-its next mode, and this is not specific to the gssapi_krb method.
-So, to avoid problems, only specify main mode in the config file.
-
-
- -- Frank van der Linden <fvdl@wasabisystems.com>
-
diff --git a/src/racoon/doc/README.plainrsa b/src/racoon/doc/README.plainrsa
deleted file mode 100644
index 36de09c..0000000
--- a/src/racoon/doc/README.plainrsa
+++ /dev/null
@@ -1,109 +0,0 @@
-HOW-TO use plainrsa auth, contributed by Simon Chang <simonychang@gmail.com>
-
-Before you begin, you should understand that the RSA authentication
-mechanism hinges upon the idea of a split cryptographic key: one used
-by the public, the other readable only to you. Any data that is
-encrypted by a public key can be decrypted only by the corresponding
-private key, so that the private key user can be assured that the
-content of the transmission has not been examined by unauthorized
-parties. Similarly, any data encrypted by the private key can be
-decrypted by the public key so that the public knows that this
-transmission came from this user and nobody else (this idea is called
-non-repudiation). Also, the longer the key length, the more difficult
-it would be for potential attacker to conduct brute-force discovery of
-the keys. So, what all this means for the security administrator is
-that the setup needs a pair of reasonably long keys for each host that
-wishes to authenticate in this manner.
-
-With this in mind, it should be relatively straightforward to set up
-RSA authentication. For the purpose of this document, we assume that
-we are setting up RSA authentication between two networked hosts
-called Boston and Chicago. Unless otherwise noted, all steps should
-be performed on both hosts with corresponding key names. Here are the
-steps:
-
-1) Included in each default installation of ipsec-tools is a binary
-called plainrsa-gen. This executable is used to generate a pair of
-RSA keys for the host. There are only two parameters that you should
-be concerned about: -b, which sets the number of bits for the keys,
-and -f, which specifies the output file for plainrsa-gen to send the
-results. On an ordinary Pentium-II with 128 MB of RAM, it takes only
-seconds to generate keys that are 2048 bits long, and only slightly
-longer to generate 4096-bit keys. Either key length should be
-sufficient; any longer key length actually reduces performance and
-does not increase security significantly. You should therefore run it
-as:
-
- plainrsa-gen -b 2048 -f /var/tmp/boston.keys
-
-2) When the process completes, you should have a text file that
-includes both public and private keys. GUARD THIS FILE CAREFULLY,
-because once a private key is compromised it is no longer any good,
-and you must generate a new pair from scratch. Reading the file
-itself, you should see several very long lines of alphanumeric data.
-The only line you should be concerned with is the line towards the top
-of the output file that begins with "# pubkey=0sAQPAmBdT/" or
-something to that effect. This line is your public key, which should
-be made available to the other host that you are setting up. Copy
-this line to a separate file called "boston.pub" and change the
-beginning of the line so that it reads ": PUB 0sAQPAmBdT/".
-Alternatively, you can also grab the first line of the boston.keys
-file and uncomment the line so that it reads the same as above. Now
-rename the file you generated initially to "boston.priv".
-
-3) You should now have two files, boston.priv and boston.pub
-(chicago.priv and chicago.pub on Chicago). The first file contains
-your private key and the second file your public key. Next you should
-find a way to get the public key over to the other host involved.
-Boston should have (1) its own key pair, and (2) Chicago's public key
-ONLY. Do not copy Chicago's private key over to Boston, because (a)
-it is not necessary, and (b) you would now have two potential places
-for losing control of your private key.
-
-4) You should now configure the racoon.conf configuration file for
-each host to (a) turn on RSA authentication, and (b) designate each
-host's private key and the remote host(s)'s public key(s). Take all
-your keys and place it in one directory and use the global directive
-"path certificate" to specify the location of the keys. This step is
-especially important if you are running racoon with privilege
-separation, because if racoon cannot find the keys inside the
-directory you have just specified it will fail the authentication
-process. So, write the directive like the following:
-
- path certificate "/etc/racoon";
-
-Next, you need to specify the host's own private key and the public
-keys of all the remote peers involved. For your local private key and
-remote public key(s), you should use the following directives:
-
- certificate_type plain_rsa "/etc/racoon/boston.priv";
- peers_certfile plain_rsa "/etc/racoon/chicago.pub";
-
-Notice the option "plain_rsa" for both directives.
-
-Finally, under the "proposal" statement section, you should specify
-the "rsasig" option for "authentication_method".
-
-5) You have finished configuring the host for RSA authentication.
-Now use racoonctl to reload the configuration or simply restart the
-machine and you should be all set.
-
-TROUBLESHOOTING
-
-In the event that the hosts fail to communicate, first go back to the
-instructions above and make sure that:
-
-1) You have placed all the keys in the directory that is specified by
-the "path certificate" directive. Keep in mind that privilege
-separation will force racoon to look into that directory and nowhere
-else.
-2) You have specified correctly the host's own private key and the
-remote peer's public key.
-3) You have specified the "rsasig" method for authentication in the
-proposal statement.
-
-If you run into any further problems, you should try to use "racoon
--v" to debug the setup, and send a copy of the debug messages to the
-mailing list so that we can help you determine what the problem is.
-
-Last modified: $Date: 2006/12/10 05:51:14 $
diff --git a/src/racoon/dump.h b/src/racoon/dump.h
deleted file mode 100644
index 3e8a5df..0000000
--- a/src/racoon/dump.h
+++ /dev/null
@@ -1,41 +0,0 @@
-/* $NetBSD: dump.h,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* Id: dump.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp */
-
-/*
- * Copyright (C) 2000 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _DUMP_H
-#define _DUMP_H
-
-extern int isakmp_dump_open __P((char *));
-extern int isakmp_dump_close __P((void));
-extern int isakmp_dump __P((vchar_t *, struct sockaddr *, struct sockaddr *));
-
-#endif /* _DUMP_H */
diff --git a/src/racoon/eaytest.c b/src/racoon/eaytest.c
deleted file mode 100644
index 323ecef..0000000
--- a/src/racoon/eaytest.c
+++ /dev/null
@@ -1,1068 +0,0 @@
-/* $NetBSD: eaytest.c,v 1.7.6.2 2008/07/15 00:55:48 mgrooms Exp $ */
-
-/* Id: eaytest.c,v 1.22 2005/06/19 18:02:54 manubsd Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <limits.h>
-#include <dirent.h>
-#include <fcntl.h>
-#include <unistd.h>
-#include <err.h>
-
-#include <openssl/bio.h>
-#include <openssl/pem.h>
-
-#include "var.h"
-#include "vmbuf.h"
-#include "misc.h"
-#include "debug.h"
-#include "str2val.h"
-#include "plog.h"
-
-#include "oakley.h"
-#include "dhgroup.h"
-#include "crypto_openssl.h"
-#include "gnuc.h"
-
-#include "package_version.h"
-
-#define PVDUMP(var) racoon_hexdump((var)->v, (var)->l)
-
-/*#define CERTTEST_BROKEN */
-
-/* prototype */
-
-static vchar_t *pem_read_buf __P((char *));
-void Usage __P((void));
-
-int rsatest __P((int, char **));
-int ciphertest __P((int, char **));
-int hmactest __P((int, char **));
-int sha1test __P((int, char **));
-int md5test __P((int, char **));
-int dhtest __P((int, char **));
-int bntest __P((int, char **));
-#ifndef CERTTEST_BROKEN
-static char **getcerts __P((char *));
-int certtest __P((int, char **));
-#endif
-
-/* test */
-
-static int
-rsa_verify_with_pubkey(src, sig, pubkey_txt)
- vchar_t *src, *sig;
- char *pubkey_txt;
-{
- BIO *bio;
- EVP_PKEY *evp;
- int error;
-
- bio = BIO_new_mem_buf(pubkey_txt, strlen(pubkey_txt));
- evp = PEM_read_bio_PUBKEY(bio, NULL, NULL, NULL);
- if (! evp) {
- printf ("PEM_read_PUBKEY(): %s\n", eay_strerror());
- return -1;
- }
- error = eay_check_rsasign(src, sig, evp->pkey.rsa);
-
- return error;
-}
-
-int
-rsatest(ac, av)
- int ac;
- char **av;
-{
- char *text = "this is test.";
- vchar_t src;
- vchar_t *priv, *sig;
- int loglevel_saved;
-
- char *pkcs1 =
-"-----BEGIN RSA PRIVATE KEY-----\n"
-"MIICXQIBAAKBgQChe5/Fzk9SA0vCKBOcu9jBcLb9oLv50PeuEfQojhakY+OH8A3Q\n"
-"M8A0qIDG6uhTNGPvzCWb/+mKeOB48n5HJpLxlDFyP3kyd2yXHIZ/MN8g1nh4FsB0\n"
-"iTkk8QUCJkkan6FCOBrIeLEsGA5AdodzuR+khnCMt8vO+NFHZYKAQeynyQIDAQAB\n"
-"AoGAOfDcnCHxjhDGrwyoNNWl6Yqi7hAtQm67YAbrH14UO7nnmxAENM9MyNgpFLaW\n"
-"07v5m8IZQIcradcDXAJOUwNBN8E06UflwEYCaScIwndvr5UpVlN3e2NC6Wyg2yC7\n"
-"GarxQput3zj35XNR5bK42UneU0H6zDxpHWqI1SwE+ToAHu0CQQDNl9gUJTpg0L09\n"
-"HkbE5jeb8bA5I20nKqBOBP0v5tnzpwu41umQwk9I7Ru0ucD7j+DW4k8otadW+FnI\n"
-"G1M1MpSjAkEAyRMt4bN8otfpOpsOQWzw4jQtouohOxRFCrQTntHhU20PrQnQLZWs\n"
-"pOVzqCjRytYtkPEUA1z8QK5gGcVPcOQsowJBALmt2rwPB1NrEo5Bat7noO+Zb3Ob\n"
-"WDiYWeE8xkHd95gDlSWiC53ur9aINo6ZeP556jGIgL+el/yHHecJLrQL84sCQH48\n"
-"zUxq/C/cb++8UzneJGlPqusiJNTLiAENR1gpmlZfHT1c8Nb9phMsfu0vG29GAfuC\n"
-"bzchVLljALCNQK+2gRMCQQCNIgN+R9mRWZhFAcC1sq++YnuSBlw4VwdL/fd1Yg9e\n"
-"Ul+U98yPl/NXt8Rs4TRBFcOZjkFI8xv0hQtevTgTmgz+\n"
-"-----END RSA PRIVATE KEY-----\n\n";
- char *pubkey =
-"-----BEGIN PUBLIC KEY-----\n"
-"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQChe5/Fzk9SA0vCKBOcu9jBcLb9\n"
-"oLv50PeuEfQojhakY+OH8A3QM8A0qIDG6uhTNGPvzCWb/+mKeOB48n5HJpLxlDFy\n"
-"P3kyd2yXHIZ/MN8g1nh4FsB0iTkk8QUCJkkan6FCOBrIeLEsGA5AdodzuR+khnCM\n"
-"t8vO+NFHZYKAQeynyQIDAQAB\n"
-"-----END PUBLIC KEY-----\n\n";
- char *pubkey_wrong =
-"-----BEGIN PUBLIC KEY-----\n"
-"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwDncG2tSokRBhK8la1mO\n"
-"QnUpxg6KvpoFUjEyRiIE1GRap5V6jCCEOmA9ZAz4Oa/97oxewwMWtchIxSBZVCia\n"
-"H9oGasbOFzrtSR+MKl6Cb/Ow3Fu+PKbHTsnfTk/nOOWyaQh91PRD7fdwHe8L9P7w\n"
-"2kFPmDW6+RNKIR4OErhXf1O0eSShPe0TO3vx43O7dWqhmh3Kgr4Jq7zAGqHtwu0B\n"
-"RFZnmsocOnVZb2yAHndp51/Mk1H37ThHwN7qMx7RqrS3ru3XtchpJd9IQJPBIRfY\n"
-"VYQ68u5ix/Z80Y6VkRf0qnAvel8B6D3N3Zyq5u7G60PfvvtCybeMn7nVrSMxqMW/\n"
-"xwIDAQAB\n"
-"-----END PUBLIC KEY-----\n\n";
-
- printf ("%s", pkcs1);
- printf ("%s", pubkey);
- priv = pem_read_buf(pkcs1);
-
- src.v = text;
- src.l = strlen(text);
-
- /* sign */
- sig = eay_get_x509sign(&src, priv);
- if (sig == NULL) {
- printf("sign failed. %s\n", eay_strerror());
- return -1;
- }
-
- printf("RSA signed data.\n");
- PVDUMP(sig);
-
- printf("Verification with correct pubkey: ");
- if (rsa_verify_with_pubkey (&src, sig, pubkey) != 0) {
- printf ("Failed.\n");
- return -1;
- }
- else
- printf ("Verified. Good.\n");
-
- loglevel_saved = loglevel;
- loglevel = 0;
- printf("Verification with wrong pubkey: ");
- if (rsa_verify_with_pubkey (&src, sig, pubkey_wrong) != 0)
- printf ("Not verified. Good.\n");
- else {
- printf ("Verified. This is bad...\n");
- loglevel = loglevel_saved;
- return -1;
- }
- loglevel = loglevel_saved;
-
- return 0;
-}
-
-static vchar_t *
-pem_read_buf(buf)
- char *buf;
-{
- BIO *bio;
- char *nm = NULL, *header = NULL;
- unsigned char *data = NULL;
- long len;
- vchar_t *ret;
- int error;
-
- bio = BIO_new_mem_buf(buf, strlen(buf));
- error = PEM_read_bio(bio, &nm, &header, &data, &len);
- if (error == 0)
- errx(1, "%s", eay_strerror());
- ret = vmalloc(len);
- if (ret == NULL)
- err(1, "vmalloc");
- memcpy(ret->v, data, len);
-
- return ret;
-}
-
-#ifndef CERTTEST_BROKEN
-int
-certtest(ac, av)
- int ac;
- char **av;
-{
- char *certpath;
- char **certs;
- int type;
- int error;
-
- printf("\n**Test for Certificate.**\n");
-
- {
- vchar_t *asn1dn = NULL, asn1dn0;
-#ifdef ORIG_DN
- char dnstr[] = "C=JP, ST=Kanagawa, L=Fujisawa, O=WIDE Project, OU=KAME Project, CN=Shoichi Sakane/Email=sakane@kame.net";
- char *dnstr_w1 = NULL;
- char *dnstr_w2 = NULL;
- char dn0[] = {
- 0x30,0x81,0x9a,0x31,0x0b,0x30,0x09,0x06,
- 0x03,0x55,0x04,0x06,0x13,0x02,0x4a,0x50,
- 0x31,0x11,0x30,0x0f,0x06,0x03,0x55,0x04,
- 0x08,0x13,0x08,0x4b,0x61,0x6e,0x61,0x67,
- 0x61,0x77,0x61,0x31,0x11,0x30,0x0f,0x06,
- 0x03,0x55,0x04,0x07,0x13,0x08,0x46,0x75,
- 0x6a,0x69,0x73,0x61,0x77,0x61,0x31,0x15,
- 0x30,0x13,0x06,0x03,0x55,0x04,0x0a,0x13,
- 0x0c,0x57,0x49,0x44,0x45,0x20,0x50,0x72,
- 0x6f,0x6a,0x65,0x63,0x74,0x31,0x15,0x30,
- 0x13,0x06,0x03,0x55,0x04,0x0b,0x13,0x0c,
- 0x4b,0x41,0x4d,0x45,0x20,0x50,0x72,0x6f,
- 0x6a,0x65,0x63,0x74,0x31,0x17,0x30,0x15,
- 0x06,0x03,0x55,0x04,0x03,0x13,0x0e,0x53,
- 0x68,0x6f,0x69,0x63,0x68,0x69,0x20,0x53,
- 0x61,0x6b,0x61,0x6e,0x65,0x31,0x1e,0x30,
- 0x1c,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,
- 0x0d,0x01,0x09,0x01,
- 0x0c, /* <== XXX */
- 0x0f,0x73,0x61,
- 0x6b,0x61,0x6e,0x65,0x40,0x6b,0x61,0x6d,
- 0x65,0x2e,0x6e,0x65,0x74,
- };
-#else /* not ORIG_DN */
- char dnstr[] = "C=JP, ST=Kanagawa, L=Fujisawa, O=WIDE Project, OU=KAME Project, CN=Shoichi Sakane";
- char dnstr_w1[] = "C=JP, ST=Kanagawa, L=Fujisawa, O=WIDE Project, OU=*, CN=Shoichi Sakane";
- char dnstr_w2[] = "C=JP, ST=Kanagawa, L=Fujisawa, O=WIDE Project, OU=KAME Project, CN=*";
- char dn0[] = {
- 0x30,0x7a,0x31,0x0b,0x30,0x09,0x06,0x03,
- 0x55,0x04,0x06,0x13,0x02,0x4a,0x50,0x31,
- 0x11,0x30,0x0f,0x06,0x03,0x55,0x04,0x08,
- 0x13,0x08,0x4b,0x61,0x6e,0x61,0x67,0x61,
- 0x77,0x61,0x31,0x11,0x30,0x0f,0x06,0x03,
- 0x55,0x04,0x07,0x13,0x08,0x46,0x75,0x6a,
- 0x69,0x73,0x61,0x77,0x61,0x31,0x15,0x30,
- 0x13,0x06,0x03,0x55,0x04,0x0a,0x13,0x0c,
- 0x57,0x49,0x44,0x45,0x20,0x50,0x72,0x6f,
- 0x6a,0x65,0x63,0x74,0x31,0x15,0x30,0x13,
- 0x06,0x03,0x55,0x04,0x0b,0x13,0x0c,0x4b,
- 0x41,0x4d,0x45,0x20,0x50,0x72,0x6f,0x6a,
- 0x65,0x63,0x74,0x31,0x17,0x30,0x15,0x06,
- 0x03,0x55,0x04,0x03,0x13,0x0e,0x53,0x68,
- 0x6f,0x69,0x63,0x68,0x69,0x20,0x53,0x61,
- 0x6b,0x61,0x6e,0x65,
- };
-#endif /* ORIG_DN */
-
- printf("check to convert the string into subjectName.\n");
- printf("%s\n", dnstr);
-
- asn1dn0.v = dn0;
- asn1dn0.l = sizeof(dn0);
-
- asn1dn = eay_str2asn1dn(dnstr, strlen(dnstr));
- if (asn1dn == NULL || asn1dn->l != asn1dn0.l)
-#ifdef OUTPUT_VALID_ASN1DN
- {
- unsigned char *cp; int i;
- printf("asn1dn length mismatched (%zu != %zu).\n", asn1dn ? asn1dn->l : -1, asn1dn0.l);
- for (cp = asn1dn->v, i = 0; i < asn1dn->l; i++)
- printf ("0x%02x,", *cp++);
- exit (1);
- }
-#else
- errx(1, "asn1dn length mismatched (%zu != %zu).\n", asn1dn ? asn1dn->l : -1, asn1dn0.l);
-#endif
-
- /*
- * NOTE: The value pointed by "<==" above is different from the
- * return of eay_str2asn1dn(). but eay_cmp_asn1dn() can distinguish
- * both of the names are same name.
- */
- if (eay_cmp_asn1dn(&asn1dn0, asn1dn))
- errx(1, "asn1dn mismatched.\n");
- vfree(asn1dn);
-
- printf("exact match: succeed.\n");
-
- if (dnstr_w1 != NULL) {
- asn1dn = eay_str2asn1dn(dnstr_w1, strlen(dnstr_w1));
- if (asn1dn == NULL || asn1dn->l == asn1dn0.l)
- errx(1, "asn1dn length wrong for wildcard 1\n");
- if (eay_cmp_asn1dn(&asn1dn0, asn1dn))
- errx(1, "asn1dn mismatched for wildcard 1.\n");
- vfree(asn1dn);
- printf("wildcard 1 match: succeed.\n");
- }
-
- if (dnstr_w1 != NULL) {
- asn1dn = eay_str2asn1dn(dnstr_w2, strlen(dnstr_w2));
- if (asn1dn == NULL || asn1dn->l == asn1dn0.l)
- errx(1, "asn1dn length wrong for wildcard 2\n");
- if (eay_cmp_asn1dn(&asn1dn0, asn1dn))
- errx(1, "asn1dn mismatched for wildcard 2.\n");
- vfree(asn1dn);
- printf("wildcard 2 match: succeed.\n");
- }
-
- }
- eay_init();
-
- /* get certs */
- if (ac > 1) {
- certpath = *(av + 1);
- certs = getcerts(certpath);
- } else {
-#ifdef ORIG_DN
- printf("\nCAUTION: These certificates are probably invalid "
- "on your environment because you don't have their "
- "issuer's certs in your environment.\n\n");
-
- certpath = "/usr/local/openssl/certs";
- certs = getcerts(NULL);
-#else
- printf("\nWARNING: The main certificates are probably invalid "
- "on your environment\nbecause you don't have their "
- "issuer's certs in your environment\nso not doing "
- "this test.\n\n");
- return (0);
-#endif
- }
-
- while (*certs != NULL) {
-
- vchar_t c;
- char *str;
- vchar_t *vstr;
-
- printf("===CERT===\n");
-
- c.v = *certs;
- c.l = strlen(*certs);
-
- /* print text */
- str = eay_get_x509text(&c);
- printf("%s", str);
- racoon_free(str);
-
- /* print ASN.1 of subject name */
- vstr = eay_get_x509asn1subjectname(&c);
- if (!vstr)
- return 0;
- PVDUMP(vstr);
- printf("\n");
- vfree(vstr);
-
- /* print subject alt name */
- {
- int pos;
- for (pos = 1; ; pos++) {
- error = eay_get_x509subjectaltname(&c, &str, &type, pos);
- if (error) {
- printf("no subjectaltname found.\n");
- break;
- }
- if (!str)
- break;
- printf("SubjectAltName: %d: %s\n", type, str);
- racoon_free(str);
- }
- }
-
- /* NULL => name of the certificate file */
- error = eay_check_x509cert(&c, certpath, NULL, 1);
- if (error)
- printf("ERROR: cert is invalid.\n");
- printf("\n");
-
- certs++;
- }
- return 0;
-}
-
-static char **
-getcerts(path)
- char *path;
-{
- char **certs = NULL, **p;
- DIR *dirp;
- struct dirent *dp;
- struct stat sb;
- char buf[512];
- int len;
- int n;
- int fd;
-
- static char *samplecerts[] = {
-/* self signed */
-"-----BEGIN CERTIFICATE-----\n"
-"MIICpTCCAg4CAQAwDQYJKoZIhvcNAQEEBQAwgZoxCzAJBgNVBAYTAkpQMREwDwYD\n"
-"VQQIEwhLYW5hZ2F3YTERMA8GA1UEBxMIRnVqaXNhd2ExFTATBgNVBAoTDFdJREUg\n"
-"UHJvamVjdDEVMBMGA1UECxMMS0FNRSBQcm9qZWN0MRcwFQYDVQQDEw5TaG9pY2hp\n"
-"IFNha2FuZTEeMBwGCSqGSIb3DQEJARYPc2FrYW5lQGthbWUubmV0MB4XDTAwMDgy\n"
-"NDAxMzc0NFoXDTAwMDkyMzAxMzc0NFowgZoxCzAJBgNVBAYTAkpQMREwDwYDVQQI\n"
-"EwhLYW5hZ2F3YTERMA8GA1UEBxMIRnVqaXNhd2ExFTATBgNVBAoTDFdJREUgUHJv\n"
-"amVjdDEVMBMGA1UECxMMS0FNRSBQcm9qZWN0MRcwFQYDVQQDEw5TaG9pY2hpIFNh\n"
-"a2FuZTEeMBwGCSqGSIb3DQEJARYPc2FrYW5lQGthbWUubmV0MIGfMA0GCSqGSIb3\n"
-"DQEBAQUAA4GNADCBiQKBgQCpIQG/H3zn4czAmPBcbkDrYxE1A9vcpghpib3Of0Op\n"
-"SsiWIBOyIMiVAzK/I/JotWp3Vdn5fzGp/7DGAbWXAALas2xHkNmTMPpu6qhmNQ57\n"
-"kJHZHal24mgc1hwbrI9fb5olvIexx9a1riNPnKMRVHzXYizsyMbf+lJJmZ8QFhWN\n"
-"twIDAQABMA0GCSqGSIb3DQEBBAUAA4GBACKs6X/BYycuHI3iop403R3XWMHHnNBN\n"
-"5XTHVWiWgR1cMWkq/dp51gn+nPftpdAaYGpqGkiHGhZcXLoBaX9uON3p+7av+sQN\n"
-"plXwnvUf2Zsgu+fojskS0gKcDlYiq1O8TOaBgJouFZgr1q6PiYjVEJGogAP28+HN\n"
-"M4o+GBFbFoqK\n"
-"-----END CERTIFICATE-----\n\n",
-/* signed by SSH testing CA + CA1 + CA2 */
-"-----BEGIN X509 CERTIFICATE-----\n"
-"MIICtTCCAj+gAwIBAgIEOaR8NjANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJG\n"
-"STEkMCIGA1UEChMbU1NIIENvbW11bmljYXRpb25zIFNlY3VyaXR5MREwDwYDVQQL\n"
-"EwhXZWIgdGVzdDEbMBkGA1UEAxMSVGVzdCBDQSAxIHN1YiBjYSAyMB4XDTAwMDgy\n"
-"NDAwMDAwMFoXDTAwMTAwMTAwMDAwMFowgZoxCzAJBgNVBAYTAkpQMREwDwYDVQQI\n"
-"EwhLYW5hZ2F3YTERMA8GA1UEBxMIRnVqaXNhd2ExFTATBgNVBAoTDFdJREUgUHJv\n"
-"amVjdDEVMBMGA1UECxMMS0FNRSBQcm9qZWN0MRcwFQYDVQQDEw5TaG9pY2hpIFNh\n"
-"a2FuZTEeMBwGCSqGSIb3DQEJAQwPc2FrYW5lQGthbWUubmV0MIGfMA0GCSqGSIb3\n"
-"DQEBAQUAA4GNADCBiQKBgQCpIQG/H3zn4czAmPBcbkDrYxE1A9vcpghpib3Of0Op\n"
-"SsiWIBOyIMiVAzK/I/JotWp3Vdn5fzGp/7DGAbWXAALas2xHkNmTMPpu6qhmNQ57\n"
-"kJHZHal24mgc1hwbrI9fb5olvIexx9a1riNPnKMRVHzXYizsyMbf+lJJmZ8QFhWN\n"
-"twIDAQABo18wXTALBgNVHQ8EBAMCBaAwGgYDVR0RBBMwEYEPc2FrYW5lQGthbWUu\n"
-"bmV0MDIGA1UdHwQrMCkwJ6AloCOGIWh0dHA6Ly9sZGFwLnNzaC5maS9jcmxzL2Nh\n"
-"MS0yLmNybDANBgkqhkiG9w0BAQUFAANhADtaqual41OWshF/rwCTuR6zySBJysGp\n"
-"+qjkp5efCiYKhAu1L4WXlMsV/SNdzspui5tHasPBvUw8gzFsU/VW/B2zuQZkimf1\n"
-"u6ZPjUb/vt8vLOPScP5MeH7xrTk9iigsqQ==\n"
-"-----END X509 CERTIFICATE-----\n\n",
-/* VP100 */
-"-----BEGIN CERTIFICATE-----\n"
-"MIICXzCCAcigAwIBAgIEOXGBIzANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJG\n"
-"STEkMCIGA1UEChMbU1NIIENvbW11bmljYXRpb25zIFNlY3VyaXR5MREwDwYDVQQL\n"
-"EwhXZWIgdGVzdDESMBAGA1UEAxMJVGVzdCBDQSAxMB4XDTAwMDcxNjAwMDAwMFoX\n"
-"DTAwMDkwMTAwMDAwMFowNTELMAkGA1UEBhMCanAxETAPBgNVBAoTCHRhaGl0ZXN0\n"
-"MRMwEQYDVQQDEwpmdXJ1a2F3YS0xMIGdMA0GCSqGSIb3DQEBAQUAA4GLADCBhwKB\n"
-"gQDUmI2RaAuoLvtRDbASwRhbkj/Oq0BBIKgAqbFknc/EanJSQwZQu82gD88nf7gG\n"
-"VEioWmKPLDuEjz5JCuM+k5f7HYHI1wWmz1KFr7UA+avZm4Kp6YKnhuH7soZp7kBL\n"
-"hTiZEpL0jdmCWLW3ZXoro55rmPrBsCd+bt8VU6tRZm5dUwIBKaNZMFcwCwYDVR0P\n"
-"BAQDAgWgMBYGA1UdEQQPMA2CBVZQMTAwhwQKFIaFMDAGA1UdHwQpMCcwJaAjoCGG\n"
-"H2h0dHA6Ly9sZGFwLnNzaC5maS9jcmxzL2NhMS5jcmwwDQYJKoZIhvcNAQEFBQAD\n"
-"gYEAKJ/2Co/KYW65mwpGG3CBvsoRL8xyUMHGt6gQpFLHiiHuAdix1ADTL6uoFuYi\n"
-"4sE5omQm1wKVv2ZhS03zDtUfKoVEv0HZ7IY3AU/FZT/M5gQvbt43Dki/ma3ock2I\n"
-"PPhbLsvXm+GCVh3jvkYGk1zr7VERVeTPtmT+hW63lcxfFp4=\n"
-"-----END CERTIFICATE-----\n\n",
-/* IKED */
-"-----BEGIN CERTIFICATE-----\n"
-"MIIEFTCCA7+gAwIBAgIKYU5X6AAAAAAACTANBgkqhkiG9w0BAQUFADCBljEpMCcG\n"
-"CSqGSIb3DQEJARYaeS13YXRhbmFAc2RsLmhpdGFjaGkuY28uanAxCzAJBgNVBAYT\n"
-"AkpQMREwDwYDVQQIEwhLQU5BR0FXQTERMA8GA1UEBxMIWW9rb2hhbWExEDAOBgNV\n"
-"BAoTB0hJVEFDSEkxDDAKBgNVBAsTA1NETDEWMBQGA1UEAxMNSVBzZWMgVGVzdCBD\n"
-"QTAeFw0wMDA3MTUwMjUxNDdaFw0wMTA3MTUwMzAxNDdaMEUxCzAJBgNVBAYTAkpQ\n"
-"MREwDwYDVQQIEwhLQU5BR0FXQTEQMA4GA1UEChMHSElUQUNISTERMA8GA1UEAxMI\n"
-"V0FUQU5BQkUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA6Wja5A7Ldzrtx+rMWHEB\n"
-"Cyt+/ZoG0qdFQbuuUiU1vOSq+1f+ZSCYAdTq13Lrr6Xfz3jDVFEZLPID9PSTFwq+\n"
-"yQIDAQABo4ICPTCCAjkwDgYDVR0PAQH/BAQDAgTwMBMGA1UdJQQMMAoGCCsGAQUF\n"
-"CAICMB0GA1UdDgQWBBTkv7/MH5Ra+S1zBAmnUIH5w8ZTUTCB0gYDVR0jBIHKMIHH\n"
-"gBQsF2qoaTl5F3GFLKrttaxPJ8j4faGBnKSBmTCBljEpMCcGCSqGSIb3DQEJARYa\n"
-"eS13YXRhbmFAc2RsLmhpdGFjaGkuY28uanAxCzAJBgNVBAYTAkpQMREwDwYDVQQI\n"
-"EwhLQU5BR0FXQTERMA8GA1UEBxMIWW9rb2hhbWExEDAOBgNVBAoTB0hJVEFDSEkx\n"
-"DDAKBgNVBAsTA1NETDEWMBQGA1UEAxMNSVBzZWMgVGVzdCBDQYIQeccIf4GYDIBA\n"
-"rS6HSUt8XjB7BgNVHR8EdDByMDagNKAyhjBodHRwOi8vZmxvcmEyMjAvQ2VydEVu\n"
-"cm9sbC9JUHNlYyUyMFRlc3QlMjBDQS5jcmwwOKA2oDSGMmZpbGU6Ly9cXGZsb3Jh\n"
-"MjIwXENlcnRFbnJvbGxcSVBzZWMlMjBUZXN0JTIwQ0EuY3JsMIGgBggrBgEFBQcB\n"
-"AQSBkzCBkDBFBggrBgEFBQcwAoY5aHR0cDovL2Zsb3JhMjIwL0NlcnRFbnJvbGwv\n"
-"ZmxvcmEyMjBfSVBzZWMlMjBUZXN0JTIwQ0EuY3J0MEcGCCsGAQUFBzAChjtmaWxl\n"
-"Oi8vXFxmbG9yYTIyMFxDZXJ0RW5yb2xsXGZsb3JhMjIwX0lQc2VjJTIwVGVzdCUy\n"
-"MENBLmNydDANBgkqhkiG9w0BAQUFAANBAG8yZAWHb6g3zba453Hw5loojVDZO6fD\n"
-"9lCsyaxeo9/+7x1JEEcdZ6qL7KKqe7ZBwza+hIN0ITkp2WEWo22gTz4=\n"
-"-----END CERTIFICATE-----\n\n",
-/* From Entrust */
-"-----BEGIN CERTIFICATE-----\n"
-"MIIDXTCCAsagAwIBAgIEOb6khTANBgkqhkiG9w0BAQUFADA4MQswCQYDVQQGEwJV\n"
-"UzEQMA4GA1UEChMHRW50cnVzdDEXMBUGA1UECxMOVlBOIEludGVyb3AgUk8wHhcN\n"
-"MDAwOTE4MjMwMDM3WhcNMDMwOTE4MjMzMDM3WjBTMQswCQYDVQQGEwJVUzEQMA4G\n"
-"A1UEChMHRW50cnVzdDEXMBUGA1UECxMOVlBOIEludGVyb3AgUk8xGTAXBgNVBAMT\n"
-"EFNob2ljaGkgU2FrYW5lIDIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKj3\n"
-"eXSt1qXxFXzpa265B/NQYk5BZN7pNJg0tlTKBTVV3UgpQ92Bx5DoNfZh11oIv0Sw\n"
-"6YnG5p9F9ma36U9HDoD3hVTjAvQKy4ssCsnU1y6v5XOU1QvYQo6UTzgsXUTaIau4\n"
-"Lrccl+nyoiNzy3lG51tLR8CxuA+3OOAK9xPjszClAgMBAAGjggFXMIIBUzBABgNV\n"
-"HREEOTA3gQ9zYWthbmVAa2FtZS5uZXSHBM6vIHWCHjIwNi0xNzUtMzItMTE3LnZw\n"
-"bndvcmtzaG9wLmNvbTATBgNVHSUEDDAKBggrBgEFBQgCAjALBgNVHQ8EBAMCAKAw\n"
-"KwYDVR0QBCQwIoAPMjAwMDA5MTgyMzAwMzdagQ8yMDAyMTAyNTExMzAzN1owWgYD\n"
-"VR0fBFMwUTBPoE2gS6RJMEcxCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFbnRydXN0\n"
-"MRcwFQYDVQQLEw5WUE4gSW50ZXJvcCBSTzENMAsGA1UEAxMEQ1JMMTAfBgNVHSME\n"
-"GDAWgBTzVmhu0tBoWKwkZE5mXpooE9630DAdBgNVHQ4EFgQUEgBHPtXggJqei5Xz\n"
-"92CrWXTJxfAwCQYDVR0TBAIwADAZBgkqhkiG9n0HQQAEDDAKGwRWNS4wAwIEsDAN\n"
-"BgkqhkiG9w0BAQUFAAOBgQCIFriNGMUE8GH5LuDrTJfA8uGx8vLy2seljuo694TR\n"
-"et/ojp9QnfOJ1PF9iAdGaEaSLfkwhY4fZNZzxic5HBoHLeo9BXLP7i7FByXjvOZC\n"
-"Y8++0dC8NVvendIILcJBM5nbDq1TqIbb8K3SP80XhO5JLVJkoZiQftAMjo0peZPO\n"
-"EQ==\n"
-"-----END CERTIFICATE-----\n\n",
- NULL,
- };
-
- if (path == NULL)
- return (char **)&samplecerts;
-
- stat(path, &sb);
- if (!(sb.st_mode & S_IFDIR)) {
- printf("ERROR: %s is not directory.\n", path);
- exit(0);
- }
-
- dirp = opendir(path);
- if (dirp == NULL) {
- printf("opendir failed.\n");
- exit(0);
- }
-
- n = 0;
- while ((dp = readdir(dirp)) != NULL) {
- if (dp->d_type != DT_REG)
- continue;
- if (strcmp(dp->d_name + strlen(dp->d_name) - 4, "cert"))
- continue;
- snprintf(buf, sizeof(buf), "%s/%s", path, dp->d_name);
- stat(buf, &sb);
-
- p = (char **)realloc(certs, (n + 1) * sizeof(certs));
- if (p == NULL)
- err(1, "realloc");
- certs = p;
-
- certs[n] = malloc(sb.st_size + 1);
- if (certs[n] == NULL)
- err(1, "malloc");
-
- fd = open(buf, O_RDONLY);
- if (fd == -1)
- err(1, "open");
- len = read(fd, certs[n], sb.st_size);
- if (len == -1)
- err(1, "read");
- if (len != sb.st_size)
- errx(1, "read: length mismatch");
- certs[n][sb.st_size] = '\0';
- close(fd);
-
- printf("%s: %d\n", dp->d_name, (int)sb.st_size);
-
- n++;
- }
-
- p = (char **)realloc(certs, (n + 1) * sizeof(certs));
- if (p == NULL)
- err(1, "realloc");
- certs = p;
- certs[n] = NULL;
-
- return certs;
-}
-#endif /* CERTTEST_BROKEN */
-
-typedef vchar_t* (eay_func) (vchar_t *, vchar_t *, vchar_t *);
-
-static int
-ciphertest_1 (const char *name,
- vchar_t *data,
- size_t data_align,
- vchar_t *key,
- size_t min_keysize,
- vchar_t *iv0,
- size_t iv_length,
- eay_func encrypt,
- eay_func decrypt)
-{
- int padlen;
- vchar_t *buf, *iv, *res1, *res2;
- iv = vmalloc(iv_length);
-
- printf("Test for cipher %s\n", name);
- printf("data:\n");
- PVDUMP(data);
-
- if (data_align <= 1 || (data->l % data_align) == 0)
- padlen = 0;
- else
- padlen = data_align - data->l % data_align;
-
- buf = vmalloc(data->l + padlen);
- memcpy(buf->v, data->v, data->l);
-
- memcpy(iv->v, iv0->v, iv_length);
- res1 = (encrypt)(buf, key, iv);
- if (res1 == NULL) {
- printf("%s encryption failed.\n", name);
- return -1;
- }
- printf("encrypted:\n");
- PVDUMP(res1);
-
- memcpy(iv->v, iv0->v, iv_length);
- res2 = (decrypt)(res1, key, iv);
- if (res2 == NULL) {
- printf("%s decryption failed.\n", name);
- return -1;
- }
- printf("decrypted:\n");
- PVDUMP(res2);
-
- if (memcmp(data->v, res2->v, data->l)) {
- printf("XXXX NG (%s) XXXX\n", name);
- return -1;
- }
- else
- printf("%s cipher verified.\n", name);
- vfree(res1);
- vfree(res2);
- vfree(buf);
- vfree(iv);
-
- return 0;
-}
-
-int
-ciphertest(ac, av)
- int ac;
- char **av;
-{
- vchar_t data;
- vchar_t key;
- vchar_t iv0;
-
- printf("\n**Testing CIPHERS**\n");
-
- data.v = str2val("\
-06000017 03000000 73616b61 6e65406b 616d652e 6e657409 0002c104 308202b8 \
-04f05a90 \
- ", 16, &data.l);
- key.v = str2val("f59bd70f 81b9b9cc 2a32c7fd 229a4b37", 16, &key.l);
- iv0.v = str2val("26b68c90 9467b4ab 7ec29fa0 0b696b55", 16, &iv0.l);
-
- if (ciphertest_1 ("DES",
- &data, 8,
- &key, 8,
- &iv0, 8,
- eay_des_encrypt, eay_des_decrypt) < 0)
- return -1;
-
- if (ciphertest_1 ("3DES",
- &data, 8,
- &key, 24,
- &iv0, 8,
- eay_3des_encrypt, eay_3des_decrypt) < 0)
- return -1;
-
- if (ciphertest_1 ("AES",
- &data, 16,
- &key, key.l,
- &iv0, 16,
- eay_aes_encrypt, eay_aes_decrypt) < 0)
- return -1;
-
- if (ciphertest_1 ("BLOWFISH",
- &data, 8,
- &key, key.l,
- &iv0, 8,
- eay_bf_encrypt, eay_bf_decrypt) < 0)
- return -1;
-
- if (ciphertest_1 ("CAST",
- &data, 8,
- &key, key.l,
- &iv0, 8,
- eay_cast_encrypt, eay_cast_decrypt) < 0)
- return -1;
-
-#ifdef HAVE_OPENSSL_IDEA_H
- if (ciphertest_1 ("IDEA",
- &data, 8,
- &key, key.l,
- &iv0, 8,
- eay_idea_encrypt, eay_idea_decrypt) < 0)
- return -1;
-#endif
-
-#ifdef HAVE_OPENSSL_RC5_H
- if (ciphertest_1 ("RC5",
- &data, 8,
- &key, key.l,
- &iv0, 8,
- eay_rc5_encrypt, eay_rc5_decrypt) < 0)
- return -1;
-#endif
-#if defined(HAVE_OPENSSL_CAMELLIA_H)
- if (ciphertest_1 ("CAMELLIA",
- &data, 16,
- &key, key.l,
- &iv0, 16,
- eay_camellia_encrypt, eay_camellia_decrypt) < 0)
- return -1;
-#endif
- return 0;
-}
-
-int
-hmactest(ac, av)
- int ac;
- char **av;
-{
- char *keyword = "hehehe test secret!";
- char *object = "d7e6a6c1876ef0488bb74958b9fee94e";
- char *object1 = "d7e6a6c1876ef048";
- char *object2 = "8bb74958b9fee94e";
- char *r_hmd5 = "5702d7d1 fd1bfc7e 210fc9fa cda7d02c";
- char *r_hsha1 = "309999aa 9779a43e ebdea839 1b4e7ee1 d8646874";
-#ifdef WITH_SHA2
- char *r_hsha2 = "d47262d8 a5b6f39d d8686939 411b3e79 ed2e27f9 2c4ea89f dd0a06ae 0c0aa396";
-#endif
- vchar_t *key, *data, *data1, *data2, *res;
- vchar_t mod;
- caddr_t ctx;
-
-#ifdef WITH_SHA2
- printf("\n**Test for HMAC MD5, SHA1, and SHA256.**\n");
-#else
- printf("\n**Test for HMAC MD5 & SHA1.**\n");
-#endif
-
- key = vmalloc(strlen(keyword));
- memcpy(key->v, keyword, key->l);
-
- data = vmalloc(strlen(object));
- data1 = vmalloc(strlen(object1));
- data2 = vmalloc(strlen(object2));
- memcpy(data->v, object, data->l);
- memcpy(data1->v, object1, data1->l);
- memcpy(data2->v, object2, data2->l);
-
- /* HMAC MD5 */
- printf("HMAC MD5 by eay_hmacmd5_one()\n");
- res = eay_hmacmd5_one(key, data);
- PVDUMP(res);
- mod.v = str2val(r_hmd5, 16, &mod.l);
- if (memcmp(res->v, mod.v, mod.l)) {
- printf(" XXX NG XXX\n");
- return -1;
- }
- free(mod.v);
- vfree(res);
-
- /* HMAC MD5 */
- printf("HMAC MD5 by eay_hmacmd5_xxx()\n");
- ctx = eay_hmacmd5_init(key);
- eay_hmacmd5_update(ctx, data1);
- eay_hmacmd5_update(ctx, data2);
- res = eay_hmacmd5_final(ctx);
- PVDUMP(res);
- mod.v = str2val(r_hmd5, 16, &mod.l);
- if (memcmp(res->v, mod.v, mod.l)) {
- printf(" XXX NG XXX\n");
- return -1;
- }
- free(mod.v);
- vfree(res);
-
- /* HMAC SHA1 */
- printf("HMAC SHA1 by eay_hmacsha1_one()\n");
- res = eay_hmacsha1_one(key, data);
- PVDUMP(res);
- mod.v = str2val(r_hsha1, 16, &mod.l);
- if (memcmp(res->v, mod.v, mod.l)) {
- printf(" XXX NG XXX\n");
- return -1;
- }
- free(mod.v);
- vfree(res);
-
- /* HMAC SHA1 */
- printf("HMAC SHA1 by eay_hmacsha1_xxx()\n");
- ctx = eay_hmacsha1_init(key);
- eay_hmacsha1_update(ctx, data1);
- eay_hmacsha1_update(ctx, data2);
- res = eay_hmacsha1_final(ctx);
- PVDUMP(res);
- mod.v = str2val(r_hsha1, 16, &mod.l);
- if (memcmp(res->v, mod.v, mod.l)) {
- printf(" XXX NG XXX\n");
- return -1;
- }
- free(mod.v);
- vfree(res);
-
-#ifdef WITH_SHA2
- /* HMAC SHA2 */
- printf("HMAC SHA2 by eay_hmacsha2_256_one()\n");
- res = eay_hmacsha2_256_one(key, data);
- PVDUMP(res);
- mod.v = str2val(r_hsha2, 16, &mod.l);
- if (memcmp(res->v, mod.v, mod.l)) {
- printf(" XXX NG XXX\n");
- return -1;
- }
- free(mod.v);
- vfree(res);
-#endif
-
- vfree(data);
- vfree(data1);
- vfree(data2);
- vfree(key);
-
- return 0;
-}
-
-int
-sha1test(ac, av)
- int ac;
- char **av;
-{
- char *word1 = "1234567890", *word2 = "12345678901234567890";
- caddr_t ctx;
- vchar_t *buf, *res;
-
- printf("\n**Test for SHA1.**\n");
-
- ctx = eay_sha1_init();
- buf = vmalloc(strlen(word1));
- memcpy(buf->v, word1, buf->l);
- eay_sha1_update(ctx, buf);
- eay_sha1_update(ctx, buf);
- res = eay_sha1_final(ctx);
- PVDUMP(res);
- vfree(res);
- vfree(buf);
-
- ctx = eay_sha1_init();
- buf = vmalloc(strlen(word2));
- memcpy(buf->v, word2, buf->l);
- eay_sha1_update(ctx, buf);
- res = eay_sha1_final(ctx);
- PVDUMP(res);
- vfree(res);
-
- res = eay_sha1_one(buf);
- PVDUMP(res);
- vfree(res);
- vfree(buf);
-
- return 0;
-}
-
-int
-md5test(ac, av)
- int ac;
- char **av;
-{
- char *word1 = "1234567890", *word2 = "12345678901234567890";
- caddr_t ctx;
- vchar_t *buf, *res;
-
- printf("\n**Test for MD5.**\n");
-
- ctx = eay_md5_init();
- buf = vmalloc(strlen(word1));
- memcpy(buf->v, word1, buf->l);
- eay_md5_update(ctx, buf);
- eay_md5_update(ctx, buf);
- res = eay_md5_final(ctx);
- PVDUMP(res);
- vfree(res);
- vfree(buf);
-
- ctx = eay_md5_init();
- buf = vmalloc(strlen(word2));
- memcpy(buf->v, word2, buf->l);
- eay_md5_update(ctx, buf);
- res = eay_md5_final(ctx);
- PVDUMP(res);
- vfree(res);
-
- res = eay_md5_one(buf);
- PVDUMP(res);
- vfree(res);
- vfree(buf);
-
- return 0;
-}
-
-int
-dhtest(ac, av)
- int ac;
- char **av;
-{
- static struct {
- char *name;
- char *p;
- } px[] = {
- { "modp768", OAKLEY_PRIME_MODP768, },
- { "modp1024", OAKLEY_PRIME_MODP1024, },
- { "modp1536", OAKLEY_PRIME_MODP1536, },
- { "modp2048", OAKLEY_PRIME_MODP2048, },
- { "modp3072", OAKLEY_PRIME_MODP3072, },
- { "modp4096", OAKLEY_PRIME_MODP4096, },
- { "modp6144", OAKLEY_PRIME_MODP6144, },
- { "modp8192", OAKLEY_PRIME_MODP8192, },
- };
- vchar_t p1, *pub1, *priv1, *gxy1;
- vchar_t p2, *pub2, *priv2, *gxy2;
- int i;
-
- printf("\n**Test for DH.**\n");
-
- for (i = 0; i < sizeof(px)/sizeof(px[0]); i++) {
- printf("\n**Test for DH %s.**\n", px[i].name);
-
- p1.v = str2val(px[i].p, 16, &p1.l);
- p2.v = str2val(px[i].p, 16, &p2.l);
- printf("prime number = \n"); PVDUMP(&p1);
-
- if (eay_dh_generate(&p1, 2, 96, &pub1, &priv1) < 0) {
- printf("error\n");
- return -1;
- }
- printf("private key for user 1 = \n"); PVDUMP(priv1);
- printf("public key for user 1 = \n"); PVDUMP(pub1);
-
- if (eay_dh_generate(&p2, 2, 96, &pub2, &priv2) < 0) {
- printf("error\n");
- return -1;
- }
- printf("private key for user 2 = \n"); PVDUMP(priv2);
- printf("public key for user 2 = \n"); PVDUMP(pub2);
-
- /* process to generate key for user 1 */
- gxy1 = vmalloc(p1.l);
- memset(gxy1->v, 0, gxy1->l);
- eay_dh_compute(&p1, 2, pub1, priv1, pub2, &gxy1);
- printf("sharing gxy1 of user 1 = \n"); PVDUMP(gxy1);
-
- /* process to generate key for user 2 */
- gxy2 = vmalloc(p1.l);
- memset(gxy2->v, 0, gxy2->l);
- eay_dh_compute(&p2, 2, pub2, priv2, pub1, &gxy2);
- printf("sharing gxy2 of user 2 = \n"); PVDUMP(gxy2);
-
- if (memcmp(gxy1->v, gxy2->v, gxy1->l)) {
- printf("ERROR: sharing gxy mismatched.\n");
- return -1;
- }
-
- vfree(pub1);
- vfree(pub2);
- vfree(priv1);
- vfree(priv2);
- vfree(gxy1);
- vfree(gxy2);
- }
-
- return 0;
-}
-
-int
-bntest(ac, av)
- int ac;
- char **av;
-{
- vchar_t *rn;
-
- printf("\n**Test for generate a random number.**\n");
-
- rn = eay_set_random((u_int32_t)96);
- PVDUMP(rn);
- vfree(rn);
-
- return 0;
-}
-
-struct {
- char *name;
- int (*func) __P((int, char **));
-} func[] = {
- { "random", bntest, },
- { "dh", dhtest, },
- { "md5", md5test, },
- { "sha1", sha1test, },
- { "hmac", hmactest, },
- { "cipher", ciphertest, },
-#ifndef CERTTEST_BROKEN
- { "cert", certtest, },
-#endif
- { "rsa", rsatest, },
-};
-
-int
-main(ac, av)
- int ac;
- char **av;
-{
- int i;
- int len = sizeof(func)/sizeof(func[0]);
-
- f_foreground = 1;
- ploginit();
-
- printf ("\nTestsuite of the %s\nlinked with %s\n\n", TOP_PACKAGE_STRING, eay_version());
-
- if (strcmp(*av, "-h") == 0)
- Usage();
-
- ac--;
- av++;
-
- for (i = 0; i < len; i++) {
- if ((ac == 0) || (strcmp(*av, func[i].name) == 0)) {
- if ((func[i].func)(ac, av) != 0) {
- printf ("\n!!!!! Test '%s' failed. !!!!!\n\n", func[i].name);
- exit(1);
- }
- if (ac)
- break;
- }
- }
- if (ac && i == len)
- Usage();
-
- printf ("\n===== All tests passed =====\n\n");
- exit(0);
-}
-
-void
-Usage()
-{
- int i;
- int len = sizeof(func)/sizeof(func[0]);
-
- printf("Usage: eaytest [");
- for (i = 0; i < len; i++)
- printf("%s%s", func[i].name, (i<len-1)?"|":"");
- printf("]\n");
-#ifndef CERTTEST_BROKEN
- printf(" eaytest cert [cert_directory]\n");
-#endif
- exit(1);
-}
-
diff --git a/src/racoon/evt.c b/src/racoon/evt.c
deleted file mode 100644
index fc65b20..0000000
--- a/src/racoon/evt.c
+++ /dev/null
@@ -1,158 +0,0 @@
-/* $NetBSD: evt.c,v 1.5 2006/09/09 16:22:09 manu Exp $ */
-
-/* Id: evt.c,v 1.5 2006/06/22 20:11:35 manubsd Exp */
-
-/*
- * Copyright (C) 2004 Emmanuel Dreyfus
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <errno.h>
-#include <string.h>
-#include <stdio.h>
-#include <time.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <sys/queue.h>
-#include <sys/socket.h>
-
-#include "vmbuf.h"
-#include "plog.h"
-#include "misc.h"
-#include "admin.h"
-#include "gcmalloc.h"
-#include "evt.h"
-
-#ifdef ENABLE_ADMINPORT
-struct evtlist evtlist = TAILQ_HEAD_INITIALIZER(evtlist);
-int evtlist_len = 0;
-
-void
-evt_push(src, dst, type, optdata)
- struct sockaddr *src;
- struct sockaddr *dst;
- int type;
- vchar_t *optdata;
-{
- struct evtdump *evtdump;
- struct evt *evt;
- size_t len;
-
- /* If admin socket is disabled, silently discard anything */
- if (adminsock_path == NULL)
- return;
-
- /* If we are above the limit, don't record anything */
- if (evtlist_len > EVTLIST_MAX) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "Cannot record event: event queue overflowed\n");
- return;
- }
-
- /* If we hit the limit, record an overflow event instead */
- if (evtlist_len == EVTLIST_MAX) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot record event: event queue overflow\n");
- src = NULL;
- dst = NULL;
- type = EVTT_OVERFLOW;
- optdata = NULL;
- }
-
- len = sizeof(*evtdump);
- if (optdata)
- len += optdata->l;
-
- if ((evtdump = racoon_malloc(len)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "Cannot record event: %s\n",
- strerror(errno));
- return;
- }
-
- if ((evt = racoon_malloc(sizeof(*evt))) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "Cannot record event: %s\n",
- strerror(errno));
- racoon_free(evtdump);
- return;
- }
-
- if (src)
- memcpy(&evtdump->src, src, sysdep_sa_len(src));
- if (dst)
- memcpy(&evtdump->dst, dst, sysdep_sa_len(dst));
- evtdump->len = len;
- evtdump->type = type;
- time(&evtdump->timestamp);
-
- if (optdata)
- memcpy(evtdump + 1, optdata->v, optdata->l);
-
- evt->dump = evtdump;
- TAILQ_INSERT_TAIL(&evtlist, evt, next);
-
- evtlist_len++;
-
- return;
-}
-
-struct evtdump *
-evt_pop(void) {
- struct evtdump *evtdump;
- struct evt *evt;
-
- if ((evt = TAILQ_FIRST(&evtlist)) == NULL)
- return NULL;
-
- evtdump = evt->dump;
- TAILQ_REMOVE(&evtlist, evt, next);
- racoon_free(evt);
- evtlist_len--;
-
- return evtdump;
-}
-
-vchar_t *
-evt_dump(void) {
- struct evtdump *evtdump;
- vchar_t *buf = NULL;
-
- if ((evtdump = evt_pop()) != NULL) {
- if ((buf = vmalloc(evtdump->len)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "evt_dump failed: %s\n", strerror(errno));
- return NULL;
- }
- memcpy(buf->v, evtdump, evtdump->len);
- racoon_free(evtdump);
- }
-
- return buf;
-}
-
-#endif /* ENABLE_ADMINPORT */
diff --git a/src/racoon/evt.h b/src/racoon/evt.h
deleted file mode 100644
index 88ee366..0000000
--- a/src/racoon/evt.h
+++ /dev/null
@@ -1,88 +0,0 @@
-/* $NetBSD: evt.h,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* Id: evt.h,v 1.5 2006/01/19 10:24:09 fredsen Exp */
-
-/*
- * Copyright (C) 2004 Emmanuel Dreyfus
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _EVT_H
-#define _EVT_H
-
-struct evtdump {
- size_t len;
- struct sockaddr_storage src;
- struct sockaddr_storage dst;
- time_t timestamp;
- int type;
- /*
- * Optionnal list of struct isakmp_data
- * for type EVTT_ISAKMP_CFG_DONE
- */
-};
-
-/* type */
-#define EVTT_UNSEPC 0
-#define EVTT_PHASE1_UP 1
-#define EVTT_PHASE1_DOWN 2
-#define EVTT_XAUTH_SUCCESS 3
-#define EVTT_ISAKMP_CFG_DONE 4
-#define EVTT_PHASE2_UP 5
-#define EVTT_PHASE2_DOWN 6
-#define EVTT_DPD_TIMEOUT 7
-#define EVTT_PEER_NO_RESPONSE 8
-#define EVTT_PEER_DELETE 9
-#define EVTT_RACOON_QUIT 10
-#define EVTT_XAUTH_FAILED 11
-#define EVTT_OVERFLOW 12 /* Event queue overflowed */
-#define EVTT_PEERPH1AUTH_FAILED 13
-#define EVTT_PEERPH1_NOPROP 14 /* NO_PROPOSAL_CHOSEN & friends */
-#define EVTT_NO_ISAKMP_CFG 15 /* no need to wait for mode_cfg */
-
-struct evt {
- struct evtdump *dump;
- TAILQ_ENTRY(evt) next;
-};
-
-TAILQ_HEAD(evtlist, evt);
-
-#define EVTLIST_MAX 32
-
-#ifdef ENABLE_ADMINPORT
-struct evtdump *evt_pop(void);
-vchar_t *evt_dump(void);
-void evt_push(struct sockaddr *, struct sockaddr *, int, vchar_t *);
-#endif
-
-#ifdef ENABLE_ADMINPORT
-#define EVT_PUSH(src, dst, type, optdata) evt_push(src, dst, type, optdata);
-#else
-#define EVT_PUSH(src, dst, type, optdata) ;
-#endif
-
-#endif /* _EVT_H */
diff --git a/src/racoon/gcmalloc.h b/src/racoon/gcmalloc.h
deleted file mode 100644
index acdf7fa..0000000
--- a/src/racoon/gcmalloc.h
+++ /dev/null
@@ -1,127 +0,0 @@
-/* $NetBSD: gcmalloc.h,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* $KAME: gcmalloc.h,v 1.4 2001/11/16 04:34:57 sakane Exp $ */
-
-/*
- * Copyright (C) 2000, 2001 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/*
- * Debugging malloc glue for Racoon.
- */
-
-#ifndef _GCMALLOC_H_DEFINED
-#define _GCMALLOC_H_DEFINED
-
-/* ElectricFence needs no special handling. */
-
-/*
- * Boehm-GC provides GC_malloc(), GC_realloc(), GC_free() functions,
- * but not the traditional entry points. So what we do is provide
- * malloc(), calloc(), realloc(), and free() entry points in the main
- * program and letting the linker do the rest.
- */
-#ifdef GC
-#define GC_DEBUG
-#include <gc.h>
-
-#ifdef RACOON_MAIN_PROGRAM
-void *
-malloc(size_t size)
-{
-
- return (GC_MALLOC(size));
-}
-
-void *
-calloc(size_t number, size_t size)
-{
-
- /* GC_malloc() clears the storage. */
- return (GC_MALLOC(number * size));
-}
-
-void *
-realloc(void *ptr, size_t size)
-{
-
- return (GC_REALLOC(ptr, size));
-}
-
-void
-free(void *ptr)
-{
-
- GC_FREE(ptr);
-}
-
-char *
-strdup(const char *str)
-{
-
- return (GC_STRDUP(str));
-}
-#endif /* RACOON_MAIN_PROGRAM */
-
-#define racoon_malloc(sz) GC_debug_malloc(sz, GC_EXTRAS)
-#define racoon_calloc(cnt, sz) GC_debug_malloc(cnt * sz, GC_EXTRAS)
-#define racoon_realloc(old, sz) GC_debug_realloc(old, sz, GC_EXTRAS)
-#define racoon_free(p) GC_debug_free(p)
-#define racoon_strdup(str) GC_debug_strdup(str)
-
-#endif /* GC */
-
-/*
- * Dmalloc only requires that you pull in a header file and link
- * against libdmalloc.
- */
-#ifdef DMALLOC
-#include <dmalloc.h>
-#endif /* DMALLOC */
-
-#ifdef DEBUG_RECORD_MALLOCATION
-#include <debugrm.h>
-#else
-#ifndef racoon_malloc
-#define racoon_malloc(sz) malloc((sz))
-#endif
-#ifndef racoon_calloc
-#define racoon_calloc(cnt, sz) calloc((cnt), (sz))
-#endif
-#ifndef racoon_realloc
-#define racoon_realloc(old, sz) realloc((old), (sz))
-#endif
-#ifndef racoon_free
-#define racoon_free(p) free((p))
-#endif
-#ifndef racoon_strdup
-#define racoon_strdup(s) strdup((s))
-#endif
-#endif /* DEBUG_RECORD_MALLOCATION */
-
-#endif /* _GCMALLOC_H_DEFINED */
diff --git a/src/racoon/genlist.c b/src/racoon/genlist.c
deleted file mode 100644
index b5204c0..0000000
--- a/src/racoon/genlist.c
+++ /dev/null
@@ -1,174 +0,0 @@
-/* $NetBSD: genlist.c,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* Id: genlist.c,v 1.2 2004/07/12 20:43:50 ludvigm Exp */
-
-/*
- * Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
- * Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <sys/queue.h>
-
-#include "genlist.h"
-
-struct genlist *
-genlist_init (void)
-{
- struct genlist *new = calloc(sizeof(struct genlist), 1);
- TAILQ_INIT(new);
- return new;
-}
-
-struct genlist_entry *
-genlist_insert (struct genlist *head, void *data)
-{
- struct genlist_entry *entry = calloc(sizeof(struct genlist_entry), 1);
- entry->data = data;
- TAILQ_INSERT_HEAD(head, entry, chain);
- return entry;
-}
-
-struct genlist_entry *
-genlist_append (struct genlist *head, void *data)
-{
- struct genlist_entry *entry = calloc(sizeof(struct genlist_entry), 1);
- entry->data = data;
- TAILQ_INSERT_TAIL(head, entry, chain);
- return entry;
-}
-
-void *
-genlist_foreach (struct genlist *head, genlist_func_t func, void *arg)
-{
- struct genlist_entry *p;
- void *ret = NULL;
- TAILQ_FOREACH(p, head, chain) {
- ret = (*func)(p->data, arg);
- if (ret)
- break;
- }
-
- return ret;
-}
-
-void *
-genlist_next (struct genlist *head, struct genlist_entry **buf)
-{
- struct genlist_entry *p;
-
- if (head)
- p = TAILQ_FIRST(head);
- else
- p = (buf && *buf) ? TAILQ_NEXT(*buf, chain) : NULL;
- if (buf)
- *buf = p;
- return (p ? p->data : NULL);
-}
-
-void
-genlist_free (struct genlist *head, genlist_freedata_t func)
-{
- struct genlist_entry *p;
-
- while ((p = TAILQ_LAST(head, genlist)) != NULL) {
- TAILQ_REMOVE(head, p, chain);
- if (func)
- func(p->data);
- free(p);
- }
- free(head);
-}
-
-
-#if 0
-/* Here comes the example... */
-struct conf {
- struct genlist *l1, *l2;
-};
-
-void *
-print_entry(void *entry, void *arg)
-{
- if (!entry)
- return NULL;
- printf("%s\n", (char *)entry);
- return NULL;
-}
-
-void
-dump_list(struct genlist *head)
-{
- genlist_foreach(head, print_entry, NULL);
-}
-
-void
-free_data(void *data)
-{
- printf ("removing %s\n", (char *)data);
-}
-
-int main()
-{
- struct conf *cf;
- char *cp;
- struct genlist_entry *gpb;
-
- cf = calloc(sizeof(struct conf), 1);
- cf->l1 = genlist_init();
- cf->l2 = genlist_init();
-
- genlist_insert(cf->l1, "Ahoj");
- genlist_insert(cf->l1, "Cau");
- genlist_insert(cf->l1, "Nazdar");
- genlist_insert(cf->l1, "Te buch");
-
- genlist_append(cf->l2, "Curak");
- genlist_append(cf->l2, "Kozy");
- genlist_append(cf->l2, "Pica");
- genlist_append(cf->l2, "Prdel");
-
- printf("List 2\n");
- dump_list(cf->l2);
- printf("\nList 1\n");
- dump_list(cf->l1);
-
- printf("\nList 2 - using genlist_next()\n");
- for (cp = genlist_next (cf->l2, &gpb); cp; cp = genlist_next (0, &gpb))
- printf("%s\n", cp);
-
- printf("\nFreeing List 1\n");
- /* the data here isn't actually alloc'd so we would really call
- * genlist_free (cf->l1, 0); but to illustrate the idea */
- genlist_free (cf->l1, free_data);
- cf->l1 = 0;
-
- return 0;
-}
-#endif
diff --git a/src/racoon/genlist.h b/src/racoon/genlist.h
deleted file mode 100644
index ee15392..0000000
--- a/src/racoon/genlist.h
+++ /dev/null
@@ -1,82 +0,0 @@
-/* $NetBSD: genlist.h,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* Id: genlist.h,v 1.2 2004/07/12 20:43:50 ludvigm Exp */
-
-/*
- * Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
- * Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _GENLIST_H
-#define _GENLIST_H
-
-#include <sys/queue.h>
-
-/* See the bottom of genlist.c for example use. */
-
-/* This declares 'struct genlist' */
-TAILQ_HEAD(genlist, genlist_entry);
-
-/* This is where the data are actually stored. */
-struct genlist_entry {
- void *data;
- TAILQ_ENTRY(genlist_entry) chain;
-};
-
-/* This function returns an initialized list head. */
-struct genlist *genlist_init (void);
-
-/* Insert an entry at the beginning/end og the list. */
-struct genlist_entry *genlist_insert (struct genlist *head, void *data);
-struct genlist_entry *genlist_append (struct genlist *head, void *data);
-
-/* Create a function with this prototype for use with genlist_foreach().
- * See genlist_foreach() description below for details. */
-typedef void *(genlist_func_t)(void *entry, void *arg);
-
-/* Traverse the list and call 'func' for each entry. As long as func() returns
- * NULL the list traversal continues, once it returns non-NULL (usually the
- * 'entry' arg), the list traversal exits and the return value is returned
- * further from genlist_foreach(). Optional 'arg' may be passed to func(), e.g.
- * for some lookup purposes, etc. */
-void *genlist_foreach (struct genlist *head, genlist_func_t func, void *arg);
-
-/* Get first entry in list if head is not NULL, otherwise get next
- * entry based on saved position in list from previous call as stored in buf.
- * If buf is NULL no position is saved */
-void *genlist_next (struct genlist *head, struct genlist_entry **buf);
-
-/* Create a function with this prototype for use with genlist_free()
- * to free any storage associated with genlist_entry.data */
-typedef void (genlist_freedata_t)(void *entry);
-
-/* Free all storage associated with list at head using func to free any
- * alloc()d data in data field of genlist_entry */
-void genlist_free (struct genlist *head, genlist_freedata_t func);
-
-#endif /* _GENLIST_H */
diff --git a/src/racoon/getcertsbyname.c b/src/racoon/getcertsbyname.c
deleted file mode 100644
index 1ce7c62..0000000
--- a/src/racoon/getcertsbyname.c
+++ /dev/null
@@ -1,418 +0,0 @@
-/* $NetBSD: getcertsbyname.c,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* $KAME: getcertsbyname.c,v 1.7 2001/11/16 04:12:59 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#if (defined(__APPLE__) && defined(__MACH__))
-# include <nameser8_compat.h>
-#endif
-#include <resolv.h>
-#ifdef HAVE_LWRES_GETRRSETBYNAME
-#include <lwres/netdb.h>
-#include <lwres/lwres.h>
-#else
-#include <netdb.h>
-#endif
-#include <stdlib.h>
-#include <string.h>
-#include <errno.h>
-
-#ifdef DNSSEC_DEBUG
-#include <stdio.h>
-#include <strings.h>
-#endif
-
-#include "netdb_dnssec.h"
-
-/* XXX should it use ci_errno to hold errno instead of h_errno ? */
-extern int h_errno;
-
-static struct certinfo *getnewci __P((int, int, int, int, int,
- unsigned char *));
-
-static struct certinfo *
-getnewci(qtype, keytag, algorithm, flags, certlen, cert)
- int qtype, keytag, algorithm, flags, certlen;
- unsigned char *cert;
-{
- struct certinfo *res;
-
- res = malloc(sizeof(*res));
- if (!res)
- return NULL;
-
- memset(res, 0, sizeof(*res));
- res->ci_type = qtype;
- res->ci_keytag = keytag;
- res->ci_algorithm = algorithm;
- res->ci_flags = flags;
- res->ci_certlen = certlen;
- res->ci_cert = malloc(certlen);
- if (!res->ci_cert) {
- free(res);
- return NULL;
- }
- memcpy(res->ci_cert, cert, certlen);
-
- return res;
-}
-
-void
-freecertinfo(ci)
- struct certinfo *ci;
-{
- struct certinfo *next;
-
- do {
- next = ci->ci_next;
- if (ci->ci_cert)
- free(ci->ci_cert);
- free(ci);
- ci = next;
- } while (ci);
-}
-
-/*
- * get CERT RR by FQDN and create certinfo structure chain.
- */
-#ifdef HAVE_LWRES_GETRRSETBYNAME
-#define getrrsetbyname lwres_getrrsetbyname
-#define freerrset lwres_freerrset
-#define hstrerror lwres_hstrerror
-#endif
-#if defined(HAVE_LWRES_GETRRSETBYNAME) || defined(AHVE_GETRRSETBYNAME)
-int
-getcertsbyname(name, res)
- char *name;
- struct certinfo **res;
-{
- int rdlength;
- char *cp;
- int type, keytag, algorithm;
- struct certinfo head, *cur;
- struct rrsetinfo *rr = NULL;
- int i;
- int error = -1;
-
- /* initialize res */
- *res = NULL;
-
- memset(&head, 0, sizeof(head));
- cur = &head;
-
- error = getrrsetbyname(name, C_IN, T_CERT, 0, &rr);
- if (error) {
-#ifdef DNSSEC_DEBUG
- printf("getrrsetbyname: %s\n", hstrerror(error));
-#endif
- h_errno = NO_RECOVERY;
- goto end;
- }
-
- if (rr->rri_rdclass != C_IN
- || rr->rri_rdtype != T_CERT
- || rr->rri_nrdatas == 0) {
-#ifdef DNSSEC_DEBUG
- printf("getrrsetbyname: %s", hstrerror(error));
-#endif
- h_errno = NO_RECOVERY;
- goto end;
- }
-#ifdef DNSSEC_DEBUG
- if (!(rr->rri_flags & LWRDATA_VALIDATED))
- printf("rr is not valid");
-#endif
-
- for (i = 0; i < rr->rri_nrdatas; i++) {
- rdlength = rr->rri_rdatas[i].rdi_length;
- cp = rr->rri_rdatas[i].rdi_data;
-
- GETSHORT(type, cp); /* type */
- rdlength -= INT16SZ;
- GETSHORT(keytag, cp); /* key tag */
- rdlength -= INT16SZ;
- algorithm = *cp++; /* algorithm */
- rdlength -= 1;
-
-#ifdef DNSSEC_DEBUG
- printf("type=%d keytag=%d alg=%d len=%d\n",
- type, keytag, algorithm, rdlength);
-#endif
-
- /* create new certinfo */
- cur->ci_next = getnewci(type, keytag, algorithm,
- rr->rri_flags, rdlength, cp);
- if (!cur->ci_next) {
-#ifdef DNSSEC_DEBUG
- printf("getnewci: %s", strerror(errno));
-#endif
- h_errno = NO_RECOVERY;
- goto end;
- }
- cur = cur->ci_next;
- }
-
- *res = head.ci_next;
- error = 0;
-
-end:
- if (rr)
- freerrset(rr);
- if (error && head.ci_next)
- freecertinfo(head.ci_next);
-
- return error;
-}
-#else /*!HAVE_LWRES_GETRRSETBYNAME*/
-int
-getcertsbyname(name, res)
- char *name;
- struct certinfo **res;
-{
- unsigned char *answer = NULL, *p;
- int buflen, anslen, len;
- HEADER *hp;
- int qdcount, ancount, rdlength;
- unsigned char *cp, *eom;
- char hostbuf[1024]; /* XXX */
- int qtype, qclass, keytag, algorithm;
- struct certinfo head, *cur;
- int error = -1;
-
- /* initialize res */
- *res = NULL;
-
- memset(&head, 0, sizeof(head));
- cur = &head;
-
- /* get CERT RR */
- buflen = 512;
- do {
-
- buflen *= 2;
- p = realloc(answer, buflen);
- if (!p) {
-#ifdef DNSSEC_DEBUG
- printf("realloc: %s", strerror(errno));
-#endif
- h_errno = NO_RECOVERY;
- goto end;
- }
- answer = p;
-
- anslen = res_query(name, C_IN, T_CERT, answer, buflen);
- if (anslen == -1)
- goto end;
-
- } while (buflen < anslen);
-
-#ifdef DNSSEC_DEBUG
- printf("get a DNS packet len=%d\n", anslen);
-#endif
-
- /* parse CERT RR */
- eom = answer + anslen;
-
- hp = (HEADER *)answer;
- qdcount = ntohs(hp->qdcount);
- ancount = ntohs(hp->ancount);
-
- /* question section */
- if (qdcount != 1) {
-#ifdef DNSSEC_DEBUG
- printf("query count is not 1.\n");
-#endif
- h_errno = NO_RECOVERY;
- goto end;
- }
- cp = (unsigned char *)(hp + 1);
- len = dn_expand(answer, eom, cp, hostbuf, sizeof(hostbuf));
- if (len < 0) {
-#ifdef DNSSEC_DEBUG
- printf("dn_expand failed.\n");
-#endif
- goto end;
- }
- cp += len;
- GETSHORT(qtype, cp); /* QTYPE */
- GETSHORT(qclass, cp); /* QCLASS */
-
- /* answer section */
- while (ancount-- && cp < eom) {
- len = dn_expand(answer, eom, cp, hostbuf, sizeof(hostbuf));
- if (len < 0) {
-#ifdef DNSSEC_DEBUG
- printf("dn_expand failed.\n");
-#endif
- goto end;
- }
- cp += len;
- GETSHORT(qtype, cp); /* TYPE */
- GETSHORT(qclass, cp); /* CLASS */
- cp += INT32SZ; /* TTL */
- GETSHORT(rdlength, cp); /* RDLENGTH */
-
- /* CERT RR */
- if (qtype != T_CERT) {
-#ifdef DNSSEC_DEBUG
- printf("not T_CERT\n");
-#endif
- h_errno = NO_RECOVERY;
- goto end;
- }
- GETSHORT(qtype, cp); /* type */
- rdlength -= INT16SZ;
- GETSHORT(keytag, cp); /* key tag */
- rdlength -= INT16SZ;
- algorithm = *cp++; /* algorithm */
- rdlength -= 1;
- if (cp + rdlength > eom) {
-#ifdef DNSSEC_DEBUG
- printf("rdlength is too long.\n");
-#endif
- h_errno = NO_RECOVERY;
- goto end;
- }
-#ifdef DNSSEC_DEBUG
- printf("type=%d keytag=%d alg=%d len=%d\n",
- qtype, keytag, algorithm, rdlength);
-#endif
-
- /* create new certinfo */
- cur->ci_next = getnewci(qtype, keytag, algorithm,
- 0, rdlength, cp);
- if (!cur->ci_next) {
-#ifdef DNSSEC_DEBUG
- printf("getnewci: %s", strerror(errno));
-#endif
- h_errno = NO_RECOVERY;
- goto end;
- }
- cur = cur->ci_next;
-
- cp += rdlength;
- }
-
- *res = head.ci_next;
- error = 0;
-
-end:
- if (answer)
- free(answer);
- if (error && head.ci_next)
- freecertinfo(head.ci_next);
-
- return error;
-}
-#endif
-
-#ifdef DNSSEC_DEBUG
-int
-b64encode(p, len)
- char *p;
- int len;
-{
- static const char b64t[] =
- "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
- "abcdefghijklmnopqrstuvwxyz"
- "0123456789+/=";
-
- while (len > 2) {
- printf("%c", b64t[(p[0] >> 2) & 0x3f]);
- printf("%c", b64t[((p[0] << 4) & 0x30) | ((p[1] >> 4) & 0x0f)]);
- printf("%c", b64t[((p[1] << 2) & 0x3c) | ((p[2] >> 6) & 0x03)]);
- printf("%c", b64t[p[2] & 0x3f]);
- len -= 3;
- p += 3;
- }
-
- if (len == 2) {
- printf("%c", b64t[(p[0] >> 2) & 0x3f]);
- printf("%c", b64t[((p[0] << 4) & 0x30)| ((p[1] >> 4) & 0x0f)]);
- printf("%c", b64t[((p[1] << 2) & 0x3c)]);
- printf("%c", '=');
- } else if (len == 1) {
- printf("%c", b64t[(p[0] >> 2) & 0x3f]);
- printf("%c", b64t[((p[0] << 4) & 0x30)]);
- printf("%c", '=');
- printf("%c", '=');
- }
-
- return 0;
-}
-
-int
-main(ac, av)
- int ac;
- char **av;
-{
- struct certinfo *res, *p;
- int i;
-
- if (ac < 2) {
- printf("Usage: a.out (FQDN)\n");
- exit(1);
- }
-
- i = getcertsbyname(*(av + 1), &res);
- if (i != 0) {
- herror("getcertsbyname");
- exit(1);
- }
- printf("getcertsbyname succeeded.\n");
-
- i = 0;
- for (p = res; p; p = p->ci_next) {
- printf("certinfo[%d]:\n", i);
- printf("\tci_type=%d\n", p->ci_type);
- printf("\tci_keytag=%d\n", p->ci_keytag);
- printf("\tci_algorithm=%d\n", p->ci_algorithm);
- printf("\tci_flags=%d\n", p->ci_flags);
- printf("\tci_certlen=%d\n", p->ci_certlen);
- printf("\tci_cert: ");
- b64encode(p->ci_cert, p->ci_certlen);
- printf("\n");
- i++;
- }
-
- freecertinfo(res);
-
- exit(0);
-}
-#endif
diff --git a/src/racoon/gnuc.h b/src/racoon/gnuc.h
deleted file mode 100644
index 8537ad2..0000000
--- a/src/racoon/gnuc.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/* $NetBSD: gnuc.h,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* Id: gnuc.h,v 1.4 2004/11/18 15:14:44 ludvigm Exp */
-
-/* Define __P() macro, if necessary */
-#undef __P
-#ifndef __P
-#if __STDC__
-#define __P(protos) protos
-#else
-#define __P(protos) ()
-#endif
-#endif
-
-/* inline foo */
-#ifdef __GNUC__
-#define inline __inline
-#else
-#define inline
-#endif
-
-/*
- * Handle new and old "dead" routine prototypes
- *
- * For example:
- *
- * __dead void foo(void) __attribute__((volatile));
- *
- */
-#ifdef __GNUC__
-#ifndef __dead
-#define __dead volatile
-#endif
-#if __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 5)
-#ifndef __attribute__
-#define __attribute__(args)
-#endif
-#endif
-#else
-#ifndef __dead
-#define __dead
-#endif
-#ifndef __attribute__
-#define __attribute__(args)
-#endif
-#endif
diff --git a/src/racoon/grabmyaddr.c b/src/racoon/grabmyaddr.c
deleted file mode 100644
index dae4690..0000000
--- a/src/racoon/grabmyaddr.c
+++ /dev/null
@@ -1,938 +0,0 @@
-/* $NetBSD: grabmyaddr.c,v 1.4.6.3 2008/06/18 07:30:18 mgrooms Exp $ */
-
-/* Id: grabmyaddr.c,v 1.27 2006/04/06 16:27:05 manubsd Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/ioctl.h>
-
-#include <net/if.h>
-#if defined(__FreeBSD__) && __FreeBSD__ >= 3
-#include <net/if_var.h>
-#endif
-#if defined(__NetBSD__) || defined(__FreeBSD__) || \
- (defined(__APPLE__) && defined(__MACH__))
-#include <netinet/in.h>
-#include <netinet6/in6_var.h>
-#endif
-#include <net/route.h>
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-#include <netdb.h>
-#ifdef HAVE_GETIFADDRS
-#include <ifaddrs.h>
-#include <net/if.h>
-#endif
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "sockmisc.h"
-#include "debug.h"
-
-#include "localconf.h"
-#include "handler.h"
-#include "grabmyaddr.h"
-#include "sockmisc.h"
-#include "isakmp_var.h"
-#include "gcmalloc.h"
-#include "nattraversal.h"
-
-#ifdef __linux__
-#include <linux/types.h>
-#include <linux/rtnetlink.h>
-#ifndef HAVE_GETIFADDRS
-#define HAVE_GETIFADDRS
-#define NEED_LINUX_GETIFADDRS
-#endif
-#endif
-
-#ifdef ANDROID_CHANGES
-#include "NetdClient.h"
-#endif
-
-#ifndef HAVE_GETIFADDRS
-static unsigned int if_maxindex __P((void));
-#endif
-static struct myaddrs *find_myaddr __P((struct myaddrs *, struct myaddrs *));
-static int suitable_ifaddr __P((const char *, const struct sockaddr *));
-#ifdef INET6
-static int suitable_ifaddr6 __P((const char *, const struct sockaddr *));
-#endif
-
-#ifdef NEED_LINUX_GETIFADDRS
-
-/* We could do this _much_ better. kame racoon in its current form
- * will esentially die at frequent changes of address configuration.
- */
-
-struct ifaddrs
-{
- struct ifaddrs *ifa_next;
- char ifa_name[16];
- int ifa_ifindex;
- struct sockaddr *ifa_addr;
- struct sockaddr_storage ifa_addrbuf;
-};
-
-static int parse_rtattr(struct rtattr *tb[], int max, struct rtattr *rta, int len)
-{
- while (RTA_OK(rta, len)) {
- if (rta->rta_type <= max)
- tb[rta->rta_type] = rta;
- rta = RTA_NEXT(rta,len);
- }
- return 0;
-}
-
-static void recvaddrs(int fd, struct ifaddrs **ifa, __u32 seq)
-{
- char buf[8192];
- struct sockaddr_nl nladdr;
- struct iovec iov = { buf, sizeof(buf) };
- struct ifaddrmsg *m;
- struct rtattr * rta_tb[IFA_MAX+1];
- struct ifaddrs *I;
-
- while (1) {
- int status;
- struct nlmsghdr *h;
-
- struct msghdr msg = {
- (void*)&nladdr, sizeof(nladdr),
- &iov, 1,
- NULL, 0,
- 0
- };
-
- status = recvmsg(fd, &msg, 0);
-
- if (status < 0)
- continue;
-
- if (status == 0)
- return;
-
- if (nladdr.nl_pid) /* Message not from kernel */
- continue;
-
- h = (struct nlmsghdr*)buf;
- while (NLMSG_OK(h, status)) {
- if (h->nlmsg_seq != seq)
- goto skip_it;
-
- if (h->nlmsg_type == NLMSG_DONE)
- return;
-
- if (h->nlmsg_type == NLMSG_ERROR)
- return;
-
- if (h->nlmsg_type != RTM_NEWADDR)
- goto skip_it;
-
- m = NLMSG_DATA(h);
-
- if (m->ifa_family != AF_INET &&
- m->ifa_family != AF_INET6)
- goto skip_it;
-
- if (m->ifa_flags&IFA_F_TENTATIVE)
- goto skip_it;
-
- memset(rta_tb, 0, sizeof(rta_tb));
- parse_rtattr(rta_tb, IFA_MAX, IFA_RTA(m), h->nlmsg_len - NLMSG_LENGTH(sizeof(*m)));
-
- if (rta_tb[IFA_LOCAL] == NULL)
- rta_tb[IFA_LOCAL] = rta_tb[IFA_ADDRESS];
- if (rta_tb[IFA_LOCAL] == NULL)
- goto skip_it;
-
- I = malloc(sizeof(struct ifaddrs));
- if (!I)
- return;
- memset(I, 0, sizeof(*I));
-
- I->ifa_ifindex = m->ifa_index;
- I->ifa_addr = (struct sockaddr*)&I->ifa_addrbuf;
- I->ifa_addr->sa_family = m->ifa_family;
- if (m->ifa_family == AF_INET) {
- struct sockaddr_in *sin = (void*)I->ifa_addr;
- memcpy(&sin->sin_addr, RTA_DATA(rta_tb[IFA_LOCAL]), 4);
- } else {
- struct sockaddr_in6 *sin = (void*)I->ifa_addr;
- memcpy(&sin->sin6_addr, RTA_DATA(rta_tb[IFA_LOCAL]), 16);
- if (IN6_IS_ADDR_LINKLOCAL(&sin->sin6_addr))
- sin->sin6_scope_id = I->ifa_ifindex;
- }
- I->ifa_next = *ifa;
- *ifa = I;
-
-skip_it:
- h = NLMSG_NEXT(h, status);
- }
- if (msg.msg_flags & MSG_TRUNC)
- continue;
- }
- return;
-}
-
-static int getifaddrs(struct ifaddrs **ifa0)
-{
- struct {
- struct nlmsghdr nlh;
- struct rtgenmsg g;
- } req;
- struct sockaddr_nl nladdr;
- static __u32 seq;
- struct ifaddrs *i;
- int fd;
-
- fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
- if (fd < 0)
- return -1;
-
- memset(&nladdr, 0, sizeof(nladdr));
- nladdr.nl_family = AF_NETLINK;
-
- req.nlh.nlmsg_len = sizeof(req);
- req.nlh.nlmsg_type = RTM_GETADDR;
- req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
- req.nlh.nlmsg_pid = 0;
- req.nlh.nlmsg_seq = ++seq;
- req.g.rtgen_family = AF_UNSPEC;
-
- if (sendto(fd, (void*)&req, sizeof(req), 0, (struct sockaddr*)&nladdr, sizeof(nladdr)) < 0) {
- close(fd);
- return -1;
- }
-
- *ifa0 = NULL;
-
- recvaddrs(fd, ifa0, seq);
-
- close(fd);
-
- fd = socket(AF_INET, SOCK_DGRAM, 0);
-
- for (i=*ifa0; i; i = i->ifa_next) {
- struct ifreq ifr;
- ifr.ifr_ifindex = i->ifa_ifindex;
- ioctl(fd, SIOCGIFNAME, (void*)&ifr);
- memcpy(i->ifa_name, ifr.ifr_name, 16);
- }
- close(fd);
-
- return 0;
-}
-
-static void freeifaddrs(struct ifaddrs *ifa0)
-{
- struct ifaddrs *i;
-
- while (ifa0) {
- i = ifa0;
- ifa0 = i->ifa_next;
- free(i);
- }
-}
-
-#endif
-
-#ifndef HAVE_GETIFADDRS
-static unsigned int
-if_maxindex()
-{
- struct if_nameindex *p, *p0;
- unsigned int max = 0;
-
- p0 = if_nameindex();
- for (p = p0; p && p->if_index && p->if_name; p++) {
- if (max < p->if_index)
- max = p->if_index;
- }
- if_freenameindex(p0);
- return max;
-}
-#endif
-
-void
-clear_myaddr(db)
- struct myaddrs **db;
-{
- struct myaddrs *p;
-
- while (*db) {
- p = (*db)->next;
- delmyaddr(*db);
- *db = p;
- }
-}
-
-static struct myaddrs *
-find_myaddr(db, p)
- struct myaddrs *db;
- struct myaddrs *p;
-{
- struct myaddrs *q;
- char h1[NI_MAXHOST], h2[NI_MAXHOST];
-
- if (getnameinfo(p->addr, sysdep_sa_len(p->addr), h1, sizeof(h1), NULL, 0,
- NI_NUMERICHOST | niflags) != 0)
- return NULL;
-
- for (q = db; q; q = q->next) {
- if (p->addr->sa_family != q->addr->sa_family)
- continue;
- if (getnameinfo(q->addr, sysdep_sa_len(q->addr), h2, sizeof(h2),
- NULL, 0, NI_NUMERICHOST | niflags) != 0)
- return NULL;
- if (strcmp(h1, h2) == 0)
- return q;
- }
-
- return NULL;
-}
-
-void
-grab_myaddrs()
-{
-#ifdef HAVE_GETIFADDRS
- struct myaddrs *p, *q, *old;
- struct ifaddrs *ifa0, *ifap;
-#ifdef INET6
- struct sockaddr_in6 *sin6;
-#endif
-
- char addr1[NI_MAXHOST];
-
- if (getifaddrs(&ifa0)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "getifaddrs failed: %s\n", strerror(errno));
- exit(1);
- /*NOTREACHED*/
- }
-
- old = lcconf->myaddrs;
-
- for (ifap = ifa0; ifap; ifap = ifap->ifa_next) {
- if (! ifap->ifa_addr)
- continue;
-
- if (ifap->ifa_addr->sa_family != AF_INET
-#ifdef INET6
- && ifap->ifa_addr->sa_family != AF_INET6
-#endif
- )
- continue;
-
- if (!suitable_ifaddr(ifap->ifa_name, ifap->ifa_addr)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "unsuitable address: %s %s\n",
- ifap->ifa_name,
- saddrwop2str(ifap->ifa_addr));
- continue;
- }
-
- p = newmyaddr();
- if (p == NULL) {
- exit(1);
- /*NOTREACHED*/
- }
- p->addr = dupsaddr(ifap->ifa_addr);
- if (p->addr == NULL) {
- exit(1);
- /*NOTREACHED*/
- }
-#ifdef INET6
-#ifdef __KAME__
- if (ifap->ifa_addr->sa_family == AF_INET6) {
- sin6 = (struct sockaddr_in6 *)p->addr;
- if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)
- || IN6_IS_ADDR_SITELOCAL(&sin6->sin6_addr)) {
- sin6->sin6_scope_id =
- ntohs(*(u_int16_t *)&sin6->sin6_addr.s6_addr[2]);
- sin6->sin6_addr.s6_addr[2] = 0;
- sin6->sin6_addr.s6_addr[3] = 0;
- }
- }
-#else /* !__KAME__ */
- if (ifap->ifa_addr->sa_family == AF_INET6) {
- sin6 = (struct sockaddr_in6 *)p->addr;
- if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)
- || IN6_IS_ADDR_SITELOCAL(&sin6->sin6_addr)) {
- sin6->sin6_scope_id =
- if_nametoindex(ifap->ifa_name);
- }
- }
-
-#endif
-#endif
- if (getnameinfo(p->addr, sysdep_sa_len(p->addr),
- addr1, sizeof(addr1),
- NULL, 0,
- NI_NUMERICHOST | niflags))
- strlcpy(addr1, "(invalid)", sizeof(addr1));
- plog(LLV_DEBUG, LOCATION, NULL,
- "my interface: %s (%s)\n",
- addr1, ifap->ifa_name);
- q = find_myaddr(old, p);
-#ifdef ANDROID_CHANGES
- if (q) {
- protectFromVpn(q->sock);
- }
-#endif
- if (q)
- p->sock = q->sock;
- else
- p->sock = -1;
- p->next = lcconf->myaddrs;
- lcconf->myaddrs = p;
- }
-
- freeifaddrs(ifa0);
-
- clear_myaddr(&old);
-
-#else /*!HAVE_GETIFADDRS*/
- int s;
- unsigned int maxif;
- int len;
- struct ifreq *iflist;
- struct ifconf ifconf;
- struct ifreq *ifr, *ifr_end;
- struct myaddrs *p, *q, *old;
-#ifdef INET6
-#ifdef __KAME__
- struct sockaddr_in6 *sin6;
-#endif
-#endif
-
- char addr1[NI_MAXHOST];
-
- maxif = if_maxindex() + 1;
- len = maxif * sizeof(struct sockaddr_storage) * 4; /* guess guess */
-
- iflist = (struct ifreq *)racoon_malloc(len);
- if (!iflist) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate buffer\n");
- exit(1);
- /*NOTREACHED*/
- }
-
- if ((s = socket(PF_INET, SOCK_DGRAM, 0)) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "socket(SOCK_DGRAM) failed: %s\n",
- strerror(errno));
- exit(1);
- /*NOTREACHED*/
- }
-#ifdef ANDROID_CHANGES
- protectFromVpn(s);
-#endif
-
- memset(&ifconf, 0, sizeof(ifconf));
- ifconf.ifc_req = iflist;
- ifconf.ifc_len = len;
- if (ioctl(s, SIOCGIFCONF, &ifconf) < 0) {
- close(s);
- plog(LLV_ERROR, LOCATION, NULL,
- "ioctl(SIOCGIFCONF) failed: %s\n",
- strerror(errno));
- exit(1);
- /*NOTREACHED*/
- }
- close(s);
-
- old = lcconf->myaddrs;
-
- /* Look for this interface in the list */
- ifr_end = (struct ifreq *) (ifconf.ifc_buf + ifconf.ifc_len);
-
-#define _IFREQ_LEN(p) \
- (sizeof((p)->ifr_name) + sysdep_sa_len(&(p)->ifr_addr) > sizeof(struct ifreq) \
- ? sizeof((p)->ifr_name) + sysdep_sa_len(&(p)->ifr_addr) : sizeof(struct ifreq))
-
- for (ifr = ifconf.ifc_req;
- ifr < ifr_end;
- ifr = (struct ifreq *)((caddr_t)ifr + _IFREQ_LEN(ifr))) {
-
- switch (ifr->ifr_addr.sa_family) {
- case AF_INET:
-#ifdef INET6
- case AF_INET6:
-#endif
- if (!suitable_ifaddr(ifr->ifr_name, &ifr->ifr_addr)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "unsuitable address: %s %s\n",
- ifr->ifr_name,
- saddrwop2str(&ifr->ifr_addr));
- continue;
- }
-
- p = newmyaddr();
- if (p == NULL) {
- exit(1);
- /*NOTREACHED*/
- }
- p->addr = dupsaddr(&ifr->ifr_addr);
- if (p->addr == NULL) {
- exit(1);
- /*NOTREACHED*/
- }
-#ifdef INET6
-#ifdef __KAME__
- sin6 = (struct sockaddr_in6 *)p->addr;
- if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr)
- || IN6_IS_ADDR_SITELOCAL(&sin6->sin6_addr)) {
- sin6->sin6_scope_id =
- ntohs(*(u_int16_t *)&sin6->sin6_addr.s6_addr[2]);
- sin6->sin6_addr.s6_addr[2] = 0;
- sin6->sin6_addr.s6_addr[3] = 0;
- }
-#endif
-#endif
- if (getnameinfo(p->addr, sysdep_sa_len(p->addr),
- addr1, sizeof(addr1),
- NULL, 0,
- NI_NUMERICHOST | niflags))
- strlcpy(addr1, "(invalid)", sizeof(addr1));
- plog(LLV_DEBUG, LOCATION, NULL,
- "my interface: %s (%s)\n",
- addr1, ifr->ifr_name);
- q = find_myaddr(old, p);
-#ifdef ANDROID_CHANGES
- if (q) {
- protectFromVpn(q->sock);
- }
-#endif
- if (q)
- p->sock = q->sock;
- else
- p->sock = -1;
- p->next = lcconf->myaddrs;
- lcconf->myaddrs = p;
- break;
- default:
- break;
- }
- }
-
- clear_myaddr(&old);
-
- racoon_free(iflist);
-#endif /*HAVE_GETIFADDRS*/
-}
-
-/*
- * check the interface is suitable or not
- */
-static int
-suitable_ifaddr(ifname, ifaddr)
- const char *ifname;
- const struct sockaddr *ifaddr;
-{
-#ifdef ENABLE_HYBRID
- /* Exclude any address we got through ISAKMP mode config */
- if (exclude_cfg_addr(ifaddr) == 0)
- return 0;
-#endif
- switch(ifaddr->sa_family) {
- case AF_INET:
- return 1;
-#ifdef INET6
- case AF_INET6:
- return suitable_ifaddr6(ifname, ifaddr);
-#endif
- default:
- return 0;
- }
- /*NOTREACHED*/
-}
-
-#ifdef INET6
-static int
-suitable_ifaddr6(ifname, ifaddr)
- const char *ifname;
- const struct sockaddr *ifaddr;
-{
-#ifndef __linux__
- struct in6_ifreq ifr6;
- int s;
-#endif
-
- if (ifaddr->sa_family != AF_INET6)
- return 0;
-
-#ifndef __linux__
- s = socket(PF_INET6, SOCK_DGRAM, 0);
- if (s == -1) {
- plog(LLV_ERROR, LOCATION, NULL,
- "socket(SOCK_DGRAM) failed:%s\n", strerror(errno));
- return 0;
- }
-#ifdef ANDROID_CHANGES
- protectFromVpn(s);
-#endif
-
- memset(&ifr6, 0, sizeof(ifr6));
- strncpy(ifr6.ifr_name, ifname, strlen(ifname));
-
- ifr6.ifr_addr = *(const struct sockaddr_in6 *)ifaddr;
-
- if (ioctl(s, SIOCGIFAFLAG_IN6, &ifr6) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "ioctl(SIOCGIFAFLAG_IN6) failed:%s\n", strerror(errno));
- close(s);
- return 0;
- }
-
- close(s);
-
- if (ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_DUPLICATED
- || ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_DETACHED
- || ifr6.ifr_ifru.ifru_flags6 & IN6_IFF_ANYCAST)
- return 0;
-#endif
-
- /* suitable */
- return 1;
-}
-#endif
-
-int
-update_myaddrs()
-{
-#ifdef __linux__
- char msg[BUFSIZ];
- int len;
- struct nlmsghdr *h = (void*)msg;
- len = read(lcconf->rtsock, msg, sizeof(msg));
- if (len < 0)
- return errno == ENOBUFS;
- if (len < sizeof(*h))
- return 0;
- if (h->nlmsg_pid) /* not from kernel! */
- return 0;
- if (h->nlmsg_type == RTM_NEWLINK)
- return 0;
- plog(LLV_DEBUG, LOCATION, NULL,
- "netlink signals update interface address list\n");
- return 1;
-#else
- char msg[BUFSIZ];
- int len;
- struct rt_msghdr *rtm;
-
- len = read(lcconf->rtsock, msg, sizeof(msg));
- if (len < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "read(PF_ROUTE) failed: %s\n",
- strerror(errno));
- return 0;
- }
- rtm = (struct rt_msghdr *)msg;
- if (len < rtm->rtm_msglen) {
- plog(LLV_ERROR, LOCATION, NULL,
- "read(PF_ROUTE) short read\n");
- return 0;
- }
- if (rtm->rtm_version != RTM_VERSION) {
- plog(LLV_ERROR, LOCATION, NULL,
- "routing socket version mismatch\n");
- close(lcconf->rtsock);
- lcconf->rtsock = -1;
- return 0;
- }
- switch (rtm->rtm_type) {
- case RTM_NEWADDR:
- case RTM_DELADDR:
- case RTM_DELETE:
- case RTM_IFINFO:
- break;
- case RTM_MISS:
- /* ignore this message silently */
- return 0;
- default:
- plog(LLV_DEBUG, LOCATION, NULL,
- "msg %d not interesting\n", rtm->rtm_type);
- return 0;
- }
- /* XXX more filters here? */
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "caught rtm:%d, need update interface address list\n",
- rtm->rtm_type);
- return 1;
-#endif /* __linux__ */
-}
-
-/*
- * initialize default port for ISAKMP to send, if no "listen"
- * directive is specified in config file.
- *
- * DO NOT listen to wildcard addresses. if you receive packets to
- * wildcard address, you'll be in trouble (DoS attack possible by
- * broadcast storm).
- */
-int
-autoconf_myaddrsport()
-{
- struct myaddrs *p;
- int n;
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "configuring default isakmp port.\n");
-
-#ifdef ENABLE_NATT
- if (natt_enabled_in_rmconf ()) {
- plog(LLV_NOTIFY, LOCATION, NULL, "NAT-T is enabled, autoconfiguring ports\n");
- for (p = lcconf->myaddrs; p; p = p->next) {
- struct myaddrs *new;
- if (! p->udp_encap) {
- new = dupmyaddr(p);
- new->udp_encap = 1;
- }
- }
- }
-#endif
-
- for (p = lcconf->myaddrs, n = 0; p; p = p->next, n++) {
- set_port (p->addr, p->udp_encap ? lcconf->port_isakmp_natt : lcconf->port_isakmp);
- }
- plog(LLV_DEBUG, LOCATION, NULL,
- "%d addrs are configured successfully\n", n);
-
- return 0;
-}
-
-/*
- * get a port number to which racoon binded.
- */
-u_short
-getmyaddrsport(local)
- struct sockaddr *local;
-{
- struct myaddrs *p, *bestmatch = NULL;
- u_short bestmatch_port = PORT_ISAKMP;
-
- /* get a relative port */
- for (p = lcconf->myaddrs; p; p = p->next) {
- if (!p->addr)
- continue;
- if (cmpsaddrwop(local, p->addr))
- continue;
-
- /* use first matching address regardless of port */
- if (!bestmatch) {
- bestmatch = p;
- continue;
- }
-
- /* matching address with port PORT_ISAKMP */
- if (extract_port(p->addr) == PORT_ISAKMP) {
- bestmatch = p;
- bestmatch_port = PORT_ISAKMP;
- }
- }
-
- return bestmatch_port;
-}
-
-struct myaddrs *
-newmyaddr()
-{
- struct myaddrs *new;
-
- new = racoon_calloc(1, sizeof(*new));
- if (new == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate buffer for myaddrs.\n");
- return NULL;
- }
-
- new->next = NULL;
- new->addr = NULL;
-
- return new;
-}
-
-struct myaddrs *
-dupmyaddr(struct myaddrs *old)
-{
- struct myaddrs *new;
-
- new = racoon_calloc(1, sizeof(*new));
- if (new == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate buffer for myaddrs.\n");
- return NULL;
- }
-
- /* Copy the whole structure and set the differences. */
- memcpy (new, old, sizeof (*new));
- new->addr = dupsaddr (old->addr);
- if (new->addr == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate buffer for myaddrs.\n");
- racoon_free(new);
- return NULL;
- }
- new->next = old->next;
- old->next = new;
-
- return new;
-}
-
-void
-insmyaddr(new, head)
- struct myaddrs *new;
- struct myaddrs **head;
-{
- new->next = *head;
- *head = new;
-}
-
-void
-delmyaddr(myaddr)
- struct myaddrs *myaddr;
-{
- if (myaddr->addr)
- racoon_free(myaddr->addr);
- racoon_free(myaddr);
-}
-
-int
-initmyaddr()
-{
- /* initialize routing socket */
- lcconf->rtsock = socket(PF_ROUTE, SOCK_RAW, PF_UNSPEC);
- if (lcconf->rtsock < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "socket(PF_ROUTE) failed: %s",
- strerror(errno));
- return -1;
- }
-
-#ifdef __linux__
- {
- struct sockaddr_nl nl;
- u_int addr_len;
-
- memset(&nl, 0, sizeof(nl));
- nl.nl_family = AF_NETLINK;
- nl.nl_groups = RTMGRP_IPV4_IFADDR|RTMGRP_LINK|RTMGRP_IPV6_IFADDR;
-
- if (bind(lcconf->rtsock, (struct sockaddr*)&nl, sizeof(nl)) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "bind(PF_NETLINK) failed: %s\n",
- strerror(errno));
- return -1;
- }
- addr_len = sizeof(nl);
- if (getsockname(lcconf->rtsock, (struct sockaddr*)&nl, &addr_len) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "getsockname(PF_NETLINK) failed: %s\n",
- strerror(errno));
- return -1;
- }
- }
-#endif
-
- if (lcconf->myaddrs == NULL && lcconf->autograbaddr == 1) {
- grab_myaddrs();
-
- if (autoconf_myaddrsport() < 0)
- return -1;
- }
-
- return 0;
-}
-
-/* select the socket to be sent */
-/* should implement other method. */
-int
-getsockmyaddr(my)
- struct sockaddr *my;
-{
- struct myaddrs *p, *lastresort = NULL;
-#if defined(INET6) && defined(__linux__)
- struct myaddrs *match_wo_scope_id = NULL;
- int check_wo_scope_id = (my->sa_family == AF_INET6) &&
- IN6_IS_ADDR_LINKLOCAL(&((struct sockaddr_in6 *)my)->sin6_addr);
-#endif
-
- for (p = lcconf->myaddrs; p; p = p->next) {
- if (p->addr == NULL)
- continue;
- if (my->sa_family == p->addr->sa_family) {
- lastresort = p;
- } else continue;
- if (sysdep_sa_len(my) == sysdep_sa_len(p->addr)
- && memcmp(my, p->addr, sysdep_sa_len(my)) == 0) {
- break;
- }
-#if defined(INET6) && defined(__linux__)
- if (check_wo_scope_id && IN6_IS_ADDR_LINKLOCAL(&((struct sockaddr_in6 *)p->addr)->sin6_addr) &&
- /* XXX: this depends on sin6_scope_id to be last
- * item in struct sockaddr_in6 */
- memcmp(my, p->addr,
- sysdep_sa_len(my) - sizeof(uint32_t)) == 0) {
- match_wo_scope_id = p;
- }
-#endif
- }
-#if defined(INET6) && defined(__linux__)
- if (!p)
- p = match_wo_scope_id;
-#endif
- if (!p)
- p = lastresort;
- if (!p) {
- plog(LLV_ERROR, LOCATION, NULL,
- "no socket matches address family %d\n",
- my->sa_family);
- return -1;
- }
-
- return p->sock;
-}
diff --git a/src/racoon/grabmyaddr.h b/src/racoon/grabmyaddr.h
deleted file mode 100644
index ac74b46..0000000
--- a/src/racoon/grabmyaddr.h
+++ /dev/null
@@ -1,56 +0,0 @@
-/* $NetBSD: grabmyaddr.h,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* Id: grabmyaddr.h,v 1.5 2004/06/11 16:00:16 ludvigm Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _GRABMYADDR_H
-#define _GRABMYADDR_H
-
-struct myaddrs {
- struct myaddrs *next;
- struct sockaddr *addr;
- int sock;
- int udp_encap;
-};
-
-extern void clear_myaddr __P((struct myaddrs **));
-extern void grab_myaddrs __P((void));
-extern int update_myaddrs __P((void));
-extern int autoconf_myaddrsport __P((void));
-extern u_short getmyaddrsport __P((struct sockaddr *));
-extern struct myaddrs *newmyaddr __P((void));
-extern struct myaddrs *dupmyaddr __P((struct myaddrs *));
-extern void insmyaddr __P((struct myaddrs *, struct myaddrs **));
-extern void delmyaddr __P((struct myaddrs *));
-extern int initmyaddr __P((void));
-extern int getsockmyaddr __P((struct sockaddr *));
-
-#endif /* _GRABMYADDR_H */
diff --git a/src/racoon/gssapi.c b/src/racoon/gssapi.c
deleted file mode 100644
index e64b201..0000000
--- a/src/racoon/gssapi.c
+++ /dev/null
@@ -1,749 +0,0 @@
-/* $NetBSD: gssapi.c,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* $KAME: gssapi.c,v 1.19 2001/04/03 15:51:55 thorpej Exp $ */
-
-/*
- * Copyright 2000 Wasabi Systems, Inc.
- * All rights reserved.
- *
- * This software was written by Frank van der Linden of Wasabi Systems
- * for Zembu Labs, Inc. http://www.zembu.com/
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of Wasabi Systems, Inc. may not be used to endorse
- * or promote products derived from this software without specific prior
- * written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY WASABI SYSTEMS, INC. ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL WASABI SYSTEMS, INC
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#ifdef HAVE_GSSAPI
-
-#include <sys/types.h>
-#include <sys/queue.h>
-#include <sys/socket.h>
-#include <netdb.h>
-#include <unistd.h>
-
-#include <stdlib.h>
-#include <string.h>
-#include <errno.h>
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "sockmisc.h"
-#include "schedule.h"
-#include "debug.h"
-
-#include "localconf.h"
-#include "remoteconf.h"
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "oakley.h"
-#include "handler.h"
-#include "ipsec_doi.h"
-#include "crypto_openssl.h"
-#include "pfkey.h"
-#include "isakmp_ident.h"
-#include "isakmp_inf.h"
-#include "vendorid.h"
-#include "gcmalloc.h"
-
-#include "gssapi.h"
-
-static void
-gssapi_error(OM_uint32 status_code, const char *where,
- const char *fmt, ...)
-{
- OM_uint32 message_context, maj_stat, min_stat;
- gss_buffer_desc status_string;
- va_list ap;
-
- va_start(ap, fmt);
- plogv(LLV_ERROR, where, NULL, fmt, ap);
- va_end(ap);
-
- message_context = 0;
-
- do {
- maj_stat = gss_display_status(&min_stat, status_code,
- GSS_C_MECH_CODE, GSS_C_NO_OID, &message_context,
- &status_string);
- if (GSS_ERROR(maj_stat))
- plog(LLV_ERROR, LOCATION, NULL,
- "UNABLE TO GET GSSAPI ERROR CODE\n");
- else {
- plog(LLV_ERROR, where, NULL,
- "%s\n", (char *)status_string.value);
- gss_release_buffer(&min_stat, &status_string);
- }
- } while (message_context != 0);
-}
-
-/*
- * vmbufs and gss_buffer_descs are really just the same on NetBSD, but
- * this is to be portable.
- */
-static int
-gssapi_vm2gssbuf(vchar_t *vmbuf, gss_buffer_t gsstoken)
-{
-
- gsstoken->value = racoon_malloc(vmbuf->l);
- if (gsstoken->value == NULL)
- return -1;
- memcpy(gsstoken->value, vmbuf->v, vmbuf->l);
- gsstoken->length = vmbuf->l;
-
- return 0;
-}
-
-static int
-gssapi_gss2vmbuf(gss_buffer_t gsstoken, vchar_t **vmbuf)
-{
-
- *vmbuf = vmalloc(gsstoken->length);
- if (*vmbuf == NULL)
- return -1;
- memcpy((*vmbuf)->v, gsstoken->value, gsstoken->length);
- (*vmbuf)->l = gsstoken->length;
-
- return 0;
-}
-
-vchar_t *
-gssapi_get_default_gss_id(void)
-{
- char name[NI_MAXHOST];
- vchar_t *gssid;
-
- if (gethostname(name, sizeof(name)) != 0) {
- plog(LLV_ERROR, LOCATION, NULL, "gethostname failed: %s\n",
- strerror(errno));
- return (NULL);
- }
- name[sizeof(name) - 1] = '\0';
-
- gssid = racoon_malloc(sizeof(*gssid));
- gssid->l = asprintf(&gssid->v, "%s/%s", GSSAPI_DEF_NAME, name);
-
- return (gssid);
-}
-
-static int
-gssapi_get_default_name(struct ph1handle *iph1, int remote, gss_name_t *service)
-{
- char name[NI_MAXHOST];
- struct sockaddr *sa;
- char* buf = NULL;
- gss_buffer_desc name_token;
- OM_uint32 min_stat, maj_stat;
-
- sa = remote ? iph1->remote : iph1->local;
-
- if (getnameinfo(sa, sysdep_sa_len(sa), name, NI_MAXHOST, NULL, 0, 0) != 0)
- return -1;
-
- name_token.length = asprintf(&buf, "%s@%s", GSSAPI_DEF_NAME, name);
- name_token.value = buf;
-
- maj_stat = gss_import_name(&min_stat, &name_token,
- GSS_C_NT_HOSTBASED_SERVICE, service);
- if (GSS_ERROR(maj_stat)) {
- gssapi_error(min_stat, LOCATION, "import name\n");
- maj_stat = gss_release_buffer(&min_stat, &name_token);
- if (GSS_ERROR(maj_stat))
- gssapi_error(min_stat, LOCATION, "release name_token");
- return -1;
- }
- maj_stat = gss_release_buffer(&min_stat, &name_token);
- if (GSS_ERROR(maj_stat))
- gssapi_error(min_stat, LOCATION, "release name_token");
-
- return 0;
-}
-
-static int
-gssapi_init(struct ph1handle *iph1)
-{
- struct gssapi_ph1_state *gps;
- gss_buffer_desc id_token, cred_token;
- gss_buffer_t cred = &cred_token;
- gss_name_t princ, canon_princ;
- OM_uint32 maj_stat, min_stat;
-
- gps = racoon_calloc(1, sizeof (struct gssapi_ph1_state));
- if (gps == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "racoon_calloc failed\n");
- return -1;
- }
- gps->gss_context = GSS_C_NO_CONTEXT;
- gps->gss_cred = GSS_C_NO_CREDENTIAL;
-
- gssapi_set_state(iph1, gps);
-
- if (iph1->rmconf->proposal->gssid != NULL) {
- id_token.length = iph1->rmconf->proposal->gssid->l;
- id_token.value = iph1->rmconf->proposal->gssid->v;
- maj_stat = gss_import_name(&min_stat, &id_token, GSS_C_NO_OID,
- &princ);
- if (GSS_ERROR(maj_stat)) {
- gssapi_error(min_stat, LOCATION, "import name\n");
- gssapi_free_state(iph1);
- return -1;
- }
- } else
- gssapi_get_default_name(iph1, 0, &princ);
-
- maj_stat = gss_canonicalize_name(&min_stat, princ, GSS_C_NO_OID,
- &canon_princ);
- if (GSS_ERROR(maj_stat)) {
- gssapi_error(min_stat, LOCATION, "canonicalize name\n");
- maj_stat = gss_release_name(&min_stat, &princ);
- if (GSS_ERROR(maj_stat))
- gssapi_error(min_stat, LOCATION, "release princ\n");
- gssapi_free_state(iph1);
- return -1;
- }
- maj_stat = gss_release_name(&min_stat, &princ);
- if (GSS_ERROR(maj_stat))
- gssapi_error(min_stat, LOCATION, "release princ\n");
-
- maj_stat = gss_export_name(&min_stat, canon_princ, cred);
- if (GSS_ERROR(maj_stat)) {
- gssapi_error(min_stat, LOCATION, "export name\n");
- maj_stat = gss_release_name(&min_stat, &canon_princ);
- if (GSS_ERROR(maj_stat))
- gssapi_error(min_stat, LOCATION,
- "release canon_princ\n");
- gssapi_free_state(iph1);
- return -1;
- }
-
-#if 0
- /*
- * XXXJRT Did this debug message ever work? This is a GSS name
- * blob at this point.
- */
- plog(LLV_DEBUG, LOCATION, NULL, "will try to acquire '%.*s' creds\n",
- cred->length, cred->value);
-#endif
-
- maj_stat = gss_release_buffer(&min_stat, cred);
- if (GSS_ERROR(maj_stat))
- gssapi_error(min_stat, LOCATION, "release cred buffer\n");
-
- maj_stat = gss_acquire_cred(&min_stat, canon_princ, GSS_C_INDEFINITE,
- GSS_C_NO_OID_SET, GSS_C_BOTH, &gps->gss_cred, NULL, NULL);
- if (GSS_ERROR(maj_stat)) {
- gssapi_error(min_stat, LOCATION, "acquire cred\n");
- maj_stat = gss_release_name(&min_stat, &canon_princ);
- if (GSS_ERROR(maj_stat))
- gssapi_error(min_stat, LOCATION,
- "release canon_princ\n");
- gssapi_free_state(iph1);
- return -1;
- }
- maj_stat = gss_release_name(&min_stat, &canon_princ);
- if (GSS_ERROR(maj_stat))
- gssapi_error(min_stat, LOCATION, "release canon_princ\n");
-
- return 0;
-}
-
-int
-gssapi_get_itoken(struct ph1handle *iph1, int *lenp)
-{
- struct gssapi_ph1_state *gps;
- gss_buffer_desc empty, name_token;
- gss_buffer_t itoken, rtoken, dummy;
- OM_uint32 maj_stat, min_stat;
- gss_name_t partner;
-
- if (gssapi_get_state(iph1) == NULL && gssapi_init(iph1) < 0)
- return -1;
-
- gps = gssapi_get_state(iph1);
-
- empty.length = 0;
- empty.value = NULL;
- dummy = &empty;
-
- if (iph1->approval != NULL && iph1->approval->gssid != NULL) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "using provided service '%.*s'\n",
- (int)iph1->approval->gssid->l, iph1->approval->gssid->v);
- name_token.length = iph1->approval->gssid->l;
- name_token.value = iph1->approval->gssid->v;
- maj_stat = gss_import_name(&min_stat, &name_token,
- GSS_C_NO_OID, &partner);
- if (GSS_ERROR(maj_stat)) {
- gssapi_error(min_stat, LOCATION, "import of %.*s\n",
- name_token.length, name_token.value);
- return -1;
- }
- } else
- if (gssapi_get_default_name(iph1, 1, &partner) < 0)
- return -1;
-
- rtoken = gps->gsscnt_p == 0 ? dummy : &gps->gss_p[gps->gsscnt_p - 1];
- itoken = &gps->gss[gps->gsscnt];
-
- gps->gss_status = gss_init_sec_context(&min_stat, gps->gss_cred,
- &gps->gss_context, partner, GSS_C_NO_OID,
- GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG |
- GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG,
- 0, GSS_C_NO_CHANNEL_BINDINGS, rtoken, NULL,
- itoken, NULL, NULL);
-
- if (GSS_ERROR(gps->gss_status)) {
- gssapi_error(min_stat, LOCATION, "init_sec_context\n");
- maj_stat = gss_release_name(&min_stat, &partner);
- if (GSS_ERROR(maj_stat))
- gssapi_error(min_stat, LOCATION, "release name\n");
- return -1;
- }
- maj_stat = gss_release_name(&min_stat, &partner);
- if (GSS_ERROR(maj_stat))
- gssapi_error(min_stat, LOCATION, "release name\n");
-
- plog(LLV_DEBUG, LOCATION, NULL, "gss_init_sec_context status %x\n",
- gps->gss_status);
-
- if (lenp)
- *lenp = itoken->length;
-
- if (itoken->length != 0)
- gps->gsscnt++;
-
- return 0;
-}
-
-/*
- * Call gss_accept_context, with token just read from the wire.
- */
-int
-gssapi_get_rtoken(struct ph1handle *iph1, int *lenp)
-{
- struct gssapi_ph1_state *gps;
- gss_buffer_desc name_token;
- gss_buffer_t itoken, rtoken;
- OM_uint32 min_stat, maj_stat;
- gss_name_t client_name;
-
- if (gssapi_get_state(iph1) == NULL && gssapi_init(iph1) < 0)
- return -1;
-
- gps = gssapi_get_state(iph1);
-
- rtoken = &gps->gss_p[gps->gsscnt_p - 1];
- itoken = &gps->gss[gps->gsscnt];
-
- gps->gss_status = gss_accept_sec_context(&min_stat, &gps->gss_context,
- gps->gss_cred, rtoken, GSS_C_NO_CHANNEL_BINDINGS, &client_name,
- NULL, itoken, NULL, NULL, NULL);
-
- if (GSS_ERROR(gps->gss_status)) {
- gssapi_error(min_stat, LOCATION, "accept_sec_context\n");
- return -1;
- }
-
- maj_stat = gss_display_name(&min_stat, client_name, &name_token, NULL);
- if (GSS_ERROR(maj_stat)) {
- gssapi_error(min_stat, LOCATION, "gss_display_name\n");
- maj_stat = gss_release_name(&min_stat, &client_name);
- if (GSS_ERROR(maj_stat))
- gssapi_error(min_stat, LOCATION,
- "release client_name\n");
- return -1;
- }
- maj_stat = gss_release_name(&min_stat, &client_name);
- if (GSS_ERROR(maj_stat))
- gssapi_error(min_stat, LOCATION, "release client_name\n");
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "gss_accept_sec_context: other side is %s\n",
- (char *)name_token.value);
- maj_stat = gss_release_buffer(&min_stat, &name_token);
- if (GSS_ERROR(maj_stat))
- gssapi_error(min_stat, LOCATION, "release name buffer\n");
-
- if (itoken->length != 0)
- gps->gsscnt++;
-
- if (lenp)
- *lenp = itoken->length;
-
- return 0;
-}
-
-int
-gssapi_save_received_token(struct ph1handle *iph1, vchar_t *token)
-{
- struct gssapi_ph1_state *gps;
- gss_buffer_t gsstoken;
- int ret;
-
- if (gssapi_get_state(iph1) == NULL && gssapi_init(iph1) < 0)
- return -1;
-
- gps = gssapi_get_state(iph1);
-
- gsstoken = &gps->gss_p[gps->gsscnt_p];
-
- ret = gssapi_vm2gssbuf(token, gsstoken);
- if (ret < 0)
- return ret;
- gps->gsscnt_p++;
-
- return 0;
-}
-
-int
-gssapi_get_token_to_send(struct ph1handle *iph1, vchar_t **token)
-{
- struct gssapi_ph1_state *gps;
- gss_buffer_t gsstoken;
- int ret;
-
- gps = gssapi_get_state(iph1);
- if (gps == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "gssapi not yet initialized?\n");
- return -1;
- }
- gsstoken = &gps->gss[gps->gsscnt - 1];
- ret = gssapi_gss2vmbuf(gsstoken, token);
- if (ret < 0)
- return ret;
-
- return 0;
-}
-
-int
-gssapi_get_itokens(struct ph1handle *iph1, vchar_t **tokens)
-{
- struct gssapi_ph1_state *gps;
- int len, i;
- vchar_t *toks;
- char *p;
-
- gps = gssapi_get_state(iph1);
- if (gps == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "gssapi not yet initialized?\n");
- return -1;
- }
-
- for (i = len = 0; i < gps->gsscnt; i++)
- len += gps->gss[i].length;
-
- toks = vmalloc(len);
- if (toks == 0)
- return -1;
- p = (char *)toks->v;
- for (i = 0; i < gps->gsscnt; i++) {
- memcpy(p, gps->gss[i].value, gps->gss[i].length);
- p += gps->gss[i].length;
- }
-
- *tokens = toks;
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "%d itokens of length %zu\n", gps->gsscnt, (*tokens)->l);
-
- return 0;
-}
-
-int
-gssapi_get_rtokens(struct ph1handle *iph1, vchar_t **tokens)
-{
- struct gssapi_ph1_state *gps;
- int len, i;
- vchar_t *toks;
- char *p;
-
- gps = gssapi_get_state(iph1);
- if (gps == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "gssapi not yet initialized?\n");
- return -1;
- }
-
- if (gssapi_more_tokens(iph1)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "gssapi roundtrips not complete\n");
- return -1;
- }
-
- for (i = len = 0; i < gps->gsscnt_p; i++)
- len += gps->gss_p[i].length;
-
- toks = vmalloc(len);
- if (toks == 0)
- return -1;
- p = (char *)toks->v;
- for (i = 0; i < gps->gsscnt_p; i++) {
- memcpy(p, gps->gss_p[i].value, gps->gss_p[i].length);
- p += gps->gss_p[i].length;
- }
-
- *tokens = toks;
-
- return 0;
-}
-
-vchar_t *
-gssapi_wraphash(struct ph1handle *iph1)
-{
- struct gssapi_ph1_state *gps;
- OM_uint32 maj_stat, min_stat;
- gss_buffer_desc hash_in_buf, hash_out_buf;
- gss_buffer_t hash_in = &hash_in_buf, hash_out = &hash_out_buf;
- vchar_t *outbuf;
-
- gps = gssapi_get_state(iph1);
- if (gps == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "gssapi not yet initialized?\n");
- return NULL;
- }
-
- if (gssapi_more_tokens(iph1)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "gssapi roundtrips not complete\n");
- return NULL;
- }
-
- if (gssapi_vm2gssbuf(iph1->hash, hash_in) < 0) {
- plog(LLV_ERROR, LOCATION, NULL, "vm2gssbuf failed\n");
- return NULL;
- }
-
- maj_stat = gss_wrap(&min_stat, gps->gss_context, 1, GSS_C_QOP_DEFAULT,
- hash_in, NULL, hash_out);
- if (GSS_ERROR(maj_stat)) {
- gssapi_error(min_stat, LOCATION, "wrapping hash value\n");
- maj_stat = gss_release_buffer(&min_stat, hash_in);
- if (GSS_ERROR(maj_stat))
- gssapi_error(min_stat, LOCATION,
- "release hash_in buffer\n");
- return NULL;
- }
-
- plog(LLV_DEBUG, LOCATION, NULL, "wrapped HASH, ilen %zu olen %zu\n",
- hash_in->length, hash_out->length);
-
- maj_stat = gss_release_buffer(&min_stat, hash_in);
- if (GSS_ERROR(maj_stat))
- gssapi_error(min_stat, LOCATION, "release hash_in buffer\n");
-
- if (gssapi_gss2vmbuf(hash_out, &outbuf) < 0) {
- plog(LLV_ERROR, LOCATION, NULL, "gss2vmbuf failed\n");
- maj_stat = gss_release_buffer(&min_stat, hash_out);
- if (GSS_ERROR(maj_stat))
- gssapi_error(min_stat, LOCATION,
- "release hash_out buffer\n");
- return NULL;
- }
- maj_stat = gss_release_buffer(&min_stat, hash_out);
- if (GSS_ERROR(maj_stat))
- gssapi_error(min_stat, LOCATION, "release hash_out buffer\n");
-
- return outbuf;
-}
-
-vchar_t *
-gssapi_unwraphash(struct ph1handle *iph1)
-{
- struct gssapi_ph1_state *gps;
- OM_uint32 maj_stat, min_stat;
- gss_buffer_desc hashbuf, hash_outbuf;
- gss_buffer_t hash_in = &hashbuf, hash_out = &hash_outbuf;
- vchar_t *outbuf;
-
- gps = gssapi_get_state(iph1);
- if (gps == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "gssapi not yet initialized?\n");
- return NULL;
- }
-
-
- hashbuf.length = ntohs(iph1->pl_hash->h.len) - sizeof(*iph1->pl_hash);
- hashbuf.value = (char *)(iph1->pl_hash + 1);
-
- plog(LLV_DEBUG, LOCATION, NULL, "unwrapping HASH of len %zu\n",
- hashbuf.length);
-
- maj_stat = gss_unwrap(&min_stat, gps->gss_context, hash_in, hash_out,
- NULL, NULL);
- if (GSS_ERROR(maj_stat)) {
- gssapi_error(min_stat, LOCATION, "unwrapping hash value\n");
- return NULL;
- }
-
- if (gssapi_gss2vmbuf(hash_out, &outbuf) < 0) {
- plog(LLV_ERROR, LOCATION, NULL, "gss2vmbuf failed\n");
- maj_stat = gss_release_buffer(&min_stat, hash_out);
- if (GSS_ERROR(maj_stat))
- gssapi_error(min_stat, LOCATION,
- "release hash_out buffer\n");
- return NULL;
- }
- maj_stat = gss_release_buffer(&min_stat, hash_out);
- if (GSS_ERROR(maj_stat))
- gssapi_error(min_stat, LOCATION, "release hash_out buffer\n");
-
- return outbuf;
-}
-
-void
-gssapi_set_id_sent(struct ph1handle *iph1)
-{
- struct gssapi_ph1_state *gps;
-
- gps = gssapi_get_state(iph1);
-
- gps->gss_flags |= GSSFLAG_ID_SENT;
-}
-
-int
-gssapi_id_sent(struct ph1handle *iph1)
-{
- struct gssapi_ph1_state *gps;
-
- gps = gssapi_get_state(iph1);
-
- return (gps->gss_flags & GSSFLAG_ID_SENT) != 0;
-}
-
-void
-gssapi_set_id_rcvd(struct ph1handle *iph1)
-{
- struct gssapi_ph1_state *gps;
-
- gps = gssapi_get_state(iph1);
-
- gps->gss_flags |= GSSFLAG_ID_RCVD;
-}
-
-int
-gssapi_id_rcvd(struct ph1handle *iph1)
-{
- struct gssapi_ph1_state *gps;
-
- gps = gssapi_get_state(iph1);
-
- return (gps->gss_flags & GSSFLAG_ID_RCVD) != 0;
-}
-
-void
-gssapi_free_state(struct ph1handle *iph1)
-{
- struct gssapi_ph1_state *gps;
- OM_uint32 maj_stat, min_stat;
-
- gps = gssapi_get_state(iph1);
-
- if (gps == NULL)
- return;
-
- gssapi_set_state(iph1, NULL);
-
- if (gps->gss_cred != GSS_C_NO_CREDENTIAL) {
- maj_stat = gss_release_cred(&min_stat, &gps->gss_cred);
- if (GSS_ERROR(maj_stat))
- gssapi_error(min_stat, LOCATION,
- "releasing credentials\n");
- }
- racoon_free(gps);
-}
-
-vchar_t *
-gssapi_get_id(struct ph1handle *iph1)
-{
- gss_buffer_desc id_buffer;
- gss_buffer_t id = &id_buffer;
- gss_name_t defname, canon_name;
- OM_uint32 min_stat, maj_stat;
- vchar_t *vmbuf;
-
- if (iph1->rmconf->proposal->gssid != NULL)
- return (vdup(iph1->rmconf->proposal->gssid));
-
- if (gssapi_get_default_name(iph1, 0, &defname) < 0)
- return NULL;
-
- maj_stat = gss_canonicalize_name(&min_stat, defname, GSS_C_NO_OID,
- &canon_name);
- if (GSS_ERROR(maj_stat)) {
- gssapi_error(min_stat, LOCATION, "canonicalize name\n");
- maj_stat = gss_release_name(&min_stat, &defname);
- if (GSS_ERROR(maj_stat))
- gssapi_error(min_stat, LOCATION,
- "release default name\n");
- return NULL;
- }
- maj_stat = gss_release_name(&min_stat, &defname);
- if (GSS_ERROR(maj_stat))
- gssapi_error(min_stat, LOCATION, "release default name\n");
-
- maj_stat = gss_export_name(&min_stat, canon_name, id);
- if (GSS_ERROR(maj_stat)) {
- gssapi_error(min_stat, LOCATION, "export name\n");
- maj_stat = gss_release_name(&min_stat, &canon_name);
- if (GSS_ERROR(maj_stat))
- gssapi_error(min_stat, LOCATION,
- "release canonical name\n");
- return NULL;
- }
- maj_stat = gss_release_name(&min_stat, &canon_name);
- if (GSS_ERROR(maj_stat))
- gssapi_error(min_stat, LOCATION, "release canonical name\n");
-
-#if 0
- /*
- * XXXJRT Did this debug message ever work? This is a GSS name
- * blob at this point.
- */
- plog(LLV_DEBUG, LOCATION, NULL, "will try to acquire '%.*s' creds\n",
- id->length, id->value);
-#endif
-
- if (gssapi_gss2vmbuf(id, &vmbuf) < 0) {
- plog(LLV_ERROR, LOCATION, NULL, "gss2vmbuf failed\n");
- maj_stat = gss_release_buffer(&min_stat, id);
- if (GSS_ERROR(maj_stat))
- gssapi_error(min_stat, LOCATION, "release id buffer\n");
- return NULL;
- }
- maj_stat = gss_release_buffer(&min_stat, id);
- if (GSS_ERROR(maj_stat))
- gssapi_error(min_stat, LOCATION, "release id buffer\n");
-
- return vmbuf;
-}
-#else
-int __gssapi_dUmMy;
-#endif
diff --git a/src/racoon/gssapi.h b/src/racoon/gssapi.h
deleted file mode 100644
index 25c6c48..0000000
--- a/src/racoon/gssapi.h
+++ /dev/null
@@ -1,91 +0,0 @@
-/* $NetBSD: gssapi.h,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* Id: gssapi.h,v 1.5 2005/02/11 06:59:01 manubsd Exp */
-
-/*
- * Copyright 2000 Wasabi Systems, Inc.
- * All rights reserved.
- *
- * This software was written by Frank van der Linden of Wasabi Systems
- * for Zembu Labs, Inc. http://www.zembu.com/
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of Wasabi Systems, Inc. may not be used to endorse
- * or promote products derived from this software without specific prior
- * written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY WASABI SYSTEMS, INC. ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL WASABI SYSTEMS, INC
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifdef __FreeBSD__
-#include "/usr/include/gssapi.h"
-#else
-#include <gssapi/gssapi.h>
-#endif
-
-#define GSSAPI_DEF_NAME "host"
-
-struct ph1handle;
-struct isakmpsa;
-
-struct gssapi_ph1_state {
- int gsscnt; /* # of token we're working on */
- int gsscnt_p; /* # of token we're working on */
-
- gss_buffer_desc gss[3]; /* gss-api tokens. */
- /* NOTE: XXX this restricts the max # */
- /* to 3. More should never happen */
-
- gss_buffer_desc gss_p[3];
-
- gss_ctx_id_t gss_context; /* context for gss_init_sec_context */
-
- OM_uint32 gss_status; /* retval from gss_init_sec_context */
- gss_cred_id_t gss_cred; /* acquired credentials */
-
- int gss_flags;
-#define GSSFLAG_ID_SENT 0x0001
-#define GSSFLAG_ID_RCVD 0x0001
-};
-
-#define gssapi_get_state(ph) \
- ((struct gssapi_ph1_state *)((ph)->gssapi_state))
-
-#define gssapi_set_state(ph, st) \
- (ph)->gssapi_state = (st)
-
-#define gssapi_more_tokens(ph) \
- ((gssapi_get_state(ph)->gss_status & GSS_S_CONTINUE_NEEDED) != 0)
-
-int gssapi_get_itoken __P((struct ph1handle *, int *));
-int gssapi_get_rtoken __P((struct ph1handle *, int *));
-int gssapi_save_received_token __P((struct ph1handle *, vchar_t *));
-int gssapi_get_token_to_send __P((struct ph1handle *, vchar_t **));
-int gssapi_get_itokens __P((struct ph1handle *, vchar_t **));
-int gssapi_get_rtokens __P((struct ph1handle *, vchar_t **));
-vchar_t *gssapi_wraphash __P((struct ph1handle *));
-vchar_t *gssapi_unwraphash __P((struct ph1handle *));
-void gssapi_set_id_sent __P((struct ph1handle *));
-int gssapi_id_sent __P((struct ph1handle *));
-void gssapi_set_id_rcvd __P((struct ph1handle *));
-int gssapi_id_rcvd __P((struct ph1handle *));
-void gssapi_free_state __P((struct ph1handle *));
-vchar_t *gssapi_get_id __P((struct ph1handle *));
-vchar_t *gssapi_get_default_gss_id __P((void));
diff --git a/src/racoon/handler.c b/src/racoon/handler.c
deleted file mode 100644
index b643256..0000000
--- a/src/racoon/handler.c
+++ /dev/null
@@ -1,1571 +0,0 @@
-/* $NetBSD: handler.c,v 1.9.6.8 2009/04/20 13:25:27 tteras Exp $ */
-
-/* Id: handler.c,v 1.28 2006/05/26 12:17:29 manubsd Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <time.h>
-#include <errno.h>
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "sockmisc.h"
-#include "debug.h"
-
-#ifdef ENABLE_HYBRID
-#include <resolv.h>
-#endif
-
-#include "schedule.h"
-#include "grabmyaddr.h"
-#include "algorithm.h"
-#include "crypto_openssl.h"
-#include "policy.h"
-#include "proposal.h"
-#include "isakmp_var.h"
-#include "evt.h"
-#include "isakmp.h"
-#ifdef ENABLE_HYBRID
-#include "isakmp_xauth.h"
-#include "isakmp_cfg.h"
-#endif
-#include "isakmp_inf.h"
-#include "oakley.h"
-#include "remoteconf.h"
-#include "localconf.h"
-#include "handler.h"
-#include "gcmalloc.h"
-#include "nattraversal.h"
-
-#include "sainfo.h"
-
-#ifdef HAVE_GSSAPI
-#include "gssapi.h"
-#endif
-
-static LIST_HEAD(_ph1tree_, ph1handle) ph1tree;
-static LIST_HEAD(_ph2tree_, ph2handle) ph2tree;
-static LIST_HEAD(_ctdtree_, contacted) ctdtree;
-static LIST_HEAD(_rcptree_, recvdpkt) rcptree;
-
-static void del_recvdpkt __P((struct recvdpkt *));
-static void rem_recvdpkt __P((struct recvdpkt *));
-static void sweep_recvdpkt __P((void *));
-
-/*
- * functions about management of the isakmp status table
- */
-/* %%% management phase 1 handler */
-/*
- * search for isakmpsa handler with isakmp index.
- */
-
-extern caddr_t val2str(const char *, size_t);
-
-struct ph1handle *
-getph1byindex(index)
- isakmp_index *index;
-{
- struct ph1handle *p;
-
- LIST_FOREACH(p, &ph1tree, chain) {
- if (p->status == PHASE1ST_EXPIRED)
- continue;
- if (memcmp(&p->index, index, sizeof(*index)) == 0)
- return p;
- }
-
- return NULL;
-}
-
-
-/*
- * search for isakmp handler by i_ck in index.
- */
-struct ph1handle *
-getph1byindex0(index)
- isakmp_index *index;
-{
- struct ph1handle *p;
-
- LIST_FOREACH(p, &ph1tree, chain) {
- if (p->status == PHASE1ST_EXPIRED)
- continue;
- if (memcmp(&p->index, index, sizeof(cookie_t)) == 0)
- return p;
- }
-
- return NULL;
-}
-
-/*
- * search for isakmpsa handler by source and remote address.
- * don't use port number to search because this function search
- * with phase 2's destinaion.
- */
-struct ph1handle *
-getph1byaddr(local, remote, established)
- struct sockaddr *local, *remote;
- int established;
-{
- struct ph1handle *p;
-
- plog(LLV_DEBUG2, LOCATION, NULL, "getph1byaddr: start\n");
- plog(LLV_DEBUG2, LOCATION, NULL, "local: %s\n", saddr2str(local));
- plog(LLV_DEBUG2, LOCATION, NULL, "remote: %s\n", saddr2str(remote));
-
- LIST_FOREACH(p, &ph1tree, chain) {
- if (p->status == PHASE1ST_EXPIRED)
- continue;
- plog(LLV_DEBUG2, LOCATION, NULL, "p->local: %s\n", saddr2str(p->local));
- plog(LLV_DEBUG2, LOCATION, NULL, "p->remote: %s\n", saddr2str(p->remote));
-
- if(established && p->status != PHASE1ST_ESTABLISHED){
- plog(LLV_DEBUG2, LOCATION, NULL, "status %d, skipping\n", p->status);
- continue;
- }
- if (CMPSADDR(local, p->local) == 0
- && CMPSADDR(remote, p->remote) == 0){
- plog(LLV_DEBUG2, LOCATION, NULL, "matched\n");
- return p;
- }
- }
-
- plog(LLV_DEBUG2, LOCATION, NULL, "no match\n");
-
- return NULL;
-}
-
-struct ph1handle *
-getph1byaddrwop(local, remote)
- struct sockaddr *local, *remote;
-{
- struct ph1handle *p;
-
- LIST_FOREACH(p, &ph1tree, chain) {
- if (p->status == PHASE1ST_EXPIRED)
- continue;
- if (cmpsaddrwop(local, p->local) == 0
- && cmpsaddrwop(remote, p->remote) == 0)
- return p;
- }
-
- return NULL;
-}
-
-/*
- * search for isakmpsa handler by remote address.
- * don't use port number to search because this function search
- * with phase 2's destinaion.
- */
-struct ph1handle *
-getph1bydstaddrwop(remote)
- struct sockaddr *remote;
-{
- struct ph1handle *p;
-
- LIST_FOREACH(p, &ph1tree, chain) {
- if (p->status == PHASE1ST_EXPIRED)
- continue;
- if (cmpsaddrwop(remote, p->remote) == 0)
- return p;
- }
-
- return NULL;
-}
-
-/*
- * dump isakmp-sa
- */
-vchar_t *
-dumpph1()
-{
- struct ph1handle *iph1;
- struct ph1dump *pd;
- int cnt = 0;
- vchar_t *buf;
-
- /* get length of buffer */
- LIST_FOREACH(iph1, &ph1tree, chain)
- cnt++;
-
- buf = vmalloc(cnt * sizeof(struct ph1dump));
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get buffer\n");
- return NULL;
- }
- pd = (struct ph1dump *)buf->v;
-
- LIST_FOREACH(iph1, &ph1tree, chain) {
- memcpy(&pd->index, &iph1->index, sizeof(iph1->index));
- pd->status = iph1->status;
- pd->side = iph1->side;
- memcpy(&pd->remote, iph1->remote, sysdep_sa_len(iph1->remote));
- memcpy(&pd->local, iph1->local, sysdep_sa_len(iph1->local));
- pd->version = iph1->version;
- pd->etype = iph1->etype;
- pd->created = iph1->created;
- pd->ph2cnt = iph1->ph2cnt;
- pd++;
- }
-
- return buf;
-}
-
-/*
- * create new isakmp Phase 1 status record to handle isakmp in Phase1
- */
-struct ph1handle *
-newph1()
-{
- struct ph1handle *iph1;
-
- /* create new iph1 */
- iph1 = racoon_calloc(1, sizeof(*iph1));
- if (iph1 == NULL)
- return NULL;
-
- iph1->status = PHASE1ST_SPAWN;
-
-#ifdef ENABLE_DPD
- iph1->dpd_support = 0;
- iph1->dpd_lastack = 0;
- iph1->dpd_seq = 0;
- iph1->dpd_fails = 0;
- iph1->dpd_r_u = NULL;
-#endif
-
- return iph1;
-}
-
-/*
- * delete new isakmp Phase 1 status record to handle isakmp in Phase1
- */
-void
-delph1(iph1)
- struct ph1handle *iph1;
-{
- if (iph1 == NULL)
- return;
-
- /* SA down shell script hook */
- script_hook(iph1, SCRIPT_PHASE1_DOWN);
-
- EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_DOWN, NULL);
-
-#ifdef ENABLE_NATT
- if (iph1->natt_flags & NAT_KA_QUEUED)
- natt_keepalive_remove (iph1->local, iph1->remote);
-
- if (iph1->natt_options) {
- racoon_free(iph1->natt_options);
- iph1->natt_options = NULL;
- }
-#endif
-
-#ifdef ENABLE_HYBRID
- if (iph1->mode_cfg)
- isakmp_cfg_rmstate(iph1);
-#endif
-
-#ifdef ENABLE_DPD
- SCHED_KILL(iph1->dpd_r_u);
-#endif
-
- if (iph1->remote) {
- racoon_free(iph1->remote);
- iph1->remote = NULL;
- }
- if (iph1->local) {
- racoon_free(iph1->local);
- iph1->local = NULL;
- }
- if (iph1->approval) {
- delisakmpsa(iph1->approval);
- iph1->approval = NULL;
- }
-
- VPTRINIT(iph1->authstr);
-
- sched_scrub_param(iph1);
- iph1->sce = NULL;
- iph1->scr = NULL;
-
- VPTRINIT(iph1->sendbuf);
-
- VPTRINIT(iph1->dhpriv);
- VPTRINIT(iph1->dhpub);
- VPTRINIT(iph1->dhpub_p);
- VPTRINIT(iph1->dhgxy);
- VPTRINIT(iph1->nonce);
- VPTRINIT(iph1->nonce_p);
- VPTRINIT(iph1->skeyid);
- VPTRINIT(iph1->skeyid_d);
- VPTRINIT(iph1->skeyid_a);
- VPTRINIT(iph1->skeyid_e);
- VPTRINIT(iph1->key);
- VPTRINIT(iph1->hash);
- VPTRINIT(iph1->sig);
- VPTRINIT(iph1->sig_p);
- oakley_delcert(iph1->cert);
- iph1->cert = NULL;
- oakley_delcert(iph1->cert_p);
- iph1->cert_p = NULL;
- oakley_delcert(iph1->crl_p);
- iph1->crl_p = NULL;
- oakley_delcert(iph1->cr_p);
- iph1->cr_p = NULL;
- VPTRINIT(iph1->id);
- VPTRINIT(iph1->id_p);
-
- if(iph1->approval != NULL)
- delisakmpsa(iph1->approval);
-
- if (iph1->ivm) {
- oakley_delivm(iph1->ivm);
- iph1->ivm = NULL;
- }
-
- VPTRINIT(iph1->sa);
- VPTRINIT(iph1->sa_ret);
-
-#ifdef HAVE_GSSAPI
- VPTRINIT(iph1->gi_i);
- VPTRINIT(iph1->gi_r);
-
- gssapi_free_state(iph1);
-#endif
-
- racoon_free(iph1);
-}
-
-/*
- * create new isakmp Phase 1 status record to handle isakmp in Phase1
- */
-int
-insph1(iph1)
- struct ph1handle *iph1;
-{
- /* validity check */
- if (iph1->remote == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid isakmp SA handler. no remote address.\n");
- return -1;
- }
- LIST_INSERT_HEAD(&ph1tree, iph1, chain);
-
- return 0;
-}
-
-void
-remph1(iph1)
- struct ph1handle *iph1;
-{
- LIST_REMOVE(iph1, chain);
-}
-
-/*
- * flush isakmp-sa
- */
-void
-flushph1()
-{
- struct ph1handle *p, *next;
-
- for (p = LIST_FIRST(&ph1tree); p; p = next) {
- next = LIST_NEXT(p, chain);
-
- /* send delete information */
- if (p->status == PHASE1ST_ESTABLISHED)
- isakmp_info_send_d1(p);
-
- remph1(p);
- delph1(p);
- }
-}
-
-void
-initph1tree()
-{
- LIST_INIT(&ph1tree);
-}
-
-/* %%% management phase 2 handler */
-/*
- * search ph2handle with policy id.
- */
-struct ph2handle *
-getph2byspid(spid)
- u_int32_t spid;
-{
- struct ph2handle *p;
-
- LIST_FOREACH(p, &ph2tree, chain) {
- /*
- * there are ph2handle independent on policy
- * such like informational exchange.
- */
- if (p->spid == spid)
- return p;
- }
-
- return NULL;
-}
-
-/*
- * search ph2handle with sequence number.
- */
-struct ph2handle *
-getph2byseq(seq)
- u_int32_t seq;
-{
- struct ph2handle *p;
-
- LIST_FOREACH(p, &ph2tree, chain) {
- if (p->seq == seq)
- return p;
- }
-
- return NULL;
-}
-
-/*
- * search ph2handle with message id.
- */
-struct ph2handle *
-getph2bymsgid(iph1, msgid)
- struct ph1handle *iph1;
- u_int32_t msgid;
-{
- struct ph2handle *p;
-
- LIST_FOREACH(p, &ph2tree, chain) {
- if (p->msgid == msgid && p->ph1 == iph1)
- return p;
- }
-
- return NULL;
-}
-
-struct ph2handle *
-getph2byid(src, dst, spid)
- struct sockaddr *src, *dst;
- u_int32_t spid;
-{
- struct ph2handle *p;
-
- LIST_FOREACH(p, &ph2tree, chain) {
- if (spid == p->spid &&
- CMPSADDR(src, p->src) == 0 &&
- CMPSADDR(dst, p->dst) == 0){
- /* Sanity check to detect zombie handlers
- * XXX Sould be done "somewhere" more interesting,
- * because we have lots of getph2byxxxx(), but this one
- * is called by pk_recvacquire(), so is the most important.
- */
- if(p->status < PHASE2ST_ESTABLISHED &&
- p->retry_counter == 0
- && p->sce == NULL && p->scr == NULL){
- plog(LLV_DEBUG, LOCATION, NULL,
- "Zombie ph2 found, expiring it\n");
- isakmp_ph2expire(p);
- }else
- return p;
- }
- }
-
- return NULL;
-}
-
-struct ph2handle *
-getph2bysaddr(src, dst)
- struct sockaddr *src, *dst;
-{
- struct ph2handle *p;
-
- LIST_FOREACH(p, &ph2tree, chain) {
- if (cmpsaddrstrict(src, p->src) == 0 &&
- cmpsaddrstrict(dst, p->dst) == 0)
- return p;
- }
-
- return NULL;
-}
-
-/*
- * call by pk_recvexpire().
- */
-struct ph2handle *
-getph2bysaidx(src, dst, proto_id, spi)
- struct sockaddr *src, *dst;
- u_int proto_id;
- u_int32_t spi;
-{
- struct ph2handle *iph2;
- struct saproto *pr;
-
- LIST_FOREACH(iph2, &ph2tree, chain) {
- if (iph2->proposal == NULL && iph2->approval == NULL)
- continue;
- if (iph2->approval != NULL) {
- for (pr = iph2->approval->head; pr != NULL;
- pr = pr->next) {
- if (proto_id != pr->proto_id)
- break;
- if (spi == pr->spi || spi == pr->spi_p)
- return iph2;
- }
- } else if (iph2->proposal != NULL) {
- for (pr = iph2->proposal->head; pr != NULL;
- pr = pr->next) {
- if (proto_id != pr->proto_id)
- break;
- if (spi == pr->spi)
- return iph2;
- }
- }
- }
-
- return NULL;
-}
-
-/*
- * create new isakmp Phase 2 status record to handle isakmp in Phase2
- */
-struct ph2handle *
-newph2()
-{
- struct ph2handle *iph2 = NULL;
-
- /* create new iph2 */
- iph2 = racoon_calloc(1, sizeof(*iph2));
- if (iph2 == NULL)
- return NULL;
-
- iph2->status = PHASE1ST_SPAWN;
-
- return iph2;
-}
-
-/*
- * initialize ph2handle
- * NOTE: don't initialize src/dst.
- * SPI in the proposal is cleared.
- */
-void
-initph2(iph2)
- struct ph2handle *iph2;
-{
- sched_scrub_param(iph2);
- iph2->sce = NULL;
- iph2->scr = NULL;
-
- VPTRINIT(iph2->sendbuf);
- VPTRINIT(iph2->msg1);
-
- /* clear spi, keep variables in the proposal */
- if (iph2->proposal) {
- struct saproto *pr;
- for (pr = iph2->proposal->head; pr != NULL; pr = pr->next)
- pr->spi = 0;
- }
-
- /* clear approval */
- if (iph2->approval) {
- flushsaprop(iph2->approval);
- iph2->approval = NULL;
- }
-
- /* clear the generated policy */
- if (iph2->spidx_gen) {
- delsp_bothdir((struct policyindex *)iph2->spidx_gen);
- racoon_free(iph2->spidx_gen);
- iph2->spidx_gen = NULL;
- }
-
- if (iph2->pfsgrp) {
- oakley_dhgrp_free(iph2->pfsgrp);
- iph2->pfsgrp = NULL;
- }
-
- VPTRINIT(iph2->dhpriv);
- VPTRINIT(iph2->dhpub);
- VPTRINIT(iph2->dhpub_p);
- VPTRINIT(iph2->dhgxy);
- VPTRINIT(iph2->id);
- VPTRINIT(iph2->id_p);
- VPTRINIT(iph2->nonce);
- VPTRINIT(iph2->nonce_p);
- VPTRINIT(iph2->sa);
- VPTRINIT(iph2->sa_ret);
-
- if (iph2->ivm) {
- oakley_delivm(iph2->ivm);
- iph2->ivm = NULL;
- }
-}
-
-/*
- * delete new isakmp Phase 2 status record to handle isakmp in Phase2
- */
-void
-delph2(iph2)
- struct ph2handle *iph2;
-{
- initph2(iph2);
-
- if (iph2->src) {
- racoon_free(iph2->src);
- iph2->src = NULL;
- }
- if (iph2->dst) {
- racoon_free(iph2->dst);
- iph2->dst = NULL;
- }
- if (iph2->src_id) {
- racoon_free(iph2->src_id);
- iph2->src_id = NULL;
- }
- if (iph2->dst_id) {
- racoon_free(iph2->dst_id);
- iph2->dst_id = NULL;
- }
-
- if (iph2->proposal) {
- flushsaprop(iph2->proposal);
- iph2->proposal = NULL;
- }
-
- racoon_free(iph2);
-}
-
-/*
- * create new isakmp Phase 2 status record to handle isakmp in Phase2
- */
-int
-insph2(iph2)
- struct ph2handle *iph2;
-{
- LIST_INSERT_HEAD(&ph2tree, iph2, chain);
-
- return 0;
-}
-
-void
-remph2(iph2)
- struct ph2handle *iph2;
-{
- LIST_REMOVE(iph2, chain);
-}
-
-void
-initph2tree()
-{
- LIST_INIT(&ph2tree);
-}
-
-void
-flushph2()
-{
- struct ph2handle *p, *next;
-
- plog(LLV_DEBUG2, LOCATION, NULL,
- "flushing all ph2 handlers...\n");
-
- for (p = LIST_FIRST(&ph2tree); p; p = next) {
- next = LIST_NEXT(p, chain);
-
- /* send delete information */
- if (p->status == PHASE2ST_ESTABLISHED){
- plog(LLV_DEBUG2, LOCATION, NULL,
- "got a ph2 handler to flush...\n");
- isakmp_info_send_d2(p);
- }else{
- plog(LLV_DEBUG2, LOCATION, NULL,
- "skipping ph2 handler (state %d)\n", p->status);
- }
-
- delete_spd(p, 0);
- unbindph12(p);
- remph2(p);
- delph2(p);
- }
-}
-
-/*
- * Delete all Phase 2 handlers for this src/dst/proto. This
- * is used during INITIAL-CONTACT processing (so no need to
- * send a message to the peer).
- */
-void
-deleteallph2(src, dst, proto_id)
- struct sockaddr *src, *dst;
- u_int proto_id;
-{
- struct ph2handle *iph2, *next;
- struct saproto *pr;
-
- for (iph2 = LIST_FIRST(&ph2tree); iph2 != NULL; iph2 = next) {
- next = LIST_NEXT(iph2, chain);
- if (iph2->proposal == NULL && iph2->approval == NULL)
- continue;
- if (iph2->approval != NULL) {
- for (pr = iph2->approval->head; pr != NULL;
- pr = pr->next) {
- if (proto_id == pr->proto_id)
- goto zap_it;
- }
- } else if (iph2->proposal != NULL) {
- for (pr = iph2->proposal->head; pr != NULL;
- pr = pr->next) {
- if (proto_id == pr->proto_id)
- goto zap_it;
- }
- }
- continue;
- zap_it:
- unbindph12(iph2);
- remph2(iph2);
- delph2(iph2);
- }
-}
-
-/* %%% */
-void
-bindph12(iph1, iph2)
- struct ph1handle *iph1;
- struct ph2handle *iph2;
-{
- iph2->ph1 = iph1;
- LIST_INSERT_HEAD(&iph1->ph2tree, iph2, ph1bind);
-}
-
-void
-unbindph12(iph2)
- struct ph2handle *iph2;
-{
- if (iph2->ph1 != NULL) {
- iph2->ph1 = NULL;
- LIST_REMOVE(iph2, ph1bind);
- }
-}
-
-/* %%% management contacted list */
-/*
- * search contacted list.
- */
-struct contacted *
-getcontacted(remote)
- struct sockaddr *remote;
-{
- struct contacted *p;
-
- LIST_FOREACH(p, &ctdtree, chain) {
- if (cmpsaddrstrict(remote, p->remote) == 0)
- return p;
- }
-
- return NULL;
-}
-
-/*
- * create new isakmp Phase 2 status record to handle isakmp in Phase2
- */
-int
-inscontacted(remote)
- struct sockaddr *remote;
-{
- struct contacted *new;
-
- /* create new iph2 */
- new = racoon_calloc(1, sizeof(*new));
- if (new == NULL)
- return -1;
-
- new->remote = dupsaddr(remote);
- if (new->remote == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate buffer.\n");
- racoon_free(new);
- return -1;
- }
-
- LIST_INSERT_HEAD(&ctdtree, new, chain);
-
- return 0;
-}
-
-void
-initctdtree()
-{
- LIST_INIT(&ctdtree);
-}
-
-/*
- * check the response has been sent to the peer. when not, simply reply
- * the buffered packet to the peer.
- * OUT:
- * 0: the packet is received at the first time.
- * 1: the packet was processed before.
- * 2: the packet was processed before, but the address mismatches.
- * -1: error happened.
- */
-int
-check_recvdpkt(remote, local, rbuf)
- struct sockaddr *remote, *local;
- vchar_t *rbuf;
-{
- vchar_t *hash;
- struct recvdpkt *r;
- time_t t;
- int len, s;
-
- /* set current time */
- t = time(NULL);
-
- hash = eay_md5_one(rbuf);
- if (!hash) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate buffer.\n");
- return -1;
- }
-
- LIST_FOREACH(r, &rcptree, chain) {
- if (memcmp(hash->v, r->hash->v, r->hash->l) == 0)
- break;
- }
- vfree(hash);
-
- /* this is the first time to receive the packet */
- if (r == NULL)
- return 0;
-
- /*
- * the packet was processed before, but the remote address mismatches.
- */
- if (cmpsaddrstrict(remote, r->remote) != 0)
- return 2;
-
- /*
- * it should not check the local address because the packet
- * may arrive at other interface.
- */
-
- /* check the previous time to send */
- if (t - r->time_send < 1) {
- plog(LLV_WARNING, LOCATION, NULL,
- "the packet retransmitted in a short time from %s\n",
- saddr2str(remote));
- /*XXX should it be error ? */
- }
-
- /* select the socket to be sent */
- s = getsockmyaddr(r->local);
- if (s == -1)
- return -1;
-
- /* resend the packet if needed */
- len = sendfromto(s, r->sendbuf->v, r->sendbuf->l,
- r->local, r->remote, lcconf->count_persend);
- if (len == -1) {
- plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n");
- return -1;
- }
-
- /* check the retry counter */
- r->retry_counter--;
- if (r->retry_counter <= 0) {
- rem_recvdpkt(r);
- del_recvdpkt(r);
- plog(LLV_DEBUG, LOCATION, NULL,
- "deleted the retransmission packet to %s.\n",
- saddr2str(remote));
- } else
- r->time_send = t;
-
- return 1;
-}
-
-/*
- * adding a hash of received packet into the received list.
- */
-int
-add_recvdpkt(remote, local, sbuf, rbuf)
- struct sockaddr *remote, *local;
- vchar_t *sbuf, *rbuf;
-{
- struct recvdpkt *new = NULL;
-
- if (lcconf->retry_counter == 0) {
- /* no need to add it */
- return 0;
- }
-
- new = racoon_calloc(1, sizeof(*new));
- if (!new) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate buffer.\n");
- return -1;
- }
-
- new->hash = eay_md5_one(rbuf);
- if (!new->hash) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate buffer.\n");
- del_recvdpkt(new);
- return -1;
- }
- new->remote = dupsaddr(remote);
- if (new->remote == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate buffer.\n");
- del_recvdpkt(new);
- return -1;
- }
- new->local = dupsaddr(local);
- if (new->local == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate buffer.\n");
- del_recvdpkt(new);
- return -1;
- }
- new->sendbuf = vdup(sbuf);
- if (new->sendbuf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate buffer.\n");
- del_recvdpkt(new);
- return -1;
- }
-
- new->retry_counter = lcconf->retry_counter;
- new->time_send = 0;
- new->created = time(NULL);
-
- LIST_INSERT_HEAD(&rcptree, new, chain);
-
- return 0;
-}
-
-void
-del_recvdpkt(r)
- struct recvdpkt *r;
-{
- if (r->remote)
- racoon_free(r->remote);
- if (r->local)
- racoon_free(r->local);
- if (r->hash)
- vfree(r->hash);
- if (r->sendbuf)
- vfree(r->sendbuf);
- racoon_free(r);
-}
-
-void
-rem_recvdpkt(r)
- struct recvdpkt *r;
-{
- LIST_REMOVE(r, chain);
-}
-
-void
-sweep_recvdpkt(dummy)
- void *dummy;
-{
- struct recvdpkt *r, *next;
- time_t t, lt;
-
- /* set current time */
- t = time(NULL);
-
- /* set the lifetime of the retransmission */
- lt = lcconf->retry_counter * lcconf->retry_interval;
-
- for (r = LIST_FIRST(&rcptree); r; r = next) {
- next = LIST_NEXT(r, chain);
-
- if (t - r->created > lt) {
- rem_recvdpkt(r);
- del_recvdpkt(r);
- }
- }
-
- sched_new(lt, sweep_recvdpkt, NULL);
-}
-
-void
-init_recvdpkt()
-{
- time_t lt = lcconf->retry_counter * lcconf->retry_interval;
-
- LIST_INIT(&rcptree);
-
- sched_new(lt, sweep_recvdpkt, NULL);
-}
-
-#ifdef ENABLE_HYBRID
-/*
- * Retruns 0 if the address was obtained by ISAKMP mode config, 1 otherwise
- * This should be in isakmp_cfg.c but ph1tree being private, it must be there
- */
-int
-exclude_cfg_addr(addr)
- const struct sockaddr *addr;
-{
- struct ph1handle *p;
- struct sockaddr_in *sin;
-
- LIST_FOREACH(p, &ph1tree, chain) {
- if ((p->mode_cfg != NULL) &&
- (p->mode_cfg->flags & ISAKMP_CFG_GOT_ADDR4) &&
- (addr->sa_family == AF_INET)) {
- sin = (struct sockaddr_in *)addr;
- if (sin->sin_addr.s_addr == p->mode_cfg->addr4.s_addr)
- return 0;
- }
- }
-
- return 1;
-}
-#endif
-
-
-
-/*
- * Reload conf code
- */
-static int revalidate_ph2(struct ph2handle *iph2){
- struct sainfoalg *alg;
- int found, check_level;
- struct sainfo *sainfo;
- struct saprop *approval;
- struct ph1handle *iph1;
-
- /*
- * Get the new sainfo using values of the old one
- */
- if (iph2->sainfo != NULL) {
- iph2->sainfo = getsainfo(iph2->sainfo->idsrc,
- iph2->sainfo->iddst, iph2->sainfo->id_i,
- iph2->sainfo->remoteid);
- }
- approval = iph2->approval;
- sainfo = iph2->sainfo;
-
- if (sainfo == NULL) {
- /*
- * Sainfo has been removed
- */
- plog(LLV_DEBUG, LOCATION, NULL,
- "Reload: No sainfo for ph2\n");
- return 0;
- }
-
- if (approval == NULL) {
- /*
- * XXX why do we have a NULL approval sometimes ???
- */
- plog(LLV_DEBUG, LOCATION, NULL,
- "No approval found !\n");
- return 0;
- }
-
- /*
- * Don't care about proposals, should we do something ?
- * We have to keep iph2->proposal valid at least for initiator,
- * for pk_sendgetspi()
- */
-
- plog(LLV_DEBUG, LOCATION, NULL, "active single bundle:\n");
- printsaprop0(LLV_DEBUG, approval);
-
- /*
- * Validate approval against sainfo
- * Note: we must have an updated ph1->rmconf before doing that,
- * we'll set check_level to EXACT if we don't have a ph1
- * XXX try tu find the new remote section to get the new check level ?
- * XXX lifebyte
- */
- if (iph2->ph1 != NULL)
- iph1=iph2->ph1;
- else
- iph1=getph1byaddr(iph2->src, iph2->dst, 0);
-
- if(iph1 != NULL && iph1->rmconf != NULL) {
- check_level = iph1->rmconf->pcheck_level;
- } else {
- if(iph1 != NULL)
- plog(LLV_DEBUG, LOCATION, NULL, "No phase1 rmconf found !\n");
- else
- plog(LLV_DEBUG, LOCATION, NULL, "No phase1 found !\n");
- check_level = PROP_CHECK_EXACT;
- }
-
- switch (check_level) {
- case PROP_CHECK_OBEY:
- plog(LLV_DEBUG, LOCATION, NULL,
- "Reload: OBEY for ph2, ok\n");
- return 1;
- break;
-
- case PROP_CHECK_STRICT:
- /* FALLTHROUGH */
- case PROP_CHECK_CLAIM:
- if (sainfo->lifetime < approval->lifetime) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "Reload: lifetime mismatch\n");
- return 0;
- }
-
-#if 0
- /* Lifebyte is deprecated, just ignore it
- */
- if (sainfo->lifebyte < approval->lifebyte) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "Reload: lifebyte mismatch\n");
- return 0;
- }
-#endif
-
- if (sainfo->pfs_group &&
- sainfo->pfs_group != approval->pfs_group) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "Reload: PFS group mismatch\n");
- return 0;
- }
- break;
-
- case PROP_CHECK_EXACT:
- if (sainfo->lifetime != approval->lifetime ||
-#if 0
- /* Lifebyte is deprecated, just ignore it
- */
- sainfo->lifebyte != approval->lifebyte ||
-#endif
- sainfo->pfs_group != iph2->approval->pfs_group) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "Reload: lifetime | pfs mismatch\n");
- return 0;
- }
- break;
-
- default:
- plog(LLV_DEBUG, LOCATION, NULL,
- "Reload: Shouldn't be here !\n");
- return 0;
- break;
- }
-
- for (alg = sainfo->algs[algclass_ipsec_auth]; alg; alg = alg->next) {
- if (alg->alg == approval->head->head->authtype)
- break;
- }
- if (alg == NULL) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "Reload: alg == NULL (auth)\n");
- return 0;
- }
-
- found = 0;
- for (alg = sainfo->algs[algclass_ipsec_enc];
- (found == 0 && alg != NULL); alg = alg->next) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "Reload: next ph2 enc alg...\n");
-
- if (alg->alg != approval->head->head->trns_id){
- plog(LLV_DEBUG, LOCATION, NULL,
- "Reload: encmode mismatch (%d / %d)\n",
- alg->alg, approval->head->head->trns_id);
- continue;
- }
-
- switch (check_level){
- /* PROP_CHECK_STRICT cannot happen here */
- case PROP_CHECK_EXACT:
- if (alg->encklen != approval->head->head->encklen) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "Reload: enclen mismatch\n");
- continue;
- }
- break;
-
- case PROP_CHECK_CLAIM:
- /* FALLTHROUGH */
- case PROP_CHECK_STRICT:
- if (alg->encklen > approval->head->head->encklen) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "Reload: enclen mismatch\n");
- continue;
- }
- break;
-
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "unexpected check_level\n");
- continue;
- break;
- }
- found = 1;
- }
-
- if (!found){
- plog(LLV_DEBUG, LOCATION, NULL,
- "Reload: No valid enc\n");
- return 0;
- }
-
- /*
- * XXX comp
- */
- plog(LLV_DEBUG, LOCATION, NULL,
- "Reload: ph2 check ok\n");
-
- return 1;
-}
-
-
-static void
-remove_ph2(struct ph2handle *iph2)
-{
- u_int32_t spis[2];
-
- if(iph2 == NULL)
- return;
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "Deleting a Ph2...\n");
-
- if (iph2->status == PHASE2ST_ESTABLISHED)
- isakmp_info_send_d2(iph2);
-
- if(iph2->approval != NULL && iph2->approval->head != NULL){
- spis[0]=iph2->approval->head->spi;
- spis[1]=iph2->approval->head->spi_p;
-
- /* purge_ipsec_spi() will do all the work:
- * - delete SPIs in kernel
- * - delete generated SPD
- * - unbind / rem / del ph2
- */
- purge_ipsec_spi(iph2->dst, iph2->approval->head->proto_id,
- spis, 2);
- }else{
- unbindph12(iph2);
- remph2(iph2);
- delph2(iph2);
- }
-}
-
-static void remove_ph1(struct ph1handle *iph1){
- struct ph2handle *iph2, *iph2_next;
-
- if(iph1 == NULL)
- return;
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "Removing PH1...\n");
-
- if (iph1->status == PHASE1ST_ESTABLISHED){
- for (iph2 = LIST_FIRST(&iph1->ph2tree); iph2; iph2 = iph2_next) {
- iph2_next = LIST_NEXT(iph2, chain);
- remove_ph2(iph2);
- }
- isakmp_info_send_d1(iph1);
- }
- iph1->status = PHASE1ST_EXPIRED;
- iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
-}
-
-
-static int revalidate_ph1tree_rmconf(void){
- struct ph1handle *p, *next;
- struct remoteconf *newrmconf;
-
- for (p = LIST_FIRST(&ph1tree); p; p = next) {
- next = LIST_NEXT(p, chain);
-
- if (p->status == PHASE1ST_EXPIRED)
- continue;
-
- newrmconf=getrmconf(p->remote);
- if(newrmconf == NULL){
- p->rmconf = NULL;
- remove_ph1(p);
- }else{
- /* Do not free old rmconf, it is just a pointer to an entry in rmtree
- */
- p->rmconf=newrmconf;
- if(p->approval != NULL){
- struct isakmpsa *tmpsa;
-
- tmpsa=dupisakmpsa(p->approval);
- if(tmpsa != NULL){
- delisakmpsa(p->approval);
- p->approval=tmpsa;
- p->approval->rmconf=newrmconf;
- }
- }
- }
- }
-
- return 1;
-}
-
-
-/* rmconf is already updated here
- */
-static int revalidate_ph1(struct ph1handle *iph1){
- struct isakmpsa *p, *approval;
- struct etypes *e;
-
- if(iph1 == NULL ||
- iph1->approval == NULL ||
- iph1->rmconf == NULL)
- return 0;
-
- approval=iph1->approval;
-
- for (e = iph1->rmconf->etypes; e != NULL; e = e->next){
- if (iph1->etype == e->type)
- break;
- }
-
- if (e == NULL){
- plog(LLV_DEBUG, LOCATION, NULL,
- "Reload: Exchange type mismatch\n");
- return 0;
- }
-
- if (iph1->etype == ISAKMP_ETYPE_AGG &&
- approval->dh_group != iph1->rmconf->dh_group){
- plog(LLV_DEBUG, LOCATION, NULL,
- "Reload: DH mismatch\n");
- return 0;
- }
-
- for (p=iph1->rmconf->proposal; p != NULL; p=p->next){
- plog(LLV_DEBUG, LOCATION, NULL,
- "Reload: Trying next proposal...\n");
-
- if(approval->authmethod != p->authmethod){
- plog(LLV_DEBUG, LOCATION, NULL,
- "Reload: Authmethod mismatch\n");
- continue;
- }
-
- if(approval->enctype != p->enctype){
- plog(LLV_DEBUG, LOCATION, NULL,
- "Reload: enctype mismatch\n");
- continue;
- }
-
- switch (iph1->rmconf->pcheck_level) {
- case PROP_CHECK_OBEY:
- plog(LLV_DEBUG, LOCATION, NULL,
- "Reload: OBEY pcheck level, ok...\n");
- return 1;
- break;
-
- case PROP_CHECK_CLAIM:
- /* FALLTHROUGH */
- case PROP_CHECK_STRICT:
- if (approval->encklen < p->encklen) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "Reload: encklen mismatch\n");
- continue;
- }
-
- if (approval->lifetime > p->lifetime) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "Reload: lifetime mismatch\n");
- continue;
- }
-
-#if 0
- /* Lifebyte is deprecated, just ignore it
- */
- if (approval->lifebyte > p->lifebyte) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "Reload: lifebyte mismatch\n");
- continue;
- }
-#endif
- break;
-
- case PROP_CHECK_EXACT:
- if (approval->encklen != p->encklen) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "Reload: encklen mismatch\n");
- continue;
- }
-
- if (approval->lifetime != p->lifetime) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "Reload: lifetime mismatch\n");
- continue;
- }
-
-#if 0
- /* Lifebyte is deprecated, just ignore it
- */
- if (approval->lifebyte != p->lifebyte) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "Reload: lifebyte mismatch\n");
- continue;
- }
-#endif
- break;
-
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "unexpected check_level\n");
- continue;
- break;
- }
-
- if (approval->hashtype != p->hashtype) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "Reload: hashtype mismatch\n");
- continue;
- }
-
- if (iph1->etype != ISAKMP_ETYPE_AGG &&
- approval->dh_group != p->dh_group) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "Reload: dhgroup mismatch\n");
- continue;
- }
-
- plog(LLV_DEBUG, LOCATION, NULL, "Reload: Conf ok\n");
- return 1;
- }
-
- plog(LLV_DEBUG, LOCATION, NULL, "Reload: No valid conf found\n");
- return 0;
-}
-
-
-static int revalidate_ph1tree(void){
- struct ph1handle *p, *next;
-
- for (p = LIST_FIRST(&ph1tree); p; p = next) {
- next = LIST_NEXT(p, chain);
-
- if (p->status == PHASE1ST_EXPIRED)
- continue;
-
- if(!revalidate_ph1(p))
- remove_ph1(p);
- }
-
- return 1;
-}
-
-static int revalidate_ph2tree(void){
- struct ph2handle *p, *next;
-
- for (p = LIST_FIRST(&ph2tree); p; p = next) {
- next = LIST_NEXT(p, chain);
-
- if (p->status == PHASE2ST_EXPIRED)
- continue;
-
- if(!revalidate_ph2(p)){
- plog(LLV_DEBUG, LOCATION, NULL,
- "PH2 not validated, removing it\n");
- remove_ph2(p);
- }
- }
-
- return 1;
-}
-
-int
-revalidate_ph12(void)
-{
-
- revalidate_ph1tree_rmconf();
-
- revalidate_ph2tree();
- revalidate_ph1tree();
-
- return 1;
-}
-
-#ifdef ENABLE_HYBRID
-struct ph1handle *
-getph1bylogin(login)
- char *login;
-{
- struct ph1handle *p;
-
- LIST_FOREACH(p, &ph1tree, chain) {
- if (p->mode_cfg == NULL)
- continue;
- if (strncmp(p->mode_cfg->login, login, LOGINLEN) == 0)
- return p;
- }
-
- return NULL;
-}
-
-int
-purgeph1bylogin(login)
- char *login;
-{
- struct ph1handle *p;
- int found = 0;
-
- LIST_FOREACH(p, &ph1tree, chain) {
- if (p->mode_cfg == NULL)
- continue;
- if (strncmp(p->mode_cfg->login, login, LOGINLEN) == 0) {
- if (p->status == PHASE1ST_ESTABLISHED)
- isakmp_info_send_d1(p);
- purge_remote(p);
- found++;
- }
- }
-
- return found;
-}
-#endif
diff --git a/src/racoon/handler.h b/src/racoon/handler.h
deleted file mode 100644
index a52dc6c..0000000
--- a/src/racoon/handler.h
+++ /dev/null
@@ -1,483 +0,0 @@
-/* $NetBSD: handler.h,v 1.9.6.1 2008/01/11 14:12:01 vanhu Exp $ */
-
-/* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _HANDLER_H
-#define _HANDLER_H
-
-#include <sys/queue.h>
-#include <openssl/rsa.h>
-
-#include <sys/time.h>
-
-#include "isakmp_var.h"
-#include "oakley.h"
-
-/* Phase 1 handler */
-/*
- * main mode:
- * initiator responder
- * 0 (---) (---)
- * 1 start start (1st msg received)
- * 2 (---) 1st valid msg received
- * 3 1st msg sent 1st msg sent
- * 4 1st valid msg received 2st valid msg received
- * 5 2nd msg sent 2nd msg sent
- * 6 2nd valid msg received 3rd valid msg received
- * 7 3rd msg sent 3rd msg sent
- * 8 3rd valid msg received (---)
- * 9 SA established SA established
- *
- * aggressive mode:
- * initiator responder
- * 0 (---) (---)
- * 1 start start (1st msg received)
- * 2 (---) 1st valid msg received
- * 3 1st msg sent 1st msg sent
- * 4 1st valid msg received 2st valid msg received
- * 5 (---) (---)
- * 6 (---) (---)
- * 7 (---) (---)
- * 8 (---) (---)
- * 9 SA established SA established
- *
- * base mode:
- * initiator responder
- * 0 (---) (---)
- * 1 start start (1st msg received)
- * 2 (---) 1st valid msg received
- * 3 1st msg sent 1st msg sent
- * 4 1st valid msg received 2st valid msg received
- * 5 2nd msg sent (---)
- * 6 (---) (---)
- * 7 (---) (---)
- * 8 (---) (---)
- * 9 SA established SA established
- */
-#define PHASE1ST_SPAWN 0
-#define PHASE1ST_START 1
-#define PHASE1ST_MSG1RECEIVED 2
-#define PHASE1ST_MSG1SENT 3
-#define PHASE1ST_MSG2RECEIVED 4
-#define PHASE1ST_MSG2SENT 5
-#define PHASE1ST_MSG3RECEIVED 6
-#define PHASE1ST_MSG3SENT 7
-#define PHASE1ST_MSG4RECEIVED 8
-#define PHASE1ST_ESTABLISHED 9
-#define PHASE1ST_EXPIRED 10
-#define PHASE1ST_MAX 11
-
-/* About address semantics in each case.
- * initiator(addr=I) responder(addr=R)
- * src dst src dst
- * (local) (remote) (local) (remote)
- * phase 1 handler I R R I
- * phase 2 handler I R R I
- * getspi msg R I I R
- * acquire msg I R
- * ID payload I R I R
- */
-#ifdef ENABLE_HYBRID
-struct isakmp_cfg_state;
-#endif
-struct ph1handle {
- isakmp_index index;
-
- int status; /* status of this SA */
- int side; /* INITIATOR or RESPONDER */
-
- struct sockaddr *remote; /* remote address to negosiate ph1 */
- struct sockaddr *local; /* local address to negosiate ph1 */
- /* XXX copy from rmconf due to anonymous configuration.
- * If anonymous will be forbidden, we do delete them. */
-
- struct remoteconf *rmconf; /* pointer to remote configuration */
-
- struct isakmpsa *approval; /* pointer to SA(s) approved. */
- vchar_t *authstr; /* place holder of string for auth. */
- /* for example pre-shared key */
-
- u_int8_t version; /* ISAKMP version */
- u_int8_t etype; /* Exchange type actually for use */
- u_int8_t flags; /* Flags */
- u_int32_t msgid; /* message id */
-
-#ifdef ENABLE_NATT
- struct ph1natt_options *natt_options; /* Selected NAT-T IKE version */
- u_int32_t natt_flags; /* NAT-T related flags */
-#endif
-#ifdef ENABLE_FRAG
- int frag; /* IKE phase 1 fragmentation */
- struct isakmp_frag_item *frag_chain; /* Received fragments */
-#endif
-
- struct sched *sce; /* schedule for expire */
-
- struct sched *scr; /* schedule for resend */
- int retry_counter; /* for resend. */
- vchar_t *sendbuf; /* buffer for re-sending */
-
- vchar_t *dhpriv; /* DH; private value */
- vchar_t *dhpub; /* DH; public value */
- vchar_t *dhpub_p; /* DH; partner's public value */
- vchar_t *dhgxy; /* DH; shared secret */
- vchar_t *nonce; /* nonce value */
- vchar_t *nonce_p; /* partner's nonce value */
- vchar_t *skeyid; /* SKEYID */
- vchar_t *skeyid_d; /* SKEYID_d */
- vchar_t *skeyid_a; /* SKEYID_a, i.e. hash */
- vchar_t *skeyid_e; /* SKEYID_e, i.e. encryption */
- vchar_t *key; /* cipher key */
- vchar_t *hash; /* HASH minus general header */
- vchar_t *sig; /* SIG minus general header */
- vchar_t *sig_p; /* peer's SIG minus general header */
- cert_t *cert; /* CERT minus general header */
- cert_t *cert_p; /* peer's CERT minus general header */
- cert_t *crl_p; /* peer's CRL minus general header */
- cert_t *cr_p; /* peer's CR not including general */
- RSA *rsa; /* my RSA key */
- RSA *rsa_p; /* peer's RSA key */
- struct genlist *rsa_candidates; /* possible candidates for peer's RSA key */
- vchar_t *id; /* ID minus gen header */
- vchar_t *id_p; /* partner's ID minus general header */
- /* i.e. struct ipsecdoi_id_b*. */
- struct isakmp_ivm *ivm; /* IVs */
-
- vchar_t *sa; /* whole SA payload to send/to be sent*/
- /* to calculate HASH */
- /* NOT INCLUDING general header. */
-
- vchar_t *sa_ret; /* SA payload to reply/to be replyed */
- /* NOT INCLUDING general header. */
- /* NOTE: Should be release after use. */
-
-#ifdef HAVE_GSSAPI
- void *gssapi_state; /* GSS-API specific state. */
- /* Allocated when needed */
- vchar_t *gi_i; /* optional initiator GSS id */
- vchar_t *gi_r; /* optional responder GSS id */
-#endif
-
- struct isakmp_pl_hash *pl_hash; /* pointer to hash payload */
-
- time_t created; /* timestamp for establish */
-#ifdef ENABLE_STATS
- struct timeval start;
- struct timeval end;
-#endif
-
-#ifdef ENABLE_DPD
- int dpd_support; /* Does remote supports DPD ? */
- time_t dpd_lastack; /* Last ack received */
- u_int16_t dpd_seq; /* DPD seq number to receive */
- u_int8_t dpd_fails; /* number of failures */
- struct sched *dpd_r_u;
-#endif
-
- u_int32_t msgid2; /* msgid counter for Phase 2 */
- int ph2cnt; /* the number which is negotiated by this phase 1 */
- LIST_HEAD(_ph2ofph1_, ph2handle) ph2tree;
-
- LIST_ENTRY(ph1handle) chain;
-#ifdef ENABLE_HYBRID
- struct isakmp_cfg_state *mode_cfg; /* ISAKMP mode config state */
-#endif
-
-};
-
-/* Phase 2 handler */
-/* allocated per a SA or SA bundles of a pair of peer's IP addresses. */
-/*
- * initiator responder
- * 0 (---) (---)
- * 1 start start (1st msg received)
- * 2 acquire msg get 1st valid msg received
- * 3 getspi request sent getspi request sent
- * 4 getspi done getspi done
- * 5 1st msg sent 1st msg sent
- * 6 1st valid msg received 2nd valid msg received
- * 7 (commit bit) (commit bit)
- * 8 SAs added SAs added
- * 9 SAs established SAs established
- * 10 SAs expired SAs expired
- */
-#define PHASE2ST_SPAWN 0
-#define PHASE2ST_START 1
-#define PHASE2ST_STATUS2 2
-#define PHASE2ST_GETSPISENT 3
-#define PHASE2ST_GETSPIDONE 4
-#define PHASE2ST_MSG1SENT 5
-#define PHASE2ST_STATUS6 6
-#define PHASE2ST_COMMIT 7
-#define PHASE2ST_ADDSA 8
-#define PHASE2ST_ESTABLISHED 9
-#define PHASE2ST_EXPIRED 10
-#define PHASE2ST_MAX 11
-
-struct ph2handle {
- struct sockaddr *src; /* my address of SA. */
- struct sockaddr *dst; /* peer's address of SA. */
-
- /*
- * copy ip address from ID payloads when ID type is ip address.
- * In other case, they must be null.
- */
- struct sockaddr *src_id;
- struct sockaddr *dst_id;
-
- u_int32_t spid; /* policy id by kernel */
-
- int status; /* ipsec sa status */
- u_int8_t side; /* INITIATOR or RESPONDER */
-
- struct sched *sce; /* schedule for expire */
- struct sched *scr; /* schedule for resend */
- int retry_counter; /* for resend. */
- vchar_t *sendbuf; /* buffer for re-sending */
- vchar_t *msg1; /* buffer for re-sending */
- /* used for responder's first message */
-
- int retry_checkph1; /* counter to wait phase 1 finished. */
- /* NOTE: actually it's timer. */
-
- u_int32_t seq; /* sequence number used by PF_KEY */
- /*
- * NOTE: In responder side, we can't identify each SAs
- * with same destination address for example, when
- * socket based SA is required. So we set a identifier
- * number to "seq", and sent kernel by pfkey.
- */
- u_int8_t satype; /* satype in PF_KEY */
- /*
- * saved satype in the original PF_KEY request from
- * the kernel in order to reply a error.
- */
-
- u_int8_t flags; /* Flags for phase 2 */
- u_int32_t msgid; /* msgid for phase 2 */
-
- struct sainfo *sainfo; /* place holder of sainfo */
- struct saprop *proposal; /* SA(s) proposal. */
- struct saprop *approval; /* SA(s) approved. */
- caddr_t spidx_gen; /* policy from peer's proposal */
-
- struct dhgroup *pfsgrp; /* DH; prime number */
- vchar_t *dhpriv; /* DH; private value */
- vchar_t *dhpub; /* DH; public value */
- vchar_t *dhpub_p; /* DH; partner's public value */
- vchar_t *dhgxy; /* DH; shared secret */
- vchar_t *id; /* ID minus gen header */
- vchar_t *id_p; /* peer's ID minus general header */
- vchar_t *nonce; /* nonce value in phase 2 */
- vchar_t *nonce_p; /* partner's nonce value in phase 2 */
-
- vchar_t *sa; /* whole SA payload to send/to be sent*/
- /* to calculate HASH */
- /* NOT INCLUDING general header. */
-
- vchar_t *sa_ret; /* SA payload to reply/to be replyed */
- /* NOT INCLUDING general header. */
- /* NOTE: Should be release after use. */
-
- struct isakmp_ivm *ivm; /* IVs */
-
- int generated_spidx; /* mark handlers whith generated policy */
-
-#ifdef ENABLE_STATS
- struct timeval start;
- struct timeval end;
-#endif
- struct ph1handle *ph1; /* back pointer to isakmp status */
-
- LIST_ENTRY(ph2handle) chain;
- LIST_ENTRY(ph2handle) ph1bind; /* chain to ph1handle */
-};
-
-/*
- * for handling initial contact.
- */
-struct contacted {
- struct sockaddr *remote; /* remote address to negosiate ph1 */
- LIST_ENTRY(contacted) chain;
-};
-
-/*
- * for checking a packet retransmited.
- */
-struct recvdpkt {
- struct sockaddr *remote; /* the remote address */
- struct sockaddr *local; /* the local address */
- vchar_t *hash; /* hash of the received packet */
- vchar_t *sendbuf; /* buffer for the response */
- int retry_counter; /* how many times to send */
- time_t time_send; /* timestamp to send a packet */
- time_t created; /* timestamp to create a queue */
-
- struct sched *scr; /* schedule for resend, may not used */
-
- LIST_ENTRY(recvdpkt) chain;
-};
-
-/* for parsing ISAKMP header. */
-struct isakmp_parse_t {
- u_char type; /* payload type of mine */
- int len; /* ntohs(ptr->len) */
- struct isakmp_gen *ptr;
-};
-
-/*
- * for IV management.
- *
- * - normal case
- * initiator responder
- * ------------------------- --------------------------
- * initialize iv(A), ive(A). initialize iv(A), ive(A).
- * encode by ive(A).
- * save to iv(B). ---[packet(B)]--> save to ive(B).
- * decode by iv(A).
- * packet consistency.
- * sync iv(B) with ive(B).
- * check auth, integrity.
- * encode by ive(B).
- * save to ive(C). <--[packet(C)]--- save to iv(C).
- * decoded by iv(B).
- * :
- *
- * - In the case that a error is found while cipher processing,
- * initiator responder
- * ------------------------- --------------------------
- * initialize iv(A), ive(A). initialize iv(A), ive(A).
- * encode by ive(A).
- * save to iv(B). ---[packet(B)]--> save to ive(B).
- * decode by iv(A).
- * packet consistency.
- * sync iv(B) with ive(B).
- * check auth, integrity.
- * error found.
- * create notify.
- * get ive2(X) from iv(B).
- * encode by ive2(X).
- * get iv2(X) from iv(B). <--[packet(Y)]--- save to iv2(Y).
- * save to ive2(Y).
- * decoded by iv2(X).
- * :
- *
- * The reason why the responder synchronizes iv with ive after checking the
- * packet consistency is that it is required to leave the IV for decoding
- * packet. Because there is a potential of error while checking the packet
- * consistency. Also the reason why that is before authentication and
- * integirty check is that the IV for informational exchange has to be made
- * by the IV which is after packet decoded and checking the packet consistency.
- * Otherwise IV mismatched happens between the intitiator and the responder.
- */
-struct isakmp_ivm {
- vchar_t *iv; /* for decoding packet */
- /* if phase 1, it's for computing phase2 iv */
- vchar_t *ive; /* for encoding packet */
-};
-
-/* for dumping */
-struct ph1dump {
- isakmp_index index;
- int status;
- int side;
- struct sockaddr_storage remote;
- struct sockaddr_storage local;
- u_int8_t version;
- u_int8_t etype;
- time_t created;
- int ph2cnt;
-};
-
-struct sockaddr;
-struct ph1handle;
-struct ph2handle;
-struct policyindex;
-
-extern struct ph1handle *getph1byindex __P((isakmp_index *));
-extern struct ph1handle *getph1byindex0 __P((isakmp_index *));
-extern struct ph1handle *getph1byaddr __P((struct sockaddr *,
- struct sockaddr *, int));
-extern struct ph1handle *getph1byaddrwop __P((struct sockaddr *,
- struct sockaddr *));
-extern struct ph1handle *getph1bydstaddrwop __P((struct sockaddr *));
-#ifdef ENABLE_HYBRID
-struct ph1handle *getph1bylogin __P((char *));
-int purgeph1bylogin __P((char *));
-#endif
-extern vchar_t *dumpph1 __P((void));
-extern struct ph1handle *newph1 __P((void));
-extern void delph1 __P((struct ph1handle *));
-extern int insph1 __P((struct ph1handle *));
-extern void remph1 __P((struct ph1handle *));
-extern void flushph1 __P((void));
-extern void initph1tree __P((void));
-
-extern struct ph2handle *getph2byspidx __P((struct policyindex *));
-extern struct ph2handle *getph2byspid __P((u_int32_t));
-extern struct ph2handle *getph2byseq __P((u_int32_t));
-extern struct ph2handle *getph2bysaddr __P((struct sockaddr *,
- struct sockaddr *));
-extern struct ph2handle *getph2bymsgid __P((struct ph1handle *, u_int32_t));
-extern struct ph2handle *getph2byid __P((struct sockaddr *,
- struct sockaddr *, u_int32_t));
-extern struct ph2handle *getph2bysaidx __P((struct sockaddr *,
- struct sockaddr *, u_int, u_int32_t));
-extern struct ph2handle *newph2 __P((void));
-extern void initph2 __P((struct ph2handle *));
-extern void delph2 __P((struct ph2handle *));
-extern int insph2 __P((struct ph2handle *));
-extern void remph2 __P((struct ph2handle *));
-extern void flushph2 __P((void));
-extern void deleteallph2 __P((struct sockaddr *, struct sockaddr *, u_int));
-extern void initph2tree __P((void));
-
-extern void bindph12 __P((struct ph1handle *, struct ph2handle *));
-extern void unbindph12 __P((struct ph2handle *));
-
-extern struct contacted *getcontacted __P((struct sockaddr *));
-extern int inscontacted __P((struct sockaddr *));
-extern void initctdtree __P((void));
-
-extern int check_recvdpkt __P((struct sockaddr *,
- struct sockaddr *, vchar_t *));
-extern int add_recvdpkt __P((struct sockaddr *, struct sockaddr *,
- vchar_t *, vchar_t *));
-extern void init_recvdpkt __P((void));
-
-#ifdef ENABLE_HYBRID
-extern int exclude_cfg_addr __P((const struct sockaddr *));
-#endif
-
-extern int revalidate_ph12(void);
-
-#endif /* _HANDLER_H */
diff --git a/src/racoon/ipsec_doi.c b/src/racoon/ipsec_doi.c
deleted file mode 100644
index 9a59135..0000000
--- a/src/racoon/ipsec_doi.c
+++ /dev/null
@@ -1,4949 +0,0 @@
-/* $NetBSD: ipsec_doi.c,v 1.23.4.10 2009/06/19 07:32:52 tteras Exp $ */
-
-/* Id: ipsec_doi.c,v 1.55 2006/08/17 09:20:41 vanhu Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-
-#include PATH_IPSEC_H
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#include <netdb.h>
-#if TIME_WITH_SYS_TIME
-# include <sys/time.h>
-# include <time.h>
-#else
-# if HAVE_SYS_TIME_H
-# include <sys/time.h>
-# else
-# include <time.h>
-# endif
-#endif
-
-#include "var.h"
-#include "vmbuf.h"
-#include "misc.h"
-#include "plog.h"
-#include "debug.h"
-
-#include "cfparse_proto.h"
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "ipsec_doi.h"
-#include "oakley.h"
-#include "remoteconf.h"
-#include "localconf.h"
-#include "sockmisc.h"
-#include "handler.h"
-#include "policy.h"
-#include "algorithm.h"
-#include "sainfo.h"
-#include "proposal.h"
-#include "crypto_openssl.h"
-#include "strnames.h"
-#include "gcmalloc.h"
-
-#ifdef ENABLE_NATT
-#include "nattraversal.h"
-#endif
-#ifdef ENABLE_HYBRID
-static int switch_authmethod(int);
-#endif
-
-#ifdef HAVE_GSSAPI
-#include <iconv.h>
-#include "gssapi.h"
-#ifdef HAVE_ICONV_2ND_CONST
-#define __iconv_const const
-#else
-#define __iconv_const
-#endif
-#endif
-
-int verbose_proposal_check = 1;
-
-static vchar_t *get_ph1approval __P((struct ph1handle *, struct prop_pair **));
-static struct isakmpsa *get_ph1approvalx __P((struct prop_pair *,
- struct isakmpsa *, struct isakmpsa *, int));
-static void print_ph1mismatched __P((struct prop_pair *, struct isakmpsa *));
-static int t2isakmpsa __P((struct isakmp_pl_t *, struct isakmpsa *));
-static int cmp_aproppair_i __P((struct prop_pair *, struct prop_pair *));
-static struct prop_pair *get_ph2approval __P((struct ph2handle *,
- struct prop_pair **));
-static struct prop_pair *get_ph2approvalx __P((struct ph2handle *,
- struct prop_pair *));
-static void free_proppair0 __P((struct prop_pair *));
-
-static int get_transform
- __P((struct isakmp_pl_p *, struct prop_pair **, int *));
-static u_int32_t ipsecdoi_set_ld __P((vchar_t *));
-
-static int check_doi __P((u_int32_t));
-static int check_situation __P((u_int32_t));
-
-static int check_prot_main __P((int));
-static int check_prot_quick __P((int));
-static int (*check_protocol[]) __P((int)) = {
- check_prot_main, /* IPSECDOI_TYPE_PH1 */
- check_prot_quick, /* IPSECDOI_TYPE_PH2 */
-};
-
-static int check_spi_size __P((int, int));
-
-static int check_trns_isakmp __P((int));
-static int check_trns_ah __P((int));
-static int check_trns_esp __P((int));
-static int check_trns_ipcomp __P((int));
-static int (*check_transform[]) __P((int)) = {
- 0,
- check_trns_isakmp, /* IPSECDOI_PROTO_ISAKMP */
- check_trns_ah, /* IPSECDOI_PROTO_IPSEC_AH */
- check_trns_esp, /* IPSECDOI_PROTO_IPSEC_ESP */
- check_trns_ipcomp, /* IPSECDOI_PROTO_IPCOMP */
-};
-
-static int check_attr_isakmp __P((struct isakmp_pl_t *));
-static int check_attr_ah __P((struct isakmp_pl_t *));
-static int check_attr_esp __P((struct isakmp_pl_t *));
-static int check_attr_ipsec __P((int, struct isakmp_pl_t *));
-static int check_attr_ipcomp __P((struct isakmp_pl_t *));
-static int (*check_attributes[]) __P((struct isakmp_pl_t *)) = {
- 0,
- check_attr_isakmp, /* IPSECDOI_PROTO_ISAKMP */
- check_attr_ah, /* IPSECDOI_PROTO_IPSEC_AH */
- check_attr_esp, /* IPSECDOI_PROTO_IPSEC_ESP */
- check_attr_ipcomp, /* IPSECDOI_PROTO_IPCOMP */
-};
-
-static int setph1prop __P((struct isakmpsa *, caddr_t));
-static int setph1trns __P((struct isakmpsa *, caddr_t));
-static int setph1attr __P((struct isakmpsa *, caddr_t));
-static vchar_t *setph2proposal0 __P((const struct ph2handle *,
- const struct saprop *, const struct saproto *));
-
-static vchar_t *getidval __P((int, vchar_t *));
-
-#ifdef HAVE_GSSAPI
-static struct isakmpsa *fixup_initiator_sa __P((struct isakmpsa *,
- struct isakmpsa *));
-#endif
-
-/*%%%*/
-/*
- * check phase 1 SA payload.
- * make new SA payload to be replyed not including general header.
- * the pointer to one of isakmpsa in proposal is set into iph1->approval.
- * OUT:
- * positive: the pointer to new buffer of SA payload.
- * network byte order.
- * NULL : error occurd.
- */
-int
-ipsecdoi_checkph1proposal(sa, iph1)
- vchar_t *sa;
- struct ph1handle *iph1;
-{
- vchar_t *newsa; /* new SA payload approved. */
- struct prop_pair **pair;
-
- /* get proposal pair */
- pair = get_proppair(sa, IPSECDOI_TYPE_PH1);
- if (pair == NULL)
- return -1;
-
- /* check and get one SA for use */
- newsa = get_ph1approval(iph1, pair);
-
- free_proppair(pair);
-
- if (newsa == NULL)
- return -1;
-
- iph1->sa_ret = newsa;
-
- return 0;
-}
-
-/*
- * acceptable check for remote configuration.
- * return a new SA payload to be reply to peer.
- */
-static vchar_t *
-get_ph1approval(iph1, pair)
- struct ph1handle *iph1;
- struct prop_pair **pair;
-{
- vchar_t *newsa;
- struct isakmpsa *sa, tsa;
- struct prop_pair *s, *p;
- int prophlen;
- int i;
-
- if (iph1->approval) {
- delisakmpsa(iph1->approval);
- iph1->approval = NULL;
- }
-
- for (i = 0; i < MAXPROPPAIRLEN; i++) {
- if (pair[i] == NULL)
- continue;
- for (s = pair[i]; s; s = s->next) {
- prophlen =
- sizeof(struct isakmp_pl_p) + s->prop->spi_size;
-
- /* compare proposal and select one */
- for (p = s; p; p = p->tnext) {
- if ((sa = get_ph1approvalx(p,
- iph1->rmconf->proposal, &tsa,
- iph1->rmconf->pcheck_level)) != NULL)
- goto found;
- }
- }
- }
-
- /*
- * if there is no suitable proposal, racoon complains about all of
- * mismatched items in those proposal.
- */
- if (verbose_proposal_check) {
- for (i = 0; i < MAXPROPPAIRLEN; i++) {
- if (pair[i] == NULL)
- continue;
- for (s = pair[i]; s; s = s->next) {
- prophlen = sizeof(struct isakmp_pl_p)
- + s->prop->spi_size;
- for (p = s; p; p = p->tnext) {
- print_ph1mismatched(p,
- iph1->rmconf->proposal);
- }
- }
- }
- }
- plog(LLV_ERROR, LOCATION, NULL, "no suitable proposal found.\n");
-
- return NULL;
-
-found:
- plog(LLV_DEBUG, LOCATION, NULL, "an acceptable proposal found.\n");
-
- /* check DH group settings */
- if (sa->dhgrp) {
- if (sa->dhgrp->prime && sa->dhgrp->gen1) {
- /* it's ok */
- goto saok;
- }
- plog(LLV_WARNING, LOCATION, NULL,
- "invalid DH parameter found, use default.\n");
- oakley_dhgrp_free(sa->dhgrp);
- sa->dhgrp=NULL;
- }
-
- if (oakley_setdhgroup(sa->dh_group, &sa->dhgrp) == -1) {
- sa->dhgrp = NULL;
- racoon_free(sa);
- return NULL;
- }
-
-saok:
-#ifdef HAVE_GSSAPI
- if (sa->gssid != NULL)
- plog(LLV_DEBUG, LOCATION, NULL, "gss id in new sa '%.*s'\n",
- (int)sa->gssid->l, sa->gssid->v);
- if (iph1-> side == INITIATOR) {
- if (iph1->rmconf->proposal->gssid != NULL)
- iph1->gi_i = vdup(iph1->rmconf->proposal->gssid);
- if (tsa.gssid != NULL)
- iph1->gi_r = vdup(tsa.gssid);
- iph1->approval = fixup_initiator_sa(sa, &tsa);
- } else {
- if (tsa.gssid != NULL) {
- iph1->gi_r = vdup(tsa.gssid);
- iph1->gi_i = gssapi_get_id(iph1);
- if (sa->gssid == NULL && iph1->gi_i != NULL)
- sa->gssid = vdup(iph1->gi_i);
- }
- iph1->approval = sa;
- }
- if (iph1->gi_i != NULL)
- plog(LLV_DEBUG, LOCATION, NULL, "GIi is %.*s\n",
- (int)iph1->gi_i->l, iph1->gi_i->v);
- if (iph1->gi_r != NULL)
- plog(LLV_DEBUG, LOCATION, NULL, "GIr is %.*s\n",
- (int)iph1->gi_r->l, iph1->gi_r->v);
-#else
- iph1->approval = sa;
-#endif
- if(iph1->approval) {
- plog(LLV_DEBUG, LOCATION, NULL, "agreed on %s auth.\n",
- s_oakley_attr_method(iph1->approval->authmethod));
- }
-
- newsa = get_sabyproppair(p, iph1);
- if (newsa == NULL){
- delisakmpsa(iph1->approval);
- iph1->approval = NULL;
- }
-
- return newsa;
-}
-
-/*
- * compare peer's single proposal and all of my proposal.
- * and select one if suiatable.
- * p : one of peer's proposal.
- * proposal: my proposals.
- */
-static struct isakmpsa *
-get_ph1approvalx(p, proposal, sap, check_level)
- struct prop_pair *p;
- struct isakmpsa *proposal, *sap;
- int check_level;
-{
- struct isakmp_pl_p *prop = p->prop;
- struct isakmp_pl_t *trns = p->trns;
- struct isakmpsa sa, *s, *tsap;
- int authmethod;
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "prop#=%d, prot-id=%s, spi-size=%d, #trns=%d\n",
- prop->p_no, s_ipsecdoi_proto(prop->proto_id),
- prop->spi_size, prop->num_t);
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "trns#=%d, trns-id=%s\n",
- trns->t_no,
- s_ipsecdoi_trns(prop->proto_id, trns->t_id));
-
- tsap = sap != NULL ? sap : &sa;
-
- memset(tsap, 0, sizeof(*tsap));
- if (t2isakmpsa(trns, tsap) < 0)
- return NULL;
- for (s = proposal; s != NULL; s = s->next) {
-#ifdef ENABLE_HYBRID
- authmethod = switch_authmethod(s->authmethod);
-#else
- authmethod = s->authmethod;
-#endif
- plog(LLV_DEBUG, LOCATION, NULL, "Compared: DB:Peer\n");
- plog(LLV_DEBUG, LOCATION, NULL, "(lifetime = %ld:%ld)\n",
- (long)s->lifetime, (long)tsap->lifetime);
- plog(LLV_DEBUG, LOCATION, NULL, "(lifebyte = %zu:%zu)\n",
- s->lifebyte, tsap->lifebyte);
- plog(LLV_DEBUG, LOCATION, NULL, "enctype = %s:%s\n",
- s_oakley_attr_v(OAKLEY_ATTR_ENC_ALG,
- s->enctype),
- s_oakley_attr_v(OAKLEY_ATTR_ENC_ALG,
- tsap->enctype));
- plog(LLV_DEBUG, LOCATION, NULL, "(encklen = %d:%d)\n",
- s->encklen, tsap->encklen);
- plog(LLV_DEBUG, LOCATION, NULL, "hashtype = %s:%s\n",
- s_oakley_attr_v(OAKLEY_ATTR_HASH_ALG,
- s->hashtype),
- s_oakley_attr_v(OAKLEY_ATTR_HASH_ALG,
- tsap->hashtype));
- plog(LLV_DEBUG, LOCATION, NULL, "authmethod = %s:%s\n",
- s_oakley_attr_v(OAKLEY_ATTR_AUTH_METHOD,
- s->authmethod),
- s_oakley_attr_v(OAKLEY_ATTR_AUTH_METHOD,
- tsap->authmethod));
- plog(LLV_DEBUG, LOCATION, NULL, "dh_group = %s:%s\n",
- s_oakley_attr_v(OAKLEY_ATTR_GRP_DESC,
- s->dh_group),
- s_oakley_attr_v(OAKLEY_ATTR_GRP_DESC,
- tsap->dh_group));
-#if 0
- /* XXX to be considered ? */
- if (tsap->lifebyte > s->lifebyte) ;
-#endif
- /*
- * if responder side and peer's key length in proposal
- * is bigger than mine, it might be accepted.
- */
- if(tsap->enctype == s->enctype &&
- tsap->authmethod == authmethod &&
- tsap->hashtype == s->hashtype &&
- tsap->dh_group == s->dh_group &&
- tsap->encklen == s->encklen) {
- switch(check_level) {
- case PROP_CHECK_OBEY:
- goto found;
- break;
-
- case PROP_CHECK_STRICT:
- if ((tsap->lifetime > s->lifetime) ||
- (tsap->lifebyte > s->lifebyte))
- continue;
- goto found;
- break;
-
- case PROP_CHECK_CLAIM:
- if (tsap->lifetime < s->lifetime)
- s->lifetime = tsap->lifetime;
- if (tsap->lifebyte < s->lifebyte)
- s->lifebyte = tsap->lifebyte;
- goto found;
- break;
-
- case PROP_CHECK_EXACT:
- if ((tsap->lifetime != s->lifetime) ||
- (tsap->lifebyte != s->lifebyte))
- continue;
- goto found;
- break;
-
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "Unexpected proposal_check value\n");
- continue;
- break;
- }
- }
- }
-
-found:
- if (tsap->dhgrp != NULL){
- oakley_dhgrp_free(tsap->dhgrp);
- tsap->dhgrp = NULL;
- }
-
- if ((s = dupisakmpsa(s)) != NULL) {
- switch(check_level) {
- case PROP_CHECK_OBEY:
- s->lifetime = tsap->lifetime;
- s->lifebyte = tsap->lifebyte;
- break;
-
- case PROP_CHECK_STRICT:
- s->lifetime = tsap->lifetime;
- s->lifebyte = tsap->lifebyte;
- break;
-
- case PROP_CHECK_CLAIM:
- if (tsap->lifetime < s->lifetime)
- s->lifetime = tsap->lifetime;
- if (tsap->lifebyte < s->lifebyte)
- s->lifebyte = tsap->lifebyte;
- break;
-
- default:
- break;
- }
- }
- return s;
-}
-
-/*
- * print all of items in peer's proposal which are mismatched to my proposal.
- * p : one of peer's proposal.
- * proposal: my proposals.
- */
-static void
-print_ph1mismatched(p, proposal)
- struct prop_pair *p;
- struct isakmpsa *proposal;
-{
- struct isakmpsa sa, *s;
-
- memset(&sa, 0, sizeof(sa));
- if (t2isakmpsa(p->trns, &sa) < 0)
- return;
- for (s = proposal; s ; s = s->next) {
- if (sa.enctype != s->enctype) {
- plog(LLV_ERROR, LOCATION, NULL,
- "rejected enctype: "
- "DB(prop#%d:trns#%d):Peer(prop#%d:trns#%d) = "
- "%s:%s\n",
- s->prop_no, s->trns_no,
- p->prop->p_no, p->trns->t_no,
- s_oakley_attr_v(OAKLEY_ATTR_ENC_ALG,
- s->enctype),
- s_oakley_attr_v(OAKLEY_ATTR_ENC_ALG,
- sa.enctype));
- }
- if (sa.authmethod != s->authmethod) {
- plog(LLV_ERROR, LOCATION, NULL,
- "rejected authmethod: "
- "DB(prop#%d:trns#%d):Peer(prop#%d:trns#%d) = "
- "%s:%s\n",
- s->prop_no, s->trns_no,
- p->prop->p_no, p->trns->t_no,
- s_oakley_attr_v(OAKLEY_ATTR_AUTH_METHOD,
- s->authmethod),
- s_oakley_attr_v(OAKLEY_ATTR_AUTH_METHOD,
- sa.authmethod));
- }
- if (sa.hashtype != s->hashtype) {
- plog(LLV_ERROR, LOCATION, NULL,
- "rejected hashtype: "
- "DB(prop#%d:trns#%d):Peer(prop#%d:trns#%d) = "
- "%s:%s\n",
- s->prop_no, s->trns_no,
- p->prop->p_no, p->trns->t_no,
- s_oakley_attr_v(OAKLEY_ATTR_HASH_ALG,
- s->hashtype),
- s_oakley_attr_v(OAKLEY_ATTR_HASH_ALG,
- sa.hashtype));
- }
- if (sa.dh_group != s->dh_group) {
- plog(LLV_ERROR, LOCATION, NULL,
- "rejected dh_group: "
- "DB(prop#%d:trns#%d):Peer(prop#%d:trns#%d) = "
- "%s:%s\n",
- s->prop_no, s->trns_no,
- p->prop->p_no, p->trns->t_no,
- s_oakley_attr_v(OAKLEY_ATTR_GRP_DESC,
- s->dh_group),
- s_oakley_attr_v(OAKLEY_ATTR_GRP_DESC,
- sa.dh_group));
- }
- }
-
- if (sa.dhgrp != NULL){
- oakley_dhgrp_free(sa.dhgrp);
- sa.dhgrp=NULL;
- }
-}
-
-/*
- * get ISAKMP data attributes
- */
-static int
-t2isakmpsa(trns, sa)
- struct isakmp_pl_t *trns;
- struct isakmpsa *sa;
-{
- struct isakmp_data *d, *prev;
- int flag, type;
- int error = -1;
- int life_t;
- int keylen = 0;
- vchar_t *val = NULL;
- int len, tlen;
- u_char *p;
-
- tlen = ntohs(trns->h.len) - sizeof(*trns);
- prev = (struct isakmp_data *)NULL;
- d = (struct isakmp_data *)(trns + 1);
-
- /* default */
- life_t = OAKLEY_ATTR_SA_LD_TYPE_DEFAULT;
- sa->lifetime = OAKLEY_ATTR_SA_LD_SEC_DEFAULT;
- sa->lifebyte = 0;
- sa->dhgrp = racoon_calloc(1, sizeof(struct dhgroup));
- if (!sa->dhgrp)
- goto err;
-
- while (tlen > 0) {
-
- type = ntohs(d->type) & ~ISAKMP_GEN_MASK;
- flag = ntohs(d->type) & ISAKMP_GEN_MASK;
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "type=%s, flag=0x%04x, lorv=%s\n",
- s_oakley_attr(type), flag,
- s_oakley_attr_v(type, ntohs(d->lorv)));
-
- /* get variable-sized item */
- switch (type) {
- case OAKLEY_ATTR_GRP_PI:
- case OAKLEY_ATTR_GRP_GEN_ONE:
- case OAKLEY_ATTR_GRP_GEN_TWO:
- case OAKLEY_ATTR_GRP_CURVE_A:
- case OAKLEY_ATTR_GRP_CURVE_B:
- case OAKLEY_ATTR_SA_LD:
- case OAKLEY_ATTR_GRP_ORDER:
- if (flag) { /*TV*/
- len = 2;
- p = (u_char *)&d->lorv;
- } else { /*TLV*/
- len = ntohs(d->lorv);
- p = (u_char *)(d + 1);
- }
- val = vmalloc(len);
- if (!val)
- return -1;
- memcpy(val->v, p, len);
- break;
-
- default:
- break;
- }
-
- switch (type) {
- case OAKLEY_ATTR_ENC_ALG:
- sa->enctype = (u_int16_t)ntohs(d->lorv);
- break;
-
- case OAKLEY_ATTR_HASH_ALG:
- sa->hashtype = (u_int16_t)ntohs(d->lorv);
- break;
-
- case OAKLEY_ATTR_AUTH_METHOD:
- sa->authmethod = ntohs(d->lorv);
- break;
-
- case OAKLEY_ATTR_GRP_DESC:
- sa->dh_group = (u_int16_t)ntohs(d->lorv);
- break;
-
- case OAKLEY_ATTR_GRP_TYPE:
- {
- int type = (int)ntohs(d->lorv);
- if (type == OAKLEY_ATTR_GRP_TYPE_MODP)
- sa->dhgrp->type = type;
- else
- return -1;
- break;
- }
- case OAKLEY_ATTR_GRP_PI:
- sa->dhgrp->prime = val;
- break;
-
- case OAKLEY_ATTR_GRP_GEN_ONE:
- vfree(val);
- if (!flag)
- sa->dhgrp->gen1 = ntohs(d->lorv);
- else {
- int len = ntohs(d->lorv);
- sa->dhgrp->gen1 = 0;
- if (len > 4)
- return -1;
- memcpy(&sa->dhgrp->gen1, d + 1, len);
- sa->dhgrp->gen1 = ntohl(sa->dhgrp->gen1);
- }
- break;
-
- case OAKLEY_ATTR_GRP_GEN_TWO:
- vfree(val);
- if (!flag)
- sa->dhgrp->gen2 = ntohs(d->lorv);
- else {
- int len = ntohs(d->lorv);
- sa->dhgrp->gen2 = 0;
- if (len > 4)
- return -1;
- memcpy(&sa->dhgrp->gen2, d + 1, len);
- sa->dhgrp->gen2 = ntohl(sa->dhgrp->gen2);
- }
- break;
-
- case OAKLEY_ATTR_GRP_CURVE_A:
- sa->dhgrp->curve_a = val;
- break;
-
- case OAKLEY_ATTR_GRP_CURVE_B:
- sa->dhgrp->curve_b = val;
- break;
-
- case OAKLEY_ATTR_SA_LD_TYPE:
- {
- int type = (int)ntohs(d->lorv);
- switch (type) {
- case OAKLEY_ATTR_SA_LD_TYPE_SEC:
- case OAKLEY_ATTR_SA_LD_TYPE_KB:
- life_t = type;
- break;
- default:
- life_t = OAKLEY_ATTR_SA_LD_TYPE_DEFAULT;
- break;
- }
- break;
- }
- case OAKLEY_ATTR_SA_LD:
- if (!prev
- || (ntohs(prev->type) & ~ISAKMP_GEN_MASK) !=
- OAKLEY_ATTR_SA_LD_TYPE) {
- plog(LLV_ERROR, LOCATION, NULL,
- "life duration must follow ltype\n");
- break;
- }
-
- switch (life_t) {
- case IPSECDOI_ATTR_SA_LD_TYPE_SEC:
- sa->lifetime = ipsecdoi_set_ld(val);
- vfree(val);
- if (sa->lifetime == 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid life duration.\n");
- goto err;
- }
- break;
- case IPSECDOI_ATTR_SA_LD_TYPE_KB:
- sa->lifebyte = ipsecdoi_set_ld(val);
- vfree(val);
- if (sa->lifebyte == 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid life duration.\n");
- goto err;
- }
- break;
- default:
- vfree(val);
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid life type: %d\n", life_t);
- goto err;
- }
- break;
-
- case OAKLEY_ATTR_KEY_LEN:
- {
- int len = ntohs(d->lorv);
- if (len % 8 != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "keylen %d: not multiple of 8\n",
- len);
- goto err;
- }
- sa->encklen = (u_int16_t)len;
- keylen++;
- break;
- }
- case OAKLEY_ATTR_PRF:
- case OAKLEY_ATTR_FIELD_SIZE:
- /* unsupported */
- break;
-
- case OAKLEY_ATTR_GRP_ORDER:
- sa->dhgrp->order = val;
- break;
-#ifdef HAVE_GSSAPI
- case OAKLEY_ATTR_GSS_ID:
- {
- int error = -1;
- iconv_t cd = (iconv_t) -1;
- size_t srcleft, dstleft, rv;
- __iconv_const char *src;
- char *dst;
- int len = ntohs(d->lorv);
-
- /*
- * Older verions of racoon just placed the
- * ISO-Latin-1 string on the wire directly.
- * Check to see if we are configured to be
- * compatible with this behavior.
- */
- if (lcconf->gss_id_enc == LC_GSSENC_LATIN1) {
- if ((sa->gssid = vmalloc(len)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate memory\n");
- goto out;
- }
- memcpy(sa->gssid->v, d + 1, len);
- plog(LLV_DEBUG, LOCATION, NULL,
- "received old-style gss "
- "id '%.*s' (len %zu)\n",
- (int)sa->gssid->l, sa->gssid->v,
- sa->gssid->l);
- error = 0;
- goto out;
- }
-
- /*
- * For Windows 2000 compatibility, we expect
- * the GSS ID attribute on the wire to be
- * encoded in UTF-16LE. Internally, we work
- * in ISO-Latin-1. Therefore, we should need
- * 1/2 the specified length, which should always
- * be a multiple of 2 octets.
- */
- cd = iconv_open("latin1", "utf-16le");
- if (cd == (iconv_t) -1) {
- plog(LLV_ERROR, LOCATION, NULL,
- "unable to initialize utf-16le -> latin1 "
- "conversion descriptor: %s\n",
- strerror(errno));
- goto out;
- }
-
- if ((sa->gssid = vmalloc(len / 2)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate memory\n");
- goto out;
- }
-
- src = (__iconv_const char *)(d + 1);
- srcleft = len;
-
- dst = sa->gssid->v;
- dstleft = len / 2;
-
- rv = iconv(cd, (__iconv_const char **)&src, &srcleft,
- &dst, &dstleft);
- if (rv != 0) {
- if (rv == -1) {
- plog(LLV_ERROR, LOCATION, NULL,
- "unable to convert GSS ID from "
- "utf-16le -> latin1: %s\n",
- strerror(errno));
- } else {
- plog(LLV_ERROR, LOCATION, NULL,
- "%zd character%s in GSS ID cannot "
- "be represented in latin1\n",
- rv, rv == 1 ? "" : "s");
- }
- goto out;
- }
-
- /* XXX dstleft should always be 0; assert it? */
- sa->gssid->l = (len / 2) - dstleft;
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "received gss id '%.*s' (len %zu)\n",
- (int)sa->gssid->l, sa->gssid->v, sa->gssid->l);
-
- error = 0;
-out:
- if (cd != (iconv_t)-1)
- (void)iconv_close(cd);
-
- if ((error != 0) && (sa->gssid != NULL)) {
- vfree(sa->gssid);
- sa->gssid = NULL;
- }
- break;
- }
-#endif /* HAVE_GSSAPI */
-
- default:
- break;
- }
-
- prev = d;
- if (flag) {
- tlen -= sizeof(*d);
- d = (struct isakmp_data *)((char *)d + sizeof(*d));
- } else {
- tlen -= (sizeof(*d) + ntohs(d->lorv));
- d = (struct isakmp_data *)((char *)d + sizeof(*d) + ntohs(d->lorv));
- }
- }
-
- /* key length must not be specified on some algorithms */
- if (keylen) {
- if (sa->enctype == OAKLEY_ATTR_ENC_ALG_DES
-#ifdef HAVE_OPENSSL_IDEA_H
- || sa->enctype == OAKLEY_ATTR_ENC_ALG_IDEA
-#endif
- || sa->enctype == OAKLEY_ATTR_ENC_ALG_3DES) {
- plog(LLV_ERROR, LOCATION, NULL,
- "keylen must not be specified "
- "for encryption algorithm %d\n",
- sa->enctype);
- return -1;
- }
- }
-
- return 0;
-err:
- return error;
-}
-
-/*%%%*/
-/*
- * check phase 2 SA payload and select single proposal.
- * make new SA payload to be replyed not including general header.
- * This function is called by responder only.
- * OUT:
- * 0: succeed.
- * -1: error occured.
- */
-int
-ipsecdoi_selectph2proposal(iph2)
- struct ph2handle *iph2;
-{
- struct prop_pair **pair;
- struct prop_pair *ret;
-
- /* get proposal pair */
- pair = get_proppair(iph2->sa, IPSECDOI_TYPE_PH2);
- if (pair == NULL)
- return -1;
-
- /* check and select a proposal. */
- ret = get_ph2approval(iph2, pair);
- free_proppair(pair);
- if (ret == NULL)
- return -1;
-
- /* make a SA to be replayed. */
- /* SPI must be updated later. */
- iph2->sa_ret = get_sabyproppair(ret, iph2->ph1);
- free_proppair0(ret);
- if (iph2->sa_ret == NULL)
- return -1;
-
- return 0;
-}
-
-/*
- * check phase 2 SA payload returned from responder.
- * This function is called by initiator only.
- * OUT:
- * 0: valid.
- * -1: invalid.
- */
-int
-ipsecdoi_checkph2proposal(iph2)
- struct ph2handle *iph2;
-{
- struct prop_pair **rpair = NULL, **spair = NULL;
- struct prop_pair *p;
- int i, n, num;
- int error = -1;
- vchar_t *sa_ret = NULL;
-
- /* get proposal pair of SA sent. */
- spair = get_proppair(iph2->sa, IPSECDOI_TYPE_PH2);
- if (spair == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get prop pair.\n");
- goto end;
- }
-
- /* XXX should check the number of transform */
-
- /* get proposal pair of SA replayed */
- rpair = get_proppair(iph2->sa_ret, IPSECDOI_TYPE_PH2);
- if (rpair == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get prop pair.\n");
- goto end;
- }
-
- /* check proposal is only one ? */
- n = 0;
- num = 0;
- for (i = 0; i < MAXPROPPAIRLEN; i++) {
- if (rpair[i]) {
- n = i;
- num++;
- }
- }
- if (num == 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "no proposal received.\n");
- goto end;
- }
- if (num != 1) {
- plog(LLV_ERROR, LOCATION, NULL,
- "some proposals received.\n");
- goto end;
- }
-
- if (spair[n] == NULL) {
- plog(LLV_WARNING, LOCATION, NULL,
- "invalid proposal number:%d received.\n", i);
- }
-
-
- if (rpair[n]->tnext != NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "multi transforms replyed.\n");
- goto end;
- }
-
- if (cmp_aproppair_i(rpair[n], spair[n])) {
- plog(LLV_ERROR, LOCATION, NULL,
- "proposal mismathed.\n");
- goto end;
- }
-
- /*
- * check and select a proposal.
- * ensure that there is no modification of the proposal by
- * cmp_aproppair_i()
- */
- p = get_ph2approval(iph2, rpair);
- if (p == NULL)
- goto end;
-
- /* make a SA to be replayed. */
- sa_ret = iph2->sa_ret;
- iph2->sa_ret = get_sabyproppair(p, iph2->ph1);
- free_proppair0(p);
- if (iph2->sa_ret == NULL)
- goto end;
-
- error = 0;
-
-end:
- if (rpair)
- free_proppair(rpair);
- if (spair)
- free_proppair(spair);
- if (sa_ret)
- vfree(sa_ret);
-
- return error;
-}
-
-/*
- * compare two prop_pair which is assumed to have same proposal number.
- * the case of bundle or single SA, NOT multi transforms.
- * a: a proposal that is multi protocols and single transform, usually replyed.
- * b: a proposal that is multi protocols and multi transform, usually sent.
- * NOTE: this function is for initiator.
- * OUT
- * 0: equal
- * 1: not equal
- * XXX cannot understand the comment!
- */
-static int
-cmp_aproppair_i(a, b)
- struct prop_pair *a, *b;
-{
- struct prop_pair *p, *q, *r;
- int len;
-
- for (p = a, q = b; p && q; p = p->next, q = q->next) {
- for (r = q; r; r = r->tnext) {
- /* compare trns */
- if (p->trns->t_no == r->trns->t_no)
- break;
- }
- if (!r) {
- /* no suitable transform found */
- plog(LLV_ERROR, LOCATION, NULL,
- "no suitable transform found.\n");
- return -1;
- }
-
- /* compare prop */
- if (p->prop->p_no != r->prop->p_no) {
- plog(LLV_WARNING, LOCATION, NULL,
- "proposal #%d mismatched, "
- "expected #%d.\n",
- r->prop->p_no, p->prop->p_no);
- /*FALLTHROUGH*/
- }
-
- if (p->prop->proto_id != r->prop->proto_id) {
- plog(LLV_ERROR, LOCATION, NULL,
- "proto_id mismathed: my:%d peer:%d\n",
- r->prop->proto_id, p->prop->proto_id);
- return -1;
- }
-
- if (p->prop->spi_size != r->prop->spi_size) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid spi size: %d.\n",
- p->prop->spi_size);
- return -1;
- }
-
- /* check #of transforms */
- if (p->prop->num_t != 1) {
- plog(LLV_WARNING, LOCATION, NULL,
- "#of transform is %d, "
- "but expected 1.\n", p->prop->num_t);
- /*FALLTHROUGH*/
- }
-
- if (p->trns->t_id != r->trns->t_id) {
- plog(LLV_WARNING, LOCATION, NULL,
- "transform number has been modified.\n");
- /*FALLTHROUGH*/
- }
- if (p->trns->reserved != r->trns->reserved) {
- plog(LLV_WARNING, LOCATION, NULL,
- "reserved field should be zero.\n");
- /*FALLTHROUGH*/
- }
-
- /* compare attribute */
- len = ntohs(r->trns->h.len) - sizeof(*p->trns);
- if (memcmp(p->trns + 1, r->trns + 1, len) != 0) {
- plog(LLV_WARNING, LOCATION, NULL,
- "attribute has been modified.\n");
- /*FALLTHROUGH*/
- }
- }
- if ((p && !q) || (!p && q)) {
- /* # of protocols mismatched */
- plog(LLV_ERROR, LOCATION, NULL,
- "#of protocols mismatched.\n");
- return -1;
- }
-
- return 0;
-}
-
-/*
- * acceptable check for policy configuration.
- * return a new SA payload to be reply to peer.
- */
-static struct prop_pair *
-get_ph2approval(iph2, pair)
- struct ph2handle *iph2;
- struct prop_pair **pair;
-{
- struct prop_pair *ret;
- int i;
-
- iph2->approval = NULL;
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "begin compare proposals.\n");
-
- for (i = 0; i < MAXPROPPAIRLEN; i++) {
- if (pair[i] == NULL)
- continue;
- plog(LLV_DEBUG, LOCATION, NULL,
- "pair[%d]: %p\n", i, pair[i]);
- print_proppair(LLV_DEBUG, pair[i]);;
-
- /* compare proposal and select one */
- ret = get_ph2approvalx(iph2, pair[i]);
- if (ret != NULL) {
- /* found */
- return ret;
- }
- }
-
- plog(LLV_ERROR, LOCATION, NULL, "no suitable policy found.\n");
-
- return NULL;
-}
-
-/*
- * compare my proposal and peers just one proposal.
- * set a approval.
- */
-static struct prop_pair *
-get_ph2approvalx(iph2, pp)
- struct ph2handle *iph2;
- struct prop_pair *pp;
-{
- struct prop_pair *ret = NULL;
- struct saprop *pr0, *pr = NULL;
- struct saprop *q1, *q2;
-
- pr0 = aproppair2saprop(pp);
- if (pr0 == NULL)
- return NULL;
-
- for (q1 = pr0; q1; q1 = q1->next) {
- for (q2 = iph2->proposal; q2; q2 = q2->next) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "peer's single bundle:\n");
- printsaprop0(LLV_DEBUG, q1);
- plog(LLV_DEBUG, LOCATION, NULL,
- "my single bundle:\n");
- printsaprop0(LLV_DEBUG, q2);
-
- pr = cmpsaprop_alloc(iph2->ph1, q1, q2, iph2->side);
- if (pr != NULL)
- goto found;
-
- plog(LLV_ERROR, LOCATION, NULL,
- "not matched\n");
- }
- }
- /* no proposal matching */
-err:
- flushsaprop(pr0);
- return NULL;
-
-found:
- flushsaprop(pr0);
- plog(LLV_DEBUG, LOCATION, NULL, "matched\n");
- iph2->approval = pr;
-
- {
- struct saproto *sp;
- struct prop_pair *p, *x;
- struct prop_pair *n = NULL;
-
- ret = NULL;
-
- for (p = pp; p; p = p->next) {
- /*
- * find a proposal with matching proto_id.
- * we have analyzed validity already, in cmpsaprop_alloc().
- */
- for (sp = pr->head; sp; sp = sp->next) {
- if (sp->proto_id == p->prop->proto_id)
- break;
- }
- if (!sp)
- goto err;
- if (sp->head->next)
- goto err; /* XXX */
-
- for (x = p; x; x = x->tnext)
- if (sp->head->trns_no == x->trns->t_no)
- break;
- if (!x)
- goto err; /* XXX */
-
- n = racoon_calloc(1, sizeof(struct prop_pair));
- if (n == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get buffer.\n");
- goto err;
- }
-
- n->prop = x->prop;
- n->trns = x->trns;
-
- /* need to preserve the order */
- for (x = ret; x && x->next; x = x->next)
- ;
- if (x && x->prop == n->prop) {
- for (/*nothing*/; x && x->tnext; x = x->tnext)
- ;
- x->tnext = n;
- } else {
- if (x)
- x->next = n;
- else {
- ret = n;
- }
- }
-
- /* #of transforms should be updated ? */
- }
- }
-
- return ret;
-}
-
-void
-free_proppair(pair)
- struct prop_pair **pair;
-{
- int i;
-
- for (i = 0; i < MAXPROPPAIRLEN; i++) {
- free_proppair0(pair[i]);
- pair[i] = NULL;
- }
- racoon_free(pair);
-}
-
-static void
-free_proppair0(pair)
- struct prop_pair *pair;
-{
- struct prop_pair *p, *q, *r, *s;
-
- p = pair;
- while (p) {
- q = p->next;
- r = p;
- while (r) {
- s = r->tnext;
- racoon_free(r);
- r = s;
- }
- p = q;
- }
-}
-
-/*
- * get proposal pairs from SA payload.
- * tiny check for proposal payload.
- */
-struct prop_pair **
-get_proppair(sa, mode)
- vchar_t *sa;
- int mode;
-{
- struct prop_pair **pair = NULL;
- int num_p = 0; /* number of proposal for use */
- int tlen;
- caddr_t bp;
- int i;
- struct ipsecdoi_sa_b *sab = (struct ipsecdoi_sa_b *)sa->v;
-
- plog(LLV_DEBUG, LOCATION, NULL, "total SA len=%zu\n", sa->l);
- plogdump(LLV_DEBUG, sa->v, sa->l);
-
- /* check SA payload size */
- if (sa->l < sizeof(*sab)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Invalid SA length = %zu.\n", sa->l);
- goto bad;
- }
-
- /* check DOI */
- if (check_doi(ntohl(sab->doi)) < 0)
- goto bad;
-
- /* check SITUATION */
- if (check_situation(ntohl(sab->sit)) < 0)
- goto bad;
-
- pair = racoon_calloc(1, MAXPROPPAIRLEN * sizeof(*pair));
- if (pair == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get buffer.\n");
- goto bad;
- }
-#if defined(ANDROID_CHANGES)
- memset(pair, 0, MAXPROPPAIRLEN * sizeof(*pair));
-#else
- memset(pair, 0, sizeof(pair));
-#endif
-
- bp = (caddr_t)(sab + 1);
- tlen = sa->l - sizeof(*sab);
-
- {
- struct isakmp_pl_p *prop;
- int proplen;
- vchar_t *pbuf = NULL;
- struct isakmp_parse_t *pa;
-
- pbuf = isakmp_parsewoh(ISAKMP_NPTYPE_P, (struct isakmp_gen *)bp, tlen);
- if (pbuf == NULL)
- goto bad;
-
- for (pa = (struct isakmp_parse_t *)pbuf->v;
- pa->type != ISAKMP_NPTYPE_NONE;
- pa++) {
- /* check the value of next payload */
- if (pa->type != ISAKMP_NPTYPE_P) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Invalid payload type=%u\n", pa->type);
- vfree(pbuf);
- goto bad;
- }
-
- prop = (struct isakmp_pl_p *)pa->ptr;
- proplen = pa->len;
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "proposal #%u len=%d\n", prop->p_no, proplen);
-
- if (proplen == 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid proposal with length %d\n", proplen);
- vfree(pbuf);
- goto bad;
- }
-
- /* check Protocol ID */
- if (!check_protocol[mode]) {
- plog(LLV_ERROR, LOCATION, NULL,
- "unsupported mode %d\n", mode);
- continue;
- }
-
- if (check_protocol[mode](prop->proto_id) < 0)
- continue;
-
- /* check SPI length when IKE. */
- if (check_spi_size(prop->proto_id, prop->spi_size) < 0)
- continue;
-
- /* get transform */
- if (get_transform(prop, pair, &num_p) < 0) {
- vfree(pbuf);
- goto bad;
- }
- }
- vfree(pbuf);
- pbuf = NULL;
- }
-
- {
- int notrans, nprop;
- struct prop_pair *p, *q;
-
- /* check for proposals with no transforms */
- for (i = 0; i < MAXPROPPAIRLEN; i++) {
- if (!pair[i])
- continue;
-
- plog(LLV_DEBUG, LOCATION, NULL, "pair %d:\n", i);
- print_proppair(LLV_DEBUG, pair[i]);
-
- notrans = nprop = 0;
- for (p = pair[i]; p; p = p->next) {
- if (p->trns == NULL) {
- notrans++;
- break;
- }
- for (q = p; q; q = q->tnext)
- nprop++;
- }
-
-#if 0
- /*
- * XXX at this moment, we cannot accept proposal group
- * with multiple proposals. this should be fixed.
- */
- if (pair[i]->next) {
- plog(LLV_WARNING, LOCATION, NULL,
- "proposal #%u ignored "
- "(multiple proposal not supported)\n",
- pair[i]->prop->p_no);
- notrans++;
- }
-#endif
-
- if (notrans) {
- for (p = pair[i]; p; p = q) {
- q = p->next;
- racoon_free(p);
- }
- pair[i] = NULL;
- num_p--;
- } else {
- plog(LLV_DEBUG, LOCATION, NULL,
- "proposal #%u: %d transform\n",
- pair[i]->prop->p_no, nprop);
- }
- }
- }
-
- /* bark if no proposal is found. */
- if (num_p <= 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "no Proposal found.\n");
- goto bad;
- }
-
- return pair;
-bad:
- if (pair != NULL)
- racoon_free(pair);
- return NULL;
-}
-
-/*
- * check transform payload.
- * OUT:
- * positive: return the pointer to the payload of valid transform.
- * 0 : No valid transform found.
- */
-static int
-get_transform(prop, pair, num_p)
- struct isakmp_pl_p *prop;
- struct prop_pair **pair;
- int *num_p;
-{
- int tlen; /* total length of all transform in a proposal */
- caddr_t bp;
- struct isakmp_pl_t *trns;
- int trnslen;
- vchar_t *pbuf = NULL;
- struct isakmp_parse_t *pa;
- struct prop_pair *p = NULL, *q;
- int num_t;
-
- bp = (caddr_t)prop + sizeof(struct isakmp_pl_p) + prop->spi_size;
- tlen = ntohs(prop->h.len)
- - (sizeof(struct isakmp_pl_p) + prop->spi_size);
- pbuf = isakmp_parsewoh(ISAKMP_NPTYPE_T, (struct isakmp_gen *)bp, tlen);
- if (pbuf == NULL)
- return -1;
-
- /* check and get transform for use */
- num_t = 0;
- for (pa = (struct isakmp_parse_t *)pbuf->v;
- pa->type != ISAKMP_NPTYPE_NONE;
- pa++) {
-
- num_t++;
-
- /* check the value of next payload */
- if (pa->type != ISAKMP_NPTYPE_T) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Invalid payload type=%u\n", pa->type);
- break;
- }
-
- trns = (struct isakmp_pl_t *)pa->ptr;
- trnslen = pa->len;
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "transform #%u len=%u\n", trns->t_no, trnslen);
-
- /* check transform ID */
- if (prop->proto_id >= ARRAYLEN(check_transform)) {
- plog(LLV_WARNING, LOCATION, NULL,
- "unsupported proto_id %u\n",
- prop->proto_id);
- continue;
- }
- if (prop->proto_id >= ARRAYLEN(check_attributes)) {
- plog(LLV_WARNING, LOCATION, NULL,
- "unsupported proto_id %u\n",
- prop->proto_id);
- continue;
- }
-
- if (!check_transform[prop->proto_id]
- || !check_attributes[prop->proto_id]) {
- plog(LLV_WARNING, LOCATION, NULL,
- "unsupported proto_id %u\n",
- prop->proto_id);
- continue;
- }
- if (check_transform[prop->proto_id](trns->t_id) < 0)
- continue;
-
- /* check data attributes */
- if (check_attributes[prop->proto_id](trns) != 0)
- continue;
-
- p = racoon_calloc(1, sizeof(*p));
- if (p == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get buffer.\n");
- vfree(pbuf);
- return -1;
- }
- p->prop = prop;
- p->trns = trns;
-
- /* need to preserve the order */
- for (q = pair[prop->p_no]; q && q->next; q = q->next)
- ;
- if (q && q->prop == p->prop) {
- for (/*nothing*/; q && q->tnext; q = q->tnext)
- ;
- q->tnext = p;
- } else {
- if (q)
- q->next = p;
- else {
- pair[prop->p_no] = p;
- (*num_p)++;
- }
- }
- }
-
- vfree(pbuf);
-
- return 0;
-}
-
-/*
- * make a new SA payload from prop_pair.
- * NOTE: this function make spi value clear.
- */
-vchar_t *
-get_sabyproppair(pair, iph1)
- struct prop_pair *pair;
- struct ph1handle *iph1;
-{
- vchar_t *newsa;
- int newtlen;
- u_int8_t *np_p = NULL;
- struct prop_pair *p;
- int prophlen, trnslen;
- caddr_t bp;
-
- newtlen = sizeof(struct ipsecdoi_sa_b);
- for (p = pair; p; p = p->next) {
- newtlen += sizeof(struct isakmp_pl_p);
- newtlen += p->prop->spi_size;
- newtlen += ntohs(p->trns->h.len);
- }
-
- newsa = vmalloc(newtlen);
- if (newsa == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "failed to get newsa.\n");
- return NULL;
- }
- bp = newsa->v;
-
- ((struct isakmp_gen *)bp)->len = htons(newtlen);
-
- /* update some of values in SA header */
- ((struct ipsecdoi_sa_b *)bp)->doi = htonl(iph1->rmconf->doitype);
- ((struct ipsecdoi_sa_b *)bp)->sit = htonl(iph1->rmconf->sittype);
- bp += sizeof(struct ipsecdoi_sa_b);
-
- /* create proposal payloads */
- for (p = pair; p; p = p->next) {
- prophlen = sizeof(struct isakmp_pl_p)
- + p->prop->spi_size;
- trnslen = ntohs(p->trns->h.len);
-
- if (np_p)
- *np_p = ISAKMP_NPTYPE_P;
-
- /* create proposal */
-
- memcpy(bp, p->prop, prophlen);
- ((struct isakmp_pl_p *)bp)->h.np = ISAKMP_NPTYPE_NONE;
- ((struct isakmp_pl_p *)bp)->h.len = htons(prophlen + trnslen);
- ((struct isakmp_pl_p *)bp)->num_t = 1;
- np_p = &((struct isakmp_pl_p *)bp)->h.np;
- memset(bp + sizeof(struct isakmp_pl_p), 0, p->prop->spi_size);
- bp += prophlen;
-
- /* create transform */
- memcpy(bp, p->trns, trnslen);
- ((struct isakmp_pl_t *)bp)->h.np = ISAKMP_NPTYPE_NONE;
- ((struct isakmp_pl_t *)bp)->h.len = htons(trnslen);
- bp += trnslen;
- }
-
- return newsa;
-}
-
-/*
- * update responder's spi
- */
-int
-ipsecdoi_updatespi(iph2)
- struct ph2handle *iph2;
-{
- struct prop_pair **pair, *p;
- struct saprop *pp;
- struct saproto *pr;
- int i;
- int error = -1;
- u_int8_t *spi;
-
- pair = get_proppair(iph2->sa_ret, IPSECDOI_TYPE_PH2);
- if (pair == NULL)
- return -1;
- for (i = 0; i < MAXPROPPAIRLEN; i++) {
- if (pair[i])
- break;
- }
- if (i == MAXPROPPAIRLEN || pair[i]->tnext) {
- /* multiple transform must be filtered by selectph2proposal.*/
- goto end;
- }
-
- pp = iph2->approval;
-
- /* create proposal payloads */
- for (p = pair[i]; p; p = p->next) {
- /*
- * find a proposal/transform with matching proto_id/t_id.
- * we have analyzed validity already, in cmpsaprop_alloc().
- */
- for (pr = pp->head; pr; pr = pr->next) {
- if (p->prop->proto_id == pr->proto_id &&
- p->trns->t_id == pr->head->trns_id) {
- break;
- }
- }
- if (!pr)
- goto end;
-
- /*
- * XXX SPI bits are left-filled, for use with IPComp.
- * we should be switching to variable-length spi field...
- */
- spi = (u_int8_t *)&pr->spi;
- spi += sizeof(pr->spi);
- spi -= pr->spisize;
- memcpy((caddr_t)p->prop + sizeof(*p->prop), spi, pr->spisize);
- }
-
- error = 0;
-end:
- free_proppair(pair);
- return error;
-}
-
-/*
- * make a new SA payload from prop_pair.
- */
-vchar_t *
-get_sabysaprop(pp0, sa0)
- struct saprop *pp0;
- vchar_t *sa0;
-{
- struct prop_pair **pair = NULL;
- vchar_t *newsa = NULL;
- int newtlen;
- u_int8_t *np_p = NULL;
- struct prop_pair *p = NULL;
- struct saprop *pp;
- struct saproto *pr;
- struct satrns *tr;
- int prophlen, trnslen;
- caddr_t bp;
- int error = -1;
-
- /* get proposal pair */
- pair = get_proppair(sa0, IPSECDOI_TYPE_PH2);
- if (pair == NULL)
- goto out;
-
- newtlen = sizeof(struct ipsecdoi_sa_b);
- for (pp = pp0; pp; pp = pp->next) {
-
- if (pair[pp->prop_no] == NULL)
- goto out;
-
- for (pr = pp->head; pr; pr = pr->next) {
- newtlen += (sizeof(struct isakmp_pl_p)
- + pr->spisize);
-
- for (tr = pr->head; tr; tr = tr->next) {
- for (p = pair[pp->prop_no]; p; p = p->tnext) {
- if (tr->trns_no == p->trns->t_no)
- break;
- }
- if (p == NULL)
- goto out;
-
- newtlen += ntohs(p->trns->h.len);
- }
- }
- }
-
- newsa = vmalloc(newtlen);
- if (newsa == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "failed to get newsa.\n");
- goto out;
- }
- bp = newsa->v;
-
- /* some of values of SA must be updated in the out of this function */
- ((struct isakmp_gen *)bp)->len = htons(newtlen);
- bp += sizeof(struct ipsecdoi_sa_b);
-
- /* create proposal payloads */
- for (pp = pp0; pp; pp = pp->next) {
-
- for (pr = pp->head; pr; pr = pr->next) {
- prophlen = sizeof(struct isakmp_pl_p)
- + p->prop->spi_size;
-
- for (tr = pr->head; tr; tr = tr->next) {
- for (p = pair[pp->prop_no]; p; p = p->tnext) {
- if (tr->trns_no == p->trns->t_no)
- break;
- }
- if (p == NULL)
- goto out;
-
- trnslen = ntohs(p->trns->h.len);
-
- if (np_p)
- *np_p = ISAKMP_NPTYPE_P;
-
- /* create proposal */
-
- memcpy(bp, p->prop, prophlen);
- ((struct isakmp_pl_p *)bp)->h.np = ISAKMP_NPTYPE_NONE;
- ((struct isakmp_pl_p *)bp)->h.len = htons(prophlen + trnslen);
- ((struct isakmp_pl_p *)bp)->num_t = 1;
- np_p = &((struct isakmp_pl_p *)bp)->h.np;
- bp += prophlen;
-
- /* create transform */
- memcpy(bp, p->trns, trnslen);
- ((struct isakmp_pl_t *)bp)->h.np = ISAKMP_NPTYPE_NONE;
- ((struct isakmp_pl_t *)bp)->h.len = htons(trnslen);
- bp += trnslen;
- }
- }
- }
-
- error = 0;
-out:
- if (pair != NULL)
- racoon_free(pair);
-
- if (error != 0) {
- if (newsa != NULL) {
- vfree(newsa);
- newsa = NULL;
- }
- }
-
- return newsa;
-}
-
-/*
- * If some error happens then return 0. Although 0 means that lifetime is zero,
- * such a value should not be accepted.
- * Also 0 of lifebyte should not be included in a packet although 0 means not
- * to care of it.
- */
-static u_int32_t
-ipsecdoi_set_ld(buf)
- vchar_t *buf;
-{
- u_int32_t ld;
-
- if (buf == 0)
- return 0;
-
- switch (buf->l) {
- case 2:
- ld = ntohs(*(u_int16_t *)buf->v);
- break;
- case 4:
- ld = ntohl(*(u_int32_t *)buf->v);
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "length %zu of life duration "
- "isn't supported.\n", buf->l);
- return 0;
- }
-
- return ld;
-}
-
-/*%%%*/
-/*
- * check DOI
- */
-static int
-check_doi(doi)
- u_int32_t doi;
-{
- switch (doi) {
- case IPSEC_DOI:
- return 0;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid value of DOI 0x%08x.\n", doi);
- return -1;
- }
- /* NOT REACHED */
-}
-
-/*
- * check situation
- */
-static int
-check_situation(sit)
- u_int32_t sit;
-{
- switch (sit) {
- case IPSECDOI_SIT_IDENTITY_ONLY:
- return 0;
-
- case IPSECDOI_SIT_SECRECY:
- case IPSECDOI_SIT_INTEGRITY:
- plog(LLV_ERROR, LOCATION, NULL,
- "situation 0x%08x unsupported yet.\n", sit);
- return -1;
-
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid situation 0x%08x.\n", sit);
- return -1;
- }
- /* NOT REACHED */
-}
-
-/*
- * check protocol id in main mode
- */
-static int
-check_prot_main(proto_id)
- int proto_id;
-{
- switch (proto_id) {
- case IPSECDOI_PROTO_ISAKMP:
- return 0;
-
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "Illegal protocol id=%u.\n", proto_id);
- return -1;
- }
- /* NOT REACHED */
-}
-
-/*
- * check protocol id in quick mode
- */
-static int
-check_prot_quick(proto_id)
- int proto_id;
-{
- switch (proto_id) {
- case IPSECDOI_PROTO_IPSEC_AH:
- case IPSECDOI_PROTO_IPSEC_ESP:
- return 0;
-
- case IPSECDOI_PROTO_IPCOMP:
- return 0;
-
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid protocol id %d.\n", proto_id);
- return -1;
- }
- /* NOT REACHED */
-}
-
-static int
-check_spi_size(proto_id, size)
- int proto_id, size;
-{
- switch (proto_id) {
- case IPSECDOI_PROTO_ISAKMP:
- if (size != 0) {
- /* WARNING */
- plog(LLV_WARNING, LOCATION, NULL,
- "SPI size isn't zero, but IKE proposal.\n");
- }
- return 0;
-
- case IPSECDOI_PROTO_IPSEC_AH:
- case IPSECDOI_PROTO_IPSEC_ESP:
- if (size != 4) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid SPI size=%d for IPSEC proposal.\n",
- size);
- return -1;
- }
- return 0;
-
- case IPSECDOI_PROTO_IPCOMP:
- if (size != 2 && size != 4) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid SPI size=%d for IPCOMP proposal.\n",
- size);
- return -1;
- }
- return 0;
-
- default:
- /* ??? */
- return -1;
- }
- /* NOT REACHED */
-}
-
-/*
- * check transform ID in ISAKMP.
- */
-static int
-check_trns_isakmp(t_id)
- int t_id;
-{
- switch (t_id) {
- case IPSECDOI_KEY_IKE:
- return 0;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid transform-id=%u in proto_id=%u.\n",
- t_id, IPSECDOI_KEY_IKE);
- return -1;
- }
- /* NOT REACHED */
-}
-
-/*
- * check transform ID in AH.
- */
-static int
-check_trns_ah(t_id)
- int t_id;
-{
- switch (t_id) {
- case IPSECDOI_AH_MD5:
- case IPSECDOI_AH_SHA:
- case IPSECDOI_AH_SHA256:
- case IPSECDOI_AH_SHA384:
- case IPSECDOI_AH_SHA512:
- return 0;
- case IPSECDOI_AH_DES:
- plog(LLV_ERROR, LOCATION, NULL,
- "not support transform-id=%u in AH.\n", t_id);
- return -1;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid transform-id=%u in AH.\n", t_id);
- return -1;
- }
- /* NOT REACHED */
-}
-
-/*
- * check transform ID in ESP.
- */
-static int
-check_trns_esp(t_id)
- int t_id;
-{
- switch (t_id) {
- case IPSECDOI_ESP_DES:
- case IPSECDOI_ESP_3DES:
- case IPSECDOI_ESP_NULL:
- case IPSECDOI_ESP_RC5:
- case IPSECDOI_ESP_CAST:
- case IPSECDOI_ESP_BLOWFISH:
- case IPSECDOI_ESP_AES:
- case IPSECDOI_ESP_TWOFISH:
- case IPSECDOI_ESP_CAMELLIA:
- return 0;
- case IPSECDOI_ESP_DES_IV32:
- case IPSECDOI_ESP_DES_IV64:
- case IPSECDOI_ESP_IDEA:
- case IPSECDOI_ESP_3IDEA:
- case IPSECDOI_ESP_RC4:
- plog(LLV_ERROR, LOCATION, NULL,
- "not support transform-id=%u in ESP.\n", t_id);
- return -1;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid transform-id=%u in ESP.\n", t_id);
- return -1;
- }
- /* NOT REACHED */
-}
-
-/*
- * check transform ID in IPCOMP.
- */
-static int
-check_trns_ipcomp(t_id)
- int t_id;
-{
- switch (t_id) {
- case IPSECDOI_IPCOMP_OUI:
- case IPSECDOI_IPCOMP_DEFLATE:
- case IPSECDOI_IPCOMP_LZS:
- return 0;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid transform-id=%u in IPCOMP.\n", t_id);
- return -1;
- }
- /* NOT REACHED */
-}
-
-/*
- * check data attributes in IKE.
- */
-static int
-check_attr_isakmp(trns)
- struct isakmp_pl_t *trns;
-{
- struct isakmp_data *d;
- int tlen;
- int flag, type;
- u_int16_t lorv;
-
- tlen = ntohs(trns->h.len) - sizeof(struct isakmp_pl_t);
- d = (struct isakmp_data *)((caddr_t)trns + sizeof(struct isakmp_pl_t));
-
- while (tlen > 0) {
- type = ntohs(d->type) & ~ISAKMP_GEN_MASK;
- flag = ntohs(d->type) & ISAKMP_GEN_MASK;
- lorv = ntohs(d->lorv);
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "type=%s, flag=0x%04x, lorv=%s\n",
- s_oakley_attr(type), flag,
- s_oakley_attr_v(type, lorv));
-
- /*
- * some of the attributes must be encoded in TV.
- * see RFC2409 Appendix A "Attribute Classes".
- */
- switch (type) {
- case OAKLEY_ATTR_ENC_ALG:
- case OAKLEY_ATTR_HASH_ALG:
- case OAKLEY_ATTR_AUTH_METHOD:
- case OAKLEY_ATTR_GRP_DESC:
- case OAKLEY_ATTR_GRP_TYPE:
- case OAKLEY_ATTR_SA_LD_TYPE:
- case OAKLEY_ATTR_PRF:
- case OAKLEY_ATTR_KEY_LEN:
- case OAKLEY_ATTR_FIELD_SIZE:
- if (!flag) { /* TLV*/
- plog(LLV_ERROR, LOCATION, NULL,
- "oakley attribute %d must be TV.\n",
- type);
- return -1;
- }
- break;
- }
-
- /* sanity check for TLV. length must be specified. */
- if (!flag && lorv == 0) { /*TLV*/
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid length %d for TLV attribute %d.\n",
- lorv, type);
- return -1;
- }
-
- switch (type) {
- case OAKLEY_ATTR_ENC_ALG:
- if (!alg_oakley_encdef_ok(lorv)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalied encryption algorithm=%d.\n",
- lorv);
- return -1;
- }
- break;
-
- case OAKLEY_ATTR_HASH_ALG:
- if (!alg_oakley_hashdef_ok(lorv)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalied hash algorithm=%d.\n",
- lorv);
- return -1;
- }
- break;
-
- case OAKLEY_ATTR_AUTH_METHOD:
- switch (lorv) {
- case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
- case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
-#ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
-#if 0 /* Clashes with OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB */
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I:
-#endif
-#endif
- case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
- break;
- case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
-#ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
-#endif
- case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
- case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
- plog(LLV_ERROR, LOCATION, NULL,
- "auth method %s isn't supported.\n",
- s_oakley_attr_method(lorv));
- return -1;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid auth method %d.\n",
- lorv);
- return -1;
- }
- break;
-
- case OAKLEY_ATTR_GRP_DESC:
- if (!alg_oakley_dhdef_ok(lorv)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid DH group %d.\n",
- lorv);
- return -1;
- }
- break;
-
- case OAKLEY_ATTR_GRP_TYPE:
- switch (lorv) {
- case OAKLEY_ATTR_GRP_TYPE_MODP:
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "unsupported DH group type %d.\n",
- lorv);
- return -1;
- }
- break;
-
- case OAKLEY_ATTR_GRP_PI:
- case OAKLEY_ATTR_GRP_GEN_ONE:
- /* sanity checks? */
- break;
-
- case OAKLEY_ATTR_GRP_GEN_TWO:
- case OAKLEY_ATTR_GRP_CURVE_A:
- case OAKLEY_ATTR_GRP_CURVE_B:
- plog(LLV_ERROR, LOCATION, NULL,
- "attr type=%u isn't supported.\n", type);
- return -1;
-
- case OAKLEY_ATTR_SA_LD_TYPE:
- switch (lorv) {
- case OAKLEY_ATTR_SA_LD_TYPE_SEC:
- case OAKLEY_ATTR_SA_LD_TYPE_KB:
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid life type %d.\n", lorv);
- return -1;
- }
- break;
-
- case OAKLEY_ATTR_SA_LD:
- /* should check the value */
- break;
-
- case OAKLEY_ATTR_PRF:
- case OAKLEY_ATTR_KEY_LEN:
- break;
-
- case OAKLEY_ATTR_FIELD_SIZE:
- plog(LLV_ERROR, LOCATION, NULL,
- "attr type=%u isn't supported.\n", type);
- return -1;
-
- case OAKLEY_ATTR_GRP_ORDER:
- break;
-
- case OAKLEY_ATTR_GSS_ID:
- break;
-
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid attribute type %d.\n", type);
- return -1;
- }
-
- if (flag) {
- tlen -= sizeof(*d);
- d = (struct isakmp_data *)((char *)d
- + sizeof(*d));
- } else {
- tlen -= (sizeof(*d) + lorv);
- d = (struct isakmp_data *)((char *)d
- + sizeof(*d) + lorv);
- }
- }
-
- return 0;
-}
-
-/*
- * check data attributes in IPSEC AH/ESP.
- */
-static int
-check_attr_ah(trns)
- struct isakmp_pl_t *trns;
-{
- return check_attr_ipsec(IPSECDOI_PROTO_IPSEC_AH, trns);
-}
-
-static int
-check_attr_esp(trns)
- struct isakmp_pl_t *trns;
-{
- return check_attr_ipsec(IPSECDOI_PROTO_IPSEC_ESP, trns);
-}
-
-static int
-check_attr_ipsec(proto_id, trns)
- int proto_id;
- struct isakmp_pl_t *trns;
-{
- struct isakmp_data *d;
- int tlen;
- int flag, type = 0;
- u_int16_t lorv;
- int attrseen[16]; /* XXX magic number */
-
- tlen = ntohs(trns->h.len) - sizeof(struct isakmp_pl_t);
- d = (struct isakmp_data *)((caddr_t)trns + sizeof(struct isakmp_pl_t));
- memset(attrseen, 0, sizeof(attrseen));
-
- while (tlen > 0) {
- type = ntohs(d->type) & ~ISAKMP_GEN_MASK;
- flag = ntohs(d->type) & ISAKMP_GEN_MASK;
- lorv = ntohs(d->lorv);
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "type=%s, flag=0x%04x, lorv=%s\n",
- s_ipsecdoi_attr(type), flag,
- s_ipsecdoi_attr_v(type, lorv));
-
- if (type < sizeof(attrseen)/sizeof(attrseen[0]))
- attrseen[type]++;
-
- switch (type) {
- case IPSECDOI_ATTR_ENC_MODE:
- if (! flag) {
- plog(LLV_ERROR, LOCATION, NULL,
- "must be TV when ENC_MODE.\n");
- return -1;
- }
-
- switch (lorv) {
- case IPSECDOI_ATTR_ENC_MODE_TUNNEL:
- case IPSECDOI_ATTR_ENC_MODE_TRNS:
- break;
-#ifdef ENABLE_NATT
- case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC:
- case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC:
- case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT:
- case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT:
- plog(LLV_DEBUG, LOCATION, NULL,
- "UDP encapsulation requested\n");
- break;
-#endif
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid encryption mode=%u.\n",
- lorv);
- return -1;
- }
- break;
-
- case IPSECDOI_ATTR_AUTH:
- if (! flag) {
- plog(LLV_ERROR, LOCATION, NULL,
- "must be TV when AUTH.\n");
- return -1;
- }
-
- switch (lorv) {
- case IPSECDOI_ATTR_AUTH_HMAC_MD5:
- if (proto_id == IPSECDOI_PROTO_IPSEC_AH &&
- trns->t_id != IPSECDOI_AH_MD5) {
-ahmismatch:
- plog(LLV_ERROR, LOCATION, NULL,
- "auth algorithm %u conflicts "
- "with transform %u.\n",
- lorv, trns->t_id);
- return -1;
- }
- break;
- case IPSECDOI_ATTR_AUTH_HMAC_SHA1:
- if (proto_id == IPSECDOI_PROTO_IPSEC_AH) {
- if (trns->t_id != IPSECDOI_AH_SHA)
- goto ahmismatch;
- }
- break;
- case IPSECDOI_ATTR_AUTH_HMAC_SHA2_256:
- if (proto_id == IPSECDOI_PROTO_IPSEC_AH) {
- if (trns->t_id != IPSECDOI_AH_SHA256)
- goto ahmismatch;
- }
- break;
- case IPSECDOI_ATTR_AUTH_HMAC_SHA2_384:
- if (proto_id == IPSECDOI_PROTO_IPSEC_AH) {
- if (trns->t_id != IPSECDOI_AH_SHA384)
- goto ahmismatch;
- }
- break;
- case IPSECDOI_ATTR_AUTH_HMAC_SHA2_512:
- if (proto_id == IPSECDOI_PROTO_IPSEC_AH) {
- if (trns->t_id != IPSECDOI_AH_SHA512)
- goto ahmismatch;
- }
- break;
- case IPSECDOI_ATTR_AUTH_DES_MAC:
- case IPSECDOI_ATTR_AUTH_KPDK:
- plog(LLV_ERROR, LOCATION, NULL,
- "auth algorithm %u isn't supported.\n",
- lorv);
- return -1;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid auth algorithm=%u.\n",
- lorv);
- return -1;
- }
- break;
-
- case IPSECDOI_ATTR_SA_LD_TYPE:
- if (! flag) {
- plog(LLV_ERROR, LOCATION, NULL,
- "must be TV when LD_TYPE.\n");
- return -1;
- }
-
- switch (lorv) {
- case IPSECDOI_ATTR_SA_LD_TYPE_SEC:
- case IPSECDOI_ATTR_SA_LD_TYPE_KB:
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid life type %d.\n", lorv);
- return -1;
- }
- break;
-
- case IPSECDOI_ATTR_SA_LD:
- if (flag) {
- /* i.e. ISAKMP_GEN_TV */
- plog(LLV_DEBUG, LOCATION, NULL,
- "life duration was in TLV.\n");
- } else {
- /* i.e. ISAKMP_GEN_TLV */
- if (lorv == 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid length of LD\n");
- return -1;
- }
- }
- break;
-
- case IPSECDOI_ATTR_GRP_DESC:
- if (! flag) {
- plog(LLV_ERROR, LOCATION, NULL,
- "must be TV when GRP_DESC.\n");
- return -1;
- }
-
- if (!alg_oakley_dhdef_ok(lorv)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid group description=%u.\n",
- lorv);
- return -1;
- }
- break;
-
- case IPSECDOI_ATTR_KEY_LENGTH:
- if (! flag) {
- plog(LLV_ERROR, LOCATION, NULL,
- "must be TV when KEY_LENGTH.\n");
- return -1;
- }
- break;
-
-#ifdef HAVE_SECCTX
- case IPSECDOI_ATTR_SECCTX:
- if (flag) {
- plog(LLV_ERROR, LOCATION, NULL,
- "SECCTX must be in TLV.\n");
- return -1;
- }
- break;
-#endif
-
- case IPSECDOI_ATTR_KEY_ROUNDS:
- case IPSECDOI_ATTR_COMP_DICT_SIZE:
- case IPSECDOI_ATTR_COMP_PRIVALG:
- plog(LLV_ERROR, LOCATION, NULL,
- "attr type=%u isn't supported.\n", type);
- return -1;
-
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid attribute type %d.\n", type);
- return -1;
- }
-
- if (flag) {
- tlen -= sizeof(*d);
- d = (struct isakmp_data *)((char *)d
- + sizeof(*d));
- } else {
- tlen -= (sizeof(*d) + lorv);
- d = (struct isakmp_data *)((caddr_t)d
- + sizeof(*d) + lorv);
- }
- }
-
- if (proto_id == IPSECDOI_PROTO_IPSEC_AH &&
- !attrseen[IPSECDOI_ATTR_AUTH]) {
- plog(LLV_ERROR, LOCATION, NULL,
- "attr AUTH must be present for AH.\n");
- return -1;
- }
-
- if (proto_id == IPSECDOI_PROTO_IPSEC_ESP &&
- trns->t_id == IPSECDOI_ESP_NULL &&
- !attrseen[IPSECDOI_ATTR_AUTH]) {
- plog(LLV_ERROR, LOCATION, NULL,
- "attr AUTH must be present for ESP NULL encryption.\n");
- return -1;
- }
-
- return 0;
-}
-
-static int
-check_attr_ipcomp(trns)
- struct isakmp_pl_t *trns;
-{
- struct isakmp_data *d;
- int tlen;
- int flag, type = 0;
- u_int16_t lorv;
- int attrseen[16]; /* XXX magic number */
-
- tlen = ntohs(trns->h.len) - sizeof(struct isakmp_pl_t);
- d = (struct isakmp_data *)((caddr_t)trns + sizeof(struct isakmp_pl_t));
- memset(attrseen, 0, sizeof(attrseen));
-
- while (tlen > 0) {
- type = ntohs(d->type) & ~ISAKMP_GEN_MASK;
- flag = ntohs(d->type) & ISAKMP_GEN_MASK;
- lorv = ntohs(d->lorv);
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "type=%d, flag=0x%04x, lorv=0x%04x\n",
- type, flag, lorv);
-
- if (type < sizeof(attrseen)/sizeof(attrseen[0]))
- attrseen[type]++;
-
- switch (type) {
- case IPSECDOI_ATTR_ENC_MODE:
- if (! flag) {
- plog(LLV_ERROR, LOCATION, NULL,
- "must be TV when ENC_MODE.\n");
- return -1;
- }
-
- switch (lorv) {
- case IPSECDOI_ATTR_ENC_MODE_TUNNEL:
- case IPSECDOI_ATTR_ENC_MODE_TRNS:
- break;
-#ifdef ENABLE_NATT
- case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC:
- case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC:
- case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT:
- case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT:
- plog(LLV_DEBUG, LOCATION, NULL,
- "UDP encapsulation requested\n");
- break;
-#endif
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid encryption mode=%u.\n",
- lorv);
- return -1;
- }
- break;
-
- case IPSECDOI_ATTR_SA_LD_TYPE:
- if (! flag) {
- plog(LLV_ERROR, LOCATION, NULL,
- "must be TV when LD_TYPE.\n");
- return -1;
- }
-
- switch (lorv) {
- case IPSECDOI_ATTR_SA_LD_TYPE_SEC:
- case IPSECDOI_ATTR_SA_LD_TYPE_KB:
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid life type %d.\n", lorv);
- return -1;
- }
- break;
-
- case IPSECDOI_ATTR_SA_LD:
- if (flag) {
- /* i.e. ISAKMP_GEN_TV */
- plog(LLV_DEBUG, LOCATION, NULL,
- "life duration was in TLV.\n");
- } else {
- /* i.e. ISAKMP_GEN_TLV */
- if (lorv == 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid length of LD\n");
- return -1;
- }
- }
- break;
-
- case IPSECDOI_ATTR_GRP_DESC:
- if (! flag) {
- plog(LLV_ERROR, LOCATION, NULL,
- "must be TV when GRP_DESC.\n");
- return -1;
- }
-
- if (!alg_oakley_dhdef_ok(lorv)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid group description=%u.\n",
- lorv);
- return -1;
- }
- break;
-
- case IPSECDOI_ATTR_AUTH:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid attr type=%u.\n", type);
- return -1;
-
- case IPSECDOI_ATTR_KEY_LENGTH:
- case IPSECDOI_ATTR_KEY_ROUNDS:
- case IPSECDOI_ATTR_COMP_DICT_SIZE:
- case IPSECDOI_ATTR_COMP_PRIVALG:
- plog(LLV_ERROR, LOCATION, NULL,
- "attr type=%u isn't supported.\n", type);
- return -1;
-
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid attribute type %d.\n", type);
- return -1;
- }
-
- if (flag) {
- tlen -= sizeof(*d);
- d = (struct isakmp_data *)((char *)d
- + sizeof(*d));
- } else {
- tlen -= (sizeof(*d) + lorv);
- d = (struct isakmp_data *)((caddr_t)d
- + sizeof(*d) + lorv);
- }
- }
-
-#if 0
- if (proto_id == IPSECDOI_PROTO_IPCOMP &&
- !attrseen[IPSECDOI_ATTR_AUTH]) {
- plog(LLV_ERROR, LOCATION, NULL,
- "attr AUTH must be present for AH.\n", type);
- return -1;
- }
-#endif
-
- return 0;
-}
-
-/* %%% */
-/*
- * create phase1 proposal from remote configuration.
- * NOT INCLUDING isakmp general header of SA payload
- */
-vchar_t *
-ipsecdoi_setph1proposal(props)
- struct isakmpsa *props;
-{
- vchar_t *mysa;
- int sablen;
-
- /* count total size of SA minus isakmp general header */
- /* not including isakmp general header of SA payload */
- sablen = sizeof(struct ipsecdoi_sa_b);
- sablen += setph1prop(props, NULL);
-
- mysa = vmalloc(sablen);
- if (mysa == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate my sa buffer\n");
- return NULL;
- }
-
- /* create SA payload */
- /* not including isakmp general header */
- ((struct ipsecdoi_sa_b *)mysa->v)->doi = htonl(props->rmconf->doitype);
- ((struct ipsecdoi_sa_b *)mysa->v)->sit = htonl(props->rmconf->sittype);
-
- (void)setph1prop(props, mysa->v + sizeof(struct ipsecdoi_sa_b));
-
- return mysa;
-}
-
-static int
-setph1prop(props, buf)
- struct isakmpsa *props;
- caddr_t buf;
-{
- struct isakmp_pl_p *prop = NULL;
- struct isakmpsa *s = NULL;
- int proplen, trnslen;
- u_int8_t *np_t; /* pointer next trns type in previous header */
- int trns_num;
- caddr_t p = buf;
-
- proplen = sizeof(*prop);
- if (buf) {
- /* create proposal */
- prop = (struct isakmp_pl_p *)p;
- prop->h.np = ISAKMP_NPTYPE_NONE;
- prop->p_no = props->prop_no;
- prop->proto_id = IPSECDOI_PROTO_ISAKMP;
- prop->spi_size = 0;
- p += sizeof(*prop);
- }
-
- np_t = NULL;
- trns_num = 0;
-
- for (s = props; s != NULL; s = s->next) {
- if (np_t)
- *np_t = ISAKMP_NPTYPE_T;
-
- trnslen = setph1trns(s, p);
- proplen += trnslen;
- if (buf) {
- /* save buffer to pre-next payload */
- np_t = &((struct isakmp_pl_t *)p)->h.np;
- p += trnslen;
-
- /* count up transform length */
- trns_num++;
- }
- }
-
- /* update proposal length */
- if (buf) {
- prop->h.len = htons(proplen);
- prop->num_t = trns_num;
- }
-
- return proplen;
-}
-
-static int
-setph1trns(sa, buf)
- struct isakmpsa *sa;
- caddr_t buf;
-{
- struct isakmp_pl_t *trns = NULL;
- int trnslen, attrlen;
- caddr_t p = buf;
-
- trnslen = sizeof(*trns);
- if (buf) {
- /* create transform */
- trns = (struct isakmp_pl_t *)p;
- trns->h.np = ISAKMP_NPTYPE_NONE;
- trns->t_no = sa->trns_no;
- trns->t_id = IPSECDOI_KEY_IKE;
- p += sizeof(*trns);
- }
-
- attrlen = setph1attr(sa, p);
- trnslen += attrlen;
- if (buf)
- p += attrlen;
-
- if (buf)
- trns->h.len = htons(trnslen);
-
- return trnslen;
-}
-
-static int
-setph1attr(sa, buf)
- struct isakmpsa *sa;
- caddr_t buf;
-{
- caddr_t p = buf;
- int attrlen = 0;
-
- if (sa->lifetime) {
- u_int32_t lifetime = htonl((u_int32_t)sa->lifetime);
-
- attrlen += sizeof(struct isakmp_data)
- + sizeof(struct isakmp_data);
- if (sa->lifetime > 0xffff)
- attrlen += sizeof(lifetime);
- if (buf) {
- p = isakmp_set_attr_l(p, OAKLEY_ATTR_SA_LD_TYPE,
- OAKLEY_ATTR_SA_LD_TYPE_SEC);
- if (sa->lifetime > 0xffff) {
- p = isakmp_set_attr_v(p, OAKLEY_ATTR_SA_LD,
- (caddr_t)&lifetime,
- sizeof(lifetime));
- } else {
- p = isakmp_set_attr_l(p, OAKLEY_ATTR_SA_LD,
- sa->lifetime);
- }
- }
- }
-
- if (sa->lifebyte) {
- u_int32_t lifebyte = htonl((u_int32_t)sa->lifebyte);
-
- attrlen += sizeof(struct isakmp_data)
- + sizeof(struct isakmp_data);
- if (sa->lifebyte > 0xffff)
- attrlen += sizeof(lifebyte);
- if (buf) {
- p = isakmp_set_attr_l(p, OAKLEY_ATTR_SA_LD_TYPE,
- OAKLEY_ATTR_SA_LD_TYPE_KB);
- if (sa->lifebyte > 0xffff) {
- p = isakmp_set_attr_v(p, OAKLEY_ATTR_SA_LD,
- (caddr_t)&lifebyte,
- sizeof(lifebyte));
- } else {
- p = isakmp_set_attr_l(p, OAKLEY_ATTR_SA_LD,
- sa->lifebyte);
- }
- }
- }
-
- if (sa->enctype) {
- attrlen += sizeof(struct isakmp_data);
- if (buf)
- p = isakmp_set_attr_l(p, OAKLEY_ATTR_ENC_ALG, sa->enctype);
- }
- if (sa->encklen) {
- attrlen += sizeof(struct isakmp_data);
- if (buf)
- p = isakmp_set_attr_l(p, OAKLEY_ATTR_KEY_LEN, sa->encklen);
- }
- if (sa->authmethod) {
- int authmethod;
-
-#ifdef ENABLE_HYBRID
- authmethod = switch_authmethod(sa->authmethod);
-#else
- authmethod = sa->authmethod;
-#endif
- attrlen += sizeof(struct isakmp_data);
- if (buf)
- p = isakmp_set_attr_l(p, OAKLEY_ATTR_AUTH_METHOD, authmethod);
- }
- if (sa->hashtype) {
- attrlen += sizeof(struct isakmp_data);
- if (buf)
- p = isakmp_set_attr_l(p, OAKLEY_ATTR_HASH_ALG, sa->hashtype);
- }
- switch (sa->dh_group) {
- case OAKLEY_ATTR_GRP_DESC_MODP768:
- case OAKLEY_ATTR_GRP_DESC_MODP1024:
- case OAKLEY_ATTR_GRP_DESC_MODP1536:
- case OAKLEY_ATTR_GRP_DESC_MODP2048:
- case OAKLEY_ATTR_GRP_DESC_MODP3072:
- case OAKLEY_ATTR_GRP_DESC_MODP4096:
- case OAKLEY_ATTR_GRP_DESC_MODP6144:
- case OAKLEY_ATTR_GRP_DESC_MODP8192:
- /* don't attach group type for known groups */
- attrlen += sizeof(struct isakmp_data);
- if (buf) {
- p = isakmp_set_attr_l(p, OAKLEY_ATTR_GRP_DESC,
- sa->dh_group);
- }
- break;
- case OAKLEY_ATTR_GRP_DESC_EC2N155:
- case OAKLEY_ATTR_GRP_DESC_EC2N185:
- /* don't attach group type for known groups */
- attrlen += sizeof(struct isakmp_data);
- if (buf) {
- p = isakmp_set_attr_l(p, OAKLEY_ATTR_GRP_TYPE,
- OAKLEY_ATTR_GRP_TYPE_EC2N);
- }
- break;
- case 0:
- default:
- break;
- }
-
-#ifdef HAVE_GSSAPI
- if (sa->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB &&
- sa->gssid != NULL) {
- attrlen += sizeof(struct isakmp_data);
- /*
- * Older versions of racoon just placed the ISO-Latin-1
- * string on the wire directly. Check to see if we are
- * configured to be compatible with this behavior. Otherwise,
- * we encode the GSS ID as UTF-16LE for Windows 2000
- * compatibility, which requires twice the number of octets.
- */
- if (lcconf->gss_id_enc == LC_GSSENC_LATIN1)
- attrlen += sa->gssid->l;
- else
- attrlen += sa->gssid->l * 2;
- if (buf) {
- plog(LLV_DEBUG, LOCATION, NULL, "gss id attr: len %zu, "
- "val '%.*s'\n", sa->gssid->l, (int)sa->gssid->l,
- sa->gssid->v);
- if (lcconf->gss_id_enc == LC_GSSENC_LATIN1) {
- p = isakmp_set_attr_v(p, OAKLEY_ATTR_GSS_ID,
- (caddr_t)sa->gssid->v,
- sa->gssid->l);
- } else {
- size_t dstleft = sa->gssid->l * 2;
- size_t srcleft = sa->gssid->l;
- const char *src = (const char *)sa->gssid->v;
- char *odst, *dst = racoon_malloc(dstleft);
- iconv_t cd;
- size_t rv;
-
- cd = iconv_open("utf-16le", "latin1");
- if (cd == (iconv_t) -1) {
- plog(LLV_ERROR, LOCATION, NULL,
- "unable to initialize "
- "latin1 -> utf-16le "
- "converstion descriptor: %s\n",
- strerror(errno));
- attrlen -= sa->gssid->l * 2;
- goto gssid_done;
- }
- odst = dst;
- rv = iconv(cd, (__iconv_const char **)&src,
- &srcleft, &dst, &dstleft);
- if (rv != 0) {
- if (rv == -1) {
- plog(LLV_ERROR, LOCATION, NULL,
- "unable to convert GSS ID "
- "from latin1 -> utf-16le: "
- "%s\n", strerror(errno));
- } else {
- /* should never happen */
- plog(LLV_ERROR, LOCATION, NULL,
- "%zd character%s in GSS ID "
- "cannot be represented "
- "in utf-16le\n",
- rv, rv == 1 ? "" : "s");
- }
- (void) iconv_close(cd);
- attrlen -= sa->gssid->l * 2;
- goto gssid_done;
- }
- (void) iconv_close(cd);
-
- /* XXX Check srcleft and dstleft? */
-
- p = isakmp_set_attr_v(p, OAKLEY_ATTR_GSS_ID,
- odst, sa->gssid->l * 2);
-
- racoon_free(odst);
- }
- }
- }
- gssid_done:
-#endif /* HAVE_GSSAPI */
-
- return attrlen;
-}
-
-static vchar_t *
-setph2proposal0(iph2, pp, pr)
- const struct ph2handle *iph2;
- const struct saprop *pp;
- const struct saproto *pr;
-{
- vchar_t *p;
- struct isakmp_pl_p *prop;
- struct isakmp_pl_t *trns;
- struct satrns *tr;
- int attrlen;
- size_t trnsoff;
- caddr_t x0, x;
- u_int8_t *np_t; /* pointer next trns type in previous header */
- const u_int8_t *spi;
-#ifdef HAVE_SECCTX
- int truectxlen = 0;
-#endif
-
- p = vmalloc(sizeof(*prop) + sizeof(pr->spi));
- if (p == NULL)
- return NULL;
-
- /* create proposal */
- prop = (struct isakmp_pl_p *)p->v;
- prop->h.np = ISAKMP_NPTYPE_NONE;
- prop->p_no = pp->prop_no;
- prop->proto_id = pr->proto_id;
- prop->num_t = 1;
-
- spi = (const u_int8_t *)&pr->spi;
- switch (pr->proto_id) {
- case IPSECDOI_PROTO_IPCOMP:
- /*
- * draft-shacham-ippcp-rfc2393bis-05.txt:
- * construct 16bit SPI (CPI).
- * XXX we may need to provide a configuration option to
- * generate 32bit SPI. otherwise we cannot interoeprate
- * with nodes that uses 32bit SPI, in case we are initiator.
- */
- prop->spi_size = sizeof(u_int16_t);
- spi += sizeof(pr->spi) - sizeof(u_int16_t);
- p->l -= sizeof(pr->spi);
- p->l += sizeof(u_int16_t);
- break;
- default:
- prop->spi_size = sizeof(pr->spi);
- break;
- }
- memcpy(prop + 1, spi, prop->spi_size);
-
- /* create transform */
- trnsoff = sizeof(*prop) + prop->spi_size;
- np_t = NULL;
-
- for (tr = pr->head; tr; tr = tr->next) {
-
- switch (pr->proto_id) {
- case IPSECDOI_PROTO_IPSEC_ESP:
- /*
- * don't build a null encryption
- * with no authentication transform.
- */
- if (tr->trns_id == IPSECDOI_ESP_NULL &&
- tr->authtype == IPSECDOI_ATTR_AUTH_NONE)
- continue;
- break;
- }
-
- if (np_t) {
- *np_t = ISAKMP_NPTYPE_T;
- prop->num_t++;
- }
-
- /* get attribute length */
- attrlen = 0;
- if (pp->lifetime) {
- attrlen += sizeof(struct isakmp_data)
- + sizeof(struct isakmp_data);
- if (pp->lifetime > 0xffff)
- attrlen += sizeof(u_int32_t);
- }
- if (pp->lifebyte && pp->lifebyte != IPSECDOI_ATTR_SA_LD_KB_MAX) {
- attrlen += sizeof(struct isakmp_data)
- + sizeof(struct isakmp_data);
- if (pp->lifebyte > 0xffff)
- attrlen += sizeof(u_int32_t);
- }
- attrlen += sizeof(struct isakmp_data); /* enc mode */
- if (tr->encklen)
- attrlen += sizeof(struct isakmp_data);
-
- switch (pr->proto_id) {
- case IPSECDOI_PROTO_IPSEC_ESP:
- /* non authentication mode ? */
- if (tr->authtype != IPSECDOI_ATTR_AUTH_NONE)
- attrlen += sizeof(struct isakmp_data);
- break;
- case IPSECDOI_PROTO_IPSEC_AH:
- if (tr->authtype == IPSECDOI_ATTR_AUTH_NONE) {
- plog(LLV_ERROR, LOCATION, NULL,
- "no authentication algorithm found "
- "but protocol is AH.\n");
- vfree(p);
- return NULL;
- }
- attrlen += sizeof(struct isakmp_data);
- break;
- case IPSECDOI_PROTO_IPCOMP:
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid protocol: %d\n", pr->proto_id);
- vfree(p);
- return NULL;
- }
-
- if (alg_oakley_dhdef_ok(iph2->sainfo->pfs_group))
- attrlen += sizeof(struct isakmp_data);
-
-#ifdef HAVE_SECCTX
- /* ctx_str is defined as char ctx_str[MAX_CTXSTR_SIZ].
- * The string may be smaller than MAX_CTXSTR_SIZ.
- */
- if (*pp->sctx.ctx_str) {
- truectxlen = sizeof(struct security_ctx) -
- (MAX_CTXSTR_SIZE - pp->sctx.ctx_strlen);
- attrlen += sizeof(struct isakmp_data) + truectxlen;
- }
-#endif /* HAVE_SECCTX */
-
- p = vrealloc(p, p->l + sizeof(*trns) + attrlen);
- if (p == NULL)
- return NULL;
- prop = (struct isakmp_pl_p *)p->v;
-
- /* set transform's values */
- trns = (struct isakmp_pl_t *)(p->v + trnsoff);
- trns->h.np = ISAKMP_NPTYPE_NONE;
- trns->t_no = tr->trns_no;
- trns->t_id = tr->trns_id;
-
- /* set attributes */
- x = x0 = p->v + trnsoff + sizeof(*trns);
-
- if (pp->lifetime) {
- x = isakmp_set_attr_l(x, IPSECDOI_ATTR_SA_LD_TYPE,
- IPSECDOI_ATTR_SA_LD_TYPE_SEC);
- if (pp->lifetime > 0xffff) {
- u_int32_t v = htonl((u_int32_t)pp->lifetime);
- x = isakmp_set_attr_v(x, IPSECDOI_ATTR_SA_LD,
- (caddr_t)&v, sizeof(v));
- } else {
- x = isakmp_set_attr_l(x, IPSECDOI_ATTR_SA_LD,
- pp->lifetime);
- }
- }
-
- if (pp->lifebyte && pp->lifebyte != IPSECDOI_ATTR_SA_LD_KB_MAX) {
- x = isakmp_set_attr_l(x, IPSECDOI_ATTR_SA_LD_TYPE,
- IPSECDOI_ATTR_SA_LD_TYPE_KB);
- if (pp->lifebyte > 0xffff) {
- u_int32_t v = htonl((u_int32_t)pp->lifebyte);
- x = isakmp_set_attr_v(x, IPSECDOI_ATTR_SA_LD,
- (caddr_t)&v, sizeof(v));
- } else {
- x = isakmp_set_attr_l(x, IPSECDOI_ATTR_SA_LD,
- pp->lifebyte);
- }
- }
-
- x = isakmp_set_attr_l(x, IPSECDOI_ATTR_ENC_MODE, pr->encmode);
-
- if (tr->encklen)
- x = isakmp_set_attr_l(x, IPSECDOI_ATTR_KEY_LENGTH, tr->encklen);
-
- /* mandatory check has done above. */
- if ((pr->proto_id == IPSECDOI_PROTO_IPSEC_ESP && tr->authtype != IPSECDOI_ATTR_AUTH_NONE)
- || pr->proto_id == IPSECDOI_PROTO_IPSEC_AH)
- x = isakmp_set_attr_l(x, IPSECDOI_ATTR_AUTH, tr->authtype);
-
- if (alg_oakley_dhdef_ok(iph2->sainfo->pfs_group))
- x = isakmp_set_attr_l(x, IPSECDOI_ATTR_GRP_DESC,
- iph2->sainfo->pfs_group);
-
-#ifdef HAVE_SECCTX
- if (*pp->sctx.ctx_str) {
- struct security_ctx secctx;
- secctx = pp->sctx;
- secctx.ctx_strlen = htons(pp->sctx.ctx_strlen);
- x = isakmp_set_attr_v(x, IPSECDOI_ATTR_SECCTX,
- (caddr_t)&secctx, truectxlen);
- }
-#endif
- /* update length of this transform. */
- trns = (struct isakmp_pl_t *)(p->v + trnsoff);
- trns->h.len = htons(sizeof(*trns) + attrlen);
-
- /* save buffer to pre-next payload */
- np_t = &trns->h.np;
-
- trnsoff += (sizeof(*trns) + attrlen);
- }
-
- if (np_t == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "no suitable proposal was created.\n");
- return NULL;
- }
-
- /* update length of this protocol. */
- prop->h.len = htons(p->l);
-
- return p;
-}
-
-/*
- * create phase2 proposal from policy configuration.
- * NOT INCLUDING isakmp general header of SA payload.
- * This function is called by initiator only.
- */
-int
-ipsecdoi_setph2proposal(iph2)
- struct ph2handle *iph2;
-{
- struct saprop *proposal, *a;
- struct saproto *b = NULL;
- vchar_t *q;
- struct ipsecdoi_sa_b *sab;
- struct isakmp_pl_p *prop;
- size_t propoff; /* for previous field of type of next payload. */
-
- proposal = iph2->proposal;
-
- iph2->sa = vmalloc(sizeof(*sab));
- if (iph2->sa == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate my sa buffer\n");
- return -1;
- }
-
- /* create SA payload */
- sab = (struct ipsecdoi_sa_b *)iph2->sa->v;
- sab->doi = htonl(IPSEC_DOI);
- sab->sit = htonl(IPSECDOI_SIT_IDENTITY_ONLY); /* XXX configurable ? */
-
- prop = NULL;
- propoff = 0;
- for (a = proposal; a; a = a->next) {
- for (b = a->head; b; b = b->next) {
-#ifdef ENABLE_NATT
- if (iph2->ph1->natt_flags & NAT_DETECTED) {
- int udp_diff = iph2->ph1->natt_options->mode_udp_diff;
- plog (LLV_INFO, LOCATION, NULL,
- "NAT detected -> UDP encapsulation "
- "(ENC_MODE %d->%d).\n",
- b->encmode,
- b->encmode+udp_diff);
- /* Tunnel -> UDP-Tunnel, Transport -> UDP_Transport */
- b->encmode += udp_diff;
- b->udp_encap = 1;
- }
-#endif
-
- q = setph2proposal0(iph2, a, b);
- if (q == NULL) {
- VPTRINIT(iph2->sa);
- return -1;
- }
-
- iph2->sa = vrealloc(iph2->sa, iph2->sa->l + q->l);
- if (iph2->sa == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate my sa buffer\n");
- if (q)
- vfree(q);
- return -1;
- }
- memcpy(iph2->sa->v + iph2->sa->l - q->l, q->v, q->l);
- if (propoff != 0) {
- prop = (struct isakmp_pl_p *)(iph2->sa->v +
- propoff);
- prop->h.np = ISAKMP_NPTYPE_P;
- }
- propoff = iph2->sa->l - q->l;
-
- vfree(q);
- }
- }
-
- return 0;
-}
-
-/*
- * return 1 if all of the given protocols are transport mode.
- */
-int
-ipsecdoi_transportmode(pp)
- struct saprop *pp;
-{
- struct saproto *pr = NULL;
-
- for (; pp; pp = pp->next) {
- for (pr = pp->head; pr; pr = pr->next) {
- if (pr->encmode != IPSECDOI_ATTR_ENC_MODE_TRNS)
- return 0;
- }
- }
-
- return 1;
-}
-
-int
-ipsecdoi_get_defaultlifetime()
-{
- return IPSECDOI_ATTR_SA_LD_SEC_DEFAULT;
-}
-
-int
-ipsecdoi_checkalgtypes(proto_id, enc, auth, comp)
- int proto_id, enc, auth, comp;
-{
-#define TMPALGTYPE2STR(n) s_algtype(algclass_ipsec_##n, n)
- switch (proto_id) {
- case IPSECDOI_PROTO_IPSEC_ESP:
- if (enc == 0 || comp != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "illegal algorithm defined "
- "ESP enc=%s auth=%s comp=%s.\n",
- TMPALGTYPE2STR(enc),
- TMPALGTYPE2STR(auth),
- TMPALGTYPE2STR(comp));
- return -1;
- }
- break;
- case IPSECDOI_PROTO_IPSEC_AH:
- if (enc != 0 || auth == 0 || comp != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "illegal algorithm defined "
- "AH enc=%s auth=%s comp=%s.\n",
- TMPALGTYPE2STR(enc),
- TMPALGTYPE2STR(auth),
- TMPALGTYPE2STR(comp));
- return -1;
- }
- break;
- case IPSECDOI_PROTO_IPCOMP:
- if (enc != 0 || auth != 0 || comp == 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "illegal algorithm defined "
- "IPcomp enc=%s auth=%s comp=%s.\n",
- TMPALGTYPE2STR(enc),
- TMPALGTYPE2STR(auth),
- TMPALGTYPE2STR(comp));
- return -1;
- }
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid ipsec protocol %d\n", proto_id);
- return -1;
- }
-#undef TMPALGTYPE2STR
- return 0;
-}
-
-int
-ipproto2doi(proto)
- int proto;
-{
- switch (proto) {
- case IPPROTO_AH:
- return IPSECDOI_PROTO_IPSEC_AH;
- case IPPROTO_ESP:
- return IPSECDOI_PROTO_IPSEC_ESP;
- case IPPROTO_IPCOMP:
- return IPSECDOI_PROTO_IPCOMP;
- }
- return -1; /* XXX */
-}
-
-int
-doi2ipproto(proto)
- int proto;
-{
- switch (proto) {
- case IPSECDOI_PROTO_IPSEC_AH:
- return IPPROTO_AH;
- case IPSECDOI_PROTO_IPSEC_ESP:
- return IPPROTO_ESP;
- case IPSECDOI_PROTO_IPCOMP:
- return IPPROTO_IPCOMP;
- }
- return -1; /* XXX */
-}
-
-/*
- * Check if a subnet id is valid for comparison
- * with an address id ( address length mask )
- * and compare them
- * Return value
- * = 0 for match
- * = 1 for mismatch
- */
-
-int
-ipsecdoi_subnetisaddr_v4( subnet, address )
- const vchar_t *subnet;
- const vchar_t *address;
-{
- struct in_addr *mask;
-
- if (address->l != sizeof(struct in_addr))
- return 1;
-
- if (subnet->l != (sizeof(struct in_addr)*2))
- return 1;
-
- mask = (struct in_addr*)(subnet->v + sizeof(struct in_addr));
-
- if (mask->s_addr!=0xffffffff)
- return 1;
-
- return memcmp(subnet->v,address->v,address->l);
-}
-
-#ifdef INET6
-
-int
-ipsecdoi_subnetisaddr_v6( subnet, address )
- const vchar_t *subnet;
- const vchar_t *address;
-{
- struct in6_addr *mask;
- int i;
-
- if (address->l != sizeof(struct in6_addr))
- return 1;
-
- if (subnet->l != (sizeof(struct in6_addr)*2))
- return 1;
-
- mask = (struct in6_addr*)(subnet->v + sizeof(struct in6_addr));
-
- for (i=0; i<16; i++)
- if(mask->s6_addr[i]!=0xff)
- return 1;
-
- return memcmp(subnet->v,address->v,address->l);
-}
-
-#endif
-
-/*
- * Check and Compare two IDs
- * - specify 0 for exact if wildcards are allowed
- * Return value
- * = 0 for match
- * = 1 for misatch
- * = -1 for integrity error
- */
-
-int
-ipsecdoi_chkcmpids( idt, ids, exact )
- const vchar_t *idt; /* id cmp target */
- const vchar_t *ids; /* id cmp source */
- int exact;
-{
- struct ipsecdoi_id_b *id_bt;
- struct ipsecdoi_id_b *id_bs;
- vchar_t ident_t;
- vchar_t ident_s;
- int result;
-
- /* handle wildcard IDs */
-
- if (idt == NULL || ids == NULL)
- {
- if( !exact )
- {
- plog(LLV_DEBUG, LOCATION, NULL,
- "check and compare ids : values matched (ANONYMOUS)\n" );
- return 0;
- }
- else
- {
- plog(LLV_DEBUG, LOCATION, NULL,
- "check and compare ids : value mismatch (ANONYMOUS)\n" );
- return -1;
- }
- }
-
- /* make sure the ids are of the same type */
-
- id_bt = (struct ipsecdoi_id_b *) idt->v;
- id_bs = (struct ipsecdoi_id_b *) ids->v;
-
- ident_t.v = idt->v + sizeof(*id_bt);
- ident_t.l = idt->l - sizeof(*id_bt);
- ident_s.v = ids->v + sizeof(*id_bs);
- ident_s.l = ids->l - sizeof(*id_bs);
-
- if (id_bs->type != id_bt->type)
- {
- /*
- * special exception for comparing
- * address to subnet id types when
- * the netmask is address length
- */
-
- if ((id_bs->type == IPSECDOI_ID_IPV4_ADDR)&&
- (id_bt->type == IPSECDOI_ID_IPV4_ADDR_SUBNET)) {
- result = ipsecdoi_subnetisaddr_v4(&ident_t,&ident_s);
- goto cmpid_result;
- }
-
- if ((id_bs->type == IPSECDOI_ID_IPV4_ADDR_SUBNET)&&
- (id_bt->type == IPSECDOI_ID_IPV4_ADDR)) {
- result = ipsecdoi_subnetisaddr_v4(&ident_s,&ident_t);
- goto cmpid_result;
- }
-
-#ifdef INET6
- if ((id_bs->type == IPSECDOI_ID_IPV6_ADDR)&&
- (id_bt->type == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
- result = ipsecdoi_subnetisaddr_v6(&ident_t,&ident_s);
- goto cmpid_result;
- }
-
- if ((id_bs->type == IPSECDOI_ID_IPV6_ADDR_SUBNET)&&
- (id_bt->type == IPSECDOI_ID_IPV6_ADDR)) {
- result = ipsecdoi_subnetisaddr_v6(&ident_s,&ident_t);
- goto cmpid_result;
- }
-#endif
- plog(LLV_DEBUG, LOCATION, NULL,
- "check and compare ids : id type mismatch %s != %s\n",
- s_ipsecdoi_ident(id_bs->type),
- s_ipsecdoi_ident(id_bt->type));
-
- return 1;
- }
-
- if(id_bs->proto_id != id_bt->proto_id){
- plog(LLV_DEBUG, LOCATION, NULL,
- "check and compare ids : proto_id mismatch %d != %d\n",
- id_bs->proto_id, id_bt->proto_id);
-
- return 1;
- }
-
- /* compare the ID data. */
-
- switch (id_bt->type) {
- case IPSECDOI_ID_DER_ASN1_DN:
- case IPSECDOI_ID_DER_ASN1_GN:
- /* compare asn1 ids */
- result = eay_cmp_asn1dn(&ident_t, &ident_s);
- goto cmpid_result;
-
- case IPSECDOI_ID_IPV4_ADDR:
- /* validate lengths */
- if ((ident_t.l != sizeof(struct in_addr))||
- (ident_s.l != sizeof(struct in_addr)))
- goto cmpid_invalid;
- break;
-
- case IPSECDOI_ID_IPV4_ADDR_SUBNET:
- case IPSECDOI_ID_IPV4_ADDR_RANGE:
- /* validate lengths */
- if ((ident_t.l != (sizeof(struct in_addr)*2))||
- (ident_s.l != (sizeof(struct in_addr)*2)))
- goto cmpid_invalid;
- break;
-
-#ifdef INET6
- case IPSECDOI_ID_IPV6_ADDR:
- /* validate lengths */
- if ((ident_t.l != sizeof(struct in6_addr))||
- (ident_s.l != sizeof(struct in6_addr)))
- goto cmpid_invalid;
- break;
-
- case IPSECDOI_ID_IPV6_ADDR_SUBNET:
- case IPSECDOI_ID_IPV6_ADDR_RANGE:
- /* validate lengths */
- if ((ident_t.l != (sizeof(struct in6_addr)*2))||
- (ident_s.l != (sizeof(struct in6_addr)*2)))
- goto cmpid_invalid;
- break;
-#endif
- case IPSECDOI_ID_FQDN:
- case IPSECDOI_ID_USER_FQDN:
- case IPSECDOI_ID_KEY_ID:
- break;
-
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "Unhandled id type %i specified for comparison\n",
- id_bt->type);
- return -1;
- }
-
- /* validate matching data and length */
- if (ident_t.l == ident_s.l)
- result = memcmp(ident_t.v,ident_s.v,ident_t.l);
- else
- result = 1;
-
-cmpid_result:
-
- /* debug level output */
- if(loglevel >= LLV_DEBUG) {
- char *idstrt = ipsecdoi_id2str(idt);
- char *idstrs = ipsecdoi_id2str(ids);
-
- if (!result)
- plog(LLV_DEBUG, LOCATION, NULL,
- "check and compare ids : values matched (%s)\n",
- s_ipsecdoi_ident(id_bs->type) );
- else
- plog(LLV_DEBUG, LOCATION, NULL,
- "check and compare ids : value mismatch (%s)\n",
- s_ipsecdoi_ident(id_bs->type));
-
- plog(LLV_DEBUG, LOCATION, NULL, "cmpid target: \'%s\'\n", idstrt );
- plog(LLV_DEBUG, LOCATION, NULL, "cmpid source: \'%s\'\n", idstrs );
-
- racoon_free(idstrs);
- racoon_free(idstrt);
- }
-
- /* return result */
- if( !result )
- return 0;
- else
- return 1;
-
-cmpid_invalid:
-
- /* id integrity error */
- plog(LLV_DEBUG, LOCATION, NULL, "check and compare ids : %s integrity error\n",
- s_ipsecdoi_ident(id_bs->type));
- plog(LLV_DEBUG, LOCATION, NULL, "cmpid target: length = \'%zu\'\n", ident_t.l );
- plog(LLV_DEBUG, LOCATION, NULL, "cmpid source: length = \'%zu\'\n", ident_s.l );
-
- return -1;
-}
-
-/*
- * check the following:
- * - In main mode with pre-shared key, only address type can be used.
- * - if proper type for phase 1 ?
- * - if phase 1 ID payload conformed RFC2407 4.6.2.
- * (proto, port) must be (0, 0), (udp, 500) or (udp, [specified]).
- * - if ID payload sent from peer is equal to the ID expected by me.
- *
- * both of "id" and "id_p" should be ID payload without general header,
- */
-int
-ipsecdoi_checkid1(iph1)
- struct ph1handle *iph1;
-{
- struct ipsecdoi_id_b *id_b;
- struct sockaddr *sa;
- caddr_t sa1, sa2;
-
- if (iph1->id_p == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid iph1 passed id_p == NULL\n");
- return ISAKMP_INTERNAL_ERROR;
- }
- if (iph1->id_p->l < sizeof(*id_b)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid value passed as \"ident\" (len=%lu)\n",
- (u_long)iph1->id_p->l);
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
- }
-
- id_b = (struct ipsecdoi_id_b *)iph1->id_p->v;
-
-#ifndef ANDROID_PATCHED
- /* In main mode with pre-shared key, only address type can be used. */
- if (iph1->etype == ISAKMP_ETYPE_IDENT &&
- iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_PSKEY) {
- if (id_b->type != IPSECDOI_ID_IPV4_ADDR
- && id_b->type != IPSECDOI_ID_IPV6_ADDR) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Expecting IP address type in main mode, "
- "but %s.\n", s_ipsecdoi_ident(id_b->type));
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
- }
- }
-#endif
-
- /* if proper type for phase 1 ? */
- switch (id_b->type) {
- case IPSECDOI_ID_IPV4_ADDR_SUBNET:
- case IPSECDOI_ID_IPV6_ADDR_SUBNET:
- case IPSECDOI_ID_IPV4_ADDR_RANGE:
- case IPSECDOI_ID_IPV6_ADDR_RANGE:
- plog(LLV_WARNING, LOCATION, NULL,
- "such ID type %s is not proper.\n",
- s_ipsecdoi_ident(id_b->type));
- /*FALLTHROUGH*/
- }
-
- /* if phase 1 ID payload conformed RFC2407 4.6.2. */
- if (id_b->type == IPSECDOI_ID_IPV4_ADDR ||
- id_b->type == IPSECDOI_ID_IPV6_ADDR) {
-
- if (id_b->proto_id == 0 && ntohs(id_b->port) != 0) {
- plog(LLV_WARNING, LOCATION, NULL,
- "protocol ID and Port mismatched. "
- "proto_id:%d port:%d\n",
- id_b->proto_id, ntohs(id_b->port));
- /*FALLTHROUGH*/
-
- } else if (id_b->proto_id == IPPROTO_UDP) {
- /*
- * copmaring with expecting port.
- * always permit if port is equal to PORT_ISAKMP
- */
- if (ntohs(id_b->port) != PORT_ISAKMP) {
- u_int16_t port;
-
- port = extract_port(iph1->remote);
- if (ntohs(id_b->port) != port) {
- plog(LLV_WARNING, LOCATION, NULL,
- "port %d expected, but %d\n",
- port, ntohs(id_b->port));
- /*FALLTHROUGH*/
- }
- }
- }
- }
-
- /* compare with the ID if specified. */
- if (genlist_next(iph1->rmconf->idvl_p, 0)) {
- vchar_t *ident0 = NULL;
- vchar_t ident;
- struct idspec *id;
- struct genlist_entry *gpb;
-
- for (id = genlist_next (iph1->rmconf->idvl_p, &gpb); id; id = genlist_next (0, &gpb)) {
- /* check the type of both IDs */
- if (id->idtype != doi2idtype(id_b->type))
- continue; /* ID type mismatch */
- if (id->id == 0)
- goto matched;
-
- /* compare defined ID with the ID sent by peer. */
- if (ident0 != NULL)
- vfree(ident0);
- ident0 = getidval(id->idtype, id->id);
-
- switch (id->idtype) {
- case IDTYPE_ASN1DN:
- ident.v = iph1->id_p->v + sizeof(*id_b);
- ident.l = iph1->id_p->l - sizeof(*id_b);
- if (eay_cmp_asn1dn(ident0, &ident) == 0)
- goto matched;
- break;
- case IDTYPE_ADDRESS:
- sa = (struct sockaddr *)ident0->v;
- sa2 = (caddr_t)(id_b + 1);
- switch (sa->sa_family) {
- case AF_INET:
- if (iph1->id_p->l - sizeof(*id_b) != sizeof(struct in_addr))
- continue; /* ID value mismatch */
- sa1 = (caddr_t)&((struct sockaddr_in *)sa)->sin_addr;
- if (memcmp(sa1, sa2, sizeof(struct in_addr)) == 0)
- goto matched;
- break;
-#ifdef INET6
- case AF_INET6:
- if (iph1->id_p->l - sizeof(*id_b) != sizeof(struct in6_addr))
- continue; /* ID value mismatch */
- sa1 = (caddr_t)&((struct sockaddr_in6 *)sa)->sin6_addr;
- if (memcmp(sa1, sa2, sizeof(struct in6_addr)) == 0)
- goto matched;
- break;
-#endif
- default:
- break;
- }
- break;
- default:
- if (memcmp(ident0->v, id_b + 1, ident0->l) == 0)
- goto matched;
- break;
- }
- }
- if (ident0 != NULL) {
- vfree(ident0);
- ident0 = NULL;
- }
- plog(LLV_WARNING, LOCATION, NULL, "No ID match.\n");
- if (iph1->rmconf->verify_identifier)
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
-matched: /* ID value match */
- if (ident0 != NULL)
- vfree(ident0);
- }
-
- return 0;
-}
-
-/*
- * create ID payload for phase 1 and set into iph1->id.
- * NOT INCLUDING isakmp general header.
- * see, RFC2407 4.6.2.1
- */
-int
-ipsecdoi_setid1(iph1)
- struct ph1handle *iph1;
-{
- vchar_t *ret = NULL;
- struct ipsecdoi_id_b id_b;
- vchar_t *ident = NULL;
- struct sockaddr *ipid = NULL;
-
- /* init */
- id_b.proto_id = 0;
- id_b.port = 0;
- ident = NULL;
-
- switch (iph1->rmconf->idvtype) {
- case IDTYPE_FQDN:
- id_b.type = IPSECDOI_ID_FQDN;
- ident = getidval(iph1->rmconf->idvtype, iph1->rmconf->idv);
- break;
- case IDTYPE_USERFQDN:
- id_b.type = IPSECDOI_ID_USER_FQDN;
- ident = getidval(iph1->rmconf->idvtype, iph1->rmconf->idv);
- break;
- case IDTYPE_KEYID:
- id_b.type = IPSECDOI_ID_KEY_ID;
- ident = getidval(iph1->rmconf->idvtype, iph1->rmconf->idv);
- break;
- case IDTYPE_ASN1DN:
- id_b.type = IPSECDOI_ID_DER_ASN1_DN;
- if (iph1->rmconf->idv) {
- /* XXX it must be encoded to asn1dn. */
- ident = vdup(iph1->rmconf->idv);
- } else {
- if (oakley_getmycert(iph1) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get own CERT.\n");
- goto err;
- }
- ident = eay_get_x509asn1subjectname(&iph1->cert->cert);
- }
- break;
- case IDTYPE_ADDRESS:
- /*
- * if the value of the id type was set by the configuration
- * file, then use it. otherwise the value is get from local
- * ip address by using ike negotiation.
- */
- if (iph1->rmconf->idv)
- ipid = (struct sockaddr *)iph1->rmconf->idv->v;
- /*FALLTHROUGH*/
- default:
- {
- int l;
- caddr_t p;
-
- if (ipid == NULL)
- ipid = iph1->local;
-
- /* use IP address */
- switch (ipid->sa_family) {
- case AF_INET:
- id_b.type = IPSECDOI_ID_IPV4_ADDR;
- l = sizeof(struct in_addr);
- p = (caddr_t)&((struct sockaddr_in *)ipid)->sin_addr;
- break;
-#ifdef INET6
- case AF_INET6:
- id_b.type = IPSECDOI_ID_IPV6_ADDR;
- l = sizeof(struct in6_addr);
- p = (caddr_t)&((struct sockaddr_in6 *)ipid)->sin6_addr;
- break;
-#endif
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid address family.\n");
- goto err;
- }
- id_b.proto_id = IPPROTO_UDP;
- id_b.port = htons(PORT_ISAKMP);
- ident = vmalloc(l);
- if (!ident) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get ID buffer.\n");
- return 0;
- }
- memcpy(ident->v, p, ident->l);
- }
- }
- if (!ident) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get ID buffer.\n");
- return 0;
- }
-
- ret = vmalloc(sizeof(id_b) + ident->l);
- if (ret == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get ID buffer.\n");
- goto err;
- }
-
- memcpy(ret->v, &id_b, sizeof(id_b));
- memcpy(ret->v + sizeof(id_b), ident->v, ident->l);
-
- iph1->id = ret;
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "use ID type of %s\n", s_ipsecdoi_ident(id_b.type));
- if (ident)
- vfree(ident);
- return 0;
-
-err:
- if (ident)
- vfree(ident);
- plog(LLV_ERROR, LOCATION, NULL, "failed get my ID\n");
- return -1;
-}
-
-static vchar_t *
-getidval(type, val)
- int type;
- vchar_t *val;
-{
- vchar_t *new = NULL;
-
- if (val)
- new = vdup(val);
- else if (lcconf->ident[type])
- new = vdup(lcconf->ident[type]);
-
- return new;
-}
-
-/* it's only called by cfparse.y. */
-int
-set_identifier(vpp, type, value)
- vchar_t **vpp, *value;
- int type;
-{
- return set_identifier_qual(vpp, type, value, IDQUAL_UNSPEC);
-}
-
-int
-set_identifier_qual(vpp, type, value, qual)
- vchar_t **vpp, *value;
- int type;
- int qual;
-{
- vchar_t *new = NULL;
-
- /* simply return if value is null. */
- if (!value){
- if( type == IDTYPE_FQDN || type == IDTYPE_USERFQDN){
- plog(LLV_ERROR, LOCATION, NULL,
- "No %s\n", type == IDTYPE_FQDN ? "fqdn":"user fqdn");
- return -1;
- }
- return 0;
- }
-
- switch (type) {
- case IDTYPE_FQDN:
- case IDTYPE_USERFQDN:
- if(value->l <= 1){
- plog(LLV_ERROR, LOCATION, NULL,
- "Empty %s\n", type == IDTYPE_FQDN ? "fqdn":"user fqdn");
- return -1;
- }
- /* length is adjusted since QUOTEDSTRING teminates NULL. */
- new = vmalloc(value->l - 1);
- if (new == NULL)
- return -1;
- memcpy(new->v, value->v, new->l);
- break;
- case IDTYPE_KEYID:
- /*
- * If no qualifier is specified: IDQUAL_UNSPEC. It means
- * to use a file for backward compatibility sake.
- */
- switch(qual) {
- case IDQUAL_FILE:
- case IDQUAL_UNSPEC: {
- FILE *fp;
- char b[512];
- int tlen, len;
-
- fp = fopen(value->v, "r");
- if (fp == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "can not open %s\n", value->v);
- return -1;
- }
- tlen = 0;
- while ((len = fread(b, 1, sizeof(b), fp)) != 0) {
- new = vrealloc(new, tlen + len);
- if (!new) {
- fclose(fp);
- return -1;
- }
- memcpy(new->v + tlen, b, len);
- tlen += len;
- }
- break;
- }
-
- case IDQUAL_TAG:
- new = vmalloc(value->l - 1);
- if (new == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "can not allocate memory");
- return -1;
- }
- memcpy(new->v, value->v, new->l);
- break;
-
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "unknown qualifier");
- return -1;
- }
- break;
-
- case IDTYPE_ADDRESS: {
- struct sockaddr *sa;
-
- /* length is adjusted since QUOTEDSTRING teminates NULL. */
- if (value->l == 0)
- break;
-
- sa = str2saddr(value->v, NULL);
- if (sa == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid ip address %s\n", value->v);
- return -1;
- }
-
- new = vmalloc(sysdep_sa_len(sa));
- if (new == NULL) {
- racoon_free(sa);
- return -1;
- }
- memcpy(new->v, sa, new->l);
- racoon_free(sa);
- break;
- }
- case IDTYPE_ASN1DN:
- if (value->v[0] == '~')
- /* Hex-encoded ASN1 strings */
- new = eay_hex2asn1dn(value->v + 1, - 1);
- else
- /* DN encoded strings */
- new = eay_str2asn1dn(value->v, value->l - 1);
-
- if (new == NULL)
- return -1;
-
- if (loglevel >= LLV_DEBUG) {
- X509_NAME *xn;
- BIO *bio;
- unsigned char *ptr = (unsigned char *) new->v, *buf;
- size_t len;
-#if defined(ANDROID_CHANGES)
- char *bio_contents;
-#else
- char save;
-#endif
-
- xn = d2i_X509_NAME(NULL, (void *)&ptr, new->l);
- bio = BIO_new(BIO_s_mem());
-
- X509_NAME_print_ex(bio, xn, 0, 0);
-#if defined(ANDROID_CHANGES)
- BIO_write(bio, "\x00", 1);
- BIO_get_mem_data(bio, &bio_contents);
- plog(LLV_DEBUG, LOCATION, NULL, "Parsed DN: %s\n", bio_contents);
-#else
- len = BIO_get_mem_data(bio, &ptr);
- save = ptr[len];
- ptr[len] = 0;
- plog(LLV_DEBUG, LOCATION, NULL, "Parsed DN: %s\n", ptr);
- ptr[len] = save;
-#endif
- X509_NAME_free(xn);
- BIO_free(bio);
- }
-
- break;
- }
-
- *vpp = new;
-
- return 0;
-}
-
-/*
- * create ID payload for phase 2, and set into iph2->id and id_p. There are
- * NOT INCLUDING isakmp general header.
- * this function is for initiator. responder will get to copy from payload.
- * responder ID type is always address type.
- * see, RFC2407 4.6.2.1
- */
-int
-ipsecdoi_setid2(iph2)
- struct ph2handle *iph2;
-{
- struct secpolicy *sp;
-
- /* check there is phase 2 handler ? */
- sp = getspbyspid(iph2->spid);
- if (sp == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "no policy found for spid:%u.\n", iph2->spid);
- return -1;
- }
-
- iph2->id = ipsecdoi_sockaddr2id((struct sockaddr *)&sp->spidx.src,
- sp->spidx.prefs, sp->spidx.ul_proto);
- if (iph2->id == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get ID for %s\n",
- spidx2str(&sp->spidx));
- return -1;
- }
- plog(LLV_DEBUG, LOCATION, NULL, "use local ID type %s\n",
- s_ipsecdoi_ident(((struct ipsecdoi_id_b *)iph2->id->v)->type));
-
- /* remote side */
- iph2->id_p = ipsecdoi_sockaddr2id((struct sockaddr *)&sp->spidx.dst,
- sp->spidx.prefd, sp->spidx.ul_proto);
- if (iph2->id_p == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get ID for %s\n",
- spidx2str(&sp->spidx));
- VPTRINIT(iph2->id);
- return -1;
- }
- plog(LLV_DEBUG, LOCATION, NULL,
- "use remote ID type %s\n",
- s_ipsecdoi_ident(((struct ipsecdoi_id_b *)iph2->id_p->v)->type));
-
- return 0;
-}
-
-/*
- * set address type of ID.
- * NOT INCLUDING general header.
- */
-vchar_t *
-ipsecdoi_sockaddr2id(saddr, prefixlen, ul_proto)
- struct sockaddr *saddr;
- u_int prefixlen;
- u_int ul_proto;
-{
- vchar_t *new;
- int type, len1, len2;
- caddr_t sa;
- u_short port;
-
- /*
- * Q. When type is SUBNET, is it allowed to be ::1/128.
- * A. Yes. (consensus at bake-off)
- */
- switch (saddr->sa_family) {
- case AF_INET:
- len1 = sizeof(struct in_addr);
- if (prefixlen == (sizeof(struct in_addr) << 3)) {
- type = IPSECDOI_ID_IPV4_ADDR;
- len2 = 0;
- } else {
- type = IPSECDOI_ID_IPV4_ADDR_SUBNET;
- len2 = sizeof(struct in_addr);
- }
- sa = (caddr_t)&((struct sockaddr_in *)(saddr))->sin_addr;
- port = ((struct sockaddr_in *)(saddr))->sin_port;
- break;
-#ifdef INET6
- case AF_INET6:
- len1 = sizeof(struct in6_addr);
- if (prefixlen == (sizeof(struct in6_addr) << 3)) {
- type = IPSECDOI_ID_IPV6_ADDR;
- len2 = 0;
- } else {
- type = IPSECDOI_ID_IPV6_ADDR_SUBNET;
- len2 = sizeof(struct in6_addr);
- }
- sa = (caddr_t)&((struct sockaddr_in6 *)(saddr))->sin6_addr;
- port = ((struct sockaddr_in6 *)(saddr))->sin6_port;
- break;
-#endif
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid family: %d.\n", saddr->sa_family);
- return NULL;
- }
-
- /* get ID buffer */
- new = vmalloc(sizeof(struct ipsecdoi_id_b) + len1 + len2);
- if (new == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get ID buffer.\n");
- return NULL;
- }
-
- memset(new->v, 0, new->l);
-
- /* set the part of header. */
- ((struct ipsecdoi_id_b *)new->v)->type = type;
-
- /* set ul_proto and port */
- /*
- * NOTE: we use both IPSEC_ULPROTO_ANY and IPSEC_PORT_ANY as wild card
- * because 0 means port number of 0. Instead of 0, we use IPSEC_*_ANY.
- */
- ((struct ipsecdoi_id_b *)new->v)->proto_id =
- ul_proto == IPSEC_ULPROTO_ANY ? 0 : ul_proto;
- ((struct ipsecdoi_id_b *)new->v)->port =
- port == IPSEC_PORT_ANY ? 0 : port;
- memcpy(new->v + sizeof(struct ipsecdoi_id_b), sa, len1);
-
- /* set address */
-
- /* set prefix */
- if (len2) {
- u_char *p = (unsigned char *) new->v +
- sizeof(struct ipsecdoi_id_b) + len1;
- u_int bits = prefixlen;
-
- while (bits >= 8) {
- *p++ = 0xff;
- bits -= 8;
- }
-
- if (bits > 0)
- *p = ~((1 << (8 - bits)) - 1);
- }
-
- return new;
-}
-
-vchar_t *
-ipsecdoi_sockrange2id(laddr, haddr, ul_proto)
- struct sockaddr *laddr, *haddr;
- u_int ul_proto;
-{
- vchar_t *new;
- int type, len1, len2;
- u_short port;
-
- if (laddr->sa_family != haddr->sa_family) {
- plog(LLV_ERROR, LOCATION, NULL, "Address family mismatch\n");
- return NULL;
- }
-
- switch (laddr->sa_family) {
- case AF_INET:
- type = IPSECDOI_ID_IPV4_ADDR_RANGE;
- len1 = sizeof(struct in_addr);
- len2 = sizeof(struct in_addr);
- break;
-#ifdef INET6
- case AF_INET6:
- type = IPSECDOI_ID_IPV6_ADDR_RANGE;
- len1 = sizeof(struct in6_addr);
- len2 = sizeof(struct in6_addr);
- break;
-#endif
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid family: %d.\n", laddr->sa_family);
- return NULL;
- }
-
- /* get ID buffer */
- new = vmalloc(sizeof(struct ipsecdoi_id_b) + len1 + len2);
- if (new == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get ID buffer.\n");
- return NULL;
- }
-
- memset(new->v, 0, new->l);
- /* set the part of header. */
- ((struct ipsecdoi_id_b *)new->v)->type = type;
-
- /* set ul_proto and port */
- /*
- * NOTE: we use both IPSEC_ULPROTO_ANY and IPSEC_PORT_ANY as wild card
- * because 0 means port number of 0. Instead of 0, we use IPSEC_*_ANY.
- */
- ((struct ipsecdoi_id_b *)new->v)->proto_id =
- ul_proto == IPSEC_ULPROTO_ANY ? 0 : ul_proto;
- port = ((struct sockaddr_in *)(laddr))->sin_port;
- ((struct ipsecdoi_id_b *)new->v)->port =
- port == IPSEC_PORT_ANY ? 0 : port;
- memcpy(new->v + sizeof(struct ipsecdoi_id_b),
- (caddr_t)&((struct sockaddr_in *)(laddr))->sin_addr,
- len1);
- memcpy(new->v + sizeof(struct ipsecdoi_id_b) + len1,
- (caddr_t)&((struct sockaddr_in *)haddr)->sin_addr,
- len2);
- return new;
-}
-
-
-/*
- * create sockaddr structure from ID payload (buf).
- * buffers (saddr, prefixlen, ul_proto) must be allocated.
- * see, RFC2407 4.6.2.1
- */
-int
-ipsecdoi_id2sockaddr(buf, saddr, prefixlen, ul_proto)
- vchar_t *buf;
- struct sockaddr *saddr;
- u_int8_t *prefixlen;
- u_int16_t *ul_proto;
-{
- struct ipsecdoi_id_b *id_b = (struct ipsecdoi_id_b *)buf->v;
- u_int plen = 0;
-
- /*
- * When a ID payload of subnet type with a IP address of full bit
- * masked, it has to be processed as host address.
- * e.g. below 2 type are same.
- * type = ipv6 subnet, data = 2001::1/128
- * type = ipv6 address, data = 2001::1
- */
- switch (id_b->type) {
- case IPSECDOI_ID_IPV4_ADDR:
- case IPSECDOI_ID_IPV4_ADDR_SUBNET:
-#ifndef __linux__
- saddr->sa_len = sizeof(struct sockaddr_in);
-#endif
- saddr->sa_family = AF_INET;
- ((struct sockaddr_in *)saddr)->sin_port =
- (id_b->port == 0
- ? IPSEC_PORT_ANY
- : id_b->port); /* see sockaddr2id() */
- memcpy(&((struct sockaddr_in *)saddr)->sin_addr,
- buf->v + sizeof(*id_b), sizeof(struct in_addr));
- break;
-#ifdef INET6
- case IPSECDOI_ID_IPV6_ADDR:
- case IPSECDOI_ID_IPV6_ADDR_SUBNET:
-#ifndef __linux__
- saddr->sa_len = sizeof(struct sockaddr_in6);
-#endif
- saddr->sa_family = AF_INET6;
- ((struct sockaddr_in6 *)saddr)->sin6_port =
- (id_b->port == 0
- ? IPSEC_PORT_ANY
- : id_b->port); /* see sockaddr2id() */
- memcpy(&((struct sockaddr_in6 *)saddr)->sin6_addr,
- buf->v + sizeof(*id_b), sizeof(struct in6_addr));
- break;
-#endif
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "unsupported ID type %d\n", id_b->type);
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
- }
-
- /* get prefix length */
- switch (id_b->type) {
- case IPSECDOI_ID_IPV4_ADDR:
- plen = sizeof(struct in_addr) << 3;
- break;
-#ifdef INET6
- case IPSECDOI_ID_IPV6_ADDR:
- plen = sizeof(struct in6_addr) << 3;
- break;
-#endif
- case IPSECDOI_ID_IPV4_ADDR_SUBNET:
-#ifdef INET6
- case IPSECDOI_ID_IPV6_ADDR_SUBNET:
-#endif
- {
- u_char *p;
- u_int max;
- int alen = sizeof(struct in_addr);
-
- switch (id_b->type) {
- case IPSECDOI_ID_IPV4_ADDR_SUBNET:
- alen = sizeof(struct in_addr);
- break;
-#ifdef INET6
- case IPSECDOI_ID_IPV6_ADDR_SUBNET:
- alen = sizeof(struct in6_addr);
- break;
-#endif
- }
-
- /* sanity check */
- if (buf->l < alen)
- return ISAKMP_INTERNAL_ERROR;
-
- /* get subnet mask length */
- plen = 0;
- max = alen <<3;
-
- p = (unsigned char *) buf->v
- + sizeof(struct ipsecdoi_id_b)
- + alen;
-
- for (; *p == 0xff; p++) {
- plen += 8;
- if (plen >= max)
- break;
- }
-
- if (plen < max) {
- u_int l = 0;
- u_char b = ~(*p);
-
- while (b) {
- b >>= 1;
- l++;
- }
-
- l = 8 - l;
- plen += l;
- }
- }
- break;
- }
-
- *prefixlen = plen;
- *ul_proto = id_b->proto_id == 0
- ? IPSEC_ULPROTO_ANY
- : id_b->proto_id; /* see sockaddr2id() */
-
- return 0;
-}
-
-/*
- * make printable string from ID payload except of general header.
- */
-char *
-ipsecdoi_id2str(id)
- const vchar_t *id;
-{
-#define BUFLEN 512
- char * ret = NULL;
- int len = 0;
- char *dat;
- static char buf[BUFLEN];
- struct ipsecdoi_id_b *id_b = (struct ipsecdoi_id_b *)id->v;
- struct sockaddr_storage saddr_storage;
- struct sockaddr *saddr;
- struct sockaddr_in *saddr_in;
- struct sockaddr_in6 *saddr_in6;
- u_int plen = 0;
-
- saddr = (struct sockaddr *)&saddr_storage;
- saddr_in = (struct sockaddr_in *)&saddr_storage;
- saddr_in6 = (struct sockaddr_in6 *)&saddr_storage;
-
-
- switch (id_b->type) {
- case IPSECDOI_ID_IPV4_ADDR:
- case IPSECDOI_ID_IPV4_ADDR_SUBNET:
- case IPSECDOI_ID_IPV4_ADDR_RANGE:
-
-#ifndef __linux__
- saddr->sa_len = sizeof(struct sockaddr_in);
-#endif
- saddr->sa_family = AF_INET;
-
- saddr_in->sin_port = IPSEC_PORT_ANY;
- memcpy(&saddr_in->sin_addr,
- id->v + sizeof(*id_b), sizeof(struct in_addr));
- break;
-#ifdef INET6
- case IPSECDOI_ID_IPV6_ADDR:
- case IPSECDOI_ID_IPV6_ADDR_SUBNET:
- case IPSECDOI_ID_IPV6_ADDR_RANGE:
-
-#ifndef __linux__
- saddr->sa_len = sizeof(struct sockaddr_in6);
-#endif
- saddr->sa_family = AF_INET6;
-
- saddr_in6->sin6_port = IPSEC_PORT_ANY;
- memcpy(&saddr_in6->sin6_addr,
- id->v + sizeof(*id_b), sizeof(struct in6_addr));
- saddr_in6->sin6_scope_id =
- (IN6_IS_ADDR_LINKLOCAL(&saddr_in6->sin6_addr)
- ? ((struct sockaddr_in6 *)id_b)->sin6_scope_id
- : 0);
- break;
-#endif
- }
-
- switch (id_b->type) {
- case IPSECDOI_ID_IPV4_ADDR:
-#ifdef INET6
- case IPSECDOI_ID_IPV6_ADDR:
-#endif
- len = snprintf( buf, BUFLEN, "%s", saddrwop2str(saddr));
- break;
-
- case IPSECDOI_ID_IPV4_ADDR_SUBNET:
-#ifdef INET6
- case IPSECDOI_ID_IPV6_ADDR_SUBNET:
-#endif
- {
- u_char *p;
- u_int max;
- int alen = sizeof(struct in_addr);
-
- switch (id_b->type) {
- case IPSECDOI_ID_IPV4_ADDR_SUBNET:
- alen = sizeof(struct in_addr);
- break;
-#ifdef INET6
- case IPSECDOI_ID_IPV6_ADDR_SUBNET:
- alen = sizeof(struct in6_addr);
- break;
-#endif
- }
-
- /* sanity check */
- if (id->l < alen) {
- len = 0;
- break;
- }
-
- /* get subnet mask length */
- plen = 0;
- max = alen <<3;
-
- p = (unsigned char *) id->v
- + sizeof(struct ipsecdoi_id_b)
- + alen;
-
- for (; *p == 0xff; p++) {
- plen += 8;
- if (plen >= max)
- break;
- }
-
- if (plen < max) {
- u_int l = 0;
- u_char b = ~(*p);
-
- while (b) {
- b >>= 1;
- l++;
- }
-
- l = 8 - l;
- plen += l;
- }
-
- len = snprintf( buf, BUFLEN, "%s/%i", saddrwop2str(saddr), plen);
- }
- break;
-
- case IPSECDOI_ID_IPV4_ADDR_RANGE:
-
- len = snprintf( buf, BUFLEN, "%s-", saddrwop2str(saddr));
-
-#ifndef __linux__
- saddr->sa_len = sizeof(struct sockaddr_in);
-#endif
- saddr->sa_family = AF_INET;
- saddr_in->sin_port = IPSEC_PORT_ANY;
- memcpy(&saddr_in->sin_addr,
- id->v + sizeof(*id_b) + sizeof(struct in_addr),
- sizeof(struct in_addr));
-
- len += snprintf( buf + len, BUFLEN - len, "%s", saddrwop2str(saddr));
-
- break;
-
-#ifdef INET6
- case IPSECDOI_ID_IPV6_ADDR_RANGE:
-
- len = snprintf( buf, BUFLEN, "%s-", saddrwop2str(saddr));
-
-#ifndef __linux__
- saddr->sa_len = sizeof(struct sockaddr_in6);
-#endif
- saddr->sa_family = AF_INET6;
- saddr_in6->sin6_port = IPSEC_PORT_ANY;
- memcpy(&saddr_in6->sin6_addr,
- id->v + sizeof(*id_b) + sizeof(struct in6_addr),
- sizeof(struct in6_addr));
- saddr_in6->sin6_scope_id =
- (IN6_IS_ADDR_LINKLOCAL(&saddr_in6->sin6_addr)
- ? ((struct sockaddr_in6 *)id_b)->sin6_scope_id
- : 0);
-
- len += snprintf( buf + len, BUFLEN - len, "%s", saddrwop2str(saddr));
-
- break;
-#endif
-
- case IPSECDOI_ID_FQDN:
- case IPSECDOI_ID_USER_FQDN:
- len = id->l - sizeof(*id_b);
- if (len > BUFLEN)
- len = BUFLEN;
- memcpy(buf, id->v + sizeof(*id_b), len);
- break;
-
- case IPSECDOI_ID_DER_ASN1_DN:
- case IPSECDOI_ID_DER_ASN1_GN:
- {
- X509_NAME *xn = NULL;
-
- dat = id->v + sizeof(*id_b);
- len = id->l - sizeof(*id_b);
-
- if (d2i_X509_NAME(&xn, (void*) &dat, len) != NULL) {
- BIO *bio = BIO_new(BIO_s_mem());
- X509_NAME_print_ex(bio, xn, 0, 0);
- len = BIO_get_mem_data(bio, &dat);
- if (len > BUFLEN)
- len = BUFLEN;
- memcpy(buf,dat,len);
- BIO_free(bio);
- X509_NAME_free(xn);
- } else {
- plog(LLV_ERROR, LOCATION, NULL,
- "unable to extract asn1dn from id\n");
-
- len = sprintf(buf, "<ASN1-DN>");
- }
-
- break;
- }
-
- /* currently unhandled id types */
- case IPSECDOI_ID_KEY_ID:
- len = sprintf( buf, "<KEY-ID>");
- break;
-
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "unknown ID type %d\n", id_b->type);
- }
-
- if (!len)
- len = sprintf( buf, "<?>");
-
- ret = racoon_malloc(len+1);
- if (ret != NULL) {
- memcpy(ret,buf,len);
- ret[len]=0;
- }
-
- return ret;
-}
-
-/*
- * set IPsec data attributes into a proposal.
- * NOTE: MUST called per a transform.
- */
-int
-ipsecdoi_t2satrns(t, pp, pr, tr)
- struct isakmp_pl_t *t;
- struct saprop *pp;
- struct saproto *pr;
- struct satrns *tr;
-{
- struct isakmp_data *d, *prev;
- int flag, type;
- int error = -1;
- int life_t;
- int tlen;
-
- tr->trns_no = t->t_no;
- tr->trns_id = t->t_id;
-
- tlen = ntohs(t->h.len) - sizeof(*t);
- prev = (struct isakmp_data *)NULL;
- d = (struct isakmp_data *)(t + 1);
-
- /* default */
- life_t = IPSECDOI_ATTR_SA_LD_TYPE_DEFAULT;
- pp->lifetime = IPSECDOI_ATTR_SA_LD_SEC_DEFAULT;
- pp->lifebyte = 0;
- tr->authtype = IPSECDOI_ATTR_AUTH_NONE;
-
- while (tlen > 0) {
-
- type = ntohs(d->type) & ~ISAKMP_GEN_MASK;
- flag = ntohs(d->type) & ISAKMP_GEN_MASK;
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "type=%s, flag=0x%04x, lorv=%s\n",
- s_ipsecdoi_attr(type), flag,
- s_ipsecdoi_attr_v(type, ntohs(d->lorv)));
-
- switch (type) {
- case IPSECDOI_ATTR_SA_LD_TYPE:
- {
- int type = ntohs(d->lorv);
- switch (type) {
- case IPSECDOI_ATTR_SA_LD_TYPE_SEC:
- case IPSECDOI_ATTR_SA_LD_TYPE_KB:
- life_t = type;
- break;
- default:
- plog(LLV_WARNING, LOCATION, NULL,
- "invalid life duration type. "
- "use default\n");
- life_t = IPSECDOI_ATTR_SA_LD_TYPE_DEFAULT;
- break;
- }
- break;
- }
- case IPSECDOI_ATTR_SA_LD:
- if (prev == NULL
- || (ntohs(prev->type) & ~ISAKMP_GEN_MASK) !=
- IPSECDOI_ATTR_SA_LD_TYPE) {
- plog(LLV_ERROR, LOCATION, NULL,
- "life duration must follow ltype\n");
- break;
- }
-
- {
- u_int32_t t;
- vchar_t *ld_buf = NULL;
-
- if (flag) {
- /* i.e. ISAKMP_GEN_TV */
- ld_buf = vmalloc(sizeof(d->lorv));
- if (ld_buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get LD buffer.\n");
- goto end;
- }
- memcpy(ld_buf->v, &d->lorv, sizeof(d->lorv));
- } else {
- int len = ntohs(d->lorv);
- /* i.e. ISAKMP_GEN_TLV */
- ld_buf = vmalloc(len);
- if (ld_buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get LD buffer.\n");
- goto end;
- }
- memcpy(ld_buf->v, d + 1, len);
- }
- switch (life_t) {
- case IPSECDOI_ATTR_SA_LD_TYPE_SEC:
- t = ipsecdoi_set_ld(ld_buf);
- vfree(ld_buf);
- if (t == 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid life duration.\n");
- goto end;
- }
- /* lifetime must be equal in a proposal. */
- if (pp->lifetime == IPSECDOI_ATTR_SA_LD_SEC_DEFAULT)
- pp->lifetime = t;
- else if (pp->lifetime != t) {
- plog(LLV_ERROR, LOCATION, NULL,
- "lifetime mismatched "
- "in a proposal, "
- "prev:%ld curr:%u.\n",
- (long)pp->lifetime, t);
- goto end;
- }
- break;
- case IPSECDOI_ATTR_SA_LD_TYPE_KB:
- t = ipsecdoi_set_ld(ld_buf);
- vfree(ld_buf);
- if (t == 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid life duration.\n");
- goto end;
- }
- /* lifebyte must be equal in a proposal. */
- if (pp->lifebyte == 0)
- pp->lifebyte = t;
- else if (pp->lifebyte != t) {
- plog(LLV_ERROR, LOCATION, NULL,
- "lifebyte mismatched "
- "in a proposal, "
- "prev:%d curr:%u.\n",
- pp->lifebyte, t);
- goto end;
- }
- break;
- default:
- vfree(ld_buf);
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid life type: %d\n", life_t);
- goto end;
- }
- }
- break;
-
- case IPSECDOI_ATTR_GRP_DESC:
- /*
- * RFC2407: 4.5 IPSEC Security Association Attributes
- * Specifies the Oakley Group to be used in a PFS QM
- * negotiation. For a list of supported values, see
- * Appendix A of [IKE].
- */
- if (pp->pfs_group == 0)
- pp->pfs_group = (u_int16_t)ntohs(d->lorv);
- else if (pp->pfs_group != (u_int16_t)ntohs(d->lorv)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "pfs_group mismatched "
- "in a proposal.\n");
- goto end;
- }
- break;
-
- case IPSECDOI_ATTR_ENC_MODE:
- if (pr->encmode &&
- pr->encmode != (u_int16_t)ntohs(d->lorv)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "multiple encmode exist "
- "in a transform.\n");
- goto end;
- }
- pr->encmode = (u_int16_t)ntohs(d->lorv);
- break;
-
- case IPSECDOI_ATTR_AUTH:
- if (tr->authtype != IPSECDOI_ATTR_AUTH_NONE) {
- plog(LLV_ERROR, LOCATION, NULL,
- "multiple authtype exist "
- "in a transform.\n");
- goto end;
- }
- tr->authtype = (u_int16_t)ntohs(d->lorv);
- break;
-
- case IPSECDOI_ATTR_KEY_LENGTH:
- if (pr->proto_id != IPSECDOI_PROTO_IPSEC_ESP) {
- plog(LLV_ERROR, LOCATION, NULL,
- "key length defined but not ESP");
- goto end;
- }
- tr->encklen = ntohs(d->lorv);
- break;
-#ifdef HAVE_SECCTX
- case IPSECDOI_ATTR_SECCTX:
- {
- int len = ntohs(d->lorv);
- memcpy(&pp->sctx, d + 1, len);
- pp->sctx.ctx_strlen = ntohs(pp->sctx.ctx_strlen);
- break;
- }
-#endif /* HAVE_SECCTX */
- case IPSECDOI_ATTR_KEY_ROUNDS:
- case IPSECDOI_ATTR_COMP_DICT_SIZE:
- case IPSECDOI_ATTR_COMP_PRIVALG:
- default:
- break;
- }
-
- prev = d;
- if (flag) {
- tlen -= sizeof(*d);
- d = (struct isakmp_data *)((char *)d + sizeof(*d));
- } else {
- tlen -= (sizeof(*d) + ntohs(d->lorv));
- d = (struct isakmp_data *)((caddr_t)d + sizeof(*d) + ntohs(d->lorv));
- }
- }
-
- error = 0;
-end:
- return error;
-}
-
-int
-ipsecdoi_authalg2trnsid(alg)
- int alg;
-{
- switch (alg) {
- case IPSECDOI_ATTR_AUTH_HMAC_MD5:
- return IPSECDOI_AH_MD5;
- case IPSECDOI_ATTR_AUTH_HMAC_SHA1:
- return IPSECDOI_AH_SHA;
- case IPSECDOI_ATTR_AUTH_HMAC_SHA2_256:
- return IPSECDOI_AH_SHA256;
- case IPSECDOI_ATTR_AUTH_HMAC_SHA2_384:
- return IPSECDOI_AH_SHA384;
- case IPSECDOI_ATTR_AUTH_HMAC_SHA2_512:
- return IPSECDOI_AH_SHA512;
- case IPSECDOI_ATTR_AUTH_DES_MAC:
- return IPSECDOI_AH_DES;
- case IPSECDOI_ATTR_AUTH_KPDK:
- return IPSECDOI_AH_MD5; /* XXX */
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid authentication algorithm:%d\n", alg);
- }
- return -1;
-}
-
-#ifdef HAVE_GSSAPI
-struct isakmpsa *
-fixup_initiator_sa(match, received)
- struct isakmpsa *match, *received;
-{
- if (received->gssid != NULL)
- match->gssid = vdup(received->gssid);
-
- return match;
-}
-#endif
-
-static int rm_idtype2doi[] = {
- 255, /* IDTYPE_UNDEFINED, 0 */
- IPSECDOI_ID_FQDN, /* IDTYPE_FQDN, 1 */
- IPSECDOI_ID_USER_FQDN, /* IDTYPE_USERFQDN, 2 */
- IPSECDOI_ID_KEY_ID, /* IDTYPE_KEYID, 3 */
- 255, /* IDTYPE_ADDRESS, 4
- * it expands into 4 types by another function. */
- IPSECDOI_ID_DER_ASN1_DN, /* IDTYPE_ASN1DN, 5 */
-};
-
-/*
- * convert idtype to DOI value.
- * OUT 255 : NG
- * other: converted.
- */
-int
-idtype2doi(idtype)
- int idtype;
-{
- if (ARRAYLEN(rm_idtype2doi) > idtype)
- return rm_idtype2doi[idtype];
- return 255;
-}
-
-int
-doi2idtype(doi)
- int doi;
-{
- switch(doi) {
- case IPSECDOI_ID_FQDN:
- return(IDTYPE_FQDN);
- case IPSECDOI_ID_USER_FQDN:
- return(IDTYPE_USERFQDN);
- case IPSECDOI_ID_KEY_ID:
- return(IDTYPE_KEYID);
- case IPSECDOI_ID_DER_ASN1_DN:
- return(IDTYPE_ASN1DN);
- case IPSECDOI_ID_IPV4_ADDR:
- case IPSECDOI_ID_IPV4_ADDR_SUBNET:
- case IPSECDOI_ID_IPV6_ADDR:
- case IPSECDOI_ID_IPV6_ADDR_SUBNET:
- return(IDTYPE_ADDRESS);
- default:
- plog(LLV_WARNING, LOCATION, NULL,
- "Inproper idtype:%s in this function.\n",
- s_ipsecdoi_ident(doi));
- return(IDTYPE_ADDRESS); /* XXX */
- }
- /*NOTREACHED*/
-}
-
-#ifdef ENABLE_HYBRID
-static int
-switch_authmethod(authmethod)
- int authmethod;
-{
- switch(authmethod) {
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
- authmethod = OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I;
- break;
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
- authmethod = OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I;
- break;
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
- authmethod = OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I;
- break;
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
- authmethod = OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I;
- break;
- /* Those are not implemented */
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
- authmethod = OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I;
- break;
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
- authmethod = OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I;
- break;
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
- authmethod = OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I;
- break;
- default:
- break;
- }
-
- return authmethod;
-}
-#endif
diff --git a/src/racoon/ipsec_doi.h b/src/racoon/ipsec_doi.h
deleted file mode 100644
index 21dd93d..0000000
--- a/src/racoon/ipsec_doi.h
+++ /dev/null
@@ -1,243 +0,0 @@
-/* $NetBSD: ipsec_doi.h,v 1.9 2006/12/09 05:52:57 manu Exp $ */
-
-/* Id: ipsec_doi.h,v 1.15 2006/08/11 16:06:30 vanhu Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _IPSEC_DOI_H
-#define _IPSEC_DOI_H
-
-/* refered to RFC2407 */
-
-#define IPSEC_DOI 1
-
-/* 4.2 IPSEC Situation Definition */
-#define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001
-#define IPSECDOI_SIT_SECRECY 0x00000002
-#define IPSECDOI_SIT_INTEGRITY 0x00000004
-
-/* 4.4.1 IPSEC Security Protocol Identifiers */
- /* 4.4.2 IPSEC ISAKMP Transform Values */
-#define IPSECDOI_PROTO_ISAKMP 1
-#define IPSECDOI_KEY_IKE 1
-
-/* 4.4.1 IPSEC Security Protocol Identifiers */
-#define IPSECDOI_PROTO_IPSEC_AH 2
- /* 4.4.3 IPSEC AH Transform Values */
-#define IPSECDOI_AH_MD5 2
-#define IPSECDOI_AH_SHA 3
-#define IPSECDOI_AH_DES 4
-#define IPSECDOI_AH_SHA256 5
-#define IPSECDOI_AH_SHA384 6
-#define IPSECDOI_AH_SHA512 7
-
-/* 4.4.1 IPSEC Security Protocol Identifiers */
-#define IPSECDOI_PROTO_IPSEC_ESP 3
- /* 4.4.4 IPSEC ESP Transform Identifiers */
-#define IPSECDOI_ESP_DES_IV64 1
-#define IPSECDOI_ESP_DES 2
-#define IPSECDOI_ESP_3DES 3
-#define IPSECDOI_ESP_RC5 4
-#define IPSECDOI_ESP_IDEA 5
-#define IPSECDOI_ESP_CAST 6
-#define IPSECDOI_ESP_BLOWFISH 7
-#define IPSECDOI_ESP_3IDEA 8
-#define IPSECDOI_ESP_DES_IV32 9
-#define IPSECDOI_ESP_RC4 10
-#define IPSECDOI_ESP_NULL 11
-#define IPSECDOI_ESP_AES 12
-#define IPSECDOI_ESP_CAMELLIA 22
-#if 1
- /* draft-ietf-ipsec-ciph-aes-cbc-00.txt */
-#define IPSECDOI_ESP_TWOFISH 253
-#else
- /* SSH uses these value for now */
-#define IPSECDOI_ESP_TWOFISH 250
-#endif
-
-/* 4.4.1 IPSEC Security Protocol Identifiers */
-#define IPSECDOI_PROTO_IPCOMP 4
- /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
-#define IPSECDOI_IPCOMP_OUI 1
-#define IPSECDOI_IPCOMP_DEFLATE 2
-#define IPSECDOI_IPCOMP_LZS 3
-
-/* 4.5 IPSEC Security Association Attributes */
-/* NOTE: default value is not included in a packet. */
-#define IPSECDOI_ATTR_SA_LD_TYPE 1 /* B */
-#define IPSECDOI_ATTR_SA_LD_TYPE_DEFAULT 1
-#define IPSECDOI_ATTR_SA_LD_TYPE_SEC 1
-#define IPSECDOI_ATTR_SA_LD_TYPE_KB 2
-#define IPSECDOI_ATTR_SA_LD_TYPE_MAX 3
-#define IPSECDOI_ATTR_SA_LD 2 /* V */
-#define IPSECDOI_ATTR_SA_LD_SEC_DEFAULT 28800 /* 8 hours */
-#define IPSECDOI_ATTR_SA_LD_KB_MAX (~(1 << ((sizeof(int) << 3) - 1)))
-#define IPSECDOI_ATTR_GRP_DESC 3 /* B */
-#define IPSECDOI_ATTR_ENC_MODE 4 /* B */
- /* default value: host dependent */
-#define IPSECDOI_ATTR_ENC_MODE_ANY 0 /* NOTE:internal use */
-#define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1
-#define IPSECDOI_ATTR_ENC_MODE_TRNS 2
-
-/* NAT-T draft-ietf-ipsec-nat-t-ike-05 and later */
-#define IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC 3
-#define IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC 4
-
-/* NAT-T up to draft-ietf-ipsec-nat-t-ike-04 */
-#define IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT 61443
-#define IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT 61444
-
-#define IPSECDOI_ATTR_AUTH 5 /* B */
- /* 0 means not to use authentication. */
-#define IPSECDOI_ATTR_AUTH_HMAC_MD5 1
-#define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2
-#define IPSECDOI_ATTR_AUTH_DES_MAC 3
-#define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/
-#define IPSECDOI_ATTR_AUTH_HMAC_SHA2_256 5
-#define IPSECDOI_ATTR_AUTH_HMAC_SHA2_384 6
-#define IPSECDOI_ATTR_AUTH_HMAC_SHA2_512 7
-#define IPSECDOI_ATTR_AUTH_NONE 254 /* NOTE:internal use */
- /*
- * When negotiating ESP without authentication, the Auth
- * Algorithm attribute MUST NOT be included in the proposal.
- * When negotiating ESP without confidentiality, the Auth
- * Algorithm attribute MUST be included in the proposal and
- * the ESP transform ID must be ESP_NULL.
- */
-#define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */
-#define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */
-#define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */
-#define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */
-
-#ifdef HAVE_SECCTX
-#define IPSECDOI_ATTR_SECCTX 10 /* V */
-#endif
-
-/* 4.6.1 Security Association Payload */
-struct ipsecdoi_pl_sa {
- struct isakmp_gen h;
- struct ipsecdoi_sa_b {
- u_int32_t doi; /* Domain of Interpretation */
- u_int32_t sit; /* Situation */
- } b;
- /* followed by Leveled Domain Identifier and so on. */
-} __attribute__((__packed__));
-
-struct ipsecdoi_secrecy_h {
- u_int16_t len;
- u_int16_t reserved;
- /* followed by the value */
-} __attribute__((__packed__));
-
-/* 4.6.2 Identification Payload Content */
-struct ipsecdoi_pl_id {
- struct isakmp_gen h;
- struct ipsecdoi_id_b {
- u_int8_t type; /* ID Type */
- u_int8_t proto_id; /* Protocol ID */
- u_int16_t port; /* Port */
- } b;
- /* followed by Identification Data */
-} __attribute__((__packed__));
-
-#define IPSECDOI_ID_IPV4_ADDR 1
-#define IPSECDOI_ID_FQDN 2
-#define IPSECDOI_ID_USER_FQDN 3
-#define IPSECDOI_ID_IPV4_ADDR_SUBNET 4
-#define IPSECDOI_ID_IPV6_ADDR 5
-#define IPSECDOI_ID_IPV6_ADDR_SUBNET 6
-#define IPSECDOI_ID_IPV4_ADDR_RANGE 7
-#define IPSECDOI_ID_IPV6_ADDR_RANGE 8
-#define IPSECDOI_ID_DER_ASN1_DN 9
-#define IPSECDOI_ID_DER_ASN1_GN 10
-#define IPSECDOI_ID_KEY_ID 11
-
-/* compressing doi type, it's internal use. */
-#define IDTYPE_UNDEFINED 0
-#define IDTYPE_FQDN 1
-#define IDTYPE_USERFQDN 2
-#define IDTYPE_KEYID 3
-#define IDTYPE_ADDRESS 4
-#define IDTYPE_ASN1DN 5
-#define IDTYPE_SUBNET 6
-
-/* qualifiers for KEYID (and maybe others) */
-#define IDQUAL_UNSPEC 0
-#define IDQUAL_FILE 1
-#define IDQUAL_TAG 2
-
-/* The use for checking proposal payload. This is not exchange type. */
-#define IPSECDOI_TYPE_PH1 0
-#define IPSECDOI_TYPE_PH2 1
-
-struct isakmpsa;
-struct ipsecdoi_pl_sa;
-struct saprop;
-struct saproto;
-struct satrns;
-struct prop_pair;
-
-extern int ipsecdoi_checkph1proposal __P((vchar_t *, struct ph1handle *));
-extern int ipsecdoi_selectph2proposal __P((struct ph2handle *));
-extern int ipsecdoi_checkph2proposal __P((struct ph2handle *));
-
-extern struct prop_pair **get_proppair __P((vchar_t *, int));
-extern vchar_t *get_sabyproppair __P((struct prop_pair *, struct ph1handle *));
-extern int ipsecdoi_updatespi __P((struct ph2handle *iph2));
-extern vchar_t *get_sabysaprop __P((struct saprop *, vchar_t *));
-extern int ipsecdoi_chkcmpids( const vchar_t *, const vchar_t *, int );
-extern int ipsecdoi_checkid1 __P((struct ph1handle *));
-extern int ipsecdoi_setid1 __P((struct ph1handle *));
-extern int set_identifier __P((vchar_t **, int, vchar_t *));
-extern int set_identifier_qual __P((vchar_t **, int, vchar_t *, int));
-extern int ipsecdoi_setid2 __P((struct ph2handle *));
-extern vchar_t *ipsecdoi_sockaddr2id __P((struct sockaddr *, u_int, u_int));
-extern int ipsecdoi_id2sockaddr __P((vchar_t *, struct sockaddr *,
- u_int8_t *, u_int16_t *));
-extern char *ipsecdoi_id2str __P((const vchar_t *));
-extern vchar_t *ipsecdoi_sockrange2id __P(( struct sockaddr *,
- struct sockaddr *, u_int));
-
-extern vchar_t *ipsecdoi_setph1proposal __P((struct isakmpsa *));
-extern int ipsecdoi_setph2proposal __P((struct ph2handle *));
-extern int ipsecdoi_transportmode __P((struct saprop *));
-extern int ipsecdoi_get_defaultlifetime __P((void));
-extern int ipsecdoi_checkalgtypes __P((int, int, int, int));
-extern int ipproto2doi __P((int));
-extern int doi2ipproto __P((int));
-
-extern int ipsecdoi_t2satrns __P((struct isakmp_pl_t *,
- struct saprop *, struct saproto *, struct satrns *));
-extern int ipsecdoi_authalg2trnsid __P((int));
-extern int idtype2doi __P((int));
-extern int doi2idtype __P((int));
-
-
-#endif /* _IPSEC_DOI_H */
diff --git a/src/racoon/isakmp.c b/src/racoon/isakmp.c
deleted file mode 100644
index b9fc5ee..0000000
--- a/src/racoon/isakmp.c
+++ /dev/null
@@ -1,3643 +0,0 @@
-/* $NetBSD: isakmp.c,v 1.20.6.13 2008/09/25 09:34:39 vanhu Exp $ */
-
-/* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/queue.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include PATH_IPSEC_H
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#if TIME_WITH_SYS_TIME
-# include <sys/time.h>
-# include <time.h>
-#else
-# if HAVE_SYS_TIME_H
-# include <sys/time.h>
-# else
-# include <time.h>
-# endif
-#endif
-#include <netdb.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-#include <ctype.h>
-#ifdef ENABLE_HYBRID
-#include <resolv.h>
-#endif
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "sockmisc.h"
-#include "schedule.h"
-#include "debug.h"
-
-#include "remoteconf.h"
-#include "localconf.h"
-#include "grabmyaddr.h"
-#include "admin.h"
-#include "privsep.h"
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "oakley.h"
-#include "evt.h"
-#include "handler.h"
-#include "ipsec_doi.h"
-#include "pfkey.h"
-#include "crypto_openssl.h"
-#include "policy.h"
-#include "isakmp_ident.h"
-#include "isakmp_agg.h"
-#include "isakmp_base.h"
-#include "isakmp_quick.h"
-#include "isakmp_inf.h"
-#include "isakmp_newg.h"
-#ifdef ENABLE_HYBRID
-#include "vendorid.h"
-#include "isakmp_xauth.h"
-#include "isakmp_unity.h"
-#include "isakmp_cfg.h"
-#endif
-#ifdef ENABLE_FRAG
-#include "isakmp_frag.h"
-#endif
-#include "strnames.h"
-
-#include <fcntl.h>
-
-#ifdef ENABLE_NATT
-# include "nattraversal.h"
-#endif
-# ifdef __linux__
-# include <linux/udp.h>
-# include <linux/ip.h>
-# ifndef SOL_UDP
-# define SOL_UDP 17
-# endif
-#if defined(__ANDROID__)
-#include <netinet/udp.h>
-#endif
-# endif /* __linux__ */
-# if defined(__NetBSD__) || defined(__FreeBSD__) || \
- (defined(__APPLE__) && defined(__MACH__))
-# include <netinet/in.h>
-# include <netinet/udp.h>
-# include <netinet/in_systm.h>
-# include <netinet/ip.h>
-# define SOL_UDP IPPROTO_UDP
-# endif /* __NetBSD__ / __FreeBSD__ */
-
-#ifdef ANDROID_CHANGES
-#include "NetdClient.h"
-#endif
-
-static int nostate1 __P((struct ph1handle *, vchar_t *));
-static int nostate2 __P((struct ph2handle *, vchar_t *));
-
-extern caddr_t val2str(const char *, size_t);
-
-static int (*ph1exchange[][2][PHASE1ST_MAX])
- __P((struct ph1handle *, vchar_t *)) = {
- /* error */
- { {}, {}, },
- /* Identity Protection exchange */
- {
- { nostate1, ident_i1send, nostate1, ident_i2recv, ident_i2send,
- ident_i3recv, ident_i3send, ident_i4recv, ident_i4send, nostate1, },
- { nostate1, ident_r1recv, ident_r1send, ident_r2recv, ident_r2send,
- ident_r3recv, ident_r3send, nostate1, nostate1, nostate1, },
- },
- /* Aggressive exchange */
- {
- { nostate1, agg_i1send, nostate1, agg_i2recv, agg_i2send,
- nostate1, nostate1, nostate1, nostate1, nostate1, },
- { nostate1, agg_r1recv, agg_r1send, agg_r2recv, agg_r2send,
- nostate1, nostate1, nostate1, nostate1, nostate1, },
- },
- /* Base exchange */
- {
- { nostate1, base_i1send, nostate1, base_i2recv, base_i2send,
- base_i3recv, base_i3send, nostate1, nostate1, nostate1, },
- { nostate1, base_r1recv, base_r1send, base_r2recv, base_r2send,
- nostate1, nostate1, nostate1, nostate1, nostate1, },
- },
-};
-
-static int (*ph2exchange[][2][PHASE2ST_MAX])
- __P((struct ph2handle *, vchar_t *)) = {
- /* error */
- { {}, {}, },
- /* Quick mode for IKE */
- {
- { nostate2, nostate2, quick_i1prep, nostate2, quick_i1send,
- quick_i2recv, quick_i2send, quick_i3recv, nostate2, nostate2, },
- { nostate2, quick_r1recv, quick_r1prep, nostate2, quick_r2send,
- quick_r3recv, quick_r3prep, quick_r3send, nostate2, nostate2, }
- },
-};
-
-static u_char r_ck0[] = { 0,0,0,0,0,0,0,0 }; /* used to verify the r_ck. */
-
-static int isakmp_main __P((vchar_t *, struct sockaddr *, struct sockaddr *));
-static int ph1_main __P((struct ph1handle *, vchar_t *));
-static int quick_main __P((struct ph2handle *, vchar_t *));
-static int isakmp_ph1begin_r __P((vchar_t *,
- struct sockaddr *, struct sockaddr *, u_int8_t));
-static int isakmp_ph2begin_i __P((struct ph1handle *, struct ph2handle *));
-static int isakmp_ph2begin_r __P((struct ph1handle *, vchar_t *));
-static int etypesw1 __P((int));
-static int etypesw2 __P((int));
-#ifdef ENABLE_FRAG
-static int frag_handler(struct ph1handle *,
- vchar_t *, struct sockaddr *, struct sockaddr *);
-#endif
-
-/*
- * isakmp packet handler
- */
-int
-isakmp_handler(so_isakmp)
- int so_isakmp;
-{
- struct isakmp isakmp;
- union {
- char buf[sizeof (isakmp) + 4];
- u_int32_t non_esp[2];
- char lbuf[sizeof(struct udphdr) +
-#ifdef __linux
- sizeof(struct iphdr) +
-#else
- sizeof(struct ip) +
-#endif
- sizeof(isakmp) + 4];
- } x;
- struct sockaddr_storage remote;
- struct sockaddr_storage local;
- unsigned int remote_len = sizeof(remote);
- unsigned int local_len = sizeof(local);
- int len = 0, extralen = 0;
- vchar_t *buf = NULL, *tmpbuf = NULL;
- int error = -1, res;
-
- /* read message by MSG_PEEK */
- while ((len = recvfromto(so_isakmp, x.buf, sizeof(x),
- MSG_PEEK, (struct sockaddr *)&remote, &remote_len,
- (struct sockaddr *)&local, &local_len)) < 0) {
- if (errno == EINTR)
- continue;
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to receive isakmp packet: %s\n",
- strerror (errno));
- goto end;
- }
-
- /* keep-alive packet - ignore */
- if (len == 1 && (x.buf[0]&0xff) == 0xff) {
- /* Pull the keep-alive packet */
- if ((len = recvfrom(so_isakmp, (char *)x.buf, 1,
- 0, (struct sockaddr *)&remote, &remote_len)) != 1) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to receive keep alive packet: %s\n",
- strerror (errno));
- }
- goto end;
- }
-
- /* Lucent IKE in UDP encapsulation */
- {
- struct udphdr *udp;
-#ifdef __linux__
- struct iphdr *ip;
-
- udp = (struct udphdr *)&x.lbuf[0];
- if (ntohs(udp->dest) == 501) {
- ip = (struct iphdr *)(x.lbuf + sizeof(*udp));
- extralen += sizeof(*udp) + ip->ihl;
- }
-#else
- struct ip *ip;
-
- udp = (struct udphdr *)&x.lbuf[0];
- if (ntohs(udp->uh_dport) == 501) {
- ip = (struct ip *)(x.lbuf + sizeof(*udp));
- extralen += sizeof(*udp) + ip->ip_hl;
- }
-#endif
- }
-
-#ifdef ENABLE_NATT
- /* we don't know about portchange yet,
- look for non-esp marker instead */
- if (x.non_esp[0] == 0 && x.non_esp[1] != 0)
- extralen = NON_ESP_MARKER_LEN;
-#endif
-
- /* now we know if there is an extra non-esp
- marker at the beginning or not */
- memcpy ((char *)&isakmp, x.buf + extralen, sizeof (isakmp));
-
- /* check isakmp header length, as well as sanity of header length */
- if (len < sizeof(isakmp) || ntohl(isakmp.len) < sizeof(isakmp)) {
- plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
- "packet shorter than isakmp header size (%u, %u, %zu)\n",
- len, ntohl(isakmp.len), sizeof(isakmp));
- /* dummy receive */
- if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
- 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to receive isakmp packet: %s\n",
- strerror (errno));
- }
- goto end;
- }
-
- /* reject it if the size is tooooo big. */
- if (ntohl(isakmp.len) > 0xffff) {
- plog(LLV_ERROR, LOCATION, NULL,
- "the length in the isakmp header is too big.\n");
- if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
- 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to receive isakmp packet: %s\n",
- strerror (errno));
- }
- goto end;
- }
-
- /* read real message */
- if ((tmpbuf = vmalloc(ntohl(isakmp.len) + extralen)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate reading buffer (%u Bytes)\n",
- ntohl(isakmp.len) + extralen);
- /* dummy receive */
- if ((len = recvfrom(so_isakmp, (char *)&isakmp, sizeof(isakmp),
- 0, (struct sockaddr *)&remote, &remote_len)) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to receive isakmp packet: %s\n",
- strerror (errno));
- }
- goto end;
- }
-
- while ((len = recvfromto(so_isakmp, (char *)tmpbuf->v, tmpbuf->l,
- 0, (struct sockaddr *)&remote, &remote_len,
- (struct sockaddr *)&local, &local_len)) < 0) {
- if (errno == EINTR)
- continue;
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to receive isakmp packet: %s\n",
- strerror (errno));
- goto end;
- }
-
- if ((buf = vmalloc(len - extralen)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate reading buffer (%u Bytes)\n",
- (len - extralen));
- goto end;
- }
-
- memcpy (buf->v, tmpbuf->v + extralen, buf->l);
-
- len -= extralen;
-
- if (len != buf->l) {
- plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
- "received invalid length (%d != %zu), why ?\n",
- len, buf->l);
- goto end;
- }
-
- plog(LLV_DEBUG, LOCATION, NULL, "===\n");
- plog(LLV_DEBUG, LOCATION, NULL,
- "%d bytes message received %s\n",
- len, saddr2str_fromto("from %s to %s",
- (struct sockaddr *)&remote,
- (struct sockaddr *)&local));
- plogdump(LLV_DEBUG, buf->v, buf->l);
-
- /* avoid packets with malicious port/address */
- if (extract_port((struct sockaddr *)&remote) == 0) {
- plog(LLV_ERROR, LOCATION, (struct sockaddr *)&remote,
- "src port == 0 (valid as UDP but not with IKE)\n");
- goto end;
- }
-
- /* XXX: check sender whether to be allowed or not to accept */
-
- /* XXX: I don't know how to check isakmp half connection attack. */
-
- /* simply reply if the packet was processed. */
- res=check_recvdpkt((struct sockaddr *)&remote,(struct sockaddr *)&local, buf);
- if (res) {
- plog(LLV_NOTIFY, LOCATION, NULL,
- "the packet is retransmitted by %s (%d).\n",
- saddr2str((struct sockaddr *)&remote), res);
- error = 0;
- goto end;
- }
-
- /* isakmp main routine */
- if (isakmp_main(buf, (struct sockaddr *)&remote,
- (struct sockaddr *)&local) != 0) goto end;
-
- error = 0;
-
-end:
- if (tmpbuf != NULL)
- vfree(tmpbuf);
- if (buf != NULL)
- vfree(buf);
-
- return(error);
-}
-
-/*
- * main processing to handle isakmp payload
- */
-static int
-isakmp_main(msg, remote, local)
- vchar_t *msg;
- struct sockaddr *remote, *local;
-{
- struct isakmp *isakmp = (struct isakmp *)msg->v;
- isakmp_index *index = (isakmp_index *)isakmp;
- u_int32_t msgid = isakmp->msgid;
- struct ph1handle *iph1;
-
-#ifdef HAVE_PRINT_ISAKMP_C
- isakmp_printpacket(msg, remote, local, 0);
-#endif
-
- /* the initiator's cookie must not be zero */
- if (memcmp(&isakmp->i_ck, r_ck0, sizeof(cookie_t)) == 0) {
- plog(LLV_ERROR, LOCATION, remote,
- "malformed cookie received.\n");
- return -1;
- }
-
- /* Check the Major and Minor Version fields. */
- /*
- * XXX Is is right to check version here ?
- * I think it may no be here because the version depends
- * on exchange status.
- */
- if (isakmp->v < ISAKMP_VERSION_NUMBER) {
- if (ISAKMP_GETMAJORV(isakmp->v) < ISAKMP_MAJOR_VERSION) {
- plog(LLV_ERROR, LOCATION, remote,
- "invalid major version %d.\n",
- ISAKMP_GETMAJORV(isakmp->v));
- return -1;
- }
-#if ISAKMP_MINOR_VERSION > 0
- if (ISAKMP_GETMINORV(isakmp->v) < ISAKMP_MINOR_VERSION) {
- plog(LLV_ERROR, LOCATION, remote,
- "invalid minor version %d.\n",
- ISAKMP_GETMINORV(isakmp->v));
- return -1;
- }
-#endif
- }
-
- /* check the Flags field. */
- /* XXX How is the exclusive check, E and A ? */
- if (isakmp->flags & ~(ISAKMP_FLAG_E | ISAKMP_FLAG_C | ISAKMP_FLAG_A)) {
- plog(LLV_ERROR, LOCATION, remote,
- "invalid flag 0x%02x.\n", isakmp->flags);
- return -1;
- }
-
- /* ignore commit bit. */
- if (ISSET(isakmp->flags, ISAKMP_FLAG_C)) {
- if (isakmp->msgid == 0) {
- isakmp_info_send_nx(isakmp, remote, local,
- ISAKMP_NTYPE_INVALID_FLAGS, NULL);
- plog(LLV_ERROR, LOCATION, remote,
- "Commit bit on phase1 forbidden.\n");
- return -1;
- }
- }
-
- iph1 = getph1byindex(index);
- if (iph1 != NULL) {
- /* validity check */
- if (memcmp(&isakmp->r_ck, r_ck0, sizeof(cookie_t)) == 0 &&
- iph1->side == INITIATOR) {
- plog(LLV_DEBUG, LOCATION, remote,
- "malformed cookie received or "
- "the initiator's cookies collide.\n");
- return -1;
- }
-
-#ifdef ENABLE_NATT
- /* Floating ports for NAT-T */
- if (NATT_AVAILABLE(iph1) &&
- ! (iph1->natt_flags & NAT_PORTS_CHANGED) &&
- ((cmpsaddrstrict(iph1->remote, remote) != 0) ||
- (cmpsaddrstrict(iph1->local, local) != 0)))
- {
- /* prevent memory leak */
- racoon_free(iph1->remote);
- racoon_free(iph1->local);
- iph1->remote = NULL;
- iph1->local = NULL;
-
- /* copy-in new addresses */
- iph1->remote = dupsaddr(remote);
- if (iph1->remote == NULL) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "phase1 failed: dupsaddr failed.\n");
- remph1(iph1);
- delph1(iph1);
- return -1;
- }
- iph1->local = dupsaddr(local);
- if (iph1->local == NULL) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "phase1 failed: dupsaddr failed.\n");
- remph1(iph1);
- delph1(iph1);
- return -1;
- }
-
- /* set the flag to prevent further port floating
- (FIXME: should we allow it? E.g. when the NAT gw
- is rebooted?) */
- iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER;
-
- /* print some neat info */
- plog (LLV_INFO, LOCATION, NULL,
- "NAT-T: ports changed to: %s\n",
- saddr2str_fromto ("%s<->%s", iph1->remote, iph1->local));
-
- natt_keepalive_add_ph1 (iph1);
- }
-#endif
-
- /* must be same addresses in one stream of a phase at least. */
- if (cmpsaddrstrict(iph1->remote, remote) != 0) {
- char *saddr_db, *saddr_act;
-
- saddr_db = racoon_strdup(saddr2str(iph1->remote));
- saddr_act = racoon_strdup(saddr2str(remote));
- STRDUP_FATAL(saddr_db);
- STRDUP_FATAL(saddr_act);
-
- plog(LLV_WARNING, LOCATION, remote,
- "remote address mismatched. db=%s, act=%s\n",
- saddr_db, saddr_act);
-
- racoon_free(saddr_db);
- racoon_free(saddr_act);
- }
-
- /*
- * don't check of exchange type here because other type will be
- * with same index, for example, informational exchange.
- */
-
- /* XXX more acceptable check */
- }
-
- switch (isakmp->etype) {
- case ISAKMP_ETYPE_IDENT:
- case ISAKMP_ETYPE_AGG:
- case ISAKMP_ETYPE_BASE:
- /* phase 1 validity check */
- if (isakmp->msgid != 0) {
- plog(LLV_ERROR, LOCATION, remote,
- "message id should be zero in phase1.\n");
- return -1;
- }
-
- /* search for isakmp status record of phase 1 */
- if (iph1 == NULL) {
- /*
- * the packet must be the 1st message from a initiator
- * or the 2nd message from the responder.
- */
-
- /* search for phase1 handle by index without r_ck */
- iph1 = getph1byindex0(index);
- if (iph1 == NULL) {
- /*it must be the 1st message from a initiator.*/
- if (memcmp(&isakmp->r_ck, r_ck0,
- sizeof(cookie_t)) != 0) {
-
- plog(LLV_DEBUG, LOCATION, remote,
- "malformed cookie received "
- "or the spi expired.\n");
- return -1;
- }
-
- /* it must be responder's 1st exchange. */
- if (isakmp_ph1begin_r(msg, remote, local,
- isakmp->etype) < 0)
- return -1;
- break;
-
- /*NOTREACHED*/
- }
-
- /* it must be the 2nd message from the responder. */
- if (iph1->side != INITIATOR) {
- plog(LLV_DEBUG, LOCATION, remote,
- "malformed cookie received. "
- "it has to be as the initiator. %s\n",
- isakmp_pindex(&iph1->index, 0));
- return -1;
- }
- }
-
- /*
- * Don't delete phase 1 handler when the exchange type
- * in handler is not equal to packet's one because of no
- * authencication completed.
- */
- if (iph1->etype != isakmp->etype) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "exchange type is mismatched: "
- "db=%s packet=%s, ignore it.\n",
- s_isakmp_etype(iph1->etype),
- s_isakmp_etype(isakmp->etype));
- return -1;
- }
-
-#ifdef ENABLE_FRAG
- if (isakmp->np == ISAKMP_NPTYPE_FRAG)
- return frag_handler(iph1, msg, remote, local);
-#endif
-
- /* call main process of phase 1 */
- if (ph1_main(iph1, msg) < 0) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "phase1 negotiation failed.\n");
- remph1(iph1);
- delph1(iph1);
- return -1;
- }
- break;
-
- case ISAKMP_ETYPE_AUTH:
- plog(LLV_INFO, LOCATION, remote,
- "unsupported exchange %d received.\n",
- isakmp->etype);
- break;
-
- case ISAKMP_ETYPE_INFO:
- case ISAKMP_ETYPE_ACKINFO:
- /*
- * iph1 must be present for Information message.
- * if iph1 is null then trying to get the phase1 status
- * as the packet from responder againt initiator's 1st
- * exchange in phase 1.
- * NOTE: We think such informational exchange should be ignored.
- */
- if (iph1 == NULL) {
- iph1 = getph1byindex0(index);
- if (iph1 == NULL) {
- plog(LLV_ERROR, LOCATION, remote,
- "unknown Informational "
- "exchange received.\n");
- return -1;
- }
- if (cmpsaddrstrict(iph1->remote, remote) != 0) {
- plog(LLV_WARNING, LOCATION, remote,
- "remote address mismatched. "
- "db=%s\n",
- saddr2str(iph1->remote));
- }
- }
-
-#ifdef ENABLE_FRAG
- if (isakmp->np == ISAKMP_NPTYPE_FRAG)
- return frag_handler(iph1, msg, remote, local);
-#endif
-
- if (isakmp_info_recv(iph1, msg) < 0)
- return -1;
- break;
-
- case ISAKMP_ETYPE_QUICK:
- {
- struct ph2handle *iph2;
-
- if (iph1 == NULL) {
- isakmp_info_send_nx(isakmp, remote, local,
- ISAKMP_NTYPE_INVALID_COOKIE, NULL);
- plog(LLV_ERROR, LOCATION, remote,
- "can't start the quick mode, "
- "there is no ISAKMP-SA, %s\n",
- isakmp_pindex((isakmp_index *)&isakmp->i_ck,
- isakmp->msgid));
- return -1;
- }
-#ifdef ENABLE_HYBRID
- /* Reinit the IVM if it's still there */
- if (iph1->mode_cfg && iph1->mode_cfg->ivm) {
- oakley_delivm(iph1->mode_cfg->ivm);
- iph1->mode_cfg->ivm = NULL;
- }
-#endif
-#ifdef ENABLE_FRAG
- if (isakmp->np == ISAKMP_NPTYPE_FRAG)
- return frag_handler(iph1, msg, remote, local);
-#endif
-
- /* check status of phase 1 whether negotiated or not. */
- if (iph1->status != PHASE1ST_ESTABLISHED) {
- plog(LLV_ERROR, LOCATION, remote,
- "can't start the quick mode, "
- "there is no valid ISAKMP-SA, %s\n",
- isakmp_pindex(&iph1->index, iph1->msgid));
- return -1;
- }
-
- /* search isakmp phase 2 stauts record. */
- iph2 = getph2bymsgid(iph1, msgid);
- if (iph2 == NULL) {
- /* it must be new negotiation as responder */
- if (isakmp_ph2begin_r(iph1, msg) < 0)
- return -1;
- return 0;
- /*NOTREACHED*/
- }
-
- /* commit bit. */
- /* XXX
- * we keep to set commit bit during negotiation.
- * When SA is configured, bit will be reset.
- * XXX
- * don't initiate commit bit. should be fixed in the future.
- */
- if (ISSET(isakmp->flags, ISAKMP_FLAG_C))
- iph2->flags |= ISAKMP_FLAG_C;
-
- /* call main process of quick mode */
- if (quick_main(iph2, msg) < 0) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "phase2 negotiation failed.\n");
- unbindph12(iph2);
- remph2(iph2);
- delph2(iph2);
- return -1;
- }
- }
- break;
-
- case ISAKMP_ETYPE_NEWGRP:
- if (iph1 == NULL) {
- plog(LLV_ERROR, LOCATION, remote,
- "Unknown new group mode exchange, "
- "there is no ISAKMP-SA.\n");
- return -1;
- }
-
-#ifdef ENABLE_FRAG
- if (isakmp->np == ISAKMP_NPTYPE_FRAG)
- return frag_handler(iph1, msg, remote, local);
-#endif
-
- isakmp_newgroup_r(iph1, msg);
- break;
-
-#ifdef ENABLE_HYBRID
- case ISAKMP_ETYPE_CFG:
- if (iph1 == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "mode config %d from %s, "
- "but we have no ISAKMP-SA.\n",
- isakmp->etype, saddr2str(remote));
- return -1;
- }
-
-#ifdef ENABLE_FRAG
- if (isakmp->np == ISAKMP_NPTYPE_FRAG)
- return frag_handler(iph1, msg, remote, local);
-#endif
-
- isakmp_cfg_r(iph1, msg);
- break;
-#endif
-
- case ISAKMP_ETYPE_NONE:
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "Invalid exchange type %d from %s.\n",
- isakmp->etype, saddr2str(remote));
- return -1;
- }
-
- return 0;
-}
-
-/*
- * main function of phase 1.
- */
-static int
-ph1_main(iph1, msg)
- struct ph1handle *iph1;
- vchar_t *msg;
-{
- int error;
-#ifdef ENABLE_STATS
- struct timeval start, end;
-#endif
-
- /* ignore a packet */
- if (iph1->status == PHASE1ST_ESTABLISHED)
- return 0;
-
-#ifdef ENABLE_STATS
- gettimeofday(&start, NULL);
-#endif
- /* receive */
- if (ph1exchange[etypesw1(iph1->etype)]
- [iph1->side]
- [iph1->status] == NULL) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "why isn't the function defined.\n");
- return -1;
- }
- error = (ph1exchange[etypesw1(iph1->etype)]
- [iph1->side]
- [iph1->status])(iph1, msg);
- if (error != 0) {
-
- /* XXX
- * When an invalid packet is received on phase1, it should
- * be selected to process this packet. That is to respond
- * with a notify and delete phase 1 handler, OR not to respond
- * and keep phase 1 handler. However, in PHASE1ST_START when
- * acting as RESPONDER we must not keep phase 1 handler or else
- * it will stay forever.
- */
-
- if (iph1->side == RESPONDER && iph1->status == PHASE1ST_START) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "failed to pre-process packet.\n");
- return -1;
- } else {
- /* ignore the error and keep phase 1 handler */
- return 0;
- }
- }
-
-#ifndef ENABLE_FRAG
- /* free resend buffer */
- if (iph1->sendbuf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "no buffer found as sendbuf\n");
- return -1;
- }
-#endif
-
- VPTRINIT(iph1->sendbuf);
-
- /* turn off schedule */
- SCHED_KILL(iph1->scr);
-
- /* send */
- plog(LLV_DEBUG, LOCATION, NULL, "===\n");
- if ((ph1exchange[etypesw1(iph1->etype)]
- [iph1->side]
- [iph1->status])(iph1, msg) != 0) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "failed to process packet.\n");
- return -1;
- }
-
-#ifdef ENABLE_STATS
- gettimeofday(&end, NULL);
- syslog(LOG_NOTICE, "%s(%s): %8.6f",
- "phase1", s_isakmp_state(iph1->etype, iph1->side, iph1->status),
- timedelta(&start, &end));
-#endif
- if (iph1->status == PHASE1ST_ESTABLISHED) {
-
-#ifdef ENABLE_STATS
- gettimeofday(&iph1->end, NULL);
- syslog(LOG_NOTICE, "%s(%s): %8.6f",
- "phase1", s_isakmp_etype(iph1->etype),
- timedelta(&iph1->start, &iph1->end));
-#endif
-
- /* save created date. */
- (void)time(&iph1->created);
-
- /* add to the schedule to expire, and seve back pointer. */
- iph1->sce = sched_new(iph1->approval->lifetime,
- isakmp_ph1expire_stub, iph1);
-#ifdef ENABLE_HYBRID
- if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
- switch(AUTHMETHOD(iph1)) {
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
- xauth_sendreq(iph1);
- /* XXX Don't process INITIAL_CONTACT */
- iph1->rmconf->ini_contact = 0;
- break;
- default:
- break;
- }
- }
-#endif
-#ifdef ENABLE_DPD
- /* Schedule the r_u_there.... */
- if(iph1->dpd_support && iph1->rmconf->dpd_interval)
- isakmp_sched_r_u(iph1, 0);
-#endif
-
- /* INITIAL-CONTACT processing */
- /* don't anything if local test mode. */
- if (!f_local
- && iph1->rmconf->ini_contact && !getcontacted(iph1->remote)) {
- /* send INITIAL-CONTACT */
- isakmp_info_send_n1(iph1,
- ISAKMP_NTYPE_INITIAL_CONTACT, NULL);
- /* insert a node into contacted list. */
- if (inscontacted(iph1->remote) == -1) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "failed to add contacted list.\n");
- /* ignore */
- }
- }
-
- log_ph1established(iph1);
- plog(LLV_DEBUG, LOCATION, NULL, "===\n");
-
- /*
- * SA up shell script hook: do it now,except if
- * ISAKMP mode config was requested. In the later
- * case it is done when we receive the configuration.
- */
- if ((iph1->status == PHASE1ST_ESTABLISHED) &&
- !iph1->rmconf->mode_cfg) {
- switch (AUTHMETHOD(iph1)) {
-#ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
- /* Unimplemeted... */
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
- break;
-#endif
- default:
- script_hook(iph1, SCRIPT_PHASE1_UP);
- break;
- }
- }
- }
-
- return 0;
-}
-
-/*
- * main function of quick mode.
- */
-static int
-quick_main(iph2, msg)
- struct ph2handle *iph2;
- vchar_t *msg;
-{
- struct isakmp *isakmp = (struct isakmp *)msg->v;
- int error;
-#ifdef ENABLE_STATS
- struct timeval start, end;
-#endif
-
- /* ignore a packet */
- if (iph2->status == PHASE2ST_ESTABLISHED
- || iph2->status == PHASE2ST_GETSPISENT)
- return 0;
-
-#ifdef ENABLE_STATS
- gettimeofday(&start, NULL);
-#endif
-
- /* receive */
- if (ph2exchange[etypesw2(isakmp->etype)]
- [iph2->side]
- [iph2->status] == NULL) {
- plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
- "why isn't the function defined.\n");
- return -1;
- }
- error = (ph2exchange[etypesw2(isakmp->etype)]
- [iph2->side]
- [iph2->status])(iph2, msg);
- if (error != 0) {
- plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
- "failed to pre-process packet.\n");
- if (error == ISAKMP_INTERNAL_ERROR)
- return 0;
- isakmp_info_send_n1(iph2->ph1, error, NULL);
- return -1;
- }
-
- /* when using commit bit, status will be reached here. */
- if (iph2->status == PHASE2ST_ADDSA)
- return 0;
-
- /* free resend buffer */
- if (iph2->sendbuf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "no buffer found as sendbuf\n");
- return -1;
- }
- VPTRINIT(iph2->sendbuf);
-
- /* turn off schedule */
- SCHED_KILL(iph2->scr);
-
- /* send */
- plog(LLV_DEBUG, LOCATION, NULL, "===\n");
- if ((ph2exchange[etypesw2(isakmp->etype)]
- [iph2->side]
- [iph2->status])(iph2, msg) != 0) {
- plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
- "failed to process packet.\n");
- return -1;
- }
-
-#ifdef ENABLE_STATS
- gettimeofday(&end, NULL);
- syslog(LOG_NOTICE, "%s(%s): %8.6f",
- "phase2",
- s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
- timedelta(&start, &end));
-#endif
-
- return 0;
-}
-
-/* new negotiation of phase 1 for initiator */
-int
-isakmp_ph1begin_i(rmconf, remote, local)
- struct remoteconf *rmconf;
- struct sockaddr *remote, *local;
-{
- struct ph1handle *iph1;
-#ifdef ENABLE_STATS
- struct timeval start, end;
-#endif
-
- /* get new entry to isakmp status table. */
- iph1 = newph1();
- if (iph1 == NULL)
- return -1;
-
- iph1->status = PHASE1ST_START;
- iph1->rmconf = rmconf;
- iph1->side = INITIATOR;
- iph1->version = ISAKMP_VERSION_NUMBER;
- iph1->msgid = 0;
- iph1->flags = 0;
- iph1->ph2cnt = 0;
-#ifdef HAVE_GSSAPI
- iph1->gssapi_state = NULL;
-#endif
-#ifdef ENABLE_HYBRID
- if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) {
- delph1(iph1);
- return -1;
- }
-#endif
-#ifdef ENABLE_FRAG
-
- if(rmconf->ike_frag == ISAKMP_FRAG_FORCE)
- iph1->frag = 1;
- else
- iph1->frag = 0;
- iph1->frag_chain = NULL;
-#endif
- iph1->approval = NULL;
-
- /* XXX copy remote address */
- if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) {
- delph1(iph1);
- return -1;
- }
-
- (void)insph1(iph1);
-
- /* start phase 1 exchange */
- iph1->etype = rmconf->etypes->type;
-
- plog(LLV_DEBUG, LOCATION, NULL, "===\n");
- {
- char *a;
-
- a = racoon_strdup(saddr2str(iph1->local));
- STRDUP_FATAL(a);
-
- plog(LLV_INFO, LOCATION, NULL,
- "initiate new phase 1 negotiation: %s<=>%s\n",
- a, saddr2str(iph1->remote));
- racoon_free(a);
- }
- plog(LLV_INFO, LOCATION, NULL,
- "begin %s mode.\n",
- s_isakmp_etype(iph1->etype));
-
-#ifdef ENABLE_STATS
- gettimeofday(&iph1->start, NULL);
- gettimeofday(&start, NULL);
-#endif
- /* start exchange */
- if ((ph1exchange[etypesw1(iph1->etype)]
- [iph1->side]
- [iph1->status])(iph1, NULL) != 0) {
- /* failed to start phase 1 negotiation */
- remph1(iph1);
- delph1(iph1);
-
- return -1;
- }
-
-#ifdef ENABLE_STATS
- gettimeofday(&end, NULL);
- syslog(LOG_NOTICE, "%s(%s): %8.6f",
- "phase1",
- s_isakmp_state(iph1->etype, iph1->side, iph1->status),
- timedelta(&start, &end));
-#endif
-
- return 0;
-}
-
-/* new negotiation of phase 1 for responder */
-static int
-isakmp_ph1begin_r(vchar_t *msg, struct sockaddr *remote,
- struct sockaddr *local, u_int8_t etype)
-{
- struct isakmp *isakmp = (struct isakmp *)msg->v;
- struct remoteconf *rmconf;
- struct ph1handle *iph1;
- struct etypes *etypeok;
-#ifdef ENABLE_STATS
- struct timeval start, end;
-#endif
-
- /* look for my configuration */
- rmconf = getrmconf(remote);
- if (rmconf == NULL) {
- plog(LLV_ERROR, LOCATION, remote,
- "couldn't find "
- "configuration.\n");
- return -1;
- }
-
- /* check to be acceptable exchange type */
- etypeok = check_etypeok(rmconf, etype);
- if (etypeok == NULL) {
- plog(LLV_ERROR, LOCATION, remote,
- "not acceptable %s mode\n", s_isakmp_etype(etype));
- return -1;
- }
-
- /* get new entry to isakmp status table. */
- iph1 = newph1();
- if (iph1 == NULL)
- return -1;
-
- memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(iph1->index.i_ck));
- iph1->status = PHASE1ST_START;
- iph1->rmconf = rmconf;
- iph1->flags = 0;
- iph1->side = RESPONDER;
- iph1->etype = etypeok->type;
- iph1->version = isakmp->v;
- iph1->msgid = 0;
-#ifdef HAVE_GSSAPI
- iph1->gssapi_state = NULL;
-#endif
-#ifdef ENABLE_HYBRID
- if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL) {
- delph1(iph1);
- return -1;
- }
-#endif
-#ifdef ENABLE_FRAG
- iph1->frag = 0;
- iph1->frag_chain = NULL;
-#endif
- iph1->approval = NULL;
-
-#ifdef ENABLE_NATT
- /* RFC3947 says that we MUST accept new phases1 on NAT-T floated port.
- * We have to setup this flag now to correctly generate the first reply.
- * Don't know if a better check could be done for that ?
- */
- if(extract_port(local) == lcconf->port_isakmp_natt)
- iph1->natt_flags |= (NAT_PORTS_CHANGED);
-#endif
-
- /* copy remote address */
- if (copy_ph1addresses(iph1, rmconf, remote, local) < 0) {
- delph1(iph1);
- return -1;
- }
- (void)insph1(iph1);
-
- plog(LLV_DEBUG, LOCATION, NULL, "===\n");
- {
- char *a;
-
- a = racoon_strdup(saddr2str(iph1->local));
- STRDUP_FATAL(a);
-
- plog(LLV_INFO, LOCATION, NULL,
- "respond new phase 1 negotiation: %s<=>%s\n",
- a, saddr2str(iph1->remote));
- racoon_free(a);
- }
- plog(LLV_INFO, LOCATION, NULL,
- "begin %s mode.\n", s_isakmp_etype(etype));
-
-#ifdef ENABLE_STATS
- gettimeofday(&iph1->start, NULL);
- gettimeofday(&start, NULL);
-#endif
-
-#ifndef ENABLE_FRAG
-
- /* start exchange */
- if ((ph1exchange[etypesw1(iph1->etype)]
- [iph1->side]
- [iph1->status])(iph1, msg) < 0
- || (ph1exchange[etypesw1(iph1->etype)]
- [iph1->side]
- [iph1->status])(iph1, msg) < 0) {
- plog(LLV_ERROR, LOCATION, remote,
- "failed to process packet.\n");
- remph1(iph1);
- delph1(iph1);
- return -1;
- }
-
-#ifdef ENABLE_STATS
- gettimeofday(&end, NULL);
- syslog(LOG_NOTICE, "%s(%s): %8.6f",
- "phase1",
- s_isakmp_state(iph1->etype, iph1->side, iph1->status),
- timedelta(&start, &end));
-#endif
-
- return 0;
-
-#else /* ENABLE_FRAG */
-
- /* now that we have a phase1 handle, feed back into our
- * main receive function to catch fragmented packets
- */
-
- return isakmp_main(msg, remote, local);
-
-#endif /* ENABLE_FRAG */
-
-}
-
-/* new negotiation of phase 2 for initiator */
-static int
-isakmp_ph2begin_i(iph1, iph2)
- struct ph1handle *iph1;
- struct ph2handle *iph2;
-{
-#ifdef ENABLE_HYBRID
- if (xauth_check(iph1) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Attempt to start phase 2 whereas Xauth failed\n");
- return -1;
- }
-#endif
-
- /* found ISAKMP-SA. */
- plog(LLV_DEBUG, LOCATION, NULL, "===\n");
- plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
- {
- char *a;
- a = racoon_strdup(saddr2str(iph2->src));
- STRDUP_FATAL(a);
-
- plog(LLV_INFO, LOCATION, NULL,
- "initiate new phase 2 negotiation: %s<=>%s\n",
- a, saddr2str(iph2->dst));
- racoon_free(a);
- }
-
-#ifdef ENABLE_STATS
- gettimeofday(&iph2->start, NULL);
-#endif
- /* found isakmp-sa */
- bindph12(iph1, iph2);
- iph2->status = PHASE2ST_STATUS2;
-
- if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
- [iph2->side]
- [iph2->status])(iph2, NULL) < 0) {
- unbindph12(iph2);
- /* release ipsecsa handler due to internal error. */
- remph2(iph2);
- return -1;
- }
- return 0;
-}
-
-/* new negotiation of phase 2 for responder */
-static int
-isakmp_ph2begin_r(iph1, msg)
- struct ph1handle *iph1;
- vchar_t *msg;
-{
- struct isakmp *isakmp = (struct isakmp *)msg->v;
- struct ph2handle *iph2 = 0;
- int error;
-#ifdef ENABLE_STATS
- struct timeval start, end;
-#endif
-#ifdef ENABLE_HYBRID
- if (xauth_check(iph1) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Attempt to start phase 2 whereas Xauth failed\n");
- return -1;
- }
-#endif
-
- iph2 = newph2();
- if (iph2 == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate phase2 entry.\n");
- return -1;
- }
-
- iph2->ph1 = iph1;
- iph2->side = RESPONDER;
- iph2->status = PHASE2ST_START;
- iph2->flags = isakmp->flags;
- iph2->msgid = isakmp->msgid;
- iph2->seq = pk_getseq();
- iph2->ivm = oakley_newiv2(iph1, iph2->msgid);
- if (iph2->ivm == NULL) {
- delph2(iph2);
- return -1;
- }
- iph2->dst = dupsaddr(iph1->remote); /* XXX should be considered */
- if (iph2->dst == NULL) {
- delph2(iph2);
- return -1;
- }
- iph2->src = dupsaddr(iph1->local); /* XXX should be considered */
- if (iph2->src == NULL) {
- delph2(iph2);
- return -1;
- }
-#if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
- if (set_port(iph2->dst, 0) == NULL ||
- set_port(iph2->src, 0) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid family: %d\n", iph2->dst->sa_family);
- delph2(iph2);
- return -1;
- }
-#endif
-
- /* add new entry to isakmp status table */
- insph2(iph2);
- bindph12(iph1, iph2);
-
- plog(LLV_DEBUG, LOCATION, NULL, "===\n");
- {
- char *a;
-
- a = racoon_strdup(saddr2str(iph2->src));
- STRDUP_FATAL(a);
-
- plog(LLV_INFO, LOCATION, NULL,
- "respond new phase 2 negotiation: %s<=>%s\n",
- a, saddr2str(iph2->dst));
- racoon_free(a);
- }
-
-#ifdef ENABLE_STATS
- gettimeofday(&start, NULL);
-#endif
-
- error = (ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
- [iph2->side]
- [iph2->status])(iph2, msg);
- if (error != 0) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "failed to pre-process packet.\n");
- if (error != ISAKMP_INTERNAL_ERROR)
- isakmp_info_send_n1(iph2->ph1, error, NULL);
- /*
- * release handler because it's wrong that ph2handle is kept
- * after failed to check message for responder's.
- */
- unbindph12(iph2);
- remph2(iph2);
- delph2(iph2);
- return -1;
- }
-
- /* send */
- plog(LLV_DEBUG, LOCATION, NULL, "===\n");
- if ((ph2exchange[etypesw2(isakmp->etype)]
- [iph2->side]
- [iph2->status])(iph2, msg) < 0) {
- plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
- "failed to process packet.\n");
- /* don't release handler */
- return -1;
- }
-#ifdef ENABLE_STATS
- gettimeofday(&end, NULL);
- syslog(LOG_NOTICE, "%s(%s): %8.6f",
- "phase2",
- s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
- timedelta(&start, &end));
-#endif
-
- return 0;
-}
-
-/*
- * parse ISAKMP payloads, without ISAKMP base header.
- */
-vchar_t *
-isakmp_parsewoh(np0, gen, len)
- int np0;
- struct isakmp_gen *gen;
- int len;
-{
- u_char np = np0 & 0xff;
- int tlen, plen;
- vchar_t *result;
- struct isakmp_parse_t *p, *ep;
-
- plog(LLV_DEBUG, LOCATION, NULL, "begin.\n");
-
- /*
- * 5 is a magic number, but any value larger than 2 should be fine
- * as we do vrealloc() in the following loop.
- */
- result = vmalloc(sizeof(struct isakmp_parse_t) * 5);
- if (result == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get buffer.\n");
- return NULL;
- }
- p = (struct isakmp_parse_t *)result->v;
- ep = (struct isakmp_parse_t *)(result->v + result->l - sizeof(*ep));
-
- tlen = len;
-
- /* parse through general headers */
- while (0 < tlen && np != ISAKMP_NPTYPE_NONE) {
- if (tlen <= sizeof(struct isakmp_gen)) {
- /* don't send information, see isakmp_ident_r1() */
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid length of payload\n");
- vfree(result);
- return NULL;
- }
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "seen nptype=%u(%s)\n", np, s_isakmp_nptype(np));
-
- p->type = np;
- p->len = ntohs(gen->len);
- if (p->len < sizeof(struct isakmp_gen) || p->len > tlen) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "invalid length of payload\n");
- vfree(result);
- return NULL;
- }
- p->ptr = gen;
- p++;
- if (ep <= p) {
- int off;
-
- off = p - (struct isakmp_parse_t *)result->v;
- result = vrealloc(result, result->l * 2);
- if (result == NULL) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "failed to realloc buffer.\n");
- vfree(result);
- return NULL;
- }
- ep = (struct isakmp_parse_t *)
- (result->v + result->l - sizeof(*ep));
- p = (struct isakmp_parse_t *)result->v;
- p += off;
- }
-
- np = gen->np;
- plen = ntohs(gen->len);
- gen = (struct isakmp_gen *)((caddr_t)gen + plen);
- tlen -= plen;
- }
- p->type = ISAKMP_NPTYPE_NONE;
- p->len = 0;
- p->ptr = NULL;
-
- plog(LLV_DEBUG, LOCATION, NULL, "succeed.\n");
-
- return result;
-}
-
-/*
- * parse ISAKMP payloads, including ISAKMP base header.
- */
-vchar_t *
-isakmp_parse(buf)
- vchar_t *buf;
-{
- struct isakmp *isakmp = (struct isakmp *)buf->v;
- struct isakmp_gen *gen;
- int tlen;
- vchar_t *result;
- u_char np;
-
- np = isakmp->np;
- gen = (struct isakmp_gen *)(buf->v + sizeof(*isakmp));
- tlen = buf->l - sizeof(struct isakmp);
- result = isakmp_parsewoh(np, gen, tlen);
-
- return result;
-}
-
-/* %%% */
-int
-isakmp_init()
-{
- /* initialize a isakmp status table */
- initph1tree();
- initph2tree();
- initctdtree();
- init_recvdpkt();
-
- if (isakmp_open() < 0)
- goto err;
-
- return(0);
-
-err:
- isakmp_close();
- return(-1);
-}
-
-/*
- * make strings containing i_cookie + r_cookie + msgid
- */
-const char *
-isakmp_pindex(index, msgid)
- const isakmp_index *index;
- const u_int32_t msgid;
-{
- static char buf[64];
- const u_char *p;
- int i, j;
-
- memset(buf, 0, sizeof(buf));
-
- /* copy index */
- p = (const u_char *)index;
- for (j = 0, i = 0; i < sizeof(isakmp_index); i++) {
- snprintf((char *)&buf[j], sizeof(buf) - j, "%02x", p[i]);
- j += 2;
- switch (i) {
- case 7:
- buf[j++] = ':';
- }
- }
-
- if (msgid == 0)
- return buf;
-
- /* copy msgid */
- snprintf((char *)&buf[j], sizeof(buf) - j, ":%08x", ntohs(msgid));
-
- return buf;
-}
-
-/* open ISAKMP sockets. */
-int
-isakmp_open()
-{
- const int yes = 1;
- int ifnum = 0, encap_ifnum = 0;
-#ifdef INET6
- int pktinfo;
-#endif
- struct myaddrs *p;
-
- for (p = lcconf->myaddrs; p; p = p->next) {
- if (!p->addr)
- continue;
-
- /* warn if wildcard address - should we forbid this? */
- switch (p->addr->sa_family) {
- case AF_INET:
- if (((struct sockaddr_in *)p->addr)->sin_addr.s_addr == 0)
- plog(LLV_WARNING, LOCATION, NULL,
- "listening to wildcard address,"
- "broadcast IKE packet may kill you\n");
- break;
-#ifdef INET6
- case AF_INET6:
- if (IN6_IS_ADDR_UNSPECIFIED(&((struct sockaddr_in6 *)p->addr)->sin6_addr))
- plog(LLV_WARNING, LOCATION, NULL,
- "listening to wildcard address, "
- "broadcast IKE packet may kill you\n");
- break;
-#endif
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "unsupported address family %d\n",
- lcconf->default_af);
- goto err_and_next;
- }
-
-#ifdef INET6
- if (p->addr->sa_family == AF_INET6 &&
- IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *)
- p->addr)->sin6_addr))
- {
- plog(LLV_DEBUG, LOCATION, NULL,
- "Ignoring multicast address %s\n",
- saddr2str(p->addr));
- racoon_free(p->addr);
- p->addr = NULL;
- continue;
- }
-#endif
-
- if ((p->sock = socket(p->addr->sa_family, SOCK_DGRAM, 0)) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "socket (%s)\n", strerror(errno));
- goto err_and_next;
- }
-#ifdef ANDROID_CHANGES
- protectFromVpn(p->sock);
-#endif
-
- if (fcntl(p->sock, F_SETFL, O_NONBLOCK) == -1)
- plog(LLV_WARNING, LOCATION, NULL,
- "failed to put socket in non-blocking mode\n");
-
- /* receive my interface address on inbound packets. */
- switch (p->addr->sa_family) {
- case AF_INET:
- if (setsockopt(p->sock, IPPROTO_IP,
-#ifdef __linux__
- IP_PKTINFO,
-#else
- IP_RECVDSTADDR,
-#endif
- (const void *)&yes, sizeof(yes)) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "setsockopt IP_RECVDSTADDR (%s)\n",
- strerror(errno));
- goto err_and_next;
- }
- break;
-#ifdef INET6
- case AF_INET6:
-#ifdef INET6_ADVAPI
-#ifdef IPV6_RECVPKTINFO
- pktinfo = IPV6_RECVPKTINFO;
-#else /* old adv. API */
- pktinfo = IPV6_PKTINFO;
-#endif /* IPV6_RECVPKTINFO */
-#else
- pktinfo = IPV6_RECVDSTADDR;
-#endif
- if (setsockopt(p->sock, IPPROTO_IPV6, pktinfo,
- (const void *)&yes, sizeof(yes)) < 0)
- {
- plog(LLV_ERROR, LOCATION, NULL,
- "setsockopt IPV6_RECVDSTADDR (%d):%s\n",
- pktinfo, strerror(errno));
- goto err_and_next;
- }
- break;
-#endif
- }
-
-#ifdef IPV6_USE_MIN_MTU
- if (p->addr->sa_family == AF_INET6 &&
- setsockopt(p->sock, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
- (void *)&yes, sizeof(yes)) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "setsockopt IPV6_USE_MIN_MTU (%s)\n",
- strerror(errno));
- return -1;
- }
-#endif
-
- if (setsockopt_bypass(p->sock, p->addr->sa_family) < 0)
- goto err_and_next;
-
- if (bind(p->sock, p->addr, sysdep_sa_len(p->addr)) < 0) {
- plog(LLV_ERROR, LOCATION, p->addr,
- "failed to bind to address %s (%s).\n",
- saddr2str(p->addr), strerror(errno));
- close(p->sock);
- goto err_and_next;
- }
-
- ifnum++;
-
- plog(LLV_INFO, LOCATION, NULL,
- "%s used as isakmp port (fd=%d)\n",
- saddr2str(p->addr), p->sock);
-
-#ifdef ENABLE_NATT
- if (p->addr->sa_family == AF_INET) {
- int option = -1;
-
-
- if(p->udp_encap)
- option = UDP_ENCAP_ESPINUDP;
-#if defined(ENABLE_NATT_00) || defined(ENABLE_NATT_01)
- else
- option = UDP_ENCAP_ESPINUDP_NON_IKE;
-#endif
- if(option != -1){
- if (setsockopt (p->sock, SOL_UDP,
- UDP_ENCAP, &option, sizeof (option)) < 0) {
- plog(LLV_WARNING, LOCATION, NULL,
- "setsockopt(%s): UDP_ENCAP %s\n",
- option == UDP_ENCAP_ESPINUDP ? "UDP_ENCAP_ESPINUDP" : "UDP_ENCAP_ESPINUDP_NON_IKE",
- strerror(errno));
- goto skip_encap;
- }
- else {
- plog(LLV_INFO, LOCATION, NULL,
- "%s used for NAT-T\n",
- saddr2str(p->addr));
- encap_ifnum++;
- }
- }
- }
-skip_encap:
-#endif
- continue;
-
- err_and_next:
- racoon_free(p->addr);
- p->addr = NULL;
- if (! lcconf->autograbaddr && lcconf->strict_address)
- return -1;
- continue;
- }
-
- if (!ifnum) {
- plog(LLV_ERROR, LOCATION, NULL,
- "no address could be bound.\n");
- return -1;
- }
-
-#ifdef ENABLE_NATT
- if (natt_enabled_in_rmconf() && !encap_ifnum) {
- plog(LLV_WARNING, LOCATION, NULL,
- "NAT-T is enabled in at least one remote{} section,\n");
- plog(LLV_WARNING, LOCATION, NULL,
- "but no 'isakmp_natt' address was specified!\n");
- }
-#endif
-
- return 0;
-}
-
-void
-isakmp_close()
-{
-#ifndef ANDROID_PATCHED
- struct myaddrs *p, *next;
-
- for (p = lcconf->myaddrs; p; p = next) {
- next = p->next;
-
- if (!p->addr) {
- racoon_free(p);
- continue;
- }
- close(p->sock);
- racoon_free(p->addr);
- racoon_free(p);
- }
-
- lcconf->myaddrs = NULL;
-#endif
-}
-
-int
-isakmp_send(iph1, sbuf)
- struct ph1handle *iph1;
- vchar_t *sbuf;
-{
- int len = 0;
- int s;
- vchar_t *vbuf = NULL, swap;
-
-#ifdef ENABLE_NATT
- size_t extralen = NON_ESP_MARKER_USE(iph1) ? NON_ESP_MARKER_LEN : 0;
-
- /* Check if NON_ESP_MARKER_LEN is already there (happens when resending packets)
- */
- if(extralen == NON_ESP_MARKER_LEN &&
- *(u_int32_t *)sbuf->v == 0)
- extralen = 0;
-
-#ifdef ENABLE_FRAG
- /*
- * Do not add the non ESP marker for a packet that will
- * be fragmented. The non ESP marker should appear in
- * all fragment's packets, but not in the fragmented packet
- */
- if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN)
- extralen = 0;
-#endif
- if (extralen)
- plog (LLV_DEBUG, LOCATION, NULL, "Adding NON-ESP marker\n");
-
- /* If NAT-T port floating is in use, 4 zero bytes (non-ESP marker)
- must added just before the packet itself. For this we must
- allocate a new buffer and release it at the end. */
- if (extralen) {
- if ((vbuf = vmalloc (sbuf->l + extralen)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "vbuf allocation failed\n");
- return -1;
- }
- *(u_int32_t *)vbuf->v = 0;
- memcpy (vbuf->v + extralen, sbuf->v, sbuf->l);
- /* ensures that the modified buffer will be sent back to the caller, so
- * add_recvdpkt() will add the correct buffer
- */
- swap = *sbuf;
- *sbuf = *vbuf;
- *vbuf = swap;
- vfree(vbuf);
- }
-#endif
-
- /* select the socket to be sent */
- s = getsockmyaddr(iph1->local);
- if (s == -1){
- return -1;
- }
-
- plog (LLV_DEBUG, LOCATION, NULL, "%zu bytes %s\n", sbuf->l,
- saddr2str_fromto("from %s to %s", iph1->local, iph1->remote));
-
-#ifdef ENABLE_FRAG
- if (iph1->frag && sbuf->l > ISAKMP_FRAG_MAXLEN) {
- if (isakmp_sendfrags(iph1, sbuf) == -1) {
- plog(LLV_ERROR, LOCATION, NULL,
- "isakmp_sendfrags failed\n");
- return -1;
- }
- } else
-#endif
- {
- len = sendfromto(s, sbuf->v, sbuf->l,
- iph1->local, iph1->remote, lcconf->count_persend);
-
- if (len == -1) {
- plog(LLV_ERROR, LOCATION, NULL, "sendfromto failed\n");
- return -1;
- }
- }
-
- return 0;
-}
-
-/* called from scheduler */
-void
-isakmp_ph1resend_stub(p)
- void *p;
-{
- struct ph1handle *iph1;
-
- iph1=(struct ph1handle *)p;
- if(isakmp_ph1resend(iph1) < 0){
- if(iph1->scr != NULL){
- /* Should not happen...
- */
- sched_kill(iph1->scr);
- iph1->scr=NULL;
- }
-
- remph1(iph1);
- delph1(iph1);
- }
-}
-
-int
-isakmp_ph1resend(iph1)
- struct ph1handle *iph1;
-{
- /* Note: NEVER do the rem/del here, it will be done by the caller or by the _stub function
- */
- if (iph1->retry_counter <= 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "phase1 negotiation failed due to time up. %s\n",
- isakmp_pindex(&iph1->index, iph1->msgid));
- EVT_PUSH(iph1->local, iph1->remote,
- EVTT_PEER_NO_RESPONSE, NULL);
-
- return -1;
- }
-
- if (isakmp_send(iph1, iph1->sendbuf) < 0){
- plog(LLV_ERROR, LOCATION, NULL,
- "phase1 negotiation failed due to send error. %s\n",
- isakmp_pindex(&iph1->index, iph1->msgid));
- EVT_PUSH(iph1->local, iph1->remote,
- EVTT_PEER_NO_RESPONSE, NULL);
- return -1;
- }
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "resend phase1 packet %s\n",
- isakmp_pindex(&iph1->index, iph1->msgid));
-
- iph1->retry_counter--;
-
- iph1->scr = sched_new(iph1->rmconf->retry_interval,
- isakmp_ph1resend_stub, iph1);
-
- return 0;
-}
-
-/* called from scheduler */
-void
-isakmp_ph2resend_stub(p)
- void *p;
-{
- struct ph2handle *iph2;
-
- iph2=(struct ph2handle *)p;
-
- if(isakmp_ph2resend(iph2) < 0){
- unbindph12(iph2);
- remph2(iph2);
- delph2(iph2);
- }
-}
-
-int
-isakmp_ph2resend(iph2)
- struct ph2handle *iph2;
-{
- /* Note: NEVER do the unbind/rem/del here, it will be done by the caller or by the _stub function
- */
- if (iph2->ph1->status == PHASE1ST_EXPIRED){
- plog(LLV_ERROR, LOCATION, NULL,
- "phase2 negotiation failed due to phase1 expired. %s\n",
- isakmp_pindex(&iph2->ph1->index, iph2->msgid));
- return -1;
- }
-
- if (iph2->retry_counter <= 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "phase2 negotiation failed due to time up. %s\n",
- isakmp_pindex(&iph2->ph1->index, iph2->msgid));
- EVT_PUSH(iph2->src, iph2->dst, EVTT_PEER_NO_RESPONSE, NULL);
- unbindph12(iph2);
- return -1;
- }
-
- if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0){
- plog(LLV_ERROR, LOCATION, NULL,
- "phase2 negotiation failed due to send error. %s\n",
- isakmp_pindex(&iph2->ph1->index, iph2->msgid));
- EVT_PUSH(iph2->src, iph2->dst, EVTT_PEER_NO_RESPONSE, NULL);
-
- return -1;
- }
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "resend phase2 packet %s\n",
- isakmp_pindex(&iph2->ph1->index, iph2->msgid));
-
- iph2->retry_counter--;
-
- iph2->scr = sched_new(iph2->ph1->rmconf->retry_interval,
- isakmp_ph2resend_stub, iph2);
-
- return 0;
-}
-
-/* called from scheduler */
-void
-isakmp_ph1expire_stub(p)
- void *p;
-{
-
- isakmp_ph1expire((struct ph1handle *)p);
-}
-
-void
-isakmp_ph1expire(iph1)
- struct ph1handle *iph1;
-{
- char *src, *dst;
-
- SCHED_KILL(iph1->sce);
-
- if(iph1->status != PHASE1ST_EXPIRED){
- src = racoon_strdup(saddr2str(iph1->local));
- dst = racoon_strdup(saddr2str(iph1->remote));
- STRDUP_FATAL(src);
- STRDUP_FATAL(dst);
-
- plog(LLV_INFO, LOCATION, NULL,
- "ISAKMP-SA expired %s-%s spi:%s\n",
- src, dst,
- isakmp_pindex(&iph1->index, 0));
- racoon_free(src);
- racoon_free(dst);
- iph1->status = PHASE1ST_EXPIRED;
- }
-
- /*
- * the phase1 deletion is postponed until there is no phase2.
- */
- if (LIST_FIRST(&iph1->ph2tree) != NULL) {
- iph1->sce = sched_new(1, isakmp_ph1expire_stub, iph1);
- return;
- }
-
- iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
-}
-
-/* called from scheduler */
-void
-isakmp_ph1delete_stub(p)
- void *p;
-{
-
- isakmp_ph1delete((struct ph1handle *)p);
-}
-
-void
-isakmp_ph1delete(iph1)
- struct ph1handle *iph1;
-{
- char *src, *dst;
-
- SCHED_KILL(iph1->sce);
-
- if (LIST_FIRST(&iph1->ph2tree) != NULL) {
- iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
- return;
- }
-
- /* don't re-negosiation when the phase 1 SA expires. */
-
- src = racoon_strdup(saddr2str(iph1->local));
- dst = racoon_strdup(saddr2str(iph1->remote));
- STRDUP_FATAL(src);
- STRDUP_FATAL(dst);
-
- plog(LLV_INFO, LOCATION, NULL,
- "ISAKMP-SA deleted %s-%s spi:%s\n",
- src, dst, isakmp_pindex(&iph1->index, 0));
- EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_DOWN, NULL);
- racoon_free(src);
- racoon_free(dst);
-
- remph1(iph1);
- delph1(iph1);
-
- return;
-}
-
-/* called from scheduler.
- * this function will call only isakmp_ph2delete().
- * phase 2 handler remain forever if kernel doesn't cry a expire of phase 2 SA
- * by something cause. That's why this function is called after phase 2 SA
- * expires in the userland.
- */
-void
-isakmp_ph2expire_stub(p)
- void *p;
-{
-
- isakmp_ph2expire((struct ph2handle *)p);
-}
-
-void
-isakmp_ph2expire(iph2)
- struct ph2handle *iph2;
-{
- char *src, *dst;
-
- SCHED_KILL(iph2->sce);
-
- src = racoon_strdup(saddrwop2str(iph2->src));
- dst = racoon_strdup(saddrwop2str(iph2->dst));
- STRDUP_FATAL(src);
- STRDUP_FATAL(dst);
-
- plog(LLV_INFO, LOCATION, NULL,
- "phase2 sa expired %s-%s\n", src, dst);
- racoon_free(src);
- racoon_free(dst);
-
- iph2->status = PHASE2ST_EXPIRED;
-
- iph2->sce = sched_new(1, isakmp_ph2delete_stub, iph2);
-
- return;
-}
-
-/* called from scheduler */
-void
-isakmp_ph2delete_stub(p)
- void *p;
-{
-
- isakmp_ph2delete((struct ph2handle *)p);
-}
-
-void
-isakmp_ph2delete(iph2)
- struct ph2handle *iph2;
-{
- char *src, *dst;
-
- SCHED_KILL(iph2->sce);
-
- src = racoon_strdup(saddrwop2str(iph2->src));
- dst = racoon_strdup(saddrwop2str(iph2->dst));
- STRDUP_FATAL(src);
- STRDUP_FATAL(dst);
-
- plog(LLV_INFO, LOCATION, NULL,
- "phase2 sa deleted %s-%s\n", src, dst);
- racoon_free(src);
- racoon_free(dst);
-
- unbindph12(iph2);
- remph2(iph2);
- delph2(iph2);
-
- return;
-}
-
-/* %%%
- * Interface between PF_KEYv2 and ISAKMP
- */
-/*
- * receive ACQUIRE from kernel, and begin either phase1 or phase2.
- * if phase1 has been finished, begin phase2.
- */
-int
-isakmp_post_acquire(iph2)
- struct ph2handle *iph2;
-{
- struct remoteconf *rmconf;
- struct ph1handle *iph1 = NULL;
-
- plog(LLV_DEBUG, LOCATION, NULL, "in post_acquire\n");
-
- /* search appropreate configuration with masking port. */
- rmconf = getrmconf(iph2->dst);
- if (rmconf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "no configuration found for %s.\n",
- saddrwop2str(iph2->dst));
- return -1;
- }
-
- /* if passive mode, ignore the acquire message */
- if (rmconf->passive) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "because of passive mode, "
- "ignore the acquire message for %s.\n",
- saddrwop2str(iph2->dst));
- return 0;
- }
-
- /*
- * Search isakmp status table by address and port
- * If NAT-T is in use, consider null ports as a
- * wildcard and use IKE ports instead.
- */
-#ifdef ENABLE_NATT
- if (!extract_port(iph2->src) && !extract_port(iph2->dst)) {
- if ((iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL) {
- set_port(iph2->src, extract_port(iph1->local));
- set_port(iph2->dst, extract_port(iph1->remote));
- }
- } else {
- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
- }
-#else
- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
-#endif
-
- /* no ISAKMP-SA found. */
- if (iph1 == NULL) {
- struct sched *sc;
-
- iph2->retry_checkph1 = lcconf->retry_checkph1;
- sc = sched_new(1, isakmp_chkph1there_stub, iph2);
- plog(LLV_INFO, LOCATION, NULL,
- "IPsec-SA request for %s queued "
- "due to no phase1 found.\n",
- saddrwop2str(iph2->dst));
-
- /* start phase 1 negotiation as a initiator. */
- if (isakmp_ph1begin_i(rmconf, iph2->dst, iph2->src) < 0) {
- SCHED_KILL(sc);
- return -1;
- }
-
- return 0;
- /*NOTREACHED*/
- }
-
- /* found ISAKMP-SA, but on negotiation. */
- if (iph1->status != PHASE1ST_ESTABLISHED) {
- iph2->retry_checkph1 = lcconf->retry_checkph1;
- sched_new(1, isakmp_chkph1there_stub, iph2);
- plog(LLV_INFO, LOCATION, iph2->dst,
- "request for establishing IPsec-SA was queued "
- "due to no phase1 found.\n");
- return 0;
- /*NOTREACHED*/
- }
-
- /* found established ISAKMP-SA */
- /* i.e. iph1->status == PHASE1ST_ESTABLISHED */
-
- /* found ISAKMP-SA. */
- plog(LLV_DEBUG, LOCATION, NULL, "begin QUICK mode.\n");
-
- /* begin quick mode */
- if (isakmp_ph2begin_i(iph1, iph2))
- return -1;
-
- return 0;
-}
-
-/*
- * receive GETSPI from kernel.
- */
-int
-isakmp_post_getspi(iph2)
- struct ph2handle *iph2;
-{
-#ifdef ENABLE_STATS
- struct timeval start, end;
-#endif
-
- /* don't process it because there is no suitable phase1-sa. */
- if (iph2->ph1->status == PHASE1ST_EXPIRED) {
- plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
- "the negotiation is stopped, "
- "because there is no suitable ISAKMP-SA.\n");
- return -1;
- }
-
-#ifdef ENABLE_STATS
- gettimeofday(&start, NULL);
-#endif
- if ((ph2exchange[etypesw2(ISAKMP_ETYPE_QUICK)]
- [iph2->side]
- [iph2->status])(iph2, NULL) != 0)
- return -1;
-#ifdef ENABLE_STATS
- gettimeofday(&end, NULL);
- syslog(LOG_NOTICE, "%s(%s): %8.6f",
- "phase2",
- s_isakmp_state(ISAKMP_ETYPE_QUICK, iph2->side, iph2->status),
- timedelta(&start, &end));
-#endif
-
- return 0;
-}
-
-/* called by scheduler */
-void
-isakmp_chkph1there_stub(p)
- void *p;
-{
- isakmp_chkph1there((struct ph2handle *)p);
-}
-
-void
-isakmp_chkph1there(iph2)
- struct ph2handle *iph2;
-{
- struct ph1handle *iph1;
-
- iph2->retry_checkph1--;
- if (iph2->retry_checkph1 < 0) {
- plog(LLV_ERROR, LOCATION, iph2->dst,
- "phase2 negotiation failed "
- "due to time up waiting for phase1. %s\n",
- sadbsecas2str(iph2->dst, iph2->src,
- iph2->satype, 0, 0));
- plog(LLV_INFO, LOCATION, NULL,
- "delete phase 2 handler.\n");
-
- /* send acquire to kernel as error */
- pk_sendeacquire(iph2);
-
- unbindph12(iph2);
- remph2(iph2);
- delph2(iph2);
-
- return;
- }
-
- /*
- * Search isakmp status table by address and port
- * If NAT-T is in use, consider null ports as a
- * wildcard and use IKE ports instead.
- */
-#ifdef ENABLE_NATT
- if (!extract_port(iph2->src) && !extract_port(iph2->dst)) {
- plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: extract_port.\n");
- if( (iph1 = getph1byaddrwop(iph2->src, iph2->dst)) != NULL){
- plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: found a ph1 wop.\n");
- }
- } else {
- plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: searching byaddr.\n");
- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
- if(iph1 != NULL)
- plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: found byaddr.\n");
- }
-#else
- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
-#endif
-
- /* XXX Even if ph1 as responder is there, should we not start
- * phase 2 negotiation ? */
- if (iph1 != NULL
- && iph1->status == PHASE1ST_ESTABLISHED) {
- /* found isakmp-sa */
-
- plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: got a ph1 handler, setting ports.\n");
- plog(LLV_DEBUG2, LOCATION, NULL, "iph1->local: %s\n", saddr2str(iph1->local));
- plog(LLV_DEBUG2, LOCATION, NULL, "iph1->remote: %s\n", saddr2str(iph1->remote));
- plog(LLV_DEBUG2, LOCATION, NULL, "before:\n");
- plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(iph2->src));
- plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(iph2->dst));
- set_port(iph2->src, extract_port(iph1->local));
- set_port(iph2->dst, extract_port(iph1->remote));
- plog(LLV_DEBUG2, LOCATION, NULL, "After:\n");
- plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(iph2->src));
- plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(iph2->dst));
-
- /* begin quick mode */
- (void)isakmp_ph2begin_i(iph1, iph2);
- return;
- }
-
- plog(LLV_DEBUG2, LOCATION, NULL, "CHKPH1THERE: no established ph1 handler found\n");
-
- /* no isakmp-sa found */
- sched_new(1, isakmp_chkph1there_stub, iph2);
-
- return;
-}
-
-/* copy variable data into ALLOCATED buffer. */
-caddr_t
-isakmp_set_attr_v(buf, type, val, len)
- caddr_t buf;
- int type;
- caddr_t val;
- int len;
-{
- struct isakmp_data *data;
-
- data = (struct isakmp_data *)buf;
- data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV);
- data->lorv = htons((u_int16_t)len);
- memcpy(data + 1, val, len);
-
- return buf + sizeof(*data) + len;
-}
-
-/* copy fixed length data into ALLOCATED buffer. */
-caddr_t
-isakmp_set_attr_l(buf, type, val)
- caddr_t buf;
- int type;
- u_int32_t val;
-{
- struct isakmp_data *data;
-
- data = (struct isakmp_data *)buf;
- data->type = htons((u_int16_t)type | ISAKMP_GEN_TV);
- data->lorv = htons((u_int16_t)val);
-
- return buf + sizeof(*data);
-}
-
-/* add a variable data attribute to the buffer by reallocating it. */
-vchar_t *
-isakmp_add_attr_v(buf0, type, val, len)
- vchar_t *buf0;
- int type;
- caddr_t val;
- int len;
-{
- vchar_t *buf = NULL;
- struct isakmp_data *data;
- int tlen;
- int oldlen = 0;
-
- tlen = sizeof(*data) + len;
-
- if (buf0) {
- oldlen = buf0->l;
- buf = vrealloc(buf0, oldlen + tlen);
- } else
- buf = vmalloc(tlen);
- if (!buf) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get a attribute buffer.\n");
- return NULL;
- }
-
- data = (struct isakmp_data *)(buf->v + oldlen);
- data->type = htons((u_int16_t)type | ISAKMP_GEN_TLV);
- data->lorv = htons((u_int16_t)len);
- memcpy(data + 1, val, len);
-
- return buf;
-}
-
-/* add a fixed data attribute to the buffer by reallocating it. */
-vchar_t *
-isakmp_add_attr_l(buf0, type, val)
- vchar_t *buf0;
- int type;
- u_int32_t val;
-{
- vchar_t *buf = NULL;
- struct isakmp_data *data;
- int tlen;
- int oldlen = 0;
-
- tlen = sizeof(*data);
-
- if (buf0) {
- oldlen = buf0->l;
- buf = vrealloc(buf0, oldlen + tlen);
- } else
- buf = vmalloc(tlen);
- if (!buf) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get a attribute buffer.\n");
- return NULL;
- }
-
- data = (struct isakmp_data *)(buf->v + oldlen);
- data->type = htons((u_int16_t)type | ISAKMP_GEN_TV);
- data->lorv = htons((u_int16_t)val);
-
- return buf;
-}
-
-/*
- * calculate cookie and set.
- */
-int
-isakmp_newcookie(place, remote, local)
- caddr_t place;
- struct sockaddr *remote;
- struct sockaddr *local;
-{
- vchar_t *buf = NULL, *buf2 = NULL;
- char *p;
- int blen;
- int alen;
- caddr_t sa1, sa2;
- time_t t;
- int error = -1;
- u_short port;
-
-
- if (remote->sa_family != local->sa_family) {
- plog(LLV_ERROR, LOCATION, NULL,
- "address family mismatch, remote:%d local:%d\n",
- remote->sa_family, local->sa_family);
- goto end;
- }
- switch (remote->sa_family) {
- case AF_INET:
- alen = sizeof(struct in_addr);
- sa1 = (caddr_t)&((struct sockaddr_in *)remote)->sin_addr;
- sa2 = (caddr_t)&((struct sockaddr_in *)local)->sin_addr;
- break;
-#ifdef INET6
- case AF_INET6:
- alen = sizeof(struct in6_addr);
- sa1 = (caddr_t)&((struct sockaddr_in6 *)remote)->sin6_addr;
- sa2 = (caddr_t)&((struct sockaddr_in6 *)local)->sin6_addr;
- break;
-#endif
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid family: %d\n", remote->sa_family);
- goto end;
- }
- blen = (alen + sizeof(u_short)) * 2
- + sizeof(time_t) + lcconf->secret_size;
- buf = vmalloc(blen);
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get a cookie.\n");
- goto end;
- }
- p = buf->v;
-
- /* copy my address */
- memcpy(p, sa1, alen);
- p += alen;
- port = ((struct sockaddr_in *)remote)->sin_port;
- memcpy(p, &port, sizeof(u_short));
- p += sizeof(u_short);
-
- /* copy target address */
- memcpy(p, sa2, alen);
- p += alen;
- port = ((struct sockaddr_in *)local)->sin_port;
- memcpy(p, &port, sizeof(u_short));
- p += sizeof(u_short);
-
- /* copy time */
- t = time(0);
- memcpy(p, (caddr_t)&t, sizeof(t));
- p += sizeof(t);
-
- /* copy random value */
- buf2 = eay_set_random(lcconf->secret_size);
- if (buf2 == NULL)
- goto end;
- memcpy(p, buf2->v, lcconf->secret_size);
- p += lcconf->secret_size;
- vfree(buf2);
-
- buf2 = eay_sha1_one(buf);
- memcpy(place, buf2->v, sizeof(cookie_t));
-
- sa1 = val2str(place, sizeof (cookie_t));
- plog(LLV_DEBUG, LOCATION, NULL, "new cookie:\n%s\n", sa1);
- racoon_free(sa1);
-
- error = 0;
-end:
- if (buf != NULL)
- vfree(buf);
- if (buf2 != NULL)
- vfree(buf2);
- return error;
-}
-
-/*
- * save partner's(payload) data into phhandle.
- */
-int
-isakmp_p2ph(buf, gen)
- vchar_t **buf;
- struct isakmp_gen *gen;
-{
- /* XXX to be checked in each functions for logging. */
- if (*buf) {
- plog(LLV_WARNING, LOCATION, NULL,
- "ignore this payload, same payload type exist.\n");
- return -1;
- }
-
- *buf = vmalloc(ntohs(gen->len) - sizeof(*gen));
- if (*buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get buffer.\n");
- return -1;
- }
- memcpy((*buf)->v, gen + 1, (*buf)->l);
-
- return 0;
-}
-
-u_int32_t
-isakmp_newmsgid2(iph1)
- struct ph1handle *iph1;
-{
- u_int32_t msgid2;
-
- do {
- msgid2 = eay_random();
- } while (getph2bymsgid(iph1, msgid2));
-
- return msgid2;
-}
-
-/*
- * set values into allocated buffer of isakmp header for phase 1
- */
-static caddr_t
-set_isakmp_header(vbuf, iph1, nptype, etype, flags, msgid)
- vchar_t *vbuf;
- struct ph1handle *iph1;
- int nptype;
- u_int8_t etype;
- u_int8_t flags;
- u_int32_t msgid;
-{
- struct isakmp *isakmp;
-
- if (vbuf->l < sizeof(*isakmp))
- return NULL;
-
- isakmp = (struct isakmp *)vbuf->v;
-
- memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(cookie_t));
- memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(cookie_t));
- isakmp->np = nptype;
- isakmp->v = iph1->version;
- isakmp->etype = etype;
- isakmp->flags = flags;
- isakmp->msgid = msgid;
- isakmp->len = htonl(vbuf->l);
-
- return vbuf->v + sizeof(*isakmp);
-}
-
-/*
- * set values into allocated buffer of isakmp header for phase 1
- */
-caddr_t
-set_isakmp_header1(vbuf, iph1, nptype)
- vchar_t *vbuf;
- struct ph1handle *iph1;
- int nptype;
-{
- return set_isakmp_header (vbuf, iph1, nptype, iph1->etype, iph1->flags, iph1->msgid);
-}
-
-/*
- * set values into allocated buffer of isakmp header for phase 2
- */
-caddr_t
-set_isakmp_header2(vbuf, iph2, nptype)
- vchar_t *vbuf;
- struct ph2handle *iph2;
- int nptype;
-{
- return set_isakmp_header (vbuf, iph2->ph1, nptype, ISAKMP_ETYPE_QUICK, iph2->flags, iph2->msgid);
-}
-
-/*
- * set values into allocated buffer of isakmp payload.
- */
-caddr_t
-set_isakmp_payload(buf, src, nptype)
- caddr_t buf;
- vchar_t *src;
- int nptype;
-{
- struct isakmp_gen *gen;
- caddr_t p = buf;
-
- plog(LLV_DEBUG, LOCATION, NULL, "add payload of len %zu, next type %d\n",
- src->l, nptype);
-
- gen = (struct isakmp_gen *)p;
- gen->np = nptype;
- gen->len = htons(sizeof(*gen) + src->l);
- p += sizeof(*gen);
- memcpy(p, src->v, src->l);
- p += src->l;
-
- return p;
-}
-
-static int
-etypesw1(etype)
- int etype;
-{
- switch (etype) {
- case ISAKMP_ETYPE_IDENT:
- return 1;
- case ISAKMP_ETYPE_AGG:
- return 2;
- case ISAKMP_ETYPE_BASE:
- return 3;
- default:
- return 0;
- }
- /*NOTREACHED*/
-}
-
-static int
-etypesw2(etype)
- int etype;
-{
- switch (etype) {
- case ISAKMP_ETYPE_QUICK:
- return 1;
- default:
- return 0;
- }
- /*NOTREACHED*/
-}
-
-#ifdef HAVE_PRINT_ISAKMP_C
-/* for print-isakmp.c */
-char *snapend;
-extern void isakmp_print __P((const u_char *, u_int, const u_char *));
-
-char *getname __P((const u_char *));
-#ifdef INET6
-char *getname6 __P((const u_char *));
-#endif
-int safeputchar __P((int));
-
-/*
- * Return a name for the IP address pointed to by ap. This address
- * is assumed to be in network byte order.
- */
-char *
-getname(ap)
- const u_char *ap;
-{
- struct sockaddr_in addr;
- static char ntop_buf[NI_MAXHOST];
-
- memset(&addr, 0, sizeof(addr));
-#ifndef __linux__
- addr.sin_len = sizeof(struct sockaddr_in);
-#endif
- addr.sin_family = AF_INET;
- memcpy(&addr.sin_addr, ap, sizeof(addr.sin_addr));
- if (getnameinfo((struct sockaddr *)&addr, sizeof(addr),
- ntop_buf, sizeof(ntop_buf), NULL, 0,
- NI_NUMERICHOST | niflags))
- strlcpy(ntop_buf, "?", sizeof(ntop_buf));
-
- return ntop_buf;
-}
-
-#ifdef INET6
-/*
- * Return a name for the IP6 address pointed to by ap. This address
- * is assumed to be in network byte order.
- */
-char *
-getname6(ap)
- const u_char *ap;
-{
- struct sockaddr_in6 addr;
- static char ntop_buf[NI_MAXHOST];
-
- memset(&addr, 0, sizeof(addr));
- addr.sin6_len = sizeof(struct sockaddr_in6);
- addr.sin6_family = AF_INET6;
- memcpy(&addr.sin6_addr, ap, sizeof(addr.sin6_addr));
- if (getnameinfo((struct sockaddr *)&addr, addr.sin6_len,
- ntop_buf, sizeof(ntop_buf), NULL, 0,
- NI_NUMERICHOST | niflags))
- strlcpy(ntop_buf, "?", sizeof(ntop_buf));
-
- return ntop_buf;
-}
-#endif /* INET6 */
-
-int
-safeputchar(c)
- int c;
-{
- unsigned char ch;
-
- ch = (unsigned char)(c & 0xff);
- if (c < 0x80 && isprint(c))
- return printf("%c", c & 0xff);
- else
- return printf("\\%03o", c & 0xff);
-}
-
-void
-isakmp_printpacket(msg, from, my, decoded)
- vchar_t *msg;
- struct sockaddr *from;
- struct sockaddr *my;
- int decoded;
-{
-#ifdef YIPS_DEBUG
- struct timeval tv;
- int s;
- char hostbuf[NI_MAXHOST];
- char portbuf[NI_MAXSERV];
- struct isakmp *isakmp;
- vchar_t *buf;
-#endif
-
- if (loglevel < LLV_DEBUG)
- return;
-
-#ifdef YIPS_DEBUG
- plog(LLV_DEBUG, LOCATION, NULL, "begin.\n");
-
- gettimeofday(&tv, NULL);
- s = tv.tv_sec % 3600;
- printf("%02d:%02d.%06u ", s / 60, s % 60, (u_int32_t)tv.tv_usec);
-
- if (from) {
- if (getnameinfo(from, sysdep_sa_len(from), hostbuf, sizeof(hostbuf),
- portbuf, sizeof(portbuf),
- NI_NUMERICHOST | NI_NUMERICSERV | niflags)) {
- strlcpy(hostbuf, "?", sizeof(hostbuf));
- strlcpy(portbuf, "?", sizeof(portbuf));
- }
- printf("%s:%s", hostbuf, portbuf);
- } else
- printf("?");
- printf(" -> ");
- if (my) {
- if (getnameinfo(my, sysdep_sa_len(my), hostbuf, sizeof(hostbuf),
- portbuf, sizeof(portbuf),
- NI_NUMERICHOST | NI_NUMERICSERV | niflags)) {
- strlcpy(hostbuf, "?", sizeof(hostbuf));
- strlcpy(portbuf, "?", sizeof(portbuf));
- }
- printf("%s:%s", hostbuf, portbuf);
- } else
- printf("?");
- printf(": ");
-
- buf = vdup(msg);
- if (!buf) {
- printf("(malloc fail)\n");
- return;
- }
- if (decoded) {
- isakmp = (struct isakmp *)buf->v;
- if (isakmp->flags & ISAKMP_FLAG_E) {
-#if 0
- int pad;
- pad = *(u_char *)(buf->v + buf->l - 1);
- if (buf->l < pad && 2 < vflag)
- printf("(wrong padding)");
-#endif
- isakmp->flags &= ~ISAKMP_FLAG_E;
- }
- }
-
- snapend = buf->v + buf->l;
- isakmp_print(buf->v, buf->l, NULL);
- vfree(buf);
- printf("\n");
- fflush(stdout);
-
- return;
-#endif
-}
-#endif /*HAVE_PRINT_ISAKMP_C*/
-
-int
-copy_ph1addresses(iph1, rmconf, remote, local)
- struct ph1handle *iph1;
- struct remoteconf *rmconf;
- struct sockaddr *remote, *local;
-{
- u_int16_t port;
-
- /* address portion must be grabbed from real remote address "remote" */
- iph1->remote = dupsaddr(remote);
- if (iph1->remote == NULL)
- return -1;
-
- /*
- * if remote has no port # (in case of initiator - from ACQUIRE msg)
- * - if remote.conf specifies port #, use that
- * - if remote.conf does not, use 500
- * if remote has port # (in case of responder - from recvfrom(2))
- * respect content of "remote".
- */
- if (extract_port(iph1->remote) == 0) {
- port = extract_port(rmconf->remote);
- if (port == 0)
- port = PORT_ISAKMP;
- set_port(iph1->remote, port);
- }
-
- if (local == NULL)
- iph1->local = getlocaladdr(iph1->remote);
- else
- iph1->local = dupsaddr(local);
- if (iph1->local == NULL)
- return -1;
-
- if (extract_port(iph1->local) == 0)
- set_port(iph1->local, PORT_ISAKMP);
-
-#ifdef ENABLE_NATT
- if (extract_port(iph1->local) == lcconf->port_isakmp_natt) {
- plog(LLV_DEBUG, LOCATION, NULL, "Marking ports as changed\n");
- iph1->natt_flags |= NAT_ADD_NON_ESP_MARKER;
- }
-#endif
-
- return 0;
-}
-
-static int
-nostate1(iph1, msg)
- struct ph1handle *iph1;
- vchar_t *msg;
-{
- plog(LLV_ERROR, LOCATION, iph1->remote, "wrong state %u.\n",
- iph1->status);
- return -1;
-}
-
-static int
-nostate2(iph2, msg)
- struct ph2handle *iph2;
- vchar_t *msg;
-{
- plog(LLV_ERROR, LOCATION, iph2->ph1->remote, "wrong state %u.\n",
- iph2->status);
- return -1;
-}
-
-void
-log_ph1established(iph1)
- const struct ph1handle *iph1;
-{
- char *src, *dst;
-
- src = racoon_strdup(saddr2str(iph1->local));
- dst = racoon_strdup(saddr2str(iph1->remote));
- STRDUP_FATAL(src);
- STRDUP_FATAL(dst);
-
- plog(LLV_INFO, LOCATION, NULL,
- "ISAKMP-SA established %s-%s spi:%s\n",
- src, dst,
- isakmp_pindex(&iph1->index, 0));
-
- EVT_PUSH(iph1->local, iph1->remote, EVTT_PHASE1_UP, NULL);
- if(!iph1->rmconf->mode_cfg) {
- EVT_PUSH(iph1->local, iph1->remote, EVTT_NO_ISAKMP_CFG, NULL);
- }
-
- racoon_free(src);
- racoon_free(dst);
-
- return;
-}
-
-struct payload_list *
-isakmp_plist_append (struct payload_list *plist, vchar_t *payload, int payload_type)
-{
- if (! plist) {
- plist = racoon_malloc (sizeof (struct payload_list));
- plist->prev = NULL;
- }
- else {
- plist->next = racoon_malloc (sizeof (struct payload_list));
- plist->next->prev = plist;
- plist = plist->next;
- }
-
- plist->next = NULL;
- plist->payload = payload;
- plist->payload_type = payload_type;
-
- return plist;
-}
-
-vchar_t *
-isakmp_plist_set_all (struct payload_list **plist, struct ph1handle *iph1)
-{
- struct payload_list *ptr = *plist, *first;
- size_t tlen = sizeof (struct isakmp), n = 0;
- vchar_t *buf = NULL;
- char *p;
-
- /* Seek to the first item. */
- while (ptr->prev) ptr = ptr->prev;
- first = ptr;
-
- /* Compute the whole length. */
- while (ptr) {
- tlen += ptr->payload->l + sizeof (struct isakmp_gen);
- ptr = ptr->next;
- }
-
- buf = vmalloc(tlen);
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get buffer to send.\n");
- goto end;
- }
-
- ptr = first;
-
- p = set_isakmp_header1(buf, iph1, ptr->payload_type);
- if (p == NULL)
- goto end;
-
- while (ptr)
- {
- p = set_isakmp_payload (p, ptr->payload, ptr->next ? ptr->next->payload_type : ISAKMP_NPTYPE_NONE);
- first = ptr;
- ptr = ptr->next;
- racoon_free (first);
- /* ptr->prev = NULL; first = NULL; ... omitted. */
- n++;
- }
-
- *plist = NULL;
-
- return buf;
-end:
- if (buf != NULL)
- vfree(buf);
- return NULL;
-}
-
-#ifdef ENABLE_FRAG
-int
-frag_handler(iph1, msg, remote, local)
- struct ph1handle *iph1;
- vchar_t *msg;
- struct sockaddr *remote;
- struct sockaddr *local;
-{
- vchar_t *newmsg;
-
- if (isakmp_frag_extract(iph1, msg) == 1) {
- if ((newmsg = isakmp_frag_reassembly(iph1)) == NULL) {
- plog(LLV_ERROR, LOCATION, remote,
- "Packet reassembly failed\n");
- return -1;
- }
- return isakmp_main(newmsg, remote, local);
- }
-
- return 0;
-}
-#endif
-
-void
-script_hook(iph1, script)
- struct ph1handle *iph1;
- int script;
-{
-#define IP_MAX 40
-#define PORT_MAX 6
- char addrstr[IP_MAX];
- char portstr[PORT_MAX];
- char **envp = NULL;
- int envc = 1;
- struct sockaddr_in *sin;
- char **c;
-
- if (iph1 == NULL ||
- iph1->rmconf == NULL ||
- iph1->rmconf->script[script] == NULL)
- return;
-
-#ifdef ENABLE_HYBRID
- (void)isakmp_cfg_setenv(iph1, &envp, &envc);
-#endif
-
- /* local address */
- sin = (struct sockaddr_in *)iph1->local;
- inet_ntop(sin->sin_family, &sin->sin_addr, addrstr, IP_MAX);
- snprintf(portstr, PORT_MAX, "%d", ntohs(sin->sin_port));
-
- if (script_env_append(&envp, &envc, "LOCAL_ADDR", addrstr) != 0) {
- plog(LLV_ERROR, LOCATION, NULL, "Cannot set LOCAL_ADDR\n");
- goto out;
- }
-
- if (script_env_append(&envp, &envc, "LOCAL_PORT", portstr) != 0) {
- plog(LLV_ERROR, LOCATION, NULL, "Cannot set LOCAL_PORT\n");
- goto out;
- }
-
- /* Peer address */
- if (iph1->remote != NULL) {
- sin = (struct sockaddr_in *)iph1->remote;
- inet_ntop(sin->sin_family, &sin->sin_addr, addrstr, IP_MAX);
- snprintf(portstr, PORT_MAX, "%d", ntohs(sin->sin_port));
-
- if (script_env_append(&envp, &envc,
- "REMOTE_ADDR", addrstr) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot set REMOTE_ADDR\n");
- goto out;
- }
-
- if (script_env_append(&envp, &envc,
- "REMOTE_PORT", portstr) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot set REMOTEL_PORT\n");
- goto out;
- }
- }
-
- if (privsep_script_exec(iph1->rmconf->script[script]->v,
- script, envp) != 0)
- plog(LLV_ERROR, LOCATION, NULL,
- "Script %s execution failed\n", script_names[script]);
-
-out:
- for (c = envp; *c; c++)
- racoon_free(*c);
-
- racoon_free(envp);
-
- return;
-}
-
-int
-script_env_append(envp, envc, name, value)
- char ***envp;
- int *envc;
- char *name;
- char *value;
-{
- char *envitem;
- char **newenvp;
- int newenvc;
-
- if (value == NULL) {
- value = "";
- }
-
- envitem = racoon_malloc(strlen(name) + 1 + strlen(value) + 1);
- if (envitem == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot allocate memory: %s\n", strerror(errno));
- return -1;
- }
- sprintf(envitem, "%s=%s", name, value);
-
- newenvc = (*envc) + 1;
- newenvp = racoon_realloc(*envp, newenvc * sizeof(char *));
- if (newenvp == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot allocate memory: %s\n", strerror(errno));
- racoon_free(envitem);
- return -1;
- }
-
- newenvp[newenvc - 2] = envitem;
- newenvp[newenvc - 1] = NULL;
-
- *envp = newenvp;
- *envc = newenvc;
- return 0;
-}
-
-int
-script_exec(script, name, envp)
- char *script;
- int name;
- char *const envp[];
-{
- char *argv[] = { NULL, NULL, NULL };
-
- argv[0] = script;
- argv[1] = script_names[name];
- argv[2] = NULL;
-
- switch (fork()) {
- case 0:
- execve(argv[0], argv, envp);
- plog(LLV_ERROR, LOCATION, NULL,
- "execve(\"%s\") failed: %s\n",
- argv[0], strerror(errno));
- _exit(1);
- break;
- case -1:
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot fork: %s\n", strerror(errno));
- return -1;
- break;
- default:
- break;
- }
- return 0;
-
-}
-
-void
-purge_remote(iph1)
- struct ph1handle *iph1;
-{
- vchar_t *buf = NULL;
- struct sadb_msg *msg, *next, *end;
- struct sadb_sa *sa;
- struct sockaddr *src, *dst;
- caddr_t mhp[SADB_EXT_MAX + 1];
- u_int proto_id;
- struct ph2handle *iph2;
- struct ph1handle *new_iph1;
-
- plog(LLV_INFO, LOCATION, NULL,
- "purging ISAKMP-SA spi=%s.\n",
- isakmp_pindex(&(iph1->index), iph1->msgid));
-
- /* Mark as expired. */
- iph1->status = PHASE1ST_EXPIRED;
-
- /* Check if we have another, still valid, phase1 SA. */
- new_iph1 = getph1byaddr(iph1->local, iph1->remote, 1);
-
- /*
- * Delete all orphaned or binded to the deleting ph1handle phase2 SAs.
- * Keep all others phase2 SAs.
- */
- buf = pfkey_dump_sadb(SADB_SATYPE_UNSPEC);
- if (buf == NULL) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "pfkey_dump_sadb returned nothing.\n");
- return;
- }
-
- msg = (struct sadb_msg *)buf->v;
- end = (struct sadb_msg *)(buf->v + buf->l);
-
- while (msg < end) {
- if ((msg->sadb_msg_len << 3) < sizeof(*msg))
- break;
- next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3));
- if (msg->sadb_msg_type != SADB_DUMP) {
- msg = next;
- continue;
- }
-
- if (pfkey_align(msg, mhp) || pfkey_check(mhp)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "pfkey_check (%s)\n", ipsec_strerror());
- msg = next;
- continue;
- }
-
- sa = (struct sadb_sa *)(mhp[SADB_EXT_SA]);
- if (!sa ||
- !mhp[SADB_EXT_ADDRESS_SRC] ||
- !mhp[SADB_EXT_ADDRESS_DST]) {
- msg = next;
- continue;
- }
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
- if (sa->sadb_sa_state != SADB_SASTATE_LARVAL &&
- sa->sadb_sa_state != SADB_SASTATE_MATURE &&
- sa->sadb_sa_state != SADB_SASTATE_DYING) {
- msg = next;
- continue;
- }
-
- /*
- * check in/outbound SAs.
- * Select only SAs where src == local and dst == remote (outgoing)
- * or src == remote and dst == local (incoming).
- */
- if ((CMPSADDR(iph1->local, src) || CMPSADDR(iph1->remote, dst)) &&
- (CMPSADDR(iph1->local, dst) || CMPSADDR(iph1->remote, src))) {
- msg = next;
- continue;
- }
-
- proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
- iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
-
- /* Check if there is another valid ISAKMP-SA */
- if (new_iph1 != NULL) {
-
- if (iph2 == NULL) {
- /* No handler... still send a pfkey_delete message, but log this !*/
- plog(LLV_INFO, LOCATION, NULL,
- "Unknown IPsec-SA spi=%u, hmmmm?\n",
- ntohl(sa->sadb_sa_spi));
- }else{
-
- /*
- * If we have a new ph1, do not purge IPsec-SAs binded
- * to a different ISAKMP-SA
- */
- if (iph2->ph1 != NULL && iph2->ph1 != iph1){
- msg = next;
- continue;
- }
-
- /* If the ph2handle is established, do not purge IPsec-SA */
- if (iph2->status == PHASE2ST_ESTABLISHED ||
- iph2->status == PHASE2ST_EXPIRED) {
-
- plog(LLV_INFO, LOCATION, NULL,
- "keeping IPsec-SA spi=%u - found valid ISAKMP-SA spi=%s.\n",
- ntohl(sa->sadb_sa_spi),
- isakmp_pindex(&(new_iph1->index), new_iph1->msgid));
- msg = next;
- continue;
- }
- }
- }
-
-
- pfkey_send_delete(lcconf->sock_pfkey,
- msg->sadb_msg_satype,
- IPSEC_MODE_ANY,
- src, dst, sa->sadb_sa_spi);
-
- /* delete a relative phase 2 handle. */
- if (iph2 != NULL) {
- delete_spd(iph2, 0);
- unbindph12(iph2);
- remph2(iph2);
- delph2(iph2);
- }
-
- plog(LLV_INFO, LOCATION, NULL,
- "purged IPsec-SA spi=%u.\n",
- ntohl(sa->sadb_sa_spi));
-
- msg = next;
- }
-
- if (buf)
- vfree(buf);
-
- /* Mark the phase1 handler as EXPIRED */
- plog(LLV_INFO, LOCATION, NULL,
- "purged ISAKMP-SA spi=%s.\n",
- isakmp_pindex(&(iph1->index), iph1->msgid));
-
- SCHED_KILL(iph1->sce);
-
- iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
-}
-
-void
-delete_spd(iph2, created)
- struct ph2handle *iph2;
- u_int64_t created;
-{
- struct policyindex spidx;
- struct sockaddr_storage addr;
- u_int8_t pref;
- struct sockaddr *src;
- struct sockaddr *dst;
- int error;
- int idi2type = 0;/* switch whether copy IDs into id[src,dst]. */
-
- if (iph2 == NULL)
- return;
-
- /* Delete the SPD entry if we generated it
- */
- if (! iph2->generated_spidx )
- return;
-
- src = iph2->src;
- dst = iph2->dst;
-
- plog(LLV_INFO, LOCATION, NULL,
- "generated policy, deleting it.\n");
-
- memset(&spidx, 0, sizeof(spidx));
- iph2->spidx_gen = (caddr_t )&spidx;
-
- /* make inbound policy */
- iph2->src = dst;
- iph2->dst = src;
- spidx.dir = IPSEC_DIR_INBOUND;
- spidx.ul_proto = 0;
-
- /*
- * Note: code from get_proposal_r
- */
-
-#define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type
-
- /*
- * make destination address in spidx from either ID payload
- * or phase 1 address into a address in spidx.
- */
- if (iph2->id != NULL
- && (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
- || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR
- || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET
- || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
- /* get a destination address of a policy */
- error = ipsecdoi_id2sockaddr(iph2->id,
- (struct sockaddr *)&spidx.dst,
- &spidx.prefd, &spidx.ul_proto);
- if (error)
- goto purge;
-
-#ifdef INET6
- /*
- * get scopeid from the SA address.
- * note that the phase 1 source address is used as
- * a destination address to search for a inbound
- * policy entry because rcoon is responder.
- */
- if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
- if ((error =
- setscopeid((struct sockaddr *)&spidx.dst,
- iph2->src)) != 0)
- goto purge;
- }
-#endif
-
- if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
- || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
- idi2type = _XIDT(iph2->id);
-
- } else {
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "get a destination address of SP index "
- "from phase1 address "
- "due to no ID payloads found "
- "OR because ID type is not address.\n");
-
- /*
- * copy the SOURCE address of IKE into the
- * DESTINATION address of the key to search the
- * SPD because the direction of policy is inbound.
- */
- memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src));
- switch (spidx.dst.ss_family) {
- case AF_INET:
- spidx.prefd =
- sizeof(struct in_addr) << 3;
- break;
-#ifdef INET6
- case AF_INET6:
- spidx.prefd =
- sizeof(struct in6_addr) << 3;
- break;
-#endif
- default:
- spidx.prefd = 0;
- break;
- }
- }
-
- /* make source address in spidx */
- if (iph2->id_p != NULL
- && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
- || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR
- || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET
- || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
- /* get a source address of inbound SA */
- error = ipsecdoi_id2sockaddr(iph2->id_p,
- (struct sockaddr *)&spidx.src,
- &spidx.prefs, &spidx.ul_proto);
- if (error)
- goto purge;
-
-#ifdef INET6
- /*
- * get scopeid from the SA address.
- * for more detail, see above of this function.
- */
- if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
- error =
- setscopeid((struct sockaddr *)&spidx.src,
- iph2->dst);
- if (error)
- goto purge;
- }
-#endif
-
- /* make id[src,dst] if both ID types are IP address and same */
- if (_XIDT(iph2->id_p) == idi2type
- && spidx.dst.ss_family == spidx.src.ss_family) {
- iph2->src_id =
- dupsaddr((struct sockaddr *)&spidx.dst);
- if (iph2->src_id == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "allocation failed\n");
- goto purge;
- }
- iph2->dst_id =
- dupsaddr((struct sockaddr *)&spidx.src);
- if (iph2->dst_id == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "allocation failed\n");
- goto purge;
- }
- }
-
- } else {
- plog(LLV_DEBUG, LOCATION, NULL,
- "get a source address of SP index "
- "from phase1 address "
- "due to no ID payloads found "
- "OR because ID type is not address.\n");
-
- /* see above comment. */
- memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst));
- switch (spidx.src.ss_family) {
- case AF_INET:
- spidx.prefs =
- sizeof(struct in_addr) << 3;
- break;
-#ifdef INET6
- case AF_INET6:
- spidx.prefs =
- sizeof(struct in6_addr) << 3;
- break;
-#endif
- default:
- spidx.prefs = 0;
- break;
- }
- }
-
-#undef _XIDT
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "get a src address from ID payload "
- "%s prefixlen=%u ul_proto=%u\n",
- saddr2str((struct sockaddr *)&spidx.src),
- spidx.prefs, spidx.ul_proto);
- plog(LLV_DEBUG, LOCATION, NULL,
- "get dst address from ID payload "
- "%s prefixlen=%u ul_proto=%u\n",
- saddr2str((struct sockaddr *)&spidx.dst),
- spidx.prefd, spidx.ul_proto);
-
- /*
- * convert the ul_proto if it is 0
- * because 0 in ID payload means a wild card.
- */
- if (spidx.ul_proto == 0)
- spidx.ul_proto = IPSEC_ULPROTO_ANY;
-
-#undef _XIDT
-
- /* Check if the generated SPD has the same timestamp as the SA.
- * If timestamps are different, this means that the SPD entry has been
- * refreshed by another SA, and should NOT be deleted with the current SA.
- */
- if( created ){
- struct secpolicy *p;
-
- p = getsp(&spidx);
- if(p != NULL){
- /* just do no test if p is NULL, because this probably just means
- * that the policy has already be deleted for some reason.
- */
- if(p->spidx.created != created)
- goto purge;
- }
- }
-
- /* End of code from get_proposal_r
- */
-
- if (pk_sendspddelete(iph2) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "pfkey spddelete(inbound) failed.\n");
- }else{
- plog(LLV_DEBUG, LOCATION, NULL,
- "pfkey spddelete(inbound) sent.\n");
- }
-
-#ifdef HAVE_POLICY_FWD
- /* make forward policy if required */
- if (tunnel_mode_prop(iph2->approval)) {
- spidx.dir = IPSEC_DIR_FWD;
- if (pk_sendspddelete(iph2) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "pfkey spddelete(forward) failed.\n");
- }else{
- plog(LLV_DEBUG, LOCATION, NULL,
- "pfkey spddelete(forward) sent.\n");
- }
- }
-#endif
-
- /* make outbound policy */
- iph2->src = src;
- iph2->dst = dst;
- spidx.dir = IPSEC_DIR_OUTBOUND;
- addr = spidx.src;
- spidx.src = spidx.dst;
- spidx.dst = addr;
- pref = spidx.prefs;
- spidx.prefs = spidx.prefd;
- spidx.prefd = pref;
-
- if (pk_sendspddelete(iph2) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "pfkey spddelete(outbound) failed.\n");
- }else{
- plog(LLV_DEBUG, LOCATION, NULL,
- "pfkey spddelete(outbound) sent.\n");
- }
-purge:
- iph2->spidx_gen=NULL;
-}
-
-
-#ifdef INET6
-u_int32_t
-setscopeid(sp_addr0, sa_addr0)
- struct sockaddr *sp_addr0, *sa_addr0;
-{
- struct sockaddr_in6 *sp_addr, *sa_addr;
-
- sp_addr = (struct sockaddr_in6 *)sp_addr0;
- sa_addr = (struct sockaddr_in6 *)sa_addr0;
-
- if (!IN6_IS_ADDR_LINKLOCAL(&sp_addr->sin6_addr)
- && !IN6_IS_ADDR_SITELOCAL(&sp_addr->sin6_addr)
- && !IN6_IS_ADDR_MULTICAST(&sp_addr->sin6_addr))
- return 0;
-
- /* this check should not be here ? */
- if (sa_addr->sin6_family != AF_INET6) {
- plog(LLV_ERROR, LOCATION, NULL,
- "can't get scope ID: family mismatch\n");
- return -1;
- }
-
- if (!IN6_IS_ADDR_LINKLOCAL(&sa_addr->sin6_addr)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "scope ID is not supported except of lladdr.\n");
- return -1;
- }
-
- sp_addr->sin6_scope_id = sa_addr->sin6_scope_id;
-
- return 0;
-}
-#endif
diff --git a/src/racoon/isakmp.h b/src/racoon/isakmp.h
deleted file mode 100644
index d0fd242..0000000
--- a/src/racoon/isakmp.h
+++ /dev/null
@@ -1,429 +0,0 @@
-/* $NetBSD: isakmp.h,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* Id: isakmp.h,v 1.11 2005/04/25 22:19:39 manubsd Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _ISAKMP_H
-#define _ISAKMP_H
-
-/* refer to RFC 2408 */
-
-/* must include <netinet/in.h> first. */
-/* must include "isakmp_var.h" first. */
-
-#define INITIATOR 0 /* synonym sender */
-#define RESPONDER 1 /* synonym receiver */
-
-#define GENERATE 1
-#define VALIDATE 0
-
-/* 3.1 ISAKMP Header Format
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- ! Initiator !
- ! Cookie !
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- ! Responder !
- ! Cookie !
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- ! Message ID !
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- ! Length !
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-struct isakmp {
- cookie_t i_ck; /* Initiator Cookie */
- cookie_t r_ck; /* Responder Cookie */
- u_int8_t np; /* Next Payload Type */
- u_int8_t v;
- u_int8_t etype; /* Exchange Type */
- u_int8_t flags; /* Flags */
- u_int32_t msgid;
- u_int32_t len; /* Length */
-} __attribute__((__packed__));
-
-/* Next Payload Type */
-#define ISAKMP_NPTYPE_NONE 0 /* NONE*/
-#define ISAKMP_NPTYPE_SA 1 /* Security Association */
-#define ISAKMP_NPTYPE_P 2 /* Proposal */
-#define ISAKMP_NPTYPE_T 3 /* Transform */
-#define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
-#define ISAKMP_NPTYPE_ID 5 /* Identification */
-#define ISAKMP_NPTYPE_CERT 6 /* Certificate */
-#define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
-#define ISAKMP_NPTYPE_HASH 8 /* Hash */
-#define ISAKMP_NPTYPE_SIG 9 /* Signature */
-#define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
-#define ISAKMP_NPTYPE_N 11 /* Notification */
-#define ISAKMP_NPTYPE_D 12 /* Delete */
-#define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
-#define ISAKMP_NPTYPE_ATTR 14 /* Attribute */
-
-
-/* NAT-T draft-ietf-ipsec-nat-t-ike-05 and later */
-/* XXX conflicts with values assigned to RFC 3547 */
-#define ISAKMP_NPTYPE_NATD_BADDRAFT 15 /* NAT Discovery */
-#define ISAKMP_NPTYPE_NATOA_BADDRAFT 16 /* NAT Original Address */
-
-
-/* NAT-T RFC */
-#define ISAKMP_NPTYPE_NATD_RFC 20 /* NAT Discovery */
-#define ISAKMP_NPTYPE_NATOA_RFC 21 /* NAT Original Address */
-
-/* NAT-T up to draft-ietf-ipsec-nat-t-ike-04 */
-#define ISAKMP_NPTYPE_NATD_DRAFT 130 /* NAT Discovery */
-#define ISAKMP_NPTYPE_NATOA_DRAFT 131 /* NAT Original Address */
-
-/* Frag does not seems to be documented */
-#define ISAKMP_NPTYPE_FRAG 132 /* IKE fragmentation payload */
-
-#define ISAKMP_NPTYPE_MAX 17
- /* 128 - 255 Private Use */
-
-/*
- * The following are valid when the Vendor ID is one of the
- * following:
- *
- * MD5("A GSS-API Authentication Method for IKE")
- * MD5("GSSAPI") (recognized by Windows 2000)
- * MD5("MS NT5 ISAKMPOAKLEY") (sent by Windows 2000)
- *
- * See draft-ietf-ipsec-isakmp-gss-auth-06.txt.
- */
-#define ISAKMP_NPTYPE_GSS 129 /* GSS token */
-
-#define ISAKMP_MAJOR_VERSION 1
-#define ISAKMP_MINOR_VERSION 0
-#define ISAKMP_VERSION_NUMBER 0x10
-#define ISAKMP_GETMAJORV(v) (((v) & 0xf0) >> 4)
-#define ISAKMP_SETMAJORV(v, m) ((v) = ((v) & 0x0f) | (((m) << 4) & 0xf0))
-#define ISAKMP_GETMINORV(v) ((v) & 0x0f)
-#define ISAKMP_SETMINORV(v, m) ((v) = ((v) & 0xf0) | ((m) & 0x0f))
-
-/* Exchange Type */
-#define ISAKMP_ETYPE_NONE 0 /* NONE */
-#define ISAKMP_ETYPE_BASE 1 /* Base */
-#define ISAKMP_ETYPE_IDENT 2 /* Identity Proteciton */
-#define ISAKMP_ETYPE_AUTH 3 /* Authentication Only */
-#define ISAKMP_ETYPE_AGG 4 /* Aggressive */
-#define ISAKMP_ETYPE_INFO 5 /* Informational */
-#define ISAKMP_ETYPE_CFG 6 /* Mode config */
-/* Additional Exchange Type */
-#define ISAKMP_ETYPE_QUICK 32 /* Quick Mode */
-#define ISAKMP_ETYPE_NEWGRP 33 /* New group Mode */
-#define ISAKMP_ETYPE_ACKINFO 34 /* Acknowledged Informational */
-
-/* Flags */
-#define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
-#define ISAKMP_FLAG_C 0x02 /* Commit Bit */
-#define ISAKMP_FLAG_A 0x04 /* Authentication Only Bit */
-
-/* 3.2 Payload Generic Header
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- ! Next Payload ! RESERVED ! Payload Length !
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-struct isakmp_gen {
- u_int8_t np; /* Next Payload */
- u_int8_t reserved; /* RESERVED, unused, must set to 0 */
- u_int16_t len; /* Payload Length */
-} __attribute__((__packed__));
-
-/* 3.3 Data Attributes
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- !A! Attribute Type ! AF=0 Attribute Length !
- !F! ! AF=1 Attribute Value !
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- . AF=0 Attribute Value .
- . AF=1 Not Transmitted .
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-*/
-struct isakmp_data {
- u_int16_t type; /* defined by DOI-spec, and Attribute Format */
- u_int16_t lorv; /* if f equal 1, Attribute Length */
- /* if f equal 0, Attribute Value */
- /* if f equal 1, Attribute Value */
-} __attribute__((__packed__));
-#define ISAKMP_GEN_TLV 0x0000
-#define ISAKMP_GEN_TV 0x8000
- /* mask for type of attribute format */
-#define ISAKMP_GEN_MASK 0x8000
-
-#if 0
-/* MAY NOT be used, because of being defined in ipsec-doi. */
-/* 3.4 Security Association Payload */
-struct isakmp_pl_sa {
- struct isakmp_gen h;
- u_int32_t doi; /* Domain of Interpretation */
- u_int32_t sit; /* Situation */
-} __attribute__((__packed__));
-#endif
-
-/* 3.5 Proposal Payload */
- /*
- The value of the next payload field MUST only contain the value "2"
- or "0". If there are additional Proposal payloads in the message,
- then this field will be 2. If the current Proposal payload is the
- last within the security association proposal, then this field will
- be 0.
- */
-struct isakmp_pl_p {
- struct isakmp_gen h;
- u_int8_t p_no; /* Proposal # */
- u_int8_t proto_id; /* Protocol */
- u_int8_t spi_size; /* SPI Size */
- u_int8_t num_t; /* Number of Transforms */
- /* SPI */
-} __attribute__((__packed__));
-
-/* 3.6 Transform Payload */
- /*
- The value of the next payload field MUST only contain the value "3"
- or "0". If there are additional Transform payloads in the proposal,
- then this field will be 3. If the current Transform payload is the
- last within the proposal, then this field will be 0.
- */
-struct isakmp_pl_t {
- struct isakmp_gen h;
- u_int8_t t_no; /* Transform # */
- u_int8_t t_id; /* Transform-Id */
- u_int16_t reserved; /* RESERVED2 */
- /* SA Attributes */
-} __attribute__((__packed__));
-
-/* 3.7 Key Exchange Payload */
-struct isakmp_pl_ke {
- struct isakmp_gen h;
- /* Key Exchange Data */
-} __attribute__((__packed__));
-
-#if 0
-/* NOTE: MUST NOT use because of being defined in ipsec-doi instead them. */
-/* 3.8 Identification Payload */
-struct isakmp_pl_id {
- struct isakmp_gen h;
- union {
- u_int8_t id_type; /* ID Type */
- u_int32_t doi_data; /* DOI Specific ID Data */
- } d;
- /* Identification Data */
-} __attribute__((__packed__));
-/* A.4 ISAKMP Identification Type Values */
-#define ISAKMP_ID_IPV4_ADDR 0
-#define ISAKMP_ID_IPV4_ADDR_SUBNET 1
-#define ISAKMP_ID_IPV6_ADDR 2
-#define ISAKMP_ID_IPV6_ADDR_SUBNET 3
-#endif
-
-/* 3.9 Certificate Payload */
-struct isakmp_pl_cert {
- struct isakmp_gen h;
- /*
- * Encoding type of 1 octet follows immediately,
- * variable length CERT data follows encoding type.
- */
-} __attribute__((__packed__));
-
-/* Certificate Type */
-#define ISAKMP_CERT_NONE 0
-#define ISAKMP_CERT_PKCS7 1
-#define ISAKMP_CERT_PGP 2
-#define ISAKMP_CERT_DNS 3
-#define ISAKMP_CERT_X509SIGN 4
-#define ISAKMP_CERT_X509KE 5
-#define ISAKMP_CERT_KERBEROS 6
-#define ISAKMP_CERT_CRL 7
-#define ISAKMP_CERT_ARL 8
-#define ISAKMP_CERT_SPKI 9
-#define ISAKMP_CERT_X509ATTR 10
-#define ISAKMP_CERT_PLAINRSA 11
-
-/* the method to get peers certificate */
-#define ISAKMP_GETCERT_PAYLOAD 1
-#define ISAKMP_GETCERT_LOCALFILE 2
-#define ISAKMP_GETCERT_DNS 3
-
-/* 3.10 Certificate Request Payload */
-struct isakmp_pl_cr {
- struct isakmp_gen h;
- u_int8_t num_cert; /* # Cert. Types */
- /*
- Certificate Types (variable length)
- -- Contains a list of the types of certificates requested,
- sorted in order of preference. Each individual certificate
- type is 1 octet. This field is NOT required.
- */
- /* # Certificate Authorities (1 octet) */
- /* Certificate Authorities (variable length) */
-} __attribute__((__packed__));
-
-/* 3.11 Hash Payload */
-struct isakmp_pl_hash {
- struct isakmp_gen h;
- /* Hash Data */
-} __attribute__((__packed__));
-
-/* 3.12 Signature Payload */
-struct isakmp_pl_sig {
- struct isakmp_gen h;
- /* Signature Data */
-} __attribute__((__packed__));
-
-/* 3.13 Nonce Payload */
-struct isakmp_pl_nonce {
- struct isakmp_gen h;
- /* Nonce Data */
-} __attribute__((__packed__));
-
-/* 3.14 Notification Payload */
-struct isakmp_pl_n {
- struct isakmp_gen h;
- u_int32_t doi; /* Domain of Interpretation */
- u_int8_t proto_id; /* Protocol-ID */
- u_int8_t spi_size; /* SPI Size */
- u_int16_t type; /* Notify Message Type */
- /* SPI */
- /* Notification Data */
-} __attribute__((__packed__));
-
-/* 3.14.1 Notify Message Types */
-/* NOTIFY MESSAGES - ERROR TYPES */
-#define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
-#define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
-#define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
-#define ISAKMP_NTYPE_INVALID_COOKIE 4
-#define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
-#define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
-#define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
-#define ISAKMP_NTYPE_INVALID_FLAGS 8
-#define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
-#define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
-#define ISAKMP_NTYPE_INVALID_SPI 11
-#define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
-#define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
-#define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
-#define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
-#define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
-#define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
-#define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
-#define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
-#define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
-#define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
-#define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
-#define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
-#define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
-#define ISAKMP_NTYPE_INVALID_SIGNATURE 25
-#define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
-#define ISAKMP_NTYPE_NOTIFY_SA_LIFETIME 27
-#define ISAKMP_NTYPE_CERTIFICATE_UNAVAILABLE 28
-#define ISAKMP_NTYPE_UNSUPPORTED_EXCHANGE_TYPE 29
-#define ISAKMP_NTYPE_UNEQUAL_PAYLOAD_LENGTHS 30
-#define ISAKMP_NTYPE_MINERROR 1
-#define ISAKMP_NTYPE_MAXERROR 16383
-/* NOTIFY MESSAGES - STATUS TYPES */
-#define ISAKMP_NTYPE_CONNECTED 16384
-/* 4.6.3 IPSEC DOI Notify Message Types */
-#define ISAKMP_NTYPE_RESPONDER_LIFETIME 24576
-#define ISAKMP_NTYPE_REPLAY_STATUS 24577
-#define ISAKMP_NTYPE_INITIAL_CONTACT 24578
-
-/* DPD */
-#define ISAKMP_NTYPE_R_U_THERE 36136
-#define ISAKMP_NTYPE_R_U_THERE_ACK 36137
-
-#define ISAKMP_NTYPE_HEARTBEAT 40503
-
-/* using only to log */
-#define ISAKMP_LOG_RETRY_LIMIT_REACHED 65530
-
-/* XXX means internal error but it's not reserved by any drafts... */
-#define ISAKMP_INTERNAL_ERROR -1
-
-/* 3.15 Delete Payload */
-struct isakmp_pl_d {
- struct isakmp_gen h;
- u_int32_t doi; /* Domain of Interpretation */
- u_int8_t proto_id; /* Protocol-Id */
- u_int8_t spi_size; /* SPI Size */
- u_int16_t num_spi; /* # of SPIs */
- /* SPI(es) */
-} __attribute__((__packed__));
-
-struct payload_list {
- struct payload_list *next, *prev;
- vchar_t *payload;
- int payload_type;
-};
-
-
-/* See draft-ietf-ipsec-isakmp-mode-cfg-04.txt, 3.2 */
-struct isakmp_pl_attr {
- struct isakmp_gen h;
- u_int8_t type; /* Exchange type */
- u_int8_t res2;
- u_int16_t id; /* Per transaction id */
-} __attribute__((__packed__));
-
-/* Exchange type */
-#define ISAKMP_CFG_REQUEST 1
-#define ISAKMP_CFG_REPLY 2
-#define ISAKMP_CFG_SET 3
-#define ISAKMP_CFG_ACK 4
-
-/* IKE fragmentation payload */
-struct isakmp_frag {
- u_int16_t unknown0; /* always set to zero? */
- u_int16_t len;
- u_int16_t unknown1; /* always set to 1? */
- u_int8_t index;
- u_int8_t flags;
-} __attribute__((__packed__));
-
-/* flags */
-#define ISAKMP_FRAG_LAST 1
-
-/* DPD R-U-THERE / R-U-THERE-ACK Payload */
-struct isakmp_pl_ru {
- struct isakmp_gen h;
- u_int32_t doi; /* Domain of Interpretation */
- u_int8_t proto_id; /* Protocol-Id */
- u_int8_t spi_size; /* SPI Size */
- u_int16_t type; /* Notify type */
- cookie_t i_ck; /* Initiator Cookie */
- cookie_t r_ck; /* Responder cookie*/
- u_int32_t data; /* Notification data */
-} __attribute__((__packed__));
-
-#endif /* _ISAKMP_H */
diff --git a/src/racoon/isakmp_agg.c b/src/racoon/isakmp_agg.c
deleted file mode 100644
index d9b89d9..0000000
--- a/src/racoon/isakmp_agg.c
+++ /dev/null
@@ -1,1489 +0,0 @@
-/* $NetBSD: isakmp_agg.c,v 1.9 2006/09/30 21:49:37 manu Exp $ */
-
-/* Id: isakmp_agg.c,v 1.28 2006/04/06 16:46:08 manubsd Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* Aggressive Exchange (Aggressive Mode) */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#if TIME_WITH_SYS_TIME
-# include <sys/time.h>
-# include <time.h>
-#else
-# if HAVE_SYS_TIME_H
-# include <sys/time.h>
-# else
-# include <time.h>
-# endif
-#endif
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "sockmisc.h"
-#include "schedule.h"
-#include "debug.h"
-
-#ifdef ENABLE_HYBRID
-#include <resolv.h>
-#endif
-
-#include "localconf.h"
-#include "remoteconf.h"
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "evt.h"
-#include "oakley.h"
-#include "handler.h"
-#include "ipsec_doi.h"
-#include "crypto_openssl.h"
-#include "pfkey.h"
-#include "isakmp_agg.h"
-#include "isakmp_inf.h"
-#ifdef ENABLE_HYBRID
-#include "isakmp_xauth.h"
-#include "isakmp_cfg.h"
-#endif
-#ifdef ENABLE_FRAG
-#include "isakmp_frag.h"
-#endif
-#include "vendorid.h"
-#include "strnames.h"
-
-#ifdef ENABLE_NATT
-#include "nattraversal.h"
-#endif
-
-#ifdef HAVE_GSSAPI
-#include "gssapi.h"
-#endif
-
-/*
- * begin Aggressive Mode as initiator.
- */
-/*
- * send to responder
- * psk: HDR, SA, KE, Ni, IDi1
- * sig: HDR, SA, KE, Ni, IDi1 [, CR ]
- * gssapi: HDR, SA, KE, Ni, IDi1, GSSi
- * rsa: HDR, SA, [ HASH(1),] KE, <IDi1_b>Pubkey_r, <Ni_b>Pubkey_r
- * rev: HDR, SA, [ HASH(1),] <Ni_b>Pubkey_r, <KE_b>Ke_i,
- * <IDii_b>Ke_i [, <Cert-I_b>Ke_i ]
- */
-int
-agg_i1send(iph1, msg)
- struct ph1handle *iph1;
- vchar_t *msg; /* must be null */
-{
- struct payload_list *plist = NULL;
- int need_cr = 0;
- vchar_t *cr = NULL;
- int error = -1;
-#ifdef ENABLE_NATT
- vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL };
- int i;
-#endif
-#ifdef ENABLE_HYBRID
- vchar_t *vid_xauth = NULL;
- vchar_t *vid_unity = NULL;
-#endif
-#ifdef ENABLE_FRAG
- vchar_t *vid_frag = NULL;
-#endif
-#ifdef HAVE_GSSAPI
- vchar_t *gsstoken = NULL;
- int len;
-#endif
-#ifdef ENABLE_DPD
- vchar_t *vid_dpd = NULL;
-#endif
-
-
- /* validity check */
- if (msg != NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "msg has to be NULL in this function.\n");
- goto end;
- }
- if (iph1->status != PHASE1ST_START) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph1->status);
- goto end;
- }
-
- /* create isakmp index */
- memset(&iph1->index, 0, sizeof(iph1->index));
- isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local);
-
- /* make ID payload into isakmp status */
- if (ipsecdoi_setid1(iph1) < 0)
- goto end;
-
- /* create SA payload for my proposal */
- iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf->proposal);
- if (iph1->sa == NULL)
- goto end;
-
- /* consistency check of proposals */
- if (iph1->rmconf->dhgrp == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "configuration failure about DH group.\n");
- goto end;
- }
-
- /* generate DH public value */
- if (oakley_dh_generate(iph1->rmconf->dhgrp,
- &iph1->dhpub, &iph1->dhpriv) < 0)
- goto end;
-
- /* generate NONCE value */
- iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
- if (iph1->nonce == NULL)
- goto end;
-
-#ifdef ENABLE_HYBRID
- /* Do we need Xauth VID? */
- switch (RMAUTHMETHOD(iph1)) {
- case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
- if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL)
- plog(LLV_ERROR, LOCATION, NULL,
- "Xauth vendor ID generation failed\n");
- if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
- plog(LLV_ERROR, LOCATION, NULL,
- "Unity vendor ID generation failed\n");
- break;
- default:
- break;
- }
-#endif
-
-#ifdef ENABLE_FRAG
- if (iph1->rmconf->ike_frag) {
- vid_frag = set_vendorid(VENDORID_FRAG);
- if (vid_frag != NULL)
- vid_frag = isakmp_frag_addcap(vid_frag,
- VENDORID_FRAG_AGG);
- if (vid_frag == NULL)
- plog(LLV_ERROR, LOCATION, NULL,
- "Frag vendorID construction failed\n");
- }
-#endif
-
- /* create CR if need */
- if (iph1->rmconf->send_cr
- && oakley_needcr(iph1->rmconf->proposal->authmethod)
- && iph1->rmconf->peerscertfile == NULL) {
- need_cr = 1;
- cr = oakley_getcr(iph1);
- if (cr == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get cr buffer.\n");
- goto end;
- }
- }
-
- plog(LLV_DEBUG, LOCATION, NULL, "authmethod is %s\n",
- s_oakley_attr_method(iph1->rmconf->proposal->authmethod));
-#ifdef HAVE_GSSAPI
- if (RMAUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
- gssapi_get_itoken(iph1, &len);
-#endif
-
- /* set SA payload to propose */
- plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA);
-
- /* create isakmp KE payload */
- plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
-
- /* create isakmp NONCE payload */
- plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
-
- /* create isakmp ID payload */
- plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
-
-#ifdef HAVE_GSSAPI
- if (RMAUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
- gssapi_get_token_to_send(iph1, &gsstoken);
- plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS);
- }
-#endif
- /* create isakmp CR payload */
- if (need_cr)
- plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
-
-#ifdef ENABLE_FRAG
- if (vid_frag)
- plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID);
-#endif
-#ifdef ENABLE_NATT
- /*
- * set VID payload for NAT-T if NAT-T
- * support allowed in the config file
- */
- if (iph1->rmconf->nat_traversal)
- plist = isakmp_plist_append_natt_vids(plist, vid_natt);
-#endif
-#ifdef ENABLE_HYBRID
- if (vid_xauth)
- plist = isakmp_plist_append(plist,
- vid_xauth, ISAKMP_NPTYPE_VID);
- if (vid_unity)
- plist = isakmp_plist_append(plist,
- vid_unity, ISAKMP_NPTYPE_VID);
-#endif
-#ifdef ENABLE_DPD
- if(iph1->rmconf->dpd){
- vid_dpd = set_vendorid(VENDORID_DPD);
- if (vid_dpd != NULL)
- plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID);
- }
-#endif
-
- iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
-
-#ifdef HAVE_PRINT_ISAKMP_C
- isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
-#endif
-
- /* send the packet, add to the schedule to resend */
- iph1->retry_counter = iph1->rmconf->retry_counter;
- if (isakmp_ph1resend(iph1) == -1)
- goto end;
-
- iph1->status = PHASE1ST_MSG1SENT;
-
- error = 0;
-
-end:
- if (cr)
- vfree(cr);
-#ifdef HAVE_GSSAPI
- if (gsstoken)
- vfree(gsstoken);
-#endif
-#ifdef ENABLE_FRAG
- if (vid_frag)
- vfree(vid_frag);
-#endif
-#ifdef ENABLE_NATT
- for (i = 0; i < MAX_NATT_VID_COUNT && vid_natt[i] != NULL; i++)
- vfree(vid_natt[i]);
-#endif
-#ifdef ENABLE_HYBRID
- if (vid_xauth != NULL)
- vfree(vid_xauth);
- if (vid_unity != NULL)
- vfree(vid_unity);
-#endif
-#ifdef ENABLE_DPD
- if (vid_dpd != NULL)
- vfree(vid_dpd);
-#endif
-
- return error;
-}
-
-/*
- * receive from responder
- * psk: HDR, SA, KE, Nr, IDr1, HASH_R
- * sig: HDR, SA, KE, Nr, IDr1, [ CR, ] [ CERT, ] SIG_R
- * gssapi: HDR, SA, KE, Nr, IDr1, GSSr, HASH_R
- * rsa: HDR, SA, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i, HASH_R
- * rev: HDR, SA, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDir_b>Ke_r, HASH_R
- */
-int
-agg_i2recv(iph1, msg)
- struct ph1handle *iph1;
- vchar_t *msg;
-{
- vchar_t *pbuf = NULL;
- struct isakmp_parse_t *pa;
- vchar_t *satmp = NULL;
- int error = -1;
- int vid_numeric;
- int ptype;
-#ifdef ENABLE_HYBRID
- vchar_t *unity_vid;
- vchar_t *xauth_vid;
-#endif
-#ifdef HAVE_GSSAPI
- vchar_t *gsstoken = NULL;
-#endif
-
-#ifdef ENABLE_NATT
- int natd_seq = 0;
- struct natd_payload {
- int seq;
- vchar_t *payload;
- TAILQ_ENTRY(natd_payload) chain;
- };
- TAILQ_HEAD(_natd_payload, natd_payload) natd_tree;
- TAILQ_INIT(&natd_tree);
-#endif
-
- /* validity check */
- if (iph1->status != PHASE1ST_MSG1SENT) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph1->status);
- goto end;
- }
-
- /* validate the type of next payload */
- pbuf = isakmp_parse(msg);
- if (pbuf == NULL)
- goto end;
- pa = (struct isakmp_parse_t *)pbuf->v;
-
- iph1->pl_hash = NULL;
-
- /* SA payload is fixed postion */
- if (pa->type != ISAKMP_NPTYPE_SA) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "received invalid next payload type %d, "
- "expecting %d.\n",
- pa->type, ISAKMP_NPTYPE_SA);
- goto end;
- }
-
- if (isakmp_p2ph(&satmp, pa->ptr) < 0)
- goto end;
- pa++;
-
- for (/*nothing*/;
- pa->type != ISAKMP_NPTYPE_NONE;
- pa++) {
-
- switch (pa->type) {
- case ISAKMP_NPTYPE_KE:
- if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0)
- goto end;
- break;
- case ISAKMP_NPTYPE_NONCE:
- if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0)
- goto end;
- break;
- case ISAKMP_NPTYPE_ID:
- if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0)
- goto end;
- break;
- case ISAKMP_NPTYPE_HASH:
- iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
- break;
- case ISAKMP_NPTYPE_CR:
- if (oakley_savecr(iph1, pa->ptr) < 0)
- goto end;
- break;
- case ISAKMP_NPTYPE_CERT:
- if (oakley_savecert(iph1, pa->ptr) < 0)
- goto end;
- break;
- case ISAKMP_NPTYPE_SIG:
- if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0)
- goto end;
- break;
- case ISAKMP_NPTYPE_VID:
- handle_vendorid(iph1, pa->ptr);
- break;
- case ISAKMP_NPTYPE_N:
- isakmp_check_notify(pa->ptr, iph1);
- break;
-#ifdef HAVE_GSSAPI
- case ISAKMP_NPTYPE_GSS:
- if (isakmp_p2ph(&gsstoken, pa->ptr) < 0)
- goto end;
- gssapi_save_received_token(iph1, gsstoken);
- break;
-#endif
-
-#ifdef ENABLE_NATT
- case ISAKMP_NPTYPE_NATD_DRAFT:
- case ISAKMP_NPTYPE_NATD_RFC:
- if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
- pa->type == iph1->natt_options->payload_nat_d) {
- struct natd_payload *natd;
- natd = (struct natd_payload *)racoon_malloc(sizeof(*natd));
- if (!natd)
- goto end;
-
- natd->payload = NULL;
-
- if (isakmp_p2ph (&natd->payload, pa->ptr) < 0)
- goto end;
-
- natd->seq = natd_seq++;
-
- TAILQ_INSERT_TAIL(&natd_tree, natd, chain);
- break;
- }
- /* passthrough to default... */
-#endif
-
- default:
- /* don't send information, see isakmp_ident_r1() */
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "ignore the packet, "
- "received unexpecting payload type %d.\n",
- pa->type);
- goto end;
- }
- }
-
- /* payload existency check */
- if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "few isakmp message received.\n");
- goto end;
- }
-
- /* verify identifier */
- if (ipsecdoi_checkid1(iph1) != 0) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "invalid ID payload.\n");
- goto end;
- }
-
- /* check SA payload and set approval SA for use */
- if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "failed to get valid proposal.\n");
- /* XXX send information */
- goto end;
- }
- VPTRINIT(iph1->sa_ret);
-
- /* fix isakmp index */
- memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck,
- sizeof(cookie_t));
-
-#ifdef ENABLE_NATT
- if (NATT_AVAILABLE(iph1)) {
- struct natd_payload *natd = NULL;
- int natd_verified;
-
- plog(LLV_INFO, LOCATION, iph1->remote,
- "Selected NAT-T version: %s\n",
- vid_string_by_id(iph1->natt_options->version));
-
- /* set both bits first so that we can clear them
- upon verifying hashes */
- iph1->natt_flags |= NAT_DETECTED;
-
- while ((natd = TAILQ_FIRST(&natd_tree)) != NULL) {
- /* this function will clear appropriate bits bits
- from iph1->natt_flags */
- natd_verified = natt_compare_addr_hash (iph1,
- natd->payload, natd->seq);
-
- plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
- natd->seq - 1,
- natd_verified ? "verified" : "doesn't match");
-
- vfree (natd->payload);
-
- TAILQ_REMOVE(&natd_tree, natd, chain);
- racoon_free (natd);
- }
-
- plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
- iph1->natt_flags & NAT_DETECTED ?
- "detected:" : "not detected",
- iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
- iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
-
- if (iph1->natt_flags & NAT_DETECTED)
- natt_float_ports (iph1);
- }
-#endif
-
- /* compute sharing secret of DH */
- if (oakley_dh_compute(iph1->rmconf->dhgrp, iph1->dhpub,
- iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
- goto end;
-
- /* generate SKEYIDs & IV & final cipher key */
- if (oakley_skeyid(iph1) < 0)
- goto end;
- if (oakley_skeyid_dae(iph1) < 0)
- goto end;
- if (oakley_compute_enckey(iph1) < 0)
- goto end;
- if (oakley_newiv(iph1) < 0)
- goto end;
-
- /* validate authentication value */
- ptype = oakley_validate_auth(iph1);
- if (ptype != 0) {
- if (ptype == -1) {
- /* message printed inner oakley_validate_auth() */
- goto end;
- }
- EVT_PUSH(iph1->local, iph1->remote,
- EVTT_PEERPH1AUTH_FAILED, NULL);
- isakmp_info_send_n1(iph1, ptype, NULL);
- goto end;
- }
-
- if (oakley_checkcr(iph1) < 0) {
- /* Ignore this error in order to be interoperability. */
- ;
- }
-
- /* change status of isakmp status entry */
- iph1->status = PHASE1ST_MSG2RECEIVED;
-
- error = 0;
-
-end:
-#ifdef HAVE_GSSAPI
- if (gsstoken)
- vfree(gsstoken);
-#endif
- if (pbuf)
- vfree(pbuf);
- if (satmp)
- vfree(satmp);
- if (error) {
- VPTRINIT(iph1->dhpub_p);
- VPTRINIT(iph1->nonce_p);
- VPTRINIT(iph1->id_p);
- oakley_delcert(iph1->cert_p);
- iph1->cert_p = NULL;
- oakley_delcert(iph1->crl_p);
- iph1->crl_p = NULL;
- VPTRINIT(iph1->sig_p);
- oakley_delcert(iph1->cr_p);
- iph1->cr_p = NULL;
- }
-
- return error;
-}
-
-/*
- * send to responder
- * psk: HDR, HASH_I
- * gssapi: HDR, HASH_I
- * sig: HDR, [ CERT, ] SIG_I
- * rsa: HDR, HASH_I
- * rev: HDR, HASH_I
- */
-int
-agg_i2send(iph1, msg)
- struct ph1handle *iph1;
- vchar_t *msg;
-{
- struct payload_list *plist = NULL;
- int need_cert = 0;
- int error = -1;
- vchar_t *gsshash = NULL;
-
- /* validity check */
- if (iph1->status != PHASE1ST_MSG2RECEIVED) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph1->status);
- goto end;
- }
-
- /* generate HASH to send */
- plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n");
- iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
- if (iph1->hash == NULL) {
-#ifdef HAVE_GSSAPI
- if (gssapi_more_tokens(iph1) &&
-#ifdef ENABLE_HYBRID
- !iph1->rmconf->xauth &&
-#endif
- 1)
- isakmp_info_send_n1(iph1,
- ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL);
-#endif
- goto end;
- }
-
- switch (AUTHMETHOD(iph1)) {
- case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
-#ifdef ENABLE_HYBRID
- case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
-#endif
- /* set HASH payload */
- plist = isakmp_plist_append(plist,
- iph1->hash, ISAKMP_NPTYPE_HASH);
- break;
-
- case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
- case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
-#ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
-#endif
- /* XXX if there is CR or not ? */
-
- if (oakley_getmycert(iph1) < 0)
- goto end;
-
- if (oakley_getsign(iph1) < 0)
- goto end;
-
- if (iph1->cert != NULL && iph1->rmconf->send_cert)
- need_cert = 1;
-
- /* add CERT payload if there */
- if (need_cert)
- plist = isakmp_plist_append(plist,
- iph1->cert->pl, ISAKMP_NPTYPE_CERT);
-
- /* add SIG payload */
- plist = isakmp_plist_append(plist,
- iph1->sig, ISAKMP_NPTYPE_SIG);
- break;
-
- case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
- case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
-#ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
-#endif
- break;
-#ifdef HAVE_GSSAPI
- case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
- gsshash = gssapi_wraphash(iph1);
- if (gsshash == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to wrap hash\n");
- isakmp_info_send_n1(iph1,
- ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL);
- goto end;
- }
-
- plist = isakmp_plist_append(plist,
- gsshash, ISAKMP_NPTYPE_HASH);
- break;
-#endif
- }
-
-#ifdef ENABLE_NATT
- /* generate NAT-D payloads */
- if (NATT_AVAILABLE(iph1)) {
- vchar_t *natd[2] = { NULL, NULL };
-
- plog(LLV_INFO, LOCATION,
- NULL, "Adding remote and local NAT-D payloads.\n");
-
- if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "NAT-D hashing failed for %s\n",
- saddr2str(iph1->remote));
- goto end;
- }
-
- if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "NAT-D hashing failed for %s\n",
- saddr2str(iph1->local));
- goto end;
- }
-
- plist = isakmp_plist_append(plist,
- natd[0], iph1->natt_options->payload_nat_d);
- plist = isakmp_plist_append(plist,
- natd[1], iph1->natt_options->payload_nat_d);
- }
-#endif
-
- iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
-
-#ifdef HAVE_PRINT_ISAKMP_C
- isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
-#endif
-
- /* send to responder */
- if (isakmp_send(iph1, iph1->sendbuf) < 0)
- goto end;
-
- /* the sending message is added to the received-list. */
- if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
- plog(LLV_ERROR , LOCATION, NULL,
- "failed to add a response packet to the tree.\n");
- goto end;
- }
-
- /* set encryption flag */
- iph1->flags |= ISAKMP_FLAG_E;
-
- iph1->status = PHASE1ST_ESTABLISHED;
-
- error = 0;
-
-end:
- if (gsshash)
- vfree(gsshash);
- return error;
-}
-
-/*
- * receive from initiator
- * psk: HDR, SA, KE, Ni, IDi1
- * sig: HDR, SA, KE, Ni, IDi1 [, CR ]
- * gssapi: HDR, SA, KE, Ni, IDi1 , GSSi
- * rsa: HDR, SA, [ HASH(1),] KE, <IDi1_b>Pubkey_r, <Ni_b>Pubkey_r
- * rev: HDR, SA, [ HASH(1),] <Ni_b>Pubkey_r, <KE_b>Ke_i,
- * <IDii_b>Ke_i [, <Cert-I_b>Ke_i ]
- */
-int
-agg_r1recv(iph1, msg)
- struct ph1handle *iph1;
- vchar_t *msg;
-{
- int error = -1;
- vchar_t *pbuf = NULL;
- struct isakmp_parse_t *pa;
- int vid_numeric;
-#ifdef HAVE_GSSAPI
- vchar_t *gsstoken = NULL;
-#endif
-
- /* validity check */
- if (iph1->status != PHASE1ST_START) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph1->status);
- goto end;
- }
-
- /* validate the type of next payload */
- pbuf = isakmp_parse(msg);
- if (pbuf == NULL)
- goto end;
- pa = (struct isakmp_parse_t *)pbuf->v;
-
- /* SA payload is fixed postion */
- if (pa->type != ISAKMP_NPTYPE_SA) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "received invalid next payload type %d, "
- "expecting %d.\n",
- pa->type, ISAKMP_NPTYPE_SA);
- goto end;
- }
- if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0)
- goto end;
- pa++;
-
- for (/*nothing*/;
- pa->type != ISAKMP_NPTYPE_NONE;
- pa++) {
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "received payload of type %s\n",
- s_isakmp_nptype(pa->type));
-
- switch (pa->type) {
- case ISAKMP_NPTYPE_KE:
- if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0)
- goto end;
- break;
- case ISAKMP_NPTYPE_NONCE:
- if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0)
- goto end;
- break;
- case ISAKMP_NPTYPE_ID:
- if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0)
- goto end;
- break;
- case ISAKMP_NPTYPE_VID:
- vid_numeric = handle_vendorid(iph1, pa->ptr);
-#ifdef ENABLE_FRAG
- if ((vid_numeric == VENDORID_FRAG) &&
- (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_AGG))
- iph1->frag = 1;
-#endif
- break;
-
- case ISAKMP_NPTYPE_CR:
- if (oakley_savecr(iph1, pa->ptr) < 0)
- goto end;
- break;
-
-#ifdef HAVE_GSSAPI
- case ISAKMP_NPTYPE_GSS:
- if (isakmp_p2ph(&gsstoken, pa->ptr) < 0)
- goto end;
- gssapi_save_received_token(iph1, gsstoken);
- break;
-#endif
- default:
- /* don't send information, see isakmp_ident_r1() */
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "ignore the packet, "
- "received unexpecting payload type %d.\n",
- pa->type);
- goto end;
- }
- }
-
- /* payload existency check */
- if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "few isakmp message received.\n");
- goto end;
- }
-
- /* verify identifier */
- if (ipsecdoi_checkid1(iph1) != 0) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "invalid ID payload.\n");
- goto end;
- }
-
-#ifdef ENABLE_NATT
- if (NATT_AVAILABLE(iph1))
- plog(LLV_INFO, LOCATION, iph1->remote,
- "Selected NAT-T version: %s\n",
- vid_string_by_id(iph1->natt_options->version));
-#endif
-
- /* check SA payload and set approval SA for use */
- if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "failed to get valid proposal.\n");
- /* XXX send information */
- goto end;
- }
-
- if (oakley_checkcr(iph1) < 0) {
- /* Ignore this error in order to be interoperability. */
- ;
- }
-
- iph1->status = PHASE1ST_MSG1RECEIVED;
-
- error = 0;
-
-end:
-#ifdef HAVE_GSSAPI
- if (gsstoken)
- vfree(gsstoken);
-#endif
- if (pbuf)
- vfree(pbuf);
- if (error) {
- VPTRINIT(iph1->sa);
- VPTRINIT(iph1->dhpub_p);
- VPTRINIT(iph1->nonce_p);
- VPTRINIT(iph1->id_p);
- oakley_delcert(iph1->cr_p);
- iph1->cr_p = NULL;
- }
-
- return error;
-}
-
-/*
- * send to initiator
- * psk: HDR, SA, KE, Nr, IDr1, HASH_R
- * sig: HDR, SA, KE, Nr, IDr1, [ CR, ] [ CERT, ] SIG_R
- * gssapi: HDR, SA, KE, Nr, IDr1, GSSr, HASH_R
- * rsa: HDR, SA, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i, HASH_R
- * rev: HDR, SA, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDir_b>Ke_r, HASH_R
- */
-int
-agg_r1send(iph1, msg)
- struct ph1handle *iph1;
- vchar_t *msg;
-{
- struct payload_list *plist = NULL;
- int need_cr = 0;
- int need_cert = 0;
- vchar_t *cr = NULL;
- int error = -1;
-#ifdef ENABLE_HYBRID
- vchar_t *xauth_vid = NULL;
- vchar_t *unity_vid = NULL;
-#endif
-#ifdef ENABLE_NATT
- vchar_t *vid_natt = NULL;
- vchar_t *natd[2] = { NULL, NULL };
-#endif
-#ifdef ENABLE_DPD
- vchar_t *vid_dpd = NULL;
-#endif
-#ifdef ENABLE_FRAG
- vchar_t *vid_frag = NULL;
-#endif
-
-#ifdef HAVE_GSSAPI
- int gsslen;
- vchar_t *gsstoken = NULL, *gsshash = NULL;
- vchar_t *gss_sa = NULL;
- int free_gss_sa = 0;
-#endif
-
- /* validity check */
- if (iph1->status != PHASE1ST_MSG1RECEIVED) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph1->status);
- goto end;
- }
-
- /* set responder's cookie */
- isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local);
-
- /* make ID payload into isakmp status */
- if (ipsecdoi_setid1(iph1) < 0)
- goto end;
-
- /* generate DH public value */
- if (oakley_dh_generate(iph1->rmconf->dhgrp,
- &iph1->dhpub, &iph1->dhpriv) < 0)
- goto end;
-
- /* generate NONCE value */
- iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
- if (iph1->nonce == NULL)
- goto end;
-
- /* compute sharing secret of DH */
- if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
- iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
- goto end;
-
- /* generate SKEYIDs & IV & final cipher key */
- if (oakley_skeyid(iph1) < 0)
- goto end;
- if (oakley_skeyid_dae(iph1) < 0)
- goto end;
- if (oakley_compute_enckey(iph1) < 0)
- goto end;
- if (oakley_newiv(iph1) < 0)
- goto end;
-
-#ifdef HAVE_GSSAPI
- if (RMAUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
- gssapi_get_rtoken(iph1, &gsslen);
-#endif
-
- /* generate HASH to send */
- plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_R\n");
- iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
- if (iph1->hash == NULL) {
-#ifdef HAVE_GSSAPI
- if (gssapi_more_tokens(iph1))
- isakmp_info_send_n1(iph1,
- ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL);
-#endif
- goto end;
- }
-
- /* create CR if need */
- if (iph1->rmconf->send_cr
- && oakley_needcr(iph1->approval->authmethod)
- && iph1->rmconf->peerscertfile == NULL) {
- need_cr = 1;
- cr = oakley_getcr(iph1);
- if (cr == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get cr buffer.\n");
- goto end;
- }
- }
-
-#ifdef ENABLE_NATT
- /* Has the peer announced NAT-T? */
- if (NATT_AVAILABLE(iph1)) {
- /* set chosen VID */
- vid_natt = set_vendorid(iph1->natt_options->version);
-
- /* generate NAT-D payloads */
- plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
- if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "NAT-D hashing failed for %s\n", saddr2str(iph1->remote));
- goto end;
- }
-
- if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "NAT-D hashing failed for %s\n", saddr2str(iph1->local));
- goto end;
- }
- }
-#endif
-#ifdef ENABLE_DPD
- /* Only send DPD support if remote announced DPD and if DPD support is active */
- if (iph1->dpd_support && iph1->rmconf->dpd)
- vid_dpd = set_vendorid(VENDORID_DPD);
-#endif
-#ifdef ENABLE_FRAG
- if (iph1->frag) {
- vid_frag = set_vendorid(VENDORID_FRAG);
- if (vid_frag != NULL)
- vid_frag = isakmp_frag_addcap(vid_frag,
- VENDORID_FRAG_AGG);
- if (vid_frag == NULL)
- plog(LLV_ERROR, LOCATION, NULL,
- "Frag vendorID construction failed\n");
- }
-#endif
-
- switch (AUTHMETHOD(iph1)) {
- case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
-#ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
-#endif
- /* set SA payload to reply */
- plist = isakmp_plist_append(plist,
- iph1->sa_ret, ISAKMP_NPTYPE_SA);
-
- /* create isakmp KE payload */
- plist = isakmp_plist_append(plist,
- iph1->dhpub, ISAKMP_NPTYPE_KE);
-
- /* create isakmp NONCE payload */
- plist = isakmp_plist_append(plist,
- iph1->nonce, ISAKMP_NPTYPE_NONCE);
-
- /* create isakmp ID payload */
- plist = isakmp_plist_append(plist,
- iph1->id, ISAKMP_NPTYPE_ID);
-
- /* create isakmp HASH payload */
- plist = isakmp_plist_append(plist,
- iph1->hash, ISAKMP_NPTYPE_HASH);
-
- /* create isakmp CR payload if needed */
- if (need_cr)
- plist = isakmp_plist_append(plist,
- cr, ISAKMP_NPTYPE_CR);
- break;
- case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
- case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
-#ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
-#endif
- /* XXX if there is CR or not ? */
-
- if (oakley_getmycert(iph1) < 0)
- goto end;
-
- if (oakley_getsign(iph1) < 0)
- goto end;
-
- if (iph1->cert != NULL && iph1->rmconf->send_cert)
- need_cert = 1;
-
- /* set SA payload to reply */
- plist = isakmp_plist_append(plist,
- iph1->sa_ret, ISAKMP_NPTYPE_SA);
-
- /* create isakmp KE payload */
- plist = isakmp_plist_append(plist,
- iph1->dhpub, ISAKMP_NPTYPE_KE);
-
- /* create isakmp NONCE payload */
- plist = isakmp_plist_append(plist,
- iph1->nonce, ISAKMP_NPTYPE_NONCE);
-
- /* add ID payload */
- plist = isakmp_plist_append(plist,
- iph1->id, ISAKMP_NPTYPE_ID);
-
- /* add CERT payload if there */
- if (need_cert)
- plist = isakmp_plist_append(plist,
- iph1->cert->pl, ISAKMP_NPTYPE_CERT);
-
- /* add SIG payload */
- plist = isakmp_plist_append(plist,
- iph1->sig, ISAKMP_NPTYPE_SIG);
-
- /* create isakmp CR payload if needed */
- if (need_cr)
- plist = isakmp_plist_append(plist,
- cr, ISAKMP_NPTYPE_CR);
- break;
-
- case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
- case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
-#ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
-#endif
- break;
-#ifdef HAVE_GSSAPI
- case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
- /* create buffer to send isakmp payload */
- gsshash = gssapi_wraphash(iph1);
- if (gsshash == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to wrap hash\n");
- /*
- * This is probably due to the GSS
- * roundtrips not being finished yet.
- * Return this error in the hope that
- * a fallback to main mode will be done.
- */
- isakmp_info_send_n1(iph1,
- ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, NULL);
- goto end;
- }
- if (iph1->approval->gssid != NULL)
- gss_sa =
- ipsecdoi_setph1proposal(iph1->approval);
- else
- gss_sa = iph1->sa_ret;
-
- if (gss_sa != iph1->sa_ret)
- free_gss_sa = 1;
-
- /* set SA payload to reply */
- plist = isakmp_plist_append(plist,
- gss_sa, ISAKMP_NPTYPE_SA);
-
- /* create isakmp KE payload */
- plist = isakmp_plist_append(plist,
- iph1->dhpub, ISAKMP_NPTYPE_KE);
-
- /* create isakmp NONCE payload */
- plist = isakmp_plist_append(plist,
- iph1->nonce, ISAKMP_NPTYPE_NONCE);
-
- /* create isakmp ID payload */
- plist = isakmp_plist_append(plist,
- iph1->id, ISAKMP_NPTYPE_ID);
-
- /* create GSS payload */
- gssapi_get_token_to_send(iph1, &gsstoken);
- plist = isakmp_plist_append(plist,
- gsstoken, ISAKMP_NPTYPE_GSS);
-
- /* create isakmp HASH payload */
- plist = isakmp_plist_append(plist,
- gsshash, ISAKMP_NPTYPE_HASH);
-
- /* append vendor id, if needed */
- break;
-#endif
- }
-
-#ifdef ENABLE_HYBRID
- if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
- plog (LLV_INFO, LOCATION, NULL, "Adding xauth VID payload.\n");
- if ((xauth_vid = set_vendorid(VENDORID_XAUTH)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot create Xauth vendor ID\n");
- goto end;
- }
- plist = isakmp_plist_append(plist,
- xauth_vid, ISAKMP_NPTYPE_VID);
- }
-
- if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) {
- if ((unity_vid = set_vendorid(VENDORID_UNITY)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot create Unity vendor ID\n");
- goto end;
- }
- plist = isakmp_plist_append(plist,
- unity_vid, ISAKMP_NPTYPE_VID);
- }
-#endif
-
-#ifdef ENABLE_NATT
- /* append NAT-T payloads */
- if (vid_natt) {
- /* chosen VID */
- plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID);
- /* NAT-D */
- plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
- plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
- }
-#endif
-
-#ifdef ENABLE_FRAG
- if (vid_frag)
- plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID);
-#endif
-
-#ifdef ENABLE_DPD
- if (vid_dpd)
- plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID);
-#endif
-
- iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
-
-#ifdef HAVE_PRINT_ISAKMP_C
- isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 1);
-#endif
-
- /* send the packet, add to the schedule to resend */
- iph1->retry_counter = iph1->rmconf->retry_counter;
- if (isakmp_ph1resend(iph1) == -1)
- goto end;
-
- /* the sending message is added to the received-list. */
- if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
- plog(LLV_ERROR , LOCATION, NULL,
- "failed to add a response packet to the tree.\n");
- goto end;
- }
-
- iph1->status = PHASE1ST_MSG1SENT;
-
- error = 0;
-
-end:
- if (cr)
- vfree(cr);
-#ifdef ENABLE_HYBRID
- if (xauth_vid)
- vfree(xauth_vid);
- if (unity_vid)
- vfree(unity_vid);
-#endif
-#ifdef HAVE_GSSAPI
- if (gsstoken)
- vfree(gsstoken);
- if (gsshash)
- vfree(gsshash);
- if (free_gss_sa)
- vfree(gss_sa);
-#endif
-#ifdef ENABLE_DPD
- if (vid_dpd)
- vfree(vid_dpd);
-#endif
-#ifdef ENABLE_FRAG
- if (vid_frag)
- vfree(vid_frag);
-#endif
-
- return error;
-}
-
-/*
- * receive from initiator
- * psk: HDR, HASH_I
- * gssapi: HDR, HASH_I
- * sig: HDR, [ CERT, ] SIG_I
- * rsa: HDR, HASH_I
- * rev: HDR, HASH_I
- */
-int
-agg_r2recv(iph1, msg0)
- struct ph1handle *iph1;
- vchar_t *msg0;
-{
- vchar_t *msg = NULL;
- vchar_t *pbuf = NULL;
- struct isakmp_parse_t *pa;
- int error = -1;
- int ptype;
-
-#ifdef ENABLE_NATT
- int natd_seq = 0;
-#endif
-
- /* validity check */
- if (iph1->status != PHASE1ST_MSG1SENT) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph1->status);
- goto end;
- }
-
- /* decrypting if need. */
- /* XXX configurable ? */
- if (ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
- msg = oakley_do_decrypt(iph1, msg0,
- iph1->ivm->iv, iph1->ivm->ive);
- if (msg == NULL)
- goto end;
- } else
- msg = vdup(msg0);
-
- /* validate the type of next payload */
- pbuf = isakmp_parse(msg);
- if (pbuf == NULL)
- goto end;
-
- iph1->pl_hash = NULL;
-
- for (pa = (struct isakmp_parse_t *)pbuf->v;
- pa->type != ISAKMP_NPTYPE_NONE;
- pa++) {
-
- switch (pa->type) {
- case ISAKMP_NPTYPE_HASH:
- iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
- break;
- case ISAKMP_NPTYPE_VID:
- handle_vendorid(iph1, pa->ptr);
- break;
- case ISAKMP_NPTYPE_CERT:
- if (oakley_savecert(iph1, pa->ptr) < 0)
- goto end;
- break;
- case ISAKMP_NPTYPE_SIG:
- if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0)
- goto end;
- break;
- case ISAKMP_NPTYPE_N:
- isakmp_check_notify(pa->ptr, iph1);
- break;
-
-#ifdef ENABLE_NATT
- case ISAKMP_NPTYPE_NATD_DRAFT:
- case ISAKMP_NPTYPE_NATD_RFC:
- if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
- pa->type == iph1->natt_options->payload_nat_d)
- {
- vchar_t *natd_received = NULL;
- int natd_verified;
-
- if (isakmp_p2ph (&natd_received, pa->ptr) < 0)
- goto end;
-
- if (natd_seq == 0)
- iph1->natt_flags |= NAT_DETECTED;
-
- natd_verified = natt_compare_addr_hash (iph1,
- natd_received, natd_seq++);
-
- plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
- natd_seq - 1,
- natd_verified ? "verified" : "doesn't match");
-
- vfree (natd_received);
- break;
- }
- /* passthrough to default... */
-#endif
-
- default:
- /* don't send information, see isakmp_ident_r1() */
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "ignore the packet, "
- "received unexpecting payload type %d.\n",
- pa->type);
- goto end;
- }
- }
-
-#ifdef ENABLE_NATT
- if (NATT_AVAILABLE(iph1))
- plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
- iph1->natt_flags & NAT_DETECTED ?
- "detected:" : "not detected",
- iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
- iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
-#endif
-
- /* validate authentication value */
- ptype = oakley_validate_auth(iph1);
- if (ptype != 0) {
- if (ptype == -1) {
- /* message printed inner oakley_validate_auth() */
- goto end;
- }
- EVT_PUSH(iph1->local, iph1->remote,
- EVTT_PEERPH1AUTH_FAILED, NULL);
- isakmp_info_send_n1(iph1, ptype, NULL);
- goto end;
- }
-
- iph1->status = PHASE1ST_MSG2RECEIVED;
-
- error = 0;
-
-end:
- if (pbuf)
- vfree(pbuf);
- if (msg)
- vfree(msg);
- if (error) {
- oakley_delcert(iph1->cert_p);
- iph1->cert_p = NULL;
- oakley_delcert(iph1->crl_p);
- iph1->crl_p = NULL;
- VPTRINIT(iph1->sig_p);
- }
-
- return error;
-}
-
-/*
- * status update and establish isakmp sa.
- */
-int
-agg_r2send(iph1, msg)
- struct ph1handle *iph1;
- vchar_t *msg;
-{
- int error = -1;
-
- /* validity check */
- if (iph1->status != PHASE1ST_MSG2RECEIVED) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph1->status);
- goto end;
- }
-
- /* IV synchronized when packet encrypted. */
- /* see handler.h about IV synchronization. */
- if (ISSET(((struct isakmp *)msg->v)->flags, ISAKMP_FLAG_E))
- memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l);
-
- /* set encryption flag */
- iph1->flags |= ISAKMP_FLAG_E;
-
- iph1->status = PHASE1ST_ESTABLISHED;
-
- error = 0;
-
-end:
- return error;
-}
diff --git a/src/racoon/isakmp_agg.h b/src/racoon/isakmp_agg.h
deleted file mode 100644
index 89645eb..0000000
--- a/src/racoon/isakmp_agg.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/* $NetBSD: isakmp_agg.h,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* Id: isakmp_agg.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _ISAKMP_AGG_H
-#define _ISAKMP_AGG_H
-
-extern int agg_i1send __P((struct ph1handle *, vchar_t *));
-extern int agg_i2recv __P((struct ph1handle *, vchar_t *));
-extern int agg_i2send __P((struct ph1handle *, vchar_t *));
-
-extern int agg_r1recv __P((struct ph1handle *, vchar_t *));
-extern int agg_r1send __P((struct ph1handle *, vchar_t *));
-extern int agg_r2recv __P((struct ph1handle *, vchar_t *));
-extern int agg_r2send __P((struct ph1handle *, vchar_t *));
-
-#endif /* _ISAKMP_AGG_H */
diff --git a/src/racoon/isakmp_base.c b/src/racoon/isakmp_base.c
deleted file mode 100644
index 308c3e3..0000000
--- a/src/racoon/isakmp_base.c
+++ /dev/null
@@ -1,1407 +0,0 @@
-/* $NetBSD: isakmp_base.c,v 1.7 2006/10/02 21:51:33 manu Exp $ */
-
-/* $KAME: isakmp_base.c,v 1.49 2003/11/13 02:30:20 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* Base Exchange (Base Mode) */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#if TIME_WITH_SYS_TIME
-# include <sys/time.h>
-# include <time.h>
-#else
-# if HAVE_SYS_TIME_H
-# include <sys/time.h>
-# else
-# include <time.h>
-# endif
-#endif
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "sockmisc.h"
-#include "schedule.h"
-#include "debug.h"
-
-#ifdef ENABLE_HYBRID
-#include <resolv.h>
-#endif
-
-#include "localconf.h"
-#include "remoteconf.h"
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "evt.h"
-#include "oakley.h"
-#include "handler.h"
-#include "ipsec_doi.h"
-#include "crypto_openssl.h"
-#include "pfkey.h"
-#include "isakmp_base.h"
-#include "isakmp_inf.h"
-#include "vendorid.h"
-#ifdef ENABLE_NATT
-#include "nattraversal.h"
-#endif
-#ifdef ENABLE_FRAG
-#include "isakmp_frag.h"
-#endif
-#ifdef ENABLE_HYBRID
-#include "isakmp_xauth.h"
-#include "isakmp_cfg.h"
-#endif
-
-/* %%%
- * begin Identity Protection Mode as initiator.
- */
-/*
- * send to responder
- * psk: HDR, SA, Idii, Ni_b
- * sig: HDR, SA, Idii, Ni_b
- * rsa: HDR, SA, [HASH(1),] <IDii_b>Pubkey_r, <Ni_b>Pubkey_r
- * rev: HDR, SA, [HASH(1),] <Ni_b>Pubkey_r, <IDii_b>Ke_i
- */
-int
-base_i1send(iph1, msg)
- struct ph1handle *iph1;
- vchar_t *msg; /* must be null */
-{
- struct payload_list *plist = NULL;
- int error = -1;
-#ifdef ENABLE_NATT
- vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL };
- int i, vid_natt_i = 0;
-#endif
-#ifdef ENABLE_FRAG
- vchar_t *vid_frag = NULL;
-#endif
-#ifdef ENABLE_HYBRID
- vchar_t *vid_xauth = NULL;
- vchar_t *vid_unity = NULL;
-#endif
-#ifdef ENABLE_DPD
- vchar_t *vid_dpd = NULL;
-#endif
-
-
- /* validity check */
- if (msg != NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "msg has to be NULL in this function.\n");
- goto end;
- }
- if (iph1->status != PHASE1ST_START) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph1->status);
- goto end;
- }
-
- /* create isakmp index */
- memset(&iph1->index, 0, sizeof(iph1->index));
- isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local);
-
- /* make ID payload into isakmp status */
- if (ipsecdoi_setid1(iph1) < 0)
- goto end;
-
- /* create SA payload for my proposal */
- iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf->proposal);
- if (iph1->sa == NULL)
- goto end;
-
- /* generate NONCE value */
- iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
- if (iph1->nonce == NULL)
- goto end;
-
-#ifdef ENABLE_HYBRID
- /* Do we need Xauth VID? */
- switch (RMAUTHMETHOD(iph1)) {
- case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
- if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL)
- plog(LLV_ERROR, LOCATION, NULL,
- "Xauth vendor ID generation failed\n");
-
- if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
- plog(LLV_ERROR, LOCATION, NULL,
- "Unity vendor ID generation failed\n");
- break;
- default:
- break;
- }
-#endif
-#ifdef ENABLE_FRAG
- if (iph1->rmconf->ike_frag) {
- vid_frag = set_vendorid(VENDORID_FRAG);
- if (vid_frag != NULL)
- vid_frag = isakmp_frag_addcap(vid_frag,
- VENDORID_FRAG_BASE);
- if (vid_frag == NULL)
- plog(LLV_ERROR, LOCATION, NULL,
- "Frag vendorID construction failed\n");
- }
-#endif
-#ifdef ENABLE_NATT
- /* Is NAT-T support allowed in the config file? */
- if (iph1->rmconf->nat_traversal) {
- /* Advertise NAT-T capability */
- memset (vid_natt, 0, sizeof (vid_natt));
-#ifdef VENDORID_NATT_00
- if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_00)) != NULL)
- vid_natt_i++;
-#endif
-#ifdef VENDORID_NATT_02
- if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_02)) != NULL)
- vid_natt_i++;
-#endif
-#ifdef VENDORID_NATT_02_N
- if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_02_N)) != NULL)
- vid_natt_i++;
-#endif
-#ifdef VENDORID_NATT_RFC
- if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_RFC)) != NULL)
- vid_natt_i++;
-#endif
- }
-#endif
-
- /* set SA payload to propose */
- plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA);
-
- /* create isakmp ID payload */
- plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
-
- /* create isakmp NONCE payload */
- plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
-
-#ifdef ENABLE_FRAG
- if (vid_frag)
- plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID);
-#endif
-#ifdef ENABLE_HYBRID
- if (vid_xauth)
- plist = isakmp_plist_append(plist,
- vid_xauth, ISAKMP_NPTYPE_VID);
- if (vid_unity)
- plist = isakmp_plist_append(plist,
- vid_unity, ISAKMP_NPTYPE_VID);
-#endif
-#ifdef ENABLE_DPD
- if (iph1->rmconf->dpd) {
- vid_dpd = set_vendorid(VENDORID_DPD);
- if (vid_dpd != NULL)
- plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID);
- }
-#endif
-#ifdef ENABLE_NATT
- /* set VID payload for NAT-T */
- for (i = 0; i < vid_natt_i; i++)
- plist = isakmp_plist_append(plist, vid_natt[i], ISAKMP_NPTYPE_VID);
-#endif
- iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
-
-
-#ifdef HAVE_PRINT_ISAKMP_C
- isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
-#endif
-
- /* send the packet, add to the schedule to resend */
- iph1->retry_counter = iph1->rmconf->retry_counter;
- if (isakmp_ph1resend(iph1) == -1)
- goto end;
-
- iph1->status = PHASE1ST_MSG1SENT;
-
- error = 0;
-
-end:
-#ifdef ENABLE_FRAG
- if (vid_frag)
- vfree(vid_frag);
-#endif
-#ifdef ENABLE_NATT
- for (i = 0; i < vid_natt_i; i++)
- vfree(vid_natt[i]);
-#endif
-#ifdef ENABLE_HYBRID
- if (vid_xauth != NULL)
- vfree(vid_xauth);
- if (vid_unity != NULL)
- vfree(vid_unity);
-#endif
-#ifdef ENABLE_DPD
- if (vid_dpd != NULL)
- vfree(vid_dpd);
-#endif
-
- return error;
-}
-
-/*
- * receive from responder
- * psk: HDR, SA, Idir, Nr_b
- * sig: HDR, SA, Idir, Nr_b, [ CR ]
- * rsa: HDR, SA, <IDir_b>PubKey_i, <Nr_b>PubKey_i
- * rev: HDR, SA, <Nr_b>PubKey_i, <IDir_b>Ke_r
- */
-int
-base_i2recv(iph1, msg)
- struct ph1handle *iph1;
- vchar_t *msg;
-{
- vchar_t *pbuf = NULL;
- struct isakmp_parse_t *pa;
- vchar_t *satmp = NULL;
- int error = -1;
- int vid_numeric;
-#ifdef ENABLE_HYBRID
- vchar_t *unity_vid;
- vchar_t *xauth_vid;
-#endif
-
- /* validity check */
- if (iph1->status != PHASE1ST_MSG1SENT) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph1->status);
- goto end;
- }
-
- /* validate the type of next payload */
- pbuf = isakmp_parse(msg);
- if (pbuf == NULL)
- goto end;
- pa = (struct isakmp_parse_t *)pbuf->v;
-
- /* SA payload is fixed postion */
- if (pa->type != ISAKMP_NPTYPE_SA) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "received invalid next payload type %d, "
- "expecting %d.\n",
- pa->type, ISAKMP_NPTYPE_SA);
- goto end;
- }
- if (isakmp_p2ph(&satmp, pa->ptr) < 0)
- goto end;
- pa++;
-
- for (/*nothing*/;
- pa->type != ISAKMP_NPTYPE_NONE;
- pa++) {
-
- switch (pa->type) {
- case ISAKMP_NPTYPE_NONCE:
- if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0)
- goto end;
- break;
- case ISAKMP_NPTYPE_ID:
- if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0)
- goto end;
- break;
- case ISAKMP_NPTYPE_VID:
- handle_vendorid(iph1, pa->ptr);
- break;
- default:
- /* don't send information, see ident_r1recv() */
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "ignore the packet, "
- "received unexpecting payload type %d.\n",
- pa->type);
- goto end;
- }
- }
-
- if (iph1->nonce_p == NULL || iph1->id_p == NULL) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "few isakmp message received.\n");
- goto end;
- }
-
- /* verify identifier */
- if (ipsecdoi_checkid1(iph1) != 0) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "invalid ID payload.\n");
- goto end;
- }
-
-#ifdef ENABLE_NATT
- if (NATT_AVAILABLE(iph1))
- plog(LLV_INFO, LOCATION, iph1->remote,
- "Selected NAT-T version: %s\n",
- vid_string_by_id(iph1->natt_options->version));
-#endif
-
- /* check SA payload and set approval SA for use */
- if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "failed to get valid proposal.\n");
- /* XXX send information */
- goto end;
- }
- VPTRINIT(iph1->sa_ret);
-
- iph1->status = PHASE1ST_MSG2RECEIVED;
-
- error = 0;
-
-end:
- if (pbuf)
- vfree(pbuf);
- if (satmp)
- vfree(satmp);
-
- if (error) {
- VPTRINIT(iph1->nonce_p);
- VPTRINIT(iph1->id_p);
- }
-
- return error;
-}
-
-/*
- * send to responder
- * psk: HDR, KE, HASH_I
- * sig: HDR, KE, [ CR, ] [CERT,] SIG_I
- * rsa: HDR, KE, HASH_I
- * rev: HDR, <KE>Ke_i, HASH_I
- */
-int
-base_i2send(iph1, msg)
- struct ph1handle *iph1;
- vchar_t *msg;
-{
- struct payload_list *plist = NULL;
- vchar_t *vid = NULL;
- int need_cert = 0;
- int error = -1;
-
- /* validity check */
- if (iph1->status != PHASE1ST_MSG2RECEIVED) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph1->status);
- goto end;
- }
-
- /* fix isakmp index */
- memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck,
- sizeof(cookie_t));
-
- /* generate DH public value */
- if (oakley_dh_generate(iph1->approval->dhgrp,
- &iph1->dhpub, &iph1->dhpriv) < 0)
- goto end;
-
- /* generate SKEYID to compute hash if not signature mode */
- switch (AUTHMETHOD(iph1)) {
- case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
- case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
-#ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
-#endif
- break;
- default:
- if (oakley_skeyid(iph1) < 0)
- goto end;
- break;
- }
-
- /* generate HASH to send */
- plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n");
- iph1->hash = oakley_ph1hash_base_i(iph1, GENERATE);
- if (iph1->hash == NULL)
- goto end;
- switch (AUTHMETHOD(iph1)) {
- case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
-#ifdef ENABLE_HYBRID
- case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
-#endif
- vid = set_vendorid(iph1->approval->vendorid);
-
- /* create isakmp KE payload */
- plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
-
- /* create isakmp HASH payload */
- plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH);
-
- /* append vendor id, if needed */
- if (vid)
- plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID);
- break;
- case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
- case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
-#ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
-#endif
- /* XXX if there is CR or not ? */
-
- if (oakley_getmycert(iph1) < 0)
- goto end;
-
- if (oakley_getsign(iph1) < 0)
- goto end;
-
- if (iph1->cert && iph1->rmconf->send_cert)
- need_cert = 1;
-
- /* create isakmp KE payload */
- plist = isakmp_plist_append(plist,
- iph1->dhpub, ISAKMP_NPTYPE_KE);
-
- /* add CERT payload if there */
- if (need_cert)
- plist = isakmp_plist_append(plist,
- iph1->cert->pl, ISAKMP_NPTYPE_CERT);
-
- /* add SIG payload */
- plist = isakmp_plist_append(plist,
- iph1->sig, ISAKMP_NPTYPE_SIG);
-
- break;
-#ifdef HAVE_GSSAPI
- case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
- /* ... */
- break;
-#endif
- case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
- case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
-#ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
-#endif
- break;
- }
-
-#ifdef ENABLE_NATT
- /* generate NAT-D payloads */
- if (NATT_AVAILABLE(iph1))
- {
- vchar_t *natd[2] = { NULL, NULL };
-
- plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
- if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "NAT-D hashing failed for %s\n", saddr2str(iph1->remote));
- goto end;
- }
-
- if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "NAT-D hashing failed for %s\n", saddr2str(iph1->local));
- goto end;
- }
-
- plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
- plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
- }
-#endif
-
- iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
-
-#ifdef HAVE_PRINT_ISAKMP_C
- isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
-#endif
-
- /* send the packet, add to the schedule to resend */
- iph1->retry_counter = iph1->rmconf->retry_counter;
- if (isakmp_ph1resend(iph1) == -1)
- goto end;
-
- /* the sending message is added to the received-list. */
- if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
- plog(LLV_ERROR , LOCATION, NULL,
- "failed to add a response packet to the tree.\n");
- goto end;
- }
-
- iph1->status = PHASE1ST_MSG2SENT;
-
- error = 0;
-
-end:
- if (vid)
- vfree(vid);
- return error;
-}
-
-/*
- * receive from responder
- * psk: HDR, KE, HASH_R
- * sig: HDR, KE, [CERT,] SIG_R
- * rsa: HDR, KE, HASH_R
- * rev: HDR, <KE>_Ke_r, HASH_R
- */
-int
-base_i3recv(iph1, msg)
- struct ph1handle *iph1;
- vchar_t *msg;
-{
- vchar_t *pbuf = NULL;
- struct isakmp_parse_t *pa;
- int error = -1;
- int ptype;
-#ifdef ENABLE_NATT
- vchar_t *natd_received;
- int natd_seq = 0, natd_verified;
-#endif
-
- /* validity check */
- if (iph1->status != PHASE1ST_MSG2SENT) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph1->status);
- goto end;
- }
-
- /* validate the type of next payload */
- pbuf = isakmp_parse(msg);
- if (pbuf == NULL)
- goto end;
-
- for (pa = (struct isakmp_parse_t *)pbuf->v;
- pa->type != ISAKMP_NPTYPE_NONE;
- pa++) {
-
- switch (pa->type) {
- case ISAKMP_NPTYPE_KE:
- if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0)
- goto end;
- break;
- case ISAKMP_NPTYPE_HASH:
- iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
- break;
- case ISAKMP_NPTYPE_CERT:
- if (oakley_savecert(iph1, pa->ptr) < 0)
- goto end;
- break;
- case ISAKMP_NPTYPE_SIG:
- if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0)
- goto end;
- break;
- case ISAKMP_NPTYPE_VID:
- handle_vendorid(iph1, pa->ptr);
- break;
-
-#ifdef ENABLE_NATT
- case ISAKMP_NPTYPE_NATD_DRAFT:
- case ISAKMP_NPTYPE_NATD_RFC:
- if (NATT_AVAILABLE(iph1) && iph1->natt_options &&
- pa->type == iph1->natt_options->payload_nat_d) {
- natd_received = NULL;
- if (isakmp_p2ph (&natd_received, pa->ptr) < 0)
- goto end;
-
- /* set both bits first so that we can clear them
- upon verifying hashes */
- if (natd_seq == 0)
- iph1->natt_flags |= NAT_DETECTED;
-
- /* this function will clear appropriate bits bits
- from iph1->natt_flags */
- natd_verified = natt_compare_addr_hash (iph1,
- natd_received, natd_seq++);
-
- plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
- natd_seq - 1,
- natd_verified ? "verified" : "doesn't match");
-
- vfree (natd_received);
- break;
- }
- /* passthrough to default... */
-#endif
-
- default:
- /* don't send information, see ident_r1recv() */
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "ignore the packet, "
- "received unexpecting payload type %d.\n",
- pa->type);
- goto end;
- }
- }
-
-#ifdef ENABLE_NATT
- if (NATT_AVAILABLE(iph1)) {
- plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
- iph1->natt_flags & NAT_DETECTED ?
- "detected:" : "not detected",
- iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
- iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
- if (iph1->natt_flags & NAT_DETECTED)
- natt_float_ports (iph1);
- }
-#endif
-
- /* payload existency check */
- /* validate authentication value */
- ptype = oakley_validate_auth(iph1);
- if (ptype != 0) {
- if (ptype == -1) {
- /* message printed inner oakley_validate_auth() */
- goto end;
- }
- EVT_PUSH(iph1->local, iph1->remote,
- EVTT_PEERPH1AUTH_FAILED, NULL);
- isakmp_info_send_n1(iph1, ptype, NULL);
- goto end;
- }
-
- /* compute sharing secret of DH */
- if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
- iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
- goto end;
-
- /* generate SKEYID to compute hash if signature mode */
- switch (AUTHMETHOD(iph1)) {
- case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
- case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
-#ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
-#endif
- if (oakley_skeyid(iph1) < 0)
- goto end;
- break;
- default:
- break;
- }
-
- /* generate SKEYIDs & IV & final cipher key */
- if (oakley_skeyid_dae(iph1) < 0)
- goto end;
- if (oakley_compute_enckey(iph1) < 0)
- goto end;
- if (oakley_newiv(iph1) < 0)
- goto end;
-
- /* see handler.h about IV synchronization. */
- memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l);
-
- /* set encryption flag */
- iph1->flags |= ISAKMP_FLAG_E;
-
- iph1->status = PHASE1ST_MSG3RECEIVED;
-
- error = 0;
-
-end:
- if (pbuf)
- vfree(pbuf);
-
- if (error) {
- VPTRINIT(iph1->dhpub_p);
- oakley_delcert(iph1->cert_p);
- iph1->cert_p = NULL;
- oakley_delcert(iph1->crl_p);
- iph1->crl_p = NULL;
- VPTRINIT(iph1->sig_p);
- }
-
- return error;
-}
-
-/*
- * status update and establish isakmp sa.
- */
-int
-base_i3send(iph1, msg)
- struct ph1handle *iph1;
- vchar_t *msg;
-{
- int error = -1;
-
- /* validity check */
- if (iph1->status != PHASE1ST_MSG3RECEIVED) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph1->status);
- goto end;
- }
-
- iph1->status = PHASE1ST_ESTABLISHED;
-
- error = 0;
-
-end:
- return error;
-}
-
-/*
- * receive from initiator
- * psk: HDR, SA, Idii, Ni_b
- * sig: HDR, SA, Idii, Ni_b
- * rsa: HDR, SA, [HASH(1),] <IDii_b>Pubkey_r, <Ni_b>Pubkey_r
- * rev: HDR, SA, [HASH(1),] <Ni_b>Pubkey_r, <IDii_b>Ke_i
- */
-int
-base_r1recv(iph1, msg)
- struct ph1handle *iph1;
- vchar_t *msg;
-{
- vchar_t *pbuf = NULL;
- struct isakmp_parse_t *pa;
- int error = -1;
- int vid_numeric;
-
- /* validity check */
- if (iph1->status != PHASE1ST_START) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph1->status);
- goto end;
- }
-
- /* validate the type of next payload */
- /*
- * NOTE: XXX even if multiple VID, we'll silently ignore those.
- */
- pbuf = isakmp_parse(msg);
- if (pbuf == NULL)
- goto end;
- pa = (struct isakmp_parse_t *)pbuf->v;
-
- /* check the position of SA payload */
- if (pa->type != ISAKMP_NPTYPE_SA) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "received invalid next payload type %d, "
- "expecting %d.\n",
- pa->type, ISAKMP_NPTYPE_SA);
- goto end;
- }
- if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0)
- goto end;
- pa++;
-
- for (/*nothing*/;
- pa->type != ISAKMP_NPTYPE_NONE;
- pa++) {
-
- switch (pa->type) {
- case ISAKMP_NPTYPE_NONCE:
- if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0)
- goto end;
- break;
- case ISAKMP_NPTYPE_ID:
- if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0)
- goto end;
- break;
- case ISAKMP_NPTYPE_VID:
- vid_numeric = handle_vendorid(iph1, pa->ptr);
-#ifdef ENABLE_FRAG
- if ((vid_numeric == VENDORID_FRAG) &&
- (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_BASE))
- iph1->frag = 1;
-#endif
- break;
- default:
- /* don't send information, see ident_r1recv() */
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "ignore the packet, "
- "received unexpecting payload type %d.\n",
- pa->type);
- goto end;
- }
- }
-
- if (iph1->nonce_p == NULL || iph1->id_p == NULL) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "few isakmp message received.\n");
- goto end;
- }
-
- /* verify identifier */
- if (ipsecdoi_checkid1(iph1) != 0) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "invalid ID payload.\n");
- goto end;
- }
-
-#ifdef ENABLE_NATT
- if (NATT_AVAILABLE(iph1))
- plog(LLV_INFO, LOCATION, iph1->remote,
- "Selected NAT-T version: %s\n",
- vid_string_by_id(iph1->natt_options->version));
-#endif
-
- /* check SA payload and set approval SA for use */
- if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "failed to get valid proposal.\n");
- /* XXX send information */
- goto end;
- }
-
- iph1->status = PHASE1ST_MSG1RECEIVED;
-
- error = 0;
-
-end:
- if (pbuf)
- vfree(pbuf);
-
- if (error) {
- VPTRINIT(iph1->sa);
- VPTRINIT(iph1->nonce_p);
- VPTRINIT(iph1->id_p);
- }
-
- return error;
-}
-
-/*
- * send to initiator
- * psk: HDR, SA, Idir, Nr_b
- * sig: HDR, SA, Idir, Nr_b, [ CR ]
- * rsa: HDR, SA, <IDir_b>PubKey_i, <Nr_b>PubKey_i
- * rev: HDR, SA, <Nr_b>PubKey_i, <IDir_b>Ke_r
- */
-int
-base_r1send(iph1, msg)
- struct ph1handle *iph1;
- vchar_t *msg;
-{
- struct payload_list *plist = NULL;
- int error = -1;
-#ifdef ENABLE_NATT
- vchar_t *vid_natt = NULL;
-#endif
-#ifdef ENABLE_HYBRID
- vchar_t *vid_xauth = NULL;
- vchar_t *vid_unity = NULL;
-#endif
-#ifdef ENABLE_FRAG
- vchar_t *vid_frag = NULL;
-#endif
-#ifdef ENABLE_DPD
- vchar_t *vid_dpd = NULL;
-#endif
-
- /* validity check */
- if (iph1->status != PHASE1ST_MSG1RECEIVED) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph1->status);
- goto end;
- }
-
- /* set responder's cookie */
- isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local);
-
- /* make ID payload into isakmp status */
- if (ipsecdoi_setid1(iph1) < 0)
- goto end;
-
- /* generate NONCE value */
- iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
- if (iph1->nonce == NULL)
- goto end;
-
- /* set SA payload to reply */
- plist = isakmp_plist_append(plist, iph1->sa_ret, ISAKMP_NPTYPE_SA);
-
- /* create isakmp ID payload */
- plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
-
- /* create isakmp NONCE payload */
- plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
-
-#ifdef ENABLE_NATT
- /* has the peer announced nat-t? */
- if (NATT_AVAILABLE(iph1))
- vid_natt = set_vendorid(iph1->natt_options->version);
- if (vid_natt)
- plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID);
-#endif
-#ifdef ENABLE_HYBRID
- if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
- plog (LLV_INFO, LOCATION, NULL, "Adding xauth VID payload.\n");
- if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot create Xauth vendor ID\n");
- goto end;
- }
- plist = isakmp_plist_append(plist,
- vid_xauth, ISAKMP_NPTYPE_VID);
- }
-
- if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) {
- if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot create Unity vendor ID\n");
- goto end;
- }
- plist = isakmp_plist_append(plist,
- vid_unity, ISAKMP_NPTYPE_VID);
- }
-#endif
-#ifdef ENABLE_DPD
- /*
- * Only send DPD support if remote announced DPD
- * and if DPD support is active
- */
- if (iph1->dpd_support && iph1->rmconf->dpd) {
- if ((vid_dpd = set_vendorid(VENDORID_DPD)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "DPD vendorID construction failed\n");
- } else {
- plist = isakmp_plist_append(plist, vid_dpd,
- ISAKMP_NPTYPE_VID);
- }
- }
-#endif
-#ifdef ENABLE_FRAG
- if (iph1->rmconf->ike_frag) {
- if ((vid_frag = set_vendorid(VENDORID_FRAG)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Frag vendorID construction failed\n");
- } else {
- vid_frag = isakmp_frag_addcap(vid_frag,
- VENDORID_FRAG_BASE);
- plist = isakmp_plist_append(plist,
- vid_frag, ISAKMP_NPTYPE_VID);
- }
- }
-#endif
-
- iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
-
-#ifdef HAVE_PRINT_ISAKMP_C
- isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
-#endif
-
- /* send the packet, add to the schedule to resend */
- iph1->retry_counter = iph1->rmconf->retry_counter;
- if (isakmp_ph1resend(iph1) == -1) {
- iph1 = NULL;
- goto end;
- }
-
- /* the sending message is added to the received-list. */
- if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
- plog(LLV_ERROR , LOCATION, NULL,
- "failed to add a response packet to the tree.\n");
- goto end;
- }
-
- iph1->status = PHASE1ST_MSG1SENT;
-
- error = 0;
-
-end:
-#ifdef ENABLE_NATT
- if (vid_natt)
- vfree(vid_natt);
-#endif
-#ifdef ENABLE_HYBRID
- if (vid_xauth != NULL)
- vfree(vid_xauth);
- if (vid_unity != NULL)
- vfree(vid_unity);
-#endif
-#ifdef ENABLE_FRAG
- if (vid_frag)
- vfree(vid_frag);
-#endif
-#ifdef ENABLE_DPD
- if (vid_dpd)
- vfree(vid_dpd);
-#endif
-
- if (iph1 != NULL)
- VPTRINIT(iph1->sa_ret);
-
- return error;
-}
-
-/*
- * receive from initiator
- * psk: HDR, KE, HASH_I
- * sig: HDR, KE, [ CR, ] [CERT,] SIG_I
- * rsa: HDR, KE, HASH_I
- * rev: HDR, <KE>Ke_i, HASH_I
- */
-int
-base_r2recv(iph1, msg)
- struct ph1handle *iph1;
- vchar_t *msg;
-{
- vchar_t *pbuf = NULL;
- struct isakmp_parse_t *pa;
- int error = -1;
- int ptype;
-#ifdef ENABLE_NATT
- int natd_seq = 0;
-#endif
-
- /* validity check */
- if (iph1->status != PHASE1ST_MSG1SENT) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph1->status);
- goto end;
- }
-
- /* validate the type of next payload */
- pbuf = isakmp_parse(msg);
- if (pbuf == NULL)
- goto end;
-
- iph1->pl_hash = NULL;
-
- for (pa = (struct isakmp_parse_t *)pbuf->v;
- pa->type != ISAKMP_NPTYPE_NONE;
- pa++) {
-
- switch (pa->type) {
- case ISAKMP_NPTYPE_KE:
- if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0)
- goto end;
- break;
- case ISAKMP_NPTYPE_HASH:
- iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
- break;
- case ISAKMP_NPTYPE_CERT:
- if (oakley_savecert(iph1, pa->ptr) < 0)
- goto end;
- break;
- case ISAKMP_NPTYPE_SIG:
- if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0)
- goto end;
- break;
- case ISAKMP_NPTYPE_VID:
- handle_vendorid(iph1, pa->ptr);
- break;
-
-#ifdef ENABLE_NATT
- case ISAKMP_NPTYPE_NATD_DRAFT:
- case ISAKMP_NPTYPE_NATD_RFC:
- if (pa->type == iph1->natt_options->payload_nat_d)
- {
- vchar_t *natd_received = NULL;
- int natd_verified;
-
- if (isakmp_p2ph (&natd_received, pa->ptr) < 0)
- goto end;
-
- if (natd_seq == 0)
- iph1->natt_flags |= NAT_DETECTED;
-
- natd_verified = natt_compare_addr_hash (iph1,
- natd_received, natd_seq++);
-
- plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
- natd_seq - 1,
- natd_verified ? "verified" : "doesn't match");
-
- vfree (natd_received);
- break;
- }
- /* passthrough to default... */
-#endif
-
- default:
- /* don't send information, see ident_r1recv() */
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "ignore the packet, "
- "received unexpecting payload type %d.\n",
- pa->type);
- goto end;
- }
- }
-
- /* generate DH public value */
- if (oakley_dh_generate(iph1->approval->dhgrp,
- &iph1->dhpub, &iph1->dhpriv) < 0)
- goto end;
-
- /* compute sharing secret of DH */
- if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
- iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
- goto end;
-
- /* generate SKEYID */
- if (oakley_skeyid(iph1) < 0)
- goto end;
-
-#ifdef ENABLE_NATT
- if (NATT_AVAILABLE(iph1))
- plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
- iph1->natt_flags & NAT_DETECTED ?
- "detected:" : "not detected",
- iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
- iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
-#endif
-
- /* payload existency check */
- /* validate authentication value */
- ptype = oakley_validate_auth(iph1);
- if (ptype != 0) {
- if (ptype == -1) {
- /* message printed inner oakley_validate_auth() */
- goto end;
- }
- EVT_PUSH(iph1->local, iph1->remote,
- EVTT_PEERPH1AUTH_FAILED, NULL);
- isakmp_info_send_n1(iph1, ptype, NULL);
- goto end;
- }
-
- iph1->status = PHASE1ST_MSG2RECEIVED;
-
- error = 0;
-
-end:
- if (pbuf)
- vfree(pbuf);
-
- if (error) {
- VPTRINIT(iph1->dhpub_p);
- oakley_delcert(iph1->cert_p);
- iph1->cert_p = NULL;
- oakley_delcert(iph1->crl_p);
- iph1->crl_p = NULL;
- VPTRINIT(iph1->sig_p);
- }
-
- return error;
-}
-
-/*
- * send to initiator
- * psk: HDR, KE, HASH_R
- * sig: HDR, KE, [CERT,] SIG_R
- * rsa: HDR, KE, HASH_R
- * rev: HDR, <KE>_Ke_r, HASH_R
- */
-int
-base_r2send(iph1, msg)
- struct ph1handle *iph1;
- vchar_t *msg;
-{
- struct payload_list *plist = NULL;
- vchar_t *vid = NULL;
- int need_cert = 0;
- int error = -1;
-
- /* validity check */
- if (iph1->status != PHASE1ST_MSG2RECEIVED) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph1->status);
- goto end;
- }
-
- /* generate HASH to send */
- plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_I\n");
- switch (AUTHMETHOD(iph1)) {
- case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
-#ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
-#endif
- case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
- case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
-#ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
-#endif
- iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
- break;
- case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
- case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
-#ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
-#endif
-#ifdef HAVE_GSSAPI
- case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
-#endif
- iph1->hash = oakley_ph1hash_base_r(iph1, GENERATE);
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid authentication method %d\n",
- iph1->approval->authmethod);
- goto end;
- }
- if (iph1->hash == NULL)
- goto end;
-
- switch (AUTHMETHOD(iph1)) {
- case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
-#ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
-#endif
- vid = set_vendorid(iph1->approval->vendorid);
-
- /* create isakmp KE payload */
- plist = isakmp_plist_append(plist,
- iph1->dhpub, ISAKMP_NPTYPE_KE);
-
- /* create isakmp HASH payload */
- plist = isakmp_plist_append(plist,
- iph1->hash, ISAKMP_NPTYPE_HASH);
-
- /* append vendor id, if needed */
- if (vid)
- plist = isakmp_plist_append(plist,
- vid, ISAKMP_NPTYPE_VID);
- break;
- case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
- case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
-#ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
-#endif
- /* XXX if there is CR or not ? */
-
- if (oakley_getmycert(iph1) < 0)
- goto end;
-
- if (oakley_getsign(iph1) < 0)
- goto end;
-
- if (iph1->cert && iph1->rmconf->send_cert)
- need_cert = 1;
-
- /* create isakmp KE payload */
- plist = isakmp_plist_append(plist,
- iph1->dhpub, ISAKMP_NPTYPE_KE);
-
- /* add CERT payload if there */
- if (need_cert)
- plist = isakmp_plist_append(plist,
- iph1->cert->pl, ISAKMP_NPTYPE_CERT);
- /* add SIG payload */
- plist = isakmp_plist_append(plist,
- iph1->sig, ISAKMP_NPTYPE_SIG);
- break;
-#ifdef HAVE_GSSAPI
- case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
- /* ... */
- break;
-#endif
- case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
- case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
-#ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
-#endif
- break;
- }
-
-#ifdef ENABLE_NATT
- /* generate NAT-D payloads */
- if (NATT_AVAILABLE(iph1)) {
- vchar_t *natd[2] = { NULL, NULL };
-
- plog(LLV_INFO, LOCATION,
- NULL, "Adding remote and local NAT-D payloads.\n");
- if ((natd[0] = natt_hash_addr(iph1, iph1->remote)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "NAT-D hashing failed for %s\n",
- saddr2str(iph1->remote));
- goto end;
- }
-
- if ((natd[1] = natt_hash_addr(iph1, iph1->local)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "NAT-D hashing failed for %s\n",
- saddr2str(iph1->local));
- goto end;
- }
-
- plist = isakmp_plist_append(plist,
- natd[0], iph1->natt_options->payload_nat_d);
- plist = isakmp_plist_append(plist,
- natd[1], iph1->natt_options->payload_nat_d);
- }
-#endif
-
- iph1->sendbuf = isakmp_plist_set_all(&plist, iph1);
-
-#ifdef HAVE_PRINT_ISAKMP_C
- isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
-#endif
-
- /* send HDR;KE;NONCE to responder */
- if (isakmp_send(iph1, iph1->sendbuf) < 0)
- goto end;
-
- /* the sending message is added to the received-list. */
- if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
- plog(LLV_ERROR , LOCATION, NULL,
- "failed to add a response packet to the tree.\n");
- goto end;
- }
-
- /* generate SKEYIDs & IV & final cipher key */
- if (oakley_skeyid_dae(iph1) < 0)
- goto end;
- if (oakley_compute_enckey(iph1) < 0)
- goto end;
- if (oakley_newiv(iph1) < 0)
- goto end;
-
- /* set encryption flag */
- iph1->flags |= ISAKMP_FLAG_E;
-
- iph1->status = PHASE1ST_ESTABLISHED;
-
- error = 0;
-
-end:
- if (vid)
- vfree(vid);
- return error;
-}
diff --git a/src/racoon/isakmp_base.h b/src/racoon/isakmp_base.h
deleted file mode 100644
index 560880e..0000000
--- a/src/racoon/isakmp_base.h
+++ /dev/null
@@ -1,48 +0,0 @@
-/* $NetBSD: isakmp_base.h,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* Id: isakmp_base.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _ISAKMP_BASE_H
-#define _ISAKMP_BASE_H
-
-extern int base_i1send __P((struct ph1handle *, vchar_t *));
-extern int base_i2recv __P((struct ph1handle *, vchar_t *));
-extern int base_i2send __P((struct ph1handle *, vchar_t *));
-extern int base_i3recv __P((struct ph1handle *, vchar_t *));
-extern int base_i3send __P((struct ph1handle *, vchar_t *));
-
-extern int base_r1recv __P((struct ph1handle *, vchar_t *));
-extern int base_r1send __P((struct ph1handle *, vchar_t *));
-extern int base_r2recv __P((struct ph1handle *, vchar_t *));
-extern int base_r2send __P((struct ph1handle *, vchar_t *));
-
-#endif /* _ISAKMP_BASE_H */
diff --git a/src/racoon/isakmp_cfg.c b/src/racoon/isakmp_cfg.c
deleted file mode 100644
index fa127dc..0000000
--- a/src/racoon/isakmp_cfg.c
+++ /dev/null
@@ -1,2194 +0,0 @@
-/* $NetBSD: isakmp_cfg.c,v 1.12.6.4 2008/11/27 15:25:20 vanhu Exp $ */
-
-/* Id: isakmp_cfg.c,v 1.55 2006/08/22 18:17:17 manubsd Exp */
-
-/*
- * Copyright (C) 2004-2006 Emmanuel Dreyfus
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/queue.h>
-
-#ifndef ANDROID_PATCHED
-#include <utmp.h>
-#endif
-#if defined(__APPLE__) && defined(__MACH__)
-#include <util.h>
-#endif
-
-#ifdef __FreeBSD__
-# include <libutil.h>
-#endif
-#ifdef __NetBSD__
-# include <util.h>
-#endif
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#if TIME_WITH_SYS_TIME
-# include <sys/time.h>
-# include <time.h>
-#else
-# if HAVE_SYS_TIME_H
-# include <sys/time.h>
-# else
-# include <time.h>
-# endif
-#endif
-#include <netdb.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-#if HAVE_STDINT_H
-#include <stdint.h>
-#endif
-#include <ctype.h>
-#include <resolv.h>
-
-#ifdef HAVE_LIBRADIUS
-#include <sys/utsname.h>
-#include <radlib.h>
-#endif
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "sockmisc.h"
-#include "schedule.h"
-#include "debug.h"
-
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "handler.h"
-#include "evt.h"
-#include "throttle.h"
-#include "remoteconf.h"
-#include "crypto_openssl.h"
-#include "isakmp_inf.h"
-#include "isakmp_xauth.h"
-#include "isakmp_unity.h"
-#include "isakmp_cfg.h"
-#include "strnames.h"
-#include "admin.h"
-#include "privsep.h"
-
-struct isakmp_cfg_config isakmp_cfg_config;
-
-static vchar_t *buffer_cat(vchar_t *s, vchar_t *append);
-static vchar_t *isakmp_cfg_net(struct ph1handle *, struct isakmp_data *);
-#if 0
-static vchar_t *isakmp_cfg_void(struct ph1handle *, struct isakmp_data *);
-#endif
-static vchar_t *isakmp_cfg_addr4(struct ph1handle *,
- struct isakmp_data *, in_addr_t *);
-static void isakmp_cfg_getaddr4(struct isakmp_data *, struct in_addr *);
-static vchar_t *isakmp_cfg_addr4_list(struct ph1handle *,
- struct isakmp_data *, in_addr_t *, int);
-static void isakmp_cfg_appendaddr4(struct isakmp_data *,
- struct in_addr *, int *, int);
-static void isakmp_cfg_getstring(struct isakmp_data *,char *);
-void isakmp_cfg_iplist_to_str(char *, int, void *, int);
-
-#define ISAKMP_CFG_LOGIN 1
-#define ISAKMP_CFG_LOGOUT 2
-static int isakmp_cfg_accounting(struct ph1handle *, int);
-#ifdef HAVE_LIBRADIUS
-static int isakmp_cfg_accounting_radius(struct ph1handle *, int);
-#endif
-
-/*
- * Handle an ISAKMP config mode packet
- * We expect HDR, HASH, ATTR
- */
-void
-isakmp_cfg_r(iph1, msg)
- struct ph1handle *iph1;
- vchar_t *msg;
-{
- struct isakmp *packet;
- struct isakmp_gen *ph;
- int tlen;
- char *npp;
- int np;
- vchar_t *dmsg;
- struct isakmp_ivm *ivm;
-
- /* Check that the packet is long enough to have a header */
- if (msg->l < sizeof(*packet)) {
- plog(LLV_ERROR, LOCATION, NULL, "Unexpected short packet\n");
- return;
- }
-
- packet = (struct isakmp *)msg->v;
-
- /* Is it encrypted? It should be encrypted */
- if ((packet->flags & ISAKMP_FLAG_E) == 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "User credentials sent in cleartext!\n");
- return;
- }
-
- /*
- * Decrypt the packet. If this is the beginning of a new
- * exchange, reinitialize the IV
- */
- if (iph1->mode_cfg->ivm == NULL ||
- iph1->mode_cfg->last_msgid != packet->msgid )
- iph1->mode_cfg->ivm =
- isakmp_cfg_newiv(iph1, packet->msgid);
- ivm = iph1->mode_cfg->ivm;
-
- dmsg = oakley_do_decrypt(iph1, msg, ivm->iv, ivm->ive);
- if (dmsg == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to decrypt message\n");
- return;
- }
-
- plog(LLV_DEBUG, LOCATION, NULL, "MODE_CFG packet\n");
- plogdump(LLV_DEBUG, dmsg->v, dmsg->l);
-
- /* Now work with the decrypted packet */
- packet = (struct isakmp *)dmsg->v;
- tlen = dmsg->l - sizeof(*packet);
- ph = (struct isakmp_gen *)(packet + 1);
-
- np = packet->np;
- while ((tlen > 0) && (np != ISAKMP_NPTYPE_NONE)) {
- /* Check that the payload header fits in the packet */
- if (tlen < sizeof(*ph)) {
- plog(LLV_WARNING, LOCATION, NULL,
- "Short payload header\n");
- goto out;
- }
-
- /* Check that the payload fits in the packet */
- if (tlen < ntohs(ph->len)) {
- plog(LLV_WARNING, LOCATION, NULL,
- "Short payload\n");
- goto out;
- }
-
- plog(LLV_DEBUG, LOCATION, NULL, "Seen payload %d\n", np);
- plogdump(LLV_DEBUG, ph, ntohs(ph->len));
-
- switch(np) {
- case ISAKMP_NPTYPE_HASH: {
- vchar_t *check;
- vchar_t *payload;
- size_t plen;
- struct isakmp_gen *nph;
-
- plen = ntohs(ph->len);
- nph = (struct isakmp_gen *)((char *)ph + plen);
- plen = ntohs(nph->len);
-
- if ((payload = vmalloc(plen)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot allocate memory\n");
- goto out;
- }
- memcpy(payload->v, nph, plen);
-
- if ((check = oakley_compute_hash1(iph1,
- packet->msgid, payload)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot compute hash\n");
- vfree(payload);
- goto out;
- }
-
- if (memcmp(ph + 1, check->v, check->l) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Hash verification failed\n");
- vfree(payload);
- vfree(check);
- goto out;
- }
- vfree(payload);
- vfree(check);
- break;
- }
- case ISAKMP_NPTYPE_ATTR: {
- struct isakmp_pl_attr *attrpl;
-
- attrpl = (struct isakmp_pl_attr *)ph;
- isakmp_cfg_attr_r(iph1, packet->msgid, attrpl);
-
- break;
- }
- default:
- plog(LLV_WARNING, LOCATION, NULL,
- "Unexpected next payload %d\n", np);
- /* Skip to the next payload */
- break;
- }
-
- /* Move to the next payload */
- np = ph->np;
- tlen -= ntohs(ph->len);
- npp = (char *)ph;
- ph = (struct isakmp_gen *)(npp + ntohs(ph->len));
- }
-
-out:
- vfree(dmsg);
-}
-
-int
-isakmp_cfg_attr_r(iph1, msgid, attrpl)
- struct ph1handle *iph1;
- u_int32_t msgid;
- struct isakmp_pl_attr *attrpl;
-{
- int type = attrpl->type;
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "Configuration exchange type %s\n", s_isakmp_cfg_ptype(type));
- switch (type) {
- case ISAKMP_CFG_ACK:
- /* ignore, but this is the time to reinit the IV */
- oakley_delivm(iph1->mode_cfg->ivm);
- iph1->mode_cfg->ivm = NULL;
- return 0;
- break;
-
- case ISAKMP_CFG_REPLY:
- return isakmp_cfg_reply(iph1, attrpl);
- break;
-
- case ISAKMP_CFG_REQUEST:
- iph1->msgid = msgid;
- return isakmp_cfg_request(iph1, attrpl);
- break;
-
- case ISAKMP_CFG_SET:
- iph1->msgid = msgid;
- return isakmp_cfg_set(iph1, attrpl);
- break;
-
- default:
- plog(LLV_WARNING, LOCATION, NULL,
- "Unepected configuration exchange type %d\n", type);
- return -1;
- break;
- }
-
- return 0;
-}
-
-int
-isakmp_cfg_reply(iph1, attrpl)
- struct ph1handle *iph1;
- struct isakmp_pl_attr *attrpl;
-{
- struct isakmp_data *attr;
- int tlen;
- size_t alen;
- char *npp;
- int type;
- struct sockaddr_in *sin;
- int error;
-
- tlen = ntohs(attrpl->h.len);
- attr = (struct isakmp_data *)(attrpl + 1);
- tlen -= sizeof(*attrpl);
-
- while (tlen > 0) {
- type = ntohs(attr->type);
-
- /* Handle short attributes */
- if ((type & ISAKMP_GEN_MASK) == ISAKMP_GEN_TV) {
- type &= ~ISAKMP_GEN_MASK;
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "Short attribute %s = %d\n",
- s_isakmp_cfg_type(type), ntohs(attr->lorv));
-
- switch (type) {
- case XAUTH_TYPE:
- if ((error = xauth_attr_reply(iph1,
- attr, ntohs(attrpl->id))) != 0)
- return error;
- break;
-
- default:
- plog(LLV_WARNING, LOCATION, NULL,
- "Ignored short attribute %s\n",
- s_isakmp_cfg_type(type));
- break;
- }
-
- tlen -= sizeof(*attr);
- attr++;
- continue;
- }
-
- type = ntohs(attr->type);
- alen = ntohs(attr->lorv);
-
- /* Check that the attribute fit in the packet */
- if (tlen < alen) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Short attribute %s\n",
- s_isakmp_cfg_type(type));
- return -1;
- }
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "Attribute %s, len %zu\n",
- s_isakmp_cfg_type(type), alen);
-
- switch(type) {
- case XAUTH_TYPE:
- case XAUTH_USER_NAME:
- case XAUTH_USER_PASSWORD:
- case XAUTH_PASSCODE:
- case XAUTH_MESSAGE:
- case XAUTH_CHALLENGE:
- case XAUTH_DOMAIN:
- case XAUTH_STATUS:
- case XAUTH_NEXT_PIN:
- case XAUTH_ANSWER:
- if ((error = xauth_attr_reply(iph1,
- attr, ntohs(attrpl->id))) != 0)
- return error;
- break;
- case INTERNAL_IP4_ADDRESS:
- isakmp_cfg_getaddr4(attr, &iph1->mode_cfg->addr4);
- iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_ADDR4;
- break;
- case INTERNAL_IP4_NETMASK:
- isakmp_cfg_getaddr4(attr, &iph1->mode_cfg->mask4);
- iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_MASK4;
- break;
- case INTERNAL_IP4_DNS:
- isakmp_cfg_appendaddr4(attr,
- &iph1->mode_cfg->dns4[iph1->mode_cfg->dns4_index],
- &iph1->mode_cfg->dns4_index, MAXNS);
- iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_DNS4;
- break;
- case INTERNAL_IP4_NBNS:
- isakmp_cfg_appendaddr4(attr,
- &iph1->mode_cfg->wins4[iph1->mode_cfg->wins4_index],
- &iph1->mode_cfg->wins4_index, MAXNS);
- iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_WINS4;
- break;
- case UNITY_DEF_DOMAIN:
- isakmp_cfg_getstring(attr,
- iph1->mode_cfg->default_domain);
- iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_DEFAULT_DOMAIN;
- break;
- case UNITY_SPLIT_INCLUDE:
- case UNITY_LOCAL_LAN:
- case UNITY_SPLITDNS_NAME:
- case UNITY_BANNER:
- case UNITY_SAVE_PASSWD:
- case UNITY_NATT_PORT:
- case UNITY_PFS:
- case UNITY_FW_TYPE:
- case UNITY_BACKUP_SERVERS:
- case UNITY_DDNS_HOSTNAME:
- isakmp_unity_reply(iph1, attr);
- break;
- case INTERNAL_IP4_SUBNET:
- case INTERNAL_ADDRESS_EXPIRY:
- default:
- plog(LLV_WARNING, LOCATION, NULL,
- "Ignored attribute %s\n",
- s_isakmp_cfg_type(type));
- break;
- }
-
- npp = (char *)attr;
- attr = (struct isakmp_data *)(npp + sizeof(*attr) + alen);
- tlen -= (sizeof(*attr) + alen);
- }
-
- /*
- * Call the SA up script hook now that we have the configuration
- * It is done at the end of phase 1 if ISAKMP mode config is not
- * requested.
- */
-
- if ((iph1->status == PHASE1ST_ESTABLISHED) &&
- iph1->rmconf->mode_cfg) {
- switch (AUTHMETHOD(iph1)) {
- case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
- /* Unimplemented */
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
- script_hook(iph1, SCRIPT_PHASE1_UP);
- break;
- default:
- break;
- }
- }
-
-
-#ifdef ENABLE_ADMINPORT
- {
- vchar_t *buf;
-
- alen = ntohs(attrpl->h.len) - sizeof(*attrpl);
- if ((buf = vmalloc(alen)) == NULL) {
- plog(LLV_WARNING, LOCATION, NULL,
- "Cannot allocate memory: %s\n", strerror(errno));
- } else {
- memcpy(buf->v, attrpl + 1, buf->l);
- EVT_PUSH(iph1->local, iph1->remote,
- EVTT_ISAKMP_CFG_DONE, buf);
- vfree(buf);
- }
- }
-#endif
-
- return 0;
-}
-
-int
-isakmp_cfg_request(iph1, attrpl)
- struct ph1handle *iph1;
- struct isakmp_pl_attr *attrpl;
-{
- struct isakmp_data *attr;
- int tlen;
- size_t alen;
- char *npp;
- vchar_t *payload;
- struct isakmp_pl_attr *reply;
- vchar_t *reply_attr;
- int type;
- int error = -1;
-
- if ((payload = vmalloc(sizeof(*reply))) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
- return -1;
- }
- memset(payload->v, 0, sizeof(*reply));
-
- tlen = ntohs(attrpl->h.len);
- attr = (struct isakmp_data *)(attrpl + 1);
- tlen -= sizeof(*attrpl);
-
- while (tlen > 0) {
- reply_attr = NULL;
- type = ntohs(attr->type);
-
- /* Handle short attributes */
- if ((type & ISAKMP_GEN_MASK) == ISAKMP_GEN_TV) {
- type &= ~ISAKMP_GEN_MASK;
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "Short attribute %s = %d\n",
- s_isakmp_cfg_type(type), ntohs(attr->lorv));
-
- switch (type) {
- case XAUTH_TYPE:
- reply_attr = isakmp_xauth_req(iph1, attr);
- break;
- default:
- plog(LLV_WARNING, LOCATION, NULL,
- "Ignored short attribute %s\n",
- s_isakmp_cfg_type(type));
- break;
- }
-
- tlen -= sizeof(*attr);
- attr++;
-
- if (reply_attr != NULL) {
- payload = buffer_cat(payload, reply_attr);
- vfree(reply_attr);
- }
-
- continue;
- }
-
- type = ntohs(attr->type);
- alen = ntohs(attr->lorv);
-
- /* Check that the attribute fit in the packet */
- if (tlen < alen) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Short attribute %s\n",
- s_isakmp_cfg_type(type));
- goto end;
- }
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "Attribute %s, len %zu\n",
- s_isakmp_cfg_type(type), alen);
-
- switch(type) {
- case INTERNAL_IP4_ADDRESS:
- case INTERNAL_IP4_NETMASK:
- case INTERNAL_IP4_DNS:
- case INTERNAL_IP4_NBNS:
- case INTERNAL_IP4_SUBNET:
- reply_attr = isakmp_cfg_net(iph1, attr);
- break;
-
- case XAUTH_TYPE:
- case XAUTH_USER_NAME:
- case XAUTH_USER_PASSWORD:
- case XAUTH_PASSCODE:
- case XAUTH_MESSAGE:
- case XAUTH_CHALLENGE:
- case XAUTH_DOMAIN:
- case XAUTH_STATUS:
- case XAUTH_NEXT_PIN:
- case XAUTH_ANSWER:
- reply_attr = isakmp_xauth_req(iph1, attr);
- break;
-
- case APPLICATION_VERSION:
- reply_attr = isakmp_cfg_string(iph1,
- attr, ISAKMP_CFG_RACOON_VERSION);
- break;
-
- case UNITY_BANNER:
- case UNITY_PFS:
- case UNITY_SAVE_PASSWD:
- case UNITY_DEF_DOMAIN:
- case UNITY_DDNS_HOSTNAME:
- case UNITY_FW_TYPE:
- case UNITY_SPLITDNS_NAME:
- case UNITY_SPLIT_INCLUDE:
- case UNITY_LOCAL_LAN:
- case UNITY_NATT_PORT:
- case UNITY_BACKUP_SERVERS:
- reply_attr = isakmp_unity_req(iph1, attr);
- break;
-
- case INTERNAL_ADDRESS_EXPIRY:
- default:
- plog(LLV_WARNING, LOCATION, NULL,
- "Ignored attribute %s\n",
- s_isakmp_cfg_type(type));
- break;
- }
-
- npp = (char *)attr;
- attr = (struct isakmp_data *)(npp + sizeof(*attr) + alen);
- tlen -= (sizeof(*attr) + alen);
-
- if (reply_attr != NULL) {
- payload = buffer_cat(payload, reply_attr);
- vfree(reply_attr);
- }
-
- }
-
- reply = (struct isakmp_pl_attr *)payload->v;
- reply->h.len = htons(payload->l);
- reply->type = ISAKMP_CFG_REPLY;
- reply->id = attrpl->id;
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "Sending MODE_CFG REPLY\n");
-
- error = isakmp_cfg_send(iph1, payload,
- ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 0);
-
- if (iph1->status == PHASE1ST_ESTABLISHED) {
- switch (AUTHMETHOD(iph1)) {
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
- /* Unimplemented */
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
- script_hook(iph1, SCRIPT_PHASE1_UP);
- break;
- default:
- break;
- }
- }
-
-end:
- vfree(payload);
-
- return error;
-}
-
-int
-isakmp_cfg_set(iph1, attrpl)
- struct ph1handle *iph1;
- struct isakmp_pl_attr *attrpl;
-{
- struct isakmp_data *attr;
- int tlen;
- size_t alen;
- char *npp;
- vchar_t *payload;
- struct isakmp_pl_attr *reply;
- vchar_t *reply_attr;
- int type;
- int error = -1;
-
- if ((payload = vmalloc(sizeof(*reply))) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
- return -1;
- }
- memset(payload->v, 0, sizeof(*reply));
-
- tlen = ntohs(attrpl->h.len);
- attr = (struct isakmp_data *)(attrpl + 1);
- tlen -= sizeof(*attrpl);
-
- /*
- * We should send ack for the attributes we accepted
- */
- while (tlen > 0) {
- reply_attr = NULL;
- type = ntohs(attr->type);
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "Attribute %s\n",
- s_isakmp_cfg_type(type & ~ISAKMP_GEN_MASK));
-
- switch (type & ~ISAKMP_GEN_MASK) {
- case XAUTH_STATUS:
- reply_attr = isakmp_xauth_set(iph1, attr);
- break;
- default:
- plog(LLV_DEBUG, LOCATION, NULL,
- "Unexpected SET attribute %s\n",
- s_isakmp_cfg_type(type & ~ISAKMP_GEN_MASK));
- break;
- }
-
- if (reply_attr != NULL) {
- payload = buffer_cat(payload, reply_attr);
- vfree(reply_attr);
- }
-
- /*
- * Move to next attribute. If we run out of the packet,
- * tlen becomes negative and we exit.
- */
- if ((type & ISAKMP_GEN_MASK) == ISAKMP_GEN_TV) {
- tlen -= sizeof(*attr);
- attr++;
- } else {
- alen = ntohs(attr->lorv);
- tlen -= (sizeof(*attr) + alen);
- npp = (char *)attr;
- attr = (struct isakmp_data *)
- (npp + sizeof(*attr) + alen);
- }
- }
-
- reply = (struct isakmp_pl_attr *)payload->v;
- reply->h.len = htons(payload->l);
- reply->type = ISAKMP_CFG_ACK;
- reply->id = attrpl->id;
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "Sending MODE_CFG ACK\n");
-
- error = isakmp_cfg_send(iph1, payload,
- ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 0);
-
- if (iph1->mode_cfg->flags & ISAKMP_CFG_DELETE_PH1) {
- if (iph1->status == PHASE1ST_ESTABLISHED)
- isakmp_info_send_d1(iph1);
- remph1(iph1);
- delph1(iph1);
- iph1 = NULL;
- }
-end:
- vfree(payload);
-
- /*
- * If required, request ISAKMP mode config information
- */
- if ((iph1 != NULL) && (iph1->rmconf->mode_cfg) && (error == 0))
- error = isakmp_cfg_getconfig(iph1);
-
- return error;
-}
-
-
-static vchar_t *
-buffer_cat(s, append)
- vchar_t *s;
- vchar_t *append;
-{
- vchar_t *new;
-
- new = vmalloc(s->l + append->l);
- if (new == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot allocate memory\n");
- return s;
- }
-
- memcpy(new->v, s->v, s->l);
- memcpy(new->v + s->l, append->v, append->l);
-
- vfree(s);
- return new;
-}
-
-static vchar_t *
-isakmp_cfg_net(iph1, attr)
- struct ph1handle *iph1;
- struct isakmp_data *attr;
-{
- int type;
- int confsource;
- in_addr_t addr4;
-
- type = ntohs(attr->type);
-
- /*
- * Don't give an address to a peer that did not succeed Xauth
- */
- if (xauth_check(iph1) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Attempt to start phase config whereas Xauth failed\n");
- return NULL;
- }
-
- confsource = isakmp_cfg_config.confsource;
- /*
- * If we have to fall back to a local
- * configuration source, we will jump
- * back to this point.
- */
-retry_source:
-
- switch(type) {
- case INTERNAL_IP4_ADDRESS:
- switch(confsource) {
-#ifdef HAVE_LIBLDAP
- case ISAKMP_CFG_CONF_LDAP:
- if (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN)
- break;
- plog(LLV_INFO, LOCATION, NULL,
- "No IP from LDAP, using local pool\n");
- /* FALLTHROUGH */
- confsource = ISAKMP_CFG_CONF_LOCAL;
- goto retry_source;
-#endif
-#ifdef HAVE_LIBRADIUS
- case ISAKMP_CFG_CONF_RADIUS:
- if ((iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN)
- && (iph1->mode_cfg->addr4.s_addr != htonl(-2)))
- /*
- * -2 is 255.255.255.254, RADIUS uses that
- * to instruct the NAS to use a local pool
- */
- break;
- plog(LLV_INFO, LOCATION, NULL,
- "No IP from RADIUS, using local pool\n");
- /* FALLTHROUGH */
- confsource = ISAKMP_CFG_CONF_LOCAL;
- goto retry_source;
-#endif
- case ISAKMP_CFG_CONF_LOCAL:
- if (isakmp_cfg_getport(iph1) == -1) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Port pool depleted\n");
- break;
- }
-
- iph1->mode_cfg->addr4.s_addr =
- htonl(ntohl(isakmp_cfg_config.network4)
- + iph1->mode_cfg->port);
- iph1->mode_cfg->flags |= ISAKMP_CFG_ADDR4_LOCAL;
- break;
-
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "Unexpected confsource\n");
- }
-
- if (isakmp_cfg_accounting(iph1, ISAKMP_CFG_LOGIN) != 0)
- plog(LLV_ERROR, LOCATION, NULL, "Accounting failed\n");
-
- return isakmp_cfg_addr4(iph1,
- attr, &iph1->mode_cfg->addr4.s_addr);
- break;
-
- case INTERNAL_IP4_NETMASK:
- switch(confsource) {
-#ifdef HAVE_LIBLDAP
- case ISAKMP_CFG_CONF_LDAP:
- if (iph1->mode_cfg->flags & ISAKMP_CFG_MASK4_EXTERN)
- break;
- plog(LLV_INFO, LOCATION, NULL,
- "No mask from LDAP, using local pool\n");
- /* FALLTHROUGH */
- confsource = ISAKMP_CFG_CONF_LOCAL;
- goto retry_source;
-#endif
-#ifdef HAVE_LIBRADIUS
- case ISAKMP_CFG_CONF_RADIUS:
- if (iph1->mode_cfg->flags & ISAKMP_CFG_MASK4_EXTERN)
- break;
- plog(LLV_INFO, LOCATION, NULL,
- "No mask from RADIUS, using local pool\n");
- /* FALLTHROUGH */
- confsource = ISAKMP_CFG_CONF_LOCAL;
- goto retry_source;
-#endif
- case ISAKMP_CFG_CONF_LOCAL:
- iph1->mode_cfg->mask4.s_addr
- = isakmp_cfg_config.netmask4;
- iph1->mode_cfg->flags |= ISAKMP_CFG_MASK4_LOCAL;
- break;
-
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "Unexpected confsource\n");
- }
- return isakmp_cfg_addr4(iph1, attr,
- &iph1->mode_cfg->mask4.s_addr);
- break;
-
- case INTERNAL_IP4_DNS:
- return isakmp_cfg_addr4_list(iph1,
- attr, &isakmp_cfg_config.dns4[0],
- isakmp_cfg_config.dns4_index);
- break;
-
- case INTERNAL_IP4_NBNS:
- return isakmp_cfg_addr4_list(iph1,
- attr, &isakmp_cfg_config.nbns4[0],
- isakmp_cfg_config.nbns4_index);
- break;
-
- case INTERNAL_IP4_SUBNET:
- return isakmp_cfg_addr4(iph1,
- attr, &isakmp_cfg_config.network4);
- break;
-
- default:
- plog(LLV_ERROR, LOCATION, NULL, "Unexpected type %d\n", type);
- break;
- }
- return NULL;
-}
-
-#if 0
-static vchar_t *
-isakmp_cfg_void(iph1, attr)
- struct ph1handle *iph1;
- struct isakmp_data *attr;
-{
- vchar_t *buffer;
- struct isakmp_data *new;
-
- if ((buffer = vmalloc(sizeof(*attr))) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
- return NULL;
- }
-
- new = (struct isakmp_data *)buffer->v;
-
- new->type = attr->type;
- new->lorv = htons(0);
-
- return buffer;
-}
-#endif
-
-vchar_t *
-isakmp_cfg_copy(iph1, attr)
- struct ph1handle *iph1;
- struct isakmp_data *attr;
-{
- vchar_t *buffer;
- size_t len = 0;
-
- if ((ntohs(attr->type) & ISAKMP_GEN_MASK) == ISAKMP_GEN_TLV)
- len = ntohs(attr->lorv);
-
- if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
- return NULL;
- }
-
- memcpy(buffer->v, attr, sizeof(*attr) + ntohs(attr->lorv));
-
- return buffer;
-}
-
-vchar_t *
-isakmp_cfg_short(iph1, attr, value)
- struct ph1handle *iph1;
- struct isakmp_data *attr;
- int value;
-{
- vchar_t *buffer;
- struct isakmp_data *new;
- int type;
-
- if ((buffer = vmalloc(sizeof(*attr))) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
- return NULL;
- }
-
- new = (struct isakmp_data *)buffer->v;
- type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;
-
- new->type = htons(type | ISAKMP_GEN_TV);
- new->lorv = htons(value);
-
- return buffer;
-}
-
-vchar_t *
-isakmp_cfg_varlen(iph1, attr, string, len)
- struct ph1handle *iph1;
- struct isakmp_data *attr;
- char *string;
- size_t len;
-{
- vchar_t *buffer;
- struct isakmp_data *new;
- char *data;
-
- if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
- return NULL;
- }
-
- new = (struct isakmp_data *)buffer->v;
-
- new->type = attr->type;
- new->lorv = htons(len);
- data = (char *)(new + 1);
-
- memcpy(data, string, len);
-
- return buffer;
-}
-vchar_t *
-isakmp_cfg_string(iph1, attr, string)
- struct ph1handle *iph1;
- struct isakmp_data *attr;
- char *string;
-{
- size_t len = strlen(string);
- return isakmp_cfg_varlen(iph1, attr, string, len);
-}
-
-static vchar_t *
-isakmp_cfg_addr4(iph1, attr, addr)
- struct ph1handle *iph1;
- struct isakmp_data *attr;
- in_addr_t *addr;
-{
- vchar_t *buffer;
- struct isakmp_data *new;
- size_t len;
-
- len = sizeof(*addr);
- if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
- return NULL;
- }
-
- new = (struct isakmp_data *)buffer->v;
-
- new->type = attr->type;
- new->lorv = htons(len);
- memcpy(new + 1, addr, len);
-
- return buffer;
-}
-
-static vchar_t *
-isakmp_cfg_addr4_list(iph1, attr, addr, nbr)
- struct ph1handle *iph1;
- struct isakmp_data *attr;
- in_addr_t *addr;
- int nbr;
-{
- int error = -1;
- vchar_t *buffer = NULL;
- vchar_t *bufone = NULL;
- struct isakmp_data *new;
- size_t len;
- int i;
-
- len = sizeof(*addr);
- if ((buffer = vmalloc(0)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
- goto out;
- }
- for(i = 0; i < nbr; i++) {
- if ((bufone = vmalloc(sizeof(*attr) + len)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot allocate memory\n");
- goto out;
- }
- new = (struct isakmp_data *)bufone->v;
- new->type = attr->type;
- new->lorv = htons(len);
- memcpy(new + 1, &addr[i], len);
- new += (len + sizeof(*attr));
- buffer = buffer_cat(buffer, bufone);
- vfree(bufone);
- }
-
- error = 0;
-
-out:
- if ((error != 0) && (buffer != NULL)) {
- vfree(buffer);
- buffer = NULL;
- }
-
- return buffer;
-}
-
-struct isakmp_ivm *
-isakmp_cfg_newiv(iph1, msgid)
- struct ph1handle *iph1;
- u_int32_t msgid;
-{
- struct isakmp_cfg_state *ics = iph1->mode_cfg;
-
- if (ics == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "isakmp_cfg_newiv called without mode config state\n");
- return NULL;
- }
-
- if (ics->ivm != NULL)
- oakley_delivm(ics->ivm);
-
- ics->ivm = oakley_newiv2(iph1, msgid);
- ics->last_msgid = msgid;
-
- return ics->ivm;
-}
-
-/* Derived from isakmp_info_send_common */
-int
-isakmp_cfg_send(iph1, payload, np, flags, new_exchange)
- struct ph1handle *iph1;
- vchar_t *payload;
- u_int32_t np;
- int flags;
- int new_exchange;
-{
- struct ph2handle *iph2 = NULL;
- vchar_t *hash = NULL;
- struct isakmp *isakmp;
- struct isakmp_gen *gen;
- char *p;
- int tlen;
- int error = -1;
- struct isakmp_cfg_state *ics = iph1->mode_cfg;
-
- /* Check if phase 1 is established */
- if ((iph1->status != PHASE1ST_ESTABLISHED) ||
- (iph1->local == NULL) ||
- (iph1->remote == NULL)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "ISAKMP mode config exchange with immature phase 1\n");
- goto end;
- }
-
- /* add new entry to isakmp status table */
- iph2 = newph2();
- if (iph2 == NULL)
- goto end;
-
- iph2->dst = dupsaddr(iph1->remote);
- if (iph2->dst == NULL) {
- delph2(iph2);
- goto end;
- }
- iph2->src = dupsaddr(iph1->local);
- if (iph2->src == NULL) {
- delph2(iph2);
- goto end;
- }
-
-#if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
- if (set_port(iph2->dst, 0) == NULL ||
- set_port(iph2->src, 0) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid family: %d\n", iph1->remote->sa_family);
- delph2(iph2);
- goto end;
- }
-#endif
- iph2->ph1 = iph1;
- iph2->side = INITIATOR;
- iph2->status = PHASE2ST_START;
-
- if (new_exchange)
- iph2->msgid = isakmp_newmsgid2(iph1);
- else
- iph2->msgid = iph1->msgid;
-
- /* get IV and HASH(1) if skeyid_a was generated. */
- if (iph1->skeyid_a != NULL) {
- if (new_exchange) {
- if (isakmp_cfg_newiv(iph1, iph2->msgid) == NULL) {
- delph2(iph2);
- goto end;
- }
- }
-
- /* generate HASH(1) */
- hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, payload);
- if (hash == NULL) {
- delph2(iph2);
- goto end;
- }
-
- /* initialized total buffer length */
- tlen = hash->l;
- tlen += sizeof(*gen);
- } else {
- /* IKE-SA is not established */
- hash = NULL;
-
- /* initialized total buffer length */
- tlen = 0;
- }
- if ((flags & ISAKMP_FLAG_A) == 0)
- iph2->flags = (hash == NULL ? 0 : ISAKMP_FLAG_E);
- else
- iph2->flags = (hash == NULL ? 0 : ISAKMP_FLAG_A);
-
- insph2(iph2);
- bindph12(iph1, iph2);
-
- tlen += sizeof(*isakmp) + payload->l;
-
- /* create buffer for isakmp payload */
- iph2->sendbuf = vmalloc(tlen);
- if (iph2->sendbuf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get buffer to send.\n");
- goto err;
- }
-
- /* create isakmp header */
- isakmp = (struct isakmp *)iph2->sendbuf->v;
- memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(cookie_t));
- memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(cookie_t));
- isakmp->np = hash == NULL ? (np & 0xff) : ISAKMP_NPTYPE_HASH;
- isakmp->v = iph1->version;
- isakmp->etype = ISAKMP_ETYPE_CFG;
- isakmp->flags = iph2->flags;
- memcpy(&isakmp->msgid, &iph2->msgid, sizeof(isakmp->msgid));
- isakmp->len = htonl(tlen);
- p = (char *)(isakmp + 1);
-
- /* create HASH payload */
- if (hash != NULL) {
- gen = (struct isakmp_gen *)p;
- gen->np = np & 0xff;
- gen->len = htons(sizeof(*gen) + hash->l);
- p += sizeof(*gen);
- memcpy(p, hash->v, hash->l);
- p += hash->l;
- }
-
- /* add payload */
- memcpy(p, payload->v, payload->l);
- p += payload->l;
-
-#ifdef HAVE_PRINT_ISAKMP_C
- isakmp_printpacket(iph2->sendbuf, iph1->local, iph1->remote, 1);
-#endif
-
- plog(LLV_DEBUG, LOCATION, NULL, "MODE_CFG packet to send\n");
- plogdump(LLV_DEBUG, iph2->sendbuf->v, iph2->sendbuf->l);
-
- /* encoding */
- if (ISSET(isakmp->flags, ISAKMP_FLAG_E)) {
- vchar_t *tmp;
-
- tmp = oakley_do_encrypt(iph2->ph1, iph2->sendbuf,
- ics->ivm->ive, ics->ivm->iv);
- VPTRINIT(iph2->sendbuf);
- if (tmp == NULL)
- goto err;
- iph2->sendbuf = tmp;
- }
-
- /* HDR*, HASH(1), ATTR */
- if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) {
- VPTRINIT(iph2->sendbuf);
- goto err;
- }
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "sendto mode config %s.\n", s_isakmp_nptype(np));
-
- /*
- * XXX We might need to resend the message...
- */
-
- error = 0;
- VPTRINIT(iph2->sendbuf);
-
-err:
- if (iph2->sendbuf != NULL)
- vfree(iph2->sendbuf);
-
- unbindph12(iph2);
- remph2(iph2);
- delph2(iph2);
-end:
- if (hash)
- vfree(hash);
- return error;
-}
-
-
-void
-isakmp_cfg_rmstate(iph1)
- struct ph1handle *iph1;
-{
- struct isakmp_cfg_state *state = iph1->mode_cfg;
-
- if (isakmp_cfg_accounting(iph1, ISAKMP_CFG_LOGOUT) != 0)
- plog(LLV_ERROR, LOCATION, NULL, "Accounting failed\n");
-
- if (state->flags & ISAKMP_CFG_PORT_ALLOCATED)
- isakmp_cfg_putport(iph1, state->port);
-
- /* Delete the IV if it's still there */
- if(iph1->mode_cfg->ivm) {
- oakley_delivm(iph1->mode_cfg->ivm);
- iph1->mode_cfg->ivm = NULL;
- }
-
- /* Free any allocated splitnet lists */
- if(iph1->mode_cfg->split_include != NULL)
- splitnet_list_free(iph1->mode_cfg->split_include,
- &iph1->mode_cfg->include_count);
- if(iph1->mode_cfg->split_local != NULL)
- splitnet_list_free(iph1->mode_cfg->split_local,
- &iph1->mode_cfg->local_count);
-
- xauth_rmstate(&state->xauth);
-
- racoon_free(state);
- iph1->mode_cfg = NULL;
-
- return;
-}
-
-struct isakmp_cfg_state *
-isakmp_cfg_mkstate(void)
-{
- struct isakmp_cfg_state *state;
-
- if ((state = racoon_malloc(sizeof(*state))) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot allocate memory for mode config state\n");
- return NULL;
- }
- memset(state, 0, sizeof(*state));
-
- return state;
-}
-
-int
-isakmp_cfg_getport(iph1)
- struct ph1handle *iph1;
-{
- unsigned int i;
- size_t size = isakmp_cfg_config.pool_size;
-
- if (iph1->mode_cfg->flags & ISAKMP_CFG_PORT_ALLOCATED)
- return iph1->mode_cfg->port;
-
- if (isakmp_cfg_config.port_pool == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "isakmp_cfg_config.port_pool == NULL\n");
- return -1;
- }
-
- for (i = 0; i < size; i++) {
- if (isakmp_cfg_config.port_pool[i].used == 0)
- break;
- }
-
- if (i == size) {
- plog(LLV_ERROR, LOCATION, NULL,
- "No more addresses available\n");
- return -1;
- }
-
- isakmp_cfg_config.port_pool[i].used = 1;
-
- plog(LLV_INFO, LOCATION, NULL, "Using port %d\n", i);
-
- iph1->mode_cfg->flags |= ISAKMP_CFG_PORT_ALLOCATED;
- iph1->mode_cfg->port = i;
-
- return i;
-}
-
-int
-isakmp_cfg_putport(iph1, index)
- struct ph1handle *iph1;
- unsigned int index;
-{
- if (isakmp_cfg_config.port_pool == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "isakmp_cfg_config.port_pool == NULL\n");
- return -1;
- }
-
- if (isakmp_cfg_config.port_pool[index].used == 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Attempt to release an unallocated address (port %d)\n",
- index);
- return -1;
- }
-
-#ifdef HAVE_LIBPAM
- /* Cleanup PAM status associated with the port */
- if (isakmp_cfg_config.authsource == ISAKMP_CFG_AUTH_PAM)
- privsep_cleanup_pam(index);
-#endif
- isakmp_cfg_config.port_pool[index].used = 0;
- iph1->mode_cfg->flags &= ISAKMP_CFG_PORT_ALLOCATED;
-
- plog(LLV_INFO, LOCATION, NULL, "Released port %d\n", index);
-
- return 0;
-}
-
-#ifdef HAVE_LIBPAM
-void
-cleanup_pam(port)
- int port;
-{
- if (isakmp_cfg_config.port_pool[port].pam != NULL) {
- pam_end(isakmp_cfg_config.port_pool[port].pam, PAM_SUCCESS);
- isakmp_cfg_config.port_pool[port].pam = NULL;
- }
-
- return;
-}
-#endif
-
-/* Accounting, only for RADIUS or PAM */
-static int
-isakmp_cfg_accounting(iph1, inout)
- struct ph1handle *iph1;
- int inout;
-{
-#ifdef HAVE_LIBPAM
- if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_PAM)
- return privsep_accounting_pam(iph1->mode_cfg->port,
- inout);
-#endif
-#ifdef HAVE_LIBRADIUS
- if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_RADIUS)
- return isakmp_cfg_accounting_radius(iph1, inout);
-#endif
- if (isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_SYSTEM)
- return privsep_accounting_system(iph1->mode_cfg->port,
- iph1->remote, iph1->mode_cfg->login, inout);
- return 0;
-}
-
-#ifdef HAVE_LIBPAM
-int
-isakmp_cfg_accounting_pam(port, inout)
- int port;
- int inout;
-{
- int error = 0;
- pam_handle_t *pam;
-
- if (isakmp_cfg_config.port_pool == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "isakmp_cfg_config.port_pool == NULL\n");
- return -1;
- }
-
- pam = isakmp_cfg_config.port_pool[port].pam;
- if (pam == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "pam handle is NULL\n");
- return -1;
- }
-
- switch (inout) {
- case ISAKMP_CFG_LOGIN:
- error = pam_open_session(pam, 0);
- break;
- case ISAKMP_CFG_LOGOUT:
- error = pam_close_session(pam, 0);
- pam_end(pam, error);
- isakmp_cfg_config.port_pool[port].pam = NULL;
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n");
- break;
- }
-
- if (error != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "pam_open_session/pam_close_session failed: %s\n",
- pam_strerror(pam, error));
- return -1;
- }
-
- return 0;
-}
-#endif /* HAVE_LIBPAM */
-
-#ifdef HAVE_LIBRADIUS
-static int
-isakmp_cfg_accounting_radius(iph1, inout)
- struct ph1handle *iph1;
- int inout;
-{
- /* For first time use, initialize Radius */
- if (radius_acct_state == NULL) {
- if ((radius_acct_state = rad_acct_open()) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot init librradius\n");
- return -1;
- }
-
- if (rad_config(radius_acct_state, NULL) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot open librarius config file: %s\n",
- rad_strerror(radius_acct_state));
- rad_close(radius_acct_state);
- radius_acct_state = NULL;
- return -1;
- }
- }
-
- if (rad_create_request(radius_acct_state,
- RAD_ACCOUNTING_REQUEST) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "rad_create_request failed: %s\n",
- rad_strerror(radius_acct_state));
- return -1;
- }
-
- if (rad_put_string(radius_acct_state, RAD_USER_NAME,
- iph1->mode_cfg->login) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "rad_put_string failed: %s\n",
- rad_strerror(radius_acct_state));
- return -1;
- }
-
- switch (inout) {
- case ISAKMP_CFG_LOGIN:
- inout = RAD_START;
- break;
- case ISAKMP_CFG_LOGOUT:
- inout = RAD_STOP;
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n");
- break;
- }
-
- if (rad_put_addr(radius_acct_state,
- RAD_FRAMED_IP_ADDRESS, iph1->mode_cfg->addr4) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "rad_put_addr failed: %s\n",
- rad_strerror(radius_acct_state));
- return -1;
- }
-
- if (rad_put_addr(radius_acct_state,
- RAD_LOGIN_IP_HOST, iph1->mode_cfg->addr4) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "rad_put_addr failed: %s\n",
- rad_strerror(radius_acct_state));
- return -1;
- }
-
- if (rad_put_int(radius_acct_state, RAD_ACCT_STATUS_TYPE, inout) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "rad_put_int failed: %s\n",
- rad_strerror(radius_acct_state));
- return -1;
- }
-
- if (isakmp_cfg_radius_common(radius_acct_state,
- iph1->mode_cfg->port) != 0)
- return -1;
-
- if (rad_send_request(radius_acct_state) != RAD_ACCOUNTING_RESPONSE) {
- plog(LLV_ERROR, LOCATION, NULL,
- "rad_send_request failed: %s\n",
- rad_strerror(radius_acct_state));
- return -1;
- }
-
- return 0;
-}
-#endif /* HAVE_LIBRADIUS */
-
-/*
- * Attributes common to all RADIUS requests
- */
-#ifdef HAVE_LIBRADIUS
-int
-isakmp_cfg_radius_common(radius_state, port)
- struct rad_handle *radius_state;
- int port;
-{
- struct utsname name;
- static struct hostent *host = NULL;
- struct in_addr nas_addr;
-
- /*
- * Find our own IP by resolving our nodename
- */
- if (host == NULL) {
- if (uname(&name) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "uname failed: %s\n", strerror(errno));
- return -1;
- }
-
- if ((host = gethostbyname(name.nodename)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "gethostbyname failed: %s\n", strerror(errno));
- return -1;
- }
- }
-
- memcpy(&nas_addr, host->h_addr, sizeof(nas_addr));
- if (rad_put_addr(radius_state, RAD_NAS_IP_ADDRESS, nas_addr) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "rad_put_addr failed: %s\n",
- rad_strerror(radius_state));
- return -1;
- }
-
- if (rad_put_int(radius_state, RAD_NAS_PORT, port) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "rad_put_int failed: %s\n",
- rad_strerror(radius_state));
- return -1;
- }
-
- if (rad_put_int(radius_state, RAD_NAS_PORT_TYPE, RAD_VIRTUAL) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "rad_put_int failed: %s\n",
- rad_strerror(radius_state));
- return -1;
- }
-
- if (rad_put_int(radius_state, RAD_SERVICE_TYPE, RAD_FRAMED) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "rad_put_int failed: %s\n",
- rad_strerror(radius_state));
- return -1;
- }
-
- return 0;
-}
-#endif
-
-#ifndef ANDROID_PATCHED
-
-/*
- Logs the user into the utmp system files.
-*/
-
-int
-isakmp_cfg_accounting_system(port, raddr, usr, inout)
- int port;
- struct sockaddr *raddr;
- char *usr;
- int inout;
-{
- int error = 0;
- struct utmp ut;
- char term[UT_LINESIZE];
- char addr[NI_MAXHOST];
-
- if (usr == NULL || usr[0]=='\0') {
- plog(LLV_ERROR, LOCATION, NULL,
- "system accounting : no login found\n");
- return -1;
- }
-
- sprintf(term, TERMSPEC, port);
-
- switch (inout) {
- case ISAKMP_CFG_LOGIN:
- strncpy(ut.ut_name, usr, UT_NAMESIZE);
- ut.ut_name[UT_NAMESIZE - 1] = '\0';
-
- strncpy(ut.ut_line, term, UT_LINESIZE);
- ut.ut_line[UT_LINESIZE - 1] = '\0';
-
- GETNAMEINFO_NULL(raddr, addr);
- strncpy(ut.ut_host, addr, UT_HOSTSIZE);
- ut.ut_host[UT_HOSTSIZE - 1] = '\0';
-
- ut.ut_time = time(NULL);
-
- plog(LLV_INFO, LOCATION, NULL,
- "Accounting : '%s' logging on '%s' from %s.\n",
- ut.ut_name, ut.ut_line, ut.ut_host);
-
- login(&ut);
-
- break;
- case ISAKMP_CFG_LOGOUT:
-
- plog(LLV_INFO, LOCATION, NULL,
- "Accounting : '%s' unlogging from '%s'.\n",
- usr, term);
-
- logout(term);
-
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL, "Unepected inout\n");
- break;
- }
-
- return 0;
-}
-
-#endif
-
-int
-isakmp_cfg_getconfig(iph1)
- struct ph1handle *iph1;
-{
- vchar_t *buffer;
- struct isakmp_pl_attr *attrpl;
- struct isakmp_data *attr;
- size_t len;
- int error;
- int attrcount;
- int i;
- int attrlist[] = {
- INTERNAL_IP4_ADDRESS,
- INTERNAL_IP4_NETMASK,
- INTERNAL_IP4_DNS,
- INTERNAL_IP4_NBNS,
- UNITY_BANNER,
- UNITY_DEF_DOMAIN,
- UNITY_SPLITDNS_NAME,
- UNITY_SPLIT_INCLUDE,
- UNITY_LOCAL_LAN,
- APPLICATION_VERSION,
- };
-
- attrcount = sizeof(attrlist) / sizeof(*attrlist);
- len = sizeof(*attrpl) + sizeof(*attr) * attrcount;
-
- if ((buffer = vmalloc(len)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
- return -1;
- }
-
- attrpl = (struct isakmp_pl_attr *)buffer->v;
- attrpl->h.len = htons(len);
- attrpl->type = ISAKMP_CFG_REQUEST;
- attrpl->id = htons((u_int16_t)(eay_random() & 0xffff));
-
- attr = (struct isakmp_data *)(attrpl + 1);
-
- for (i = 0; i < attrcount; i++) {
- attr->type = htons(attrlist[i]);
- attr->lorv = htons(0);
- attr++;
- }
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "Sending MODE_CFG REQUEST\n");
-
- error = isakmp_cfg_send(iph1, buffer,
- ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1);
-
- vfree(buffer);
-
- return error;
-}
-
-static void
-isakmp_cfg_getaddr4(attr, ip)
- struct isakmp_data *attr;
- struct in_addr *ip;
-{
- size_t alen = ntohs(attr->lorv);
- in_addr_t *addr;
-
- if (alen != sizeof(*ip)) {
- plog(LLV_ERROR, LOCATION, NULL, "Bad IPv4 address len\n");
- return;
- }
-
- addr = (in_addr_t *)(attr + 1);
- ip->s_addr = *addr;
-
- return;
-}
-
-static void
-isakmp_cfg_appendaddr4(attr, ip, num, max)
- struct isakmp_data *attr;
- struct in_addr *ip;
- int *num;
- int max;
-{
- size_t alen = ntohs(attr->lorv);
- in_addr_t *addr;
-
- if (alen != sizeof(*ip)) {
- plog(LLV_ERROR, LOCATION, NULL, "Bad IPv4 address len\n");
- return;
- }
- if (*num == max) {
- plog(LLV_ERROR, LOCATION, NULL, "Too many addresses given\n");
- return;
- }
-
- addr = (in_addr_t *)(attr + 1);
- ip->s_addr = *addr;
- (*num)++;
-
- return;
-}
-
-static void
-isakmp_cfg_getstring(attr, str)
- struct isakmp_data *attr;
- char *str;
-{
- size_t alen = ntohs(attr->lorv);
- char *src;
- src = (char *)(attr + 1);
-
- memcpy(str, src, (alen > MAXPATHLEN ? MAXPATHLEN : alen));
-
- return;
-}
-
-#define IP_MAX 40
-
-void
-isakmp_cfg_iplist_to_str(dest, count, addr, withmask)
- char *dest;
- int count;
- void *addr;
- int withmask;
-{
- int i;
- int p;
- int l;
- struct unity_network tmp;
- for(i = 0, p = 0; i < count; i++) {
- if(withmask == 1)
- l = sizeof(struct unity_network);
- else
- l = sizeof(struct in_addr);
- memcpy(&tmp, addr, l);
-#if defined(ANDROID_CHANGES)
- addr = ((uint8_t*) addr) + l;
-#else
- addr += l;
-#endif
- if((uint32_t)tmp.addr4.s_addr == 0)
- break;
-
- inet_ntop(AF_INET, &tmp.addr4, dest + p, IP_MAX);
- p += strlen(dest + p);
- if(withmask == 1) {
- dest[p] = '/';
- p++;
- inet_ntop(AF_INET, &tmp.mask4, dest + p, IP_MAX);
- p += strlen(dest + p);
- }
- dest[p] = ' ';
- p++;
- }
- if(p > 0)
- dest[p-1] = '\0';
- else
- dest[0] = '\0';
-}
-
-int
-isakmp_cfg_setenv(iph1, envp, envc)
- struct ph1handle *iph1;
- char ***envp;
- int *envc;
-{
- char addrstr[IP_MAX];
- char addrlist[IP_MAX * MAXNS + MAXNS];
- char *splitlist = addrlist;
- char *splitlist_cidr;
- char defdom[MAXPATHLEN + 1];
- int cidr, tmp;
- char cidrstr[4];
- int i, p;
- int test;
-
- plog(LLV_DEBUG, LOCATION, NULL, "Starting a script.\n");
-
- /*
- * Internal IPv4 address, either if
- * we are a client or a server.
- */
- if ((iph1->mode_cfg->flags & ISAKMP_CFG_GOT_ADDR4) ||
-#ifdef HAVE_LIBLDAP
- (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) ||
-#endif
-#ifdef HAVE_LIBRADIUS
- (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_EXTERN) ||
-#endif
- (iph1->mode_cfg->flags & ISAKMP_CFG_ADDR4_LOCAL)) {
- inet_ntop(AF_INET, &iph1->mode_cfg->addr4,
- addrstr, IP_MAX);
- } else
- addrstr[0] = '\0';
-
- if (script_env_append(envp, envc, "INTERNAL_ADDR4", addrstr) != 0) {
- plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_ADDR4\n");
- return -1;
- }
-
- if (iph1->mode_cfg->xauth.authdata.generic.usr != NULL) {
- if (script_env_append(envp, envc, "XAUTH_USER",
- iph1->mode_cfg->xauth.authdata.generic.usr) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot set XAUTH_USER\n");
- return -1;
- }
- }
-
- /* Internal IPv4 mask */
- if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_MASK4)
- inet_ntop(AF_INET, &iph1->mode_cfg->mask4,
- addrstr, IP_MAX);
- else
- addrstr[0] = '\0';
-
- /*
- * During several releases, documentation adverised INTERNAL_NETMASK4
- * while code was using INTERNAL_MASK4. We now do both.
- */
-
- if (script_env_append(envp, envc, "INTERNAL_MASK4", addrstr) != 0) {
- plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_MASK4\n");
- return -1;
- }
-
- if (script_env_append(envp, envc, "INTERNAL_NETMASK4", addrstr) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot set INTERNAL_NETMASK4\n");
- return -1;
- }
-
- tmp = ntohl(iph1->mode_cfg->mask4.s_addr);
- for (cidr = 0; tmp != 0; cidr++)
- tmp <<= 1;
- snprintf(cidrstr, 3, "%d", cidr);
-
- if (script_env_append(envp, envc, "INTERNAL_CIDR4", cidrstr) != 0) {
- plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_CIDR4\n");
- return -1;
- }
-
- /* Internal IPv4 DNS */
- if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_DNS4) {
- /* First Internal IPv4 DNS (for compatibilty with older code */
- inet_ntop(AF_INET, &iph1->mode_cfg->dns4[0],
- addrstr, IP_MAX);
-
- /* Internal IPv4 DNS - all */
- isakmp_cfg_iplist_to_str(addrlist, iph1->mode_cfg->dns4_index,
- (void *)iph1->mode_cfg->dns4, 0);
- } else {
- addrstr[0] = '\0';
- addrlist[0] = '\0';
- }
-
- if (script_env_append(envp, envc, "INTERNAL_DNS4", addrstr) != 0) {
- plog(LLV_ERROR, LOCATION, NULL, "Cannot set INTERNAL_DNS4\n");
- return -1;
- }
- if (script_env_append(envp, envc, "INTERNAL_DNS4_LIST", addrlist) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot set INTERNAL_DNS4_LIST\n");
- return -1;
- }
-
- /* Internal IPv4 WINS */
- if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_WINS4) {
- /*
- * First Internal IPv4 WINS
- * (for compatibilty with older code
- */
- inet_ntop(AF_INET, &iph1->mode_cfg->wins4[0],
- addrstr, IP_MAX);
-
- /* Internal IPv4 WINS - all */
- isakmp_cfg_iplist_to_str(addrlist, iph1->mode_cfg->wins4_index,
- (void *)iph1->mode_cfg->wins4, 0);
- } else {
- addrstr[0] = '\0';
- addrlist[0] = '\0';
- }
-
- if (script_env_append(envp, envc, "INTERNAL_WINS4", addrstr) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot set INTERNAL_WINS4\n");
- return -1;
- }
- if (script_env_append(envp, envc,
- "INTERNAL_WINS4_LIST", addrlist) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot set INTERNAL_WINS4_LIST\n");
- return -1;
- }
-
- /* Deault domain */
- if(iph1->mode_cfg->flags & ISAKMP_CFG_GOT_DEFAULT_DOMAIN)
- strncpy(defdom,
- iph1->mode_cfg->default_domain,
- MAXPATHLEN + 1);
- else
- defdom[0] = '\0';
-
- if (script_env_append(envp, envc, "DEFAULT_DOMAIN", defdom) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot set DEFAULT_DOMAIN\n");
- return -1;
- }
-
- /* Split networks */
- if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_SPLIT_INCLUDE) {
- splitlist =
- splitnet_list_2str(iph1->mode_cfg->split_include, NETMASK);
- splitlist_cidr =
- splitnet_list_2str(iph1->mode_cfg->split_include, CIDR);
- } else {
- splitlist = addrlist;
- splitlist_cidr = addrlist;
- addrlist[0] = '\0';
- }
-
- if (script_env_append(envp, envc, "SPLIT_INCLUDE", splitlist) != 0) {
- plog(LLV_ERROR, LOCATION, NULL, "Cannot set SPLIT_INCLUDE\n");
- return -1;
- }
- if (script_env_append(envp, envc,
- "SPLIT_INCLUDE_CIDR", splitlist_cidr) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot set SPLIT_INCLUDE_CIDR\n");
- return -1;
- }
- if (splitlist != addrlist)
- racoon_free(splitlist);
- if (splitlist_cidr != addrlist)
- racoon_free(splitlist_cidr);
-
- if (iph1->mode_cfg->flags & ISAKMP_CFG_GOT_SPLIT_LOCAL) {
- splitlist =
- splitnet_list_2str(iph1->mode_cfg->split_local, NETMASK);
- splitlist_cidr =
- splitnet_list_2str(iph1->mode_cfg->split_local, CIDR);
- } else {
- splitlist = addrlist;
- splitlist_cidr = addrlist;
- addrlist[0] = '\0';
- }
-
- if (script_env_append(envp, envc, "SPLIT_LOCAL", splitlist) != 0) {
- plog(LLV_ERROR, LOCATION, NULL, "Cannot set SPLIT_LOCAL\n");
- return -1;
- }
- if (script_env_append(envp, envc,
- "SPLIT_LOCAL_CIDR", splitlist_cidr) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot set SPLIT_LOCAL_CIDR\n");
- return -1;
- }
- if (splitlist != addrlist)
- racoon_free(splitlist);
- if (splitlist_cidr != addrlist)
- racoon_free(splitlist_cidr);
-
- return 0;
-}
-
-int
-isakmp_cfg_resize_pool(size)
- int size;
-{
- struct isakmp_cfg_port *new_pool;
- size_t len;
- int i;
-
- if (size == isakmp_cfg_config.pool_size)
- return 0;
-
- plog(LLV_INFO, LOCATION, NULL,
- "Resize address pool from %zu to %d\n",
- isakmp_cfg_config.pool_size, size);
-
- /* If a pool already exists, check if we can shrink it */
- if ((isakmp_cfg_config.port_pool != NULL) &&
- (size < isakmp_cfg_config.pool_size)) {
- for (i = isakmp_cfg_config.pool_size-1; i >= size; --i) {
- if (isakmp_cfg_config.port_pool[i].used) {
- plog(LLV_ERROR, LOCATION, NULL,
- "resize pool from %zu to %d impossible "
- "port %d is in use\n",
- isakmp_cfg_config.pool_size, size, i);
- size = i;
- break;
- }
- }
- }
-
- len = size * sizeof(*isakmp_cfg_config.port_pool);
- new_pool = racoon_realloc(isakmp_cfg_config.port_pool, len);
- if (new_pool == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "resize pool from %zu to %d impossible: %s",
- isakmp_cfg_config.pool_size, size, strerror(errno));
- return -1;
- }
-
- /* If size increase, intialize correctly the new records */
- if (size > isakmp_cfg_config.pool_size) {
- size_t unit;
- size_t old_size;
-
- unit = sizeof(*isakmp_cfg_config.port_pool);
- old_size = isakmp_cfg_config.pool_size;
-
- bzero((char *)new_pool + (old_size * unit),
- (size - old_size) * unit);
- }
-
- isakmp_cfg_config.port_pool = new_pool;
- isakmp_cfg_config.pool_size = size;
-
- return 0;
-}
-
-int
-isakmp_cfg_init(cold)
- int cold;
-{
- int i;
- int error;
-
- isakmp_cfg_config.network4 = (in_addr_t)0x00000000;
- isakmp_cfg_config.netmask4 = (in_addr_t)0x00000000;
- for (i = 0; i < MAXNS; i++)
- isakmp_cfg_config.dns4[i] = (in_addr_t)0x00000000;
- isakmp_cfg_config.dns4_index = 0;
- for (i = 0; i < MAXWINS; i++)
- isakmp_cfg_config.nbns4[i] = (in_addr_t)0x00000000;
- isakmp_cfg_config.nbns4_index = 0;
- if (cold == ISAKMP_CFG_INIT_COLD)
- isakmp_cfg_config.port_pool = NULL;
- isakmp_cfg_config.authsource = ISAKMP_CFG_AUTH_SYSTEM;
- isakmp_cfg_config.groupsource = ISAKMP_CFG_GROUP_SYSTEM;
- if (cold == ISAKMP_CFG_INIT_COLD) {
- if (isakmp_cfg_config.grouplist != NULL) {
- for (i = 0; i < isakmp_cfg_config.groupcount; i++)
- racoon_free(isakmp_cfg_config.grouplist[i]);
- racoon_free(isakmp_cfg_config.grouplist);
- }
- }
- isakmp_cfg_config.grouplist = NULL;
- isakmp_cfg_config.groupcount = 0;
- isakmp_cfg_config.confsource = ISAKMP_CFG_CONF_LOCAL;
- isakmp_cfg_config.accounting = ISAKMP_CFG_ACCT_NONE;
- if (cold == ISAKMP_CFG_INIT_COLD)
- isakmp_cfg_config.pool_size = 0;
- isakmp_cfg_config.auth_throttle = THROTTLE_PENALTY;
- strlcpy(isakmp_cfg_config.default_domain, ISAKMP_CFG_DEFAULT_DOMAIN,
- MAXPATHLEN);
- strlcpy(isakmp_cfg_config.motd, ISAKMP_CFG_MOTD, MAXPATHLEN);
-
- if (cold != ISAKMP_CFG_INIT_COLD )
- if (isakmp_cfg_config.splitnet_list != NULL)
- splitnet_list_free(isakmp_cfg_config.splitnet_list,
- &isakmp_cfg_config.splitnet_count);
- isakmp_cfg_config.splitnet_list = NULL;
- isakmp_cfg_config.splitnet_count = 0;
- isakmp_cfg_config.splitnet_type = 0;
-
- isakmp_cfg_config.pfs_group = 0;
- isakmp_cfg_config.save_passwd = 0;
-
- if (cold != ISAKMP_CFG_INIT_COLD )
- if (isakmp_cfg_config.splitdns_list != NULL)
- racoon_free(isakmp_cfg_config.splitdns_list);
- isakmp_cfg_config.splitdns_list = NULL;
- isakmp_cfg_config.splitdns_len = 0;
-
-#if 0
- if (cold == ISAKMP_CFG_INIT_COLD) {
- if ((error = isakmp_cfg_resize_pool(ISAKMP_CFG_MAX_CNX)) != 0)
- return error;
- }
-#endif
-
- return 0;
-}
-
diff --git a/src/racoon/isakmp_cfg.h b/src/racoon/isakmp_cfg.h
deleted file mode 100644
index 253a17f..0000000
--- a/src/racoon/isakmp_cfg.h
+++ /dev/null
@@ -1,229 +0,0 @@
-/* $NetBSD: isakmp_cfg.h,v 1.6 2006/09/09 16:22:09 manu Exp $ */
-
-/* $KAME$ */
-
-/*
- * Copyright (C) 2004 Emmanuel Dreyfus
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifdef HAVE_LIBPAM
-#include <security/pam_appl.h>
-#endif
-
-#ifdef ANDROID_PATCHED
-#include <arpa/inet.h>
-#ifndef MAXNS
-#define MAXNS 2
-#endif
-#endif
-
-/*
- * XXX don't forget to update
- * src/racoon/handler.c:exclude_cfg_addr()
- * if you add IPv6 capability
- */
-
-/* Attribute types */
-#define INTERNAL_IP4_ADDRESS 1
-#define INTERNAL_IP4_NETMASK 2
-#define INTERNAL_IP4_DNS 3
-#define INTERNAL_IP4_NBNS 4
-#define INTERNAL_ADDRESS_EXPIRY 5
-#define INTERNAL_IP4_DHCP 6
-#define APPLICATION_VERSION 7
-#define INTERNAL_IP6_ADDRESS 8
-#define INTERNAL_IP6_NETMASK 9
-#define INTERNAL_IP6_DNS 10
-#define INTERNAL_IP6_NBNS 11
-#define INTERNAL_IP6_DHCP 12
-#define INTERNAL_IP4_SUBNET 13
-#define SUPPORTED_ATTRIBUTES 14
-#define INTERNAL_IP6_SUBNET 15
-
-/* For APPLICATION_VERSION */
-#define ISAKMP_CFG_RACOON_VERSION "racoon / IPsec-tools"
-
-/* For the wins servers -- XXX find the value somewhere ? */
-#define MAXWINS 4
-
-/*
- * Global configuration for ISAKMP mode confiration address allocation
- * Read from the mode_cfg section of racoon.conf
- */
-struct isakmp_cfg_port {
- char used;
-#ifdef HAVE_LIBPAM
- pam_handle_t *pam;
-#endif
-};
-
-struct isakmp_cfg_config {
- in_addr_t network4;
- in_addr_t netmask4;
- in_addr_t dns4[MAXNS];
- int dns4_index;
- in_addr_t nbns4[MAXWINS];
- int nbns4_index;
- struct isakmp_cfg_port *port_pool;
- int authsource;
- int groupsource;
- char **grouplist;
- int groupcount;
- int confsource;
- int accounting;
- size_t pool_size;
- int auth_throttle;
- /* XXX move this to a unity specific sub-structure */
- char default_domain[MAXPATHLEN + 1];
- char motd[MAXPATHLEN + 1];
- struct unity_netentry *splitnet_list;
- int splitnet_count;
- int splitnet_type;
- char *splitdns_list;
- int splitdns_len;
- int pfs_group;
- int save_passwd;
-};
-
-/* For utmp updating */
-#define TERMSPEC "vpn%d"
-
-/* For authsource */
-#define ISAKMP_CFG_AUTH_SYSTEM 0
-#define ISAKMP_CFG_AUTH_RADIUS 1
-#define ISAKMP_CFG_AUTH_PAM 2
-#define ISAKMP_CFG_AUTH_LDAP 4
-
-/* For groupsource */
-#define ISAKMP_CFG_GROUP_SYSTEM 0
-#define ISAKMP_CFG_GROUP_LDAP 1
-
-/* For confsource */
-#define ISAKMP_CFG_CONF_LOCAL 0
-#define ISAKMP_CFG_CONF_RADIUS 1
-#define ISAKMP_CFG_CONF_LDAP 2
-
-/* For accounting */
-#define ISAKMP_CFG_ACCT_NONE 0
-#define ISAKMP_CFG_ACCT_RADIUS 1
-#define ISAKMP_CFG_ACCT_PAM 2
-#define ISAKMP_CFG_ACCT_LDAP 3
-#define ISAKMP_CFG_ACCT_SYSTEM 4
-
-/* For pool_size */
-#define ISAKMP_CFG_MAX_CNX 255
-
-/* For motd */
-#define ISAKMP_CFG_MOTD "/etc/motd"
-
-/* For default domain */
-#define ISAKMP_CFG_DEFAULT_DOMAIN ""
-
-extern struct isakmp_cfg_config isakmp_cfg_config;
-
-/*
- * ISAKMP mode config state
- */
-#define LOGINLEN 31
-struct isakmp_cfg_state {
- int flags; /* See below */
- unsigned int port; /* address index */
- char login[LOGINLEN + 1]; /* login */
- struct in_addr addr4; /* IPv4 address */
- struct in_addr mask4; /* IPv4 netmask */
- struct in_addr dns4[MAXNS]; /* IPv4 DNS (when client only) */
- int dns4_index; /* Number of IPv4 DNS (client only) */
- struct in_addr wins4[MAXWINS]; /* IPv4 WINS (when client only) */
- int wins4_index; /* Number of IPv4 WINS (client only) */
- char default_domain[MAXPATHLEN + 1]; /* Default domain recieved */
- struct unity_netentry
- *split_include; /* UNITY_SPLIT_INCLUDE */
- int include_count; /* Number of SPLIT_INCLUDES */
- struct unity_netentry
- *split_local; /* UNITY_LOCAL_LAN */
- int local_count; /* Number of SPLIT_LOCAL */
- struct xauth_state xauth; /* Xauth state, if revelant */
- struct isakmp_ivm *ivm; /* XXX Use iph1's ivm? */
- u_int32_t last_msgid; /* Last message-ID */
-};
-
-/* flags */
-#define ISAKMP_CFG_VENDORID_XAUTH 0x01 /* Supports Xauth */
-#define ISAKMP_CFG_VENDORID_UNITY 0x02 /* Cisco Unity compliant */
-#define ISAKMP_CFG_PORT_ALLOCATED 0x04 /* Port allocated */
-#define ISAKMP_CFG_ADDR4_EXTERN 0x08 /* Address from external config */
-#define ISAKMP_CFG_MASK4_EXTERN 0x10 /* Netmask from external config */
-#define ISAKMP_CFG_ADDR4_LOCAL 0x20 /* Address from local pool */
-#define ISAKMP_CFG_MASK4_LOCAL 0x40 /* Netmask from local pool */
-#define ISAKMP_CFG_GOT_ADDR4 0x80 /* Client got address */
-#define ISAKMP_CFG_GOT_MASK4 0x100 /* Client got mask */
-#define ISAKMP_CFG_GOT_DNS4 0x200 /* Client got DNS */
-#define ISAKMP_CFG_GOT_WINS4 0x400 /* Client got WINS */
-#define ISAKMP_CFG_DELETE_PH1 0x800 /* phase 1 should be deleted */
-#define ISAKMP_CFG_GOT_DEFAULT_DOMAIN 0x1000 /* Client got default domain */
-#define ISAKMP_CFG_GOT_SPLIT_INCLUDE 0x2000 /* Client got a split network config */
-#define ISAKMP_CFG_GOT_SPLIT_LOCAL 0x4000 /* Client got a split LAN config */
-
-struct isakmp_pl_attr;
-struct ph1handle;
-struct isakmp_ivm;
-void isakmp_cfg_r(struct ph1handle *, vchar_t *);
-int isakmp_cfg_attr_r(struct ph1handle *, u_int32_t, struct isakmp_pl_attr *);
-int isakmp_cfg_reply(struct ph1handle *, struct isakmp_pl_attr *);
-int isakmp_cfg_request(struct ph1handle *, struct isakmp_pl_attr *);
-int isakmp_cfg_set(struct ph1handle *, struct isakmp_pl_attr *);
-int isakmp_cfg_send(struct ph1handle *, vchar_t *, u_int32_t, int, int);
-struct isakmp_ivm *isakmp_cfg_newiv(struct ph1handle *, u_int32_t);
-void isakmp_cfg_rmstate(struct ph1handle *);
-struct isakmp_cfg_state *isakmp_cfg_mkstate(void);
-vchar_t *isakmp_cfg_copy(struct ph1handle *, struct isakmp_data *);
-vchar_t *isakmp_cfg_short(struct ph1handle *, struct isakmp_data *, int);
-vchar_t *isakmp_cfg_varlen(struct ph1handle *, struct isakmp_data *, char *, size_t);
-vchar_t *isakmp_cfg_string(struct ph1handle *, struct isakmp_data *, char *);
-int isakmp_cfg_getconfig(struct ph1handle *);
-int isakmp_cfg_setenv(struct ph1handle *, char ***, int *);
-
-int isakmp_cfg_resize_pool(int);
-int isakmp_cfg_getport(struct ph1handle *);
-int isakmp_cfg_putport(struct ph1handle *, unsigned int);
-int isakmp_cfg_init(int);
-#define ISAKMP_CFG_INIT_COLD 1
-#define ISAKMP_CFG_INIT_WARM 0
-
-#ifdef HAVE_LIBRADIUS
-struct rad_handle;
-extern struct rad_handle *radius_acct_state;
-int isakmp_cfg_radius_common(struct rad_handle *, int);
-#endif
-
-#ifdef HAVE_LIBPAM
-int isakmp_cfg_accounting_pam(int, int);
-void cleanup_pam(int);
-#endif
-
-int isakmp_cfg_accounting_system(int, struct sockaddr *, char *, int);
diff --git a/src/racoon/isakmp_frag.c b/src/racoon/isakmp_frag.c
deleted file mode 100644
index 6fac6a2..0000000
--- a/src/racoon/isakmp_frag.c
+++ /dev/null
@@ -1,356 +0,0 @@
-/* $NetBSD: isakmp_frag.c,v 1.4.6.1 2009/04/22 11:25:35 tteras Exp $ */
-
-/* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
-
-/*
- * Copyright (C) 2004 Emmanuel Dreyfus
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/queue.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include <openssl/md5.h>
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <fcntl.h>
-#include <string.h>
-#include <errno.h>
-#if TIME_WITH_SYS_TIME
-# include <sys/time.h>
-# include <time.h>
-#else
-# if HAVE_SYS_TIME_H
-# include <sys/time.h>
-# else
-# include <time.h>
-# endif
-#endif
-#include <netdb.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-#include <ctype.h>
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "sockmisc.h"
-#include "schedule.h"
-#include "debug.h"
-
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "handler.h"
-#include "isakmp_frag.h"
-#include "strnames.h"
-
-int
-isakmp_sendfrags(iph1, buf)
- struct ph1handle *iph1;
- vchar_t *buf;
-{
- struct isakmp *hdr;
- struct isakmp_frag *fraghdr;
- caddr_t data;
- caddr_t sdata;
- size_t datalen;
- size_t max_datalen;
- size_t fraglen;
- vchar_t *frag;
- unsigned int trailer;
- unsigned int fragnum = 0;
- size_t len;
- int etype;
-
- /*
- * Catch the exchange type for later: the fragments and the
- * fragmented packet must have the same exchange type.
- */
- hdr = (struct isakmp *)buf->v;
- etype = hdr->etype;
-
- /*
- * We want to send a a packet smaller than ISAKMP_FRAG_MAXLEN
- * First compute the maximum data length that will fit in it
- */
- max_datalen = ISAKMP_FRAG_MAXLEN -
- (sizeof(*hdr) + sizeof(*fraghdr) + sizeof(trailer));
-
- sdata = buf->v;
- len = buf->l;
-
- while (len > 0) {
- fragnum++;
-
- if (len > max_datalen)
- datalen = max_datalen;
- else
- datalen = len;
-
- fraglen = sizeof(*hdr)
- + sizeof(*fraghdr)
- + datalen;
-
- if ((frag = vmalloc(fraglen)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot allocate memory\n");
- return -1;
- }
-
- set_isakmp_header1(frag, iph1, ISAKMP_NPTYPE_FRAG);
- hdr = (struct isakmp *)frag->v;
- hdr->etype = etype;
-
- fraghdr = (struct isakmp_frag *)(hdr + 1);
- fraghdr->unknown0 = htons(0);
- fraghdr->len = htons(fraglen - sizeof(*hdr));
- fraghdr->unknown1 = htons(1);
- fraghdr->index = fragnum;
- if (len == datalen)
- fraghdr->flags = ISAKMP_FRAG_LAST;
- else
- fraghdr->flags = 0;
-
- data = (caddr_t)(fraghdr + 1);
- memcpy(data, sdata, datalen);
-
- if (isakmp_send(iph1, frag) < 0) {
- plog(LLV_ERROR, LOCATION, NULL, "isakmp_send failed\n");
- return -1;
- }
-
- vfree(frag);
-
- len -= datalen;
- sdata += datalen;
- }
-
- return fragnum;
-}
-
-unsigned int
-vendorid_frag_cap(gen)
- struct isakmp_gen *gen;
-{
- int *hp;
-
- hp = (int *)(gen + 1);
-
- return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]);
-}
-
-int
-isakmp_frag_extract(iph1, msg)
- struct ph1handle *iph1;
- vchar_t *msg;
-{
- struct isakmp *isakmp;
- struct isakmp_frag *frag;
- struct isakmp_frag_item *item;
- vchar_t *buf;
- size_t len;
- int last_frag = 0;
- char *data;
- int i;
-
- if (msg->l < sizeof(*isakmp) + sizeof(*frag)) {
- plog(LLV_ERROR, LOCATION, NULL, "Message too short\n");
- return -1;
- }
-
- isakmp = (struct isakmp *)msg->v;
- frag = (struct isakmp_frag *)(isakmp + 1);
-
- /*
- * frag->len is the frag payload data plus the frag payload header,
- * whose size is sizeof(*frag)
- */
- if (msg->l < sizeof(*isakmp) + ntohs(frag->len) ||
- ntohs(frag->len) < sizeof(*frag) + 1) {
- plog(LLV_ERROR, LOCATION, NULL, "Fragment too short\n");
- return -1;
- }
-
- if ((buf = vmalloc(ntohs(frag->len) - sizeof(*frag))) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
- return -1;
- }
-
- if ((item = racoon_malloc(sizeof(*item))) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
- vfree(buf);
- return -1;
- }
-
- data = (char *)(frag + 1);
- memcpy(buf->v, data, buf->l);
-
- item->frag_num = frag->index;
- item->frag_last = (frag->flags & ISAKMP_FRAG_LAST);
- item->frag_next = NULL;
- item->frag_packet = buf;
-
- /* Look for the last frag while inserting the new item in the chain */
- if (item->frag_last)
- last_frag = item->frag_num;
-
- if (iph1->frag_chain == NULL) {
- iph1->frag_chain = item;
- } else {
- struct isakmp_frag_item *current;
-
- current = iph1->frag_chain;
- while (current->frag_next) {
- if (current->frag_last)
- last_frag = item->frag_num;
- current = current->frag_next;
- }
- current->frag_next = item;
- }
-
- /* If we saw the last frag, check if the chain is complete */
- if (last_frag != 0) {
- for (i = 1; i <= last_frag; i++) {
- item = iph1->frag_chain;
- do {
- if (item->frag_num == i)
- break;
- item = item->frag_next;
- } while (item != NULL);
-
- if (item == NULL) /* Not found */
- break;
- }
-
- if (item != NULL) /* It is complete */
- return 1;
- }
-
- return 0;
-}
-
-vchar_t *
-isakmp_frag_reassembly(iph1)
- struct ph1handle *iph1;
-{
- struct isakmp_frag_item *item;
- size_t len = 0;
- vchar_t *buf = NULL;
- int frag_count = 0;
- int i;
- char *data;
-
- if ((item = iph1->frag_chain) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "No fragment to reassemble\n");
- goto out;
- }
-
- do {
- frag_count++;
- len += item->frag_packet->l;
- item = item->frag_next;
- } while (item != NULL);
-
- if ((buf = vmalloc(len)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
- goto out;
- }
- data = buf->v;
-
- for (i = 1; i <= frag_count; i++) {
- item = iph1->frag_chain;
- do {
- if (item->frag_num == i)
- break;
- item = item->frag_next;
- } while (item != NULL);
-
- if (item == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Missing fragment #%d\n", i);
- vfree(buf);
- buf = NULL;
- goto out;
- }
- memcpy(data, item->frag_packet->v, item->frag_packet->l);
- data += item->frag_packet->l;
- }
-
-out:
- item = iph1->frag_chain;
- do {
- struct isakmp_frag_item *next_item;
-
- next_item = item->frag_next;
-
- vfree(item->frag_packet);
- racoon_free(item);
-
- item = next_item;
- } while (item != NULL);
-
- iph1->frag_chain = NULL;
-
- return buf;
-}
-
-vchar_t *
-isakmp_frag_addcap(buf, cap)
- vchar_t *buf;
- int cap;
-{
- int *capp;
- size_t len;
-
- /* If the capability has not been added, add room now */
- len = buf->l;
- if (len == MD5_DIGEST_LENGTH) {
- if ((buf = vrealloc(buf, len + sizeof(cap))) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot allocate memory\n");
- return NULL;
- }
- capp = (int *)(buf->v + len);
- *capp = htonl(0);
- }
-
- capp = (int *)(buf->v + MD5_DIGEST_LENGTH);
- *capp |= htonl(cap);
-
- return buf;
-}
-
diff --git a/src/racoon/isakmp_frag.h b/src/racoon/isakmp_frag.h
deleted file mode 100644
index f2d4c33..0000000
--- a/src/racoon/isakmp_frag.h
+++ /dev/null
@@ -1,58 +0,0 @@
-/* $NetBSD: isakmp_frag.h,v 1.5 2006/09/18 20:32:40 manu Exp $ */
-
-/* Id: isakmp_frag.h,v 1.3 2005/04/09 16:25:24 manubsd Exp */
-
-/*
- * Copyright (C) 2004 Emmanuel Dreyfus
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* These are the values from parsing "remote {}"
- block of the config file. */
-#define ISAKMP_FRAG_OFF FLASE /* = 0 */
-#define ISAKMP_FRAG_ON TRUE /* = 1 */
-#define ISAKMP_FRAG_FORCE 2
-
-/* IKE fragmentation capabilities */
-#define VENDORID_FRAG_IDENT 0x80000000
-#define VENDORID_FRAG_BASE 0x40000000
-#define VENDORID_FRAG_AGG 0x80000000
-
-#define ISAKMP_FRAG_MAXLEN 552
-
-struct isakmp_frag_item {
- int frag_num;
- int frag_last;
- struct isakmp_frag_item *frag_next;
- vchar_t *frag_packet;
-};
-
-int isakmp_sendfrags(struct ph1handle *, vchar_t *);
-unsigned int vendorid_frag_cap(struct isakmp_gen *);
-int isakmp_frag_extract(struct ph1handle *, vchar_t *);
-vchar_t *isakmp_frag_reassembly(struct ph1handle *);
-vchar_t *isakmp_frag_addcap(vchar_t *, int);
diff --git a/src/racoon/isakmp_ident.c b/src/racoon/isakmp_ident.c
deleted file mode 100644
index c3f71b3..0000000
--- a/src/racoon/isakmp_ident.c
+++ /dev/null
@@ -1,1911 +0,0 @@
-/* $NetBSD: isakmp_ident.c,v 1.6 2006/10/02 21:41:59 manu Exp $ */
-
-/* Id: isakmp_ident.c,v 1.21 2006/04/06 16:46:08 manubsd Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* Identity Protecion Exchange (Main Mode) */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#if TIME_WITH_SYS_TIME
-# include <sys/time.h>
-# include <time.h>
-#else
-# if HAVE_SYS_TIME_H
-# include <sys/time.h>
-# else
-# include <time.h>
-# endif
-#endif
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "sockmisc.h"
-#include "schedule.h"
-#include "debug.h"
-
-#include "localconf.h"
-#include "remoteconf.h"
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "evt.h"
-#include "oakley.h"
-#include "handler.h"
-#include "ipsec_doi.h"
-#include "crypto_openssl.h"
-#include "pfkey.h"
-#include "isakmp_ident.h"
-#include "isakmp_inf.h"
-#include "vendorid.h"
-
-#ifdef ENABLE_NATT
-#include "nattraversal.h"
-#endif
-#ifdef HAVE_GSSAPI
-#include "gssapi.h"
-#endif
-#ifdef ENABLE_HYBRID
-#include <resolv.h>
-#include "isakmp_xauth.h"
-#include "isakmp_cfg.h"
-#endif
-#ifdef ENABLE_FRAG
-#include "isakmp_frag.h"
-#endif
-
-static vchar_t *ident_ir2mx __P((struct ph1handle *));
-static vchar_t *ident_ir3mx __P((struct ph1handle *));
-
-/* %%%
- * begin Identity Protection Mode as initiator.
- */
-/*
- * send to responder
- * psk: HDR, SA
- * sig: HDR, SA
- * rsa: HDR, SA
- * rev: HDR, SA
- */
-int
-ident_i1send(iph1, msg)
- struct ph1handle *iph1;
- vchar_t *msg; /* must be null */
-{
- struct payload_list *plist = NULL;
- int error = -1;
-#ifdef ENABLE_NATT
- vchar_t *vid_natt[MAX_NATT_VID_COUNT] = { NULL };
- int i;
-#endif
-#ifdef ENABLE_HYBRID
- vchar_t *vid_xauth = NULL;
- vchar_t *vid_unity = NULL;
-#endif
-#ifdef ENABLE_FRAG
- vchar_t *vid_frag = NULL;
-#endif
-#ifdef ENABLE_DPD
- vchar_t *vid_dpd = NULL;
-#endif
- /* validity check */
- if (msg != NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "msg has to be NULL in this function.\n");
- goto end;
- }
- if (iph1->status != PHASE1ST_START) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph1->status);
- goto end;
- }
-
- /* create isakmp index */
- memset(&iph1->index, 0, sizeof(iph1->index));
- isakmp_newcookie((caddr_t)&iph1->index, iph1->remote, iph1->local);
-
- /* create SA payload for my proposal */
- iph1->sa = ipsecdoi_setph1proposal(iph1->rmconf->proposal);
- if (iph1->sa == NULL)
- goto end;
-
- /* set SA payload to propose */
- plist = isakmp_plist_append(plist, iph1->sa, ISAKMP_NPTYPE_SA);
-
-#ifdef ENABLE_NATT
- /* set VID payload for NAT-T if NAT-T support allowed in the config file */
- if (iph1->rmconf->nat_traversal)
- plist = isakmp_plist_append_natt_vids(plist, vid_natt);
-#endif
-#ifdef ENABLE_HYBRID
- /* Do we need Xauth VID? */
- switch (RMAUTHMETHOD(iph1)) {
- case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
- if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL)
- plog(LLV_ERROR, LOCATION, NULL,
- "Xauth vendor ID generation failed\n");
- else
- plist = isakmp_plist_append(plist,
- vid_xauth, ISAKMP_NPTYPE_VID);
-
- if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
- plog(LLV_ERROR, LOCATION, NULL,
- "Unity vendor ID generation failed\n");
- else
- plist = isakmp_plist_append(plist,
- vid_unity, ISAKMP_NPTYPE_VID);
- break;
- default:
- break;
- }
-#endif
-#ifdef ENABLE_FRAG
- if (iph1->rmconf->ike_frag) {
- if ((vid_frag = set_vendorid(VENDORID_FRAG)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Frag vendorID construction failed\n");
- } else {
- vid_frag = isakmp_frag_addcap(vid_frag,
- VENDORID_FRAG_IDENT);
- plist = isakmp_plist_append(plist,
- vid_frag, ISAKMP_NPTYPE_VID);
- }
- }
-#endif
-#ifdef ENABLE_DPD
- if(iph1->rmconf->dpd){
- vid_dpd = set_vendorid(VENDORID_DPD);
- if (vid_dpd != NULL)
- plist = isakmp_plist_append(plist, vid_dpd,
- ISAKMP_NPTYPE_VID);
- }
-#endif
-
- iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
-
-#ifdef HAVE_PRINT_ISAKMP_C
- isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
-#endif
-
- /* send the packet, add to the schedule to resend */
- iph1->retry_counter = iph1->rmconf->retry_counter;
- if (isakmp_ph1resend(iph1) == -1)
- goto end;
-
- iph1->status = PHASE1ST_MSG1SENT;
-
- error = 0;
-
-end:
-#ifdef ENABLE_FRAG
- if (vid_frag)
- vfree(vid_frag);
-#endif
-#ifdef ENABLE_NATT
- for (i = 0; i < MAX_NATT_VID_COUNT && vid_natt[i] != NULL; i++)
- vfree(vid_natt[i]);
-#endif
-#ifdef ENABLE_HYBRID
- if (vid_xauth != NULL)
- vfree(vid_xauth);
- if (vid_unity != NULL)
- vfree(vid_unity);
-#endif
-#ifdef ENABLE_DPD
- if (vid_dpd != NULL)
- vfree(vid_dpd);
-#endif
-
- return error;
-}
-
-/*
- * receive from responder
- * psk: HDR, SA
- * sig: HDR, SA
- * rsa: HDR, SA
- * rev: HDR, SA
- */
-int
-ident_i2recv(iph1, msg)
- struct ph1handle *iph1;
- vchar_t *msg;
-{
- vchar_t *pbuf = NULL;
- struct isakmp_parse_t *pa;
- vchar_t *satmp = NULL;
- int error = -1;
- int vid_numeric;
-
- /* validity check */
- if (iph1->status != PHASE1ST_MSG1SENT) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph1->status);
- goto end;
- }
-
- /* validate the type of next payload */
- /*
- * NOTE: RedCreek(as responder) attaches N[responder-lifetime] here,
- * if proposal-lifetime > lifetime-redcreek-wants.
- * (see doi-08 4.5.4)
- * => According to the seciton 4.6.3 in RFC 2407, This is illegal.
- * NOTE: we do not really care about ordering of VID and N.
- * does it matters?
- * NOTE: even if there's multiple VID/N, we'll ignore them.
- */
- pbuf = isakmp_parse(msg);
- if (pbuf == NULL)
- goto end;
- pa = (struct isakmp_parse_t *)pbuf->v;
-
- /* SA payload is fixed postion */
- if (pa->type != ISAKMP_NPTYPE_SA) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "received invalid next payload type %d, "
- "expecting %d.\n",
- pa->type, ISAKMP_NPTYPE_SA);
- goto end;
- }
- if (isakmp_p2ph(&satmp, pa->ptr) < 0)
- goto end;
- pa++;
-
- for (/*nothing*/;
- pa->type != ISAKMP_NPTYPE_NONE;
- pa++) {
-
- switch (pa->type) {
- case ISAKMP_NPTYPE_VID:
- handle_vendorid(iph1, pa->ptr);
- break;
- default:
- /* don't send information, see ident_r1recv() */
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "ignore the packet, "
- "received unexpecting payload type %d.\n",
- pa->type);
- goto end;
- }
- }
-
-#ifdef ENABLE_NATT
- if (NATT_AVAILABLE(iph1))
- plog(LLV_INFO, LOCATION, iph1->remote,
- "Selected NAT-T version: %s\n",
- vid_string_by_id(iph1->natt_options->version));
-#endif
-
- /* check SA payload and set approval SA for use */
- if (ipsecdoi_checkph1proposal(satmp, iph1) < 0) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "failed to get valid proposal.\n");
- /* XXX send information */
- goto end;
- }
- VPTRINIT(iph1->sa_ret);
-
- iph1->status = PHASE1ST_MSG2RECEIVED;
-
- error = 0;
-
-end:
- if (pbuf)
- vfree(pbuf);
- if (satmp)
- vfree(satmp);
- return error;
-}
-
-/*
- * send to responder
- * psk: HDR, KE, Ni
- * sig: HDR, KE, Ni
- * gssapi: HDR, KE, Ni, GSSi
- * rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
- * rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
- * <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i]
- */
-int
-ident_i2send(iph1, msg)
- struct ph1handle *iph1;
- vchar_t *msg;
-{
- int error = -1;
-
- /* validity check */
- if (iph1->status != PHASE1ST_MSG2RECEIVED) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph1->status);
- goto end;
- }
-
- /* fix isakmp index */
- memcpy(&iph1->index.r_ck, &((struct isakmp *)msg->v)->r_ck,
- sizeof(cookie_t));
-
- /* generate DH public value */
- if (oakley_dh_generate(iph1->approval->dhgrp,
- &iph1->dhpub, &iph1->dhpriv) < 0)
- goto end;
-
- /* generate NONCE value */
- iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
- if (iph1->nonce == NULL)
- goto end;
-
-#ifdef HAVE_GSSAPI
- if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB &&
- gssapi_get_itoken(iph1, NULL) < 0)
- goto end;
-#endif
-
- /* create buffer to send isakmp payload */
- iph1->sendbuf = ident_ir2mx(iph1);
- if (iph1->sendbuf == NULL)
- goto end;
-
-#ifdef HAVE_PRINT_ISAKMP_C
- isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
-#endif
-
- /* send the packet, add to the schedule to resend */
- iph1->retry_counter = iph1->rmconf->retry_counter;
- if (isakmp_ph1resend(iph1) == -1)
- goto end;
-
- /* the sending message is added to the received-list. */
- if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
- plog(LLV_ERROR , LOCATION, NULL,
- "failed to add a response packet to the tree.\n");
- goto end;
- }
-
- iph1->status = PHASE1ST_MSG2SENT;
-
- error = 0;
-
-end:
- return error;
-}
-
-/*
- * receive from responder
- * psk: HDR, KE, Nr
- * sig: HDR, KE, Nr [, CR ]
- * gssapi: HDR, KE, Nr, GSSr
- * rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
- * rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
- */
-int
-ident_i3recv(iph1, msg)
- struct ph1handle *iph1;
- vchar_t *msg;
-{
- vchar_t *pbuf = NULL;
- struct isakmp_parse_t *pa;
- int error = -1;
-#ifdef HAVE_GSSAPI
- vchar_t *gsstoken = NULL;
-#endif
-#ifdef ENABLE_NATT
- vchar_t *natd_received;
- int natd_seq = 0, natd_verified;
-#endif
-
- /* validity check */
- if (iph1->status != PHASE1ST_MSG2SENT) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph1->status);
- goto end;
- }
-
- /* validate the type of next payload */
- pbuf = isakmp_parse(msg);
- if (pbuf == NULL)
- goto end;
-
- for (pa = (struct isakmp_parse_t *)pbuf->v;
- pa->type != ISAKMP_NPTYPE_NONE;
- pa++) {
-
- switch (pa->type) {
- case ISAKMP_NPTYPE_KE:
- if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0)
- goto end;
- break;
- case ISAKMP_NPTYPE_NONCE:
- if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0)
- goto end;
- break;
- case ISAKMP_NPTYPE_VID:
- handle_vendorid(iph1, pa->ptr);
- break;
- case ISAKMP_NPTYPE_CR:
- if (oakley_savecr(iph1, pa->ptr) < 0)
- goto end;
- break;
-#ifdef HAVE_GSSAPI
- case ISAKMP_NPTYPE_GSS:
- if (isakmp_p2ph(&gsstoken, pa->ptr) < 0)
- goto end;
- gssapi_save_received_token(iph1, gsstoken);
- break;
-#endif
-
-#ifdef ENABLE_NATT
- case ISAKMP_NPTYPE_NATD_DRAFT:
- case ISAKMP_NPTYPE_NATD_RFC:
- if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
- pa->type == iph1->natt_options->payload_nat_d) {
- natd_received = NULL;
- if (isakmp_p2ph (&natd_received, pa->ptr) < 0)
- goto end;
-
- /* set both bits first so that we can clear them
- upon verifying hashes */
- if (natd_seq == 0)
- iph1->natt_flags |= NAT_DETECTED;
-
- /* this function will clear appropriate bits bits
- from iph1->natt_flags */
- natd_verified = natt_compare_addr_hash (iph1,
- natd_received, natd_seq++);
-
- plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
- natd_seq - 1,
- natd_verified ? "verified" : "doesn't match");
-
- vfree (natd_received);
- break;
- }
- /* passthrough to default... */
-#endif
-
- default:
- /* don't send information, see ident_r1recv() */
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "ignore the packet, "
- "received unexpecting payload type %d.\n",
- pa->type);
- goto end;
- }
- }
-
-#ifdef ENABLE_NATT
- if (NATT_AVAILABLE(iph1)) {
- plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
- iph1->natt_flags & NAT_DETECTED ?
- "detected:" : "not detected",
- iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
- iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
- if (iph1->natt_flags & NAT_DETECTED)
- natt_float_ports (iph1);
- }
-#endif
-
- /* payload existency check */
- if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "few isakmp message received.\n");
- goto end;
- }
-
- if (oakley_checkcr(iph1) < 0) {
- /* Ignore this error in order to be interoperability. */
- ;
- }
-
- iph1->status = PHASE1ST_MSG3RECEIVED;
-
- error = 0;
-
-end:
-#ifdef HAVE_GSSAPI
- if (gsstoken)
- vfree(gsstoken);
-#endif
- if (pbuf)
- vfree(pbuf);
- if (error) {
- VPTRINIT(iph1->dhpub_p);
- VPTRINIT(iph1->nonce_p);
- VPTRINIT(iph1->id_p);
- oakley_delcert(iph1->cr_p);
- iph1->cr_p = NULL;
- }
-
- return error;
-}
-
-/*
- * send to responder
- * psk: HDR*, IDi1, HASH_I
- * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
- * gssapi: HDR*, IDi1, < Gssi(n) | HASH_I >
- * rsa: HDR*, HASH_I
- * rev: HDR*, HASH_I
- */
-int
-ident_i3send(iph1, msg0)
- struct ph1handle *iph1;
- vchar_t *msg0;
-{
- int error = -1;
- int dohash = 1;
-#ifdef HAVE_GSSAPI
- int len;
-#endif
-
- /* validity check */
- if (iph1->status != PHASE1ST_MSG3RECEIVED) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph1->status);
- goto end;
- }
-
- /* compute sharing secret of DH */
- if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
- iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
- goto end;
-
- /* generate SKEYIDs & IV & final cipher key */
- if (oakley_skeyid(iph1) < 0)
- goto end;
- if (oakley_skeyid_dae(iph1) < 0)
- goto end;
- if (oakley_compute_enckey(iph1) < 0)
- goto end;
- if (oakley_newiv(iph1) < 0)
- goto end;
-
- /* make ID payload into isakmp status */
- if (ipsecdoi_setid1(iph1) < 0)
- goto end;
-
-#ifdef HAVE_GSSAPI
- if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB &&
- gssapi_more_tokens(iph1)) {
- plog(LLV_DEBUG, LOCATION, NULL, "calling get_itoken\n");
- if (gssapi_get_itoken(iph1, &len) < 0)
- goto end;
- if (len != 0)
- dohash = 0;
- }
-#endif
-
- /* generate HASH to send */
- if (dohash) {
- iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
- if (iph1->hash == NULL)
- goto end;
- } else
- iph1->hash = NULL;
-
- /* set encryption flag */
- iph1->flags |= ISAKMP_FLAG_E;
-
- /* create HDR;ID;HASH payload */
- iph1->sendbuf = ident_ir3mx(iph1);
- if (iph1->sendbuf == NULL)
- goto end;
-
- /* send the packet, add to the schedule to resend */
- iph1->retry_counter = iph1->rmconf->retry_counter;
- if (isakmp_ph1resend(iph1) == -1)
- goto end;
-
- /* the sending message is added to the received-list. */
- if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg0) == -1) {
- plog(LLV_ERROR , LOCATION, NULL,
- "failed to add a response packet to the tree.\n");
- goto end;
- }
-
- /* see handler.h about IV synchronization. */
- memcpy(iph1->ivm->ive->v, iph1->ivm->iv->v, iph1->ivm->iv->l);
-
- iph1->status = PHASE1ST_MSG3SENT;
-
- error = 0;
-
-end:
- return error;
-}
-
-/*
- * receive from responder
- * psk: HDR*, IDr1, HASH_R
- * sig: HDR*, IDr1, [ CERT, ] SIG_R
- * gssapi: HDR*, IDr1, < GSSr(n) | HASH_R >
- * rsa: HDR*, HASH_R
- * rev: HDR*, HASH_R
- */
-int
-ident_i4recv(iph1, msg0)
- struct ph1handle *iph1;
- vchar_t *msg0;
-{
- vchar_t *pbuf = NULL;
- struct isakmp_parse_t *pa;
- vchar_t *msg = NULL;
- int error = -1;
- int type;
-#ifdef HAVE_GSSAPI
- vchar_t *gsstoken = NULL;
-#endif
-
- /* validity check */
- if (iph1->status != PHASE1ST_MSG3SENT) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph1->status);
- goto end;
- }
-
- /* decrypting */
- if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "ignore the packet, "
- "expecting the packet encrypted.\n");
- goto end;
- }
- msg = oakley_do_decrypt(iph1, msg0, iph1->ivm->iv, iph1->ivm->ive);
- if (msg == NULL)
- goto end;
-
- /* validate the type of next payload */
- pbuf = isakmp_parse(msg);
- if (pbuf == NULL)
- goto end;
-
- iph1->pl_hash = NULL;
-
- for (pa = (struct isakmp_parse_t *)pbuf->v;
- pa->type != ISAKMP_NPTYPE_NONE;
- pa++) {
-
- switch (pa->type) {
- case ISAKMP_NPTYPE_ID:
- if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0)
- goto end;
- break;
- case ISAKMP_NPTYPE_HASH:
- iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
- break;
- case ISAKMP_NPTYPE_CERT:
- if (oakley_savecert(iph1, pa->ptr) < 0)
- goto end;
- break;
- case ISAKMP_NPTYPE_SIG:
- if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0)
- goto end;
- break;
-#ifdef HAVE_GSSAPI
- case ISAKMP_NPTYPE_GSS:
- if (isakmp_p2ph(&gsstoken, pa->ptr) < 0)
- goto end;
- gssapi_save_received_token(iph1, gsstoken);
- break;
-#endif
- case ISAKMP_NPTYPE_VID:
- handle_vendorid(iph1, pa->ptr);
- break;
- case ISAKMP_NPTYPE_N:
- isakmp_check_notify(pa->ptr, iph1);
- break;
- default:
- /* don't send information, see ident_r1recv() */
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "ignore the packet, "
- "received unexpecting payload type %d.\n",
- pa->type);
- goto end;
- }
- }
-
- /* payload existency check */
-
- /* verify identifier */
- if (ipsecdoi_checkid1(iph1) != 0) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "invalid ID payload.\n");
- goto end;
- }
-
- /* validate authentication value */
-#ifdef HAVE_GSSAPI
- if (gsstoken == NULL) {
-#endif
- type = oakley_validate_auth(iph1);
- if (type != 0) {
- if (type == -1) {
- /* msg printed inner oakley_validate_auth() */
- goto end;
- }
- EVT_PUSH(iph1->local, iph1->remote,
- EVTT_PEERPH1AUTH_FAILED, NULL);
- isakmp_info_send_n1(iph1, type, NULL);
- goto end;
- }
-#ifdef HAVE_GSSAPI
- }
-#endif
-
- /*
- * XXX: Should we do compare two addresses, ph1handle's and ID
- * payload's.
- */
-
- plog(LLV_DEBUG, LOCATION, iph1->remote, "peer's ID:");
- plogdump(LLV_DEBUG, iph1->id_p->v, iph1->id_p->l);
-
- /* see handler.h about IV synchronization. */
- memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->ive->l);
-
- /*
- * If we got a GSS token, we need to this roundtrip again.
- */
-#ifdef HAVE_GSSAPI
- iph1->status = gsstoken != 0 ? PHASE1ST_MSG3RECEIVED :
- PHASE1ST_MSG4RECEIVED;
-#else
- iph1->status = PHASE1ST_MSG4RECEIVED;
-#endif
-
- error = 0;
-
-end:
- if (pbuf)
- vfree(pbuf);
- if (msg)
- vfree(msg);
-#ifdef HAVE_GSSAPI
- if (gsstoken)
- vfree(gsstoken);
-#endif
-
- if (error) {
- VPTRINIT(iph1->id_p);
- oakley_delcert(iph1->cert_p);
- iph1->cert_p = NULL;
- oakley_delcert(iph1->crl_p);
- iph1->crl_p = NULL;
- VPTRINIT(iph1->sig_p);
- }
-
- return error;
-}
-
-/*
- * status update and establish isakmp sa.
- */
-int
-ident_i4send(iph1, msg)
- struct ph1handle *iph1;
- vchar_t *msg;
-{
- int error = -1;
-
- /* validity check */
- if (iph1->status != PHASE1ST_MSG4RECEIVED) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph1->status);
- goto end;
- }
-
- /* see handler.h about IV synchronization. */
- memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->iv->l);
-
- iph1->status = PHASE1ST_ESTABLISHED;
-
- error = 0;
-
-end:
- return error;
-}
-
-/*
- * receive from initiator
- * psk: HDR, SA
- * sig: HDR, SA
- * rsa: HDR, SA
- * rev: HDR, SA
- */
-int
-ident_r1recv(iph1, msg)
- struct ph1handle *iph1;
- vchar_t *msg;
-{
- vchar_t *pbuf = NULL;
- struct isakmp_parse_t *pa;
- int error = -1;
- int vid_numeric;
-
- /* validity check */
- if (iph1->status != PHASE1ST_START) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph1->status);
- goto end;
- }
-
- /* validate the type of next payload */
- /*
- * NOTE: XXX even if multiple VID, we'll silently ignore those.
- */
- pbuf = isakmp_parse(msg);
- if (pbuf == NULL)
- goto end;
- pa = (struct isakmp_parse_t *)pbuf->v;
-
- /* check the position of SA payload */
- if (pa->type != ISAKMP_NPTYPE_SA) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "received invalid next payload type %d, "
- "expecting %d.\n",
- pa->type, ISAKMP_NPTYPE_SA);
- goto end;
- }
- if (isakmp_p2ph(&iph1->sa, pa->ptr) < 0)
- goto end;
- pa++;
-
- for (/*nothing*/;
- pa->type != ISAKMP_NPTYPE_NONE;
- pa++) {
-
- switch (pa->type) {
- case ISAKMP_NPTYPE_VID:
- vid_numeric = handle_vendorid(iph1, pa->ptr);
-#ifdef ENABLE_FRAG
- if ((vid_numeric == VENDORID_FRAG) &&
- (vendorid_frag_cap(pa->ptr) & VENDORID_FRAG_IDENT))
- iph1->frag = 1;
-#endif
- break;
- default:
- /*
- * We don't send information to the peer even
- * if we received malformed packet. Because we
- * can't distinguish the malformed packet and
- * the re-sent packet. And we do same behavior
- * when we expect encrypted packet.
- */
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "ignore the packet, "
- "received unexpecting payload type %d.\n",
- pa->type);
- goto end;
- }
- }
-
-#ifdef ENABLE_NATT
- if (NATT_AVAILABLE(iph1))
- plog(LLV_INFO, LOCATION, iph1->remote,
- "Selected NAT-T version: %s\n",
- vid_string_by_id(iph1->natt_options->version));
-#endif
-
- /* check SA payload and set approval SA for use */
- if (ipsecdoi_checkph1proposal(iph1->sa, iph1) < 0) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "failed to get valid proposal.\n");
- /* XXX send information */
- goto end;
- }
-
- iph1->status = PHASE1ST_MSG1RECEIVED;
-
- error = 0;
-
-end:
- if (pbuf)
- vfree(pbuf);
- if (error) {
- VPTRINIT(iph1->sa);
- }
-
- return error;
-}
-
-/*
- * send to initiator
- * psk: HDR, SA
- * sig: HDR, SA
- * rsa: HDR, SA
- * rev: HDR, SA
- */
-int
-ident_r1send(iph1, msg)
- struct ph1handle *iph1;
- vchar_t *msg;
-{
- struct payload_list *plist = NULL;
- int error = -1;
- vchar_t *gss_sa = NULL;
-#ifdef HAVE_GSSAPI
- int free_gss_sa = 0;
-#endif
-#ifdef ENABLE_NATT
- vchar_t *vid_natt = NULL;
-#endif
-#ifdef ENABLE_HYBRID
- vchar_t *vid_xauth = NULL;
- vchar_t *vid_unity = NULL;
-#endif
-#ifdef ENABLE_DPD
- vchar_t *vid_dpd = NULL;
-#endif
-#ifdef ENABLE_FRAG
- vchar_t *vid_frag = NULL;
-#endif
-
- /* validity check */
- if (iph1->status != PHASE1ST_MSG1RECEIVED) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph1->status);
- goto end;
- }
-
- /* set responder's cookie */
- isakmp_newcookie((caddr_t)&iph1->index.r_ck, iph1->remote, iph1->local);
-
-#ifdef HAVE_GSSAPI
- if (iph1->approval->gssid != NULL) {
- gss_sa = ipsecdoi_setph1proposal(iph1->approval);
- if (gss_sa != iph1->sa_ret)
- free_gss_sa = 1;
- } else
-#endif
- gss_sa = iph1->sa_ret;
-
- /* set SA payload to reply */
- plist = isakmp_plist_append(plist, gss_sa, ISAKMP_NPTYPE_SA);
-
-#ifdef ENABLE_HYBRID
- if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) {
- plog (LLV_INFO, LOCATION, NULL, "Adding xauth VID payload.\n");
- if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot create Xauth vendor ID\n");
- goto end;
- }
- plist = isakmp_plist_append(plist,
- vid_xauth, ISAKMP_NPTYPE_VID);
- }
-
- if (iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) {
- if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot create Unity vendor ID\n");
- goto end;
- }
- plist = isakmp_plist_append(plist,
- vid_unity, ISAKMP_NPTYPE_VID);
- }
-#endif
-#ifdef ENABLE_NATT
- /* Has the peer announced NAT-T? */
- if (NATT_AVAILABLE(iph1))
- vid_natt = set_vendorid(iph1->natt_options->version);
-
- if (vid_natt)
- plist = isakmp_plist_append(plist, vid_natt, ISAKMP_NPTYPE_VID);
-#endif
-#ifdef ENABLE_DPD
- /* XXX only send DPD VID if remote sent it ? */
- if(iph1->rmconf->dpd){
- vid_dpd = set_vendorid(VENDORID_DPD);
- if (vid_dpd != NULL)
- plist = isakmp_plist_append(plist, vid_dpd, ISAKMP_NPTYPE_VID);
- }
-#endif
-#ifdef ENABLE_FRAG
- if (iph1->frag) {
- vid_frag = set_vendorid(VENDORID_FRAG);
- if (vid_frag != NULL)
- vid_frag = isakmp_frag_addcap(vid_frag,
- VENDORID_FRAG_IDENT);
- if (vid_frag == NULL)
- plog(LLV_ERROR, LOCATION, NULL,
- "Frag vendorID construction failed\n");
- else
- plist = isakmp_plist_append(plist,
- vid_frag, ISAKMP_NPTYPE_VID);
- }
-#endif
-
- iph1->sendbuf = isakmp_plist_set_all (&plist, iph1);
-
-#ifdef HAVE_PRINT_ISAKMP_C
- isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
-#endif
-
- /* send the packet, add to the schedule to resend */
- iph1->retry_counter = iph1->rmconf->retry_counter;
- if (isakmp_ph1resend(iph1) == -1) {
- goto end;
- }
-
- /* the sending message is added to the received-list. */
- if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
- plog(LLV_ERROR , LOCATION, NULL,
- "failed to add a response packet to the tree.\n");
- goto end;
- }
-
- iph1->status = PHASE1ST_MSG1SENT;
-
- error = 0;
-
-end:
-#ifdef HAVE_GSSAPI
- if (free_gss_sa)
- vfree(gss_sa);
-#endif
-#ifdef ENABLE_NATT
- if (vid_natt)
- vfree(vid_natt);
-#endif
-#ifdef ENABLE_HYBRID
- if (vid_xauth != NULL)
- vfree(vid_xauth);
- if (vid_unity != NULL)
- vfree(vid_unity);
-#endif
-#ifdef ENABLE_DPD
- if (vid_dpd != NULL)
- vfree(vid_dpd);
-#endif
-#ifdef ENABLE_FRAG
- if (vid_frag != NULL)
- vfree(vid_frag);
-#endif
-
- return error;
-}
-
-/*
- * receive from initiator
- * psk: HDR, KE, Ni
- * sig: HDR, KE, Ni
- * gssapi: HDR, KE, Ni, GSSi
- * rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
- * rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
- * <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i]
- */
-int
-ident_r2recv(iph1, msg)
- struct ph1handle *iph1;
- vchar_t *msg;
-{
- vchar_t *pbuf = NULL;
- struct isakmp_parse_t *pa;
- int error = -1;
-#ifdef HAVE_GSSAPI
- vchar_t *gsstoken = NULL;
-#endif
-#ifdef ENABLE_NATT
- int natd_seq = 0;
-#endif
-
- /* validity check */
- if (iph1->status != PHASE1ST_MSG1SENT) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph1->status);
- goto end;
- }
-
- /* validate the type of next payload */
- pbuf = isakmp_parse(msg);
- if (pbuf == NULL)
- goto end;
-
- for (pa = (struct isakmp_parse_t *)pbuf->v;
- pa->type != ISAKMP_NPTYPE_NONE;
- pa++) {
- switch (pa->type) {
- case ISAKMP_NPTYPE_KE:
- if (isakmp_p2ph(&iph1->dhpub_p, pa->ptr) < 0)
- goto end;
- break;
- case ISAKMP_NPTYPE_NONCE:
- if (isakmp_p2ph(&iph1->nonce_p, pa->ptr) < 0)
- goto end;
- break;
- case ISAKMP_NPTYPE_VID:
- handle_vendorid(iph1, pa->ptr);
- break;
- case ISAKMP_NPTYPE_CR:
- plog(LLV_WARNING, LOCATION, iph1->remote,
- "CR received, ignore it. "
- "It should be in other exchange.\n");
- break;
-#ifdef HAVE_GSSAPI
- case ISAKMP_NPTYPE_GSS:
- if (isakmp_p2ph(&gsstoken, pa->ptr) < 0)
- goto end;
- gssapi_save_received_token(iph1, gsstoken);
- break;
-#endif
-
-#ifdef ENABLE_NATT
- case ISAKMP_NPTYPE_NATD_DRAFT:
- case ISAKMP_NPTYPE_NATD_RFC:
- if (NATT_AVAILABLE(iph1) && iph1->natt_options != NULL &&
- pa->type == iph1->natt_options->payload_nat_d)
- {
- vchar_t *natd_received = NULL;
- int natd_verified;
-
- if (isakmp_p2ph (&natd_received, pa->ptr) < 0)
- goto end;
-
- if (natd_seq == 0)
- iph1->natt_flags |= NAT_DETECTED;
-
- natd_verified = natt_compare_addr_hash (iph1,
- natd_received, natd_seq++);
-
- plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
- natd_seq - 1,
- natd_verified ? "verified" : "doesn't match");
-
- vfree (natd_received);
- break;
- }
- /* passthrough to default... */
-#endif
-
- default:
- /* don't send information, see ident_r1recv() */
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "ignore the packet, "
- "received unexpecting payload type %d.\n",
- pa->type);
- goto end;
- }
- }
-
-#ifdef ENABLE_NATT
- if (NATT_AVAILABLE(iph1))
- plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
- iph1->natt_flags & NAT_DETECTED ?
- "detected:" : "not detected",
- iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
- iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
-#endif
-
- /* payload existency check */
- if (iph1->dhpub_p == NULL || iph1->nonce_p == NULL) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "few isakmp message received.\n");
- goto end;
- }
-
- iph1->status = PHASE1ST_MSG2RECEIVED;
-
- error = 0;
-
-end:
- if (pbuf)
- vfree(pbuf);
-#ifdef HAVE_GSSAPI
- if (gsstoken)
- vfree(gsstoken);
-#endif
-
- if (error) {
- VPTRINIT(iph1->dhpub_p);
- VPTRINIT(iph1->nonce_p);
- VPTRINIT(iph1->id_p);
- }
-
- return error;
-}
-
-/*
- * send to initiator
- * psk: HDR, KE, Nr
- * sig: HDR, KE, Nr [, CR ]
- * gssapi: HDR, KE, Nr, GSSr
- * rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
- * rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
- */
-int
-ident_r2send(iph1, msg)
- struct ph1handle *iph1;
- vchar_t *msg;
-{
- int error = -1;
-
- /* validity check */
- if (iph1->status != PHASE1ST_MSG2RECEIVED) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph1->status);
- goto end;
- }
-
- /* generate DH public value */
- if (oakley_dh_generate(iph1->approval->dhgrp,
- &iph1->dhpub, &iph1->dhpriv) < 0)
- goto end;
-
- /* generate NONCE value */
- iph1->nonce = eay_set_random(iph1->rmconf->nonce_size);
- if (iph1->nonce == NULL)
- goto end;
-
-#ifdef HAVE_GSSAPI
- if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
- gssapi_get_rtoken(iph1, NULL);
-#endif
-
- /* create HDR;KE;NONCE payload */
- iph1->sendbuf = ident_ir2mx(iph1);
- if (iph1->sendbuf == NULL)
- goto end;
-
-#ifdef HAVE_PRINT_ISAKMP_C
- isakmp_printpacket(iph1->sendbuf, iph1->local, iph1->remote, 0);
-#endif
-
- /* send the packet, add to the schedule to resend */
- iph1->retry_counter = iph1->rmconf->retry_counter;
- if (isakmp_ph1resend(iph1) == -1)
- goto end;
-
- /* the sending message is added to the received-list. */
- if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
- plog(LLV_ERROR , LOCATION, NULL,
- "failed to add a response packet to the tree.\n");
- goto end;
- }
-
- /* compute sharing secret of DH */
- if (oakley_dh_compute(iph1->approval->dhgrp, iph1->dhpub,
- iph1->dhpriv, iph1->dhpub_p, &iph1->dhgxy) < 0)
- goto end;
-
- /* generate SKEYIDs & IV & final cipher key */
- if (oakley_skeyid(iph1) < 0)
- goto end;
- if (oakley_skeyid_dae(iph1) < 0)
- goto end;
- if (oakley_compute_enckey(iph1) < 0)
- goto end;
- if (oakley_newiv(iph1) < 0)
- goto end;
-
- iph1->status = PHASE1ST_MSG2SENT;
-
- error = 0;
-
-end:
- return error;
-}
-
-/*
- * receive from initiator
- * psk: HDR*, IDi1, HASH_I
- * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
- * gssapi: HDR*, [ IDi1, ] < GSSi(n) | HASH_I >
- * rsa: HDR*, HASH_I
- * rev: HDR*, HASH_I
- */
-int
-ident_r3recv(iph1, msg0)
- struct ph1handle *iph1;
- vchar_t *msg0;
-{
- vchar_t *msg = NULL;
- vchar_t *pbuf = NULL;
- struct isakmp_parse_t *pa;
- int error = -1;
- int type;
-#ifdef HAVE_GSSAPI
- vchar_t *gsstoken = NULL;
-#endif
-
- /* validity check */
- if (iph1->status != PHASE1ST_MSG2SENT) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph1->status);
- goto end;
- }
-
- /* decrypting */
- if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "reject the packet, "
- "expecting the packet encrypted.\n");
- goto end;
- }
- msg = oakley_do_decrypt(iph1, msg0, iph1->ivm->iv, iph1->ivm->ive);
- if (msg == NULL)
- goto end;
-
- /* validate the type of next payload */
- pbuf = isakmp_parse(msg);
- if (pbuf == NULL)
- goto end;
-
- iph1->pl_hash = NULL;
-
- for (pa = (struct isakmp_parse_t *)pbuf->v;
- pa->type != ISAKMP_NPTYPE_NONE;
- pa++) {
-
- switch (pa->type) {
- case ISAKMP_NPTYPE_ID:
- if (isakmp_p2ph(&iph1->id_p, pa->ptr) < 0)
- goto end;
- break;
- case ISAKMP_NPTYPE_HASH:
- iph1->pl_hash = (struct isakmp_pl_hash *)pa->ptr;
- break;
- case ISAKMP_NPTYPE_CR:
- if (oakley_savecr(iph1, pa->ptr) < 0)
- goto end;
- break;
- case ISAKMP_NPTYPE_CERT:
- if (oakley_savecert(iph1, pa->ptr) < 0)
- goto end;
- break;
- case ISAKMP_NPTYPE_SIG:
- if (isakmp_p2ph(&iph1->sig_p, pa->ptr) < 0)
- goto end;
- break;
-#ifdef HAVE_GSSAPI
- case ISAKMP_NPTYPE_GSS:
- if (isakmp_p2ph(&gsstoken, pa->ptr) < 0)
- goto end;
- gssapi_save_received_token(iph1, gsstoken);
- break;
-#endif
- case ISAKMP_NPTYPE_VID:
- handle_vendorid(iph1, pa->ptr);
- break;
- case ISAKMP_NPTYPE_N:
- isakmp_check_notify(pa->ptr, iph1);
- break;
- default:
- /* don't send information, see ident_r1recv() */
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "ignore the packet, "
- "received unexpecting payload type %d.\n",
- pa->type);
- goto end;
- }
- }
-
- /* payload existency check */
- /* XXX same as ident_i4recv(), should be merged. */
- {
- int ng = 0;
-
- switch (AUTHMETHOD(iph1)) {
- case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
-#ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
-#endif
- if (iph1->id_p == NULL || iph1->pl_hash == NULL)
- ng++;
- break;
- case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
- case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
-#ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
-#endif
- if (iph1->id_p == NULL || iph1->sig_p == NULL)
- ng++;
- break;
- case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
- case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
-#ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
-#endif
- if (iph1->pl_hash == NULL)
- ng++;
- break;
-#ifdef HAVE_GSSAPI
- case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
- if (gsstoken == NULL && iph1->pl_hash == NULL)
- ng++;
- break;
-#endif
- default:
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "invalid authmethod %d why ?\n",
- iph1->approval->authmethod);
- goto end;
- }
- if (ng) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "few isakmp message received.\n");
- goto end;
- }
- }
-
- /* verify identifier */
- if (ipsecdoi_checkid1(iph1) != 0) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "invalid ID payload.\n");
- goto end;
- }
-
- /* validate authentication value */
-#ifdef HAVE_GSSAPI
- if (gsstoken == NULL) {
-#endif
- type = oakley_validate_auth(iph1);
- if (type != 0) {
- if (type == -1) {
- /* msg printed inner oakley_validate_auth() */
- goto end;
- }
- EVT_PUSH(iph1->local, iph1->remote,
- EVTT_PEERPH1AUTH_FAILED, NULL);
- isakmp_info_send_n1(iph1, type, NULL);
- goto end;
- }
-#ifdef HAVE_GSSAPI
- }
-#endif
-
- if (oakley_checkcr(iph1) < 0) {
- /* Ignore this error in order to be interoperability. */
- ;
- }
-
- /*
- * XXX: Should we do compare two addresses, ph1handle's and ID
- * payload's.
- */
-
- plog(LLV_DEBUG, LOCATION, iph1->remote, "peer's ID\n");
- plogdump(LLV_DEBUG, iph1->id_p->v, iph1->id_p->l);
-
- /* see handler.h about IV synchronization. */
- memcpy(iph1->ivm->iv->v, iph1->ivm->ive->v, iph1->ivm->ive->l);
-
-#ifdef HAVE_GSSAPI
- iph1->status = gsstoken != NULL ? PHASE1ST_MSG2RECEIVED :
- PHASE1ST_MSG3RECEIVED;
-#else
- iph1->status = PHASE1ST_MSG3RECEIVED;
-#endif
-
- error = 0;
-
-end:
- if (pbuf)
- vfree(pbuf);
- if (msg)
- vfree(msg);
-#ifdef HAVE_GSSAPI
- if (gsstoken)
- vfree(gsstoken);
-#endif
-
- if (error) {
- VPTRINIT(iph1->id_p);
- oakley_delcert(iph1->cert_p);
- iph1->cert_p = NULL;
- oakley_delcert(iph1->crl_p);
- iph1->crl_p = NULL;
- VPTRINIT(iph1->sig_p);
- oakley_delcert(iph1->cr_p);
- iph1->cr_p = NULL;
- }
-
- return error;
-}
-
-/*
- * send to initiator
- * psk: HDR*, IDr1, HASH_R
- * sig: HDR*, IDr1, [ CERT, ] SIG_R
- * gssapi: HDR*, IDr1, < GSSr(n) | HASH_R >
- * rsa: HDR*, HASH_R
- * rev: HDR*, HASH_R
- */
-int
-ident_r3send(iph1, msg)
- struct ph1handle *iph1;
- vchar_t *msg;
-{
- int error = -1;
- int dohash = 1;
-#ifdef HAVE_GSSAPI
- int len;
-#endif
-
- /* validity check */
- if (iph1->status != PHASE1ST_MSG3RECEIVED) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph1->status);
- goto end;
- }
-
- /* make ID payload into isakmp status */
- if (ipsecdoi_setid1(iph1) < 0)
- goto end;
-
-#ifdef HAVE_GSSAPI
- if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB &&
- gssapi_more_tokens(iph1)) {
- gssapi_get_rtoken(iph1, &len);
- if (len != 0)
- dohash = 0;
- }
-#endif
-
- if (dohash) {
- /* generate HASH to send */
- plog(LLV_DEBUG, LOCATION, NULL, "generate HASH_R\n");
- iph1->hash = oakley_ph1hash_common(iph1, GENERATE);
- if (iph1->hash == NULL)
- goto end;
- } else
- iph1->hash = NULL;
-
- /* set encryption flag */
- iph1->flags |= ISAKMP_FLAG_E;
-
- /* create HDR;ID;HASH payload */
- iph1->sendbuf = ident_ir3mx(iph1);
- if (iph1->sendbuf == NULL)
- goto end;
-
- /* send HDR;ID;HASH to responder */
- if (isakmp_send(iph1, iph1->sendbuf) < 0)
- goto end;
-
- /* the sending message is added to the received-list. */
- if (add_recvdpkt(iph1->remote, iph1->local, iph1->sendbuf, msg) == -1) {
- plog(LLV_ERROR , LOCATION, NULL,
- "failed to add a response packet to the tree.\n");
- goto end;
- }
-
- /* see handler.h about IV synchronization. */
- memcpy(iph1->ivm->ive->v, iph1->ivm->iv->v, iph1->ivm->iv->l);
-
- iph1->status = PHASE1ST_ESTABLISHED;
-
- error = 0;
-
-end:
-
- return error;
-}
-
-/*
- * This is used in main mode for:
- * initiator's 3rd exchange send to responder
- * psk: HDR, KE, Ni
- * sig: HDR, KE, Ni
- * rsa: HDR, KE, [ HASH(1), ] <IDi1_b>PubKey_r, <Ni_b>PubKey_r
- * rev: HDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i,
- * <IDi1_b>Ke_i, [<<Cert-I_b>Ke_i]
- * responders 2nd exchnage send to initiator
- * psk: HDR, KE, Nr
- * sig: HDR, KE, Nr [, CR ]
- * rsa: HDR, KE, <IDr1_b>PubKey_i, <Nr_b>PubKey_i
- * rev: HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDr1_b>Ke_r,
- */
-static vchar_t *
-ident_ir2mx(iph1)
- struct ph1handle *iph1;
-{
- vchar_t *buf = 0;
- struct payload_list *plist = NULL;
- int need_cr = 0;
- vchar_t *cr = NULL;
- vchar_t *vid = NULL;
- int error = -1;
-#ifdef HAVE_GSSAPI
- vchar_t *gsstoken = NULL;
-#endif
-#ifdef ENABLE_NATT
- vchar_t *natd[2] = { NULL, NULL };
-#endif
-
- /* create CR if need */
- if (iph1->side == RESPONDER
- && iph1->rmconf->send_cr
- && oakley_needcr(iph1->approval->authmethod)
- && iph1->rmconf->peerscertfile == NULL) {
- need_cr = 1;
- cr = oakley_getcr(iph1);
- if (cr == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get cr buffer.\n");
- goto end;
- }
- }
-
-#ifdef HAVE_GSSAPI
- if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
- gssapi_get_token_to_send(iph1, &gsstoken);
-#endif
-
- /* create isakmp KE payload */
- plist = isakmp_plist_append(plist, iph1->dhpub, ISAKMP_NPTYPE_KE);
-
- /* create isakmp NONCE payload */
- plist = isakmp_plist_append(plist, iph1->nonce, ISAKMP_NPTYPE_NONCE);
-
-#ifdef HAVE_GSSAPI
- if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB)
- plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS);
-#endif
-
- /* append vendor id, if needed */
- if (vid)
- plist = isakmp_plist_append(plist, vid, ISAKMP_NPTYPE_VID);
-
- /* create isakmp CR payload if needed */
- if (need_cr)
- plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
-
-#ifdef ENABLE_NATT
- /* generate and append NAT-D payloads */
- if (NATT_AVAILABLE(iph1) && iph1->status == PHASE1ST_MSG2RECEIVED)
- {
- if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "NAT-D hashing failed for %s\n", saddr2str(iph1->remote));
- goto end;
- }
-
- if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "NAT-D hashing failed for %s\n", saddr2str(iph1->local));
- goto end;
- }
-
- plog (LLV_INFO, LOCATION, NULL, "Adding remote and local NAT-D payloads.\n");
- plist = isakmp_plist_append(plist, natd[0], iph1->natt_options->payload_nat_d);
- plist = isakmp_plist_append(plist, natd[1], iph1->natt_options->payload_nat_d);
- }
-#endif
-
- buf = isakmp_plist_set_all (&plist, iph1);
-
- error = 0;
-
-end:
- if (error && buf != NULL) {
- vfree(buf);
- buf = NULL;
- }
- if (cr)
- vfree(cr);
-#ifdef HAVE_GSSAPI
- if (gsstoken)
- vfree(gsstoken);
-#endif
- if (vid)
- vfree(vid);
-
-#ifdef ENABLE_NATT
- if (natd[0])
- vfree(natd[0]);
- if (natd[1])
- vfree(natd[1]);
-#endif
-
- return buf;
-}
-
-/*
- * This is used in main mode for:
- * initiator's 4th exchange send to responder
- * psk: HDR*, IDi1, HASH_I
- * sig: HDR*, IDi1, [ CR, ] [ CERT, ] SIG_I
- * gssapi: HDR*, [ IDi1, ] < GSSi(n) | HASH_I >
- * rsa: HDR*, HASH_I
- * rev: HDR*, HASH_I
- * responders 3rd exchnage send to initiator
- * psk: HDR*, IDr1, HASH_R
- * sig: HDR*, IDr1, [ CERT, ] SIG_R
- * gssapi: HDR*, [ IDr1, ] < GSSr(n) | HASH_R >
- * rsa: HDR*, HASH_R
- * rev: HDR*, HASH_R
- */
-static vchar_t *
-ident_ir3mx(iph1)
- struct ph1handle *iph1;
-{
- struct payload_list *plist = NULL;
- vchar_t *buf = NULL, *new = NULL;
- int need_cr = 0;
- int need_cert = 0;
- vchar_t *cr = NULL;
- int error = -1;
-#ifdef HAVE_GSSAPI
- int nptype;
- vchar_t *gsstoken = NULL;
- vchar_t *gsshash = NULL;
-#endif
-
- switch (AUTHMETHOD(iph1)) {
- case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
-#ifdef ENABLE_HYBRID
- case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
-#endif
- /* create isakmp ID payload */
- plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
-
- /* create isakmp HASH payload */
- plist = isakmp_plist_append(plist, iph1->hash, ISAKMP_NPTYPE_HASH);
- break;
- case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
- case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
-#ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
-#endif
- if (oakley_getmycert(iph1) < 0)
- goto end;
-
- if (oakley_getsign(iph1) < 0)
- goto end;
-
- /* create CR if need */
- if (iph1->side == INITIATOR
- && iph1->rmconf->send_cr
- && oakley_needcr(iph1->approval->authmethod)
- && iph1->rmconf->peerscertfile == NULL) {
- need_cr = 1;
- cr = oakley_getcr(iph1);
- if (cr == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get cr buffer.\n");
- goto end;
- }
- }
-
- if (iph1->cert != NULL && iph1->rmconf->send_cert)
- need_cert = 1;
-
- /* add ID payload */
- plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
-
- /* add CERT payload if there */
- if (need_cert)
- plist = isakmp_plist_append(plist, iph1->cert->pl, ISAKMP_NPTYPE_CERT);
- /* add SIG payload */
- plist = isakmp_plist_append(plist, iph1->sig, ISAKMP_NPTYPE_SIG);
-
- /* create isakmp CR payload */
- if (need_cr)
- plist = isakmp_plist_append(plist, cr, ISAKMP_NPTYPE_CR);
- break;
-#ifdef HAVE_GSSAPI
- case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
- if (iph1->hash != NULL) {
- gsshash = gssapi_wraphash(iph1);
- if (gsshash == NULL)
- goto end;
- } else {
- gssapi_get_token_to_send(iph1, &gsstoken);
- }
-
- if (!gssapi_id_sent(iph1)) {
- /* create isakmp ID payload */
- plist = isakmp_plist_append(plist, iph1->id, ISAKMP_NPTYPE_ID);
- gssapi_set_id_sent(iph1);
- }
-
- if (iph1->hash != NULL)
- /* create isakmp HASH payload */
- plist = isakmp_plist_append(plist, gsshash, ISAKMP_NPTYPE_HASH);
- else
- plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS);
- break;
-#endif
- case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
- case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
-#ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
-#endif
- plog(LLV_ERROR, LOCATION, NULL,
- "not supported authentication type %d\n",
- iph1->approval->authmethod);
- goto end;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid authentication type %d\n",
- iph1->approval->authmethod);
- goto end;
- }
-
- buf = isakmp_plist_set_all (&plist, iph1);
-
-#ifdef HAVE_PRINT_ISAKMP_C
- isakmp_printpacket(buf, iph1->local, iph1->remote, 1);
-#endif
-
- /* encoding */
- new = oakley_do_encrypt(iph1, buf, iph1->ivm->ive, iph1->ivm->iv);
- if (new == NULL)
- goto end;
-
- vfree(buf);
-
- buf = new;
-
- error = 0;
-
-end:
-#ifdef HAVE_GSSAPI
- if (gsstoken)
- vfree(gsstoken);
-#endif
- if (cr)
- vfree(cr);
- if (error && buf != NULL) {
- vfree(buf);
- buf = NULL;
- }
-
- return buf;
-}
diff --git a/src/racoon/isakmp_ident.h b/src/racoon/isakmp_ident.h
deleted file mode 100644
index ea5595d..0000000
--- a/src/racoon/isakmp_ident.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/* $NetBSD: isakmp_ident.h,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* Id: isakmp_ident.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _ISAKMP_IDENT_H
-#define _ISAKMP_IDENT_H
-
-extern int ident_i1send __P((struct ph1handle *, vchar_t *));
-extern int ident_i2recv __P((struct ph1handle *, vchar_t *));
-extern int ident_i2send __P((struct ph1handle *, vchar_t *));
-extern int ident_i3recv __P((struct ph1handle *, vchar_t *));
-extern int ident_i3send __P((struct ph1handle *, vchar_t *));
-extern int ident_i4recv __P((struct ph1handle *, vchar_t *));
-extern int ident_i4send __P((struct ph1handle *, vchar_t *));
-
-extern int ident_r1recv __P((struct ph1handle *, vchar_t *));
-extern int ident_r1send __P((struct ph1handle *, vchar_t *));
-extern int ident_r2recv __P((struct ph1handle *, vchar_t *));
-extern int ident_r2send __P((struct ph1handle *, vchar_t *));
-extern int ident_r3recv __P((struct ph1handle *, vchar_t *));
-extern int ident_r3send __P((struct ph1handle *, vchar_t *));
-
-#endif /* _ISAKMP_IDENT_H */
diff --git a/src/racoon/isakmp_inf.c b/src/racoon/isakmp_inf.c
deleted file mode 100644
index 5f487d2..0000000
--- a/src/racoon/isakmp_inf.c
+++ /dev/null
@@ -1,1714 +0,0 @@
-/* $NetBSD: isakmp_inf.c,v 1.14.4.17 2009/05/18 17:07:46 tteras Exp $ */
-
-/* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-
-#include <net/pfkeyv2.h>
-#include <netinet/in.h>
-#include <sys/queue.h>
-#include PATH_IPSEC_H
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#if TIME_WITH_SYS_TIME
-# include <sys/time.h>
-# include <time.h>
-#else
-# if HAVE_SYS_TIME_H
-# include <sys/time.h>
-# else
-# include <time.h>
-# endif
-#endif
-#ifdef ENABLE_HYBRID
-#include <resolv.h>
-#endif
-
-#include "libpfkey.h"
-
-#include "var.h"
-#include "vmbuf.h"
-#include "schedule.h"
-#include "str2val.h"
-#include "misc.h"
-#include "plog.h"
-#include "debug.h"
-
-#include "localconf.h"
-#include "remoteconf.h"
-#include "sockmisc.h"
-#include "handler.h"
-#include "policy.h"
-#include "proposal.h"
-#include "isakmp_var.h"
-#include "evt.h"
-#include "isakmp.h"
-#ifdef ENABLE_HYBRID
-#include "isakmp_xauth.h"
-#include "isakmp_unity.h"
-#include "isakmp_cfg.h"
-#endif
-#include "isakmp_inf.h"
-#include "oakley.h"
-#include "ipsec_doi.h"
-#include "crypto_openssl.h"
-#include "pfkey.h"
-#include "policy.h"
-#include "algorithm.h"
-#include "proposal.h"
-#include "admin.h"
-#include "strnames.h"
-#ifdef ENABLE_NATT
-#include "nattraversal.h"
-#endif
-
-/* information exchange */
-static int isakmp_info_recv_n (struct ph1handle *, struct isakmp_pl_n *, u_int32_t, int);
-static int isakmp_info_recv_d (struct ph1handle *, struct isakmp_pl_d *, u_int32_t, int);
-
-#ifdef ENABLE_DPD
-static int isakmp_info_recv_r_u __P((struct ph1handle *,
- struct isakmp_pl_ru *, u_int32_t));
-static int isakmp_info_recv_r_u_ack __P((struct ph1handle *,
- struct isakmp_pl_ru *, u_int32_t));
-static void isakmp_info_send_r_u __P((void *));
-#endif
-
-static void purge_isakmp_spi __P((int, isakmp_index *, size_t));
-static void info_recv_initialcontact __P((struct ph1handle *));
-
-/* %%%
- * Information Exchange
- */
-/*
- * receive Information
- */
-int
-isakmp_info_recv(iph1, msg0)
- struct ph1handle *iph1;
- vchar_t *msg0;
-{
- vchar_t *msg = NULL;
- vchar_t *pbuf = NULL;
- u_int32_t msgid = 0;
- int error = -1;
- struct isakmp *isakmp;
- struct isakmp_gen *gen;
- struct isakmp_parse_t *pa, *pap;
- void *p;
- vchar_t *hash, *payload;
- struct isakmp_gen *nd;
- u_int8_t np;
- int encrypted;
-
- plog(LLV_DEBUG, LOCATION, NULL, "receive Information.\n");
-
- encrypted = ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E);
- msgid = ((struct isakmp *)msg0->v)->msgid;
-
- /* Use new IV to decrypt Informational message. */
- if (encrypted) {
- struct isakmp_ivm *ivm;
-
- if (iph1->ivm == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "iph1->ivm == NULL\n");
- return -1;
- }
-
- /* compute IV */
- ivm = oakley_newiv2(iph1, ((struct isakmp *)msg0->v)->msgid);
- if (ivm == NULL)
- return -1;
-
- msg = oakley_do_decrypt(iph1, msg0, ivm->iv, ivm->ive);
- oakley_delivm(ivm);
- if (msg == NULL)
- return -1;
-
- } else
- msg = vdup(msg0);
-
- /* Safety check */
- if (msg->l < sizeof(*isakmp) + sizeof(*gen)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "ignore information because the "
- "message is way too short - %zu byte(s).\n", msg->l);
- goto end;
- }
-
- isakmp = (struct isakmp *)msg->v;
- gen = (struct isakmp_gen *)((caddr_t)isakmp + sizeof(struct isakmp));
- np = gen->np;
-
- if (encrypted) {
- if (isakmp->np != ISAKMP_NPTYPE_HASH) {
- plog(LLV_ERROR, LOCATION, NULL,
- "ignore information because the"
- "message has no hash payload.\n");
- goto end;
- }
-
- if (iph1->status != PHASE1ST_ESTABLISHED) {
- plog(LLV_ERROR, LOCATION, NULL,
- "ignore information because ISAKMP-SA"
- "has not been established yet.\n");
- goto end;
- }
-
- /* Safety check */
- if (msg->l < sizeof(*isakmp) + ntohs(gen->len) + sizeof(*nd)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "ignore information because the "
- "message is too short - %zu byte(s).\n", msg->l);
- goto end;
- }
-
- p = (caddr_t) gen + sizeof(struct isakmp_gen);
- nd = (struct isakmp_gen *) ((caddr_t) gen + ntohs(gen->len));
-
- /* nd length check */
- if (ntohs(nd->len) > msg->l - (sizeof(struct isakmp) +
- ntohs(gen->len))) {
- plog(LLV_ERROR, LOCATION, NULL,
- "too long payload length (broken message?)\n");
- goto end;
- }
-
- if (ntohs(nd->len) < sizeof(*nd)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "too short payload length (broken message?)\n");
- goto end;
- }
-
- payload = vmalloc(ntohs(nd->len));
- if (payload == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "cannot allocate memory\n");
- goto end;
- }
-
- memcpy(payload->v, (caddr_t) nd, ntohs(nd->len));
-
- /* compute HASH */
- hash = oakley_compute_hash1(iph1, isakmp->msgid, payload);
- if (hash == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "cannot compute hash\n");
-
- vfree(payload);
- goto end;
- }
-
- if (ntohs(gen->len) - sizeof(struct isakmp_gen) != hash->l) {
- plog(LLV_ERROR, LOCATION, NULL,
- "ignore information due to hash length mismatch\n");
-
- vfree(hash);
- vfree(payload);
- goto end;
- }
-
- if (memcmp(p, hash->v, hash->l) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "ignore information due to hash mismatch\n");
-
- vfree(hash);
- vfree(payload);
- goto end;
- }
-
- plog(LLV_DEBUG, LOCATION, NULL, "hash validated.\n");
-
- vfree(hash);
- vfree(payload);
- } else {
- /* make sure the packet was encrypted after the beginning of phase 1. */
- switch (iph1->etype) {
- case ISAKMP_ETYPE_AGG:
- case ISAKMP_ETYPE_BASE:
- case ISAKMP_ETYPE_IDENT:
- if ((iph1->side == INITIATOR && iph1->status < PHASE1ST_MSG3SENT)
- || (iph1->side == RESPONDER && iph1->status < PHASE1ST_MSG2SENT)) {
- break;
- }
- /*FALLTHRU*/
- default:
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "%s message must be encrypted\n",
- s_isakmp_nptype(np));
- error = 0;
- goto end;
- }
- }
-
- if (!(pbuf = isakmp_parse(msg))) {
- error = -1;
- goto end;
- }
-
- error = 0;
- for (pa = (struct isakmp_parse_t *)pbuf->v; pa->type; pa++) {
- switch (pa->type) {
- case ISAKMP_NPTYPE_HASH:
- /* Handled above */
- break;
- case ISAKMP_NPTYPE_N:
- error = isakmp_info_recv_n(iph1,
- (struct isakmp_pl_n *)pa->ptr,
- msgid, encrypted);
- break;
- case ISAKMP_NPTYPE_D:
- error = isakmp_info_recv_d(iph1,
- (struct isakmp_pl_d *)pa->ptr,
- msgid, encrypted);
- break;
- case ISAKMP_NPTYPE_NONCE:
- /* XXX to be 6.4.2 ike-01.txt */
- /* XXX IV is to be synchronized. */
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "ignore Acknowledged Informational\n");
- break;
- default:
- /* don't send information, see isakmp_ident_r1() */
- error = 0;
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "reject the packet, "
- "received unexpected payload type %s.\n",
- s_isakmp_nptype(gen->np));
- }
- if (error < 0)
- break;
- }
- end:
- if (msg != NULL)
- vfree(msg);
- if (pbuf != NULL)
- vfree(pbuf);
- return error;
-}
-
-/*
- * handling of Notification payload
- */
-static int
-isakmp_info_recv_n(iph1, notify, msgid, encrypted)
- struct ph1handle *iph1;
- struct isakmp_pl_n *notify;
- u_int32_t msgid;
- int encrypted;
-{
- u_int type;
- vchar_t *pbuf;
- char *nraw, *ndata;
- size_t l;
- char *spi;
-
- type = ntohs(notify->type);
-
- switch (type) {
- case ISAKMP_NTYPE_CONNECTED:
- case ISAKMP_NTYPE_RESPONDER_LIFETIME:
- case ISAKMP_NTYPE_REPLAY_STATUS:
-#ifdef ENABLE_HYBRID
- case ISAKMP_NTYPE_UNITY_HEARTBEAT:
-#endif
- /* do something */
- break;
- case ISAKMP_NTYPE_INITIAL_CONTACT:
- if (encrypted)
- info_recv_initialcontact(iph1);
- return 0;
- break;
-#ifdef ENABLE_DPD
- case ISAKMP_NTYPE_R_U_THERE:
- if (encrypted)
- return isakmp_info_recv_r_u(iph1,
- (struct isakmp_pl_ru *)notify, msgid);
- break;
- case ISAKMP_NTYPE_R_U_THERE_ACK:
- if (encrypted)
- return isakmp_info_recv_r_u_ack(iph1,
- (struct isakmp_pl_ru *)notify, msgid);
- break;
-#endif
- default:
- {
- /* XXX there is a potential of dos attack. */
- if(type >= ISAKMP_NTYPE_MINERROR &&
- type <= ISAKMP_NTYPE_MAXERROR) {
- if (msgid == 0) {
- /* don't think this realy deletes ph1 ? */
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "delete phase1 handle.\n");
- return -1;
- } else {
- if (getph2bymsgid(iph1, msgid) == NULL) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "fatal %s notify messsage, "
- "phase1 should be deleted.\n",
- s_isakmp_notify_msg(type));
- } else {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "fatal %s notify messsage, "
- "phase2 should be deleted.\n",
- s_isakmp_notify_msg(type));
- }
- }
- } else {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "unhandled notify message %s, "
- "no phase2 handle found.\n",
- s_isakmp_notify_msg(type));
- }
- }
- break;
- }
-
- /* get spi if specified and allocate */
- if(notify->spi_size > 0) {
- if (ntohs(notify->h.len) < sizeof(*notify) + notify->spi_size) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "invalid spi_size in notification payload.\n");
- return -1;
- }
- spi = val2str((char *)(notify + 1), notify->spi_size);
-
- plog(LLV_DEBUG, LOCATION, iph1->remote,
- "notification message %d:%s, "
- "doi=%d proto_id=%d spi=%s(size=%d).\n",
- type, s_isakmp_notify_msg(type),
- ntohl(notify->doi), notify->proto_id, spi, notify->spi_size);
-
- racoon_free(spi);
- }
-
- /* Send the message data to the logs */
- if(type >= ISAKMP_NTYPE_MINERROR &&
- type <= ISAKMP_NTYPE_MAXERROR) {
- l = ntohs(notify->h.len) - sizeof(*notify) - notify->spi_size;
- if (l > 0) {
- nraw = (char*)notify;
- nraw += sizeof(*notify) + notify->spi_size;
- ndata = binsanitize(nraw, l);
- if (ndata != NULL) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "Message: '%s'.\n",
- ndata);
- racoon_free(ndata);
- } else {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "Cannot allocate memory\n");
- }
- }
- }
- return 0;
-}
-
-/*
- * handling of Deletion payload
- */
-static int
-isakmp_info_recv_d(iph1, delete, msgid, encrypted)
- struct ph1handle *iph1;
- struct isakmp_pl_d *delete;
- u_int32_t msgid;
- int encrypted;
-{
- int tlen, num_spi;
- vchar_t *pbuf;
- int protected = 0;
- struct ph1handle *del_ph1;
- struct ph2handle *iph2;
- union {
- u_int32_t spi32;
- u_int16_t spi16[2];
- } spi;
-
- if (ntohl(delete->doi) != IPSEC_DOI) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "delete payload with invalid doi:%d.\n",
- ntohl(delete->doi));
-#ifdef ENABLE_HYBRID
- /*
- * At deconnexion time, Cisco VPN client does this
- * with a zero DOI. Don't give up in that situation.
- */
- if (((iph1->mode_cfg->flags &
- ISAKMP_CFG_VENDORID_UNITY) == 0) || (delete->doi != 0))
- return 0;
-#else
- return 0;
-#endif
- }
-
- num_spi = ntohs(delete->num_spi);
- tlen = ntohs(delete->h.len) - sizeof(struct isakmp_pl_d);
-
- if (tlen != num_spi * delete->spi_size) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "deletion payload with invalid length.\n");
- return 0;
- }
-
- plog(LLV_DEBUG, LOCATION, iph1->remote,
- "delete payload for protocol %s\n",
- s_ipsecdoi_proto(delete->proto_id));
-
- if(!iph1->rmconf->weak_phase1_check && !encrypted) {
- plog(LLV_WARNING, LOCATION, iph1->remote,
- "Ignoring unencrypted delete payload "
- "(check the weak_phase1_check option)\n");
- return 0;
- }
-
- switch (delete->proto_id) {
- case IPSECDOI_PROTO_ISAKMP:
- if (delete->spi_size != sizeof(isakmp_index)) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "delete payload with strange spi "
- "size %d(proto_id:%d)\n",
- delete->spi_size, delete->proto_id);
- return 0;
- }
-
- del_ph1=getph1byindex((isakmp_index *)(delete + 1));
- if(del_ph1 != NULL){
-
- EVT_PUSH(del_ph1->local, del_ph1->remote,
- EVTT_PEERPH1_NOPROP, NULL);
- if (del_ph1->scr)
- SCHED_KILL(del_ph1->scr);
-
- /*
- * Do not delete IPsec SAs when receiving an IKE delete notification.
- * Just delete the IKE SA.
- */
- isakmp_ph1expire(del_ph1);
- }
- break;
-
- case IPSECDOI_PROTO_IPSEC_AH:
- case IPSECDOI_PROTO_IPSEC_ESP:
- if (delete->spi_size != sizeof(u_int32_t)) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "delete payload with strange spi "
- "size %d(proto_id:%d)\n",
- delete->spi_size, delete->proto_id);
- return 0;
- }
- EVT_PUSH(iph1->local, iph1->remote,
- EVTT_PEER_DELETE, NULL);
- purge_ipsec_spi(iph1->remote, delete->proto_id,
- (u_int32_t *)(delete + 1), num_spi);
- break;
-
- case IPSECDOI_PROTO_IPCOMP:
- /* need to handle both 16bit/32bit SPI */
- memset(&spi, 0, sizeof(spi));
- if (delete->spi_size == sizeof(spi.spi16[1])) {
- memcpy(&spi.spi16[1], delete + 1,
- sizeof(spi.spi16[1]));
- } else if (delete->spi_size == sizeof(spi.spi32))
- memcpy(&spi.spi32, delete + 1, sizeof(spi.spi32));
- else {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "delete payload with strange spi "
- "size %d(proto_id:%d)\n",
- delete->spi_size, delete->proto_id);
- return 0;
- }
- purge_ipsec_spi(iph1->remote, delete->proto_id,
- &spi.spi32, num_spi);
- break;
-
- default:
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "deletion message received, "
- "invalid proto_id: %d\n",
- delete->proto_id);
- return 0;
- }
-
- plog(LLV_DEBUG, LOCATION, NULL, "purged SAs.\n");
-
- return 0;
-}
-
-/*
- * send Delete payload (for ISAKMP SA) in Informational exchange.
- */
-int
-isakmp_info_send_d1(iph1)
- struct ph1handle *iph1;
-{
- struct isakmp_pl_d *d;
- vchar_t *payload = NULL;
- int tlen;
- int error = 0;
-
- if (iph1->status != PHASE2ST_ESTABLISHED)
- return 0;
-
- /* create delete payload */
-
- /* send SPIs of inbound SAs. */
- /* XXX should send outbound SAs's ? */
- tlen = sizeof(*d) + sizeof(isakmp_index);
- payload = vmalloc(tlen);
- if (payload == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get buffer for payload.\n");
- return errno;
- }
-
- d = (struct isakmp_pl_d *)payload->v;
- d->h.np = ISAKMP_NPTYPE_NONE;
- d->h.len = htons(tlen);
- d->doi = htonl(IPSEC_DOI);
- d->proto_id = IPSECDOI_PROTO_ISAKMP;
- d->spi_size = sizeof(isakmp_index);
- d->num_spi = htons(1);
- memcpy(d + 1, &iph1->index, sizeof(isakmp_index));
-
- error = isakmp_info_send_common(iph1, payload,
- ISAKMP_NPTYPE_D, 0);
- vfree(payload);
-
- return error;
-}
-
-/*
- * send Delete payload (for IPsec SA) in Informational exchange, based on
- * pfkey msg. It sends always single SPI.
- */
-int
-isakmp_info_send_d2(iph2)
- struct ph2handle *iph2;
-{
- struct ph1handle *iph1;
- struct saproto *pr;
- struct isakmp_pl_d *d;
- vchar_t *payload = NULL;
- int tlen;
- int error = 0;
- u_int8_t *spi;
-
- if (iph2->status != PHASE2ST_ESTABLISHED)
- return 0;
-
- /*
- * don't send delete information if there is no phase 1 handler.
- * It's nonsensical to negotiate phase 1 to send the information.
- */
- iph1 = getph1byaddr(iph2->src, iph2->dst, 0);
- if (iph1 == NULL){
- plog(LLV_DEBUG2, LOCATION, NULL,
- "No ph1 handler found, could not send DELETE_SA\n");
- return 0;
- }
-
- /* create delete payload */
- for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
-
- /* send SPIs of inbound SAs. */
- /*
- * XXX should I send outbound SAs's ?
- * I send inbound SAs's SPI only at the moment because I can't
- * decode any more if peer send encoded packet without aware of
- * deletion of SA. Outbound SAs don't come under the situation.
- */
- tlen = sizeof(*d) + pr->spisize;
- payload = vmalloc(tlen);
- if (payload == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get buffer for payload.\n");
- return errno;
- }
-
- d = (struct isakmp_pl_d *)payload->v;
- d->h.np = ISAKMP_NPTYPE_NONE;
- d->h.len = htons(tlen);
- d->doi = htonl(IPSEC_DOI);
- d->proto_id = pr->proto_id;
- d->spi_size = pr->spisize;
- d->num_spi = htons(1);
- /*
- * XXX SPI bits are left-filled, for use with IPComp.
- * we should be switching to variable-length spi field...
- */
- spi = (u_int8_t *)&pr->spi;
- spi += sizeof(pr->spi);
- spi -= pr->spisize;
- memcpy(d + 1, spi, pr->spisize);
-
- error = isakmp_info_send_common(iph1, payload,
- ISAKMP_NPTYPE_D, 0);
- vfree(payload);
- }
-
- return error;
-}
-
-/*
- * send Notification payload (for without ISAKMP SA) in Informational exchange
- */
-int
-isakmp_info_send_nx(isakmp, remote, local, type, data)
- struct isakmp *isakmp;
- struct sockaddr *remote, *local;
- int type;
- vchar_t *data;
-{
- struct ph1handle *iph1 = NULL;
- struct remoteconf *rmconf;
- vchar_t *payload = NULL;
- int tlen;
- int error = -1;
- struct isakmp_pl_n *n;
- int spisiz = 0; /* see below */
-
- /* search appropreate configuration */
- rmconf = getrmconf(remote);
- if (rmconf == NULL) {
- plog(LLV_ERROR, LOCATION, remote,
- "no configuration found for peer address.\n");
- goto end;
- }
-
- /* add new entry to isakmp status table. */
- iph1 = newph1();
- if (iph1 == NULL)
- return -1;
-
- memcpy(&iph1->index.i_ck, &isakmp->i_ck, sizeof(cookie_t));
- isakmp_newcookie((char *)&iph1->index.r_ck, remote, local);
- iph1->status = PHASE1ST_START;
- iph1->rmconf = rmconf;
- iph1->side = INITIATOR;
- iph1->version = isakmp->v;
- iph1->flags = 0;
- iph1->msgid = 0; /* XXX */
-#ifdef ENABLE_HYBRID
- if ((iph1->mode_cfg = isakmp_cfg_mkstate()) == NULL)
- goto end;
-#endif
-#ifdef ENABLE_FRAG
- iph1->frag = 0;
- iph1->frag_chain = NULL;
-#endif
-
- /* copy remote address */
- if (copy_ph1addresses(iph1, rmconf, remote, local) < 0)
- goto end;
-
- tlen = sizeof(*n) + spisiz;
- if (data)
- tlen += data->l;
- payload = vmalloc(tlen);
- if (payload == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get buffer to send.\n");
- goto end;
- }
-
- n = (struct isakmp_pl_n *)payload->v;
- n->h.np = ISAKMP_NPTYPE_NONE;
- n->h.len = htons(tlen);
- n->doi = htonl(IPSEC_DOI);
- n->proto_id = IPSECDOI_KEY_IKE;
- n->spi_size = spisiz;
- n->type = htons(type);
- if (spisiz)
- memset(n + 1, 0, spisiz); /* XXX spisiz is always 0 */
- if (data)
- memcpy((caddr_t)(n + 1) + spisiz, data->v, data->l);
-
- error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, 0);
- vfree(payload);
-
- end:
- if (iph1 != NULL)
- delph1(iph1);
-
- return error;
-}
-
-/*
- * send Notification payload (for ISAKMP SA) in Informational exchange
- */
-int
-isakmp_info_send_n1(iph1, type, data)
- struct ph1handle *iph1;
- int type;
- vchar_t *data;
-{
- vchar_t *payload = NULL;
- int tlen;
- int error = 0;
- struct isakmp_pl_n *n;
- int spisiz;
-
- /*
- * note on SPI size: which description is correct? I have chosen
- * this to be 0.
- *
- * RFC2408 3.1, 2nd paragraph says: ISAKMP SA is identified by
- * Initiator/Responder cookie and SPI has no meaning, SPI size = 0.
- * RFC2408 3.1, first paragraph on page 40: ISAKMP SA is identified
- * by cookie and SPI has no meaning, 0 <= SPI size <= 16.
- * RFC2407 4.6.3.3, INITIAL-CONTACT is required to set to 16.
- */
- if (type == ISAKMP_NTYPE_INITIAL_CONTACT)
- spisiz = sizeof(isakmp_index);
- else
- spisiz = 0;
-
- tlen = sizeof(*n) + spisiz;
- if (data)
- tlen += data->l;
- payload = vmalloc(tlen);
- if (payload == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get buffer to send.\n");
- return errno;
- }
-
- n = (struct isakmp_pl_n *)payload->v;
- n->h.np = ISAKMP_NPTYPE_NONE;
- n->h.len = htons(tlen);
- n->doi = htonl(iph1->rmconf->doitype);
- n->proto_id = IPSECDOI_PROTO_ISAKMP; /* XXX to be configurable ? */
- n->spi_size = spisiz;
- n->type = htons(type);
- if (spisiz)
- memcpy(n + 1, &iph1->index, sizeof(isakmp_index));
- if (data)
- memcpy((caddr_t)(n + 1) + spisiz, data->v, data->l);
-
- error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, iph1->flags);
- vfree(payload);
-
- return error;
-}
-
-/*
- * send Notification payload (for IPsec SA) in Informational exchange
- */
-int
-isakmp_info_send_n2(iph2, type, data)
- struct ph2handle *iph2;
- int type;
- vchar_t *data;
-{
- struct ph1handle *iph1 = iph2->ph1;
- vchar_t *payload = NULL;
- int tlen;
- int error = 0;
- struct isakmp_pl_n *n;
- struct saproto *pr;
-
- if (!iph2->approval)
- return EINVAL;
-
- pr = iph2->approval->head;
-
- /* XXX must be get proper spi */
- tlen = sizeof(*n) + pr->spisize;
- if (data)
- tlen += data->l;
- payload = vmalloc(tlen);
- if (payload == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get buffer to send.\n");
- return errno;
- }
-
- n = (struct isakmp_pl_n *)payload->v;
- n->h.np = ISAKMP_NPTYPE_NONE;
- n->h.len = htons(tlen);
- n->doi = htonl(IPSEC_DOI); /* IPSEC DOI (1) */
- n->proto_id = pr->proto_id; /* IPSEC AH/ESP/whatever*/
- n->spi_size = pr->spisize;
- n->type = htons(type);
- *(u_int32_t *)(n + 1) = pr->spi;
- if (data)
- memcpy((caddr_t)(n + 1) + pr->spisize, data->v, data->l);
-
- iph2->flags |= ISAKMP_FLAG_E; /* XXX Should we do FLAG_A ? */
- error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, iph2->flags);
- vfree(payload);
-
- return error;
-}
-
-/*
- * send Information
- * When ph1->skeyid_a == NULL, send message without encoding.
- */
-int
-isakmp_info_send_common(iph1, payload, np, flags)
- struct ph1handle *iph1;
- vchar_t *payload;
- u_int32_t np;
- int flags;
-{
- struct ph2handle *iph2 = NULL;
- vchar_t *hash = NULL;
- struct isakmp *isakmp;
- struct isakmp_gen *gen;
- char *p;
- int tlen;
- int error = -1;
-
- /* add new entry to isakmp status table */
- iph2 = newph2();
- if (iph2 == NULL)
- goto end;
-
- iph2->dst = dupsaddr(iph1->remote);
- if (iph2->dst == NULL) {
- delph2(iph2);
- goto end;
- }
- iph2->src = dupsaddr(iph1->local);
- if (iph2->src == NULL) {
- delph2(iph2);
- goto end;
- }
-#if (!defined(ENABLE_NATT)) || (defined(BROKEN_NATT))
- if (set_port(iph2->dst, 0) == NULL ||
- set_port(iph2->src, 0) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid family: %d\n", iph1->remote->sa_family);
- delph2(iph2);
- goto end;
- }
-#endif
- iph2->ph1 = iph1;
- iph2->side = INITIATOR;
- iph2->status = PHASE2ST_START;
- iph2->msgid = isakmp_newmsgid2(iph1);
-
- /* get IV and HASH(1) if skeyid_a was generated. */
- if (iph1->skeyid_a != NULL) {
- iph2->ivm = oakley_newiv2(iph1, iph2->msgid);
- if (iph2->ivm == NULL) {
- delph2(iph2);
- goto end;
- }
-
- /* generate HASH(1) */
- hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, payload);
- if (hash == NULL) {
- delph2(iph2);
- goto end;
- }
-
- /* initialized total buffer length */
- tlen = hash->l;
- tlen += sizeof(*gen);
- } else {
- /* IKE-SA is not established */
- hash = NULL;
-
- /* initialized total buffer length */
- tlen = 0;
- }
- if ((flags & ISAKMP_FLAG_A) == 0)
- iph2->flags = (hash == NULL ? 0 : ISAKMP_FLAG_E);
- else
- iph2->flags = (hash == NULL ? 0 : ISAKMP_FLAG_A);
-
- insph2(iph2);
- bindph12(iph1, iph2);
-
- tlen += sizeof(*isakmp) + payload->l;
-
- /* create buffer for isakmp payload */
- iph2->sendbuf = vmalloc(tlen);
- if (iph2->sendbuf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get buffer to send.\n");
- goto err;
- }
-
- /* create isakmp header */
- isakmp = (struct isakmp *)iph2->sendbuf->v;
- memcpy(&isakmp->i_ck, &iph1->index.i_ck, sizeof(cookie_t));
- memcpy(&isakmp->r_ck, &iph1->index.r_ck, sizeof(cookie_t));
- isakmp->np = hash == NULL ? (np & 0xff) : ISAKMP_NPTYPE_HASH;
- isakmp->v = iph1->version;
- isakmp->etype = ISAKMP_ETYPE_INFO;
- isakmp->flags = iph2->flags;
- memcpy(&isakmp->msgid, &iph2->msgid, sizeof(isakmp->msgid));
- isakmp->len = htonl(tlen);
- p = (char *)(isakmp + 1);
-
- /* create HASH payload */
- if (hash != NULL) {
- gen = (struct isakmp_gen *)p;
- gen->np = np & 0xff;
- gen->len = htons(sizeof(*gen) + hash->l);
- p += sizeof(*gen);
- memcpy(p, hash->v, hash->l);
- p += hash->l;
- }
-
- /* add payload */
- memcpy(p, payload->v, payload->l);
- p += payload->l;
-
-#ifdef HAVE_PRINT_ISAKMP_C
- isakmp_printpacket(iph2->sendbuf, iph1->local, iph1->remote, 1);
-#endif
-
- /* encoding */
- if (ISSET(isakmp->flags, ISAKMP_FLAG_E)) {
- vchar_t *tmp;
-
- tmp = oakley_do_encrypt(iph2->ph1, iph2->sendbuf, iph2->ivm->ive,
- iph2->ivm->iv);
- VPTRINIT(iph2->sendbuf);
- if (tmp == NULL)
- goto err;
- iph2->sendbuf = tmp;
- }
-
- /* HDR*, HASH(1), N */
- if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0) {
- VPTRINIT(iph2->sendbuf);
- goto err;
- }
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "sendto Information %s.\n", s_isakmp_nptype(np));
-
- /*
- * don't resend notify message because peer can use Acknowledged
- * Informational if peer requires the reply of the notify message.
- */
-
- /* XXX If Acknowledged Informational required, don't delete ph2handle */
- error = 0;
- VPTRINIT(iph2->sendbuf);
- goto err; /* XXX */
-
-end:
- if (hash)
- vfree(hash);
- return error;
-
-err:
- unbindph12(iph2);
- remph2(iph2);
- delph2(iph2);
- goto end;
-}
-
-/*
- * add a notify payload to buffer by reallocating buffer.
- * If buf == NULL, the function only create a notify payload.
- *
- * XXX Which is SPI to be included, inbound or outbound ?
- */
-vchar_t *
-isakmp_add_pl_n(buf0, np_p, type, pr, data)
- vchar_t *buf0;
- u_int8_t **np_p;
- int type;
- struct saproto *pr;
- vchar_t *data;
-{
- vchar_t *buf = NULL;
- struct isakmp_pl_n *n;
- int tlen;
- int oldlen = 0;
-
- if (*np_p)
- **np_p = ISAKMP_NPTYPE_N;
-
- tlen = sizeof(*n) + pr->spisize;
-
- if (data)
- tlen += data->l;
- if (buf0) {
- oldlen = buf0->l;
- buf = vrealloc(buf0, buf0->l + tlen);
- } else
- buf = vmalloc(tlen);
- if (!buf) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get a payload buffer.\n");
- return NULL;
- }
-
- n = (struct isakmp_pl_n *)(buf->v + oldlen);
- n->h.np = ISAKMP_NPTYPE_NONE;
- n->h.len = htons(tlen);
- n->doi = htonl(IPSEC_DOI); /* IPSEC DOI (1) */
- n->proto_id = pr->proto_id; /* IPSEC AH/ESP/whatever*/
- n->spi_size = pr->spisize;
- n->type = htons(type);
- *(u_int32_t *)(n + 1) = pr->spi; /* XXX */
- if (data)
- memcpy((caddr_t)(n + 1) + pr->spisize, data->v, data->l);
-
- /* save the pointer of next payload type */
- *np_p = &n->h.np;
-
- return buf;
-}
-
-static void
-purge_isakmp_spi(proto, spi, n)
- int proto;
- isakmp_index *spi; /*network byteorder*/
- size_t n;
-{
- struct ph1handle *iph1;
- size_t i;
-
- for (i = 0; i < n; i++) {
- iph1 = getph1byindex(&spi[i]);
- if (!iph1)
- continue;
-
- plog(LLV_INFO, LOCATION, NULL,
- "purged ISAKMP-SA proto_id=%s spi=%s.\n",
- s_ipsecdoi_proto(proto),
- isakmp_pindex(&spi[i], 0));
-
- SCHED_KILL(iph1->sce);
- iph1->status = PHASE1ST_EXPIRED;
- iph1->sce = sched_new(1, isakmp_ph1delete_stub, iph1);
- }
-}
-
-
-
-void
-purge_ipsec_spi(dst0, proto, spi, n)
- struct sockaddr *dst0;
- int proto;
- u_int32_t *spi; /*network byteorder*/
- size_t n;
-{
- vchar_t *buf = NULL;
- struct sadb_msg *msg, *next, *end;
- struct sadb_sa *sa;
- struct sadb_lifetime *lt;
- struct sockaddr *src, *dst;
- struct ph2handle *iph2;
- u_int64_t created;
- size_t i;
- caddr_t mhp[SADB_EXT_MAX + 1];
-#ifdef ENABLE_NATT
- struct sadb_x_nat_t_type *natt_type;
- struct sadb_x_nat_t_port *natt_port;
-#endif
-
- plog(LLV_DEBUG2, LOCATION, NULL,
- "purge_ipsec_spi:\n");
- plog(LLV_DEBUG2, LOCATION, NULL, "dst0: %s\n", saddr2str(dst0));
- plog(LLV_DEBUG2, LOCATION, NULL, "SPI: %08X\n", ntohl(spi[0]));
-
- buf = pfkey_dump_sadb(ipsecdoi2pfkey_proto(proto));
- if (buf == NULL) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "pfkey_dump_sadb returned nothing.\n");
- return;
- }
-
- msg = (struct sadb_msg *)buf->v;
- end = (struct sadb_msg *)(buf->v + buf->l);
-
- while (msg < end) {
- if ((msg->sadb_msg_len << 3) < sizeof(*msg))
- break;
- next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3));
- if (msg->sadb_msg_type != SADB_DUMP) {
- msg = next;
- continue;
- }
-
- if (pfkey_align(msg, mhp) || pfkey_check(mhp)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "pfkey_check (%s)\n", ipsec_strerror());
- msg = next;
- continue;
- }
-
- sa = (struct sadb_sa *)(mhp[SADB_EXT_SA]);
- if (!sa
- || !mhp[SADB_EXT_ADDRESS_SRC]
- || !mhp[SADB_EXT_ADDRESS_DST]) {
- msg = next;
- continue;
- }
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
- lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
- if(lt != NULL)
- created = lt->sadb_lifetime_addtime;
- else
- created = 0;
-
- if (sa->sadb_sa_state != SADB_SASTATE_MATURE
- && sa->sadb_sa_state != SADB_SASTATE_DYING) {
- msg = next;
- continue;
- }
-#ifdef ENABLE_NATT
- natt_type = (void *)mhp[SADB_X_EXT_NAT_T_TYPE];
- if (natt_type && natt_type->sadb_x_nat_t_type_type) {
- /* NAT-T is enabled for this SADB entry; copy
- * the ports from NAT-T extensions */
- natt_port = (void *)mhp[SADB_X_EXT_NAT_T_SPORT];
- if (extract_port(src) == 0 && natt_port != NULL)
- set_port(src, ntohs(natt_port->sadb_x_nat_t_port_port));
-
- natt_port = (void *)mhp[SADB_X_EXT_NAT_T_DPORT];
- if (extract_port(dst) == 0 && natt_port != NULL)
- set_port(dst, ntohs(natt_port->sadb_x_nat_t_port_port));
- }else{
- /* Force default UDP ports, so CMPSADDR will match SAs with NO encapsulation
- */
- set_port(src, PORT_ISAKMP);
- set_port(dst, PORT_ISAKMP);
- }
-#endif
- plog(LLV_DEBUG2, LOCATION, NULL, "src: %s\n", saddr2str(src));
- plog(LLV_DEBUG2, LOCATION, NULL, "dst: %s\n", saddr2str(dst));
-
- /* XXX n^2 algorithm, inefficient */
-
- /* don't delete inbound SAs at the moment */
- /* XXX should we remove SAs with opposite direction as well? */
- if (CMPSADDR(dst0, dst)) {
- msg = next;
- continue;
- }
-
-#ifdef ENABLE_NATT
- if (natt_type == NULL ||
- ! natt_type->sadb_x_nat_t_type_type) {
- /* Set back port to 0 if it was forced to default UDP port
- */
- set_port(src, 0);
- set_port(dst, 0);
- }
-#endif
- for (i = 0; i < n; i++) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "check spi(packet)=%u spi(db)=%u.\n",
- ntohl(spi[i]), ntohl(sa->sadb_sa_spi));
- if (spi[i] != sa->sadb_sa_spi)
- continue;
-
- pfkey_send_delete(lcconf->sock_pfkey,
- msg->sadb_msg_satype,
- IPSEC_MODE_ANY,
- src, dst, sa->sadb_sa_spi);
-
- /*
- * delete a relative phase 2 handler.
- * continue to process if no relative phase 2 handler
- * exists.
- */
- iph2 = getph2bysaidx(src, dst, proto, spi[i]);
- if(iph2 != NULL){
- delete_spd(iph2, created);
- unbindph12(iph2);
- remph2(iph2);
- delph2(iph2);
- }
-
- plog(LLV_INFO, LOCATION, NULL,
- "purged IPsec-SA proto_id=%s spi=%u.\n",
- s_ipsecdoi_proto(proto),
- ntohl(spi[i]));
- }
-
- msg = next;
- }
-
- if (buf)
- vfree(buf);
-}
-
-/*
- * delete all phase2 sa relatived to the destination address.
- * Don't delete Phase 1 handlers on INITIAL-CONTACT, and don't ignore
- * an INITIAL-CONTACT if we have contacted the peer. This matches the
- * Sun IKE behavior, and makes rekeying work much better when the peer
- * restarts.
- */
-static void
-info_recv_initialcontact(iph1)
- struct ph1handle *iph1;
-{
- vchar_t *buf = NULL;
- struct sadb_msg *msg, *next, *end;
- struct sadb_sa *sa;
- struct sockaddr *src, *dst;
- caddr_t mhp[SADB_EXT_MAX + 1];
- int proto_id, i;
- struct ph2handle *iph2;
-#if 0
- char *loc, *rem;
-#endif
-
- if (f_local)
- return;
-
-#if 0
- loc = racoon_strdup(saddrwop2str(iph1->local));
- rem = racoon_strdup(saddrwop2str(iph1->remote));
- STRDUP_FATAL(loc);
- STRDUP_FATAL(rem);
-
- /*
- * Purge all IPSEC-SAs for the peer. We can do this
- * the easy way (using a PF_KEY SADB_DELETE extension)
- * or we can do it the hard way.
- */
- for (i = 0; i < pfkey_nsatypes; i++) {
- proto_id = pfkey2ipsecdoi_proto(pfkey_satypes[i].ps_satype);
-
- plog(LLV_INFO, LOCATION, NULL,
- "purging %s SAs for %s -> %s\n",
- pfkey_satypes[i].ps_name, loc, rem);
- if (pfkey_send_delete_all(lcconf->sock_pfkey,
- pfkey_satypes[i].ps_satype, IPSEC_MODE_ANY,
- iph1->local, iph1->remote) == -1) {
- plog(LLV_ERROR, LOCATION, NULL,
- "delete_all %s -> %s failed for %s (%s)\n",
- loc, rem,
- pfkey_satypes[i].ps_name, ipsec_strerror());
- goto the_hard_way;
- }
-
- deleteallph2(iph1->local, iph1->remote, proto_id);
-
- plog(LLV_INFO, LOCATION, NULL,
- "purging %s SAs for %s -> %s\n",
- pfkey_satypes[i].ps_name, rem, loc);
- if (pfkey_send_delete_all(lcconf->sock_pfkey,
- pfkey_satypes[i].ps_satype, IPSEC_MODE_ANY,
- iph1->remote, iph1->local) == -1) {
- plog(LLV_ERROR, LOCATION, NULL,
- "delete_all %s -> %s failed for %s (%s)\n",
- rem, loc,
- pfkey_satypes[i].ps_name, ipsec_strerror());
- goto the_hard_way;
- }
-
- deleteallph2(iph1->remote, iph1->local, proto_id);
- }
-
- racoon_free(loc);
- racoon_free(rem);
- return;
-
- the_hard_way:
- racoon_free(loc);
- racoon_free(rem);
-#endif
-
- buf = pfkey_dump_sadb(SADB_SATYPE_UNSPEC);
- if (buf == NULL) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "pfkey_dump_sadb returned nothing.\n");
- return;
- }
-
- msg = (struct sadb_msg *)buf->v;
- end = (struct sadb_msg *)(buf->v + buf->l);
-
- while (msg < end) {
- if ((msg->sadb_msg_len << 3) < sizeof(*msg))
- break;
- next = (struct sadb_msg *)((caddr_t)msg + (msg->sadb_msg_len << 3));
- if (msg->sadb_msg_type != SADB_DUMP) {
- msg = next;
- continue;
- }
-
- if (pfkey_align(msg, mhp) || pfkey_check(mhp)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "pfkey_check (%s)\n", ipsec_strerror());
- msg = next;
- continue;
- }
-
- if (mhp[SADB_EXT_SA] == NULL
- || mhp[SADB_EXT_ADDRESS_SRC] == NULL
- || mhp[SADB_EXT_ADDRESS_DST] == NULL) {
- msg = next;
- continue;
- }
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
- if (sa->sadb_sa_state != SADB_SASTATE_MATURE
- && sa->sadb_sa_state != SADB_SASTATE_DYING) {
- msg = next;
- continue;
- }
-
- /*
- * RFC2407 4.6.3.3 INITIAL-CONTACT is the message that
- * announces the sender of the message was rebooted.
- * it is interpreted to delete all SAs which source address
- * is the sender of the message.
- * racoon only deletes SA which is matched both the
- * source address and the destination accress.
- */
-#ifdef ENABLE_NATT
- /*
- * XXX RFC 3947 says that whe MUST NOT use IP+port to find old SAs
- * from this peer !
- */
- if(iph1->natt_flags & NAT_DETECTED){
- if (CMPSADDR(iph1->local, src) == 0 &&
- CMPSADDR(iph1->remote, dst) == 0)
- ;
- else if (CMPSADDR(iph1->remote, src) == 0 &&
- CMPSADDR(iph1->local, dst) == 0)
- ;
- else {
- msg = next;
- continue;
- }
- } else
-#endif
- /* If there is no NAT-T, we don't have to check addr + port...
- * XXX what about a configuration with a remote peers which is not
- * NATed, but which NATs some other peers ?
- * Here, the INITIAl-CONTACT would also flush all those NATed peers !!
- */
- if (cmpsaddrwop(iph1->local, src) == 0 &&
- cmpsaddrwop(iph1->remote, dst) == 0)
- ;
- else if (cmpsaddrwop(iph1->remote, src) == 0 &&
- cmpsaddrwop(iph1->local, dst) == 0)
- ;
- else {
- msg = next;
- continue;
- }
-
- /*
- * Make sure this is an SATYPE that we manage.
- * This is gross; too bad we couldn't do it the
- * easy way.
- */
- for (i = 0; i < pfkey_nsatypes; i++) {
- if (pfkey_satypes[i].ps_satype ==
- msg->sadb_msg_satype)
- break;
- }
- if (i == pfkey_nsatypes) {
- msg = next;
- continue;
- }
-
- plog(LLV_INFO, LOCATION, NULL,
- "purging spi=%u.\n", ntohl(sa->sadb_sa_spi));
- pfkey_send_delete(lcconf->sock_pfkey,
- msg->sadb_msg_satype,
- IPSEC_MODE_ANY, src, dst, sa->sadb_sa_spi);
-
- /*
- * delete a relative phase 2 handler.
- * continue to process if no relative phase 2 handler
- * exists.
- */
- proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
- iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
- if (iph2) {
- delete_spd(iph2, 0);
- unbindph12(iph2);
- remph2(iph2);
- delph2(iph2);
- }
-
- msg = next;
- }
-
- vfree(buf);
-}
-
-void
-isakmp_check_notify(gen, iph1)
- struct isakmp_gen *gen; /* points to Notify payload */
- struct ph1handle *iph1;
-{
- struct isakmp_pl_n *notify = (struct isakmp_pl_n *)gen;
-
- plog(LLV_DEBUG, LOCATION, iph1->remote,
- "Notify Message received\n");
-
- switch (ntohs(notify->type)) {
- case ISAKMP_NTYPE_CONNECTED:
- case ISAKMP_NTYPE_RESPONDER_LIFETIME:
- case ISAKMP_NTYPE_REPLAY_STATUS:
- case ISAKMP_NTYPE_HEARTBEAT:
-#ifdef ENABLE_HYBRID
- case ISAKMP_NTYPE_UNITY_HEARTBEAT:
-#endif
- plog(LLV_WARNING, LOCATION, iph1->remote,
- "ignore %s notification.\n",
- s_isakmp_notify_msg(ntohs(notify->type)));
- break;
- case ISAKMP_NTYPE_INITIAL_CONTACT:
- plog(LLV_WARNING, LOCATION, iph1->remote,
- "ignore INITIAL-CONTACT notification, "
- "because it is only accepted after phase1.\n");
- break;
- default:
- isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, NULL);
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "received unknown notification type %s.\n",
- s_isakmp_notify_msg(ntohs(notify->type)));
- }
-
- return;
-}
-
-
-#ifdef ENABLE_DPD
-static int
-isakmp_info_recv_r_u (iph1, ru, msgid)
- struct ph1handle *iph1;
- struct isakmp_pl_ru *ru;
- u_int32_t msgid;
-{
- struct isakmp_pl_ru *ru_ack;
- vchar_t *payload = NULL;
- int tlen;
- int error = 0;
-
- plog(LLV_DEBUG, LOCATION, iph1->remote,
- "DPD R-U-There received\n");
-
- /* XXX should compare cookies with iph1->index?
- Or is this already done by calling function? */
- tlen = sizeof(*ru_ack);
- payload = vmalloc(tlen);
- if (payload == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get buffer to send.\n");
- return errno;
- }
-
- ru_ack = (struct isakmp_pl_ru *)payload->v;
- ru_ack->h.np = ISAKMP_NPTYPE_NONE;
- ru_ack->h.len = htons(tlen);
- ru_ack->doi = htonl(IPSEC_DOI);
- ru_ack->type = htons(ISAKMP_NTYPE_R_U_THERE_ACK);
- ru_ack->proto_id = IPSECDOI_PROTO_ISAKMP; /* XXX ? */
- ru_ack->spi_size = sizeof(isakmp_index);
- memcpy(ru_ack->i_ck, ru->i_ck, sizeof(cookie_t));
- memcpy(ru_ack->r_ck, ru->r_ck, sizeof(cookie_t));
- ru_ack->data = ru->data;
-
- /* XXX Should we do FLAG_A ? */
- error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N,
- ISAKMP_FLAG_E);
- vfree(payload);
-
- plog(LLV_DEBUG, LOCATION, NULL, "received a valid R-U-THERE, ACK sent\n");
-
- /* Should we mark tunnel as active ? */
- return error;
-}
-
-static int
-isakmp_info_recv_r_u_ack (iph1, ru, msgid)
- struct ph1handle *iph1;
- struct isakmp_pl_ru *ru;
- u_int32_t msgid;
-{
-
- plog(LLV_DEBUG, LOCATION, iph1->remote,
- "DPD R-U-There-Ack received\n");
-
- /* XXX Maintain window of acceptable sequence numbers ?
- * => ru->data <= iph2->dpd_seq &&
- * ru->data >= iph2->dpd_seq - iph2->dpd_fails ? */
- if (ntohl(ru->data) != iph1->dpd_seq-1) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "Wrong DPD sequence number (%d, %d expected).\n",
- ntohl(ru->data), iph1->dpd_seq-1);
- return 0;
- }
-
- if (memcmp(ru->i_ck, iph1->index.i_ck, sizeof(cookie_t)) ||
- memcmp(ru->r_ck, iph1->index.r_ck, sizeof(cookie_t))) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "Cookie mismatch in DPD ACK!.\n");
- return 0;
- }
-
- iph1->dpd_fails = 0;
-
- /* Useless ??? */
- iph1->dpd_lastack = time(NULL);
-
- SCHED_KILL(iph1->dpd_r_u);
-
- isakmp_sched_r_u(iph1, 0);
-
- plog(LLV_DEBUG, LOCATION, NULL, "received an R-U-THERE-ACK\n");
-
- return 0;
-}
-
-
-
-
-/*
- * send DPD R-U-THERE payload in Informational exchange.
- */
-static void
-isakmp_info_send_r_u(arg)
- void *arg;
-{
- struct ph1handle *iph1 = arg;
-
- /* create R-U-THERE payload */
- struct isakmp_pl_ru *ru;
- vchar_t *payload = NULL;
- int tlen;
- int error = 0;
-
- plog(LLV_DEBUG, LOCATION, iph1->remote, "DPD monitoring....\n");
-
- iph1->dpd_r_u=NULL;
-
- if (iph1->dpd_fails >= iph1->rmconf->dpd_maxfails) {
-
- plog(LLV_INFO, LOCATION, iph1->remote,
- "DPD: remote (ISAKMP-SA spi=%s) seems to be dead.\n",
- isakmp_pindex(&iph1->index, 0));
-
- EVT_PUSH(iph1->local, iph1->remote, EVTT_DPD_TIMEOUT, NULL);
- purge_remote(iph1);
-
- /* Do not reschedule here: phase1 is deleted,
- * DPD will be reactivated when a new ph1 will be negociated
- */
- return;
- }
-
- /* TODO: check recent activity to avoid useless sends... */
-
- tlen = sizeof(*ru);
- payload = vmalloc(tlen);
- if (payload == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get buffer for payload.\n");
- return;
- }
- ru = (struct isakmp_pl_ru *)payload->v;
- ru->h.np = ISAKMP_NPTYPE_NONE;
- ru->h.len = htons(tlen);
- ru->doi = htonl(IPSEC_DOI);
- ru->type = htons(ISAKMP_NTYPE_R_U_THERE);
- ru->proto_id = IPSECDOI_PROTO_ISAKMP; /* XXX ?*/
- ru->spi_size = sizeof(isakmp_index);
-
- memcpy(ru->i_ck, iph1->index.i_ck, sizeof(cookie_t));
- memcpy(ru->r_ck, iph1->index.r_ck, sizeof(cookie_t));
-
- if (iph1->dpd_seq == 0){
- /* generate a random seq which is not too big */
- srand(time(NULL));
- iph1->dpd_seq = rand() & 0x0fff;
- }
-
- ru->data = htonl(iph1->dpd_seq);
-
- error = isakmp_info_send_common(iph1, payload, ISAKMP_NPTYPE_N, 0);
- vfree(payload);
-
- plog(LLV_DEBUG, LOCATION, iph1->remote,
- "DPD R-U-There sent (%d)\n", error);
-
- /* will be decreased if ACK received... */
- iph1->dpd_fails++;
-
- /* XXX should be increased only when ACKed ? */
- iph1->dpd_seq++;
-
- /* Reschedule the r_u_there with a short delay,
- * will be deleted/rescheduled if ACK received before */
- isakmp_sched_r_u(iph1, 1);
-
- plog(LLV_DEBUG, LOCATION, iph1->remote,
- "rescheduling send_r_u (%d).\n", iph1->rmconf->dpd_retry);
-}
-
-/* Schedule a new R-U-THERE */
-int
-isakmp_sched_r_u(iph1, retry)
- struct ph1handle *iph1;
- int retry;
-{
- if(iph1 == NULL ||
- iph1->rmconf == NULL)
- return 1;
-
-
- if(iph1->dpd_support == 0 ||
- iph1->rmconf->dpd_interval == 0)
- return 0;
-
- if(retry)
- iph1->dpd_r_u = sched_new(iph1->rmconf->dpd_retry,
- isakmp_info_send_r_u, iph1);
- else
- iph1->dpd_r_u = sched_new(iph1->rmconf->dpd_interval,
- isakmp_info_send_r_u, iph1);
-
- return 0;
-}
-#endif
diff --git a/src/racoon/isakmp_inf.h b/src/racoon/isakmp_inf.h
deleted file mode 100644
index c7682d9..0000000
--- a/src/racoon/isakmp_inf.h
+++ /dev/null
@@ -1,60 +0,0 @@
-/* $NetBSD: isakmp_inf.h,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* Id: isakmp_inf.h,v 1.6 2005/05/07 14:15:59 manubsd Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _ISAKMP_INF_H
-#define _ISAKMP_INF_H
-
-struct saproto;
-extern int isakmp_info_recv __P((struct ph1handle *, vchar_t *));
-extern int isakmp_info_send_d1 __P((struct ph1handle *));
-extern int isakmp_info_send_d2 __P((struct ph2handle *));
-extern int isakmp_info_send_nx __P((struct isakmp *,
- struct sockaddr *, struct sockaddr *, int, vchar_t *));
-extern int isakmp_info_send_n1 __P((struct ph1handle *, int, vchar_t *));
-extern int isakmp_info_send_n2 __P((struct ph2handle *, int, vchar_t *));
-extern int isakmp_info_send_common __P((struct ph1handle *,
- vchar_t *, u_int32_t, int));
-
-extern vchar_t * isakmp_add_pl_n __P((vchar_t *, u_int8_t **, int,
- struct saproto *, vchar_t *));
-
-extern void isakmp_check_notify __P((struct isakmp_gen *, struct ph1handle *));
-
-#ifdef ENABLE_DPD
-extern int isakmp_sched_r_u __P((struct ph1handle *, int));
-#endif
-
-extern void purge_ipsec_spi __P((struct sockaddr *, int, u_int32_t *, size_t));
-extern int tunnel_mode_prop __P((struct saprop *));
-
-#endif /* _ISAKMP_INF_H */
diff --git a/src/racoon/isakmp_newg.c b/src/racoon/isakmp_newg.c
deleted file mode 100644
index 85b91b9..0000000
--- a/src/racoon/isakmp_newg.c
+++ /dev/null
@@ -1,232 +0,0 @@
-/* $NetBSD: isakmp_newg.c,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* $KAME: isakmp_newg.c,v 1.10 2002/09/27 05:55:52 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "sockmisc.h"
-#include "debug.h"
-
-#include "schedule.h"
-#include "cfparse_proto.h"
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "isakmp_newg.h"
-#include "oakley.h"
-#include "ipsec_doi.h"
-#include "crypto_openssl.h"
-#include "handler.h"
-#include "pfkey.h"
-#include "admin.h"
-#include "str2val.h"
-#include "vendorid.h"
-
-/*
- * New group mode as responder
- */
-int
-isakmp_newgroup_r(iph1, msg)
- struct ph1handle *iph1;
- vchar_t *msg;
-{
-#if 0
- struct isakmp *isakmp = (struct isakmp *)msg->v;
- struct isakmp_pl_hash *hash = NULL;
- struct isakmp_pl_sa *sa = NULL;
- int error = -1;
- vchar_t *buf;
- struct oakley_sa *osa;
- int len;
-
- /* validate the type of next payload */
- /*
- * ISAKMP_ETYPE_NEWGRP,
- * ISAKMP_NPTYPE_HASH, (ISAKMP_NPTYPE_VID), ISAKMP_NPTYPE_SA,
- * ISAKMP_NPTYPE_NONE
- */
- {
- vchar_t *pbuf = NULL;
- struct isakmp_parse_t *pa;
-
- if ((pbuf = isakmp_parse(msg)) == NULL)
- goto end;
-
- for (pa = (struct isakmp_parse_t *)pbuf->v;
- pa->type != ISAKMP_NPTYPE_NONE;
- pa++) {
-
- switch (pa->type) {
- case ISAKMP_NPTYPE_HASH:
- if (hash) {
- isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, NULL);
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "received multiple payload type %d.\n",
- pa->type);
- vfree(pbuf);
- goto end;
- }
- hash = (struct isakmp_pl_hash *)pa->ptr;
- break;
- case ISAKMP_NPTYPE_SA:
- if (sa) {
- isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, NULL);
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "received multiple payload type %d.\n",
- pa->type);
- vfree(pbuf);
- goto end;
- }
- sa = (struct isakmp_pl_sa *)pa->ptr;
- break;
- case ISAKMP_NPTYPE_VID:
- handle_vendorid(iph1, pa->ptr);
- break;
- default:
- isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, NULL);
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "ignore the packet, "
- "received unexpecting payload type %d.\n",
- pa->type);
- vfree(pbuf);
- goto end;
- }
- }
- vfree(pbuf);
-
- if (!hash || !sa) {
- isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, NULL);
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "no HASH, or no SA payload.\n");
- goto end;
- }
- }
-
- /* validate HASH */
- {
- char *r_hash;
- vchar_t *my_hash = NULL;
- int result;
-
- plog(LLV_DEBUG, LOCATION, NULL, "validate HASH\n");
-
- len = sizeof(isakmp->msgid) + ntohs(sa->h.len);
- buf = vmalloc(len);
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get buffer to send.\n");
- goto end;
- }
- memcpy(buf->v, &isakmp->msgid, sizeof(isakmp->msgid));
- memcpy(buf->v + sizeof(isakmp->msgid), sa, ntohs(sa->h.len));
-
- plog(LLV_DEBUG, LOCATION, NULL, "hash source\n");
- plogdump(LLV_DEBUG, buf->v, buf->l);
-
- my_hash = isakmp_prf(iph1->skeyid_a, buf, iph1);
- vfree(buf);
- if (my_hash == NULL)
- goto end;
-
- plog(LLV_DEBUG, LOCATION, NULL, "hash result\n");
- plogdump(LLV_DEBUG, my_hash->v, my_hash->l);
-
- r_hash = (char *)hash + sizeof(*hash);
-
- plog(LLV_DEBUG, LOCATION, NULL, "original hash\n"));
- plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash)));
-
- result = memcmp(my_hash->v, r_hash, my_hash->l);
- vfree(my_hash);
-
- if (result) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "HASH mismatch.\n");
- isakmp_info_send_n1(iph1, ISAKMP_NTYPE_INVALID_HASH_INFORMATION, NULL);
- goto end;
- }
- }
-
- /* check SA payload and get new one for use */
- buf = ipsecdoi_get_proposal((struct ipsecdoi_sa *)sa,
- OAKLEY_NEWGROUP_MODE);
- if (buf == NULL) {
- isakmp_info_send_n1(iph1, ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED, NULL);
- goto end;
- }
-
- /* save sa parameters */
- osa = ipsecdoi_get_oakley(buf);
- if (osa == NULL) {
- isakmp_info_send_n1(iph1, ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED, NULL);
- goto end;
- }
- vfree(buf);
-
- switch (osa->dhgrp) {
- case OAKLEY_ATTR_GRP_DESC_MODP768:
- case OAKLEY_ATTR_GRP_DESC_MODP1024:
- case OAKLEY_ATTR_GRP_DESC_MODP1536:
- /*XXX*/
- default:
- isakmp_info_send_n1(iph1, ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED, NULL);
- plog(LLV_ERROR, LOCATION, NULL,
- "dh group %d isn't supported.\n", osa->dhgrp);
- goto end;
- }
-
- plog(LLV_INFO, LOCATION, iph1->remote,
- "got new dh group %s.\n", isakmp_pindex(&iph1->index, 0));
-
- error = 0;
-
-end:
- if (error) {
- if (iph1 != NULL)
- (void)isakmp_free_ph1(iph1);
- }
- return error;
-#endif
- return 0;
-}
-
diff --git a/src/racoon/isakmp_newg.h b/src/racoon/isakmp_newg.h
deleted file mode 100644
index 1562c41..0000000
--- a/src/racoon/isakmp_newg.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/* $NetBSD: isakmp_newg.h,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* Id: isakmp_newg.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _ISAKMP_NEWG_H
-#define _ISAKMP_NEWG_H
-
-extern int isakmp_newgroup_r __P((struct ph1handle *, vchar_t *));
-
-#endif /* _ISAKMP_NEWG_H */
diff --git a/src/racoon/isakmp_quick.c b/src/racoon/isakmp_quick.c
deleted file mode 100644
index 963438d..0000000
--- a/src/racoon/isakmp_quick.c
+++ /dev/null
@@ -1,2189 +0,0 @@
-/* $NetBSD: isakmp_quick.c,v 1.11.4.1 2007/08/01 11:52:21 vanhu Exp $ */
-
-/* Id: isakmp_quick.c,v 1.29 2006/08/22 18:17:17 manubsd Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#if TIME_WITH_SYS_TIME
-# include <sys/time.h>
-# include <time.h>
-#else
-# if HAVE_SYS_TIME_H
-# include <sys/time.h>
-# else
-# include <time.h>
-# endif
-#endif
-#ifdef ENABLE_HYBRID
-#include <resolv.h>
-#endif
-
-#include PATH_IPSEC_H
-
-#include "var.h"
-#include "vmbuf.h"
-#include "schedule.h"
-#include "misc.h"
-#include "plog.h"
-#include "debug.h"
-
-#include "localconf.h"
-#include "remoteconf.h"
-#include "handler.h"
-#include "policy.h"
-#include "proposal.h"
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "isakmp_inf.h"
-#include "isakmp_quick.h"
-#include "oakley.h"
-#include "ipsec_doi.h"
-#include "crypto_openssl.h"
-#include "pfkey.h"
-#include "policy.h"
-#include "algorithm.h"
-#include "sockmisc.h"
-#include "proposal.h"
-#include "sainfo.h"
-#include "admin.h"
-#include "strnames.h"
-
-/* quick mode */
-static vchar_t *quick_ir1mx __P((struct ph2handle *, vchar_t *, vchar_t *));
-static int get_sainfo_r __P((struct ph2handle *));
-static int get_proposal_r __P((struct ph2handle *));
-
-/* %%%
- * Quick Mode
- */
-/*
- * begin Quick Mode as initiator. send pfkey getspi message to kernel.
- */
-int
-quick_i1prep(iph2, msg)
- struct ph2handle *iph2;
- vchar_t *msg; /* must be null pointer */
-{
- int error = ISAKMP_INTERNAL_ERROR;
-
- /* validity check */
- if (iph2->status != PHASE2ST_STATUS2) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph2->status);
- goto end;
- }
-
- iph2->msgid = isakmp_newmsgid2(iph2->ph1);
- iph2->ivm = oakley_newiv2(iph2->ph1, iph2->msgid);
- if (iph2->ivm == NULL)
- return 0;
-
- iph2->status = PHASE2ST_GETSPISENT;
-
- /* don't anything if local test mode. */
- if (f_local) {
- error = 0;
- goto end;
- }
-
- /* send getspi message */
- if (pk_sendgetspi(iph2) < 0)
- goto end;
-
- plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n");
-
- iph2->sce = sched_new(lcconf->wait_ph2complete,
- pfkey_timeover_stub, iph2);
-
- error = 0;
-
-end:
- return error;
-}
-
-/*
- * send to responder
- * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ]
- */
-int
-quick_i1send(iph2, msg)
- struct ph2handle *iph2;
- vchar_t *msg; /* must be null pointer */
-{
- vchar_t *body = NULL;
- vchar_t *hash = NULL;
- struct isakmp_gen *gen;
- char *p;
- int tlen;
- int error = ISAKMP_INTERNAL_ERROR;
- int pfsgroup, idci, idcr;
- int np;
- struct ipsecdoi_id_b *id, *id_p;
-
- /* validity check */
- if (msg != NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "msg has to be NULL in this function.\n");
- goto end;
- }
- if (iph2->status != PHASE2ST_GETSPIDONE) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph2->status);
- goto end;
- }
-
- /* create SA payload for my proposal */
- if (ipsecdoi_setph2proposal(iph2) < 0)
- goto end;
-
- /* generate NONCE value */
- iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size);
- if (iph2->nonce == NULL)
- goto end;
-
- /*
- * DH value calculation is kicked out into cfparse.y.
- * because pfs group can not be negotiated, it's only to be checked
- * acceptable.
- */
- /* generate KE value if need */
- pfsgroup = iph2->proposal->pfs_group;
- if (pfsgroup) {
- /* DH group settting if PFS is required. */
- if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to set DH value.\n");
- goto end;
- }
- if (oakley_dh_generate(iph2->pfsgrp,
- &iph2->dhpub, &iph2->dhpriv) < 0) {
- goto end;
- }
- }
-
- /* generate ID value */
- if (ipsecdoi_setid2(iph2) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get ID.\n");
- goto end;
- }
- plog(LLV_DEBUG, LOCATION, NULL, "IDci:\n");
- plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l);
- plog(LLV_DEBUG, LOCATION, NULL, "IDcr:\n");
- plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l);
-
- /*
- * we do not attach IDci nor IDcr, under the following condition:
- * - all proposals are transport mode
- * - no MIP6 or proxy
- * - id payload suggests to encrypt all the traffic (no specific
- * protocol type)
- */
- id = (struct ipsecdoi_id_b *)iph2->id->v;
- id_p = (struct ipsecdoi_id_b *)iph2->id_p->v;
- if (id->proto_id == 0
- && id_p->proto_id == 0
- && iph2->ph1->rmconf->support_proxy == 0
- && ipsecdoi_transportmode(iph2->proposal)) {
- idci = idcr = 0;
- } else
- idci = idcr = 1;
-
- /* create SA;NONCE payload, and KE if need, and IDii, IDir. */
- tlen = + sizeof(*gen) + iph2->sa->l
- + sizeof(*gen) + iph2->nonce->l;
- if (pfsgroup)
- tlen += (sizeof(*gen) + iph2->dhpub->l);
- if (idci)
- tlen += sizeof(*gen) + iph2->id->l;
- if (idcr)
- tlen += sizeof(*gen) + iph2->id_p->l;
-
- body = vmalloc(tlen);
- if (body == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get buffer to send.\n");
- goto end;
- }
-
- p = body->v;
-
- /* add SA payload */
- p = set_isakmp_payload(p, iph2->sa, ISAKMP_NPTYPE_NONCE);
-
- /* add NONCE payload */
- if (pfsgroup)
- np = ISAKMP_NPTYPE_KE;
- else if (idci || idcr)
- np = ISAKMP_NPTYPE_ID;
- else
- np = ISAKMP_NPTYPE_NONE;
- p = set_isakmp_payload(p, iph2->nonce, np);
-
- /* add KE payload if need. */
- np = (idci || idcr) ? ISAKMP_NPTYPE_ID : ISAKMP_NPTYPE_NONE;
- if (pfsgroup)
- p = set_isakmp_payload(p, iph2->dhpub, np);
-
- /* IDci */
- np = (idcr) ? ISAKMP_NPTYPE_ID : ISAKMP_NPTYPE_NONE;
- if (idci)
- p = set_isakmp_payload(p, iph2->id, np);
-
- /* IDcr */
- if (idcr)
- p = set_isakmp_payload(p, iph2->id_p, ISAKMP_NPTYPE_NONE);
-
- /* generate HASH(1) */
- hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, body);
- if (hash == NULL)
- goto end;
-
- /* send isakmp payload */
- iph2->sendbuf = quick_ir1mx(iph2, body, hash);
- if (iph2->sendbuf == NULL)
- goto end;
-
- /* send the packet, add to the schedule to resend */
- iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
- if (isakmp_ph2resend(iph2) == -1)
- goto end;
-
- /* change status of isakmp status entry */
- iph2->status = PHASE2ST_MSG1SENT;
-
- error = 0;
-
-end:
- if (body != NULL)
- vfree(body);
- if (hash != NULL)
- vfree(hash);
-
- return error;
-}
-
-/*
- * receive from responder
- * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ]
- */
-int
-quick_i2recv(iph2, msg0)
- struct ph2handle *iph2;
- vchar_t *msg0;
-{
- vchar_t *msg = NULL;
- vchar_t *hbuf = NULL; /* for hash computing. */
- vchar_t *pbuf = NULL; /* for payload parsing */
- struct isakmp_parse_t *pa;
- struct isakmp *isakmp = (struct isakmp *)msg0->v;
- struct isakmp_pl_hash *hash = NULL;
- int f_id;
- char *p;
- int tlen;
- int error = ISAKMP_INTERNAL_ERROR;
-
- /* validity check */
- if (iph2->status != PHASE2ST_MSG1SENT) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph2->status);
- goto end;
- }
-
- /* decrypt packet */
- if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
- plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
- "Packet wasn't encrypted.\n");
- goto end;
- }
- msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
- if (msg == NULL)
- goto end;
-
- /* create buffer for validating HASH(2) */
- /*
- * ordering rule:
- * 1. the first one must be HASH
- * 2. the second one must be SA (added in isakmp-oakley-05!)
- * 3. two IDs must be considered as IDci, then IDcr
- */
- pbuf = isakmp_parse(msg);
- if (pbuf == NULL)
- goto end;
- pa = (struct isakmp_parse_t *)pbuf->v;
-
- /* HASH payload is fixed postion */
- if (pa->type != ISAKMP_NPTYPE_HASH) {
- plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
- "received invalid next payload type %d, "
- "expecting %d.\n",
- pa->type, ISAKMP_NPTYPE_HASH);
- goto end;
- }
- hash = (struct isakmp_pl_hash *)pa->ptr;
- pa++;
-
- /*
- * this restriction was introduced in isakmp-oakley-05.
- * we do not check this for backward compatibility.
- * TODO: command line/config file option to enable/disable this code
- */
- /* HASH payload is fixed postion */
- if (pa->type != ISAKMP_NPTYPE_SA) {
- plog(LLV_WARNING, LOCATION, iph2->ph1->remote,
- "received invalid next payload type %d, "
- "expecting %d.\n",
- pa->type, ISAKMP_NPTYPE_HASH);
- }
-
- /* allocate buffer for computing HASH(2) */
- tlen = iph2->nonce->l
- + ntohl(isakmp->len) - sizeof(*isakmp);
- hbuf = vmalloc(tlen);
- if (hbuf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get hash buffer.\n");
- goto end;
- }
- p = hbuf->v + iph2->nonce->l; /* retain the space for Ni_b */
-
- /*
- * parse the payloads.
- * copy non-HASH payloads into hbuf, so that we can validate HASH.
- */
- iph2->sa_ret = NULL;
- f_id = 0; /* flag to use checking ID */
- tlen = 0; /* count payload length except of HASH payload. */
- for (; pa->type; pa++) {
-
- /* copy to buffer for HASH */
- /* Don't modify the payload */
- memcpy(p, pa->ptr, pa->len);
-
- switch (pa->type) {
- case ISAKMP_NPTYPE_SA:
- if (iph2->sa_ret != NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Ignored, multiple SA "
- "isn't supported.\n");
- break;
- }
- if (isakmp_p2ph(&iph2->sa_ret, pa->ptr) < 0)
- goto end;
- break;
-
- case ISAKMP_NPTYPE_NONCE:
- if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0)
- goto end;
- break;
-
- case ISAKMP_NPTYPE_KE:
- if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0)
- goto end;
- break;
-
- case ISAKMP_NPTYPE_ID:
- {
- vchar_t *vp;
-
- /* check ID value */
- if (f_id == 0) {
- /* for IDci */
- f_id = 1;
- vp = iph2->id;
- } else {
- /* for IDcr */
- vp = iph2->id_p;
- }
-
-#ifndef ANDROID_PATCHED
- if (memcmp(vp->v, (caddr_t)pa->ptr + sizeof(struct isakmp_gen), vp->l)) {
-
- plog(LLV_ERROR, LOCATION, NULL,
- "mismatched ID was returned.\n");
- error = ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED;
- goto end;
- }
-#endif
- }
- break;
-
- case ISAKMP_NPTYPE_N:
- isakmp_check_notify(pa->ptr, iph2->ph1);
- break;
-
-#ifdef ENABLE_NATT
- case ISAKMP_NPTYPE_NATOA_DRAFT:
- case ISAKMP_NPTYPE_NATOA_RFC:
- /* Ignore original source/destination messages */
- break;
-#endif
-
- default:
- /* don't send information, see ident_r1recv() */
- plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
- "ignore the packet, "
- "received unexpecting payload type %d.\n",
- pa->type);
- goto end;
- }
-
- p += pa->len;
-
- /* compute true length of payload. */
- tlen += pa->len;
- }
-
- /* payload existency check */
- if (hash == NULL || iph2->sa_ret == NULL || iph2->nonce_p == NULL) {
- plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
- "few isakmp message received.\n");
- goto end;
- }
-
- /* Fixed buffer for calculating HASH */
- memcpy(hbuf->v, iph2->nonce->v, iph2->nonce->l);
- plog(LLV_DEBUG, LOCATION, NULL,
- "HASH allocated:hbuf->l=%zu actual:tlen=%zu\n",
- hbuf->l, tlen + iph2->nonce->l);
- /* adjust buffer length for HASH */
- hbuf->l = iph2->nonce->l + tlen;
-
- /* validate HASH(2) */
- {
- char *r_hash;
- vchar_t *my_hash = NULL;
- int result;
-
- r_hash = (char *)hash + sizeof(*hash);
-
- plog(LLV_DEBUG, LOCATION, NULL, "HASH(2) received:");
- plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
-
- my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf);
- if (my_hash == NULL)
- goto end;
-
- result = memcmp(my_hash->v, r_hash, my_hash->l);
- vfree(my_hash);
-
- if (result) {
- plog(LLV_DEBUG, LOCATION, iph2->ph1->remote,
- "HASH(2) mismatch.\n");
- error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
- goto end;
- }
- }
-
- /* validity check SA payload sent from responder */
- if (ipsecdoi_checkph2proposal(iph2) < 0) {
- error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
- goto end;
- }
-
- /* change status of isakmp status entry */
- iph2->status = PHASE2ST_STATUS6;
-
- error = 0;
-
-end:
- if (hbuf)
- vfree(hbuf);
- if (pbuf)
- vfree(pbuf);
- if (msg)
- vfree(msg);
-
- if (error) {
- VPTRINIT(iph2->sa_ret);
- VPTRINIT(iph2->nonce_p);
- VPTRINIT(iph2->dhpub_p);
- VPTRINIT(iph2->id);
- VPTRINIT(iph2->id_p);
- }
-
- return error;
-}
-
-/*
- * send to responder
- * HDR*, HASH(3)
- */
-int
-quick_i2send(iph2, msg0)
- struct ph2handle *iph2;
- vchar_t *msg0;
-{
- vchar_t *msg = NULL;
- vchar_t *buf = NULL;
- vchar_t *hash = NULL;
- char *p = NULL;
- int tlen;
- int error = ISAKMP_INTERNAL_ERROR;
-
- /* validity check */
- if (iph2->status != PHASE2ST_STATUS6) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph2->status);
- goto end;
- }
-
- /* generate HASH(3) */
- {
- vchar_t *tmp = NULL;
-
- plog(LLV_DEBUG, LOCATION, NULL, "HASH(3) generate\n");
-
- tmp = vmalloc(iph2->nonce->l + iph2->nonce_p->l);
- if (tmp == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get hash buffer.\n");
- goto end;
- }
- memcpy(tmp->v, iph2->nonce->v, iph2->nonce->l);
- memcpy(tmp->v + iph2->nonce->l, iph2->nonce_p->v, iph2->nonce_p->l);
-
- hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp);
- vfree(tmp);
-
- if (hash == NULL)
- goto end;
- }
-
- /* create buffer for isakmp payload */
- tlen = sizeof(struct isakmp)
- + sizeof(struct isakmp_gen) + hash->l;
- buf = vmalloc(tlen);
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get buffer to send.\n");
- goto end;
- }
-
- /* create isakmp header */
- p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
- if (p == NULL)
- goto end;
-
- /* add HASH(3) payload */
- p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_NONE);
-
-#ifdef HAVE_PRINT_ISAKMP_C
- isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
-#endif
-
- /* encoding */
- iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
- if (iph2->sendbuf == NULL)
- goto end;
-
- /* if there is commit bit, need resending */
- if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
- /* send the packet, add to the schedule to resend */
- iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
- if (isakmp_ph2resend(iph2) == -1)
- goto end;
- } else {
- /* send the packet */
- if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0)
- goto end;
- }
-
- /* the sending message is added to the received-list. */
- if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local,
- iph2->sendbuf, msg0) == -1) {
- plog(LLV_ERROR , LOCATION, NULL,
- "failed to add a response packet to the tree.\n");
- goto end;
- }
-
- /* compute both of KEYMATs */
- if (oakley_compute_keymat(iph2, INITIATOR) < 0)
- goto end;
-
- iph2->status = PHASE2ST_ADDSA;
-
- /* don't anything if local test mode. */
- if (f_local) {
- error = 0;
- goto end;
- }
-
- /* if there is commit bit don't set up SA now. */
- if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
- iph2->status = PHASE2ST_COMMIT;
- error = 0;
- goto end;
- }
-
- /* Do UPDATE for initiator */
- plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n");
- if (pk_sendupdate(iph2) < 0) {
- plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
- goto end;
- }
- plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
-
- /* Do ADD for responder */
- if (pk_sendadd(iph2) < 0) {
- plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
- goto end;
- }
- plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n");
-
- error = 0;
-
-end:
- if (buf != NULL)
- vfree(buf);
- if (msg != NULL)
- vfree(msg);
- if (hash != NULL)
- vfree(hash);
-
- return error;
-}
-
-/*
- * receive from responder
- * HDR#*, HASH(4), notify
- */
-int
-quick_i3recv(iph2, msg0)
- struct ph2handle *iph2;
- vchar_t *msg0;
-{
- vchar_t *msg = NULL;
- vchar_t *pbuf = NULL; /* for payload parsing */
- struct isakmp_parse_t *pa;
- struct isakmp_pl_hash *hash = NULL;
- vchar_t *notify = NULL;
- int error = ISAKMP_INTERNAL_ERROR;
-
- /* validity check */
- if (iph2->status != PHASE2ST_COMMIT) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph2->status);
- goto end;
- }
-
- /* decrypt packet */
- if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
- plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
- "Packet wasn't encrypted.\n");
- goto end;
- }
- msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
- if (msg == NULL)
- goto end;
-
- /* validate the type of next payload */
- pbuf = isakmp_parse(msg);
- if (pbuf == NULL)
- goto end;
-
- for (pa = (struct isakmp_parse_t *)pbuf->v;
- pa->type != ISAKMP_NPTYPE_NONE;
- pa++) {
-
- switch (pa->type) {
- case ISAKMP_NPTYPE_HASH:
- hash = (struct isakmp_pl_hash *)pa->ptr;
- break;
- case ISAKMP_NPTYPE_N:
- if (notify != NULL) {
- plog(LLV_WARNING, LOCATION, NULL,
- "Ignoring multiples notifications\n");
- break;
- }
- isakmp_check_notify(pa->ptr, iph2->ph1);
- notify = vmalloc(pa->len);
- if (notify == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get notify buffer.\n");
- goto end;
- }
- memcpy(notify->v, pa->ptr, notify->l);
- break;
- default:
- /* don't send information, see ident_r1recv() */
- plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
- "ignore the packet, "
- "received unexpecting payload type %d.\n",
- pa->type);
- goto end;
- }
- }
-
- /* payload existency check */
- if (hash == NULL) {
- plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
- "few isakmp message received.\n");
- goto end;
- }
-
- /* validate HASH(4) */
- {
- char *r_hash;
- vchar_t *my_hash = NULL;
- vchar_t *tmp = NULL;
- int result;
-
- r_hash = (char *)hash + sizeof(*hash);
-
- plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) validate:");
- plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
-
- my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify);
- vfree(tmp);
- if (my_hash == NULL)
- goto end;
-
- result = memcmp(my_hash->v, r_hash, my_hash->l);
- vfree(my_hash);
-
- if (result) {
- plog(LLV_DEBUG, LOCATION, iph2->ph1->remote,
- "HASH(4) mismatch.\n");
- error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
- goto end;
- }
- }
-
- iph2->status = PHASE2ST_ADDSA;
- iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */
-
- /* don't anything if local test mode. */
- if (f_local) {
- error = 0;
- goto end;
- }
-
- /* Do UPDATE for initiator */
- plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n");
- if (pk_sendupdate(iph2) < 0) {
- plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
- goto end;
- }
- plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
-
- /* Do ADD for responder */
- if (pk_sendadd(iph2) < 0) {
- plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
- goto end;
- }
- plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n");
-
- error = 0;
-
-end:
- if (msg != NULL)
- vfree(msg);
- if (pbuf != NULL)
- vfree(pbuf);
- if (notify != NULL)
- vfree(notify);
-
- return error;
-}
-
-/*
- * receive from initiator
- * HDR*, HASH(1), SA, Ni [, KE ] [, IDi2, IDr2 ]
- */
-int
-quick_r1recv(iph2, msg0)
- struct ph2handle *iph2;
- vchar_t *msg0;
-{
- vchar_t *msg = NULL;
- vchar_t *hbuf = NULL; /* for hash computing. */
- vchar_t *pbuf = NULL; /* for payload parsing */
- struct isakmp_parse_t *pa;
- struct isakmp *isakmp = (struct isakmp *)msg0->v;
- struct isakmp_pl_hash *hash = NULL;
- char *p;
- int tlen;
- int f_id_order; /* for ID payload detection */
- int error = ISAKMP_INTERNAL_ERROR;
-
- /* validity check */
- if (iph2->status != PHASE2ST_START) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph2->status);
- goto end;
- }
-
- /* decrypting */
- if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
- plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
- "Packet wasn't encrypted.\n");
- error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
- goto end;
- }
- /* decrypt packet */
- msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
- if (msg == NULL)
- goto end;
-
- /* create buffer for using to validate HASH(1) */
- /*
- * ordering rule:
- * 1. the first one must be HASH
- * 2. the second one must be SA (added in isakmp-oakley-05!)
- * 3. two IDs must be considered as IDci, then IDcr
- */
- pbuf = isakmp_parse(msg);
- if (pbuf == NULL)
- goto end;
- pa = (struct isakmp_parse_t *)pbuf->v;
-
- /* HASH payload is fixed postion */
- if (pa->type != ISAKMP_NPTYPE_HASH) {
- plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
- "received invalid next payload type %d, "
- "expecting %d.\n",
- pa->type, ISAKMP_NPTYPE_HASH);
- error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX;
- goto end;
- }
- hash = (struct isakmp_pl_hash *)pa->ptr;
- pa++;
-
- /*
- * this restriction was introduced in isakmp-oakley-05.
- * we do not check this for backward compatibility.
- * TODO: command line/config file option to enable/disable this code
- */
- /* HASH payload is fixed postion */
- if (pa->type != ISAKMP_NPTYPE_SA) {
- plog(LLV_WARNING, LOCATION, iph2->ph1->remote,
- "received invalid next payload type %d, "
- "expecting %d.\n",
- pa->type, ISAKMP_NPTYPE_SA);
- error = ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX;
- }
-
- /* allocate buffer for computing HASH(1) */
- tlen = ntohl(isakmp->len) - sizeof(*isakmp);
- hbuf = vmalloc(tlen);
- if (hbuf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get hash buffer.\n");
- goto end;
- }
- p = hbuf->v;
-
- /*
- * parse the payloads.
- * copy non-HASH payloads into hbuf, so that we can validate HASH.
- */
- iph2->sa = NULL; /* we don't support multi SAs. */
- iph2->nonce_p = NULL;
- iph2->dhpub_p = NULL;
- iph2->id_p = NULL;
- iph2->id = NULL;
- tlen = 0; /* count payload length except of HASH payload. */
-
- /*
- * IDi2 MUST be immediatelly followed by IDr2. We allowed the
- * illegal case, but logged. First ID payload is to be IDi2.
- * And next ID payload is to be IDr2.
- */
- f_id_order = 0;
-
- for (; pa->type; pa++) {
-
- /* copy to buffer for HASH */
- /* Don't modify the payload */
- memcpy(p, pa->ptr, pa->len);
-
- if (pa->type != ISAKMP_NPTYPE_ID)
- f_id_order = 0;
-
- switch (pa->type) {
- case ISAKMP_NPTYPE_SA:
- if (iph2->sa != NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Multi SAs isn't supported.\n");
- goto end;
- }
- if (isakmp_p2ph(&iph2->sa, pa->ptr) < 0)
- goto end;
- break;
-
- case ISAKMP_NPTYPE_NONCE:
- if (isakmp_p2ph(&iph2->nonce_p, pa->ptr) < 0)
- goto end;
- break;
-
- case ISAKMP_NPTYPE_KE:
- if (isakmp_p2ph(&iph2->dhpub_p, pa->ptr) < 0)
- goto end;
- break;
-
- case ISAKMP_NPTYPE_ID:
- if (iph2->id_p == NULL) {
- /* for IDci */
- f_id_order++;
-
- if (isakmp_p2ph(&iph2->id_p, pa->ptr) < 0)
- goto end;
-
- } else if (iph2->id == NULL) {
- /* for IDcr */
- if (f_id_order == 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "IDr2 payload is not "
- "immediatelly followed "
- "by IDi2. We allowed.\n");
- /* XXX we allowed in this case. */
- }
-
- if (isakmp_p2ph(&iph2->id, pa->ptr) < 0)
- goto end;
- } else {
- plog(LLV_ERROR, LOCATION, NULL,
- "received too many ID payloads.\n");
- plogdump(LLV_ERROR, iph2->id->v, iph2->id->l);
- error = ISAKMP_NTYPE_INVALID_ID_INFORMATION;
- goto end;
- }
- break;
-
- case ISAKMP_NPTYPE_N:
- isakmp_check_notify(pa->ptr, iph2->ph1);
- break;
-
-#ifdef ENABLE_NATT
- case ISAKMP_NPTYPE_NATOA_DRAFT:
- case ISAKMP_NPTYPE_NATOA_RFC:
- /* Ignore original source/destination messages */
- break;
-#endif
-
- default:
- plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
- "ignore the packet, "
- "received unexpecting payload type %d.\n",
- pa->type);
- error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
- goto end;
- }
-
- p += pa->len;
-
- /* compute true length of payload. */
- tlen += pa->len;
- }
-
- /* payload existency check */
- if (hash == NULL || iph2->sa == NULL || iph2->nonce_p == NULL) {
- plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
- "few isakmp message received.\n");
- error = ISAKMP_NTYPE_PAYLOAD_MALFORMED;
- goto end;
- }
-
- if (iph2->id_p) {
- plog(LLV_DEBUG, LOCATION, NULL, "received IDci2:");
- plogdump(LLV_DEBUG, iph2->id_p->v, iph2->id_p->l);
- }
- if (iph2->id) {
- plog(LLV_DEBUG, LOCATION, NULL, "received IDcr2:");
- plogdump(LLV_DEBUG, iph2->id->v, iph2->id->l);
- }
-
- /* adjust buffer length for HASH */
- hbuf->l = tlen;
-
- /* validate HASH(1) */
- {
- char *r_hash;
- vchar_t *my_hash = NULL;
- int result;
-
- r_hash = (caddr_t)hash + sizeof(*hash);
-
- plog(LLV_DEBUG, LOCATION, NULL, "HASH(1) validate:");
- plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
-
- my_hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, hbuf);
- if (my_hash == NULL)
- goto end;
-
- result = memcmp(my_hash->v, r_hash, my_hash->l);
- vfree(my_hash);
-
- if (result) {
- plog(LLV_DEBUG, LOCATION, iph2->ph1->remote,
- "HASH(1) mismatch.\n");
- error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
- goto end;
- }
- }
-
- /* get sainfo */
- error = get_sainfo_r(iph2);
- if (error) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get sainfo.\n");
- goto end;
- }
-
-
- /* check the existence of ID payload and create responder's proposal */
- error = get_proposal_r(iph2);
- switch (error) {
- case -2:
- /* generate a policy template from peer's proposal */
- if (set_proposal_from_proposal(iph2)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to generate a proposal template "
- "from client's proposal.\n");
- return ISAKMP_INTERNAL_ERROR;
- }
- /*FALLTHROUGH*/
- case 0:
- /* select single proposal or reject it. */
- if (ipsecdoi_selectph2proposal(iph2) < 0) {
- error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
- goto end;
- }
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get proposal for responder.\n");
- goto end;
- }
-
- /* check KE and attribute of PFS */
- if (iph2->dhpub_p != NULL && iph2->approval->pfs_group == 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "no PFS is specified, but peer sends KE.\n");
- error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
- goto end;
- }
- if (iph2->dhpub_p == NULL && iph2->approval->pfs_group != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "PFS is specified, but peer doesn't sends KE.\n");
- error = ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN;
- goto end;
- }
-
- /*
- * save the packet from the initiator in order to resend the
- * responder's first packet against this packet.
- */
- iph2->msg1 = vdup(msg0);
-
- /* change status of isakmp status entry */
- iph2->status = PHASE2ST_STATUS2;
-
- error = 0;
-
-end:
- if (hbuf)
- vfree(hbuf);
- if (msg)
- vfree(msg);
- if (pbuf)
- vfree(pbuf);
-
- if (error) {
- VPTRINIT(iph2->sa);
- VPTRINIT(iph2->nonce_p);
- VPTRINIT(iph2->dhpub_p);
- VPTRINIT(iph2->id);
- VPTRINIT(iph2->id_p);
- }
-
- return error;
-}
-
-/*
- * call pfkey_getspi.
- */
-int
-quick_r1prep(iph2, msg)
- struct ph2handle *iph2;
- vchar_t *msg;
-{
- int error = ISAKMP_INTERNAL_ERROR;
-
- /* validity check */
- if (iph2->status != PHASE2ST_STATUS2) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph2->status);
- goto end;
- }
-
- iph2->status = PHASE2ST_GETSPISENT;
-
- /* send getspi message */
- if (pk_sendgetspi(iph2) < 0)
- goto end;
-
- plog(LLV_DEBUG, LOCATION, NULL, "pfkey getspi sent.\n");
-
- iph2->sce = sched_new(lcconf->wait_ph2complete,
- pfkey_timeover_stub, iph2);
-
- error = 0;
-
-end:
- return error;
-}
-
-/*
- * send to initiator
- * HDR*, HASH(2), SA, Nr [, KE ] [, IDi2, IDr2 ]
- */
-int
-quick_r2send(iph2, msg)
- struct ph2handle *iph2;
- vchar_t *msg;
-{
- vchar_t *body = NULL;
- vchar_t *hash = NULL;
- struct isakmp_gen *gen;
- char *p;
- int tlen;
- int error = ISAKMP_INTERNAL_ERROR;
- int pfsgroup;
- u_int8_t *np_p = NULL;
-
- /* validity check */
- if (msg != NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "msg has to be NULL in this function.\n");
- goto end;
- }
- if (iph2->status != PHASE2ST_GETSPIDONE) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph2->status);
- goto end;
- }
-
- /* update responders SPI */
- if (ipsecdoi_updatespi(iph2) < 0) {
- plog(LLV_ERROR, LOCATION, NULL, "failed to update spi.\n");
- goto end;
- }
-
- /* generate NONCE value */
- iph2->nonce = eay_set_random(iph2->ph1->rmconf->nonce_size);
- if (iph2->nonce == NULL)
- goto end;
-
- /* generate KE value if need */
- pfsgroup = iph2->approval->pfs_group;
- if (iph2->dhpub_p != NULL && pfsgroup != 0) {
- /* DH group settting if PFS is required. */
- if (oakley_setdhgroup(pfsgroup, &iph2->pfsgrp) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to set DH value.\n");
- goto end;
- }
- /* generate DH public value */
- if (oakley_dh_generate(iph2->pfsgrp,
- &iph2->dhpub, &iph2->dhpriv) < 0) {
- goto end;
- }
- }
-
- /* create SA;NONCE payload, and KE and ID if need */
- tlen = sizeof(*gen) + iph2->sa_ret->l
- + sizeof(*gen) + iph2->nonce->l;
- if (iph2->dhpub_p != NULL && pfsgroup != 0)
- tlen += (sizeof(*gen) + iph2->dhpub->l);
- if (iph2->id_p != NULL)
- tlen += (sizeof(*gen) + iph2->id_p->l
- + sizeof(*gen) + iph2->id->l);
-
- body = vmalloc(tlen);
- if (body == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get buffer to send.\n");
- goto end;
- }
- p = body->v;
-
- /* make SA payload */
- p = set_isakmp_payload(body->v, iph2->sa_ret, ISAKMP_NPTYPE_NONCE);
-
- /* add NONCE payload */
- np_p = &((struct isakmp_gen *)p)->np; /* XXX */
- p = set_isakmp_payload(p, iph2->nonce,
- (iph2->dhpub_p != NULL && pfsgroup != 0)
- ? ISAKMP_NPTYPE_KE
- : (iph2->id_p != NULL
- ? ISAKMP_NPTYPE_ID
- : ISAKMP_NPTYPE_NONE));
-
- /* add KE payload if need. */
- if (iph2->dhpub_p != NULL && pfsgroup != 0) {
- np_p = &((struct isakmp_gen *)p)->np; /* XXX */
- p = set_isakmp_payload(p, iph2->dhpub,
- (iph2->id_p == NULL)
- ? ISAKMP_NPTYPE_NONE
- : ISAKMP_NPTYPE_ID);
- }
-
- /* add ID payloads received. */
- if (iph2->id_p != NULL) {
- /* IDci */
- p = set_isakmp_payload(p, iph2->id_p, ISAKMP_NPTYPE_ID);
- /* IDcr */
- np_p = &((struct isakmp_gen *)p)->np; /* XXX */
- p = set_isakmp_payload(p, iph2->id, ISAKMP_NPTYPE_NONE);
- }
-
- /* add a RESPONDER-LIFETIME notify payload if needed */
- {
- vchar_t *data = NULL;
- struct saprop *pp = iph2->approval;
- struct saproto *pr;
-
- if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_SEC) {
- u_int32_t v = htonl((u_int32_t)pp->lifetime);
- data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE,
- IPSECDOI_ATTR_SA_LD_TYPE_SEC);
- if (!data)
- goto end;
- data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD,
- (caddr_t)&v, sizeof(v));
- if (!data)
- goto end;
- }
- if (pp->claim & IPSECDOI_ATTR_SA_LD_TYPE_KB) {
- u_int32_t v = htonl((u_int32_t)pp->lifebyte);
- data = isakmp_add_attr_l(data, IPSECDOI_ATTR_SA_LD_TYPE,
- IPSECDOI_ATTR_SA_LD_TYPE_KB);
- if (!data)
- goto end;
- data = isakmp_add_attr_v(data, IPSECDOI_ATTR_SA_LD,
- (caddr_t)&v, sizeof(v));
- if (!data)
- goto end;
- }
-
- /*
- * XXX Is there only single RESPONDER-LIFETIME payload in a IKE message
- * in the case of SA bundle ?
- */
- if (data) {
- for (pr = pp->head; pr; pr = pr->next) {
- body = isakmp_add_pl_n(body, &np_p,
- ISAKMP_NTYPE_RESPONDER_LIFETIME, pr, data);
- if (!body) {
- vfree(data);
- return error; /* XXX */
- }
- }
- vfree(data);
- }
- }
-
- /* generate HASH(2) */
- {
- vchar_t *tmp;
-
- tmp = vmalloc(iph2->nonce_p->l + body->l);
- if (tmp == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get hash buffer.\n");
- goto end;
- }
- memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l);
- memcpy(tmp->v + iph2->nonce_p->l, body->v, body->l);
-
- hash = oakley_compute_hash1(iph2->ph1, iph2->msgid, tmp);
- vfree(tmp);
-
- if (hash == NULL)
- goto end;
- }
-
- /* send isakmp payload */
- iph2->sendbuf = quick_ir1mx(iph2, body, hash);
- if (iph2->sendbuf == NULL)
- goto end;
-
- /* send the packet, add to the schedule to resend */
- iph2->retry_counter = iph2->ph1->rmconf->retry_counter;
- if (isakmp_ph2resend(iph2) == -1)
- goto end;
-
- /* the sending message is added to the received-list. */
- if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, iph2->msg1) == -1) {
- plog(LLV_ERROR , LOCATION, NULL,
- "failed to add a response packet to the tree.\n");
- goto end;
- }
-
- /* change status of isakmp status entry */
- iph2->status = PHASE2ST_MSG1SENT;
-
- error = 0;
-
-end:
- if (body != NULL)
- vfree(body);
- if (hash != NULL)
- vfree(hash);
-
- return error;
-}
-
-/*
- * receive from initiator
- * HDR*, HASH(3)
- */
-int
-quick_r3recv(iph2, msg0)
- struct ph2handle *iph2;
- vchar_t *msg0;
-{
- vchar_t *msg = NULL;
- vchar_t *pbuf = NULL; /* for payload parsing */
- struct isakmp_parse_t *pa;
- struct isakmp_pl_hash *hash = NULL;
- int error = ISAKMP_INTERNAL_ERROR;
-
- /* validity check */
- if (iph2->status != PHASE2ST_MSG1SENT) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph2->status);
- goto end;
- }
-
- /* decrypt packet */
- if (!ISSET(((struct isakmp *)msg0->v)->flags, ISAKMP_FLAG_E)) {
- plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
- "Packet wasn't encrypted.\n");
- goto end;
- }
- msg = oakley_do_decrypt(iph2->ph1, msg0, iph2->ivm->iv, iph2->ivm->ive);
- if (msg == NULL)
- goto end;
-
- /* validate the type of next payload */
- pbuf = isakmp_parse(msg);
- if (pbuf == NULL)
- goto end;
-
- for (pa = (struct isakmp_parse_t *)pbuf->v;
- pa->type != ISAKMP_NPTYPE_NONE;
- pa++) {
-
- switch (pa->type) {
- case ISAKMP_NPTYPE_HASH:
- hash = (struct isakmp_pl_hash *)pa->ptr;
- break;
- case ISAKMP_NPTYPE_N:
- isakmp_check_notify(pa->ptr, iph2->ph1);
- break;
- default:
- /* don't send information, see ident_r1recv() */
- plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
- "ignore the packet, "
- "received unexpecting payload type %d.\n",
- pa->type);
- goto end;
- }
- }
-
- /* payload existency check */
- if (hash == NULL) {
- plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
- "few isakmp message received.\n");
- goto end;
- }
-
- /* validate HASH(3) */
- /* HASH(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b) */
- {
- char *r_hash;
- vchar_t *my_hash = NULL;
- vchar_t *tmp = NULL;
- int result;
-
- r_hash = (char *)hash + sizeof(*hash);
-
- plog(LLV_DEBUG, LOCATION, NULL, "HASH(3) validate:");
- plogdump(LLV_DEBUG, r_hash, ntohs(hash->h.len) - sizeof(*hash));
-
- tmp = vmalloc(iph2->nonce_p->l + iph2->nonce->l);
- if (tmp == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get hash buffer.\n");
- goto end;
- }
- memcpy(tmp->v, iph2->nonce_p->v, iph2->nonce_p->l);
- memcpy(tmp->v + iph2->nonce_p->l, iph2->nonce->v, iph2->nonce->l);
-
- my_hash = oakley_compute_hash3(iph2->ph1, iph2->msgid, tmp);
- vfree(tmp);
- if (my_hash == NULL)
- goto end;
-
- result = memcmp(my_hash->v, r_hash, my_hash->l);
- vfree(my_hash);
-
- if (result) {
- plog(LLV_ERROR, LOCATION, iph2->ph1->remote,
- "HASH(3) mismatch.\n");
- error = ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
- goto end;
- }
- }
-
- /* if there is commit bit, don't set up SA now. */
- if (ISSET(iph2->flags, ISAKMP_FLAG_C)) {
- iph2->status = PHASE2ST_COMMIT;
- } else
- iph2->status = PHASE2ST_STATUS6;
-
- error = 0;
-
-end:
- if (pbuf != NULL)
- vfree(pbuf);
- if (msg != NULL)
- vfree(msg);
-
- return error;
-}
-
-/*
- * send to initiator
- * HDR#*, HASH(4), notify
- */
-int
-quick_r3send(iph2, msg0)
- struct ph2handle *iph2;
- vchar_t *msg0;
-{
- vchar_t *buf = NULL;
- vchar_t *myhash = NULL;
- struct isakmp_pl_n *n;
- vchar_t *notify = NULL;
- char *p;
- int tlen;
- int error = ISAKMP_INTERNAL_ERROR;
-
- /* validity check */
- if (iph2->status != PHASE2ST_COMMIT) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph2->status);
- goto end;
- }
-
- /* generate HASH(4) */
- /* XXX What can I do in the case of multiple different SA */
- plog(LLV_DEBUG, LOCATION, NULL, "HASH(4) generate\n");
-
- /* XXX What should I do if there are multiple SAs ? */
- tlen = sizeof(struct isakmp_pl_n) + iph2->approval->head->spisize;
- notify = vmalloc(tlen);
- if (notify == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get notify buffer.\n");
- goto end;
- }
- n = (struct isakmp_pl_n *)notify->v;
- n->h.np = ISAKMP_NPTYPE_NONE;
- n->h.len = htons(tlen);
- n->doi = htonl(IPSEC_DOI);
- n->proto_id = iph2->approval->head->proto_id;
- n->spi_size = sizeof(iph2->approval->head->spisize);
- n->type = htons(ISAKMP_NTYPE_CONNECTED);
- memcpy(n + 1, &iph2->approval->head->spi, iph2->approval->head->spisize);
-
- myhash = oakley_compute_hash1(iph2->ph1, iph2->msgid, notify);
- if (myhash == NULL)
- goto end;
-
- /* create buffer for isakmp payload */
- tlen = sizeof(struct isakmp)
- + sizeof(struct isakmp_gen) + myhash->l
- + notify->l;
- buf = vmalloc(tlen);
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get buffer to send.\n");
- goto end;
- }
-
- /* create isakmp header */
- p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
- if (p == NULL)
- goto end;
-
- /* add HASH(4) payload */
- p = set_isakmp_payload(p, myhash, ISAKMP_NPTYPE_N);
-
- /* add notify payload */
- memcpy(p, notify->v, notify->l);
-
-#ifdef HAVE_PRINT_ISAKMP_C
- isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
-#endif
-
- /* encoding */
- iph2->sendbuf = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
- if (iph2->sendbuf == NULL)
- goto end;
-
- /* send the packet */
- if (isakmp_send(iph2->ph1, iph2->sendbuf) < 0)
- goto end;
-
- /* the sending message is added to the received-list. */
- if (add_recvdpkt(iph2->ph1->remote, iph2->ph1->local, iph2->sendbuf, msg0) == -1) {
- plog(LLV_ERROR , LOCATION, NULL,
- "failed to add a response packet to the tree.\n");
- goto end;
- }
-
- iph2->status = PHASE2ST_COMMIT;
-
- error = 0;
-
-end:
- if (buf != NULL)
- vfree(buf);
- if (myhash != NULL)
- vfree(myhash);
- if (notify != NULL)
- vfree(notify);
-
- return error;
-}
-
-int
-tunnel_mode_prop(p)
- struct saprop *p;
-{
- struct saproto *pr;
-
- for (pr = p->head; pr; pr = pr->next)
- if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL)
- return 1;
- return 0;
-}
-
-/*
- * set SA to kernel.
- */
-int
-quick_r3prep(iph2, msg0)
- struct ph2handle *iph2;
- vchar_t *msg0;
-{
- int error = ISAKMP_INTERNAL_ERROR;
-
- /* validity check */
- if (iph2->status != PHASE2ST_STATUS6) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatched %d.\n", iph2->status);
- goto end;
- }
-
- /* compute both of KEYMATs */
- if (oakley_compute_keymat(iph2, RESPONDER) < 0)
- goto end;
-
- iph2->status = PHASE2ST_ADDSA;
- iph2->flags ^= ISAKMP_FLAG_C; /* reset bit */
-
- /* don't anything if local test mode. */
- if (f_local) {
- error = 0;
- goto end;
- }
-
- /* Do UPDATE as responder */
- plog(LLV_DEBUG, LOCATION, NULL, "call pk_sendupdate\n");
- if (pk_sendupdate(iph2) < 0) {
- plog(LLV_ERROR, LOCATION, NULL, "pfkey update failed.\n");
- goto end;
- }
- plog(LLV_DEBUG, LOCATION, NULL, "pfkey update sent.\n");
-
- /* Do ADD for responder */
- if (pk_sendadd(iph2) < 0) {
- plog(LLV_ERROR, LOCATION, NULL, "pfkey add failed.\n");
- goto end;
- }
- plog(LLV_DEBUG, LOCATION, NULL, "pfkey add sent.\n");
-
- /*
- * set policies into SPD if the policy is generated
- * from peer's policy.
- */
- if (iph2->spidx_gen) {
-
- struct policyindex *spidx;
- struct sockaddr_storage addr;
- u_int8_t pref;
- struct sockaddr *src = iph2->src;
- struct sockaddr *dst = iph2->dst;
-
- /* make inbound policy */
- iph2->src = dst;
- iph2->dst = src;
- if (pk_sendspdupdate2(iph2) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "pfkey spdupdate2(inbound) failed.\n");
- goto end;
- }
- plog(LLV_DEBUG, LOCATION, NULL,
- "pfkey spdupdate2(inbound) sent.\n");
-
- spidx = (struct policyindex *)iph2->spidx_gen;
-#ifdef HAVE_POLICY_FWD
- /* make forward policy if required */
- if (tunnel_mode_prop(iph2->approval)) {
- spidx->dir = IPSEC_DIR_FWD;
- if (pk_sendspdupdate2(iph2) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "pfkey spdupdate2(forward) failed.\n");
- goto end;
- }
- plog(LLV_DEBUG, LOCATION, NULL,
- "pfkey spdupdate2(forward) sent.\n");
- }
-#endif
-
- /* make outbound policy */
- iph2->src = src;
- iph2->dst = dst;
- spidx->dir = IPSEC_DIR_OUTBOUND;
- addr = spidx->src;
- spidx->src = spidx->dst;
- spidx->dst = addr;
- pref = spidx->prefs;
- spidx->prefs = spidx->prefd;
- spidx->prefd = pref;
-
- if (pk_sendspdupdate2(iph2) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "pfkey spdupdate2(outbound) failed.\n");
- goto end;
- }
- plog(LLV_DEBUG, LOCATION, NULL,
- "pfkey spdupdate2(outbound) sent.\n");
-
- /* spidx_gen is unnecessary any more */
- delsp_bothdir((struct policyindex *)iph2->spidx_gen);
- racoon_free(iph2->spidx_gen);
- iph2->spidx_gen = NULL;
- iph2->generated_spidx=1;
- }
-
- error = 0;
-
-end:
- return error;
-}
-
-/*
- * create HASH, body (SA, NONCE) payload with isakmp header.
- */
-static vchar_t *
-quick_ir1mx(iph2, body, hash)
- struct ph2handle *iph2;
- vchar_t *body, *hash;
-{
- struct isakmp *isakmp;
- vchar_t *buf = NULL, *new = NULL;
- char *p;
- int tlen;
- struct isakmp_gen *gen;
- int error = ISAKMP_INTERNAL_ERROR;
-
- /* create buffer for isakmp payload */
- tlen = sizeof(*isakmp)
- + sizeof(*gen) + hash->l
- + body->l;
- buf = vmalloc(tlen);
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get buffer to send.\n");
- goto end;
- }
-
- /* re-set encryption flag, for serurity. */
- iph2->flags |= ISAKMP_FLAG_E;
-
- /* set isakmp header */
- p = set_isakmp_header2(buf, iph2, ISAKMP_NPTYPE_HASH);
- if (p == NULL)
- goto end;
-
- /* add HASH payload */
- /* XXX is next type always SA ? */
- p = set_isakmp_payload(p, hash, ISAKMP_NPTYPE_SA);
-
- /* add body payload */
- memcpy(p, body->v, body->l);
-
-#ifdef HAVE_PRINT_ISAKMP_C
- isakmp_printpacket(buf, iph2->ph1->local, iph2->ph1->remote, 1);
-#endif
-
- /* encoding */
- new = oakley_do_encrypt(iph2->ph1, buf, iph2->ivm->ive, iph2->ivm->iv);
-
- if (new == NULL)
- goto end;
-
- vfree(buf);
-
- buf = new;
-
- error = 0;
-
-end:
- if (error && buf != NULL) {
- vfree(buf);
- buf = NULL;
- }
-
- return buf;
-}
-
-/*
- * get remote's sainfo.
- * NOTE: this function is for responder.
- */
-static int
-get_sainfo_r(iph2)
- struct ph2handle *iph2;
-{
- vchar_t *idsrc = NULL, *iddst = NULL;
- int prefixlen;
- int error = ISAKMP_INTERNAL_ERROR;
- int remoteid = 0;
-
- if (iph2->id == NULL) {
- switch (iph2->src->sa_family) {
- case AF_INET:
- prefixlen = sizeof(struct in_addr) << 3;
- break;
- case AF_INET6:
- prefixlen = sizeof(struct in6_addr) << 3;
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid family: %d\n", iph2->src->sa_family);
- goto end;
- }
- idsrc = ipsecdoi_sockaddr2id(iph2->src, prefixlen,
- IPSEC_ULPROTO_ANY);
- } else {
- idsrc = vdup(iph2->id);
- }
- if (idsrc == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to set ID for source.\n");
- goto end;
- }
-
- if (iph2->id_p == NULL) {
- switch (iph2->dst->sa_family) {
- case AF_INET:
- prefixlen = sizeof(struct in_addr) << 3;
- break;
- case AF_INET6:
- prefixlen = sizeof(struct in6_addr) << 3;
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid family: %d\n", iph2->dst->sa_family);
- goto end;
- }
- iddst = ipsecdoi_sockaddr2id(iph2->dst, prefixlen,
- IPSEC_ULPROTO_ANY);
- } else {
- iddst = vdup(iph2->id_p);
- }
- if (iddst == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to set ID for destination.\n");
- goto end;
- }
-
- {
- struct remoteconf *conf;
- conf = getrmconf(iph2->dst);
- if (conf != NULL)
- remoteid=conf->ph1id;
- else{
- plog(LLV_DEBUG, LOCATION, NULL, "Warning: no valid rmconf !\n");
- remoteid=0;
- }
-
- }
-
- iph2->sainfo = getsainfo(idsrc, iddst, iph2->ph1->id_p, remoteid);
- if (iph2->sainfo == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get sainfo.\n");
- goto end;
- }
-
-#ifdef ENABLE_HYBRID
- /* xauth group inclusion check */
- if (iph2->sainfo->group != NULL)
- if(group_check(iph2->ph1,&iph2->sainfo->group->v,1))
- goto end;
-#endif
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "selected sainfo: %s\n", sainfo2str(iph2->sainfo));
-
- error = 0;
-end:
- if (idsrc)
- vfree(idsrc);
- if (iddst)
- vfree(iddst);
-
- return error;
-}
-
-/*
- * Copy both IP addresses in ID payloads into [src,dst]_id if both ID types
- * are IP address and same address family.
- * Then get remote's policy from SPD copied from kernel.
- * If the type of ID payload is address or subnet type, then the index is
- * made from the payload. If there is no ID payload, or the type of ID
- * payload is NOT address type, then the index is made from the address
- * pair of phase 1.
- * NOTE: This function is only for responder.
- */
-static int
-get_proposal_r(iph2)
- struct ph2handle *iph2;
-{
- struct policyindex spidx;
- struct secpolicy *sp_in, *sp_out;
- int idi2type = 0; /* switch whether copy IDs into id[src,dst]. */
- int error = ISAKMP_INTERNAL_ERROR;
-
- /* check the existence of ID payload */
- if ((iph2->id_p != NULL && iph2->id == NULL)
- || (iph2->id_p == NULL && iph2->id != NULL)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Both IDs wasn't found in payload.\n");
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
- }
-
- /* make sure if id[src,dst] is null. */
- if (iph2->src_id || iph2->dst_id) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Why do ID[src,dst] exist already.\n");
- return ISAKMP_INTERNAL_ERROR;
- }
-
- memset(&spidx, 0, sizeof(spidx));
-
-#define _XIDT(d) ((struct ipsecdoi_id_b *)(d)->v)->type
-
- /* make a spidx; a key to search SPD */
- spidx.dir = IPSEC_DIR_INBOUND;
- spidx.ul_proto = 0;
-
- /*
- * make destination address in spidx from either ID payload
- * or phase 1 address into a address in spidx.
- */
- if (iph2->id != NULL
- && (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
- || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR
- || _XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR_SUBNET
- || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
- /* get a destination address of a policy */
- error = ipsecdoi_id2sockaddr(iph2->id,
- (struct sockaddr *)&spidx.dst,
- &spidx.prefd, &spidx.ul_proto);
- if (error)
- return error;
-
-#ifdef INET6
- /*
- * get scopeid from the SA address.
- * note that the phase 1 source address is used as
- * a destination address to search for a inbound policy entry
- * because rcoon is responder.
- */
- if (_XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR) {
- error = setscopeid((struct sockaddr *)&spidx.dst,
- iph2->src);
- if (error)
- return error;
- }
-#endif
-
- if (_XIDT(iph2->id) == IPSECDOI_ID_IPV4_ADDR
- || _XIDT(iph2->id) == IPSECDOI_ID_IPV6_ADDR)
- idi2type = _XIDT(iph2->id);
-
- } else {
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "get a destination address of SP index "
- "from phase1 address "
- "due to no ID payloads found "
- "OR because ID type is not address.\n");
-
- /*
- * copy the SOURCE address of IKE into the DESTINATION address
- * of the key to search the SPD because the direction of policy
- * is inbound.
- */
- memcpy(&spidx.dst, iph2->src, sysdep_sa_len(iph2->src));
- switch (spidx.dst.ss_family) {
- case AF_INET:
- spidx.prefd = sizeof(struct in_addr) << 3;
- break;
-#ifdef INET6
- case AF_INET6:
- spidx.prefd = sizeof(struct in6_addr) << 3;
- break;
-#endif
- default:
- spidx.prefd = 0;
- break;
- }
- }
-
- /* make source address in spidx */
- if (iph2->id_p != NULL
- && (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR
- || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR
- || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV4_ADDR_SUBNET
- || _XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR_SUBNET)) {
- /* get a source address of inbound SA */
- error = ipsecdoi_id2sockaddr(iph2->id_p,
- (struct sockaddr *)&spidx.src,
- &spidx.prefs, &spidx.ul_proto);
- if (error)
- return error;
-
-#ifdef INET6
- /*
- * get scopeid from the SA address.
- * for more detail, see above of this function.
- */
- if (_XIDT(iph2->id_p) == IPSECDOI_ID_IPV6_ADDR) {
- error = setscopeid((struct sockaddr *)&spidx.src,
- iph2->dst);
- if (error)
- return error;
- }
-#endif
-
- /* make id[src,dst] if both ID types are IP address and same */
- if (_XIDT(iph2->id_p) == idi2type
- && spidx.dst.ss_family == spidx.src.ss_family) {
- iph2->src_id = dupsaddr((struct sockaddr *)&spidx.dst);
- if (iph2->src_id == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "buffer allocation failed.\n");
- return ISAKMP_INTERNAL_ERROR;
- }
- iph2->dst_id = dupsaddr((struct sockaddr *)&spidx.src);
- if (iph2->dst_id == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "buffer allocation failed.\n");
- return ISAKMP_INTERNAL_ERROR;
- }
- }
-
- } else {
- plog(LLV_DEBUG, LOCATION, NULL,
- "get a source address of SP index "
- "from phase1 address "
- "due to no ID payloads found "
- "OR because ID type is not address.\n");
-
- /* see above comment. */
- memcpy(&spidx.src, iph2->dst, sysdep_sa_len(iph2->dst));
- switch (spidx.src.ss_family) {
- case AF_INET:
- spidx.prefs = sizeof(struct in_addr) << 3;
- break;
-#ifdef INET6
- case AF_INET6:
- spidx.prefs = sizeof(struct in6_addr) << 3;
- break;
-#endif
- default:
- spidx.prefs = 0;
- break;
- }
- }
-
-#undef _XIDT
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "get a src address from ID payload "
- "%s prefixlen=%u ul_proto=%u\n",
- saddr2str((struct sockaddr *)&spidx.src),
- spidx.prefs, spidx.ul_proto);
- plog(LLV_DEBUG, LOCATION, NULL,
- "get dst address from ID payload "
- "%s prefixlen=%u ul_proto=%u\n",
- saddr2str((struct sockaddr *)&spidx.dst),
- spidx.prefd, spidx.ul_proto);
-
- /*
- * convert the ul_proto if it is 0
- * because 0 in ID payload means a wild card.
- */
- if (spidx.ul_proto == 0)
- spidx.ul_proto = IPSEC_ULPROTO_ANY;
-
-#ifdef HAVE_SECCTX
- /*
- * Need to use security context in spidx to ensure the correct
- * policy is selected. The only way to get the security context
- * is to look into the proposal sent by peer ahead of time.
- */
- if (get_security_context(iph2->sa, &spidx)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "error occurred trying to get security context.\n");
- return ISAKMP_INTERNAL_ERROR;
- }
-#endif /* HAVE_SECCTX */
-
- /* get inbound policy */
- sp_in = getsp_r(&spidx);
- if (sp_in == NULL) {
- if (iph2->ph1->rmconf->gen_policy) {
- plog(LLV_INFO, LOCATION, NULL,
- "no policy found, "
- "try to generate the policy : %s\n",
- spidx2str(&spidx));
- iph2->spidx_gen = racoon_malloc(sizeof(spidx));
- if (!iph2->spidx_gen) {
- plog(LLV_ERROR, LOCATION, NULL,
- "buffer allocation failed.\n");
- return ISAKMP_INTERNAL_ERROR;
- }
- memcpy(iph2->spidx_gen, &spidx, sizeof(spidx));
- return -2; /* special value */
- }
- plog(LLV_ERROR, LOCATION, NULL,
- "no policy found: %s\n", spidx2str(&spidx));
- return ISAKMP_INTERNAL_ERROR;
- }
- /* Refresh existing generated policies
- */
- if (iph2->ph1->rmconf->gen_policy) {
- plog(LLV_INFO, LOCATION, NULL,
- "Update the generated policy : %s\n",
- spidx2str(&spidx));
- iph2->spidx_gen = racoon_malloc(sizeof(spidx));
- if (!iph2->spidx_gen) {
- plog(LLV_ERROR, LOCATION, NULL,
- "buffer allocation failed.\n");
- return ISAKMP_INTERNAL_ERROR;
- }
- memcpy(iph2->spidx_gen, &spidx, sizeof(spidx));
- }
-
- /* get outbound policy */
- {
- struct sockaddr_storage addr;
- u_int8_t pref;
-
- spidx.dir = IPSEC_DIR_OUTBOUND;
- addr = spidx.src;
- spidx.src = spidx.dst;
- spidx.dst = addr;
- pref = spidx.prefs;
- spidx.prefs = spidx.prefd;
- spidx.prefd = pref;
-
- sp_out = getsp_r(&spidx);
- if (!sp_out) {
- plog(LLV_WARNING, LOCATION, NULL,
- "no outbound policy found: %s\n",
- spidx2str(&spidx));
- }
- }
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "suitable SP found:%s\n", spidx2str(&spidx));
-
- /*
- * In the responder side, the inbound policy should be using IPsec.
- * outbound policy is not checked currently.
- */
- if (sp_in->policy != IPSEC_POLICY_IPSEC) {
- plog(LLV_ERROR, LOCATION, NULL,
- "policy found, but no IPsec required: %s\n",
- spidx2str(&spidx));
- return ISAKMP_INTERNAL_ERROR;
- }
-
- /* set new proposal derived from a policy into the iph2->proposal. */
- if (set_proposal_from_policy(iph2, sp_in, sp_out) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to create saprop.\n");
- return ISAKMP_INTERNAL_ERROR;
- }
-
-#ifdef HAVE_SECCTX
- if (spidx.sec_ctx.ctx_str) {
- set_secctx_in_proposal(iph2, spidx);
- }
-#endif /* HAVE_SECCTX */
-
- return 0;
-}
-
diff --git a/src/racoon/isakmp_quick.h b/src/racoon/isakmp_quick.h
deleted file mode 100644
index 71eeecf..0000000
--- a/src/racoon/isakmp_quick.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/* $NetBSD: isakmp_quick.h,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* Id: isakmp_quick.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _ISAKMP_QUICK_H
-#define _ISAKMP_QUICK_H
-
-extern int quick_i1prep __P((struct ph2handle *, vchar_t *));
-extern int quick_i1send __P((struct ph2handle *, vchar_t *));
-extern int quick_i2recv __P((struct ph2handle *, vchar_t *));
-extern int quick_i2send __P((struct ph2handle *, vchar_t *));
-extern int quick_i3recv __P((struct ph2handle *, vchar_t *));
-
-extern int quick_r1recv __P((struct ph2handle *, vchar_t *));
-extern int quick_r1prep __P((struct ph2handle *, vchar_t *));
-extern int quick_r2send __P((struct ph2handle *, vchar_t *));
-extern int quick_r3recv __P((struct ph2handle *, vchar_t *));
-extern int quick_r3send __P((struct ph2handle *, vchar_t *));
-extern int quick_r3prep __P((struct ph2handle *, vchar_t *));
-
-#endif /* _ISAKMP_QUICK_H */
diff --git a/src/racoon/isakmp_unity.c b/src/racoon/isakmp_unity.c
deleted file mode 100644
index 7a332e3..0000000
--- a/src/racoon/isakmp_unity.c
+++ /dev/null
@@ -1,411 +0,0 @@
-/* $NetBSD: isakmp_unity.c,v 1.7 2006/10/09 06:17:20 manu Exp $ */
-
-/* Id: isakmp_unity.c,v 1.10 2006/07/31 04:49:23 manubsd Exp */
-
-/*
- * Copyright (C) 2004 Emmanuel Dreyfus
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/queue.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <fcntl.h>
-#include <string.h>
-#include <errno.h>
-#if TIME_WITH_SYS_TIME
-# include <sys/time.h>
-# include <time.h>
-#else
-# if HAVE_SYS_TIME_H
-# include <sys/time.h>
-# else
-# include <time.h>
-# endif
-#endif
-#include <netdb.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-#include <ctype.h>
-#include <resolv.h>
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "sockmisc.h"
-#include "schedule.h"
-#include "debug.h"
-
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "handler.h"
-#include "isakmp_xauth.h"
-#include "isakmp_unity.h"
-#include "isakmp_cfg.h"
-#include "strnames.h"
-
-static vchar_t *isakmp_cfg_split(struct ph1handle *,
- struct isakmp_data *, struct unity_netentry*,int);
-
-vchar_t *
-isakmp_unity_req(iph1, attr)
- struct ph1handle *iph1;
- struct isakmp_data *attr;
-{
- int type;
- vchar_t *reply_attr = NULL;
-
- if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_UNITY) == 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Unity mode config request but the peer "
- "did not declare itself as unity compliant\n");
- return NULL;
- }
-
- type = ntohs(attr->type);
-
- /* Handle short attributes */
- if ((type & ISAKMP_GEN_MASK) == ISAKMP_GEN_TV) {
- type &= ~ISAKMP_GEN_MASK;
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "Short attribute %s = %d\n",
- s_isakmp_cfg_type(type), ntohs(attr->lorv));
-
- switch (type) {
- default:
- plog(LLV_DEBUG, LOCATION, NULL,
- "Ignored short attribute %s\n",
- s_isakmp_cfg_type(type));
- break;
- }
-
- return reply_attr;
- }
-
- switch(type) {
- case UNITY_BANNER: {
-#define MAXMOTD 65536
- char buf[MAXMOTD + 1];
- int fd;
- char *filename = &isakmp_cfg_config.motd[0];
- int len;
-
- if ((fd = open(filename, O_RDONLY, 0)) == -1) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot open \"%s\"\n", filename);
- return NULL;
- }
-
- if ((len = read(fd, buf, MAXMOTD)) == -1) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot read \"%s\"\n", filename);
- close(fd);
- return NULL;
- }
- close(fd);
-
- buf[len] = '\0';
- reply_attr = isakmp_cfg_string(iph1, attr, buf);
-
- break;
- }
-
- case UNITY_PFS:
- reply_attr = isakmp_cfg_short(iph1, attr,
- isakmp_cfg_config.pfs_group);
- break;
-
- case UNITY_SAVE_PASSWD:
- reply_attr = isakmp_cfg_short(iph1, attr,
- isakmp_cfg_config.save_passwd);
- break;
-
- case UNITY_DDNS_HOSTNAME:
- reply_attr = isakmp_cfg_copy(iph1, attr);
- break;
-
- case UNITY_DEF_DOMAIN:
- reply_attr = isakmp_cfg_string(iph1,
- attr, isakmp_cfg_config.default_domain);
- break;
-
- case UNITY_SPLIT_INCLUDE:
- if(isakmp_cfg_config.splitnet_type == UNITY_SPLIT_INCLUDE)
- reply_attr = isakmp_cfg_split(iph1, attr,
- isakmp_cfg_config.splitnet_list,
- isakmp_cfg_config.splitnet_count);
- else
- return NULL;
- break;
- case UNITY_LOCAL_LAN:
- if(isakmp_cfg_config.splitnet_type == UNITY_LOCAL_LAN)
- reply_attr = isakmp_cfg_split(iph1, attr,
- isakmp_cfg_config.splitnet_list,
- isakmp_cfg_config.splitnet_count);
- else
- return NULL;
- break;
- case UNITY_SPLITDNS_NAME:
- reply_attr = isakmp_cfg_varlen(iph1, attr,
- isakmp_cfg_config.splitdns_list,
- isakmp_cfg_config.splitdns_len);
- break;
- case UNITY_FW_TYPE:
- case UNITY_NATT_PORT:
- case UNITY_BACKUP_SERVERS:
- default:
- plog(LLV_DEBUG, LOCATION, NULL,
- "Ignored attribute %s\n", s_isakmp_cfg_type(type));
- return NULL;
- break;
- }
-
- return reply_attr;
-}
-
-void
-isakmp_unity_reply(iph1, attr)
- struct ph1handle *iph1;
- struct isakmp_data *attr;
-{
- int type = ntohs(attr->type);
- int alen = ntohs(attr->lorv);
-
- struct unity_network *network = (struct unity_network *)(attr + 1);
- int index = 0;
- int count = 0;
-
- switch(type) {
- case UNITY_SPLIT_INCLUDE:
- {
- if (alen)
- count = alen / sizeof(struct unity_network);
-
- for(;index < count; index++)
- splitnet_list_add(
- &iph1->mode_cfg->split_include,
- &network[index],
- &iph1->mode_cfg->include_count);
-
- iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_SPLIT_INCLUDE;
- break;
- }
- case UNITY_LOCAL_LAN:
- {
- if (alen)
- count = alen / sizeof(struct unity_network);
-
- for(;index < count; index++)
- splitnet_list_add(
- &iph1->mode_cfg->split_local,
- &network[index],
- &iph1->mode_cfg->local_count);
-
- iph1->mode_cfg->flags |= ISAKMP_CFG_GOT_SPLIT_LOCAL;
- break;
- }
- case UNITY_SPLITDNS_NAME:
- case UNITY_BANNER:
- case UNITY_SAVE_PASSWD:
- case UNITY_NATT_PORT:
- case UNITY_PFS:
- case UNITY_FW_TYPE:
- case UNITY_BACKUP_SERVERS:
- case UNITY_DDNS_HOSTNAME:
- default:
- plog(LLV_WARNING, LOCATION, NULL,
- "Ignored attribute %s\n",
- s_isakmp_cfg_type(type));
- break;
- }
- return;
-}
-
-static vchar_t *
-isakmp_cfg_split(iph1, attr, netentry, count)
- struct ph1handle *iph1;
- struct isakmp_data *attr;
- struct unity_netentry *netentry;
- int count;
-{
- vchar_t *buffer;
- struct isakmp_data *new;
- struct unity_network * network;
- size_t len;
- int index = 0;
-
- char tmp1[40];
- char tmp2[40];
-
- len = sizeof(struct unity_network) * count;
- if ((buffer = vmalloc(sizeof(*attr) + len)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate memory\n");
- return NULL;
- }
-
- new = (struct isakmp_data *)buffer->v;
- new->type = attr->type;
- new->lorv = htons(len);
-
- network = (struct unity_network *)(new + 1);
- for (; index < count; index++) {
-
- memcpy(&network[index],
- &netentry->network,
- sizeof(struct unity_network));
-
- inet_ntop(AF_INET, &netentry->network.addr4, tmp1, 40);
- inet_ntop(AF_INET, &netentry->network.mask4, tmp2, 40);
- plog(LLV_DEBUG, LOCATION, NULL, "splitnet: %s/%s\n", tmp1, tmp2);
-
- netentry = netentry->next;
- }
-
- return buffer;
-}
-
-int splitnet_list_add(list, network, count)
- struct unity_netentry ** list;
- struct unity_network * network;
- int *count;
-{
- struct unity_netentry * newentry;
-
- /*
- * allocate new netentry and copy
- * new splitnet network data
- */
- newentry = (struct unity_netentry *)
- racoon_malloc(sizeof(struct unity_netentry));
- if (newentry == NULL)
- return -1;
-
- memcpy(&newentry->network,network,
- sizeof(struct unity_network));
- newentry->next = NULL;
-
- /*
- * locate the last netentry in our
- * splitnet list and add our entry
- */
- if (*list == NULL)
- *list = newentry;
- else {
- struct unity_netentry * tmpentry = *list;
- while (tmpentry->next != NULL)
- tmpentry = tmpentry->next;
- tmpentry->next = newentry;
- }
-
- (*count)++;
-
- return 0;
-}
-
-void splitnet_list_free(list, count)
- struct unity_netentry * list;
- int *count;
-{
- struct unity_netentry * netentry = list;
- struct unity_netentry * delentry;
-
- *count = 0;
-
- while (netentry != NULL) {
- delentry = netentry;
- netentry = netentry->next;
- racoon_free(delentry);
- }
-}
-
-char * splitnet_list_2str(list, splitnet_ipaddr)
- struct unity_netentry * list;
- enum splinet_ipaddr splitnet_ipaddr;
-{
- struct unity_netentry * netentry;
- char tmp1[40];
- char tmp2[40];
- char * str;
- int len;
-
- /* determine string length */
- len = 1;
- netentry = list;
- while (netentry != NULL) {
-
- inet_ntop(AF_INET, &netentry->network.addr4, tmp1, 40);
- inet_ntop(AF_INET, &netentry->network.mask4, tmp2, 40);
- len += strlen(tmp1);
- len += strlen(tmp2);
- len += 2;
-
- netentry = netentry->next;
- }
-
- /* allocate network list string */
- str = racoon_malloc(len);
- if (str == NULL)
- return NULL;
-
- /* create network list string */
- len = 0;
- netentry = list;
- while (netentry != NULL) {
-
- inet_ntop(AF_INET, &netentry->network.addr4, tmp1, 40);
- inet_ntop(AF_INET, &netentry->network.mask4, tmp2, 40);
- if (splitnet_ipaddr == CIDR) {
- uint32_t tmp3;
- int cidrmask;
-
- tmp3 = ntohl(netentry->network.mask4.s_addr);
- for (cidrmask = 0; tmp3 != 0; cidrmask++)
- tmp3 <<= 1;
- len += sprintf(str+len, "%s/%d ", tmp1, cidrmask);
- } else {
- len += sprintf(str+len, "%s/%s ", tmp1, tmp2);
- }
-
- netentry = netentry->next;
- }
-
- str[len]=0;
-
- return str;
-}
diff --git a/src/racoon/isakmp_unity.h b/src/racoon/isakmp_unity.h
deleted file mode 100644
index f564197..0000000
--- a/src/racoon/isakmp_unity.h
+++ /dev/null
@@ -1,74 +0,0 @@
-/* $NetBSD: isakmp_unity.h,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* $KAME$ */
-
-/*
- * Copyright (C) 2004 Emmanuel Dreyfus
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-enum splinet_ipaddr { NETMASK, CIDR };
-
-/* ISAKMP notifies specific to the Unity vendor Id */
-/* Sent during xauth if the user types his password too slowly */
-#define ISAKMP_NTYPE_UNITY_HEARTBEAT 40500
-
-/* ISAKMP mode config attributes specific to the Unity vendor Id */
-#define UNITY_BANNER 28672
-#define UNITY_SAVE_PASSWD 28673
-#define UNITY_DEF_DOMAIN 28674
-#define UNITY_SPLITDNS_NAME 28675
-#define UNITY_SPLIT_INCLUDE 28676
-#define UNITY_NATT_PORT 28677
-#define UNITY_LOCAL_LAN 28678
-#define UNITY_PFS 28679
-#define UNITY_FW_TYPE 28680
-#define UNITY_BACKUP_SERVERS 28681
-#define UNITY_DDNS_HOSTNAME 28682
-
-/*
- * Unity adress/mask lists
- * XXX : the padding is probably there for something !
- */
-
-struct unity_network {
- struct in_addr addr4;
- struct in_addr mask4;
- char padding[6];
-} __attribute__((__packed__));
-
-struct unity_netentry {
- struct unity_network network;
- struct unity_netentry *next;
-};
-
-int splitnet_list_add(struct unity_netentry **, struct unity_network *, int *);
-void splitnet_list_free(struct unity_netentry *, int *);
-char * splitnet_list_2str(struct unity_netentry *, enum splinet_ipaddr);
-
-vchar_t *isakmp_unity_req(struct ph1handle *, struct isakmp_data *);
-void isakmp_unity_reply(struct ph1handle *, struct isakmp_data *);
diff --git a/src/racoon/isakmp_var.h b/src/racoon/isakmp_var.h
deleted file mode 100644
index f4ef45d..0000000
--- a/src/racoon/isakmp_var.h
+++ /dev/null
@@ -1,132 +0,0 @@
-/* $NetBSD: isakmp_var.h,v 1.6.6.1 2007/02/20 09:08:49 vanhu Exp $ */
-
-/* Id: isakmp_var.h,v 1.12 2005/05/07 14:45:31 manubsd Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _ISAKMP_VAR_H
-#define _ISAKMP_VAR_H
-
-#include "vmbuf.h"
-
-#define PORT_ISAKMP 500
-#define PORT_ISAKMP_NATT 4500
-
-#define DEFAULT_NONCE_SIZE 16
-
-typedef u_char cookie_t[8];
-typedef u_char msgid_t[4];
-
-typedef struct { /* i_cookie + r_cookie */
- cookie_t i_ck;
- cookie_t r_ck;
-} isakmp_index;
-
-struct isakmp_gen;
-struct sched;
-
-struct sockaddr;
-struct ph1handle;
-struct ph2handle;
-struct remoteconf;
-struct isakmp_gen;
-struct ipsecdoi_pl_id; /* XXX */
-struct isakmp_pl_ke; /* XXX */
-struct isakmp_pl_nonce; /* XXX */
-
-extern int isakmp_handler __P((int));
-extern int isakmp_ph1begin_i __P((struct remoteconf *, struct sockaddr *,
- struct sockaddr *));
-
-extern vchar_t *isakmp_parsewoh __P((int, struct isakmp_gen *, int));
-extern vchar_t *isakmp_parse __P((vchar_t *));
-
-extern int isakmp_init __P((void));
-extern const char *isakmp_pindex __P((const isakmp_index *, const u_int32_t));
-extern int isakmp_open __P((void));
-extern void isakmp_close __P((void));
-extern int isakmp_send __P((struct ph1handle *, vchar_t *));
-
-extern void isakmp_ph1resend_stub __P((void *));
-extern int isakmp_ph1resend __P((struct ph1handle *));
-extern void isakmp_ph2resend_stub __P((void *));
-extern int isakmp_ph2resend __P((struct ph2handle *));
-extern void isakmp_ph1expire_stub __P((void *));
-extern void isakmp_ph1expire __P((struct ph1handle *));
-extern void isakmp_ph1delete_stub __P((void *));
-extern void isakmp_ph1delete __P((struct ph1handle *));
-extern void isakmp_ph2expire_stub __P((void *));
-extern void isakmp_ph2expire __P((struct ph2handle *));
-extern void isakmp_ph2delete_stub __P((void *));
-extern void isakmp_ph2delete __P((struct ph2handle *));
-
-extern int isakmp_post_acquire __P((struct ph2handle *));
-extern int isakmp_post_getspi __P((struct ph2handle *));
-extern void isakmp_chkph1there_stub __P((void *));
-extern void isakmp_chkph1there __P((struct ph2handle *));
-
-extern caddr_t isakmp_set_attr_v __P((caddr_t, int, caddr_t, int));
-extern caddr_t isakmp_set_attr_l __P((caddr_t, int, u_int32_t));
-extern vchar_t *isakmp_add_attr_v __P((vchar_t *, int, caddr_t, int));
-extern vchar_t *isakmp_add_attr_l __P((vchar_t *, int, u_int32_t));
-
-extern int isakmp_newcookie __P((caddr_t, struct sockaddr *, struct sockaddr *));
-
-extern int isakmp_p2ph __P((vchar_t **, struct isakmp_gen *));
-
-extern u_int32_t isakmp_newmsgid2 __P((struct ph1handle *));
-extern caddr_t set_isakmp_header1 __P((vchar_t *, struct ph1handle *, int));
-extern caddr_t set_isakmp_header2 __P((vchar_t *, struct ph2handle *, int));
-extern caddr_t set_isakmp_payload __P((caddr_t, vchar_t *, int));
-
-extern struct payload_list *isakmp_plist_append __P((struct payload_list *plist,
- vchar_t *payload, int payload_type));
-extern vchar_t *isakmp_plist_set_all __P((struct payload_list **plist,
- struct ph1handle *iph1));
-
-#ifdef HAVE_PRINT_ISAKMP_C
-extern void isakmp_printpacket __P((vchar_t *, struct sockaddr *,
- struct sockaddr *, int));
-#endif
-
-extern int copy_ph1addresses __P(( struct ph1handle *,
- struct remoteconf *, struct sockaddr *, struct sockaddr *));
-extern void log_ph1established __P((const struct ph1handle *));
-
-extern void script_hook __P((struct ph1handle *, int));
-extern int script_env_append __P((char ***, int *, char *, char *));
-extern int script_exec __P((char *, int, char * const *));
-
-void purge_remote __P((struct ph1handle *));
-void delete_spd __P((struct ph2handle *, u_int64_t));
-#ifdef INET6
-u_int32_t setscopeid __P((struct sockaddr *, struct sockaddr *));
-#endif
-#endif /* _ISAKMP_VAR_H */
diff --git a/src/racoon/isakmp_xauth.c b/src/racoon/isakmp_xauth.c
deleted file mode 100644
index 3f62587..0000000
--- a/src/racoon/isakmp_xauth.c
+++ /dev/null
@@ -1,1704 +0,0 @@
-/* $NetBSD: isakmp_xauth.c,v 1.11.6.2 2009/04/20 13:35:36 tteras Exp $ */
-
-/* Id: isakmp_xauth.c,v 1.38 2006/08/22 18:17:17 manubsd Exp */
-
-/*
- * Copyright (C) 2004-2005 Emmanuel Dreyfus
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/queue.h>
-
-#include <netinet/in.h>
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#include <pwd.h>
-#include <grp.h>
-#if TIME_WITH_SYS_TIME
-# include <sys/time.h>
-# include <time.h>
-#else
-# if HAVE_SYS_TIME_H
-# include <sys/time.h>
-# else
-# include <time.h>
-# endif
-#endif
-#include <netdb.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-#include <ctype.h>
-#include <resolv.h>
-
-#ifdef HAVE_SHADOW_H
-#include <shadow.h>
-#endif
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "sockmisc.h"
-#include "schedule.h"
-#include "debug.h"
-
-#include "crypto_openssl.h"
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "admin.h"
-#include "privsep.h"
-#include "evt.h"
-#include "handler.h"
-#include "throttle.h"
-#include "remoteconf.h"
-#include "isakmp_inf.h"
-#include "isakmp_xauth.h"
-#include "isakmp_unity.h"
-#include "isakmp_cfg.h"
-#include "strnames.h"
-#include "ipsec_doi.h"
-#include "remoteconf.h"
-#include "localconf.h"
-
-#ifdef HAVE_LIBRADIUS
-#include <radlib.h>
-
-struct rad_handle *radius_auth_state = NULL;
-struct rad_handle *radius_acct_state = NULL;
-#endif
-
-#ifdef HAVE_LIBPAM
-#include <security/pam_appl.h>
-
-static char *PAM_usr = NULL;
-static char *PAM_pwd = NULL;
-static int PAM_conv(int, const struct pam_message **,
- struct pam_response **, void *);
-static struct pam_conv PAM_chat = { &PAM_conv, NULL };
-#endif
-
-#ifdef HAVE_LIBLDAP
-#include "ldap.h"
-#include <arpa/inet.h>
-struct xauth_ldap_config xauth_ldap_config;
-#endif
-
-void
-xauth_sendreq(iph1)
- struct ph1handle *iph1;
-{
- vchar_t *buffer;
- struct isakmp_pl_attr *attr;
- struct isakmp_data *typeattr;
- struct isakmp_data *usrattr;
- struct isakmp_data *pwdattr;
- struct xauth_state *xst = &iph1->mode_cfg->xauth;
- size_t tlen;
-
- /* Status checks */
- if (iph1->status != PHASE1ST_ESTABLISHED) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Xauth request while phase 1 is not completed\n");
- return;
- }
-
- if (xst->status != XAUTHST_NOTYET) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Xauth request whith Xauth state %d\n", xst->status);
- return;
- }
-
- plog(LLV_INFO, LOCATION, NULL, "Sending Xauth request\n");
-
- tlen = sizeof(*attr) +
- + sizeof(*typeattr) +
- + sizeof(*usrattr) +
- + sizeof(*pwdattr);
-
- if ((buffer = vmalloc(tlen)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n");
- return;
- }
-
- attr = (struct isakmp_pl_attr *)buffer->v;
- memset(attr, 0, tlen);
-
- attr->h.len = htons(tlen);
- attr->type = ISAKMP_CFG_REQUEST;
- attr->id = htons(eay_random());
-
- typeattr = (struct isakmp_data *)(attr + 1);
- typeattr->type = htons(XAUTH_TYPE | ISAKMP_GEN_TV);
- typeattr->lorv = htons(XAUTH_TYPE_GENERIC);
-
- usrattr = (struct isakmp_data *)(typeattr + 1);
- usrattr->type = htons(XAUTH_USER_NAME | ISAKMP_GEN_TLV);
- usrattr->lorv = htons(0);
-
- pwdattr = (struct isakmp_data *)(usrattr + 1);
- pwdattr->type = htons(XAUTH_USER_PASSWORD | ISAKMP_GEN_TLV);
- pwdattr->lorv = htons(0);
-
- isakmp_cfg_send(iph1, buffer,
- ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1);
-
- vfree(buffer);
-
- xst->status = XAUTHST_REQSENT;
-
- return;
-}
-
-int
-xauth_attr_reply(iph1, attr, id)
- struct ph1handle *iph1;
- struct isakmp_data *attr;
- int id;
-{
- char **outlet = NULL;
- size_t alen = 0;
- int type;
- struct xauth_state *xst = &iph1->mode_cfg->xauth;
-
- if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Xauth reply but peer did not declare "
- "itself as Xauth capable\n");
- return -1;
- }
-
- if (xst->status != XAUTHST_REQSENT) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Xauth reply while Xauth state is %d\n", xst->status);
- return -1;
- }
-
- type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;
- switch (type) {
- case XAUTH_TYPE:
- switch (ntohs(attr->lorv)) {
- case XAUTH_TYPE_GENERIC:
- xst->authtype = XAUTH_TYPE_GENERIC;
- break;
- default:
- plog(LLV_WARNING, LOCATION, NULL,
- "Unexpected authentication type %d\n",
- ntohs(type));
- return -1;
- }
- break;
-
- case XAUTH_USER_NAME:
- outlet = &xst->authdata.generic.usr;
- break;
-
- case XAUTH_USER_PASSWORD:
- outlet = &xst->authdata.generic.pwd;
- break;
-
- default:
- plog(LLV_WARNING, LOCATION, NULL,
- "ignored Xauth attribute %d\n", type);
- break;
- }
-
- if (outlet != NULL) {
- alen = ntohs(attr->lorv);
-
- if ((*outlet = racoon_malloc(alen + 1)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot allocate memory for Xauth Data\n");
- return -1;
- }
-
- memcpy(*outlet, attr + 1, alen);
- (*outlet)[alen] = '\0';
- outlet = NULL;
- }
-
-
- if ((xst->authdata.generic.usr != NULL) &&
- (xst->authdata.generic.pwd != NULL)) {
- int port;
- int res;
- char *usr = xst->authdata.generic.usr;
- char *pwd = xst->authdata.generic.pwd;
- time_t throttle_delay = 0;
-
-#if 0 /* Real debug, don't do that at home */
- plog(LLV_DEBUG, LOCATION, NULL,
- "Got username \"%s\", password \"%s\"\n", usr, pwd);
-#endif
- strncpy(iph1->mode_cfg->login, usr, LOGINLEN);
- iph1->mode_cfg->login[LOGINLEN] = '\0';
-
- res = -1;
- if ((port = isakmp_cfg_getport(iph1)) == -1) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Port pool depleted\n");
- goto skip_auth;
- }
-
- switch (isakmp_cfg_config.authsource) {
- case ISAKMP_CFG_AUTH_SYSTEM:
- res = privsep_xauth_login_system(usr, pwd);
- break;
-#ifdef HAVE_LIBRADIUS
- case ISAKMP_CFG_AUTH_RADIUS:
- res = xauth_login_radius(iph1, usr, pwd);
- break;
-#endif
-#ifdef HAVE_LIBPAM
- case ISAKMP_CFG_AUTH_PAM:
- res = privsep_xauth_login_pam(iph1->mode_cfg->port,
- iph1->remote, usr, pwd);
- break;
-#endif
-#ifdef HAVE_LIBLDAP
- case ISAKMP_CFG_AUTH_LDAP:
- res = xauth_login_ldap(iph1, usr, pwd);
- break;
-#endif
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "Unexpected authentication source\n");
- res = -1;
- break;
- }
-
- /*
- * Optional group authentication
- */
- if (!res && (isakmp_cfg_config.groupcount))
- res = group_check(iph1,
- isakmp_cfg_config.grouplist,
- isakmp_cfg_config.groupcount);
-
- /*
- * On failure, throttle the connexion for the remote host
- * in order to make password attacks more difficult.
- */
- throttle_delay = throttle_host(iph1->remote, res) - time(NULL);
- if (throttle_delay > 0) {
- char *str;
-
- str = saddrwop2str(iph1->remote);
-
- plog(LLV_ERROR, LOCATION, NULL,
- "Throttling in action for %s: delay %lds\n",
- str, (unsigned long)throttle_delay);
- res = -1;
- } else {
- throttle_delay = 0;
- }
-
-skip_auth:
- if (throttle_delay != 0) {
- struct xauth_reply_arg *xra;
-
- if ((xra = racoon_malloc(sizeof(*xra))) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "malloc failed, bypass throttling\n");
- return xauth_reply(iph1, port, id, res);
- }
-
- /*
- * We need to store the ph1, but it might have
- * disapeared when xauth_reply is called, so
- * store the index instead.
- */
- xra->index = iph1->index;
- xra->port = port;
- xra->id = id;
- xra->res = res;
- sched_new(throttle_delay, xauth_reply_stub, xra);
- } else {
- return xauth_reply(iph1, port, id, res);
- }
- }
-
- return 0;
-}
-
-void
-xauth_reply_stub(args)
- void *args;
-{
- struct xauth_reply_arg *xra = (struct xauth_reply_arg *)args;
- struct ph1handle *iph1;
-
- if ((iph1 = getph1byindex(&xra->index)) != NULL)
- (void)xauth_reply(iph1, xra->port, xra->id, xra->res);
- else
- plog(LLV_ERROR, LOCATION, NULL,
- "Delayed Xauth reply: phase 1 no longer exists.\n");
-
- racoon_free(xra);
- return;
-}
-
-int
-xauth_reply(iph1, port, id, res)
- struct ph1handle *iph1;
- int port;
- int id;
-#if defined(ANDROID_CHANGES)
- int res;
-#endif
-{
- struct xauth_state *xst = &iph1->mode_cfg->xauth;
- char *usr = xst->authdata.generic.usr;
-
- if (res != 0) {
- if (port != -1)
- isakmp_cfg_putport(iph1, port);
-
- plog(LLV_INFO, LOCATION, NULL,
- "login failed for user \"%s\"\n", usr);
-
- xauth_sendstatus(iph1, XAUTH_STATUS_FAIL, id);
- xst->status = XAUTHST_NOTYET;
-
- /* Delete Phase 1 SA */
- if (iph1->status == PHASE1ST_ESTABLISHED)
- isakmp_info_send_d1(iph1);
- remph1(iph1);
- delph1(iph1);
-
- return -1;
- }
-
- xst->status = XAUTHST_OK;
- plog(LLV_INFO, LOCATION, NULL,
- "login succeeded for user \"%s\"\n", usr);
-
- xauth_sendstatus(iph1, XAUTH_STATUS_OK, id);
-
- return 0;
-}
-
-void
-xauth_sendstatus(iph1, status, id)
- struct ph1handle *iph1;
- int status;
- int id;
-{
- vchar_t *buffer;
- struct isakmp_pl_attr *attr;
- struct isakmp_data *stattr;
- size_t tlen;
-
- tlen = sizeof(*attr) +
- + sizeof(*stattr);
-
- if ((buffer = vmalloc(tlen)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "Cannot allocate buffer\n");
- return;
- }
-
- attr = (struct isakmp_pl_attr *)buffer->v;
- memset(attr, 0, tlen);
-
- attr->h.len = htons(tlen);
- attr->type = ISAKMP_CFG_SET;
- attr->id = htons(id);
-
- stattr = (struct isakmp_data *)(attr + 1);
- stattr->type = htons(XAUTH_STATUS | ISAKMP_GEN_TV);
- stattr->lorv = htons(status);
-
- isakmp_cfg_send(iph1, buffer,
- ISAKMP_NPTYPE_ATTR, ISAKMP_FLAG_E, 1);
-
- vfree(buffer);
-
- return;
-}
-
-#ifdef HAVE_LIBRADIUS
-int
-xauth_radius_init(void)
-{
- /* For first time use, initialize Radius */
- if ((isakmp_cfg_config.authsource == ISAKMP_CFG_AUTH_RADIUS) &&
- (radius_auth_state == NULL)) {
- if ((radius_auth_state = rad_auth_open()) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot init libradius\n");
- return -1;
- }
-
- if (rad_config(radius_auth_state, NULL) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot open librarius config file: %s\n",
- rad_strerror(radius_auth_state));
- rad_close(radius_auth_state);
- radius_auth_state = NULL;
- return -1;
- }
- }
-
- if ((isakmp_cfg_config.accounting == ISAKMP_CFG_ACCT_RADIUS) &&
- (radius_acct_state == NULL)) {
- if ((radius_acct_state = rad_acct_open()) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot init libradius\n");
- return -1;
- }
-
- if (rad_config(radius_acct_state, NULL) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot open librarius config file: %s\n",
- rad_strerror(radius_acct_state));
- rad_close(radius_acct_state);
- radius_acct_state = NULL;
- return -1;
- }
- }
-
- return 0;
-}
-
-int
-xauth_login_radius(iph1, usr, pwd)
- struct ph1handle *iph1;
- char *usr;
- char *pwd;
-{
- int res;
- const void *data;
- size_t len;
- int type;
-
- if (rad_create_request(radius_auth_state, RAD_ACCESS_REQUEST) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "rad_create_request failed: %s\n",
- rad_strerror(radius_auth_state));
- return -1;
- }
-
- if (rad_put_string(radius_auth_state, RAD_USER_NAME, usr) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "rad_put_string failed: %s\n",
- rad_strerror(radius_auth_state));
- return -1;
- }
-
- if (rad_put_string(radius_auth_state, RAD_USER_PASSWORD, pwd) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "rad_put_string failed: %s\n",
- rad_strerror(radius_auth_state));
- return -1;
- }
-
- if (isakmp_cfg_radius_common(radius_auth_state, iph1->mode_cfg->port) != 0)
- return -1;
-
- switch (res = rad_send_request(radius_auth_state)) {
- case RAD_ACCESS_ACCEPT:
- while ((type = rad_get_attr(radius_auth_state, &data, &len)) != 0) {
- switch (type) {
- case RAD_FRAMED_IP_ADDRESS:
- iph1->mode_cfg->addr4 = rad_cvt_addr(data);
- iph1->mode_cfg->flags
- |= ISAKMP_CFG_ADDR4_EXTERN;
- break;
-
- case RAD_FRAMED_IP_NETMASK:
- iph1->mode_cfg->mask4 = rad_cvt_addr(data);
- iph1->mode_cfg->flags
- |= ISAKMP_CFG_MASK4_EXTERN;
- break;
-
- default:
- plog(LLV_INFO, LOCATION, NULL,
- "Unexpected attribute: %d\n", type);
- break;
- }
- }
-
- return 0;
- break;
-
- case RAD_ACCESS_REJECT:
- return -1;
- break;
-
- case -1:
- plog(LLV_ERROR, LOCATION, NULL,
- "rad_send_request failed: %s\n",
- rad_strerror(radius_auth_state));
- return -1;
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "rad_send_request returned %d\n", res);
- return -1;
- break;
- }
-
- return -1;
-}
-#endif
-
-#ifdef HAVE_LIBPAM
-static int
-PAM_conv(msg_count, msg, rsp, dontcare)
- int msg_count;
- const struct pam_message **msg;
- struct pam_response **rsp;
- void *dontcare;
-{
- int i;
- int replies = 0;
- struct pam_response *reply = NULL;
-
- if ((reply = racoon_malloc(sizeof(*reply) * msg_count)) == NULL)
- return PAM_CONV_ERR;
- bzero(reply, sizeof(*reply) * msg_count);
-
- for (i = 0; i < msg_count; i++) {
- switch (msg[i]->msg_style) {
- case PAM_PROMPT_ECHO_ON:
- /* Send the username, libpam frees resp */
- reply[i].resp_retcode = PAM_SUCCESS;
- if ((reply[i].resp = strdup(PAM_usr)) == NULL) {
- plog(LLV_ERROR, LOCATION,
- NULL, "strdup failed\n");
- exit(1);
- }
- break;
-
- case PAM_PROMPT_ECHO_OFF:
- /* Send the password, libpam frees resp */
- reply[i].resp_retcode = PAM_SUCCESS;
- if ((reply[i].resp = strdup(PAM_pwd)) == NULL) {
- plog(LLV_ERROR, LOCATION,
- NULL, "strdup failed\n");
- exit(1);
- }
- break;
-
- case PAM_TEXT_INFO:
- case PAM_ERROR_MSG:
- reply[i].resp_retcode = PAM_SUCCESS;
- reply[i].resp = NULL;
- break;
-
- default:
- if (reply != NULL)
- racoon_free(reply);
- return PAM_CONV_ERR;
- break;
- }
- }
-
- if (reply != NULL)
- *rsp = reply;
-
- return PAM_SUCCESS;
-}
-
-int
-xauth_login_pam(port, raddr, usr, pwd)
- int port;
- struct sockaddr *raddr;
- char *usr;
- char *pwd;
-{
- int error;
- int res;
- const void *data;
- size_t len;
- int type;
- char *remote = NULL;
- pam_handle_t *pam = NULL;
-
- if (isakmp_cfg_config.port_pool == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "isakmp_cfg_config.port_pool == NULL\n");
- return -1;
- }
-
- if ((error = pam_start("racoon", usr,
- &PAM_chat, &isakmp_cfg_config.port_pool[port].pam)) != 0) {
- if (isakmp_cfg_config.port_pool[port].pam == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "pam_start failed\n");
- return -1;
- } else {
- plog(LLV_ERROR, LOCATION, NULL,
- "pam_start failed: %s\n",
- pam_strerror(isakmp_cfg_config.port_pool[port].pam,
- error));
- goto out;
- }
- }
- pam = isakmp_cfg_config.port_pool[port].pam;
-
- if ((remote = strdup(saddrwop2str(raddr))) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "cannot allocate memory: %s\n", strerror(errno));
- goto out;
- }
-
- if ((error = pam_set_item(pam, PAM_RHOST, remote)) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "pam_set_item failed: %s\n",
- pam_strerror(pam, error));
- goto out;
- }
-
- PAM_usr = usr;
- PAM_pwd = pwd;
- error = pam_authenticate(pam, 0);
- PAM_usr = NULL;
- PAM_pwd = NULL;
- if (error != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "pam_authenticate failed: %s\n",
- pam_strerror(pam, error));
- goto out;
- }
-
- if ((error = pam_acct_mgmt(pam, 0)) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "pam_acct_mgmt failed: %s\n",
- pam_strerror(pam, error));
- goto out;
- }
-
- if ((error = pam_setcred(pam, 0)) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "pam_setcred failed: %s\n",
- pam_strerror(pam, error));
- goto out;
- }
-
- if (remote != NULL)
- free(remote);
-
- return 0;
-
-out:
- pam_end(pam, error);
- isakmp_cfg_config.port_pool[port].pam = NULL;
- if (remote != NULL)
- free(remote);
- return -1;
-}
-#endif
-
-#ifdef HAVE_LIBLDAP
-int
-xauth_ldap_init(void)
-{
- int tmplen;
- int error = -1;
-
- xauth_ldap_config.pver = 3;
- xauth_ldap_config.host = NULL;
- xauth_ldap_config.port = LDAP_PORT;
- xauth_ldap_config.base = NULL;
- xauth_ldap_config.subtree = 0;
- xauth_ldap_config.bind_dn = NULL;
- xauth_ldap_config.bind_pw = NULL;
- xauth_ldap_config.auth_type = LDAP_AUTH_SIMPLE;
- xauth_ldap_config.attr_user = NULL;
- xauth_ldap_config.attr_addr = NULL;
- xauth_ldap_config.attr_mask = NULL;
- xauth_ldap_config.attr_group = NULL;
- xauth_ldap_config.attr_member = NULL;
-
- /* set default host */
- tmplen = strlen(LDAP_DFLT_HOST);
- xauth_ldap_config.host = vmalloc(tmplen);
- if (xauth_ldap_config.host == NULL)
- goto out;
- memcpy(xauth_ldap_config.host->v, LDAP_DFLT_HOST, tmplen);
-
- /* set default user naming attribute */
- tmplen = strlen(LDAP_DFLT_USER);
- xauth_ldap_config.attr_user = vmalloc(tmplen);
- if (xauth_ldap_config.attr_user == NULL)
- goto out;
- memcpy(xauth_ldap_config.attr_user->v, LDAP_DFLT_USER, tmplen);
-
- /* set default address attribute */
- tmplen = strlen(LDAP_DFLT_ADDR);
- xauth_ldap_config.attr_addr = vmalloc(tmplen);
- if (xauth_ldap_config.attr_addr == NULL)
- goto out;
- memcpy(xauth_ldap_config.attr_addr->v, LDAP_DFLT_ADDR, tmplen);
-
- /* set default netmask attribute */
- tmplen = strlen(LDAP_DFLT_MASK);
- xauth_ldap_config.attr_mask = vmalloc(tmplen);
- if (xauth_ldap_config.attr_mask == NULL)
- goto out;
- memcpy(xauth_ldap_config.attr_mask->v, LDAP_DFLT_MASK, tmplen);
-
- /* set default group naming attribute */
- tmplen = strlen(LDAP_DFLT_GROUP);
- xauth_ldap_config.attr_group = vmalloc(tmplen);
- if (xauth_ldap_config.attr_group == NULL)
- goto out;
- memcpy(xauth_ldap_config.attr_group->v, LDAP_DFLT_GROUP, tmplen);
-
- /* set default member attribute */
- tmplen = strlen(LDAP_DFLT_MEMBER);
- xauth_ldap_config.attr_member = vmalloc(tmplen);
- if (xauth_ldap_config.attr_member == NULL)
- goto out;
- memcpy(xauth_ldap_config.attr_member->v, LDAP_DFLT_MEMBER, tmplen);
-
- error = 0;
-out:
- if (error != 0)
- plog(LLV_ERROR, LOCATION, NULL, "cannot allocate memory\n");
-
- return error;
-}
-
-int
-xauth_login_ldap(iph1, usr, pwd)
- struct ph1handle *iph1;
- char *usr;
- char *pwd;
-{
- int rtn = -1;
- int res = -1;
- LDAP *ld = NULL;
- LDAPMessage *lr = NULL;
- LDAPMessage *le = NULL;
- struct berval cred;
- struct berval **bv = NULL;
- struct timeval timeout;
- char *init = NULL;
- char *filter = NULL;
- char *atlist[3];
- char *basedn = NULL;
- char *userdn = NULL;
- int tmplen = 0;
- int ecount = 0;
- int scope = LDAP_SCOPE_ONE;
-
- atlist[0] = NULL;
- atlist[1] = NULL;
- atlist[2] = NULL;
-
- /* build our initialization url */
- tmplen = strlen("ldap://:") + 17;
- tmplen += strlen(xauth_ldap_config.host->v);
- init = racoon_malloc(tmplen);
- if (init == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "unable to alloc ldap init url\n");
- goto ldap_end;
- }
- sprintf(init,"ldap://%s:%d",
- xauth_ldap_config.host->v,
- xauth_ldap_config.port );
-
- /* initialize the ldap handle */
- res = ldap_initialize(&ld, init);
- if (res != LDAP_SUCCESS) {
- plog(LLV_ERROR, LOCATION, NULL,
- "ldap_initialize failed: %s\n",
- ldap_err2string(res));
- goto ldap_end;
- }
-
- /* initialize the protocol version */
- ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
- &xauth_ldap_config.pver);
-
- /*
- * attempt to bind to the ldap server.
- * default to anonymous bind unless a
- * user dn and password has been
- * specified in our configuration
- */
- if ((xauth_ldap_config.bind_dn != NULL)&&
- (xauth_ldap_config.bind_pw != NULL))
- {
- cred.bv_val = xauth_ldap_config.bind_pw->v;
- cred.bv_len = strlen( cred.bv_val );
- res = ldap_sasl_bind_s(ld,
- xauth_ldap_config.bind_dn->v, NULL, &cred,
- NULL, NULL, NULL);
- }
- else
- {
- res = ldap_sasl_bind_s(ld,
- NULL, NULL, NULL,
- NULL, NULL, NULL);
- }
-
- if (res!=LDAP_SUCCESS) {
- plog(LLV_ERROR, LOCATION, NULL,
- "ldap_sasl_bind_s (search) failed: %s\n",
- ldap_err2string(res));
- goto ldap_end;
- }
-
- /* build an ldap user search filter */
- tmplen = strlen(xauth_ldap_config.attr_user->v);
- tmplen += 1;
- tmplen += strlen(usr);
- tmplen += 1;
- filter = racoon_malloc(tmplen);
- if (filter == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "unable to alloc ldap search filter buffer\n");
- goto ldap_end;
- }
- sprintf(filter, "%s=%s",
- xauth_ldap_config.attr_user->v, usr);
-
- /* build our return attribute list */
- tmplen = strlen(xauth_ldap_config.attr_addr->v) + 1;
- atlist[0] = racoon_malloc(tmplen);
- tmplen = strlen(xauth_ldap_config.attr_mask->v) + 1;
- atlist[1] = racoon_malloc(tmplen);
- if ((atlist[0] == NULL)||(atlist[1] == NULL)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "unable to alloc ldap attrib list buffer\n");
- goto ldap_end;
- }
- strcpy(atlist[0],xauth_ldap_config.attr_addr->v);
- strcpy(atlist[1],xauth_ldap_config.attr_mask->v);
-
- /* attempt to locate the user dn */
- if (xauth_ldap_config.base != NULL)
- basedn = xauth_ldap_config.base->v;
- if (xauth_ldap_config.subtree)
- scope = LDAP_SCOPE_SUBTREE;
- timeout.tv_sec = 15;
- timeout.tv_usec = 0;
- res = ldap_search_ext_s(ld, basedn, scope,
- filter, atlist, 0, NULL, NULL,
- &timeout, 2, &lr);
- if (res != LDAP_SUCCESS) {
- plog(LLV_ERROR, LOCATION, NULL,
- "ldap_search_ext_s failed: %s\n",
- ldap_err2string(res));
- goto ldap_end;
- }
-
- /* check the number of ldap entries returned */
- ecount = ldap_count_entries(ld, lr);
- if (ecount < 1) {
- plog(LLV_WARNING, LOCATION, NULL,
- "no ldap results for filter \'%s\'\n",
- filter);
- goto ldap_end;
- }
- if (ecount > 1) {
- plog(LLV_WARNING, LOCATION, NULL,
- "multiple (%i) ldap results for filter \'%s\'\n",
- ecount, filter);
- }
-
- /* obtain the dn from the first result */
- le = ldap_first_entry(ld, lr);
- if (le == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "ldap_first_entry failed: invalid entry returned\n");
- goto ldap_end;
- }
- userdn = ldap_get_dn(ld, le);
- if (userdn == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "ldap_get_dn failed: invalid string returned\n");
- goto ldap_end;
- }
-
- /* cache the user dn in the xauth state */
- iph1->mode_cfg->xauth.udn = racoon_malloc(strlen(userdn)+1);
- strcpy(iph1->mode_cfg->xauth.udn,userdn);
-
- /* retrieve modecfg address */
- bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_addr->v);
- if (bv != NULL) {
- char tmpaddr[16];
- /* sanity check for address value */
- if ((bv[0]->bv_len < 7)||(bv[0]->bv_len > 15)) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "ldap returned invalid modecfg address\n");
- ldap_value_free_len(bv);
- goto ldap_end;
- }
- memcpy(tmpaddr,bv[0]->bv_val,bv[0]->bv_len);
- tmpaddr[bv[0]->bv_len]=0;
- iph1->mode_cfg->addr4.s_addr = inet_addr(tmpaddr);
- iph1->mode_cfg->flags |= ISAKMP_CFG_ADDR4_EXTERN;
- plog(LLV_INFO, LOCATION, NULL,
- "ldap returned modecfg address %s\n", tmpaddr);
- ldap_value_free_len(bv);
- }
-
- /* retrieve modecfg netmask */
- bv = ldap_get_values_len(ld, le, xauth_ldap_config.attr_mask->v);
- if (bv != NULL) {
- char tmpmask[16];
- /* sanity check for netmask value */
- if ((bv[0]->bv_len < 7)||(bv[0]->bv_len > 15)) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "ldap returned invalid modecfg netmask\n");
- ldap_value_free_len(bv);
- goto ldap_end;
- }
- memcpy(tmpmask,bv[0]->bv_val,bv[0]->bv_len);
- tmpmask[bv[0]->bv_len]=0;
- iph1->mode_cfg->mask4.s_addr = inet_addr(tmpmask);
- iph1->mode_cfg->flags |= ISAKMP_CFG_MASK4_EXTERN;
- plog(LLV_INFO, LOCATION, NULL,
- "ldap returned modecfg netmask %s\n", tmpmask);
- ldap_value_free_len(bv);
- }
-
- /*
- * finally, use the dn and the xauth
- * password to check the users given
- * credentials by attempting to bind
- * to the ldap server
- */
- plog(LLV_INFO, LOCATION, NULL,
- "attempting ldap bind for dn \'%s\'\n", userdn);
- cred.bv_val = pwd;
- cred.bv_len = strlen( cred.bv_val );
- res = ldap_sasl_bind_s(ld,
- userdn, NULL, &cred,
- NULL, NULL, NULL);
- if(res==LDAP_SUCCESS)
- rtn = 0;
-
-ldap_end:
-
- /* free ldap resources */
- if (userdn != NULL)
- ldap_memfree(userdn);
- if (atlist[0] != NULL)
- racoon_free(atlist[0]);
- if (atlist[1] != NULL)
- racoon_free(atlist[1]);
- if (filter != NULL)
- racoon_free(filter);
- if (lr != NULL)
- ldap_msgfree(lr);
- if (init != NULL)
- racoon_free(init);
-
- ldap_unbind_ext_s(ld, NULL, NULL);
-
- return rtn;
-}
-
-int
-xauth_group_ldap(udn, grp)
- char * udn;
- char * grp;
-{
- int rtn = -1;
- int res = -1;
- LDAP *ld = NULL;
- LDAPMessage *lr = NULL;
- LDAPMessage *le = NULL;
- struct berval cred;
- struct timeval timeout;
- char *init = NULL;
- char *filter = NULL;
- char *basedn = NULL;
- char *groupdn = NULL;
- int tmplen = 0;
- int ecount = 0;
- int scope = LDAP_SCOPE_ONE;
-
- /* build our initialization url */
- tmplen = strlen("ldap://:") + 17;
- tmplen += strlen(xauth_ldap_config.host->v);
- init = racoon_malloc(tmplen);
- if (init == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "unable to alloc ldap init url\n");
- goto ldap_group_end;
- }
- sprintf(init,"ldap://%s:%d",
- xauth_ldap_config.host->v,
- xauth_ldap_config.port );
-
- /* initialize the ldap handle */
- res = ldap_initialize(&ld, init);
- if (res != LDAP_SUCCESS) {
- plog(LLV_ERROR, LOCATION, NULL,
- "ldap_initialize failed: %s\n",
- ldap_err2string(res));
- goto ldap_group_end;
- }
-
- /* initialize the protocol version */
- ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION,
- &xauth_ldap_config.pver);
-
- /*
- * attempt to bind to the ldap server.
- * default to anonymous bind unless a
- * user dn and password has been
- * specified in our configuration
- */
- if ((xauth_ldap_config.bind_dn != NULL)&&
- (xauth_ldap_config.bind_pw != NULL))
- {
- cred.bv_val = xauth_ldap_config.bind_pw->v;
- cred.bv_len = strlen( cred.bv_val );
- res = ldap_sasl_bind_s(ld,
- xauth_ldap_config.bind_dn->v, NULL, &cred,
- NULL, NULL, NULL);
- }
- else
- {
- res = ldap_sasl_bind_s(ld,
- NULL, NULL, NULL,
- NULL, NULL, NULL);
- }
-
- if (res!=LDAP_SUCCESS) {
- plog(LLV_ERROR, LOCATION, NULL,
- "ldap_sasl_bind_s (search) failed: %s\n",
- ldap_err2string(res));
- goto ldap_group_end;
- }
-
- /* build an ldap group search filter */
- tmplen = strlen("(&(=)(=))") + 1;
- tmplen += strlen(xauth_ldap_config.attr_group->v);
- tmplen += strlen(grp);
- tmplen += strlen(xauth_ldap_config.attr_member->v);
- tmplen += strlen(udn);
- filter = racoon_malloc(tmplen);
- if (filter == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "unable to alloc ldap search filter buffer\n");
- goto ldap_group_end;
- }
- sprintf(filter, "(&(%s=%s)(%s=%s))",
- xauth_ldap_config.attr_group->v, grp,
- xauth_ldap_config.attr_member->v, udn);
-
- /* attempt to locate the group dn */
- if (xauth_ldap_config.base != NULL)
- basedn = xauth_ldap_config.base->v;
- if (xauth_ldap_config.subtree)
- scope = LDAP_SCOPE_SUBTREE;
- timeout.tv_sec = 15;
- timeout.tv_usec = 0;
- res = ldap_search_ext_s(ld, basedn, scope,
- filter, NULL, 0, NULL, NULL,
- &timeout, 2, &lr);
- if (res != LDAP_SUCCESS) {
- plog(LLV_ERROR, LOCATION, NULL,
- "ldap_search_ext_s failed: %s\n",
- ldap_err2string(res));
- goto ldap_group_end;
- }
-
- /* check the number of ldap entries returned */
- ecount = ldap_count_entries(ld, lr);
- if (ecount < 1) {
- plog(LLV_WARNING, LOCATION, NULL,
- "no ldap results for filter \'%s\'\n",
- filter);
- goto ldap_group_end;
- }
-
- /* success */
- rtn = 0;
-
- /* obtain the dn from the first result */
- le = ldap_first_entry(ld, lr);
- if (le == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "ldap_first_entry failed: invalid entry returned\n");
- goto ldap_group_end;
- }
- groupdn = ldap_get_dn(ld, le);
- if (groupdn == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "ldap_get_dn failed: invalid string returned\n");
- goto ldap_group_end;
- }
-
- plog(LLV_INFO, LOCATION, NULL,
- "ldap membership group returned \'%s\'\n", groupdn);
-ldap_group_end:
-
- /* free ldap resources */
- if (groupdn != NULL)
- ldap_memfree(groupdn);
- if (filter != NULL)
- racoon_free(filter);
- if (lr != NULL)
- ldap_msgfree(lr);
- if (init != NULL)
- racoon_free(init);
-
- ldap_unbind_ext_s(ld, NULL, NULL);
-
- return rtn;
-}
-
-#endif
-
-#ifndef ANDROID_PATCHED
-
-int
-xauth_login_system(usr, pwd)
- char *usr;
- char *pwd;
-{
- struct passwd *pw;
- char *cryptpwd;
- char *syscryptpwd;
-#ifdef HAVE_SHADOW_H
- struct spwd *spw;
-
- if ((spw = getspnam(usr)) == NULL)
- return -1;
-
- syscryptpwd = spw->sp_pwdp;
-#endif
-
- if ((pw = getpwnam(usr)) == NULL)
- return -1;
-
-#ifndef HAVE_SHADOW_H
- syscryptpwd = pw->pw_passwd;
-#endif
-
- /* No root login. Ever. */
- if (pw->pw_uid == 0)
- return -1;
-
- if ((cryptpwd = crypt(pwd, syscryptpwd)) == NULL)
- return -1;
-
- if (strcmp(cryptpwd, syscryptpwd) == 0)
- return 0;
-
- return -1;
-}
-
-#endif
-
-int
-xauth_group_system(usr, grp)
- char * usr;
- char * grp;
-{
- struct group * gr;
- char * member;
- int index = 0;
-
- gr = getgrnam(grp);
- if (gr == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "the system group name \'%s\' is unknown\n",
- grp);
- return -1;
- }
-
- while ((member = gr->gr_mem[index++])!=NULL) {
- if (!strcmp(member,usr)) {
- plog(LLV_INFO, LOCATION, NULL,
- "membership validated\n");
- return 0;
- }
- }
-
- return -1;
-}
-
-int
-xauth_check(iph1)
- struct ph1handle *iph1;
-{
- struct xauth_state *xst = &iph1->mode_cfg->xauth;
-
- /*
- * Only the server side (edge device) really check for Xauth
- * status. It does it if the chose authmethod is using Xauth.
- * On the client side (roadwarrior), we don't check anything.
- */
- switch (AUTHMETHOD(iph1)) {
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
- /* The following are not yet implemented */
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
- if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Hybrid auth negotiated but peer did not "
- "announced as Xauth capable\n");
- return -1;
- }
-
- if (xst->status != XAUTHST_OK) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Hybrid auth negotiated but peer did not "
- "succeed Xauth exchange\n");
- return -1;
- }
-
- return 0;
- break;
- default:
- return 0;
- break;
- }
-
- return 0;
-}
-
-int
-group_check(iph1, grp_list, grp_count)
- struct ph1handle *iph1;
- char **grp_list;
- int grp_count;
-{
- int res = -1;
- int grp_index = 0;
- char * usr = NULL;
-
- /* check for presence of modecfg data */
-
- if(iph1->mode_cfg == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "xauth group specified but modecfg not found\n");
- return res;
- }
-
- /* loop through our group list */
-
- for(; grp_index < grp_count; grp_index++) {
-
- /* check for presence of xauth data */
-
- usr = iph1->mode_cfg->xauth.authdata.generic.usr;
-
- if(usr == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "xauth group specified but xauth not found\n");
- return res;
- }
-
- /* call appropriate group validation funtion */
-
- switch (isakmp_cfg_config.groupsource) {
-
- case ISAKMP_CFG_GROUP_SYSTEM:
- res = xauth_group_system(
- usr,
- grp_list[grp_index]);
- break;
-
-#ifdef HAVE_LIBLDAP
- case ISAKMP_CFG_GROUP_LDAP:
- res = xauth_group_ldap(
- iph1->mode_cfg->xauth.udn,
- grp_list[grp_index]);
- break;
-#endif
-
- default:
- /* we should never get here */
- plog(LLV_ERROR, LOCATION, NULL,
- "Unknown group auth source\n");
- break;
- }
-
- if( !res ) {
- plog(LLV_INFO, LOCATION, NULL,
- "user \"%s\" is a member of group \"%s\"\n",
- usr,
- grp_list[grp_index]);
- break;
- } else {
- plog(LLV_INFO, LOCATION, NULL,
- "user \"%s\" is not a member of group \"%s\"\n",
- usr,
- grp_list[grp_index]);
- }
- }
-
- return res;
-}
-
-vchar_t *
-isakmp_xauth_req(iph1, attr)
- struct ph1handle *iph1;
- struct isakmp_data *attr;
-{
- int type;
- size_t dlen = 0;
- int ashort = 0;
- int value = 0;
- vchar_t *buffer = NULL;
- char *mraw = NULL, *mdata;
- char *data;
- vchar_t *usr = NULL;
- vchar_t *pwd = NULL;
- size_t skip = 0;
- int freepwd = 0;
-
- if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Xauth mode config request but peer "
- "did not declare itself as Xauth capable\n");
- return NULL;
- }
-
- type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;
-
- /* Sanity checks */
- switch(type) {
- case XAUTH_TYPE:
- if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Unexpected long XAUTH_TYPE attribute\n");
- return NULL;
- }
- if (ntohs(attr->lorv) != XAUTH_TYPE_GENERIC) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Unsupported Xauth authentication %d\n",
- ntohs(attr->lorv));
- return NULL;
- }
- ashort = 1;
- dlen = 0;
- value = XAUTH_TYPE_GENERIC;
- break;
-
- case XAUTH_USER_NAME:
- if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login) {
- plog(LLV_ERROR, LOCATION, NULL, "Xauth performed "
- "with no login supplied\n");
- return NULL;
- }
-
- dlen = iph1->rmconf->xauth->login->l - 1;
- iph1->rmconf->xauth->state |= XAUTH_SENT_USERNAME;
- break;
-
-#ifdef ANDROID_PATCHED
- case XAUTH_PASSCODE:
-#endif
- case XAUTH_USER_PASSWORD:
- if (!iph1->rmconf->xauth || !iph1->rmconf->xauth->login)
- return NULL;
-
- skip = sizeof(struct ipsecdoi_id_b);
- usr = vmalloc(iph1->rmconf->xauth->login->l - 1 + skip);
- if (usr == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot allocate memory\n");
- return NULL;
- }
- memset(usr->v, 0, skip);
- memcpy(usr->v + skip,
- iph1->rmconf->xauth->login->v,
- iph1->rmconf->xauth->login->l - 1);
-
- if (iph1->rmconf->xauth->pass) {
- /* A key given through racoonctl */
- pwd = iph1->rmconf->xauth->pass;
- } else {
- if ((pwd = getpskbyname(usr)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "No password was found for login %s\n",
- iph1->rmconf->xauth->login->v);
- vfree(usr);
- return NULL;
- }
- /* We have to free it before returning */
- freepwd = 1;
- }
- vfree(usr);
-
- iph1->rmconf->xauth->state |= XAUTH_SENT_PASSWORD;
- dlen = pwd->l;
-
- break;
- case XAUTH_MESSAGE:
- if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) {
- dlen = ntohs(attr->lorv);
- if (dlen > 0) {
- mraw = (char*)(attr + 1);
- mdata = binsanitize(mraw, dlen);
- if (mdata == NULL) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "Cannot allocate memory\n");
- return NULL;
- }
- plog(LLV_NOTIFY,LOCATION, iph1->remote,
- "XAUTH Message: '%s'.\n",
- mdata);
- racoon_free(mdata);
- }
- }
- return NULL;
- default:
- plog(LLV_WARNING, LOCATION, NULL,
- "Ignored attribute %s\n", s_isakmp_cfg_type(type));
- return NULL;
- break;
- }
-
- if ((buffer = vmalloc(sizeof(*attr) + dlen)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot allocate memory\n");
- goto out;
- }
-
- attr = (struct isakmp_data *)buffer->v;
- if (ashort) {
- attr->type = htons(type | ISAKMP_GEN_TV);
- attr->lorv = htons(value);
- goto out;
- }
-
- attr->type = htons(type | ISAKMP_GEN_TLV);
- attr->lorv = htons(dlen);
- data = (char *)(attr + 1);
-
- switch(type) {
- case XAUTH_USER_NAME:
- /*
- * iph1->rmconf->xauth->login->v is valid,
- * we just checked it in the previous switch case
- */
- memcpy(data, iph1->rmconf->xauth->login->v, dlen);
- break;
-#ifdef ANDROID_PATCHED
- case XAUTH_PASSCODE:
-#endif
- case XAUTH_USER_PASSWORD:
- memcpy(data, pwd->v, dlen);
- break;
- default:
- break;
- }
-
-out:
- if (freepwd)
- vfree(pwd);
-
- return buffer;
-}
-
-vchar_t *
-isakmp_xauth_set(iph1, attr)
- struct ph1handle *iph1;
- struct isakmp_data *attr;
-{
- int type;
- vchar_t *buffer = NULL;
- char *data;
- struct xauth_state *xst;
- size_t dlen = 0;
- char* mraw = NULL, *mdata;
-
- if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Xauth mode config set but peer "
- "did not declare itself as Xauth capable\n");
- return NULL;
- }
-
- type = ntohs(attr->type) & ~ISAKMP_GEN_MASK;
-
- switch(type) {
- case XAUTH_STATUS:
- /*
- * We should only receive ISAKMP mode_cfg SET XAUTH_STATUS
- * when running as a client (initiator).
- */
- xst = &iph1->mode_cfg->xauth;
- switch(AUTHMETHOD(iph1)) {
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
- case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
- /* Not implemented ... */
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "Unexpected XAUTH_STATUS_OK\n");
- return NULL;
- break;
- }
-
- /* If we got a failure, delete iph1 */
- if (ntohs(attr->lorv) != XAUTH_STATUS_OK) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Xauth authentication failed\n");
-
- EVT_PUSH(iph1->local, iph1->remote,
- EVTT_XAUTH_FAILED, NULL);
-
- iph1->mode_cfg->flags |= ISAKMP_CFG_DELETE_PH1;
- } else {
- EVT_PUSH(iph1->local, iph1->remote,
- EVTT_XAUTH_SUCCESS, NULL);
- }
-
-
- /* We acknowledge it */
- break;
- case XAUTH_MESSAGE:
- if ((ntohs(attr->type) & ISAKMP_GEN_TV) == 0) {
- dlen = ntohs(attr->lorv);
- if (dlen > 0) {
- mraw = (char*)(attr + 1);
- mdata = binsanitize(mraw, dlen);
- if (mdata == NULL) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "Cannot allocate memory\n");
- return NULL;
- }
- plog(LLV_NOTIFY,LOCATION, iph1->remote,
- "XAUTH Message: '%s'.\n",
- mdata);
- racoon_free(mdata);
- }
- }
-
- default:
- plog(LLV_WARNING, LOCATION, NULL,
- "Ignored attribute %s\n", s_isakmp_cfg_type(type));
- return NULL;
- break;
- }
-
- if ((buffer = vmalloc(sizeof(*attr))) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot allocate memory\n");
- return NULL;
- }
-
- attr = (struct isakmp_data *)buffer->v;
- attr->type = htons(type | ISAKMP_GEN_TV);
- attr->lorv = htons(0);
-
- return buffer;
-}
-
-
-void
-xauth_rmstate(xst)
- struct xauth_state *xst;
-{
- switch (xst->authtype) {
- case XAUTH_TYPE_GENERIC:
- if (xst->authdata.generic.usr)
- racoon_free(xst->authdata.generic.usr);
-
- if (xst->authdata.generic.pwd)
- racoon_free(xst->authdata.generic.pwd);
-
- break;
-
- case XAUTH_TYPE_CHAP:
- case XAUTH_TYPE_OTP:
- case XAUTH_TYPE_SKEY:
- plog(LLV_WARNING, LOCATION, NULL,
- "Unsupported authtype %d\n", xst->authtype);
- break;
-
- default:
- plog(LLV_WARNING, LOCATION, NULL,
- "Unexpected authtype %d\n", xst->authtype);
- break;
- }
-
-#ifdef HAVE_LIBLDAP
- if (xst->udn != NULL)
- racoon_free(xst->udn);
-#endif
- return;
-}
-
-int
-xauth_rmconf_used(xauth_rmconf)
- struct xauth_rmconf **xauth_rmconf;
-{
- if (*xauth_rmconf == NULL) {
- *xauth_rmconf = racoon_malloc(sizeof(**xauth_rmconf));
- if (*xauth_rmconf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "xauth_rmconf_used: malloc failed\n");
- return -1;
- }
-
- (*xauth_rmconf)->login = NULL;
- (*xauth_rmconf)->pass = NULL;
- (*xauth_rmconf)->state = 0;
- }
-
- return 0;
-}
-
-void
-xauth_rmconf_delete(xauth_rmconf)
- struct xauth_rmconf **xauth_rmconf;
-{
- if (*xauth_rmconf != NULL) {
- if ((*xauth_rmconf)->login != NULL)
- vfree((*xauth_rmconf)->login);
- if ((*xauth_rmconf)->pass != NULL)
- vfree((*xauth_rmconf)->pass);
-
- racoon_free(*xauth_rmconf);
- *xauth_rmconf = NULL;
- }
-
- return;
-}
diff --git a/src/racoon/isakmp_xauth.h b/src/racoon/isakmp_xauth.h
deleted file mode 100644
index ebb5214..0000000
--- a/src/racoon/isakmp_xauth.h
+++ /dev/null
@@ -1,155 +0,0 @@
-/* $NetBSD: isakmp_xauth.h,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* $KAME$ */
-
-/*
- * Copyright (C) 2004 Emmanuel Dreyfus
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _ISAKMP_XAUTH_H
-#define _ISAKMP_XAUTH_H
-
-/* ISAKMP mode config attribute types specific to the Xauth vendor ID */
-#define XAUTH_TYPE 16520
-#define XAUTH_USER_NAME 16521
-#define XAUTH_USER_PASSWORD 16522
-#define XAUTH_PASSCODE 16523
-#define XAUTH_MESSAGE 16524
-#define XAUTH_CHALLENGE 16525
-#define XAUTH_DOMAIN 16526
-#define XAUTH_STATUS 16527
-#define XAUTH_NEXT_PIN 16528
-#define XAUTH_ANSWER 16529
-
-/* Types for XAUTH_TYPE */
-#define XAUTH_TYPE_GENERIC 0
-#define XAUTH_TYPE_CHAP 1
-#define XAUTH_TYPE_OTP 2
-#define XAUTH_TYPE_SKEY 3
-
-/* Values for XAUTH_STATUS */
-#define XAUTH_STATUS_FAIL 0
-#define XAUTH_STATUS_OK 1
-
-/* For phase 1 Xauth status */
-struct xauth_state {
- int status; /* authentication status, used only on server side */
- int vendorid;
- int authtype;
- union {
- struct authgeneric {
- char *usr;
- char *pwd;
- } generic;
- } authdata;
-#ifdef HAVE_LIBLDAP
- char *udn; /* ldap user dn */
-#endif
-};
-
-/* What's been sent */
-#define XAUTH_SENT_USERNAME 1
-#define XAUTH_SENT_PASSWORD 2
-#define XAUTH_SENT_EVERYTHING (XAUTH_SENT_USERNAME | XAUTH_SENT_PASSWORD)
-
-/* For rmconf Xauth data */
-struct xauth_rmconf {
- vchar_t *login; /* xauth login */
- vchar_t *pass; /* xauth password */
- int state; /* what's been sent */
-};
-
-/* status */
-#define XAUTHST_NOTYET 0
-#define XAUTHST_REQSENT 1
-#define XAUTHST_OK 2
-
-struct xauth_reply_arg {
- isakmp_index index;
- int port;
- int id;
- int res;
-};
-
-struct ph1handle;
-struct isakmp_data;
-void xauth_sendreq(struct ph1handle *);
-int xauth_attr_reply(struct ph1handle *, struct isakmp_data *, int);
-int xauth_login_system(char *, char *);
-void xauth_sendstatus(struct ph1handle *, int, int);
-int xauth_check(struct ph1handle *);
-int group_check(struct ph1handle *, char **, int);
-vchar_t *isakmp_xauth_req(struct ph1handle *, struct isakmp_data *);
-vchar_t *isakmp_xauth_set(struct ph1handle *, struct isakmp_data *);
-void xauth_rmstate(struct xauth_state *);
-void xauth_reply_stub(void *);
-int xauth_reply(struct ph1handle *, int, int, int);
-int xauth_rmconf_used(struct xauth_rmconf **);
-void xauth_rmconf_delete(struct xauth_rmconf **);
-
-#ifdef HAVE_LIBRADIUS
-int xauth_login_radius(struct ph1handle *, char *, char *);
-int xauth_radius_init(void);
-#endif
-
-#ifdef HAVE_LIBPAM
-int xauth_login_pam(int, struct sockaddr *, char *, char *);
-#endif
-
-#ifdef HAVE_LIBLDAP
-
-#define LDAP_DFLT_HOST "localhost"
-#define LDAP_DFLT_USER "cn"
-#define LDAP_DFLT_ADDR "racoon-address"
-#define LDAP_DFLT_MASK "racoon-netmask"
-#define LDAP_DFLT_GROUP "cn"
-#define LDAP_DFLT_MEMBER "member"
-
-struct xauth_ldap_config {
- int pver;
- vchar_t *host;
- int port;
- vchar_t *base;
- int subtree;
- vchar_t *bind_dn;
- vchar_t *bind_pw;
- int auth_type;
- vchar_t *attr_user;
- vchar_t *attr_addr;
- vchar_t *attr_mask;
- vchar_t *attr_group;
- vchar_t *attr_member;
-};
-
-extern struct xauth_ldap_config xauth_ldap_config;
-
-int xauth_ldap_init(void);
-int xauth_login_ldap(struct ph1handle *, char *, char *);
-#endif
-
-#endif /* _ISAKMP_XAUTH_H */
diff --git a/src/racoon/kmpstat.c b/src/racoon/kmpstat.c
deleted file mode 100644
index c59e43a..0000000
--- a/src/racoon/kmpstat.c
+++ /dev/null
@@ -1,227 +0,0 @@
-/* $NetBSD: kmpstat.c,v 1.4.6.2 2007/11/06 16:41:33 vanhu Exp $ */
-
-/* $KAME: kmpstat.c,v 1.33 2004/08/16 08:20:28 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/un.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <net/pfkeyv2.h>
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#if TIME_WITH_SYS_TIME
-# include <sys/time.h>
-# include <time.h>
-#else
-# if HAVE_SYS_TIME_H
-# include <sys/time.h>
-# else
-# include <time.h>
-# endif
-#endif
-#include <netdb.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-#include <err.h>
-#include <sys/ioctl.h>
-#include <resolv.h>
-
-#include "libpfkey.h"
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "debug.h"
-#include "sockmisc.h"
-
-#include "racoonctl.h"
-#include "admin.h"
-#include "schedule.h"
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "isakmp_xauth.h"
-#include "isakmp_var.h"
-#include "isakmp_cfg.h"
-#include "oakley.h"
-#include "handler.h"
-#include "pfkey.h"
-#include "admin.h"
-#include "evt.h"
-#include "admin_var.h"
-#include "ipsec_doi.h"
-
-u_int32_t racoonctl_interface = RACOONCTL_INTERFACE;
-u_int32_t racoonctl_interface_major = RACOONCTL_INTERFACE_MAJOR;
-
-static int so;
-u_int32_t loglevel = 0;
-
-int
-com_init()
-{
- struct sockaddr_un name;
-
- memset(&name, 0, sizeof(name));
- name.sun_family = AF_UNIX;
- snprintf(name.sun_path, sizeof(name.sun_path),
- "%s", adminsock_path);
-
- so = socket(AF_UNIX, SOCK_STREAM, 0);
- if (so < 0)
- return -1;
-
- if (connect(so, (struct sockaddr *)&name, sizeof(name)) < 0) {
- (void)close(so);
- return -1;
- }
-
- return 0;
-}
-
-int
-com_send(combuf)
- vchar_t *combuf;
-{
- int len;
-
- if ((len = send(so, combuf->v, combuf->l, 0)) == -1) {
- perror("send");
- (void)close(so);
- return -1;
- }
-
- return 0;
-}
-
-int
-com_recv(combufp)
- vchar_t **combufp;
-{
- struct admin_com h, *com;
- caddr_t buf;
- int len;
- int l = 0;
- caddr_t p;
-
- if (combufp == NULL)
- return -1;
-
- /* receive by PEEK */
- if ((len = recv(so, &h, sizeof(h), MSG_PEEK)) == -1)
- goto bad1;
-
- /* sanity check */
- if (len < sizeof(h))
- goto bad1;
-
- if (h.ac_errno) {
- errno = h.ac_errno;
- goto bad1;
- }
-
- /* allocate buffer */
- if ((*combufp = vmalloc(h.ac_len)) == NULL)
- goto bad1;
-
- /* read real message */
- p = (*combufp)->v;
- while (l < len) {
- if ((len = recv(so, p, h.ac_len, 0)) < 0) {
- perror("recv");
- goto bad2;
- }
- l += len;
- p += len;
- }
-
- return 0;
-
-bad2:
- vfree(*combufp);
-bad1:
- *combufp = NULL;
- return -1;
-}
-
-/*
- * Dumb plog functions (used by sockmisc.c)
- */
-void
-_plog(int pri, const char *func, struct sockaddr *sa, const char *fmt, ...)
-{
- va_list ap;
-
- va_start(ap, fmt);
- vprintf(fmt, ap);
- va_end(ap);
-}
-
-void
-plogdump(pri, data, len)
- int pri;
- void *data;
- size_t len;
-{
- return;
-}
-
-struct sockaddr *
-get_sockaddr(family, name, port)
- int family;
- char *name, *port;
-{
- struct addrinfo hint, *ai;
- int error;
-
- memset(&hint, 0, sizeof(hint));
- hint.ai_family = PF_UNSPEC;
- hint.ai_family = family;
- hint.ai_socktype = SOCK_STREAM;
-
- error = getaddrinfo(name, port, &hint, &ai);
- if (error != 0) {
- printf("%s: %s/%s\n", gai_strerror(error), name, port);
- return NULL;
- }
-
- return ai->ai_addr;
-}
diff --git a/src/racoon/localconf.c b/src/racoon/localconf.c
deleted file mode 100644
index ede1d9b..0000000
--- a/src/racoon/localconf.c
+++ /dev/null
@@ -1,371 +0,0 @@
-/* $NetBSD: localconf.c,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* $KAME: localconf.c,v 1.33 2001/08/09 07:32:19 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#include <ctype.h>
-#include <err.h>
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "debug.h"
-
-#include "localconf.h"
-#include "algorithm.h"
-#include "admin.h"
-#include "privsep.h"
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "ipsec_doi.h"
-#include "grabmyaddr.h"
-#include "vendorid.h"
-#include "str2val.h"
-#include "safefile.h"
-#include "admin.h"
-#include "gcmalloc.h"
-
-struct localconf *lcconf;
-
-static void setdefault __P((void));
-
-void
-initlcconf()
-{
- lcconf = racoon_calloc(1, sizeof(*lcconf));
- if (lcconf == NULL)
- errx(1, "failed to allocate local conf.");
-
- setdefault();
-
- lcconf->racoon_conf = LC_DEFAULT_CF;
-}
-
-void
-flushlcconf()
-{
- int i;
-
- setdefault();
- clear_myaddr(&lcconf->myaddrs);
- for (i = 0; i < LC_PATHTYPE_MAX; i++) {
- if (lcconf->pathinfo[i]) {
- racoon_free(lcconf->pathinfo[i]);
- lcconf->pathinfo[i] = NULL;
- }
- }
- for (i = 0; i < LC_IDENTTYPE_MAX; i++) {
- if (lcconf->ident[i])
- vfree(lcconf->ident[i]);
- lcconf->ident[i] = NULL;
- }
-}
-
-static void
-setdefault()
-{
- lcconf->uid = 0;
- lcconf->gid = 0;
- lcconf->chroot = NULL;
- lcconf->autograbaddr = 1;
- lcconf->port_isakmp = PORT_ISAKMP;
- lcconf->port_isakmp_natt = PORT_ISAKMP_NATT;
- lcconf->default_af = AF_INET;
- lcconf->pad_random = LC_DEFAULT_PAD_RANDOM;
- lcconf->pad_randomlen = LC_DEFAULT_PAD_RANDOMLEN;
- lcconf->pad_maxsize = LC_DEFAULT_PAD_MAXSIZE;
- lcconf->pad_strict = LC_DEFAULT_PAD_STRICT;
- lcconf->pad_excltail = LC_DEFAULT_PAD_EXCLTAIL;
- lcconf->retry_counter = LC_DEFAULT_RETRY_COUNTER;
- lcconf->retry_interval = LC_DEFAULT_RETRY_INTERVAL;
- lcconf->count_persend = LC_DEFAULT_COUNT_PERSEND;
- lcconf->secret_size = LC_DEFAULT_SECRETSIZE;
- lcconf->retry_checkph1 = LC_DEFAULT_RETRY_CHECKPH1;
- lcconf->wait_ph2complete = LC_DEFAULT_WAIT_PH2COMPLETE;
- lcconf->strict_address = FALSE;
- lcconf->complex_bundle = TRUE; /*XXX FALSE;*/
- lcconf->gss_id_enc = LC_GSSENC_UTF16LE; /* Windows compatibility */
- lcconf->natt_ka_interval = LC_DEFAULT_NATT_KA_INTERVAL;
-}
-
-/*
- * get PSK by string.
- */
-vchar_t *
-getpskbyname(id0)
- vchar_t *id0;
-{
- char *id;
- vchar_t *key = NULL;
-
- id = racoon_calloc(1, 1 + id0->l - sizeof(struct ipsecdoi_id_b));
- if (id == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get psk buffer.\n");
- goto end;
- }
- memcpy(id, id0->v + sizeof(struct ipsecdoi_id_b),
- id0->l - sizeof(struct ipsecdoi_id_b));
- id[id0->l - sizeof(struct ipsecdoi_id_b)] = '\0';
-
- key = privsep_getpsk(id, id0->l - sizeof(struct ipsecdoi_id_b));
-
-end:
- if (id)
- racoon_free(id);
- return key;
-}
-
-/*
- * get PSK by address.
- */
-vchar_t *
-getpskbyaddr(remote)
- struct sockaddr *remote;
-{
- vchar_t *key = NULL;
- char addr[NI_MAXHOST], port[NI_MAXSERV];
-
- GETNAMEINFO(remote, addr, port);
-
- key = privsep_getpsk(addr, strlen(addr));
-
- return key;
-}
-
-vchar_t *
-getpsk(str, len)
- const char *str;
- const int len;
-{
- FILE *fp;
- char buf[1024]; /* XXX how is variable length ? */
- vchar_t *key = NULL;
- char *p, *q;
- size_t keylen;
- char *k = NULL;
-
- if (safefile(lcconf->pathinfo[LC_PATHTYPE_PSK], 1) == 0)
- fp = fopen(lcconf->pathinfo[LC_PATHTYPE_PSK], "r");
- else
- fp = NULL;
- if (fp == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to open pre_share_key file %s\n",
- lcconf->pathinfo[LC_PATHTYPE_PSK]);
- return NULL;
- }
-
- while (fgets(buf, sizeof(buf), fp) != NULL) {
- /* comment line */
- if (buf[0] == '#')
- continue;
-
- /* search the end of 1st string. */
- for (p = buf; *p != '\0' && !isspace((int)*p); p++)
- ;
- if (*p == '\0')
- continue; /* no 2nd parameter */
- *p = '\0';
- /* search the 1st of 2nd string. */
- while (isspace((int)*++p))
- ;
- if (*p == '\0')
- continue; /* no 2nd parameter */
- p--;
- if (strncmp(buf, str, len) == 0 && buf[len] == '\0') {
- p++;
- keylen = 0;
- for (q = p; *q != '\0' && *q != '\n'; q++)
- keylen++;
- *q = '\0';
-
- /* fix key if hex string */
- if (strncmp(p, "0x", 2) == 0) {
- k = str2val(p + 2, 16, &keylen);
- if (k == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get psk buffer.\n");
- goto end;
- }
- p = k;
- }
-
- key = vmalloc(keylen);
- if (key == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate key buffer.\n");
- goto end;
- }
- memcpy(key->v, p, key->l);
- if (k)
- racoon_free(k);
- goto end;
- }
- }
-
-end:
- fclose(fp);
- return key;
-}
-
-/*
- * get a file name of a type specified.
- */
-void
-getpathname(path, len, type, name)
- char *path;
- int len, type;
- const char *name;
-{
- snprintf(path, len, "%s%s%s",
- name[0] == '/' ? "" : lcconf->pathinfo[type],
- name[0] == '/' ? "" : "/",
- name);
-
- plog(LLV_DEBUG, LOCATION, NULL, "filename: %s\n", path);
-}
-
-#if 0 /* DELETEIT */
-static int lc_doi2idtype[] = {
- -1,
- -1,
- LC_IDENTTYPE_FQDN,
- LC_IDENTTYPE_USERFQDN,
- -1,
- -1,
- -1,
- -1,
- -1,
- LC_IDENTTYPE_CERTNAME,
- -1,
- LC_IDENTTYPE_KEYID,
-};
-
-/*
- * convert DOI value to idtype
- * OUT -1 : NG
- * other: converted.
- */
-int
-doi2idtype(idtype)
- int idtype;
-{
- if (ARRAYLEN(lc_doi2idtype) > idtype)
- return lc_doi2idtype[idtype];
- return -1;
-}
-#endif
-
-static int lc_sittype2doi[] = {
- IPSECDOI_SIT_IDENTITY_ONLY,
- IPSECDOI_SIT_SECRECY,
- IPSECDOI_SIT_INTEGRITY,
-};
-
-/*
- * convert sittype to DOI value.
- * OUT -1 : NG
- * other: converted.
- */
-int
-sittype2doi(sittype)
- int sittype;
-{
- if (ARRAYLEN(lc_sittype2doi) > sittype)
- return lc_sittype2doi[sittype];
- return -1;
-}
-
-static int lc_doitype2doi[] = {
- IPSEC_DOI,
-};
-
-/*
- * convert doitype to DOI value.
- * OUT -1 : NG
- * other: converted.
- */
-int
-doitype2doi(doitype)
- int doitype;
-{
- if (ARRAYLEN(lc_doitype2doi) > doitype)
- return lc_doitype2doi[doitype];
- return -1;
-}
-
-
-
-static void
-saverestore_params(f)
- int f;
-{
- static u_int16_t s_port_isakmp;
-#ifdef ENABLE_ADMINPORT
- static u_int16_t s_port_admin;
-#endif
-
- /* 0: save, 1: restore */
- if (f) {
- lcconf->port_isakmp = s_port_isakmp;
-#ifdef ENABLE_ADMINPORT
- lcconf->port_admin = s_port_admin;
-#endif
- } else {
- s_port_isakmp = lcconf->port_isakmp;
-#ifdef ENABLE_ADMINPORT
- s_port_admin = lcconf->port_admin;
-#endif
- }
-}
-
-void
-restore_params()
-{
- saverestore_params(1);
-}
-
-void
-save_params()
-{
- saverestore_params(0);
-}
diff --git a/src/racoon/localconf.h b/src/racoon/localconf.h
deleted file mode 100644
index f7cf33a..0000000
--- a/src/racoon/localconf.h
+++ /dev/null
@@ -1,137 +0,0 @@
-/* $NetBSD: localconf.h,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* Id: localconf.h,v 1.13 2005/11/06 18:13:18 monas Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _LOCALCONF_H
-#define _LOCALCONF_H
-
-/* local configuration */
-
-#define LC_DEFAULT_CF SYSCONFDIR "/racoon.conf"
-
-#define LC_PATHTYPE_INCLUDE 0
-#define LC_PATHTYPE_PSK 1
-#define LC_PATHTYPE_CERT 2
-#define LC_PATHTYPE_BACKUPSA 3
-#define LC_PATHTYPE_SCRIPT 4
-#define LC_PATHTYPE_PIDFILE 5
-#define LC_PATHTYPE_MAX 6
-
-#define LC_DEFAULT_PAD_MAXSIZE 20
-#define LC_DEFAULT_PAD_RANDOM TRUE
-#define LC_DEFAULT_PAD_RANDOMLEN FALSE
-#define LC_DEFAULT_PAD_STRICT FALSE
-#define LC_DEFAULT_PAD_EXCLTAIL TRUE
-#define LC_DEFAULT_RETRY_COUNTER 5
-#define LC_DEFAULT_RETRY_INTERVAL 10
-#define LC_DEFAULT_COUNT_PERSEND 1
-#define LC_DEFAULT_RETRY_CHECKPH1 30
-#define LC_DEFAULT_WAIT_PH2COMPLETE 30
-#define LC_DEFAULT_NATT_KA_INTERVAL 20
-
-#define LC_DEFAULT_SECRETSIZE 16 /* 128 bits */
-
-#define LC_IDENTTYPE_MAX 5 /* XXX */
-
-#define LC_GSSENC_UTF16LE 0 /* GSS ID in UTF-16LE */
-#define LC_GSSENC_LATIN1 1 /* GSS ID in ISO-Latin-1 */
-#define LC_GSSENC_MAX 2
-
-struct localconf {
- char *racoon_conf; /* configuration filename */
-
- uid_t uid;
- gid_t gid;
- char *chroot; /* chroot path */
- u_int16_t port_isakmp; /* port for isakmp as default */
- u_int16_t port_isakmp_natt; /* port for NAT-T use */
- u_int16_t port_admin; /* port for admin */
- int default_af; /* default address family */
-
- int sock_admin;
- int sock_pfkey;
- int rtsock; /* routing socket */
-
- int autograbaddr;
- struct myaddrs *myaddrs;
-
- char *pathinfo[LC_PATHTYPE_MAX];
- vchar_t *ident[LC_IDENTTYPE_MAX]; /* base of Identifier payload. */
-
- int pad_random;
- int pad_randomlen;
- int pad_maxsize;
- int pad_strict;
- int pad_excltail;
-
- int retry_counter; /* times to retry. */
- int retry_interval; /* interval each retry. */
- int count_persend; /* the number of packets each retry. */
- /* above 3 values are copied into a handler. */
-
- int retry_checkph1;
- int wait_ph2complete;
-
- int natt_ka_interval; /* NAT-T keepalive interval. */
-
- int secret_size;
- int strict_address; /* strictly check addresses. */
-
- int complex_bundle;
- /*
- * If we want to make a packet "IP2 AH ESP IP1 ULP",
- * the SPD in KAME expresses AH transport + ESP tunnel.
- * So racoon sent the proposal contained such the order.
- * But lots of implementation interprets AH tunnel + ESP
- * tunnel in this case. racoon has changed the format,
- * usually uses this format. If the option, 'complex_bundle'
- * is enable, racoon uses old format.
- */
-
- int gss_id_enc; /* GSS ID encoding to use */
-};
-
-extern struct localconf *lcconf;
-
-extern void initlcconf __P((void));
-extern void flushlcconf __P((void));
-extern vchar_t *getpskbyname __P((vchar_t *));
-extern vchar_t *getpskbyaddr __P((struct sockaddr *));
-extern void getpathname __P((char *, int, int, const char *));
-extern int sittype2doi __P((int));
-extern int doitype2doi __P((int));
-extern vchar_t *getpsk __P((const char *, const int));
-
-extern void restore_params __P((void));
-extern void save_params __P((void));
-
-#endif /* _LOCALCONF_H */
diff --git a/src/racoon/logger.c b/src/racoon/logger.c
deleted file mode 100644
index 06991cc..0000000
--- a/src/racoon/logger.c
+++ /dev/null
@@ -1,262 +0,0 @@
-/* $NetBSD: logger.c,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* $KAME: logger.c,v 1.9 2002/09/03 14:37:03 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#ifdef HAVE_STDARG_H
-#include <stdarg.h>
-#else
-#include <varargs.h>
-#endif
-#if TIME_WITH_SYS_TIME
-# include <sys/time.h>
-# include <time.h>
-#else
-# if HAVE_SYS_TIME_H
-# include <sys/time.h>
-# else
-# include <time.h>
-# endif
-#endif
-
-#include "logger.h"
-#include "var.h"
-#include "gcmalloc.h"
-
-struct log *
-log_open(siz, fname)
- size_t siz;
- char *fname;
-{
- struct log *p;
-
- p = (struct log *)racoon_malloc(sizeof(*p));
- if (p == NULL)
- return NULL;
- memset(p, 0, sizeof(*p));
-
- p->buf = (char **)racoon_malloc(sizeof(char *) * siz);
- if (p->buf == NULL) {
- racoon_free(p);
- return NULL;
- }
- memset(p->buf, 0, sizeof(char *) * siz);
-
- p->tbuf = (time_t *)racoon_malloc(sizeof(time_t *) * siz);
- if (p->tbuf == NULL) {
- racoon_free(p->buf);
- racoon_free(p);
- return NULL;
- }
- memset(p->tbuf, 0, sizeof(time_t *) * siz);
-
- p->siz = siz;
- if (fname)
- p->fname = racoon_strdup(fname);
-
- return p;
-}
-
-/*
- * append string to ring buffer.
- * string must be \n-terminated (since we add timestamps).
- * even if not, we'll add \n to avoid formatting mistake (see log_close()).
- */
-void
-log_add(p, str)
- struct log *p;
- char *str;
-{
- /* syslog if p->fname == NULL? */
- if (p->buf[p->head])
- racoon_free(p->buf[p->head]);
- p->buf[p->head] = racoon_strdup(str);
- p->tbuf[p->head] = time(NULL);
- p->head++;
- p->head %= p->siz;
-}
-
-/*
- * write out string to the log file, as is.
- * \n-termination is up to the caller. if you don't add \n, the file
- * format may be broken.
- */
-int
-log_print(p, str)
- struct log *p;
- char *str;
-{
- FILE *fp;
-
- if (p->fname == NULL)
- return -1; /*XXX syslog?*/
- fp = fopen(p->fname, "a");
- if (fp == NULL)
- return -1;
- fprintf(fp, "%s", str);
- fclose(fp);
-
- return 0;
-}
-
-int
-log_vprint(struct log *p, const char *fmt, ...)
-{
- va_list ap;
-
- FILE *fp;
-
- if (p->fname == NULL)
- return -1; /*XXX syslog?*/
- fp = fopen(p->fname, "a");
- if (fp == NULL)
- return -1;
- va_start(ap, fmt);
- vfprintf(fp, fmt, ap);
- va_end(ap);
-
- fclose(fp);
-
- return 0;
-}
-
-int
-log_vaprint(struct log *p, const char *fmt, va_list ap)
-{
- FILE *fp;
-
- if (p->fname == NULL)
- return -1; /*XXX syslog?*/
- fp = fopen(p->fname, "a");
- if (fp == NULL)
- return -1;
- vfprintf(fp, fmt, ap);
- fclose(fp);
-
- return 0;
-}
-
-/*
- * write out content of ring buffer, and reclaim the log structure
- */
-int
-log_close(p)
- struct log *p;
-{
- FILE *fp;
- int i, j;
- char ts[256];
- struct tm *tm;
-
- if (p->fname == NULL)
- goto nowrite;
- fp = fopen(p->fname, "a");
- if (fp == NULL)
- goto nowrite;
-
- for (i = 0; i < p->siz; i++) {
- j = (p->head + i) % p->siz;
- if (p->buf[j]) {
- tm = localtime(&p->tbuf[j]);
- strftime(ts, sizeof(ts), "%B %d %T", tm);
- fprintf(fp, "%s: %s\n", ts, p->buf[j]);
- if (*(p->buf[j] + strlen(p->buf[j]) - 1) != '\n')
- fprintf(fp, "\n");
- }
- }
- fclose(fp);
-
-nowrite:
- log_free(p);
- return 0;
-}
-
-void
-log_free(p)
- struct log *p;
-{
- int i;
-
- for (i = 0; i < p->siz; i++)
- racoon_free(p->buf[i]);
- racoon_free(p->buf);
- racoon_free(p->tbuf);
- if (p->fname)
- racoon_free(p->fname);
- racoon_free(p);
-}
-
-#ifdef TEST
-struct log *l;
-
-void
-vatest(const char *fmt, ...)
-{
- va_list ap;
- va_start(ap, fmt);
- log_vaprint(l, fmt, ap);
- va_end(ap);
-}
-
-int
-main(argc, argv)
- int argc;
- char **argv;
-{
- int i;
-
- l = log_open(30, "/tmp/hoge");
- if (l == NULL)
- errx(1, "hoge");
-
- for (i = 0; i < 50; i++) {
- log_add(l, "foo");
- log_add(l, "baa");
- log_add(l, "baz");
- }
- log_print(l, "hoge\n");
- log_vprint(l, "hoge %s\n", "this is test");
- vatest("%s %s\n", "this is", "vprint test");
- abort();
- log_free(l);
-}
-
-#endif
-
diff --git a/src/racoon/logger.h b/src/racoon/logger.h
deleted file mode 100644
index 3fd3e94..0000000
--- a/src/racoon/logger.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/* $NetBSD: logger.h,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* Id: logger.h,v 1.3 2004/06/11 16:00:16 ludvigm Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _LOGGER_H
-#define _LOGGER_H
-
-struct log {
- int head;
- int siz;
- char **buf;
- time_t *tbuf;
- char *fname;
-};
-
-extern struct log *log_open __P((size_t, char *));
-extern void log_add __P((struct log *, char *));
-extern int log_print __P((struct log *, char *));
-extern int log_vprint __P((struct log *, const char *, ...));
-extern int log_vaprint __P((struct log *, const char *, va_list));
-extern int log_close __P((struct log *));
-extern void log_free __P((struct log *));
-
-#endif /* _LOGGER_H */
diff --git a/src/racoon/main.c b/src/racoon/main.c
deleted file mode 100644
index 094026e..0000000
--- a/src/racoon/main.c
+++ /dev/null
@@ -1,398 +0,0 @@
-/* $NetBSD: main.c,v 1.6.6.2 2008/11/27 15:25:26 vanhu Exp $ */
-
-/* Id: main.c,v 1.25 2006/06/20 20:31:34 manubsd Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/stat.h>
-
-#include <netinet/in.h>
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#include <limits.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-#include <paths.h>
-#include <err.h>
-
-/*
- * If we're using a debugging malloc library, this may define our
- * wrapper stubs.
- */
-#define RACOON_MAIN_PROGRAM
-#include "gcmalloc.h"
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "debug.h"
-
-#include "cfparse_proto.h"
-#include "isakmp_var.h"
-#ifdef ENABLE_HYBRID
-#include <resolv.h>
-#include "isakmp.h"
-#include "isakmp_xauth.h"
-#include "isakmp_cfg.h"
-#endif
-#include "remoteconf.h"
-#include "localconf.h"
-#include "session.h"
-#include "oakley.h"
-#include "pfkey.h"
-#include "policy.h"
-#include "crypto_openssl.h"
-#include "backupsa.h"
-#include "vendorid.h"
-
-#include "package_version.h"
-
-int f_local = 0; /* local test mode. behave like a wall. */
-int vflag = 1; /* for print-isakmp.c */
-static int loading_sa = 0; /* install sa when racoon boots up. */
-static int dump_config = 0; /* dump parsed config file. */
-
-#ifdef TOP_PACKAGE
-static char version[] = "@(#)" TOP_PACKAGE_STRING " (" TOP_PACKAGE_URL ")";
-#else /* TOP_PACKAGE */
-static char version[] = "@(#) racoon / IPsec-tools";
-#endif /* TOP_PACKAGE */
-
-int main __P((int, char **));
-static void usage __P((void));
-static void parse __P((int, char **));
-#if 0
-static void cleanup_pidfile __P((void));
-#endif
-
-void
-usage()
-{
- printf("usage: racoon [-BdFv%s] %s[-f (file)] [-l (file)] [-p (port)]\n",
-#ifdef INET6
- "46",
-#else
- "",
-#endif
-#ifdef ENABLE_ADMINPORT
- "[-a (port)] "
-#else
- ""
-#endif
- );
- printf(" -B: install SA to the kernel from the file "
- "specified by the configuration file.\n");
- printf(" -d: debug level, more -d will generate more debug message.\n");
- printf(" -C: dump parsed config file.\n");
- printf(" -L: include location in debug messages\n");
- printf(" -F: run in foreground, do not become daemon.\n");
- printf(" -v: be more verbose\n");
-#ifdef INET6
- printf(" -4: IPv4 mode.\n");
- printf(" -6: IPv6 mode.\n");
-#endif
-#ifdef ENABLE_ADMINPORT
- printf(" -a: port number for admin port.\n");
-#endif
- printf(" -f: pathname for configuration file.\n");
- printf(" -l: pathname for log file.\n");
- printf(" -p: port number for isakmp (default: %d).\n", PORT_ISAKMP);
- printf(" -P: port number for NAT-T (default: %d).\n", PORT_ISAKMP_NATT);
- exit(1);
-}
-
-int
-main(ac, av)
- int ac;
- char **av;
-{
- int error;
-
- if (geteuid() != 0) {
- errx(1, "must be root to invoke this program.");
- /* NOTREACHED*/
- }
-
- /*
- * Don't let anyone read files I write. Although some files (such as
- * the PID file) can be other readable, we dare to use the global mask,
- * because racoon uses fopen(3), which can't specify the permission
- * at the creation time.
- */
- umask(077);
- if (umask(077) != 077) {
- errx(1, "could not set umask");
- /* NOTREACHED*/
- }
-
-#ifdef DEBUG_RECORD_MALLOCATION
- DRM_init();
-#endif
-
-#ifdef HAVE_SECCTX
- init_avc();
-#endif
- eay_init();
- initlcconf();
- initrmconf();
- oakley_dhinit();
- compute_vendorids();
-
- parse(ac, av);
-
- ploginit();
-
- plog(LLV_INFO, LOCATION, NULL, "%s\n", version);
- plog(LLV_INFO, LOCATION, NULL, "@(#)"
- "This product linked %s (http://www.openssl.org/)"
- "\n", eay_version());
- plog(LLV_INFO, LOCATION, NULL, "Reading configuration from \"%s\"\n",
- lcconf->racoon_conf);
-
- if (pfkey_init() < 0) {
- errx(1, "something error happened "
- "while pfkey initializing.");
- /* NOTREACHED*/
- }
-
-#ifdef ENABLE_HYBRID
- if (isakmp_cfg_init(ISAKMP_CFG_INIT_COLD))
- errx(1, "could not initialize ISAKMP mode config structures");
-#endif
-
-#ifdef HAVE_LIBLDAP
- if (xauth_ldap_init() != 0)
- errx(1, "could not initialize libldap");
-#endif
-
- /*
- * in order to prefer the parameters by command line,
- * saving some parameters before parsing configuration file.
- */
- save_params();
- error = cfparse();
- if (error != 0)
- errx(1, "failed to parse configuration file.");
- restore_params();
-
-#ifdef ENABLE_HYBRID
- if(isakmp_cfg_config.network4 && isakmp_cfg_config.pool_size == 0)
- if ((error = isakmp_cfg_resize_pool(ISAKMP_CFG_MAX_CNX)) != 0)
- return error;
-#endif
-
- if (dump_config)
- dumprmconf ();
-
-#ifdef HAVE_LIBRADIUS
- if (xauth_radius_init() != 0) {
- errx(1, "could not initialize libradius");
- /* NOTREACHED*/
- }
-#endif
-
- /*
- * install SAs from the specified file. If the file is not specified
- * by the configuration file, racoon will exit.
- */
- if (loading_sa && !f_local) {
- if (backupsa_from_file() != 0)
- errx(1, "something error happened "
- "SA recovering.");
- }
-
- if (f_foreground)
- close(0);
- else {
- if (daemon(0, 0) < 0) {
- errx(1, "failed to be daemon. (%s)",
- strerror(errno));
- }
-#ifndef __linux__
- /*
- * In case somebody has started inetd manually, we need to
- * clear the logname, so that old servers run as root do not
- * get the user's logname..
- */
- if (setlogin("") < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "cannot clear logname: %s\n", strerror(errno));
- /* no big deal if it fails.. */
- }
-#endif
- if (!f_local) {
-#if 0
- if (atexit(cleanup_pidfile) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "cannot register pidfile cleanup");
- }
-#endif
- }
- }
-
- session();
-
- exit(0);
-}
-
-#if 0
-static void
-cleanup_pidfile()
-{
- pid_t p = getpid();
-
- /* if it's not child process, clean everything */
- if (racoon_pid == p) {
- const char *pid_file = _PATH_VARRUN "racoon.pid";
-
- (void) unlink(pid_file);
- }
-}
-#endif
-
-static void
-parse(ac, av)
- int ac;
- char **av;
-{
- extern char *optarg;
- extern int optind;
- int c;
-#ifdef YYDEBUG
- extern int yydebug;
-#endif
-
- pname = strrchr(*av, '/');
- if (pname)
- pname++;
- else
- pname = *av;
-
- while ((c = getopt(ac, av, "dLFp:P:a:f:l:vZBC"
-#ifdef YYDEBUG
- "y"
-#endif
-#ifdef INET6
- "46"
-#endif
- )) != -1) {
- switch (c) {
- case 'd':
- loglevel++;
- break;
- case 'L':
- print_location = 1;
- break;
- case 'F':
- printf("Foreground mode.\n");
- f_foreground = 1;
- break;
- case 'p':
- lcconf->port_isakmp = atoi(optarg);
- break;
- case 'P':
- lcconf->port_isakmp_natt = atoi(optarg);
- break;
- case 'a':
-#ifdef ENABLE_ADMINPORT
- lcconf->port_admin = atoi(optarg);
- break;
-#else
- fprintf(stderr, "%s: the option is disabled "
- "in the configuration\n", pname);
- exit(1);
-#endif
- case 'f':
- lcconf->racoon_conf = optarg;
- break;
- case 'l':
- plogset(optarg);
- break;
- case 'v':
- vflag++;
- break;
- case 'Z':
- /*
- * only local test.
- * To specify -Z option and to choice a appropriate
- * port number for ISAKMP, you can launch some racoons
- * on the local host for debug.
- * pk_sendadd() on initiator side is always failed
- * even if this flag is used. Because there is same
- * spi in the SAD which is inserted by pk_sendgetspi()
- * on responder side.
- */
- printf("Local test mode.\n");
- f_local = 1;
- break;
-#ifdef YYDEBUG
- case 'y':
- yydebug = 1;
- break;
-#endif
-#ifdef INET6
- case '4':
- lcconf->default_af = AF_INET;
- break;
- case '6':
- lcconf->default_af = AF_INET6;
- break;
-#endif
- case 'B':
- loading_sa++;
- break;
- case 'C':
- dump_config++;
- break;
- default:
- usage();
- /* NOTREACHED */
- }
- }
- ac -= optind;
- av += optind;
-
- if (ac != 0) {
- usage();
- /* NOTREACHED */
- }
-
- return;
-}
diff --git a/src/racoon/misc.c b/src/racoon/misc.c
deleted file mode 100644
index 18a4f19..0000000
--- a/src/racoon/misc.c
+++ /dev/null
@@ -1,171 +0,0 @@
-/* $NetBSD: misc.c,v 1.4.6.1 2008/07/15 00:55:48 mgrooms Exp $ */
-
-/* $KAME: misc.c,v 1.23 2001/08/16 14:37:29 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/stat.h>
-#include <sys/time.h>
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#include <syslog.h>
-#include <ctype.h>
-
-#include "var.h"
-#include "misc.h"
-#include "debug.h"
-
-#if 0
-static int bindump __P((void *, size_t));
-
-static int
-bindump(buf0, len)
- void *buf0;
- size_t len;
-{
- unsigned char *buf = (unsigned char *)buf0;
- size_t i;
-
- for (i = 0; i < len; i++) {
- if ((buf[i] & 0x80) || !isprint(buf[i]))
- printf("\\x%x", buf[i]);
- else
- printf("%c", buf[i]);
- }
- printf("\n");
-
- return 0;
-}
-#endif
-
-int
-racoon_hexdump(buf0, len)
- const void *buf0;
- size_t len;
-{
- const unsigned char *buf = buf0;
- size_t i;
-
- for (i = 0; i < len; i++) {
- if (i != 0 && i % 32 == 0)
- printf("\n");
- if (i % 4 == 0)
- printf(" ");
- printf("%02x", buf[i]);
- }
- printf("\n");
-
- return 0;
-}
-
-char *
-bit2str(n, bl)
- int n, bl;
-{
-#define MAXBITLEN 128
- static char b[MAXBITLEN + 1];
- int i;
-
- if (bl > MAXBITLEN)
- return "Failed to convert."; /* NG */
- memset(b, '0', bl);
- b[bl] = '\0';
-
- for (i = 0; i < bl; i++) {
- if (n & (1 << i))
- b[bl - 1 - i] = '1';
- }
-
- return b;
-}
-
-const char *
-debug_location(file, line, func)
- const char *file;
- int line;
- const char *func;
-{
- static char buf[1024];
- const char *p;
-
- /* truncate pathname */
- p = strrchr(file, '/');
- if (p)
- p++;
- else
- p = file;
-
- if (func)
- snprintf(buf, sizeof(buf), "%s:%d:%s()", p, line, func);
- else
- snprintf(buf, sizeof(buf), "%s:%d", p, line);
-
- return buf;
-}
-
-/*
- * get file size.
- * -1: error occured.
- */
-int
-getfsize(path)
- char *path;
-{
- struct stat st;
-
- if (stat(path, &st) != 0)
- return -1;
- else
- return st.st_size;
-}
-
-/*
- * calculate the difference between two times.
- * t1: start
- * t2: end
- */
-double
-timedelta(t1, t2)
- struct timeval *t1, *t2;
-{
- if (t2->tv_usec >= t1->tv_usec)
- return t2->tv_sec - t1->tv_sec +
- (double)(t2->tv_usec - t1->tv_usec) / 1000000;
-
- return t2->tv_sec - t1->tv_sec - 1 +
- (double)(1000000 + t2->tv_usec - t1->tv_usec) / 1000000;
-}
diff --git a/src/racoon/misc.h b/src/racoon/misc.h
deleted file mode 100644
index 4979802..0000000
--- a/src/racoon/misc.h
+++ /dev/null
@@ -1,77 +0,0 @@
-/* $NetBSD: misc.h,v 1.4.6.1 2008/07/15 00:55:48 mgrooms Exp $ */
-
-/* Id: misc.h,v 1.9 2006/04/06 14:00:06 manubsd Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _MISC_H
-#define _MISC_H
-
-#define BIT2STR(b) bit2str(b, sizeof(b)<<3)
-
-#ifdef HAVE_FUNC_MACRO
-#define LOCATION debug_location(__FILE__, __LINE__, __func__)
-#else
-#define LOCATION debug_location(__FILE__, __LINE__, NULL)
-#endif
-
-extern int racoon_hexdump __P((const void *, size_t));
-extern char *bit2str __P((int, int));
-extern void *get_newbuf __P((void *, size_t));
-extern const char *debug_location __P((const char *, int, const char *));
-extern int getfsize __P((char *));
-struct timeval;
-extern double timedelta __P((struct timeval *, struct timeval *));
-char *strdup __P((const char *));
-
-#if defined(__APPLE__) && defined(__MACH__)
-#define RACOON_TAILQ_FOREACH_REVERSE(var, head, headname ,field) \
- TAILQ_FOREACH_REVERSE(var, head, field, headname)
-#else
-#define RACOON_TAILQ_FOREACH_REVERSE(var, head, headname ,field) \
- TAILQ_FOREACH_REVERSE(var, head, headname, field)
-#endif
-
-#ifndef HAVE_STRLCPY
-#define strlcpy(d,s,l) (strncpy(d,s,l), (d)[(l)-1] = '\0')
-#endif
-
-#ifndef HAVE_STRLCAT
-#define strlcat(d,s,l) strncat(d,s,(l)-strlen(d)-1)
-#endif
-
-#define STRDUP_FATAL(x) if (x == NULL) { \
- plog(LLV_ERROR, LOCATION, NULL, "strdup failed\n"); \
- exit(1); \
-}
-
-#include "libpfkey.h"
-
-#endif /* _MISC_H */
diff --git a/src/racoon/missing/crypto/rijndael/boxes-fst.dat b/src/racoon/missing/crypto/rijndael/boxes-fst.dat
deleted file mode 100644
index 28d15d3..0000000
--- a/src/racoon/missing/crypto/rijndael/boxes-fst.dat
+++ /dev/null
@@ -1,957 +0,0 @@
-/* $KAME: boxes-fst.dat,v 1.1.1.1 2001/08/08 09:56:27 sakane Exp $ */
-
-const word8 S[256] = {
- 99, 124, 119, 123, 242, 107, 111, 197, 48, 1, 103, 43, 254, 215, 171, 118,
-202, 130, 201, 125, 250, 89, 71, 240, 173, 212, 162, 175, 156, 164, 114, 192,
-183, 253, 147, 38, 54, 63, 247, 204, 52, 165, 229, 241, 113, 216, 49, 21,
- 4, 199, 35, 195, 24, 150, 5, 154, 7, 18, 128, 226, 235, 39, 178, 117,
- 9, 131, 44, 26, 27, 110, 90, 160, 82, 59, 214, 179, 41, 227, 47, 132,
- 83, 209, 0, 237, 32, 252, 177, 91, 106, 203, 190, 57, 74, 76, 88, 207,
-208, 239, 170, 251, 67, 77, 51, 133, 69, 249, 2, 127, 80, 60, 159, 168,
- 81, 163, 64, 143, 146, 157, 56, 245, 188, 182, 218, 33, 16, 255, 243, 210,
-205, 12, 19, 236, 95, 151, 68, 23, 196, 167, 126, 61, 100, 93, 25, 115,
- 96, 129, 79, 220, 34, 42, 144, 136, 70, 238, 184, 20, 222, 94, 11, 219,
-224, 50, 58, 10, 73, 6, 36, 92, 194, 211, 172, 98, 145, 149, 228, 121,
-231, 200, 55, 109, 141, 213, 78, 169, 108, 86, 244, 234, 101, 122, 174, 8,
-186, 120, 37, 46, 28, 166, 180, 198, 232, 221, 116, 31, 75, 189, 139, 138,
-112, 62, 181, 102, 72, 3, 246, 14, 97, 53, 87, 185, 134, 193, 29, 158,
-225, 248, 152, 17, 105, 217, 142, 148, 155, 30, 135, 233, 206, 85, 40, 223,
-140, 161, 137, 13, 191, 230, 66, 104, 65, 153, 45, 15, 176, 84, 187, 22
-};
-
-#ifdef INTERMEDIATE_VALUE_KAT
-static const word8 Si[256] = {
- 82, 9, 106, 213, 48, 54, 165, 56, 191, 64, 163, 158, 129, 243, 215, 251,
-124, 227, 57, 130, 155, 47, 255, 135, 52, 142, 67, 68, 196, 222, 233, 203,
- 84, 123, 148, 50, 166, 194, 35, 61, 238, 76, 149, 11, 66, 250, 195, 78,
- 8, 46, 161, 102, 40, 217, 36, 178, 118, 91, 162, 73, 109, 139, 209, 37,
-114, 248, 246, 100, 134, 104, 152, 22, 212, 164, 92, 204, 93, 101, 182, 146,
-108, 112, 72, 80, 253, 237, 185, 218, 94, 21, 70, 87, 167, 141, 157, 132,
-144, 216, 171, 0, 140, 188, 211, 10, 247, 228, 88, 5, 184, 179, 69, 6,
-208, 44, 30, 143, 202, 63, 15, 2, 193, 175, 189, 3, 1, 19, 138, 107,
- 58, 145, 17, 65, 79, 103, 220, 234, 151, 242, 207, 206, 240, 180, 230, 115,
-150, 172, 116, 34, 231, 173, 53, 133, 226, 249, 55, 232, 28, 117, 223, 110,
- 71, 241, 26, 113, 29, 41, 197, 137, 111, 183, 98, 14, 170, 24, 190, 27,
-252, 86, 62, 75, 198, 210, 121, 32, 154, 219, 192, 254, 120, 205, 90, 244,
- 31, 221, 168, 51, 136, 7, 199, 49, 177, 18, 16, 89, 39, 128, 236, 95,
- 96, 81, 127, 169, 25, 181, 74, 13, 45, 229, 122, 159, 147, 201, 156, 239,
-160, 224, 59, 77, 174, 42, 245, 176, 200, 235, 187, 60, 131, 83, 153, 97,
- 23, 43, 4, 126, 186, 119, 214, 38, 225, 105, 20, 99, 85, 33, 12, 125
-};
-#endif /* INTERMEDIATE_VALUE_KAT */
-
-union xtab {
- word32 xt32[256];
- word8 xt8[256][4];
-};
-
-static const union xtab xT1 = {
- .xt8 = {
-{0xc6,0x63,0x63,0xa5}, {0xf8,0x7c,0x7c,0x84}, {0xee,0x77,0x77,0x99}, {0xf6,0x7b,0x7b,0x8d},
-{0xff,0xf2,0xf2,0x0d}, {0xd6,0x6b,0x6b,0xbd}, {0xde,0x6f,0x6f,0xb1}, {0x91,0xc5,0xc5,0x54},
-{0x60,0x30,0x30,0x50}, {0x02,0x01,0x01,0x03}, {0xce,0x67,0x67,0xa9}, {0x56,0x2b,0x2b,0x7d},
-{0xe7,0xfe,0xfe,0x19}, {0xb5,0xd7,0xd7,0x62}, {0x4d,0xab,0xab,0xe6}, {0xec,0x76,0x76,0x9a},
-{0x8f,0xca,0xca,0x45}, {0x1f,0x82,0x82,0x9d}, {0x89,0xc9,0xc9,0x40}, {0xfa,0x7d,0x7d,0x87},
-{0xef,0xfa,0xfa,0x15}, {0xb2,0x59,0x59,0xeb}, {0x8e,0x47,0x47,0xc9}, {0xfb,0xf0,0xf0,0x0b},
-{0x41,0xad,0xad,0xec}, {0xb3,0xd4,0xd4,0x67}, {0x5f,0xa2,0xa2,0xfd}, {0x45,0xaf,0xaf,0xea},
-{0x23,0x9c,0x9c,0xbf}, {0x53,0xa4,0xa4,0xf7}, {0xe4,0x72,0x72,0x96}, {0x9b,0xc0,0xc0,0x5b},
-{0x75,0xb7,0xb7,0xc2}, {0xe1,0xfd,0xfd,0x1c}, {0x3d,0x93,0x93,0xae}, {0x4c,0x26,0x26,0x6a},
-{0x6c,0x36,0x36,0x5a}, {0x7e,0x3f,0x3f,0x41}, {0xf5,0xf7,0xf7,0x02}, {0x83,0xcc,0xcc,0x4f},
-{0x68,0x34,0x34,0x5c}, {0x51,0xa5,0xa5,0xf4}, {0xd1,0xe5,0xe5,0x34}, {0xf9,0xf1,0xf1,0x08},
-{0xe2,0x71,0x71,0x93}, {0xab,0xd8,0xd8,0x73}, {0x62,0x31,0x31,0x53}, {0x2a,0x15,0x15,0x3f},
-{0x08,0x04,0x04,0x0c}, {0x95,0xc7,0xc7,0x52}, {0x46,0x23,0x23,0x65}, {0x9d,0xc3,0xc3,0x5e},
-{0x30,0x18,0x18,0x28}, {0x37,0x96,0x96,0xa1}, {0x0a,0x05,0x05,0x0f}, {0x2f,0x9a,0x9a,0xb5},
-{0x0e,0x07,0x07,0x09}, {0x24,0x12,0x12,0x36}, {0x1b,0x80,0x80,0x9b}, {0xdf,0xe2,0xe2,0x3d},
-{0xcd,0xeb,0xeb,0x26}, {0x4e,0x27,0x27,0x69}, {0x7f,0xb2,0xb2,0xcd}, {0xea,0x75,0x75,0x9f},
-{0x12,0x09,0x09,0x1b}, {0x1d,0x83,0x83,0x9e}, {0x58,0x2c,0x2c,0x74}, {0x34,0x1a,0x1a,0x2e},
-{0x36,0x1b,0x1b,0x2d}, {0xdc,0x6e,0x6e,0xb2}, {0xb4,0x5a,0x5a,0xee}, {0x5b,0xa0,0xa0,0xfb},
-{0xa4,0x52,0x52,0xf6}, {0x76,0x3b,0x3b,0x4d}, {0xb7,0xd6,0xd6,0x61}, {0x7d,0xb3,0xb3,0xce},
-{0x52,0x29,0x29,0x7b}, {0xdd,0xe3,0xe3,0x3e}, {0x5e,0x2f,0x2f,0x71}, {0x13,0x84,0x84,0x97},
-{0xa6,0x53,0x53,0xf5}, {0xb9,0xd1,0xd1,0x68}, {0x00,0x00,0x00,0x00}, {0xc1,0xed,0xed,0x2c},
-{0x40,0x20,0x20,0x60}, {0xe3,0xfc,0xfc,0x1f}, {0x79,0xb1,0xb1,0xc8}, {0xb6,0x5b,0x5b,0xed},
-{0xd4,0x6a,0x6a,0xbe}, {0x8d,0xcb,0xcb,0x46}, {0x67,0xbe,0xbe,0xd9}, {0x72,0x39,0x39,0x4b},
-{0x94,0x4a,0x4a,0xde}, {0x98,0x4c,0x4c,0xd4}, {0xb0,0x58,0x58,0xe8}, {0x85,0xcf,0xcf,0x4a},
-{0xbb,0xd0,0xd0,0x6b}, {0xc5,0xef,0xef,0x2a}, {0x4f,0xaa,0xaa,0xe5}, {0xed,0xfb,0xfb,0x16},
-{0x86,0x43,0x43,0xc5}, {0x9a,0x4d,0x4d,0xd7}, {0x66,0x33,0x33,0x55}, {0x11,0x85,0x85,0x94},
-{0x8a,0x45,0x45,0xcf}, {0xe9,0xf9,0xf9,0x10}, {0x04,0x02,0x02,0x06}, {0xfe,0x7f,0x7f,0x81},
-{0xa0,0x50,0x50,0xf0}, {0x78,0x3c,0x3c,0x44}, {0x25,0x9f,0x9f,0xba}, {0x4b,0xa8,0xa8,0xe3},
-{0xa2,0x51,0x51,0xf3}, {0x5d,0xa3,0xa3,0xfe}, {0x80,0x40,0x40,0xc0}, {0x05,0x8f,0x8f,0x8a},
-{0x3f,0x92,0x92,0xad}, {0x21,0x9d,0x9d,0xbc}, {0x70,0x38,0x38,0x48}, {0xf1,0xf5,0xf5,0x04},
-{0x63,0xbc,0xbc,0xdf}, {0x77,0xb6,0xb6,0xc1}, {0xaf,0xda,0xda,0x75}, {0x42,0x21,0x21,0x63},
-{0x20,0x10,0x10,0x30}, {0xe5,0xff,0xff,0x1a}, {0xfd,0xf3,0xf3,0x0e}, {0xbf,0xd2,0xd2,0x6d},
-{0x81,0xcd,0xcd,0x4c}, {0x18,0x0c,0x0c,0x14}, {0x26,0x13,0x13,0x35}, {0xc3,0xec,0xec,0x2f},
-{0xbe,0x5f,0x5f,0xe1}, {0x35,0x97,0x97,0xa2}, {0x88,0x44,0x44,0xcc}, {0x2e,0x17,0x17,0x39},
-{0x93,0xc4,0xc4,0x57}, {0x55,0xa7,0xa7,0xf2}, {0xfc,0x7e,0x7e,0x82}, {0x7a,0x3d,0x3d,0x47},
-{0xc8,0x64,0x64,0xac}, {0xba,0x5d,0x5d,0xe7}, {0x32,0x19,0x19,0x2b}, {0xe6,0x73,0x73,0x95},
-{0xc0,0x60,0x60,0xa0}, {0x19,0x81,0x81,0x98}, {0x9e,0x4f,0x4f,0xd1}, {0xa3,0xdc,0xdc,0x7f},
-{0x44,0x22,0x22,0x66}, {0x54,0x2a,0x2a,0x7e}, {0x3b,0x90,0x90,0xab}, {0x0b,0x88,0x88,0x83},
-{0x8c,0x46,0x46,0xca}, {0xc7,0xee,0xee,0x29}, {0x6b,0xb8,0xb8,0xd3}, {0x28,0x14,0x14,0x3c},
-{0xa7,0xde,0xde,0x79}, {0xbc,0x5e,0x5e,0xe2}, {0x16,0x0b,0x0b,0x1d}, {0xad,0xdb,0xdb,0x76},
-{0xdb,0xe0,0xe0,0x3b}, {0x64,0x32,0x32,0x56}, {0x74,0x3a,0x3a,0x4e}, {0x14,0x0a,0x0a,0x1e},
-{0x92,0x49,0x49,0xdb}, {0x0c,0x06,0x06,0x0a}, {0x48,0x24,0x24,0x6c}, {0xb8,0x5c,0x5c,0xe4},
-{0x9f,0xc2,0xc2,0x5d}, {0xbd,0xd3,0xd3,0x6e}, {0x43,0xac,0xac,0xef}, {0xc4,0x62,0x62,0xa6},
-{0x39,0x91,0x91,0xa8}, {0x31,0x95,0x95,0xa4}, {0xd3,0xe4,0xe4,0x37}, {0xf2,0x79,0x79,0x8b},
-{0xd5,0xe7,0xe7,0x32}, {0x8b,0xc8,0xc8,0x43}, {0x6e,0x37,0x37,0x59}, {0xda,0x6d,0x6d,0xb7},
-{0x01,0x8d,0x8d,0x8c}, {0xb1,0xd5,0xd5,0x64}, {0x9c,0x4e,0x4e,0xd2}, {0x49,0xa9,0xa9,0xe0},
-{0xd8,0x6c,0x6c,0xb4}, {0xac,0x56,0x56,0xfa}, {0xf3,0xf4,0xf4,0x07}, {0xcf,0xea,0xea,0x25},
-{0xca,0x65,0x65,0xaf}, {0xf4,0x7a,0x7a,0x8e}, {0x47,0xae,0xae,0xe9}, {0x10,0x08,0x08,0x18},
-{0x6f,0xba,0xba,0xd5}, {0xf0,0x78,0x78,0x88}, {0x4a,0x25,0x25,0x6f}, {0x5c,0x2e,0x2e,0x72},
-{0x38,0x1c,0x1c,0x24}, {0x57,0xa6,0xa6,0xf1}, {0x73,0xb4,0xb4,0xc7}, {0x97,0xc6,0xc6,0x51},
-{0xcb,0xe8,0xe8,0x23}, {0xa1,0xdd,0xdd,0x7c}, {0xe8,0x74,0x74,0x9c}, {0x3e,0x1f,0x1f,0x21},
-{0x96,0x4b,0x4b,0xdd}, {0x61,0xbd,0xbd,0xdc}, {0x0d,0x8b,0x8b,0x86}, {0x0f,0x8a,0x8a,0x85},
-{0xe0,0x70,0x70,0x90}, {0x7c,0x3e,0x3e,0x42}, {0x71,0xb5,0xb5,0xc4}, {0xcc,0x66,0x66,0xaa},
-{0x90,0x48,0x48,0xd8}, {0x06,0x03,0x03,0x05}, {0xf7,0xf6,0xf6,0x01}, {0x1c,0x0e,0x0e,0x12},
-{0xc2,0x61,0x61,0xa3}, {0x6a,0x35,0x35,0x5f}, {0xae,0x57,0x57,0xf9}, {0x69,0xb9,0xb9,0xd0},
-{0x17,0x86,0x86,0x91}, {0x99,0xc1,0xc1,0x58}, {0x3a,0x1d,0x1d,0x27}, {0x27,0x9e,0x9e,0xb9},
-{0xd9,0xe1,0xe1,0x38}, {0xeb,0xf8,0xf8,0x13}, {0x2b,0x98,0x98,0xb3}, {0x22,0x11,0x11,0x33},
-{0xd2,0x69,0x69,0xbb}, {0xa9,0xd9,0xd9,0x70}, {0x07,0x8e,0x8e,0x89}, {0x33,0x94,0x94,0xa7},
-{0x2d,0x9b,0x9b,0xb6}, {0x3c,0x1e,0x1e,0x22}, {0x15,0x87,0x87,0x92}, {0xc9,0xe9,0xe9,0x20},
-{0x87,0xce,0xce,0x49}, {0xaa,0x55,0x55,0xff}, {0x50,0x28,0x28,0x78}, {0xa5,0xdf,0xdf,0x7a},
-{0x03,0x8c,0x8c,0x8f}, {0x59,0xa1,0xa1,0xf8}, {0x09,0x89,0x89,0x80}, {0x1a,0x0d,0x0d,0x17},
-{0x65,0xbf,0xbf,0xda}, {0xd7,0xe6,0xe6,0x31}, {0x84,0x42,0x42,0xc6}, {0xd0,0x68,0x68,0xb8},
-{0x82,0x41,0x41,0xc3}, {0x29,0x99,0x99,0xb0}, {0x5a,0x2d,0x2d,0x77}, {0x1e,0x0f,0x0f,0x11},
-{0x7b,0xb0,0xb0,0xcb}, {0xa8,0x54,0x54,0xfc}, {0x6d,0xbb,0xbb,0xd6}, {0x2c,0x16,0x16,0x3a}
- }
-};
-#define T1 xT1.xt8
-
-static const union xtab xT2 = {
- .xt8 = {
-{0xa5,0xc6,0x63,0x63}, {0x84,0xf8,0x7c,0x7c}, {0x99,0xee,0x77,0x77}, {0x8d,0xf6,0x7b,0x7b},
-{0x0d,0xff,0xf2,0xf2}, {0xbd,0xd6,0x6b,0x6b}, {0xb1,0xde,0x6f,0x6f}, {0x54,0x91,0xc5,0xc5},
-{0x50,0x60,0x30,0x30}, {0x03,0x02,0x01,0x01}, {0xa9,0xce,0x67,0x67}, {0x7d,0x56,0x2b,0x2b},
-{0x19,0xe7,0xfe,0xfe}, {0x62,0xb5,0xd7,0xd7}, {0xe6,0x4d,0xab,0xab}, {0x9a,0xec,0x76,0x76},
-{0x45,0x8f,0xca,0xca}, {0x9d,0x1f,0x82,0x82}, {0x40,0x89,0xc9,0xc9}, {0x87,0xfa,0x7d,0x7d},
-{0x15,0xef,0xfa,0xfa}, {0xeb,0xb2,0x59,0x59}, {0xc9,0x8e,0x47,0x47}, {0x0b,0xfb,0xf0,0xf0},
-{0xec,0x41,0xad,0xad}, {0x67,0xb3,0xd4,0xd4}, {0xfd,0x5f,0xa2,0xa2}, {0xea,0x45,0xaf,0xaf},
-{0xbf,0x23,0x9c,0x9c}, {0xf7,0x53,0xa4,0xa4}, {0x96,0xe4,0x72,0x72}, {0x5b,0x9b,0xc0,0xc0},
-{0xc2,0x75,0xb7,0xb7}, {0x1c,0xe1,0xfd,0xfd}, {0xae,0x3d,0x93,0x93}, {0x6a,0x4c,0x26,0x26},
-{0x5a,0x6c,0x36,0x36}, {0x41,0x7e,0x3f,0x3f}, {0x02,0xf5,0xf7,0xf7}, {0x4f,0x83,0xcc,0xcc},
-{0x5c,0x68,0x34,0x34}, {0xf4,0x51,0xa5,0xa5}, {0x34,0xd1,0xe5,0xe5}, {0x08,0xf9,0xf1,0xf1},
-{0x93,0xe2,0x71,0x71}, {0x73,0xab,0xd8,0xd8}, {0x53,0x62,0x31,0x31}, {0x3f,0x2a,0x15,0x15},
-{0x0c,0x08,0x04,0x04}, {0x52,0x95,0xc7,0xc7}, {0x65,0x46,0x23,0x23}, {0x5e,0x9d,0xc3,0xc3},
-{0x28,0x30,0x18,0x18}, {0xa1,0x37,0x96,0x96}, {0x0f,0x0a,0x05,0x05}, {0xb5,0x2f,0x9a,0x9a},
-{0x09,0x0e,0x07,0x07}, {0x36,0x24,0x12,0x12}, {0x9b,0x1b,0x80,0x80}, {0x3d,0xdf,0xe2,0xe2},
-{0x26,0xcd,0xeb,0xeb}, {0x69,0x4e,0x27,0x27}, {0xcd,0x7f,0xb2,0xb2}, {0x9f,0xea,0x75,0x75},
-{0x1b,0x12,0x09,0x09}, {0x9e,0x1d,0x83,0x83}, {0x74,0x58,0x2c,0x2c}, {0x2e,0x34,0x1a,0x1a},
-{0x2d,0x36,0x1b,0x1b}, {0xb2,0xdc,0x6e,0x6e}, {0xee,0xb4,0x5a,0x5a}, {0xfb,0x5b,0xa0,0xa0},
-{0xf6,0xa4,0x52,0x52}, {0x4d,0x76,0x3b,0x3b}, {0x61,0xb7,0xd6,0xd6}, {0xce,0x7d,0xb3,0xb3},
-{0x7b,0x52,0x29,0x29}, {0x3e,0xdd,0xe3,0xe3}, {0x71,0x5e,0x2f,0x2f}, {0x97,0x13,0x84,0x84},
-{0xf5,0xa6,0x53,0x53}, {0x68,0xb9,0xd1,0xd1}, {0x00,0x00,0x00,0x00}, {0x2c,0xc1,0xed,0xed},
-{0x60,0x40,0x20,0x20}, {0x1f,0xe3,0xfc,0xfc}, {0xc8,0x79,0xb1,0xb1}, {0xed,0xb6,0x5b,0x5b},
-{0xbe,0xd4,0x6a,0x6a}, {0x46,0x8d,0xcb,0xcb}, {0xd9,0x67,0xbe,0xbe}, {0x4b,0x72,0x39,0x39},
-{0xde,0x94,0x4a,0x4a}, {0xd4,0x98,0x4c,0x4c}, {0xe8,0xb0,0x58,0x58}, {0x4a,0x85,0xcf,0xcf},
-{0x6b,0xbb,0xd0,0xd0}, {0x2a,0xc5,0xef,0xef}, {0xe5,0x4f,0xaa,0xaa}, {0x16,0xed,0xfb,0xfb},
-{0xc5,0x86,0x43,0x43}, {0xd7,0x9a,0x4d,0x4d}, {0x55,0x66,0x33,0x33}, {0x94,0x11,0x85,0x85},
-{0xcf,0x8a,0x45,0x45}, {0x10,0xe9,0xf9,0xf9}, {0x06,0x04,0x02,0x02}, {0x81,0xfe,0x7f,0x7f},
-{0xf0,0xa0,0x50,0x50}, {0x44,0x78,0x3c,0x3c}, {0xba,0x25,0x9f,0x9f}, {0xe3,0x4b,0xa8,0xa8},
-{0xf3,0xa2,0x51,0x51}, {0xfe,0x5d,0xa3,0xa3}, {0xc0,0x80,0x40,0x40}, {0x8a,0x05,0x8f,0x8f},
-{0xad,0x3f,0x92,0x92}, {0xbc,0x21,0x9d,0x9d}, {0x48,0x70,0x38,0x38}, {0x04,0xf1,0xf5,0xf5},
-{0xdf,0x63,0xbc,0xbc}, {0xc1,0x77,0xb6,0xb6}, {0x75,0xaf,0xda,0xda}, {0x63,0x42,0x21,0x21},
-{0x30,0x20,0x10,0x10}, {0x1a,0xe5,0xff,0xff}, {0x0e,0xfd,0xf3,0xf3}, {0x6d,0xbf,0xd2,0xd2},
-{0x4c,0x81,0xcd,0xcd}, {0x14,0x18,0x0c,0x0c}, {0x35,0x26,0x13,0x13}, {0x2f,0xc3,0xec,0xec},
-{0xe1,0xbe,0x5f,0x5f}, {0xa2,0x35,0x97,0x97}, {0xcc,0x88,0x44,0x44}, {0x39,0x2e,0x17,0x17},
-{0x57,0x93,0xc4,0xc4}, {0xf2,0x55,0xa7,0xa7}, {0x82,0xfc,0x7e,0x7e}, {0x47,0x7a,0x3d,0x3d},
-{0xac,0xc8,0x64,0x64}, {0xe7,0xba,0x5d,0x5d}, {0x2b,0x32,0x19,0x19}, {0x95,0xe6,0x73,0x73},
-{0xa0,0xc0,0x60,0x60}, {0x98,0x19,0x81,0x81}, {0xd1,0x9e,0x4f,0x4f}, {0x7f,0xa3,0xdc,0xdc},
-{0x66,0x44,0x22,0x22}, {0x7e,0x54,0x2a,0x2a}, {0xab,0x3b,0x90,0x90}, {0x83,0x0b,0x88,0x88},
-{0xca,0x8c,0x46,0x46}, {0x29,0xc7,0xee,0xee}, {0xd3,0x6b,0xb8,0xb8}, {0x3c,0x28,0x14,0x14},
-{0x79,0xa7,0xde,0xde}, {0xe2,0xbc,0x5e,0x5e}, {0x1d,0x16,0x0b,0x0b}, {0x76,0xad,0xdb,0xdb},
-{0x3b,0xdb,0xe0,0xe0}, {0x56,0x64,0x32,0x32}, {0x4e,0x74,0x3a,0x3a}, {0x1e,0x14,0x0a,0x0a},
-{0xdb,0x92,0x49,0x49}, {0x0a,0x0c,0x06,0x06}, {0x6c,0x48,0x24,0x24}, {0xe4,0xb8,0x5c,0x5c},
-{0x5d,0x9f,0xc2,0xc2}, {0x6e,0xbd,0xd3,0xd3}, {0xef,0x43,0xac,0xac}, {0xa6,0xc4,0x62,0x62},
-{0xa8,0x39,0x91,0x91}, {0xa4,0x31,0x95,0x95}, {0x37,0xd3,0xe4,0xe4}, {0x8b,0xf2,0x79,0x79},
-{0x32,0xd5,0xe7,0xe7}, {0x43,0x8b,0xc8,0xc8}, {0x59,0x6e,0x37,0x37}, {0xb7,0xda,0x6d,0x6d},
-{0x8c,0x01,0x8d,0x8d}, {0x64,0xb1,0xd5,0xd5}, {0xd2,0x9c,0x4e,0x4e}, {0xe0,0x49,0xa9,0xa9},
-{0xb4,0xd8,0x6c,0x6c}, {0xfa,0xac,0x56,0x56}, {0x07,0xf3,0xf4,0xf4}, {0x25,0xcf,0xea,0xea},
-{0xaf,0xca,0x65,0x65}, {0x8e,0xf4,0x7a,0x7a}, {0xe9,0x47,0xae,0xae}, {0x18,0x10,0x08,0x08},
-{0xd5,0x6f,0xba,0xba}, {0x88,0xf0,0x78,0x78}, {0x6f,0x4a,0x25,0x25}, {0x72,0x5c,0x2e,0x2e},
-{0x24,0x38,0x1c,0x1c}, {0xf1,0x57,0xa6,0xa6}, {0xc7,0x73,0xb4,0xb4}, {0x51,0x97,0xc6,0xc6},
-{0x23,0xcb,0xe8,0xe8}, {0x7c,0xa1,0xdd,0xdd}, {0x9c,0xe8,0x74,0x74}, {0x21,0x3e,0x1f,0x1f},
-{0xdd,0x96,0x4b,0x4b}, {0xdc,0x61,0xbd,0xbd}, {0x86,0x0d,0x8b,0x8b}, {0x85,0x0f,0x8a,0x8a},
-{0x90,0xe0,0x70,0x70}, {0x42,0x7c,0x3e,0x3e}, {0xc4,0x71,0xb5,0xb5}, {0xaa,0xcc,0x66,0x66},
-{0xd8,0x90,0x48,0x48}, {0x05,0x06,0x03,0x03}, {0x01,0xf7,0xf6,0xf6}, {0x12,0x1c,0x0e,0x0e},
-{0xa3,0xc2,0x61,0x61}, {0x5f,0x6a,0x35,0x35}, {0xf9,0xae,0x57,0x57}, {0xd0,0x69,0xb9,0xb9},
-{0x91,0x17,0x86,0x86}, {0x58,0x99,0xc1,0xc1}, {0x27,0x3a,0x1d,0x1d}, {0xb9,0x27,0x9e,0x9e},
-{0x38,0xd9,0xe1,0xe1}, {0x13,0xeb,0xf8,0xf8}, {0xb3,0x2b,0x98,0x98}, {0x33,0x22,0x11,0x11},
-{0xbb,0xd2,0x69,0x69}, {0x70,0xa9,0xd9,0xd9}, {0x89,0x07,0x8e,0x8e}, {0xa7,0x33,0x94,0x94},
-{0xb6,0x2d,0x9b,0x9b}, {0x22,0x3c,0x1e,0x1e}, {0x92,0x15,0x87,0x87}, {0x20,0xc9,0xe9,0xe9},
-{0x49,0x87,0xce,0xce}, {0xff,0xaa,0x55,0x55}, {0x78,0x50,0x28,0x28}, {0x7a,0xa5,0xdf,0xdf},
-{0x8f,0x03,0x8c,0x8c}, {0xf8,0x59,0xa1,0xa1}, {0x80,0x09,0x89,0x89}, {0x17,0x1a,0x0d,0x0d},
-{0xda,0x65,0xbf,0xbf}, {0x31,0xd7,0xe6,0xe6}, {0xc6,0x84,0x42,0x42}, {0xb8,0xd0,0x68,0x68},
-{0xc3,0x82,0x41,0x41}, {0xb0,0x29,0x99,0x99}, {0x77,0x5a,0x2d,0x2d}, {0x11,0x1e,0x0f,0x0f},
-{0xcb,0x7b,0xb0,0xb0}, {0xfc,0xa8,0x54,0x54}, {0xd6,0x6d,0xbb,0xbb}, {0x3a,0x2c,0x16,0x16}
- }
-};
-#define T2 xT2.xt8
-
-static const union xtab xT3 = {
- .xt8 = {
-{0x63,0xa5,0xc6,0x63}, {0x7c,0x84,0xf8,0x7c}, {0x77,0x99,0xee,0x77}, {0x7b,0x8d,0xf6,0x7b},
-{0xf2,0x0d,0xff,0xf2}, {0x6b,0xbd,0xd6,0x6b}, {0x6f,0xb1,0xde,0x6f}, {0xc5,0x54,0x91,0xc5},
-{0x30,0x50,0x60,0x30}, {0x01,0x03,0x02,0x01}, {0x67,0xa9,0xce,0x67}, {0x2b,0x7d,0x56,0x2b},
-{0xfe,0x19,0xe7,0xfe}, {0xd7,0x62,0xb5,0xd7}, {0xab,0xe6,0x4d,0xab}, {0x76,0x9a,0xec,0x76},
-{0xca,0x45,0x8f,0xca}, {0x82,0x9d,0x1f,0x82}, {0xc9,0x40,0x89,0xc9}, {0x7d,0x87,0xfa,0x7d},
-{0xfa,0x15,0xef,0xfa}, {0x59,0xeb,0xb2,0x59}, {0x47,0xc9,0x8e,0x47}, {0xf0,0x0b,0xfb,0xf0},
-{0xad,0xec,0x41,0xad}, {0xd4,0x67,0xb3,0xd4}, {0xa2,0xfd,0x5f,0xa2}, {0xaf,0xea,0x45,0xaf},
-{0x9c,0xbf,0x23,0x9c}, {0xa4,0xf7,0x53,0xa4}, {0x72,0x96,0xe4,0x72}, {0xc0,0x5b,0x9b,0xc0},
-{0xb7,0xc2,0x75,0xb7}, {0xfd,0x1c,0xe1,0xfd}, {0x93,0xae,0x3d,0x93}, {0x26,0x6a,0x4c,0x26},
-{0x36,0x5a,0x6c,0x36}, {0x3f,0x41,0x7e,0x3f}, {0xf7,0x02,0xf5,0xf7}, {0xcc,0x4f,0x83,0xcc},
-{0x34,0x5c,0x68,0x34}, {0xa5,0xf4,0x51,0xa5}, {0xe5,0x34,0xd1,0xe5}, {0xf1,0x08,0xf9,0xf1},
-{0x71,0x93,0xe2,0x71}, {0xd8,0x73,0xab,0xd8}, {0x31,0x53,0x62,0x31}, {0x15,0x3f,0x2a,0x15},
-{0x04,0x0c,0x08,0x04}, {0xc7,0x52,0x95,0xc7}, {0x23,0x65,0x46,0x23}, {0xc3,0x5e,0x9d,0xc3},
-{0x18,0x28,0x30,0x18}, {0x96,0xa1,0x37,0x96}, {0x05,0x0f,0x0a,0x05}, {0x9a,0xb5,0x2f,0x9a},
-{0x07,0x09,0x0e,0x07}, {0x12,0x36,0x24,0x12}, {0x80,0x9b,0x1b,0x80}, {0xe2,0x3d,0xdf,0xe2},
-{0xeb,0x26,0xcd,0xeb}, {0x27,0x69,0x4e,0x27}, {0xb2,0xcd,0x7f,0xb2}, {0x75,0x9f,0xea,0x75},
-{0x09,0x1b,0x12,0x09}, {0x83,0x9e,0x1d,0x83}, {0x2c,0x74,0x58,0x2c}, {0x1a,0x2e,0x34,0x1a},
-{0x1b,0x2d,0x36,0x1b}, {0x6e,0xb2,0xdc,0x6e}, {0x5a,0xee,0xb4,0x5a}, {0xa0,0xfb,0x5b,0xa0},
-{0x52,0xf6,0xa4,0x52}, {0x3b,0x4d,0x76,0x3b}, {0xd6,0x61,0xb7,0xd6}, {0xb3,0xce,0x7d,0xb3},
-{0x29,0x7b,0x52,0x29}, {0xe3,0x3e,0xdd,0xe3}, {0x2f,0x71,0x5e,0x2f}, {0x84,0x97,0x13,0x84},
-{0x53,0xf5,0xa6,0x53}, {0xd1,0x68,0xb9,0xd1}, {0x00,0x00,0x00,0x00}, {0xed,0x2c,0xc1,0xed},
-{0x20,0x60,0x40,0x20}, {0xfc,0x1f,0xe3,0xfc}, {0xb1,0xc8,0x79,0xb1}, {0x5b,0xed,0xb6,0x5b},
-{0x6a,0xbe,0xd4,0x6a}, {0xcb,0x46,0x8d,0xcb}, {0xbe,0xd9,0x67,0xbe}, {0x39,0x4b,0x72,0x39},
-{0x4a,0xde,0x94,0x4a}, {0x4c,0xd4,0x98,0x4c}, {0x58,0xe8,0xb0,0x58}, {0xcf,0x4a,0x85,0xcf},
-{0xd0,0x6b,0xbb,0xd0}, {0xef,0x2a,0xc5,0xef}, {0xaa,0xe5,0x4f,0xaa}, {0xfb,0x16,0xed,0xfb},
-{0x43,0xc5,0x86,0x43}, {0x4d,0xd7,0x9a,0x4d}, {0x33,0x55,0x66,0x33}, {0x85,0x94,0x11,0x85},
-{0x45,0xcf,0x8a,0x45}, {0xf9,0x10,0xe9,0xf9}, {0x02,0x06,0x04,0x02}, {0x7f,0x81,0xfe,0x7f},
-{0x50,0xf0,0xa0,0x50}, {0x3c,0x44,0x78,0x3c}, {0x9f,0xba,0x25,0x9f}, {0xa8,0xe3,0x4b,0xa8},
-{0x51,0xf3,0xa2,0x51}, {0xa3,0xfe,0x5d,0xa3}, {0x40,0xc0,0x80,0x40}, {0x8f,0x8a,0x05,0x8f},
-{0x92,0xad,0x3f,0x92}, {0x9d,0xbc,0x21,0x9d}, {0x38,0x48,0x70,0x38}, {0xf5,0x04,0xf1,0xf5},
-{0xbc,0xdf,0x63,0xbc}, {0xb6,0xc1,0x77,0xb6}, {0xda,0x75,0xaf,0xda}, {0x21,0x63,0x42,0x21},
-{0x10,0x30,0x20,0x10}, {0xff,0x1a,0xe5,0xff}, {0xf3,0x0e,0xfd,0xf3}, {0xd2,0x6d,0xbf,0xd2},
-{0xcd,0x4c,0x81,0xcd}, {0x0c,0x14,0x18,0x0c}, {0x13,0x35,0x26,0x13}, {0xec,0x2f,0xc3,0xec},
-{0x5f,0xe1,0xbe,0x5f}, {0x97,0xa2,0x35,0x97}, {0x44,0xcc,0x88,0x44}, {0x17,0x39,0x2e,0x17},
-{0xc4,0x57,0x93,0xc4}, {0xa7,0xf2,0x55,0xa7}, {0x7e,0x82,0xfc,0x7e}, {0x3d,0x47,0x7a,0x3d},
-{0x64,0xac,0xc8,0x64}, {0x5d,0xe7,0xba,0x5d}, {0x19,0x2b,0x32,0x19}, {0x73,0x95,0xe6,0x73},
-{0x60,0xa0,0xc0,0x60}, {0x81,0x98,0x19,0x81}, {0x4f,0xd1,0x9e,0x4f}, {0xdc,0x7f,0xa3,0xdc},
-{0x22,0x66,0x44,0x22}, {0x2a,0x7e,0x54,0x2a}, {0x90,0xab,0x3b,0x90}, {0x88,0x83,0x0b,0x88},
-{0x46,0xca,0x8c,0x46}, {0xee,0x29,0xc7,0xee}, {0xb8,0xd3,0x6b,0xb8}, {0x14,0x3c,0x28,0x14},
-{0xde,0x79,0xa7,0xde}, {0x5e,0xe2,0xbc,0x5e}, {0x0b,0x1d,0x16,0x0b}, {0xdb,0x76,0xad,0xdb},
-{0xe0,0x3b,0xdb,0xe0}, {0x32,0x56,0x64,0x32}, {0x3a,0x4e,0x74,0x3a}, {0x0a,0x1e,0x14,0x0a},
-{0x49,0xdb,0x92,0x49}, {0x06,0x0a,0x0c,0x06}, {0x24,0x6c,0x48,0x24}, {0x5c,0xe4,0xb8,0x5c},
-{0xc2,0x5d,0x9f,0xc2}, {0xd3,0x6e,0xbd,0xd3}, {0xac,0xef,0x43,0xac}, {0x62,0xa6,0xc4,0x62},
-{0x91,0xa8,0x39,0x91}, {0x95,0xa4,0x31,0x95}, {0xe4,0x37,0xd3,0xe4}, {0x79,0x8b,0xf2,0x79},
-{0xe7,0x32,0xd5,0xe7}, {0xc8,0x43,0x8b,0xc8}, {0x37,0x59,0x6e,0x37}, {0x6d,0xb7,0xda,0x6d},
-{0x8d,0x8c,0x01,0x8d}, {0xd5,0x64,0xb1,0xd5}, {0x4e,0xd2,0x9c,0x4e}, {0xa9,0xe0,0x49,0xa9},
-{0x6c,0xb4,0xd8,0x6c}, {0x56,0xfa,0xac,0x56}, {0xf4,0x07,0xf3,0xf4}, {0xea,0x25,0xcf,0xea},
-{0x65,0xaf,0xca,0x65}, {0x7a,0x8e,0xf4,0x7a}, {0xae,0xe9,0x47,0xae}, {0x08,0x18,0x10,0x08},
-{0xba,0xd5,0x6f,0xba}, {0x78,0x88,0xf0,0x78}, {0x25,0x6f,0x4a,0x25}, {0x2e,0x72,0x5c,0x2e},
-{0x1c,0x24,0x38,0x1c}, {0xa6,0xf1,0x57,0xa6}, {0xb4,0xc7,0x73,0xb4}, {0xc6,0x51,0x97,0xc6},
-{0xe8,0x23,0xcb,0xe8}, {0xdd,0x7c,0xa1,0xdd}, {0x74,0x9c,0xe8,0x74}, {0x1f,0x21,0x3e,0x1f},
-{0x4b,0xdd,0x96,0x4b}, {0xbd,0xdc,0x61,0xbd}, {0x8b,0x86,0x0d,0x8b}, {0x8a,0x85,0x0f,0x8a},
-{0x70,0x90,0xe0,0x70}, {0x3e,0x42,0x7c,0x3e}, {0xb5,0xc4,0x71,0xb5}, {0x66,0xaa,0xcc,0x66},
-{0x48,0xd8,0x90,0x48}, {0x03,0x05,0x06,0x03}, {0xf6,0x01,0xf7,0xf6}, {0x0e,0x12,0x1c,0x0e},
-{0x61,0xa3,0xc2,0x61}, {0x35,0x5f,0x6a,0x35}, {0x57,0xf9,0xae,0x57}, {0xb9,0xd0,0x69,0xb9},
-{0x86,0x91,0x17,0x86}, {0xc1,0x58,0x99,0xc1}, {0x1d,0x27,0x3a,0x1d}, {0x9e,0xb9,0x27,0x9e},
-{0xe1,0x38,0xd9,0xe1}, {0xf8,0x13,0xeb,0xf8}, {0x98,0xb3,0x2b,0x98}, {0x11,0x33,0x22,0x11},
-{0x69,0xbb,0xd2,0x69}, {0xd9,0x70,0xa9,0xd9}, {0x8e,0x89,0x07,0x8e}, {0x94,0xa7,0x33,0x94},
-{0x9b,0xb6,0x2d,0x9b}, {0x1e,0x22,0x3c,0x1e}, {0x87,0x92,0x15,0x87}, {0xe9,0x20,0xc9,0xe9},
-{0xce,0x49,0x87,0xce}, {0x55,0xff,0xaa,0x55}, {0x28,0x78,0x50,0x28}, {0xdf,0x7a,0xa5,0xdf},
-{0x8c,0x8f,0x03,0x8c}, {0xa1,0xf8,0x59,0xa1}, {0x89,0x80,0x09,0x89}, {0x0d,0x17,0x1a,0x0d},
-{0xbf,0xda,0x65,0xbf}, {0xe6,0x31,0xd7,0xe6}, {0x42,0xc6,0x84,0x42}, {0x68,0xb8,0xd0,0x68},
-{0x41,0xc3,0x82,0x41}, {0x99,0xb0,0x29,0x99}, {0x2d,0x77,0x5a,0x2d}, {0x0f,0x11,0x1e,0x0f},
-{0xb0,0xcb,0x7b,0xb0}, {0x54,0xfc,0xa8,0x54}, {0xbb,0xd6,0x6d,0xbb}, {0x16,0x3a,0x2c,0x16}
- }
-};
-#define T3 xT3.xt8
-
-static const union xtab xT4 = {
- .xt8 = {
-{0x63,0x63,0xa5,0xc6}, {0x7c,0x7c,0x84,0xf8}, {0x77,0x77,0x99,0xee}, {0x7b,0x7b,0x8d,0xf6},
-{0xf2,0xf2,0x0d,0xff}, {0x6b,0x6b,0xbd,0xd6}, {0x6f,0x6f,0xb1,0xde}, {0xc5,0xc5,0x54,0x91},
-{0x30,0x30,0x50,0x60}, {0x01,0x01,0x03,0x02}, {0x67,0x67,0xa9,0xce}, {0x2b,0x2b,0x7d,0x56},
-{0xfe,0xfe,0x19,0xe7}, {0xd7,0xd7,0x62,0xb5}, {0xab,0xab,0xe6,0x4d}, {0x76,0x76,0x9a,0xec},
-{0xca,0xca,0x45,0x8f}, {0x82,0x82,0x9d,0x1f}, {0xc9,0xc9,0x40,0x89}, {0x7d,0x7d,0x87,0xfa},
-{0xfa,0xfa,0x15,0xef}, {0x59,0x59,0xeb,0xb2}, {0x47,0x47,0xc9,0x8e}, {0xf0,0xf0,0x0b,0xfb},
-{0xad,0xad,0xec,0x41}, {0xd4,0xd4,0x67,0xb3}, {0xa2,0xa2,0xfd,0x5f}, {0xaf,0xaf,0xea,0x45},
-{0x9c,0x9c,0xbf,0x23}, {0xa4,0xa4,0xf7,0x53}, {0x72,0x72,0x96,0xe4}, {0xc0,0xc0,0x5b,0x9b},
-{0xb7,0xb7,0xc2,0x75}, {0xfd,0xfd,0x1c,0xe1}, {0x93,0x93,0xae,0x3d}, {0x26,0x26,0x6a,0x4c},
-{0x36,0x36,0x5a,0x6c}, {0x3f,0x3f,0x41,0x7e}, {0xf7,0xf7,0x02,0xf5}, {0xcc,0xcc,0x4f,0x83},
-{0x34,0x34,0x5c,0x68}, {0xa5,0xa5,0xf4,0x51}, {0xe5,0xe5,0x34,0xd1}, {0xf1,0xf1,0x08,0xf9},
-{0x71,0x71,0x93,0xe2}, {0xd8,0xd8,0x73,0xab}, {0x31,0x31,0x53,0x62}, {0x15,0x15,0x3f,0x2a},
-{0x04,0x04,0x0c,0x08}, {0xc7,0xc7,0x52,0x95}, {0x23,0x23,0x65,0x46}, {0xc3,0xc3,0x5e,0x9d},
-{0x18,0x18,0x28,0x30}, {0x96,0x96,0xa1,0x37}, {0x05,0x05,0x0f,0x0a}, {0x9a,0x9a,0xb5,0x2f},
-{0x07,0x07,0x09,0x0e}, {0x12,0x12,0x36,0x24}, {0x80,0x80,0x9b,0x1b}, {0xe2,0xe2,0x3d,0xdf},
-{0xeb,0xeb,0x26,0xcd}, {0x27,0x27,0x69,0x4e}, {0xb2,0xb2,0xcd,0x7f}, {0x75,0x75,0x9f,0xea},
-{0x09,0x09,0x1b,0x12}, {0x83,0x83,0x9e,0x1d}, {0x2c,0x2c,0x74,0x58}, {0x1a,0x1a,0x2e,0x34},
-{0x1b,0x1b,0x2d,0x36}, {0x6e,0x6e,0xb2,0xdc}, {0x5a,0x5a,0xee,0xb4}, {0xa0,0xa0,0xfb,0x5b},
-{0x52,0x52,0xf6,0xa4}, {0x3b,0x3b,0x4d,0x76}, {0xd6,0xd6,0x61,0xb7}, {0xb3,0xb3,0xce,0x7d},
-{0x29,0x29,0x7b,0x52}, {0xe3,0xe3,0x3e,0xdd}, {0x2f,0x2f,0x71,0x5e}, {0x84,0x84,0x97,0x13},
-{0x53,0x53,0xf5,0xa6}, {0xd1,0xd1,0x68,0xb9}, {0x00,0x00,0x00,0x00}, {0xed,0xed,0x2c,0xc1},
-{0x20,0x20,0x60,0x40}, {0xfc,0xfc,0x1f,0xe3}, {0xb1,0xb1,0xc8,0x79}, {0x5b,0x5b,0xed,0xb6},
-{0x6a,0x6a,0xbe,0xd4}, {0xcb,0xcb,0x46,0x8d}, {0xbe,0xbe,0xd9,0x67}, {0x39,0x39,0x4b,0x72},
-{0x4a,0x4a,0xde,0x94}, {0x4c,0x4c,0xd4,0x98}, {0x58,0x58,0xe8,0xb0}, {0xcf,0xcf,0x4a,0x85},
-{0xd0,0xd0,0x6b,0xbb}, {0xef,0xef,0x2a,0xc5}, {0xaa,0xaa,0xe5,0x4f}, {0xfb,0xfb,0x16,0xed},
-{0x43,0x43,0xc5,0x86}, {0x4d,0x4d,0xd7,0x9a}, {0x33,0x33,0x55,0x66}, {0x85,0x85,0x94,0x11},
-{0x45,0x45,0xcf,0x8a}, {0xf9,0xf9,0x10,0xe9}, {0x02,0x02,0x06,0x04}, {0x7f,0x7f,0x81,0xfe},
-{0x50,0x50,0xf0,0xa0}, {0x3c,0x3c,0x44,0x78}, {0x9f,0x9f,0xba,0x25}, {0xa8,0xa8,0xe3,0x4b},
-{0x51,0x51,0xf3,0xa2}, {0xa3,0xa3,0xfe,0x5d}, {0x40,0x40,0xc0,0x80}, {0x8f,0x8f,0x8a,0x05},
-{0x92,0x92,0xad,0x3f}, {0x9d,0x9d,0xbc,0x21}, {0x38,0x38,0x48,0x70}, {0xf5,0xf5,0x04,0xf1},
-{0xbc,0xbc,0xdf,0x63}, {0xb6,0xb6,0xc1,0x77}, {0xda,0xda,0x75,0xaf}, {0x21,0x21,0x63,0x42},
-{0x10,0x10,0x30,0x20}, {0xff,0xff,0x1a,0xe5}, {0xf3,0xf3,0x0e,0xfd}, {0xd2,0xd2,0x6d,0xbf},
-{0xcd,0xcd,0x4c,0x81}, {0x0c,0x0c,0x14,0x18}, {0x13,0x13,0x35,0x26}, {0xec,0xec,0x2f,0xc3},
-{0x5f,0x5f,0xe1,0xbe}, {0x97,0x97,0xa2,0x35}, {0x44,0x44,0xcc,0x88}, {0x17,0x17,0x39,0x2e},
-{0xc4,0xc4,0x57,0x93}, {0xa7,0xa7,0xf2,0x55}, {0x7e,0x7e,0x82,0xfc}, {0x3d,0x3d,0x47,0x7a},
-{0x64,0x64,0xac,0xc8}, {0x5d,0x5d,0xe7,0xba}, {0x19,0x19,0x2b,0x32}, {0x73,0x73,0x95,0xe6},
-{0x60,0x60,0xa0,0xc0}, {0x81,0x81,0x98,0x19}, {0x4f,0x4f,0xd1,0x9e}, {0xdc,0xdc,0x7f,0xa3},
-{0x22,0x22,0x66,0x44}, {0x2a,0x2a,0x7e,0x54}, {0x90,0x90,0xab,0x3b}, {0x88,0x88,0x83,0x0b},
-{0x46,0x46,0xca,0x8c}, {0xee,0xee,0x29,0xc7}, {0xb8,0xb8,0xd3,0x6b}, {0x14,0x14,0x3c,0x28},
-{0xde,0xde,0x79,0xa7}, {0x5e,0x5e,0xe2,0xbc}, {0x0b,0x0b,0x1d,0x16}, {0xdb,0xdb,0x76,0xad},
-{0xe0,0xe0,0x3b,0xdb}, {0x32,0x32,0x56,0x64}, {0x3a,0x3a,0x4e,0x74}, {0x0a,0x0a,0x1e,0x14},
-{0x49,0x49,0xdb,0x92}, {0x06,0x06,0x0a,0x0c}, {0x24,0x24,0x6c,0x48}, {0x5c,0x5c,0xe4,0xb8},
-{0xc2,0xc2,0x5d,0x9f}, {0xd3,0xd3,0x6e,0xbd}, {0xac,0xac,0xef,0x43}, {0x62,0x62,0xa6,0xc4},
-{0x91,0x91,0xa8,0x39}, {0x95,0x95,0xa4,0x31}, {0xe4,0xe4,0x37,0xd3}, {0x79,0x79,0x8b,0xf2},
-{0xe7,0xe7,0x32,0xd5}, {0xc8,0xc8,0x43,0x8b}, {0x37,0x37,0x59,0x6e}, {0x6d,0x6d,0xb7,0xda},
-{0x8d,0x8d,0x8c,0x01}, {0xd5,0xd5,0x64,0xb1}, {0x4e,0x4e,0xd2,0x9c}, {0xa9,0xa9,0xe0,0x49},
-{0x6c,0x6c,0xb4,0xd8}, {0x56,0x56,0xfa,0xac}, {0xf4,0xf4,0x07,0xf3}, {0xea,0xea,0x25,0xcf},
-{0x65,0x65,0xaf,0xca}, {0x7a,0x7a,0x8e,0xf4}, {0xae,0xae,0xe9,0x47}, {0x08,0x08,0x18,0x10},
-{0xba,0xba,0xd5,0x6f}, {0x78,0x78,0x88,0xf0}, {0x25,0x25,0x6f,0x4a}, {0x2e,0x2e,0x72,0x5c},
-{0x1c,0x1c,0x24,0x38}, {0xa6,0xa6,0xf1,0x57}, {0xb4,0xb4,0xc7,0x73}, {0xc6,0xc6,0x51,0x97},
-{0xe8,0xe8,0x23,0xcb}, {0xdd,0xdd,0x7c,0xa1}, {0x74,0x74,0x9c,0xe8}, {0x1f,0x1f,0x21,0x3e},
-{0x4b,0x4b,0xdd,0x96}, {0xbd,0xbd,0xdc,0x61}, {0x8b,0x8b,0x86,0x0d}, {0x8a,0x8a,0x85,0x0f},
-{0x70,0x70,0x90,0xe0}, {0x3e,0x3e,0x42,0x7c}, {0xb5,0xb5,0xc4,0x71}, {0x66,0x66,0xaa,0xcc},
-{0x48,0x48,0xd8,0x90}, {0x03,0x03,0x05,0x06}, {0xf6,0xf6,0x01,0xf7}, {0x0e,0x0e,0x12,0x1c},
-{0x61,0x61,0xa3,0xc2}, {0x35,0x35,0x5f,0x6a}, {0x57,0x57,0xf9,0xae}, {0xb9,0xb9,0xd0,0x69},
-{0x86,0x86,0x91,0x17}, {0xc1,0xc1,0x58,0x99}, {0x1d,0x1d,0x27,0x3a}, {0x9e,0x9e,0xb9,0x27},
-{0xe1,0xe1,0x38,0xd9}, {0xf8,0xf8,0x13,0xeb}, {0x98,0x98,0xb3,0x2b}, {0x11,0x11,0x33,0x22},
-{0x69,0x69,0xbb,0xd2}, {0xd9,0xd9,0x70,0xa9}, {0x8e,0x8e,0x89,0x07}, {0x94,0x94,0xa7,0x33},
-{0x9b,0x9b,0xb6,0x2d}, {0x1e,0x1e,0x22,0x3c}, {0x87,0x87,0x92,0x15}, {0xe9,0xe9,0x20,0xc9},
-{0xce,0xce,0x49,0x87}, {0x55,0x55,0xff,0xaa}, {0x28,0x28,0x78,0x50}, {0xdf,0xdf,0x7a,0xa5},
-{0x8c,0x8c,0x8f,0x03}, {0xa1,0xa1,0xf8,0x59}, {0x89,0x89,0x80,0x09}, {0x0d,0x0d,0x17,0x1a},
-{0xbf,0xbf,0xda,0x65}, {0xe6,0xe6,0x31,0xd7}, {0x42,0x42,0xc6,0x84}, {0x68,0x68,0xb8,0xd0},
-{0x41,0x41,0xc3,0x82}, {0x99,0x99,0xb0,0x29}, {0x2d,0x2d,0x77,0x5a}, {0x0f,0x0f,0x11,0x1e},
-{0xb0,0xb0,0xcb,0x7b}, {0x54,0x54,0xfc,0xa8}, {0xbb,0xbb,0xd6,0x6d}, {0x16,0x16,0x3a,0x2c}
- }
-};
-#define T4 xT4.xt8
-
-static const union xtab xT5 = {
- .xt8 = {
-{0x51,0xf4,0xa7,0x50}, {0x7e,0x41,0x65,0x53}, {0x1a,0x17,0xa4,0xc3}, {0x3a,0x27,0x5e,0x96},
-{0x3b,0xab,0x6b,0xcb}, {0x1f,0x9d,0x45,0xf1}, {0xac,0xfa,0x58,0xab}, {0x4b,0xe3,0x03,0x93},
-{0x20,0x30,0xfa,0x55}, {0xad,0x76,0x6d,0xf6}, {0x88,0xcc,0x76,0x91}, {0xf5,0x02,0x4c,0x25},
-{0x4f,0xe5,0xd7,0xfc}, {0xc5,0x2a,0xcb,0xd7}, {0x26,0x35,0x44,0x80}, {0xb5,0x62,0xa3,0x8f},
-{0xde,0xb1,0x5a,0x49}, {0x25,0xba,0x1b,0x67}, {0x45,0xea,0x0e,0x98}, {0x5d,0xfe,0xc0,0xe1},
-{0xc3,0x2f,0x75,0x02}, {0x81,0x4c,0xf0,0x12}, {0x8d,0x46,0x97,0xa3}, {0x6b,0xd3,0xf9,0xc6},
-{0x03,0x8f,0x5f,0xe7}, {0x15,0x92,0x9c,0x95}, {0xbf,0x6d,0x7a,0xeb}, {0x95,0x52,0x59,0xda},
-{0xd4,0xbe,0x83,0x2d}, {0x58,0x74,0x21,0xd3}, {0x49,0xe0,0x69,0x29}, {0x8e,0xc9,0xc8,0x44},
-{0x75,0xc2,0x89,0x6a}, {0xf4,0x8e,0x79,0x78}, {0x99,0x58,0x3e,0x6b}, {0x27,0xb9,0x71,0xdd},
-{0xbe,0xe1,0x4f,0xb6}, {0xf0,0x88,0xad,0x17}, {0xc9,0x20,0xac,0x66}, {0x7d,0xce,0x3a,0xb4},
-{0x63,0xdf,0x4a,0x18}, {0xe5,0x1a,0x31,0x82}, {0x97,0x51,0x33,0x60}, {0x62,0x53,0x7f,0x45},
-{0xb1,0x64,0x77,0xe0}, {0xbb,0x6b,0xae,0x84}, {0xfe,0x81,0xa0,0x1c}, {0xf9,0x08,0x2b,0x94},
-{0x70,0x48,0x68,0x58}, {0x8f,0x45,0xfd,0x19}, {0x94,0xde,0x6c,0x87}, {0x52,0x7b,0xf8,0xb7},
-{0xab,0x73,0xd3,0x23}, {0x72,0x4b,0x02,0xe2}, {0xe3,0x1f,0x8f,0x57}, {0x66,0x55,0xab,0x2a},
-{0xb2,0xeb,0x28,0x07}, {0x2f,0xb5,0xc2,0x03}, {0x86,0xc5,0x7b,0x9a}, {0xd3,0x37,0x08,0xa5},
-{0x30,0x28,0x87,0xf2}, {0x23,0xbf,0xa5,0xb2}, {0x02,0x03,0x6a,0xba}, {0xed,0x16,0x82,0x5c},
-{0x8a,0xcf,0x1c,0x2b}, {0xa7,0x79,0xb4,0x92}, {0xf3,0x07,0xf2,0xf0}, {0x4e,0x69,0xe2,0xa1},
-{0x65,0xda,0xf4,0xcd}, {0x06,0x05,0xbe,0xd5}, {0xd1,0x34,0x62,0x1f}, {0xc4,0xa6,0xfe,0x8a},
-{0x34,0x2e,0x53,0x9d}, {0xa2,0xf3,0x55,0xa0}, {0x05,0x8a,0xe1,0x32}, {0xa4,0xf6,0xeb,0x75},
-{0x0b,0x83,0xec,0x39}, {0x40,0x60,0xef,0xaa}, {0x5e,0x71,0x9f,0x06}, {0xbd,0x6e,0x10,0x51},
-{0x3e,0x21,0x8a,0xf9}, {0x96,0xdd,0x06,0x3d}, {0xdd,0x3e,0x05,0xae}, {0x4d,0xe6,0xbd,0x46},
-{0x91,0x54,0x8d,0xb5}, {0x71,0xc4,0x5d,0x05}, {0x04,0x06,0xd4,0x6f}, {0x60,0x50,0x15,0xff},
-{0x19,0x98,0xfb,0x24}, {0xd6,0xbd,0xe9,0x97}, {0x89,0x40,0x43,0xcc}, {0x67,0xd9,0x9e,0x77},
-{0xb0,0xe8,0x42,0xbd}, {0x07,0x89,0x8b,0x88}, {0xe7,0x19,0x5b,0x38}, {0x79,0xc8,0xee,0xdb},
-{0xa1,0x7c,0x0a,0x47}, {0x7c,0x42,0x0f,0xe9}, {0xf8,0x84,0x1e,0xc9}, {0x00,0x00,0x00,0x00},
-{0x09,0x80,0x86,0x83}, {0x32,0x2b,0xed,0x48}, {0x1e,0x11,0x70,0xac}, {0x6c,0x5a,0x72,0x4e},
-{0xfd,0x0e,0xff,0xfb}, {0x0f,0x85,0x38,0x56}, {0x3d,0xae,0xd5,0x1e}, {0x36,0x2d,0x39,0x27},
-{0x0a,0x0f,0xd9,0x64}, {0x68,0x5c,0xa6,0x21}, {0x9b,0x5b,0x54,0xd1}, {0x24,0x36,0x2e,0x3a},
-{0x0c,0x0a,0x67,0xb1}, {0x93,0x57,0xe7,0x0f}, {0xb4,0xee,0x96,0xd2}, {0x1b,0x9b,0x91,0x9e},
-{0x80,0xc0,0xc5,0x4f}, {0x61,0xdc,0x20,0xa2}, {0x5a,0x77,0x4b,0x69}, {0x1c,0x12,0x1a,0x16},
-{0xe2,0x93,0xba,0x0a}, {0xc0,0xa0,0x2a,0xe5}, {0x3c,0x22,0xe0,0x43}, {0x12,0x1b,0x17,0x1d},
-{0x0e,0x09,0x0d,0x0b}, {0xf2,0x8b,0xc7,0xad}, {0x2d,0xb6,0xa8,0xb9}, {0x14,0x1e,0xa9,0xc8},
-{0x57,0xf1,0x19,0x85}, {0xaf,0x75,0x07,0x4c}, {0xee,0x99,0xdd,0xbb}, {0xa3,0x7f,0x60,0xfd},
-{0xf7,0x01,0x26,0x9f}, {0x5c,0x72,0xf5,0xbc}, {0x44,0x66,0x3b,0xc5}, {0x5b,0xfb,0x7e,0x34},
-{0x8b,0x43,0x29,0x76}, {0xcb,0x23,0xc6,0xdc}, {0xb6,0xed,0xfc,0x68}, {0xb8,0xe4,0xf1,0x63},
-{0xd7,0x31,0xdc,0xca}, {0x42,0x63,0x85,0x10}, {0x13,0x97,0x22,0x40}, {0x84,0xc6,0x11,0x20},
-{0x85,0x4a,0x24,0x7d}, {0xd2,0xbb,0x3d,0xf8}, {0xae,0xf9,0x32,0x11}, {0xc7,0x29,0xa1,0x6d},
-{0x1d,0x9e,0x2f,0x4b}, {0xdc,0xb2,0x30,0xf3}, {0x0d,0x86,0x52,0xec}, {0x77,0xc1,0xe3,0xd0},
-{0x2b,0xb3,0x16,0x6c}, {0xa9,0x70,0xb9,0x99}, {0x11,0x94,0x48,0xfa}, {0x47,0xe9,0x64,0x22},
-{0xa8,0xfc,0x8c,0xc4}, {0xa0,0xf0,0x3f,0x1a}, {0x56,0x7d,0x2c,0xd8}, {0x22,0x33,0x90,0xef},
-{0x87,0x49,0x4e,0xc7}, {0xd9,0x38,0xd1,0xc1}, {0x8c,0xca,0xa2,0xfe}, {0x98,0xd4,0x0b,0x36},
-{0xa6,0xf5,0x81,0xcf}, {0xa5,0x7a,0xde,0x28}, {0xda,0xb7,0x8e,0x26}, {0x3f,0xad,0xbf,0xa4},
-{0x2c,0x3a,0x9d,0xe4}, {0x50,0x78,0x92,0x0d}, {0x6a,0x5f,0xcc,0x9b}, {0x54,0x7e,0x46,0x62},
-{0xf6,0x8d,0x13,0xc2}, {0x90,0xd8,0xb8,0xe8}, {0x2e,0x39,0xf7,0x5e}, {0x82,0xc3,0xaf,0xf5},
-{0x9f,0x5d,0x80,0xbe}, {0x69,0xd0,0x93,0x7c}, {0x6f,0xd5,0x2d,0xa9}, {0xcf,0x25,0x12,0xb3},
-{0xc8,0xac,0x99,0x3b}, {0x10,0x18,0x7d,0xa7}, {0xe8,0x9c,0x63,0x6e}, {0xdb,0x3b,0xbb,0x7b},
-{0xcd,0x26,0x78,0x09}, {0x6e,0x59,0x18,0xf4}, {0xec,0x9a,0xb7,0x01}, {0x83,0x4f,0x9a,0xa8},
-{0xe6,0x95,0x6e,0x65}, {0xaa,0xff,0xe6,0x7e}, {0x21,0xbc,0xcf,0x08}, {0xef,0x15,0xe8,0xe6},
-{0xba,0xe7,0x9b,0xd9}, {0x4a,0x6f,0x36,0xce}, {0xea,0x9f,0x09,0xd4}, {0x29,0xb0,0x7c,0xd6},
-{0x31,0xa4,0xb2,0xaf}, {0x2a,0x3f,0x23,0x31}, {0xc6,0xa5,0x94,0x30}, {0x35,0xa2,0x66,0xc0},
-{0x74,0x4e,0xbc,0x37}, {0xfc,0x82,0xca,0xa6}, {0xe0,0x90,0xd0,0xb0}, {0x33,0xa7,0xd8,0x15},
-{0xf1,0x04,0x98,0x4a}, {0x41,0xec,0xda,0xf7}, {0x7f,0xcd,0x50,0x0e}, {0x17,0x91,0xf6,0x2f},
-{0x76,0x4d,0xd6,0x8d}, {0x43,0xef,0xb0,0x4d}, {0xcc,0xaa,0x4d,0x54}, {0xe4,0x96,0x04,0xdf},
-{0x9e,0xd1,0xb5,0xe3}, {0x4c,0x6a,0x88,0x1b}, {0xc1,0x2c,0x1f,0xb8}, {0x46,0x65,0x51,0x7f},
-{0x9d,0x5e,0xea,0x04}, {0x01,0x8c,0x35,0x5d}, {0xfa,0x87,0x74,0x73}, {0xfb,0x0b,0x41,0x2e},
-{0xb3,0x67,0x1d,0x5a}, {0x92,0xdb,0xd2,0x52}, {0xe9,0x10,0x56,0x33}, {0x6d,0xd6,0x47,0x13},
-{0x9a,0xd7,0x61,0x8c}, {0x37,0xa1,0x0c,0x7a}, {0x59,0xf8,0x14,0x8e}, {0xeb,0x13,0x3c,0x89},
-{0xce,0xa9,0x27,0xee}, {0xb7,0x61,0xc9,0x35}, {0xe1,0x1c,0xe5,0xed}, {0x7a,0x47,0xb1,0x3c},
-{0x9c,0xd2,0xdf,0x59}, {0x55,0xf2,0x73,0x3f}, {0x18,0x14,0xce,0x79}, {0x73,0xc7,0x37,0xbf},
-{0x53,0xf7,0xcd,0xea}, {0x5f,0xfd,0xaa,0x5b}, {0xdf,0x3d,0x6f,0x14}, {0x78,0x44,0xdb,0x86},
-{0xca,0xaf,0xf3,0x81}, {0xb9,0x68,0xc4,0x3e}, {0x38,0x24,0x34,0x2c}, {0xc2,0xa3,0x40,0x5f},
-{0x16,0x1d,0xc3,0x72}, {0xbc,0xe2,0x25,0x0c}, {0x28,0x3c,0x49,0x8b}, {0xff,0x0d,0x95,0x41},
-{0x39,0xa8,0x01,0x71}, {0x08,0x0c,0xb3,0xde}, {0xd8,0xb4,0xe4,0x9c}, {0x64,0x56,0xc1,0x90},
-{0x7b,0xcb,0x84,0x61}, {0xd5,0x32,0xb6,0x70}, {0x48,0x6c,0x5c,0x74}, {0xd0,0xb8,0x57,0x42}
- }
-};
-#define T5 xT5.xt8
-
-static const union xtab xT6 = {
- .xt8 = {
-{0x50,0x51,0xf4,0xa7}, {0x53,0x7e,0x41,0x65}, {0xc3,0x1a,0x17,0xa4}, {0x96,0x3a,0x27,0x5e},
-{0xcb,0x3b,0xab,0x6b}, {0xf1,0x1f,0x9d,0x45}, {0xab,0xac,0xfa,0x58}, {0x93,0x4b,0xe3,0x03},
-{0x55,0x20,0x30,0xfa}, {0xf6,0xad,0x76,0x6d}, {0x91,0x88,0xcc,0x76}, {0x25,0xf5,0x02,0x4c},
-{0xfc,0x4f,0xe5,0xd7}, {0xd7,0xc5,0x2a,0xcb}, {0x80,0x26,0x35,0x44}, {0x8f,0xb5,0x62,0xa3},
-{0x49,0xde,0xb1,0x5a}, {0x67,0x25,0xba,0x1b}, {0x98,0x45,0xea,0x0e}, {0xe1,0x5d,0xfe,0xc0},
-{0x02,0xc3,0x2f,0x75}, {0x12,0x81,0x4c,0xf0}, {0xa3,0x8d,0x46,0x97}, {0xc6,0x6b,0xd3,0xf9},
-{0xe7,0x03,0x8f,0x5f}, {0x95,0x15,0x92,0x9c}, {0xeb,0xbf,0x6d,0x7a}, {0xda,0x95,0x52,0x59},
-{0x2d,0xd4,0xbe,0x83}, {0xd3,0x58,0x74,0x21}, {0x29,0x49,0xe0,0x69}, {0x44,0x8e,0xc9,0xc8},
-{0x6a,0x75,0xc2,0x89}, {0x78,0xf4,0x8e,0x79}, {0x6b,0x99,0x58,0x3e}, {0xdd,0x27,0xb9,0x71},
-{0xb6,0xbe,0xe1,0x4f}, {0x17,0xf0,0x88,0xad}, {0x66,0xc9,0x20,0xac}, {0xb4,0x7d,0xce,0x3a},
-{0x18,0x63,0xdf,0x4a}, {0x82,0xe5,0x1a,0x31}, {0x60,0x97,0x51,0x33}, {0x45,0x62,0x53,0x7f},
-{0xe0,0xb1,0x64,0x77}, {0x84,0xbb,0x6b,0xae}, {0x1c,0xfe,0x81,0xa0}, {0x94,0xf9,0x08,0x2b},
-{0x58,0x70,0x48,0x68}, {0x19,0x8f,0x45,0xfd}, {0x87,0x94,0xde,0x6c}, {0xb7,0x52,0x7b,0xf8},
-{0x23,0xab,0x73,0xd3}, {0xe2,0x72,0x4b,0x02}, {0x57,0xe3,0x1f,0x8f}, {0x2a,0x66,0x55,0xab},
-{0x07,0xb2,0xeb,0x28}, {0x03,0x2f,0xb5,0xc2}, {0x9a,0x86,0xc5,0x7b}, {0xa5,0xd3,0x37,0x08},
-{0xf2,0x30,0x28,0x87}, {0xb2,0x23,0xbf,0xa5}, {0xba,0x02,0x03,0x6a}, {0x5c,0xed,0x16,0x82},
-{0x2b,0x8a,0xcf,0x1c}, {0x92,0xa7,0x79,0xb4}, {0xf0,0xf3,0x07,0xf2}, {0xa1,0x4e,0x69,0xe2},
-{0xcd,0x65,0xda,0xf4}, {0xd5,0x06,0x05,0xbe}, {0x1f,0xd1,0x34,0x62}, {0x8a,0xc4,0xa6,0xfe},
-{0x9d,0x34,0x2e,0x53}, {0xa0,0xa2,0xf3,0x55}, {0x32,0x05,0x8a,0xe1}, {0x75,0xa4,0xf6,0xeb},
-{0x39,0x0b,0x83,0xec}, {0xaa,0x40,0x60,0xef}, {0x06,0x5e,0x71,0x9f}, {0x51,0xbd,0x6e,0x10},
-{0xf9,0x3e,0x21,0x8a}, {0x3d,0x96,0xdd,0x06}, {0xae,0xdd,0x3e,0x05}, {0x46,0x4d,0xe6,0xbd},
-{0xb5,0x91,0x54,0x8d}, {0x05,0x71,0xc4,0x5d}, {0x6f,0x04,0x06,0xd4}, {0xff,0x60,0x50,0x15},
-{0x24,0x19,0x98,0xfb}, {0x97,0xd6,0xbd,0xe9}, {0xcc,0x89,0x40,0x43}, {0x77,0x67,0xd9,0x9e},
-{0xbd,0xb0,0xe8,0x42}, {0x88,0x07,0x89,0x8b}, {0x38,0xe7,0x19,0x5b}, {0xdb,0x79,0xc8,0xee},
-{0x47,0xa1,0x7c,0x0a}, {0xe9,0x7c,0x42,0x0f}, {0xc9,0xf8,0x84,0x1e}, {0x00,0x00,0x00,0x00},
-{0x83,0x09,0x80,0x86}, {0x48,0x32,0x2b,0xed}, {0xac,0x1e,0x11,0x70}, {0x4e,0x6c,0x5a,0x72},
-{0xfb,0xfd,0x0e,0xff}, {0x56,0x0f,0x85,0x38}, {0x1e,0x3d,0xae,0xd5}, {0x27,0x36,0x2d,0x39},
-{0x64,0x0a,0x0f,0xd9}, {0x21,0x68,0x5c,0xa6}, {0xd1,0x9b,0x5b,0x54}, {0x3a,0x24,0x36,0x2e},
-{0xb1,0x0c,0x0a,0x67}, {0x0f,0x93,0x57,0xe7}, {0xd2,0xb4,0xee,0x96}, {0x9e,0x1b,0x9b,0x91},
-{0x4f,0x80,0xc0,0xc5}, {0xa2,0x61,0xdc,0x20}, {0x69,0x5a,0x77,0x4b}, {0x16,0x1c,0x12,0x1a},
-{0x0a,0xe2,0x93,0xba}, {0xe5,0xc0,0xa0,0x2a}, {0x43,0x3c,0x22,0xe0}, {0x1d,0x12,0x1b,0x17},
-{0x0b,0x0e,0x09,0x0d}, {0xad,0xf2,0x8b,0xc7}, {0xb9,0x2d,0xb6,0xa8}, {0xc8,0x14,0x1e,0xa9},
-{0x85,0x57,0xf1,0x19}, {0x4c,0xaf,0x75,0x07}, {0xbb,0xee,0x99,0xdd}, {0xfd,0xa3,0x7f,0x60},
-{0x9f,0xf7,0x01,0x26}, {0xbc,0x5c,0x72,0xf5}, {0xc5,0x44,0x66,0x3b}, {0x34,0x5b,0xfb,0x7e},
-{0x76,0x8b,0x43,0x29}, {0xdc,0xcb,0x23,0xc6}, {0x68,0xb6,0xed,0xfc}, {0x63,0xb8,0xe4,0xf1},
-{0xca,0xd7,0x31,0xdc}, {0x10,0x42,0x63,0x85}, {0x40,0x13,0x97,0x22}, {0x20,0x84,0xc6,0x11},
-{0x7d,0x85,0x4a,0x24}, {0xf8,0xd2,0xbb,0x3d}, {0x11,0xae,0xf9,0x32}, {0x6d,0xc7,0x29,0xa1},
-{0x4b,0x1d,0x9e,0x2f}, {0xf3,0xdc,0xb2,0x30}, {0xec,0x0d,0x86,0x52}, {0xd0,0x77,0xc1,0xe3},
-{0x6c,0x2b,0xb3,0x16}, {0x99,0xa9,0x70,0xb9}, {0xfa,0x11,0x94,0x48}, {0x22,0x47,0xe9,0x64},
-{0xc4,0xa8,0xfc,0x8c}, {0x1a,0xa0,0xf0,0x3f}, {0xd8,0x56,0x7d,0x2c}, {0xef,0x22,0x33,0x90},
-{0xc7,0x87,0x49,0x4e}, {0xc1,0xd9,0x38,0xd1}, {0xfe,0x8c,0xca,0xa2}, {0x36,0x98,0xd4,0x0b},
-{0xcf,0xa6,0xf5,0x81}, {0x28,0xa5,0x7a,0xde}, {0x26,0xda,0xb7,0x8e}, {0xa4,0x3f,0xad,0xbf},
-{0xe4,0x2c,0x3a,0x9d}, {0x0d,0x50,0x78,0x92}, {0x9b,0x6a,0x5f,0xcc}, {0x62,0x54,0x7e,0x46},
-{0xc2,0xf6,0x8d,0x13}, {0xe8,0x90,0xd8,0xb8}, {0x5e,0x2e,0x39,0xf7}, {0xf5,0x82,0xc3,0xaf},
-{0xbe,0x9f,0x5d,0x80}, {0x7c,0x69,0xd0,0x93}, {0xa9,0x6f,0xd5,0x2d}, {0xb3,0xcf,0x25,0x12},
-{0x3b,0xc8,0xac,0x99}, {0xa7,0x10,0x18,0x7d}, {0x6e,0xe8,0x9c,0x63}, {0x7b,0xdb,0x3b,0xbb},
-{0x09,0xcd,0x26,0x78}, {0xf4,0x6e,0x59,0x18}, {0x01,0xec,0x9a,0xb7}, {0xa8,0x83,0x4f,0x9a},
-{0x65,0xe6,0x95,0x6e}, {0x7e,0xaa,0xff,0xe6}, {0x08,0x21,0xbc,0xcf}, {0xe6,0xef,0x15,0xe8},
-{0xd9,0xba,0xe7,0x9b}, {0xce,0x4a,0x6f,0x36}, {0xd4,0xea,0x9f,0x09}, {0xd6,0x29,0xb0,0x7c},
-{0xaf,0x31,0xa4,0xb2}, {0x31,0x2a,0x3f,0x23}, {0x30,0xc6,0xa5,0x94}, {0xc0,0x35,0xa2,0x66},
-{0x37,0x74,0x4e,0xbc}, {0xa6,0xfc,0x82,0xca}, {0xb0,0xe0,0x90,0xd0}, {0x15,0x33,0xa7,0xd8},
-{0x4a,0xf1,0x04,0x98}, {0xf7,0x41,0xec,0xda}, {0x0e,0x7f,0xcd,0x50}, {0x2f,0x17,0x91,0xf6},
-{0x8d,0x76,0x4d,0xd6}, {0x4d,0x43,0xef,0xb0}, {0x54,0xcc,0xaa,0x4d}, {0xdf,0xe4,0x96,0x04},
-{0xe3,0x9e,0xd1,0xb5}, {0x1b,0x4c,0x6a,0x88}, {0xb8,0xc1,0x2c,0x1f}, {0x7f,0x46,0x65,0x51},
-{0x04,0x9d,0x5e,0xea}, {0x5d,0x01,0x8c,0x35}, {0x73,0xfa,0x87,0x74}, {0x2e,0xfb,0x0b,0x41},
-{0x5a,0xb3,0x67,0x1d}, {0x52,0x92,0xdb,0xd2}, {0x33,0xe9,0x10,0x56}, {0x13,0x6d,0xd6,0x47},
-{0x8c,0x9a,0xd7,0x61}, {0x7a,0x37,0xa1,0x0c}, {0x8e,0x59,0xf8,0x14}, {0x89,0xeb,0x13,0x3c},
-{0xee,0xce,0xa9,0x27}, {0x35,0xb7,0x61,0xc9}, {0xed,0xe1,0x1c,0xe5}, {0x3c,0x7a,0x47,0xb1},
-{0x59,0x9c,0xd2,0xdf}, {0x3f,0x55,0xf2,0x73}, {0x79,0x18,0x14,0xce}, {0xbf,0x73,0xc7,0x37},
-{0xea,0x53,0xf7,0xcd}, {0x5b,0x5f,0xfd,0xaa}, {0x14,0xdf,0x3d,0x6f}, {0x86,0x78,0x44,0xdb},
-{0x81,0xca,0xaf,0xf3}, {0x3e,0xb9,0x68,0xc4}, {0x2c,0x38,0x24,0x34}, {0x5f,0xc2,0xa3,0x40},
-{0x72,0x16,0x1d,0xc3}, {0x0c,0xbc,0xe2,0x25}, {0x8b,0x28,0x3c,0x49}, {0x41,0xff,0x0d,0x95},
-{0x71,0x39,0xa8,0x01}, {0xde,0x08,0x0c,0xb3}, {0x9c,0xd8,0xb4,0xe4}, {0x90,0x64,0x56,0xc1},
-{0x61,0x7b,0xcb,0x84}, {0x70,0xd5,0x32,0xb6}, {0x74,0x48,0x6c,0x5c}, {0x42,0xd0,0xb8,0x57}
- }
-};
-#define T6 xT6.xt8
-
-static const union xtab xT7 = {
- .xt8 = {
-{0xa7,0x50,0x51,0xf4}, {0x65,0x53,0x7e,0x41}, {0xa4,0xc3,0x1a,0x17}, {0x5e,0x96,0x3a,0x27},
-{0x6b,0xcb,0x3b,0xab}, {0x45,0xf1,0x1f,0x9d}, {0x58,0xab,0xac,0xfa}, {0x03,0x93,0x4b,0xe3},
-{0xfa,0x55,0x20,0x30}, {0x6d,0xf6,0xad,0x76}, {0x76,0x91,0x88,0xcc}, {0x4c,0x25,0xf5,0x02},
-{0xd7,0xfc,0x4f,0xe5}, {0xcb,0xd7,0xc5,0x2a}, {0x44,0x80,0x26,0x35}, {0xa3,0x8f,0xb5,0x62},
-{0x5a,0x49,0xde,0xb1}, {0x1b,0x67,0x25,0xba}, {0x0e,0x98,0x45,0xea}, {0xc0,0xe1,0x5d,0xfe},
-{0x75,0x02,0xc3,0x2f}, {0xf0,0x12,0x81,0x4c}, {0x97,0xa3,0x8d,0x46}, {0xf9,0xc6,0x6b,0xd3},
-{0x5f,0xe7,0x03,0x8f}, {0x9c,0x95,0x15,0x92}, {0x7a,0xeb,0xbf,0x6d}, {0x59,0xda,0x95,0x52},
-{0x83,0x2d,0xd4,0xbe}, {0x21,0xd3,0x58,0x74}, {0x69,0x29,0x49,0xe0}, {0xc8,0x44,0x8e,0xc9},
-{0x89,0x6a,0x75,0xc2}, {0x79,0x78,0xf4,0x8e}, {0x3e,0x6b,0x99,0x58}, {0x71,0xdd,0x27,0xb9},
-{0x4f,0xb6,0xbe,0xe1}, {0xad,0x17,0xf0,0x88}, {0xac,0x66,0xc9,0x20}, {0x3a,0xb4,0x7d,0xce},
-{0x4a,0x18,0x63,0xdf}, {0x31,0x82,0xe5,0x1a}, {0x33,0x60,0x97,0x51}, {0x7f,0x45,0x62,0x53},
-{0x77,0xe0,0xb1,0x64}, {0xae,0x84,0xbb,0x6b}, {0xa0,0x1c,0xfe,0x81}, {0x2b,0x94,0xf9,0x08},
-{0x68,0x58,0x70,0x48}, {0xfd,0x19,0x8f,0x45}, {0x6c,0x87,0x94,0xde}, {0xf8,0xb7,0x52,0x7b},
-{0xd3,0x23,0xab,0x73}, {0x02,0xe2,0x72,0x4b}, {0x8f,0x57,0xe3,0x1f}, {0xab,0x2a,0x66,0x55},
-{0x28,0x07,0xb2,0xeb}, {0xc2,0x03,0x2f,0xb5}, {0x7b,0x9a,0x86,0xc5}, {0x08,0xa5,0xd3,0x37},
-{0x87,0xf2,0x30,0x28}, {0xa5,0xb2,0x23,0xbf}, {0x6a,0xba,0x02,0x03}, {0x82,0x5c,0xed,0x16},
-{0x1c,0x2b,0x8a,0xcf}, {0xb4,0x92,0xa7,0x79}, {0xf2,0xf0,0xf3,0x07}, {0xe2,0xa1,0x4e,0x69},
-{0xf4,0xcd,0x65,0xda}, {0xbe,0xd5,0x06,0x05}, {0x62,0x1f,0xd1,0x34}, {0xfe,0x8a,0xc4,0xa6},
-{0x53,0x9d,0x34,0x2e}, {0x55,0xa0,0xa2,0xf3}, {0xe1,0x32,0x05,0x8a}, {0xeb,0x75,0xa4,0xf6},
-{0xec,0x39,0x0b,0x83}, {0xef,0xaa,0x40,0x60}, {0x9f,0x06,0x5e,0x71}, {0x10,0x51,0xbd,0x6e},
-{0x8a,0xf9,0x3e,0x21}, {0x06,0x3d,0x96,0xdd}, {0x05,0xae,0xdd,0x3e}, {0xbd,0x46,0x4d,0xe6},
-{0x8d,0xb5,0x91,0x54}, {0x5d,0x05,0x71,0xc4}, {0xd4,0x6f,0x04,0x06}, {0x15,0xff,0x60,0x50},
-{0xfb,0x24,0x19,0x98}, {0xe9,0x97,0xd6,0xbd}, {0x43,0xcc,0x89,0x40}, {0x9e,0x77,0x67,0xd9},
-{0x42,0xbd,0xb0,0xe8}, {0x8b,0x88,0x07,0x89}, {0x5b,0x38,0xe7,0x19}, {0xee,0xdb,0x79,0xc8},
-{0x0a,0x47,0xa1,0x7c}, {0x0f,0xe9,0x7c,0x42}, {0x1e,0xc9,0xf8,0x84}, {0x00,0x00,0x00,0x00},
-{0x86,0x83,0x09,0x80}, {0xed,0x48,0x32,0x2b}, {0x70,0xac,0x1e,0x11}, {0x72,0x4e,0x6c,0x5a},
-{0xff,0xfb,0xfd,0x0e}, {0x38,0x56,0x0f,0x85}, {0xd5,0x1e,0x3d,0xae}, {0x39,0x27,0x36,0x2d},
-{0xd9,0x64,0x0a,0x0f}, {0xa6,0x21,0x68,0x5c}, {0x54,0xd1,0x9b,0x5b}, {0x2e,0x3a,0x24,0x36},
-{0x67,0xb1,0x0c,0x0a}, {0xe7,0x0f,0x93,0x57}, {0x96,0xd2,0xb4,0xee}, {0x91,0x9e,0x1b,0x9b},
-{0xc5,0x4f,0x80,0xc0}, {0x20,0xa2,0x61,0xdc}, {0x4b,0x69,0x5a,0x77}, {0x1a,0x16,0x1c,0x12},
-{0xba,0x0a,0xe2,0x93}, {0x2a,0xe5,0xc0,0xa0}, {0xe0,0x43,0x3c,0x22}, {0x17,0x1d,0x12,0x1b},
-{0x0d,0x0b,0x0e,0x09}, {0xc7,0xad,0xf2,0x8b}, {0xa8,0xb9,0x2d,0xb6}, {0xa9,0xc8,0x14,0x1e},
-{0x19,0x85,0x57,0xf1}, {0x07,0x4c,0xaf,0x75}, {0xdd,0xbb,0xee,0x99}, {0x60,0xfd,0xa3,0x7f},
-{0x26,0x9f,0xf7,0x01}, {0xf5,0xbc,0x5c,0x72}, {0x3b,0xc5,0x44,0x66}, {0x7e,0x34,0x5b,0xfb},
-{0x29,0x76,0x8b,0x43}, {0xc6,0xdc,0xcb,0x23}, {0xfc,0x68,0xb6,0xed}, {0xf1,0x63,0xb8,0xe4},
-{0xdc,0xca,0xd7,0x31}, {0x85,0x10,0x42,0x63}, {0x22,0x40,0x13,0x97}, {0x11,0x20,0x84,0xc6},
-{0x24,0x7d,0x85,0x4a}, {0x3d,0xf8,0xd2,0xbb}, {0x32,0x11,0xae,0xf9}, {0xa1,0x6d,0xc7,0x29},
-{0x2f,0x4b,0x1d,0x9e}, {0x30,0xf3,0xdc,0xb2}, {0x52,0xec,0x0d,0x86}, {0xe3,0xd0,0x77,0xc1},
-{0x16,0x6c,0x2b,0xb3}, {0xb9,0x99,0xa9,0x70}, {0x48,0xfa,0x11,0x94}, {0x64,0x22,0x47,0xe9},
-{0x8c,0xc4,0xa8,0xfc}, {0x3f,0x1a,0xa0,0xf0}, {0x2c,0xd8,0x56,0x7d}, {0x90,0xef,0x22,0x33},
-{0x4e,0xc7,0x87,0x49}, {0xd1,0xc1,0xd9,0x38}, {0xa2,0xfe,0x8c,0xca}, {0x0b,0x36,0x98,0xd4},
-{0x81,0xcf,0xa6,0xf5}, {0xde,0x28,0xa5,0x7a}, {0x8e,0x26,0xda,0xb7}, {0xbf,0xa4,0x3f,0xad},
-{0x9d,0xe4,0x2c,0x3a}, {0x92,0x0d,0x50,0x78}, {0xcc,0x9b,0x6a,0x5f}, {0x46,0x62,0x54,0x7e},
-{0x13,0xc2,0xf6,0x8d}, {0xb8,0xe8,0x90,0xd8}, {0xf7,0x5e,0x2e,0x39}, {0xaf,0xf5,0x82,0xc3},
-{0x80,0xbe,0x9f,0x5d}, {0x93,0x7c,0x69,0xd0}, {0x2d,0xa9,0x6f,0xd5}, {0x12,0xb3,0xcf,0x25},
-{0x99,0x3b,0xc8,0xac}, {0x7d,0xa7,0x10,0x18}, {0x63,0x6e,0xe8,0x9c}, {0xbb,0x7b,0xdb,0x3b},
-{0x78,0x09,0xcd,0x26}, {0x18,0xf4,0x6e,0x59}, {0xb7,0x01,0xec,0x9a}, {0x9a,0xa8,0x83,0x4f},
-{0x6e,0x65,0xe6,0x95}, {0xe6,0x7e,0xaa,0xff}, {0xcf,0x08,0x21,0xbc}, {0xe8,0xe6,0xef,0x15},
-{0x9b,0xd9,0xba,0xe7}, {0x36,0xce,0x4a,0x6f}, {0x09,0xd4,0xea,0x9f}, {0x7c,0xd6,0x29,0xb0},
-{0xb2,0xaf,0x31,0xa4}, {0x23,0x31,0x2a,0x3f}, {0x94,0x30,0xc6,0xa5}, {0x66,0xc0,0x35,0xa2},
-{0xbc,0x37,0x74,0x4e}, {0xca,0xa6,0xfc,0x82}, {0xd0,0xb0,0xe0,0x90}, {0xd8,0x15,0x33,0xa7},
-{0x98,0x4a,0xf1,0x04}, {0xda,0xf7,0x41,0xec}, {0x50,0x0e,0x7f,0xcd}, {0xf6,0x2f,0x17,0x91},
-{0xd6,0x8d,0x76,0x4d}, {0xb0,0x4d,0x43,0xef}, {0x4d,0x54,0xcc,0xaa}, {0x04,0xdf,0xe4,0x96},
-{0xb5,0xe3,0x9e,0xd1}, {0x88,0x1b,0x4c,0x6a}, {0x1f,0xb8,0xc1,0x2c}, {0x51,0x7f,0x46,0x65},
-{0xea,0x04,0x9d,0x5e}, {0x35,0x5d,0x01,0x8c}, {0x74,0x73,0xfa,0x87}, {0x41,0x2e,0xfb,0x0b},
-{0x1d,0x5a,0xb3,0x67}, {0xd2,0x52,0x92,0xdb}, {0x56,0x33,0xe9,0x10}, {0x47,0x13,0x6d,0xd6},
-{0x61,0x8c,0x9a,0xd7}, {0x0c,0x7a,0x37,0xa1}, {0x14,0x8e,0x59,0xf8}, {0x3c,0x89,0xeb,0x13},
-{0x27,0xee,0xce,0xa9}, {0xc9,0x35,0xb7,0x61}, {0xe5,0xed,0xe1,0x1c}, {0xb1,0x3c,0x7a,0x47},
-{0xdf,0x59,0x9c,0xd2}, {0x73,0x3f,0x55,0xf2}, {0xce,0x79,0x18,0x14}, {0x37,0xbf,0x73,0xc7},
-{0xcd,0xea,0x53,0xf7}, {0xaa,0x5b,0x5f,0xfd}, {0x6f,0x14,0xdf,0x3d}, {0xdb,0x86,0x78,0x44},
-{0xf3,0x81,0xca,0xaf}, {0xc4,0x3e,0xb9,0x68}, {0x34,0x2c,0x38,0x24}, {0x40,0x5f,0xc2,0xa3},
-{0xc3,0x72,0x16,0x1d}, {0x25,0x0c,0xbc,0xe2}, {0x49,0x8b,0x28,0x3c}, {0x95,0x41,0xff,0x0d},
-{0x01,0x71,0x39,0xa8}, {0xb3,0xde,0x08,0x0c}, {0xe4,0x9c,0xd8,0xb4}, {0xc1,0x90,0x64,0x56},
-{0x84,0x61,0x7b,0xcb}, {0xb6,0x70,0xd5,0x32}, {0x5c,0x74,0x48,0x6c}, {0x57,0x42,0xd0,0xb8}
- }
-};
-#define T7 xT7.xt8
-
-static const union xtab xT8 = {
- .xt8 = {
-{0xf4,0xa7,0x50,0x51}, {0x41,0x65,0x53,0x7e}, {0x17,0xa4,0xc3,0x1a}, {0x27,0x5e,0x96,0x3a},
-{0xab,0x6b,0xcb,0x3b}, {0x9d,0x45,0xf1,0x1f}, {0xfa,0x58,0xab,0xac}, {0xe3,0x03,0x93,0x4b},
-{0x30,0xfa,0x55,0x20}, {0x76,0x6d,0xf6,0xad}, {0xcc,0x76,0x91,0x88}, {0x02,0x4c,0x25,0xf5},
-{0xe5,0xd7,0xfc,0x4f}, {0x2a,0xcb,0xd7,0xc5}, {0x35,0x44,0x80,0x26}, {0x62,0xa3,0x8f,0xb5},
-{0xb1,0x5a,0x49,0xde}, {0xba,0x1b,0x67,0x25}, {0xea,0x0e,0x98,0x45}, {0xfe,0xc0,0xe1,0x5d},
-{0x2f,0x75,0x02,0xc3}, {0x4c,0xf0,0x12,0x81}, {0x46,0x97,0xa3,0x8d}, {0xd3,0xf9,0xc6,0x6b},
-{0x8f,0x5f,0xe7,0x03}, {0x92,0x9c,0x95,0x15}, {0x6d,0x7a,0xeb,0xbf}, {0x52,0x59,0xda,0x95},
-{0xbe,0x83,0x2d,0xd4}, {0x74,0x21,0xd3,0x58}, {0xe0,0x69,0x29,0x49}, {0xc9,0xc8,0x44,0x8e},
-{0xc2,0x89,0x6a,0x75}, {0x8e,0x79,0x78,0xf4}, {0x58,0x3e,0x6b,0x99}, {0xb9,0x71,0xdd,0x27},
-{0xe1,0x4f,0xb6,0xbe}, {0x88,0xad,0x17,0xf0}, {0x20,0xac,0x66,0xc9}, {0xce,0x3a,0xb4,0x7d},
-{0xdf,0x4a,0x18,0x63}, {0x1a,0x31,0x82,0xe5}, {0x51,0x33,0x60,0x97}, {0x53,0x7f,0x45,0x62},
-{0x64,0x77,0xe0,0xb1}, {0x6b,0xae,0x84,0xbb}, {0x81,0xa0,0x1c,0xfe}, {0x08,0x2b,0x94,0xf9},
-{0x48,0x68,0x58,0x70}, {0x45,0xfd,0x19,0x8f}, {0xde,0x6c,0x87,0x94}, {0x7b,0xf8,0xb7,0x52},
-{0x73,0xd3,0x23,0xab}, {0x4b,0x02,0xe2,0x72}, {0x1f,0x8f,0x57,0xe3}, {0x55,0xab,0x2a,0x66},
-{0xeb,0x28,0x07,0xb2}, {0xb5,0xc2,0x03,0x2f}, {0xc5,0x7b,0x9a,0x86}, {0x37,0x08,0xa5,0xd3},
-{0x28,0x87,0xf2,0x30}, {0xbf,0xa5,0xb2,0x23}, {0x03,0x6a,0xba,0x02}, {0x16,0x82,0x5c,0xed},
-{0xcf,0x1c,0x2b,0x8a}, {0x79,0xb4,0x92,0xa7}, {0x07,0xf2,0xf0,0xf3}, {0x69,0xe2,0xa1,0x4e},
-{0xda,0xf4,0xcd,0x65}, {0x05,0xbe,0xd5,0x06}, {0x34,0x62,0x1f,0xd1}, {0xa6,0xfe,0x8a,0xc4},
-{0x2e,0x53,0x9d,0x34}, {0xf3,0x55,0xa0,0xa2}, {0x8a,0xe1,0x32,0x05}, {0xf6,0xeb,0x75,0xa4},
-{0x83,0xec,0x39,0x0b}, {0x60,0xef,0xaa,0x40}, {0x71,0x9f,0x06,0x5e}, {0x6e,0x10,0x51,0xbd},
-{0x21,0x8a,0xf9,0x3e}, {0xdd,0x06,0x3d,0x96}, {0x3e,0x05,0xae,0xdd}, {0xe6,0xbd,0x46,0x4d},
-{0x54,0x8d,0xb5,0x91}, {0xc4,0x5d,0x05,0x71}, {0x06,0xd4,0x6f,0x04}, {0x50,0x15,0xff,0x60},
-{0x98,0xfb,0x24,0x19}, {0xbd,0xe9,0x97,0xd6}, {0x40,0x43,0xcc,0x89}, {0xd9,0x9e,0x77,0x67},
-{0xe8,0x42,0xbd,0xb0}, {0x89,0x8b,0x88,0x07}, {0x19,0x5b,0x38,0xe7}, {0xc8,0xee,0xdb,0x79},
-{0x7c,0x0a,0x47,0xa1}, {0x42,0x0f,0xe9,0x7c}, {0x84,0x1e,0xc9,0xf8}, {0x00,0x00,0x00,0x00},
-{0x80,0x86,0x83,0x09}, {0x2b,0xed,0x48,0x32}, {0x11,0x70,0xac,0x1e}, {0x5a,0x72,0x4e,0x6c},
-{0x0e,0xff,0xfb,0xfd}, {0x85,0x38,0x56,0x0f}, {0xae,0xd5,0x1e,0x3d}, {0x2d,0x39,0x27,0x36},
-{0x0f,0xd9,0x64,0x0a}, {0x5c,0xa6,0x21,0x68}, {0x5b,0x54,0xd1,0x9b}, {0x36,0x2e,0x3a,0x24},
-{0x0a,0x67,0xb1,0x0c}, {0x57,0xe7,0x0f,0x93}, {0xee,0x96,0xd2,0xb4}, {0x9b,0x91,0x9e,0x1b},
-{0xc0,0xc5,0x4f,0x80}, {0xdc,0x20,0xa2,0x61}, {0x77,0x4b,0x69,0x5a}, {0x12,0x1a,0x16,0x1c},
-{0x93,0xba,0x0a,0xe2}, {0xa0,0x2a,0xe5,0xc0}, {0x22,0xe0,0x43,0x3c}, {0x1b,0x17,0x1d,0x12},
-{0x09,0x0d,0x0b,0x0e}, {0x8b,0xc7,0xad,0xf2}, {0xb6,0xa8,0xb9,0x2d}, {0x1e,0xa9,0xc8,0x14},
-{0xf1,0x19,0x85,0x57}, {0x75,0x07,0x4c,0xaf}, {0x99,0xdd,0xbb,0xee}, {0x7f,0x60,0xfd,0xa3},
-{0x01,0x26,0x9f,0xf7}, {0x72,0xf5,0xbc,0x5c}, {0x66,0x3b,0xc5,0x44}, {0xfb,0x7e,0x34,0x5b},
-{0x43,0x29,0x76,0x8b}, {0x23,0xc6,0xdc,0xcb}, {0xed,0xfc,0x68,0xb6}, {0xe4,0xf1,0x63,0xb8},
-{0x31,0xdc,0xca,0xd7}, {0x63,0x85,0x10,0x42}, {0x97,0x22,0x40,0x13}, {0xc6,0x11,0x20,0x84},
-{0x4a,0x24,0x7d,0x85}, {0xbb,0x3d,0xf8,0xd2}, {0xf9,0x32,0x11,0xae}, {0x29,0xa1,0x6d,0xc7},
-{0x9e,0x2f,0x4b,0x1d}, {0xb2,0x30,0xf3,0xdc}, {0x86,0x52,0xec,0x0d}, {0xc1,0xe3,0xd0,0x77},
-{0xb3,0x16,0x6c,0x2b}, {0x70,0xb9,0x99,0xa9}, {0x94,0x48,0xfa,0x11}, {0xe9,0x64,0x22,0x47},
-{0xfc,0x8c,0xc4,0xa8}, {0xf0,0x3f,0x1a,0xa0}, {0x7d,0x2c,0xd8,0x56}, {0x33,0x90,0xef,0x22},
-{0x49,0x4e,0xc7,0x87}, {0x38,0xd1,0xc1,0xd9}, {0xca,0xa2,0xfe,0x8c}, {0xd4,0x0b,0x36,0x98},
-{0xf5,0x81,0xcf,0xa6}, {0x7a,0xde,0x28,0xa5}, {0xb7,0x8e,0x26,0xda}, {0xad,0xbf,0xa4,0x3f},
-{0x3a,0x9d,0xe4,0x2c}, {0x78,0x92,0x0d,0x50}, {0x5f,0xcc,0x9b,0x6a}, {0x7e,0x46,0x62,0x54},
-{0x8d,0x13,0xc2,0xf6}, {0xd8,0xb8,0xe8,0x90}, {0x39,0xf7,0x5e,0x2e}, {0xc3,0xaf,0xf5,0x82},
-{0x5d,0x80,0xbe,0x9f}, {0xd0,0x93,0x7c,0x69}, {0xd5,0x2d,0xa9,0x6f}, {0x25,0x12,0xb3,0xcf},
-{0xac,0x99,0x3b,0xc8}, {0x18,0x7d,0xa7,0x10}, {0x9c,0x63,0x6e,0xe8}, {0x3b,0xbb,0x7b,0xdb},
-{0x26,0x78,0x09,0xcd}, {0x59,0x18,0xf4,0x6e}, {0x9a,0xb7,0x01,0xec}, {0x4f,0x9a,0xa8,0x83},
-{0x95,0x6e,0x65,0xe6}, {0xff,0xe6,0x7e,0xaa}, {0xbc,0xcf,0x08,0x21}, {0x15,0xe8,0xe6,0xef},
-{0xe7,0x9b,0xd9,0xba}, {0x6f,0x36,0xce,0x4a}, {0x9f,0x09,0xd4,0xea}, {0xb0,0x7c,0xd6,0x29},
-{0xa4,0xb2,0xaf,0x31}, {0x3f,0x23,0x31,0x2a}, {0xa5,0x94,0x30,0xc6}, {0xa2,0x66,0xc0,0x35},
-{0x4e,0xbc,0x37,0x74}, {0x82,0xca,0xa6,0xfc}, {0x90,0xd0,0xb0,0xe0}, {0xa7,0xd8,0x15,0x33},
-{0x04,0x98,0x4a,0xf1}, {0xec,0xda,0xf7,0x41}, {0xcd,0x50,0x0e,0x7f}, {0x91,0xf6,0x2f,0x17},
-{0x4d,0xd6,0x8d,0x76}, {0xef,0xb0,0x4d,0x43}, {0xaa,0x4d,0x54,0xcc}, {0x96,0x04,0xdf,0xe4},
-{0xd1,0xb5,0xe3,0x9e}, {0x6a,0x88,0x1b,0x4c}, {0x2c,0x1f,0xb8,0xc1}, {0x65,0x51,0x7f,0x46},
-{0x5e,0xea,0x04,0x9d}, {0x8c,0x35,0x5d,0x01}, {0x87,0x74,0x73,0xfa}, {0x0b,0x41,0x2e,0xfb},
-{0x67,0x1d,0x5a,0xb3}, {0xdb,0xd2,0x52,0x92}, {0x10,0x56,0x33,0xe9}, {0xd6,0x47,0x13,0x6d},
-{0xd7,0x61,0x8c,0x9a}, {0xa1,0x0c,0x7a,0x37}, {0xf8,0x14,0x8e,0x59}, {0x13,0x3c,0x89,0xeb},
-{0xa9,0x27,0xee,0xce}, {0x61,0xc9,0x35,0xb7}, {0x1c,0xe5,0xed,0xe1}, {0x47,0xb1,0x3c,0x7a},
-{0xd2,0xdf,0x59,0x9c}, {0xf2,0x73,0x3f,0x55}, {0x14,0xce,0x79,0x18}, {0xc7,0x37,0xbf,0x73},
-{0xf7,0xcd,0xea,0x53}, {0xfd,0xaa,0x5b,0x5f}, {0x3d,0x6f,0x14,0xdf}, {0x44,0xdb,0x86,0x78},
-{0xaf,0xf3,0x81,0xca}, {0x68,0xc4,0x3e,0xb9}, {0x24,0x34,0x2c,0x38}, {0xa3,0x40,0x5f,0xc2},
-{0x1d,0xc3,0x72,0x16}, {0xe2,0x25,0x0c,0xbc}, {0x3c,0x49,0x8b,0x28}, {0x0d,0x95,0x41,0xff},
-{0xa8,0x01,0x71,0x39}, {0x0c,0xb3,0xde,0x08}, {0xb4,0xe4,0x9c,0xd8}, {0x56,0xc1,0x90,0x64},
-{0xcb,0x84,0x61,0x7b}, {0x32,0xb6,0x70,0xd5}, {0x6c,0x5c,0x74,0x48}, {0xb8,0x57,0x42,0xd0}
- }
-};
-#define T8 xT8.xt8
-
-static const word8 S5[256] = {
-0x52,0x09,0x6a,0xd5,
-0x30,0x36,0xa5,0x38,
-0xbf,0x40,0xa3,0x9e,
-0x81,0xf3,0xd7,0xfb,
-0x7c,0xe3,0x39,0x82,
-0x9b,0x2f,0xff,0x87,
-0x34,0x8e,0x43,0x44,
-0xc4,0xde,0xe9,0xcb,
-0x54,0x7b,0x94,0x32,
-0xa6,0xc2,0x23,0x3d,
-0xee,0x4c,0x95,0x0b,
-0x42,0xfa,0xc3,0x4e,
-0x08,0x2e,0xa1,0x66,
-0x28,0xd9,0x24,0xb2,
-0x76,0x5b,0xa2,0x49,
-0x6d,0x8b,0xd1,0x25,
-0x72,0xf8,0xf6,0x64,
-0x86,0x68,0x98,0x16,
-0xd4,0xa4,0x5c,0xcc,
-0x5d,0x65,0xb6,0x92,
-0x6c,0x70,0x48,0x50,
-0xfd,0xed,0xb9,0xda,
-0x5e,0x15,0x46,0x57,
-0xa7,0x8d,0x9d,0x84,
-0x90,0xd8,0xab,0x00,
-0x8c,0xbc,0xd3,0x0a,
-0xf7,0xe4,0x58,0x05,
-0xb8,0xb3,0x45,0x06,
-0xd0,0x2c,0x1e,0x8f,
-0xca,0x3f,0x0f,0x02,
-0xc1,0xaf,0xbd,0x03,
-0x01,0x13,0x8a,0x6b,
-0x3a,0x91,0x11,0x41,
-0x4f,0x67,0xdc,0xea,
-0x97,0xf2,0xcf,0xce,
-0xf0,0xb4,0xe6,0x73,
-0x96,0xac,0x74,0x22,
-0xe7,0xad,0x35,0x85,
-0xe2,0xf9,0x37,0xe8,
-0x1c,0x75,0xdf,0x6e,
-0x47,0xf1,0x1a,0x71,
-0x1d,0x29,0xc5,0x89,
-0x6f,0xb7,0x62,0x0e,
-0xaa,0x18,0xbe,0x1b,
-0xfc,0x56,0x3e,0x4b,
-0xc6,0xd2,0x79,0x20,
-0x9a,0xdb,0xc0,0xfe,
-0x78,0xcd,0x5a,0xf4,
-0x1f,0xdd,0xa8,0x33,
-0x88,0x07,0xc7,0x31,
-0xb1,0x12,0x10,0x59,
-0x27,0x80,0xec,0x5f,
-0x60,0x51,0x7f,0xa9,
-0x19,0xb5,0x4a,0x0d,
-0x2d,0xe5,0x7a,0x9f,
-0x93,0xc9,0x9c,0xef,
-0xa0,0xe0,0x3b,0x4d,
-0xae,0x2a,0xf5,0xb0,
-0xc8,0xeb,0xbb,0x3c,
-0x83,0x53,0x99,0x61,
-0x17,0x2b,0x04,0x7e,
-0xba,0x77,0xd6,0x26,
-0xe1,0x69,0x14,0x63,
-0x55,0x21,0x0c,0x7d
-};
-
-static const union xtab xU1 = {
- .xt8 = {
-{0x00,0x00,0x00,0x00}, {0x0e,0x09,0x0d,0x0b}, {0x1c,0x12,0x1a,0x16}, {0x12,0x1b,0x17,0x1d},
-{0x38,0x24,0x34,0x2c}, {0x36,0x2d,0x39,0x27}, {0x24,0x36,0x2e,0x3a}, {0x2a,0x3f,0x23,0x31},
-{0x70,0x48,0x68,0x58}, {0x7e,0x41,0x65,0x53}, {0x6c,0x5a,0x72,0x4e}, {0x62,0x53,0x7f,0x45},
-{0x48,0x6c,0x5c,0x74}, {0x46,0x65,0x51,0x7f}, {0x54,0x7e,0x46,0x62}, {0x5a,0x77,0x4b,0x69},
-{0xe0,0x90,0xd0,0xb0}, {0xee,0x99,0xdd,0xbb}, {0xfc,0x82,0xca,0xa6}, {0xf2,0x8b,0xc7,0xad},
-{0xd8,0xb4,0xe4,0x9c}, {0xd6,0xbd,0xe9,0x97}, {0xc4,0xa6,0xfe,0x8a}, {0xca,0xaf,0xf3,0x81},
-{0x90,0xd8,0xb8,0xe8}, {0x9e,0xd1,0xb5,0xe3}, {0x8c,0xca,0xa2,0xfe}, {0x82,0xc3,0xaf,0xf5},
-{0xa8,0xfc,0x8c,0xc4}, {0xa6,0xf5,0x81,0xcf}, {0xb4,0xee,0x96,0xd2}, {0xba,0xe7,0x9b,0xd9},
-{0xdb,0x3b,0xbb,0x7b}, {0xd5,0x32,0xb6,0x70}, {0xc7,0x29,0xa1,0x6d}, {0xc9,0x20,0xac,0x66},
-{0xe3,0x1f,0x8f,0x57}, {0xed,0x16,0x82,0x5c}, {0xff,0x0d,0x95,0x41}, {0xf1,0x04,0x98,0x4a},
-{0xab,0x73,0xd3,0x23}, {0xa5,0x7a,0xde,0x28}, {0xb7,0x61,0xc9,0x35}, {0xb9,0x68,0xc4,0x3e},
-{0x93,0x57,0xe7,0x0f}, {0x9d,0x5e,0xea,0x04}, {0x8f,0x45,0xfd,0x19}, {0x81,0x4c,0xf0,0x12},
-{0x3b,0xab,0x6b,0xcb}, {0x35,0xa2,0x66,0xc0}, {0x27,0xb9,0x71,0xdd}, {0x29,0xb0,0x7c,0xd6},
-{0x03,0x8f,0x5f,0xe7}, {0x0d,0x86,0x52,0xec}, {0x1f,0x9d,0x45,0xf1}, {0x11,0x94,0x48,0xfa},
-{0x4b,0xe3,0x03,0x93}, {0x45,0xea,0x0e,0x98}, {0x57,0xf1,0x19,0x85}, {0x59,0xf8,0x14,0x8e},
-{0x73,0xc7,0x37,0xbf}, {0x7d,0xce,0x3a,0xb4}, {0x6f,0xd5,0x2d,0xa9}, {0x61,0xdc,0x20,0xa2},
-{0xad,0x76,0x6d,0xf6}, {0xa3,0x7f,0x60,0xfd}, {0xb1,0x64,0x77,0xe0}, {0xbf,0x6d,0x7a,0xeb},
-{0x95,0x52,0x59,0xda}, {0x9b,0x5b,0x54,0xd1}, {0x89,0x40,0x43,0xcc}, {0x87,0x49,0x4e,0xc7},
-{0xdd,0x3e,0x05,0xae}, {0xd3,0x37,0x08,0xa5}, {0xc1,0x2c,0x1f,0xb8}, {0xcf,0x25,0x12,0xb3},
-{0xe5,0x1a,0x31,0x82}, {0xeb,0x13,0x3c,0x89}, {0xf9,0x08,0x2b,0x94}, {0xf7,0x01,0x26,0x9f},
-{0x4d,0xe6,0xbd,0x46}, {0x43,0xef,0xb0,0x4d}, {0x51,0xf4,0xa7,0x50}, {0x5f,0xfd,0xaa,0x5b},
-{0x75,0xc2,0x89,0x6a}, {0x7b,0xcb,0x84,0x61}, {0x69,0xd0,0x93,0x7c}, {0x67,0xd9,0x9e,0x77},
-{0x3d,0xae,0xd5,0x1e}, {0x33,0xa7,0xd8,0x15}, {0x21,0xbc,0xcf,0x08}, {0x2f,0xb5,0xc2,0x03},
-{0x05,0x8a,0xe1,0x32}, {0x0b,0x83,0xec,0x39}, {0x19,0x98,0xfb,0x24}, {0x17,0x91,0xf6,0x2f},
-{0x76,0x4d,0xd6,0x8d}, {0x78,0x44,0xdb,0x86}, {0x6a,0x5f,0xcc,0x9b}, {0x64,0x56,0xc1,0x90},
-{0x4e,0x69,0xe2,0xa1}, {0x40,0x60,0xef,0xaa}, {0x52,0x7b,0xf8,0xb7}, {0x5c,0x72,0xf5,0xbc},
-{0x06,0x05,0xbe,0xd5}, {0x08,0x0c,0xb3,0xde}, {0x1a,0x17,0xa4,0xc3}, {0x14,0x1e,0xa9,0xc8},
-{0x3e,0x21,0x8a,0xf9}, {0x30,0x28,0x87,0xf2}, {0x22,0x33,0x90,0xef}, {0x2c,0x3a,0x9d,0xe4},
-{0x96,0xdd,0x06,0x3d}, {0x98,0xd4,0x0b,0x36}, {0x8a,0xcf,0x1c,0x2b}, {0x84,0xc6,0x11,0x20},
-{0xae,0xf9,0x32,0x11}, {0xa0,0xf0,0x3f,0x1a}, {0xb2,0xeb,0x28,0x07}, {0xbc,0xe2,0x25,0x0c},
-{0xe6,0x95,0x6e,0x65}, {0xe8,0x9c,0x63,0x6e}, {0xfa,0x87,0x74,0x73}, {0xf4,0x8e,0x79,0x78},
-{0xde,0xb1,0x5a,0x49}, {0xd0,0xb8,0x57,0x42}, {0xc2,0xa3,0x40,0x5f}, {0xcc,0xaa,0x4d,0x54},
-{0x41,0xec,0xda,0xf7}, {0x4f,0xe5,0xd7,0xfc}, {0x5d,0xfe,0xc0,0xe1}, {0x53,0xf7,0xcd,0xea},
-{0x79,0xc8,0xee,0xdb}, {0x77,0xc1,0xe3,0xd0}, {0x65,0xda,0xf4,0xcd}, {0x6b,0xd3,0xf9,0xc6},
-{0x31,0xa4,0xb2,0xaf}, {0x3f,0xad,0xbf,0xa4}, {0x2d,0xb6,0xa8,0xb9}, {0x23,0xbf,0xa5,0xb2},
-{0x09,0x80,0x86,0x83}, {0x07,0x89,0x8b,0x88}, {0x15,0x92,0x9c,0x95}, {0x1b,0x9b,0x91,0x9e},
-{0xa1,0x7c,0x0a,0x47}, {0xaf,0x75,0x07,0x4c}, {0xbd,0x6e,0x10,0x51}, {0xb3,0x67,0x1d,0x5a},
-{0x99,0x58,0x3e,0x6b}, {0x97,0x51,0x33,0x60}, {0x85,0x4a,0x24,0x7d}, {0x8b,0x43,0x29,0x76},
-{0xd1,0x34,0x62,0x1f}, {0xdf,0x3d,0x6f,0x14}, {0xcd,0x26,0x78,0x09}, {0xc3,0x2f,0x75,0x02},
-{0xe9,0x10,0x56,0x33}, {0xe7,0x19,0x5b,0x38}, {0xf5,0x02,0x4c,0x25}, {0xfb,0x0b,0x41,0x2e},
-{0x9a,0xd7,0x61,0x8c}, {0x94,0xde,0x6c,0x87}, {0x86,0xc5,0x7b,0x9a}, {0x88,0xcc,0x76,0x91},
-{0xa2,0xf3,0x55,0xa0}, {0xac,0xfa,0x58,0xab}, {0xbe,0xe1,0x4f,0xb6}, {0xb0,0xe8,0x42,0xbd},
-{0xea,0x9f,0x09,0xd4}, {0xe4,0x96,0x04,0xdf}, {0xf6,0x8d,0x13,0xc2}, {0xf8,0x84,0x1e,0xc9},
-{0xd2,0xbb,0x3d,0xf8}, {0xdc,0xb2,0x30,0xf3}, {0xce,0xa9,0x27,0xee}, {0xc0,0xa0,0x2a,0xe5},
-{0x7a,0x47,0xb1,0x3c}, {0x74,0x4e,0xbc,0x37}, {0x66,0x55,0xab,0x2a}, {0x68,0x5c,0xa6,0x21},
-{0x42,0x63,0x85,0x10}, {0x4c,0x6a,0x88,0x1b}, {0x5e,0x71,0x9f,0x06}, {0x50,0x78,0x92,0x0d},
-{0x0a,0x0f,0xd9,0x64}, {0x04,0x06,0xd4,0x6f}, {0x16,0x1d,0xc3,0x72}, {0x18,0x14,0xce,0x79},
-{0x32,0x2b,0xed,0x48}, {0x3c,0x22,0xe0,0x43}, {0x2e,0x39,0xf7,0x5e}, {0x20,0x30,0xfa,0x55},
-{0xec,0x9a,0xb7,0x01}, {0xe2,0x93,0xba,0x0a}, {0xf0,0x88,0xad,0x17}, {0xfe,0x81,0xa0,0x1c},
-{0xd4,0xbe,0x83,0x2d}, {0xda,0xb7,0x8e,0x26}, {0xc8,0xac,0x99,0x3b}, {0xc6,0xa5,0x94,0x30},
-{0x9c,0xd2,0xdf,0x59}, {0x92,0xdb,0xd2,0x52}, {0x80,0xc0,0xc5,0x4f}, {0x8e,0xc9,0xc8,0x44},
-{0xa4,0xf6,0xeb,0x75}, {0xaa,0xff,0xe6,0x7e}, {0xb8,0xe4,0xf1,0x63}, {0xb6,0xed,0xfc,0x68},
-{0x0c,0x0a,0x67,0xb1}, {0x02,0x03,0x6a,0xba}, {0x10,0x18,0x7d,0xa7}, {0x1e,0x11,0x70,0xac},
-{0x34,0x2e,0x53,0x9d}, {0x3a,0x27,0x5e,0x96}, {0x28,0x3c,0x49,0x8b}, {0x26,0x35,0x44,0x80},
-{0x7c,0x42,0x0f,0xe9}, {0x72,0x4b,0x02,0xe2}, {0x60,0x50,0x15,0xff}, {0x6e,0x59,0x18,0xf4},
-{0x44,0x66,0x3b,0xc5}, {0x4a,0x6f,0x36,0xce}, {0x58,0x74,0x21,0xd3}, {0x56,0x7d,0x2c,0xd8},
-{0x37,0xa1,0x0c,0x7a}, {0x39,0xa8,0x01,0x71}, {0x2b,0xb3,0x16,0x6c}, {0x25,0xba,0x1b,0x67},
-{0x0f,0x85,0x38,0x56}, {0x01,0x8c,0x35,0x5d}, {0x13,0x97,0x22,0x40}, {0x1d,0x9e,0x2f,0x4b},
-{0x47,0xe9,0x64,0x22}, {0x49,0xe0,0x69,0x29}, {0x5b,0xfb,0x7e,0x34}, {0x55,0xf2,0x73,0x3f},
-{0x7f,0xcd,0x50,0x0e}, {0x71,0xc4,0x5d,0x05}, {0x63,0xdf,0x4a,0x18}, {0x6d,0xd6,0x47,0x13},
-{0xd7,0x31,0xdc,0xca}, {0xd9,0x38,0xd1,0xc1}, {0xcb,0x23,0xc6,0xdc}, {0xc5,0x2a,0xcb,0xd7},
-{0xef,0x15,0xe8,0xe6}, {0xe1,0x1c,0xe5,0xed}, {0xf3,0x07,0xf2,0xf0}, {0xfd,0x0e,0xff,0xfb},
-{0xa7,0x79,0xb4,0x92}, {0xa9,0x70,0xb9,0x99}, {0xbb,0x6b,0xae,0x84}, {0xb5,0x62,0xa3,0x8f},
-{0x9f,0x5d,0x80,0xbe}, {0x91,0x54,0x8d,0xb5}, {0x83,0x4f,0x9a,0xa8}, {0x8d,0x46,0x97,0xa3}
- }
-};
-#define U1 xU1.xt8
-
-static const union xtab xU2 = {
- .xt8 = {
-{0x00,0x00,0x00,0x00}, {0x0b,0x0e,0x09,0x0d}, {0x16,0x1c,0x12,0x1a}, {0x1d,0x12,0x1b,0x17},
-{0x2c,0x38,0x24,0x34}, {0x27,0x36,0x2d,0x39}, {0x3a,0x24,0x36,0x2e}, {0x31,0x2a,0x3f,0x23},
-{0x58,0x70,0x48,0x68}, {0x53,0x7e,0x41,0x65}, {0x4e,0x6c,0x5a,0x72}, {0x45,0x62,0x53,0x7f},
-{0x74,0x48,0x6c,0x5c}, {0x7f,0x46,0x65,0x51}, {0x62,0x54,0x7e,0x46}, {0x69,0x5a,0x77,0x4b},
-{0xb0,0xe0,0x90,0xd0}, {0xbb,0xee,0x99,0xdd}, {0xa6,0xfc,0x82,0xca}, {0xad,0xf2,0x8b,0xc7},
-{0x9c,0xd8,0xb4,0xe4}, {0x97,0xd6,0xbd,0xe9}, {0x8a,0xc4,0xa6,0xfe}, {0x81,0xca,0xaf,0xf3},
-{0xe8,0x90,0xd8,0xb8}, {0xe3,0x9e,0xd1,0xb5}, {0xfe,0x8c,0xca,0xa2}, {0xf5,0x82,0xc3,0xaf},
-{0xc4,0xa8,0xfc,0x8c}, {0xcf,0xa6,0xf5,0x81}, {0xd2,0xb4,0xee,0x96}, {0xd9,0xba,0xe7,0x9b},
-{0x7b,0xdb,0x3b,0xbb}, {0x70,0xd5,0x32,0xb6}, {0x6d,0xc7,0x29,0xa1}, {0x66,0xc9,0x20,0xac},
-{0x57,0xe3,0x1f,0x8f}, {0x5c,0xed,0x16,0x82}, {0x41,0xff,0x0d,0x95}, {0x4a,0xf1,0x04,0x98},
-{0x23,0xab,0x73,0xd3}, {0x28,0xa5,0x7a,0xde}, {0x35,0xb7,0x61,0xc9}, {0x3e,0xb9,0x68,0xc4},
-{0x0f,0x93,0x57,0xe7}, {0x04,0x9d,0x5e,0xea}, {0x19,0x8f,0x45,0xfd}, {0x12,0x81,0x4c,0xf0},
-{0xcb,0x3b,0xab,0x6b}, {0xc0,0x35,0xa2,0x66}, {0xdd,0x27,0xb9,0x71}, {0xd6,0x29,0xb0,0x7c},
-{0xe7,0x03,0x8f,0x5f}, {0xec,0x0d,0x86,0x52}, {0xf1,0x1f,0x9d,0x45}, {0xfa,0x11,0x94,0x48},
-{0x93,0x4b,0xe3,0x03}, {0x98,0x45,0xea,0x0e}, {0x85,0x57,0xf1,0x19}, {0x8e,0x59,0xf8,0x14},
-{0xbf,0x73,0xc7,0x37}, {0xb4,0x7d,0xce,0x3a}, {0xa9,0x6f,0xd5,0x2d}, {0xa2,0x61,0xdc,0x20},
-{0xf6,0xad,0x76,0x6d}, {0xfd,0xa3,0x7f,0x60}, {0xe0,0xb1,0x64,0x77}, {0xeb,0xbf,0x6d,0x7a},
-{0xda,0x95,0x52,0x59}, {0xd1,0x9b,0x5b,0x54}, {0xcc,0x89,0x40,0x43}, {0xc7,0x87,0x49,0x4e},
-{0xae,0xdd,0x3e,0x05}, {0xa5,0xd3,0x37,0x08}, {0xb8,0xc1,0x2c,0x1f}, {0xb3,0xcf,0x25,0x12},
-{0x82,0xe5,0x1a,0x31}, {0x89,0xeb,0x13,0x3c}, {0x94,0xf9,0x08,0x2b}, {0x9f,0xf7,0x01,0x26},
-{0x46,0x4d,0xe6,0xbd}, {0x4d,0x43,0xef,0xb0}, {0x50,0x51,0xf4,0xa7}, {0x5b,0x5f,0xfd,0xaa},
-{0x6a,0x75,0xc2,0x89}, {0x61,0x7b,0xcb,0x84}, {0x7c,0x69,0xd0,0x93}, {0x77,0x67,0xd9,0x9e},
-{0x1e,0x3d,0xae,0xd5}, {0x15,0x33,0xa7,0xd8}, {0x08,0x21,0xbc,0xcf}, {0x03,0x2f,0xb5,0xc2},
-{0x32,0x05,0x8a,0xe1}, {0x39,0x0b,0x83,0xec}, {0x24,0x19,0x98,0xfb}, {0x2f,0x17,0x91,0xf6},
-{0x8d,0x76,0x4d,0xd6}, {0x86,0x78,0x44,0xdb}, {0x9b,0x6a,0x5f,0xcc}, {0x90,0x64,0x56,0xc1},
-{0xa1,0x4e,0x69,0xe2}, {0xaa,0x40,0x60,0xef}, {0xb7,0x52,0x7b,0xf8}, {0xbc,0x5c,0x72,0xf5},
-{0xd5,0x06,0x05,0xbe}, {0xde,0x08,0x0c,0xb3}, {0xc3,0x1a,0x17,0xa4}, {0xc8,0x14,0x1e,0xa9},
-{0xf9,0x3e,0x21,0x8a}, {0xf2,0x30,0x28,0x87}, {0xef,0x22,0x33,0x90}, {0xe4,0x2c,0x3a,0x9d},
-{0x3d,0x96,0xdd,0x06}, {0x36,0x98,0xd4,0x0b}, {0x2b,0x8a,0xcf,0x1c}, {0x20,0x84,0xc6,0x11},
-{0x11,0xae,0xf9,0x32}, {0x1a,0xa0,0xf0,0x3f}, {0x07,0xb2,0xeb,0x28}, {0x0c,0xbc,0xe2,0x25},
-{0x65,0xe6,0x95,0x6e}, {0x6e,0xe8,0x9c,0x63}, {0x73,0xfa,0x87,0x74}, {0x78,0xf4,0x8e,0x79},
-{0x49,0xde,0xb1,0x5a}, {0x42,0xd0,0xb8,0x57}, {0x5f,0xc2,0xa3,0x40}, {0x54,0xcc,0xaa,0x4d},
-{0xf7,0x41,0xec,0xda}, {0xfc,0x4f,0xe5,0xd7}, {0xe1,0x5d,0xfe,0xc0}, {0xea,0x53,0xf7,0xcd},
-{0xdb,0x79,0xc8,0xee}, {0xd0,0x77,0xc1,0xe3}, {0xcd,0x65,0xda,0xf4}, {0xc6,0x6b,0xd3,0xf9},
-{0xaf,0x31,0xa4,0xb2}, {0xa4,0x3f,0xad,0xbf}, {0xb9,0x2d,0xb6,0xa8}, {0xb2,0x23,0xbf,0xa5},
-{0x83,0x09,0x80,0x86}, {0x88,0x07,0x89,0x8b}, {0x95,0x15,0x92,0x9c}, {0x9e,0x1b,0x9b,0x91},
-{0x47,0xa1,0x7c,0x0a}, {0x4c,0xaf,0x75,0x07}, {0x51,0xbd,0x6e,0x10}, {0x5a,0xb3,0x67,0x1d},
-{0x6b,0x99,0x58,0x3e}, {0x60,0x97,0x51,0x33}, {0x7d,0x85,0x4a,0x24}, {0x76,0x8b,0x43,0x29},
-{0x1f,0xd1,0x34,0x62}, {0x14,0xdf,0x3d,0x6f}, {0x09,0xcd,0x26,0x78}, {0x02,0xc3,0x2f,0x75},
-{0x33,0xe9,0x10,0x56}, {0x38,0xe7,0x19,0x5b}, {0x25,0xf5,0x02,0x4c}, {0x2e,0xfb,0x0b,0x41},
-{0x8c,0x9a,0xd7,0x61}, {0x87,0x94,0xde,0x6c}, {0x9a,0x86,0xc5,0x7b}, {0x91,0x88,0xcc,0x76},
-{0xa0,0xa2,0xf3,0x55}, {0xab,0xac,0xfa,0x58}, {0xb6,0xbe,0xe1,0x4f}, {0xbd,0xb0,0xe8,0x42},
-{0xd4,0xea,0x9f,0x09}, {0xdf,0xe4,0x96,0x04}, {0xc2,0xf6,0x8d,0x13}, {0xc9,0xf8,0x84,0x1e},
-{0xf8,0xd2,0xbb,0x3d}, {0xf3,0xdc,0xb2,0x30}, {0xee,0xce,0xa9,0x27}, {0xe5,0xc0,0xa0,0x2a},
-{0x3c,0x7a,0x47,0xb1}, {0x37,0x74,0x4e,0xbc}, {0x2a,0x66,0x55,0xab}, {0x21,0x68,0x5c,0xa6},
-{0x10,0x42,0x63,0x85}, {0x1b,0x4c,0x6a,0x88}, {0x06,0x5e,0x71,0x9f}, {0x0d,0x50,0x78,0x92},
-{0x64,0x0a,0x0f,0xd9}, {0x6f,0x04,0x06,0xd4}, {0x72,0x16,0x1d,0xc3}, {0x79,0x18,0x14,0xce},
-{0x48,0x32,0x2b,0xed}, {0x43,0x3c,0x22,0xe0}, {0x5e,0x2e,0x39,0xf7}, {0x55,0x20,0x30,0xfa},
-{0x01,0xec,0x9a,0xb7}, {0x0a,0xe2,0x93,0xba}, {0x17,0xf0,0x88,0xad}, {0x1c,0xfe,0x81,0xa0},
-{0x2d,0xd4,0xbe,0x83}, {0x26,0xda,0xb7,0x8e}, {0x3b,0xc8,0xac,0x99}, {0x30,0xc6,0xa5,0x94},
-{0x59,0x9c,0xd2,0xdf}, {0x52,0x92,0xdb,0xd2}, {0x4f,0x80,0xc0,0xc5}, {0x44,0x8e,0xc9,0xc8},
-{0x75,0xa4,0xf6,0xeb}, {0x7e,0xaa,0xff,0xe6}, {0x63,0xb8,0xe4,0xf1}, {0x68,0xb6,0xed,0xfc},
-{0xb1,0x0c,0x0a,0x67}, {0xba,0x02,0x03,0x6a}, {0xa7,0x10,0x18,0x7d}, {0xac,0x1e,0x11,0x70},
-{0x9d,0x34,0x2e,0x53}, {0x96,0x3a,0x27,0x5e}, {0x8b,0x28,0x3c,0x49}, {0x80,0x26,0x35,0x44},
-{0xe9,0x7c,0x42,0x0f}, {0xe2,0x72,0x4b,0x02}, {0xff,0x60,0x50,0x15}, {0xf4,0x6e,0x59,0x18},
-{0xc5,0x44,0x66,0x3b}, {0xce,0x4a,0x6f,0x36}, {0xd3,0x58,0x74,0x21}, {0xd8,0x56,0x7d,0x2c},
-{0x7a,0x37,0xa1,0x0c}, {0x71,0x39,0xa8,0x01}, {0x6c,0x2b,0xb3,0x16}, {0x67,0x25,0xba,0x1b},
-{0x56,0x0f,0x85,0x38}, {0x5d,0x01,0x8c,0x35}, {0x40,0x13,0x97,0x22}, {0x4b,0x1d,0x9e,0x2f},
-{0x22,0x47,0xe9,0x64}, {0x29,0x49,0xe0,0x69}, {0x34,0x5b,0xfb,0x7e}, {0x3f,0x55,0xf2,0x73},
-{0x0e,0x7f,0xcd,0x50}, {0x05,0x71,0xc4,0x5d}, {0x18,0x63,0xdf,0x4a}, {0x13,0x6d,0xd6,0x47},
-{0xca,0xd7,0x31,0xdc}, {0xc1,0xd9,0x38,0xd1}, {0xdc,0xcb,0x23,0xc6}, {0xd7,0xc5,0x2a,0xcb},
-{0xe6,0xef,0x15,0xe8}, {0xed,0xe1,0x1c,0xe5}, {0xf0,0xf3,0x07,0xf2}, {0xfb,0xfd,0x0e,0xff},
-{0x92,0xa7,0x79,0xb4}, {0x99,0xa9,0x70,0xb9}, {0x84,0xbb,0x6b,0xae}, {0x8f,0xb5,0x62,0xa3},
-{0xbe,0x9f,0x5d,0x80}, {0xb5,0x91,0x54,0x8d}, {0xa8,0x83,0x4f,0x9a}, {0xa3,0x8d,0x46,0x97}
- }
-};
-#define U2 xU2.xt8
-
-static const union xtab xU3 = {
- .xt8 = {
-{0x00,0x00,0x00,0x00}, {0x0d,0x0b,0x0e,0x09}, {0x1a,0x16,0x1c,0x12}, {0x17,0x1d,0x12,0x1b},
-{0x34,0x2c,0x38,0x24}, {0x39,0x27,0x36,0x2d}, {0x2e,0x3a,0x24,0x36}, {0x23,0x31,0x2a,0x3f},
-{0x68,0x58,0x70,0x48}, {0x65,0x53,0x7e,0x41}, {0x72,0x4e,0x6c,0x5a}, {0x7f,0x45,0x62,0x53},
-{0x5c,0x74,0x48,0x6c}, {0x51,0x7f,0x46,0x65}, {0x46,0x62,0x54,0x7e}, {0x4b,0x69,0x5a,0x77},
-{0xd0,0xb0,0xe0,0x90}, {0xdd,0xbb,0xee,0x99}, {0xca,0xa6,0xfc,0x82}, {0xc7,0xad,0xf2,0x8b},
-{0xe4,0x9c,0xd8,0xb4}, {0xe9,0x97,0xd6,0xbd}, {0xfe,0x8a,0xc4,0xa6}, {0xf3,0x81,0xca,0xaf},
-{0xb8,0xe8,0x90,0xd8}, {0xb5,0xe3,0x9e,0xd1}, {0xa2,0xfe,0x8c,0xca}, {0xaf,0xf5,0x82,0xc3},
-{0x8c,0xc4,0xa8,0xfc}, {0x81,0xcf,0xa6,0xf5}, {0x96,0xd2,0xb4,0xee}, {0x9b,0xd9,0xba,0xe7},
-{0xbb,0x7b,0xdb,0x3b}, {0xb6,0x70,0xd5,0x32}, {0xa1,0x6d,0xc7,0x29}, {0xac,0x66,0xc9,0x20},
-{0x8f,0x57,0xe3,0x1f}, {0x82,0x5c,0xed,0x16}, {0x95,0x41,0xff,0x0d}, {0x98,0x4a,0xf1,0x04},
-{0xd3,0x23,0xab,0x73}, {0xde,0x28,0xa5,0x7a}, {0xc9,0x35,0xb7,0x61}, {0xc4,0x3e,0xb9,0x68},
-{0xe7,0x0f,0x93,0x57}, {0xea,0x04,0x9d,0x5e}, {0xfd,0x19,0x8f,0x45}, {0xf0,0x12,0x81,0x4c},
-{0x6b,0xcb,0x3b,0xab}, {0x66,0xc0,0x35,0xa2}, {0x71,0xdd,0x27,0xb9}, {0x7c,0xd6,0x29,0xb0},
-{0x5f,0xe7,0x03,0x8f}, {0x52,0xec,0x0d,0x86}, {0x45,0xf1,0x1f,0x9d}, {0x48,0xfa,0x11,0x94},
-{0x03,0x93,0x4b,0xe3}, {0x0e,0x98,0x45,0xea}, {0x19,0x85,0x57,0xf1}, {0x14,0x8e,0x59,0xf8},
-{0x37,0xbf,0x73,0xc7}, {0x3a,0xb4,0x7d,0xce}, {0x2d,0xa9,0x6f,0xd5}, {0x20,0xa2,0x61,0xdc},
-{0x6d,0xf6,0xad,0x76}, {0x60,0xfd,0xa3,0x7f}, {0x77,0xe0,0xb1,0x64}, {0x7a,0xeb,0xbf,0x6d},
-{0x59,0xda,0x95,0x52}, {0x54,0xd1,0x9b,0x5b}, {0x43,0xcc,0x89,0x40}, {0x4e,0xc7,0x87,0x49},
-{0x05,0xae,0xdd,0x3e}, {0x08,0xa5,0xd3,0x37}, {0x1f,0xb8,0xc1,0x2c}, {0x12,0xb3,0xcf,0x25},
-{0x31,0x82,0xe5,0x1a}, {0x3c,0x89,0xeb,0x13}, {0x2b,0x94,0xf9,0x08}, {0x26,0x9f,0xf7,0x01},
-{0xbd,0x46,0x4d,0xe6}, {0xb0,0x4d,0x43,0xef}, {0xa7,0x50,0x51,0xf4}, {0xaa,0x5b,0x5f,0xfd},
-{0x89,0x6a,0x75,0xc2}, {0x84,0x61,0x7b,0xcb}, {0x93,0x7c,0x69,0xd0}, {0x9e,0x77,0x67,0xd9},
-{0xd5,0x1e,0x3d,0xae}, {0xd8,0x15,0x33,0xa7}, {0xcf,0x08,0x21,0xbc}, {0xc2,0x03,0x2f,0xb5},
-{0xe1,0x32,0x05,0x8a}, {0xec,0x39,0x0b,0x83}, {0xfb,0x24,0x19,0x98}, {0xf6,0x2f,0x17,0x91},
-{0xd6,0x8d,0x76,0x4d}, {0xdb,0x86,0x78,0x44}, {0xcc,0x9b,0x6a,0x5f}, {0xc1,0x90,0x64,0x56},
-{0xe2,0xa1,0x4e,0x69}, {0xef,0xaa,0x40,0x60}, {0xf8,0xb7,0x52,0x7b}, {0xf5,0xbc,0x5c,0x72},
-{0xbe,0xd5,0x06,0x05}, {0xb3,0xde,0x08,0x0c}, {0xa4,0xc3,0x1a,0x17}, {0xa9,0xc8,0x14,0x1e},
-{0x8a,0xf9,0x3e,0x21}, {0x87,0xf2,0x30,0x28}, {0x90,0xef,0x22,0x33}, {0x9d,0xe4,0x2c,0x3a},
-{0x06,0x3d,0x96,0xdd}, {0x0b,0x36,0x98,0xd4}, {0x1c,0x2b,0x8a,0xcf}, {0x11,0x20,0x84,0xc6},
-{0x32,0x11,0xae,0xf9}, {0x3f,0x1a,0xa0,0xf0}, {0x28,0x07,0xb2,0xeb}, {0x25,0x0c,0xbc,0xe2},
-{0x6e,0x65,0xe6,0x95}, {0x63,0x6e,0xe8,0x9c}, {0x74,0x73,0xfa,0x87}, {0x79,0x78,0xf4,0x8e},
-{0x5a,0x49,0xde,0xb1}, {0x57,0x42,0xd0,0xb8}, {0x40,0x5f,0xc2,0xa3}, {0x4d,0x54,0xcc,0xaa},
-{0xda,0xf7,0x41,0xec}, {0xd7,0xfc,0x4f,0xe5}, {0xc0,0xe1,0x5d,0xfe}, {0xcd,0xea,0x53,0xf7},
-{0xee,0xdb,0x79,0xc8}, {0xe3,0xd0,0x77,0xc1}, {0xf4,0xcd,0x65,0xda}, {0xf9,0xc6,0x6b,0xd3},
-{0xb2,0xaf,0x31,0xa4}, {0xbf,0xa4,0x3f,0xad}, {0xa8,0xb9,0x2d,0xb6}, {0xa5,0xb2,0x23,0xbf},
-{0x86,0x83,0x09,0x80}, {0x8b,0x88,0x07,0x89}, {0x9c,0x95,0x15,0x92}, {0x91,0x9e,0x1b,0x9b},
-{0x0a,0x47,0xa1,0x7c}, {0x07,0x4c,0xaf,0x75}, {0x10,0x51,0xbd,0x6e}, {0x1d,0x5a,0xb3,0x67},
-{0x3e,0x6b,0x99,0x58}, {0x33,0x60,0x97,0x51}, {0x24,0x7d,0x85,0x4a}, {0x29,0x76,0x8b,0x43},
-{0x62,0x1f,0xd1,0x34}, {0x6f,0x14,0xdf,0x3d}, {0x78,0x09,0xcd,0x26}, {0x75,0x02,0xc3,0x2f},
-{0x56,0x33,0xe9,0x10}, {0x5b,0x38,0xe7,0x19}, {0x4c,0x25,0xf5,0x02}, {0x41,0x2e,0xfb,0x0b},
-{0x61,0x8c,0x9a,0xd7}, {0x6c,0x87,0x94,0xde}, {0x7b,0x9a,0x86,0xc5}, {0x76,0x91,0x88,0xcc},
-{0x55,0xa0,0xa2,0xf3}, {0x58,0xab,0xac,0xfa}, {0x4f,0xb6,0xbe,0xe1}, {0x42,0xbd,0xb0,0xe8},
-{0x09,0xd4,0xea,0x9f}, {0x04,0xdf,0xe4,0x96}, {0x13,0xc2,0xf6,0x8d}, {0x1e,0xc9,0xf8,0x84},
-{0x3d,0xf8,0xd2,0xbb}, {0x30,0xf3,0xdc,0xb2}, {0x27,0xee,0xce,0xa9}, {0x2a,0xe5,0xc0,0xa0},
-{0xb1,0x3c,0x7a,0x47}, {0xbc,0x37,0x74,0x4e}, {0xab,0x2a,0x66,0x55}, {0xa6,0x21,0x68,0x5c},
-{0x85,0x10,0x42,0x63}, {0x88,0x1b,0x4c,0x6a}, {0x9f,0x06,0x5e,0x71}, {0x92,0x0d,0x50,0x78},
-{0xd9,0x64,0x0a,0x0f}, {0xd4,0x6f,0x04,0x06}, {0xc3,0x72,0x16,0x1d}, {0xce,0x79,0x18,0x14},
-{0xed,0x48,0x32,0x2b}, {0xe0,0x43,0x3c,0x22}, {0xf7,0x5e,0x2e,0x39}, {0xfa,0x55,0x20,0x30},
-{0xb7,0x01,0xec,0x9a}, {0xba,0x0a,0xe2,0x93}, {0xad,0x17,0xf0,0x88}, {0xa0,0x1c,0xfe,0x81},
-{0x83,0x2d,0xd4,0xbe}, {0x8e,0x26,0xda,0xb7}, {0x99,0x3b,0xc8,0xac}, {0x94,0x30,0xc6,0xa5},
-{0xdf,0x59,0x9c,0xd2}, {0xd2,0x52,0x92,0xdb}, {0xc5,0x4f,0x80,0xc0}, {0xc8,0x44,0x8e,0xc9},
-{0xeb,0x75,0xa4,0xf6}, {0xe6,0x7e,0xaa,0xff}, {0xf1,0x63,0xb8,0xe4}, {0xfc,0x68,0xb6,0xed},
-{0x67,0xb1,0x0c,0x0a}, {0x6a,0xba,0x02,0x03}, {0x7d,0xa7,0x10,0x18}, {0x70,0xac,0x1e,0x11},
-{0x53,0x9d,0x34,0x2e}, {0x5e,0x96,0x3a,0x27}, {0x49,0x8b,0x28,0x3c}, {0x44,0x80,0x26,0x35},
-{0x0f,0xe9,0x7c,0x42}, {0x02,0xe2,0x72,0x4b}, {0x15,0xff,0x60,0x50}, {0x18,0xf4,0x6e,0x59},
-{0x3b,0xc5,0x44,0x66}, {0x36,0xce,0x4a,0x6f}, {0x21,0xd3,0x58,0x74}, {0x2c,0xd8,0x56,0x7d},
-{0x0c,0x7a,0x37,0xa1}, {0x01,0x71,0x39,0xa8}, {0x16,0x6c,0x2b,0xb3}, {0x1b,0x67,0x25,0xba},
-{0x38,0x56,0x0f,0x85}, {0x35,0x5d,0x01,0x8c}, {0x22,0x40,0x13,0x97}, {0x2f,0x4b,0x1d,0x9e},
-{0x64,0x22,0x47,0xe9}, {0x69,0x29,0x49,0xe0}, {0x7e,0x34,0x5b,0xfb}, {0x73,0x3f,0x55,0xf2},
-{0x50,0x0e,0x7f,0xcd}, {0x5d,0x05,0x71,0xc4}, {0x4a,0x18,0x63,0xdf}, {0x47,0x13,0x6d,0xd6},
-{0xdc,0xca,0xd7,0x31}, {0xd1,0xc1,0xd9,0x38}, {0xc6,0xdc,0xcb,0x23}, {0xcb,0xd7,0xc5,0x2a},
-{0xe8,0xe6,0xef,0x15}, {0xe5,0xed,0xe1,0x1c}, {0xf2,0xf0,0xf3,0x07}, {0xff,0xfb,0xfd,0x0e},
-{0xb4,0x92,0xa7,0x79}, {0xb9,0x99,0xa9,0x70}, {0xae,0x84,0xbb,0x6b}, {0xa3,0x8f,0xb5,0x62},
-{0x80,0xbe,0x9f,0x5d}, {0x8d,0xb5,0x91,0x54}, {0x9a,0xa8,0x83,0x4f}, {0x97,0xa3,0x8d,0x46}
- }
-};
-#define U3 xU3.xt8
-
-static const union xtab xU4 = {
- .xt8 = {
-{0x00,0x00,0x00,0x00}, {0x09,0x0d,0x0b,0x0e}, {0x12,0x1a,0x16,0x1c}, {0x1b,0x17,0x1d,0x12},
-{0x24,0x34,0x2c,0x38}, {0x2d,0x39,0x27,0x36}, {0x36,0x2e,0x3a,0x24}, {0x3f,0x23,0x31,0x2a},
-{0x48,0x68,0x58,0x70}, {0x41,0x65,0x53,0x7e}, {0x5a,0x72,0x4e,0x6c}, {0x53,0x7f,0x45,0x62},
-{0x6c,0x5c,0x74,0x48}, {0x65,0x51,0x7f,0x46}, {0x7e,0x46,0x62,0x54}, {0x77,0x4b,0x69,0x5a},
-{0x90,0xd0,0xb0,0xe0}, {0x99,0xdd,0xbb,0xee}, {0x82,0xca,0xa6,0xfc}, {0x8b,0xc7,0xad,0xf2},
-{0xb4,0xe4,0x9c,0xd8}, {0xbd,0xe9,0x97,0xd6}, {0xa6,0xfe,0x8a,0xc4}, {0xaf,0xf3,0x81,0xca},
-{0xd8,0xb8,0xe8,0x90}, {0xd1,0xb5,0xe3,0x9e}, {0xca,0xa2,0xfe,0x8c}, {0xc3,0xaf,0xf5,0x82},
-{0xfc,0x8c,0xc4,0xa8}, {0xf5,0x81,0xcf,0xa6}, {0xee,0x96,0xd2,0xb4}, {0xe7,0x9b,0xd9,0xba},
-{0x3b,0xbb,0x7b,0xdb}, {0x32,0xb6,0x70,0xd5}, {0x29,0xa1,0x6d,0xc7}, {0x20,0xac,0x66,0xc9},
-{0x1f,0x8f,0x57,0xe3}, {0x16,0x82,0x5c,0xed}, {0x0d,0x95,0x41,0xff}, {0x04,0x98,0x4a,0xf1},
-{0x73,0xd3,0x23,0xab}, {0x7a,0xde,0x28,0xa5}, {0x61,0xc9,0x35,0xb7}, {0x68,0xc4,0x3e,0xb9},
-{0x57,0xe7,0x0f,0x93}, {0x5e,0xea,0x04,0x9d}, {0x45,0xfd,0x19,0x8f}, {0x4c,0xf0,0x12,0x81},
-{0xab,0x6b,0xcb,0x3b}, {0xa2,0x66,0xc0,0x35}, {0xb9,0x71,0xdd,0x27}, {0xb0,0x7c,0xd6,0x29},
-{0x8f,0x5f,0xe7,0x03}, {0x86,0x52,0xec,0x0d}, {0x9d,0x45,0xf1,0x1f}, {0x94,0x48,0xfa,0x11},
-{0xe3,0x03,0x93,0x4b}, {0xea,0x0e,0x98,0x45}, {0xf1,0x19,0x85,0x57}, {0xf8,0x14,0x8e,0x59},
-{0xc7,0x37,0xbf,0x73}, {0xce,0x3a,0xb4,0x7d}, {0xd5,0x2d,0xa9,0x6f}, {0xdc,0x20,0xa2,0x61},
-{0x76,0x6d,0xf6,0xad}, {0x7f,0x60,0xfd,0xa3}, {0x64,0x77,0xe0,0xb1}, {0x6d,0x7a,0xeb,0xbf},
-{0x52,0x59,0xda,0x95}, {0x5b,0x54,0xd1,0x9b}, {0x40,0x43,0xcc,0x89}, {0x49,0x4e,0xc7,0x87},
-{0x3e,0x05,0xae,0xdd}, {0x37,0x08,0xa5,0xd3}, {0x2c,0x1f,0xb8,0xc1}, {0x25,0x12,0xb3,0xcf},
-{0x1a,0x31,0x82,0xe5}, {0x13,0x3c,0x89,0xeb}, {0x08,0x2b,0x94,0xf9}, {0x01,0x26,0x9f,0xf7},
-{0xe6,0xbd,0x46,0x4d}, {0xef,0xb0,0x4d,0x43}, {0xf4,0xa7,0x50,0x51}, {0xfd,0xaa,0x5b,0x5f},
-{0xc2,0x89,0x6a,0x75}, {0xcb,0x84,0x61,0x7b}, {0xd0,0x93,0x7c,0x69}, {0xd9,0x9e,0x77,0x67},
-{0xae,0xd5,0x1e,0x3d}, {0xa7,0xd8,0x15,0x33}, {0xbc,0xcf,0x08,0x21}, {0xb5,0xc2,0x03,0x2f},
-{0x8a,0xe1,0x32,0x05}, {0x83,0xec,0x39,0x0b}, {0x98,0xfb,0x24,0x19}, {0x91,0xf6,0x2f,0x17},
-{0x4d,0xd6,0x8d,0x76}, {0x44,0xdb,0x86,0x78}, {0x5f,0xcc,0x9b,0x6a}, {0x56,0xc1,0x90,0x64},
-{0x69,0xe2,0xa1,0x4e}, {0x60,0xef,0xaa,0x40}, {0x7b,0xf8,0xb7,0x52}, {0x72,0xf5,0xbc,0x5c},
-{0x05,0xbe,0xd5,0x06}, {0x0c,0xb3,0xde,0x08}, {0x17,0xa4,0xc3,0x1a}, {0x1e,0xa9,0xc8,0x14},
-{0x21,0x8a,0xf9,0x3e}, {0x28,0x87,0xf2,0x30}, {0x33,0x90,0xef,0x22}, {0x3a,0x9d,0xe4,0x2c},
-{0xdd,0x06,0x3d,0x96}, {0xd4,0x0b,0x36,0x98}, {0xcf,0x1c,0x2b,0x8a}, {0xc6,0x11,0x20,0x84},
-{0xf9,0x32,0x11,0xae}, {0xf0,0x3f,0x1a,0xa0}, {0xeb,0x28,0x07,0xb2}, {0xe2,0x25,0x0c,0xbc},
-{0x95,0x6e,0x65,0xe6}, {0x9c,0x63,0x6e,0xe8}, {0x87,0x74,0x73,0xfa}, {0x8e,0x79,0x78,0xf4},
-{0xb1,0x5a,0x49,0xde}, {0xb8,0x57,0x42,0xd0}, {0xa3,0x40,0x5f,0xc2}, {0xaa,0x4d,0x54,0xcc},
-{0xec,0xda,0xf7,0x41}, {0xe5,0xd7,0xfc,0x4f}, {0xfe,0xc0,0xe1,0x5d}, {0xf7,0xcd,0xea,0x53},
-{0xc8,0xee,0xdb,0x79}, {0xc1,0xe3,0xd0,0x77}, {0xda,0xf4,0xcd,0x65}, {0xd3,0xf9,0xc6,0x6b},
-{0xa4,0xb2,0xaf,0x31}, {0xad,0xbf,0xa4,0x3f}, {0xb6,0xa8,0xb9,0x2d}, {0xbf,0xa5,0xb2,0x23},
-{0x80,0x86,0x83,0x09}, {0x89,0x8b,0x88,0x07}, {0x92,0x9c,0x95,0x15}, {0x9b,0x91,0x9e,0x1b},
-{0x7c,0x0a,0x47,0xa1}, {0x75,0x07,0x4c,0xaf}, {0x6e,0x10,0x51,0xbd}, {0x67,0x1d,0x5a,0xb3},
-{0x58,0x3e,0x6b,0x99}, {0x51,0x33,0x60,0x97}, {0x4a,0x24,0x7d,0x85}, {0x43,0x29,0x76,0x8b},
-{0x34,0x62,0x1f,0xd1}, {0x3d,0x6f,0x14,0xdf}, {0x26,0x78,0x09,0xcd}, {0x2f,0x75,0x02,0xc3},
-{0x10,0x56,0x33,0xe9}, {0x19,0x5b,0x38,0xe7}, {0x02,0x4c,0x25,0xf5}, {0x0b,0x41,0x2e,0xfb},
-{0xd7,0x61,0x8c,0x9a}, {0xde,0x6c,0x87,0x94}, {0xc5,0x7b,0x9a,0x86}, {0xcc,0x76,0x91,0x88},
-{0xf3,0x55,0xa0,0xa2}, {0xfa,0x58,0xab,0xac}, {0xe1,0x4f,0xb6,0xbe}, {0xe8,0x42,0xbd,0xb0},
-{0x9f,0x09,0xd4,0xea}, {0x96,0x04,0xdf,0xe4}, {0x8d,0x13,0xc2,0xf6}, {0x84,0x1e,0xc9,0xf8},
-{0xbb,0x3d,0xf8,0xd2}, {0xb2,0x30,0xf3,0xdc}, {0xa9,0x27,0xee,0xce}, {0xa0,0x2a,0xe5,0xc0},
-{0x47,0xb1,0x3c,0x7a}, {0x4e,0xbc,0x37,0x74}, {0x55,0xab,0x2a,0x66}, {0x5c,0xa6,0x21,0x68},
-{0x63,0x85,0x10,0x42}, {0x6a,0x88,0x1b,0x4c}, {0x71,0x9f,0x06,0x5e}, {0x78,0x92,0x0d,0x50},
-{0x0f,0xd9,0x64,0x0a}, {0x06,0xd4,0x6f,0x04}, {0x1d,0xc3,0x72,0x16}, {0x14,0xce,0x79,0x18},
-{0x2b,0xed,0x48,0x32}, {0x22,0xe0,0x43,0x3c}, {0x39,0xf7,0x5e,0x2e}, {0x30,0xfa,0x55,0x20},
-{0x9a,0xb7,0x01,0xec}, {0x93,0xba,0x0a,0xe2}, {0x88,0xad,0x17,0xf0}, {0x81,0xa0,0x1c,0xfe},
-{0xbe,0x83,0x2d,0xd4}, {0xb7,0x8e,0x26,0xda}, {0xac,0x99,0x3b,0xc8}, {0xa5,0x94,0x30,0xc6},
-{0xd2,0xdf,0x59,0x9c}, {0xdb,0xd2,0x52,0x92}, {0xc0,0xc5,0x4f,0x80}, {0xc9,0xc8,0x44,0x8e},
-{0xf6,0xeb,0x75,0xa4}, {0xff,0xe6,0x7e,0xaa}, {0xe4,0xf1,0x63,0xb8}, {0xed,0xfc,0x68,0xb6},
-{0x0a,0x67,0xb1,0x0c}, {0x03,0x6a,0xba,0x02}, {0x18,0x7d,0xa7,0x10}, {0x11,0x70,0xac,0x1e},
-{0x2e,0x53,0x9d,0x34}, {0x27,0x5e,0x96,0x3a}, {0x3c,0x49,0x8b,0x28}, {0x35,0x44,0x80,0x26},
-{0x42,0x0f,0xe9,0x7c}, {0x4b,0x02,0xe2,0x72}, {0x50,0x15,0xff,0x60}, {0x59,0x18,0xf4,0x6e},
-{0x66,0x3b,0xc5,0x44}, {0x6f,0x36,0xce,0x4a}, {0x74,0x21,0xd3,0x58}, {0x7d,0x2c,0xd8,0x56},
-{0xa1,0x0c,0x7a,0x37}, {0xa8,0x01,0x71,0x39}, {0xb3,0x16,0x6c,0x2b}, {0xba,0x1b,0x67,0x25},
-{0x85,0x38,0x56,0x0f}, {0x8c,0x35,0x5d,0x01}, {0x97,0x22,0x40,0x13}, {0x9e,0x2f,0x4b,0x1d},
-{0xe9,0x64,0x22,0x47}, {0xe0,0x69,0x29,0x49}, {0xfb,0x7e,0x34,0x5b}, {0xf2,0x73,0x3f,0x55},
-{0xcd,0x50,0x0e,0x7f}, {0xc4,0x5d,0x05,0x71}, {0xdf,0x4a,0x18,0x63}, {0xd6,0x47,0x13,0x6d},
-{0x31,0xdc,0xca,0xd7}, {0x38,0xd1,0xc1,0xd9}, {0x23,0xc6,0xdc,0xcb}, {0x2a,0xcb,0xd7,0xc5},
-{0x15,0xe8,0xe6,0xef}, {0x1c,0xe5,0xed,0xe1}, {0x07,0xf2,0xf0,0xf3}, {0x0e,0xff,0xfb,0xfd},
-{0x79,0xb4,0x92,0xa7}, {0x70,0xb9,0x99,0xa9}, {0x6b,0xae,0x84,0xbb}, {0x62,0xa3,0x8f,0xb5},
-{0x5d,0x80,0xbe,0x9f}, {0x54,0x8d,0xb5,0x91}, {0x4f,0x9a,0xa8,0x83}, {0x46,0x97,0xa3,0x8d}
- }
-};
-#define U4 xU4.xt8
-
-static const word32 rcon[30] = {
- 0x01,0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91
-};
diff --git a/src/racoon/missing/crypto/rijndael/rijndael-alg-fst.c b/src/racoon/missing/crypto/rijndael/rijndael-alg-fst.c
deleted file mode 100644
index 7e48d44..0000000
--- a/src/racoon/missing/crypto/rijndael/rijndael-alg-fst.c
+++ /dev/null
@@ -1,496 +0,0 @@
-/* $NetBSD: rijndael-alg-fst.c,v 1.4 2006/09/09 16:22:36 manu Exp $ */
-
-/* $KAME: rijndael-alg-fst.c,v 1.1.1.1 2001/08/08 09:56:23 sakane Exp $ */
-
-/*
- * rijndael-alg-fst.c v2.3 April '2000
- *
- * Optimised ANSI C code
- *
- * authors: v1.0: Antoon Bosselaers
- * v2.0: Vincent Rijmen
- * v2.3: Paulo Barreto
- *
- * This code is placed in the public domain.
- */
-
-#include "config.h"
-
-#include <sys/cdefs.h>
-#include <sys/types.h>
-#ifdef _KERNEL
-#include <sys/systm.h>
-#else
-#include <string.h>
-#endif
-#include <crypto/rijndael/rijndael-alg-fst.h>
-#include <crypto/rijndael/rijndael_local.h>
-
-#include <crypto/rijndael/boxes-fst.dat>
-
-#include <err.h>
-#define bcopy(a, b, c) memcpy((b), (a), (c))
-#define bzero(a, b) memset((a), 0, (b))
-#define panic(a) err(1, (a))
-
-int rijndaelKeySched(word8 k[MAXKC][4], word8 W[MAXROUNDS+1][4][4], int ROUNDS) {
- /* Calculate the necessary round keys
- * The number of calculations depends on keyBits and blockBits
- */
- int j, r, t, rconpointer = 0;
- union {
- word8 x8[MAXKC][4];
- word32 x32[MAXKC];
- } xtk;
-#define tk xtk.x8
- int KC = ROUNDS - 6;
-
- for (j = KC-1; j >= 0; j--) {
- *((word32*)tk[j]) = *((word32*)k[j]);
- }
- r = 0;
- t = 0;
- /* copy values into round key array */
- for (j = 0; (j < KC) && (r < ROUNDS + 1); ) {
- for (; (j < KC) && (t < 4); j++, t++) {
- *((word32*)W[r][t]) = *((word32*)tk[j]);
- }
- if (t == 4) {
- r++;
- t = 0;
- }
- }
-
- while (r < ROUNDS + 1) { /* while not enough round key material calculated */
- /* calculate new values */
- tk[0][0] ^= S[tk[KC-1][1]];
- tk[0][1] ^= S[tk[KC-1][2]];
- tk[0][2] ^= S[tk[KC-1][3]];
- tk[0][3] ^= S[tk[KC-1][0]];
- tk[0][0] ^= rcon[rconpointer++];
-
- if (KC != 8) {
- for (j = 1; j < KC; j++) {
- *((word32*)tk[j]) ^= *((word32*)tk[j-1]);
- }
- } else {
- for (j = 1; j < KC/2; j++) {
- *((word32*)tk[j]) ^= *((word32*)tk[j-1]);
- }
- tk[KC/2][0] ^= S[tk[KC/2 - 1][0]];
- tk[KC/2][1] ^= S[tk[KC/2 - 1][1]];
- tk[KC/2][2] ^= S[tk[KC/2 - 1][2]];
- tk[KC/2][3] ^= S[tk[KC/2 - 1][3]];
- for (j = KC/2 + 1; j < KC; j++) {
- *((word32*)tk[j]) ^= *((word32*)tk[j-1]);
- }
- }
- /* copy values into round key array */
- for (j = 0; (j < KC) && (r < ROUNDS + 1); ) {
- for (; (j < KC) && (t < 4); j++, t++) {
- *((word32*)W[r][t]) = *((word32*)tk[j]);
- }
- if (t == 4) {
- r++;
- t = 0;
- }
- }
- }
- return 0;
-#undef tk
-}
-
-int rijndaelKeyEncToDec(word8 W[MAXROUNDS+1][4][4], int ROUNDS) {
- int r;
- word8 *w;
-
- for (r = 1; r < ROUNDS; r++) {
- w = W[r][0];
- *((word32*)w) =
- *((const word32*)U1[w[0]])
- ^ *((const word32*)U2[w[1]])
- ^ *((const word32*)U3[w[2]])
- ^ *((const word32*)U4[w[3]]);
-
- w = W[r][1];
- *((word32*)w) =
- *((const word32*)U1[w[0]])
- ^ *((const word32*)U2[w[1]])
- ^ *((const word32*)U3[w[2]])
- ^ *((const word32*)U4[w[3]]);
-
- w = W[r][2];
- *((word32*)w) =
- *((const word32*)U1[w[0]])
- ^ *((const word32*)U2[w[1]])
- ^ *((const word32*)U3[w[2]])
- ^ *((const word32*)U4[w[3]]);
-
- w = W[r][3];
- *((word32*)w) =
- *((const word32*)U1[w[0]])
- ^ *((const word32*)U2[w[1]])
- ^ *((const word32*)U3[w[2]])
- ^ *((const word32*)U4[w[3]]);
- }
- return 0;
-}
-
-/**
- * Encrypt a single block.
- */
-int rijndaelEncrypt(word8 in[16], word8 out[16], word8 rk[MAXROUNDS+1][4][4], int ROUNDS) {
- int r;
- union {
- word8 x8[16];
- word32 x32[4];
- } xa, xb;
-#define a xa.x8
-#define b xb.x8
- union {
- word8 x8[4][4];
- word32 x32[4];
- } xtemp;
-#define temp xtemp.x8
-
- memcpy(a, in, sizeof a);
-
- *((word32*)temp[0]) = *((word32*)(a )) ^ *((word32*)rk[0][0]);
- *((word32*)temp[1]) = *((word32*)(a+ 4)) ^ *((word32*)rk[0][1]);
- *((word32*)temp[2]) = *((word32*)(a+ 8)) ^ *((word32*)rk[0][2]);
- *((word32*)temp[3]) = *((word32*)(a+12)) ^ *((word32*)rk[0][3]);
- *((word32*)(b )) = *((const word32*)T1[temp[0][0]])
- ^ *((const word32*)T2[temp[1][1]])
- ^ *((const word32*)T3[temp[2][2]])
- ^ *((const word32*)T4[temp[3][3]]);
- *((word32*)(b + 4)) = *((const word32*)T1[temp[1][0]])
- ^ *((const word32*)T2[temp[2][1]])
- ^ *((const word32*)T3[temp[3][2]])
- ^ *((const word32*)T4[temp[0][3]]);
- *((word32*)(b + 8)) = *((const word32*)T1[temp[2][0]])
- ^ *((const word32*)T2[temp[3][1]])
- ^ *((const word32*)T3[temp[0][2]])
- ^ *((const word32*)T4[temp[1][3]]);
- *((word32*)(b +12)) = *((const word32*)T1[temp[3][0]])
- ^ *((const word32*)T2[temp[0][1]])
- ^ *((const word32*)T3[temp[1][2]])
- ^ *((const word32*)T4[temp[2][3]]);
- for (r = 1; r < ROUNDS-1; r++) {
- *((word32*)temp[0]) = *((word32*)(b )) ^ *((word32*)rk[r][0]);
- *((word32*)temp[1]) = *((word32*)(b+ 4)) ^ *((word32*)rk[r][1]);
- *((word32*)temp[2]) = *((word32*)(b+ 8)) ^ *((word32*)rk[r][2]);
- *((word32*)temp[3]) = *((word32*)(b+12)) ^ *((word32*)rk[r][3]);
-
- *((word32*)(b )) = *((const word32*)T1[temp[0][0]])
- ^ *((const word32*)T2[temp[1][1]])
- ^ *((const word32*)T3[temp[2][2]])
- ^ *((const word32*)T4[temp[3][3]]);
- *((word32*)(b + 4)) = *((const word32*)T1[temp[1][0]])
- ^ *((const word32*)T2[temp[2][1]])
- ^ *((const word32*)T3[temp[3][2]])
- ^ *((const word32*)T4[temp[0][3]]);
- *((word32*)(b + 8)) = *((const word32*)T1[temp[2][0]])
- ^ *((const word32*)T2[temp[3][1]])
- ^ *((const word32*)T3[temp[0][2]])
- ^ *((const word32*)T4[temp[1][3]]);
- *((word32*)(b +12)) = *((const word32*)T1[temp[3][0]])
- ^ *((const word32*)T2[temp[0][1]])
- ^ *((const word32*)T3[temp[1][2]])
- ^ *((const word32*)T4[temp[2][3]]);
- }
- /* last round is special */
- *((word32*)temp[0]) = *((word32*)(b )) ^ *((word32*)rk[ROUNDS-1][0]);
- *((word32*)temp[1]) = *((word32*)(b+ 4)) ^ *((word32*)rk[ROUNDS-1][1]);
- *((word32*)temp[2]) = *((word32*)(b+ 8)) ^ *((word32*)rk[ROUNDS-1][2]);
- *((word32*)temp[3]) = *((word32*)(b+12)) ^ *((word32*)rk[ROUNDS-1][3]);
- b[ 0] = T1[temp[0][0]][1];
- b[ 1] = T1[temp[1][1]][1];
- b[ 2] = T1[temp[2][2]][1];
- b[ 3] = T1[temp[3][3]][1];
- b[ 4] = T1[temp[1][0]][1];
- b[ 5] = T1[temp[2][1]][1];
- b[ 6] = T1[temp[3][2]][1];
- b[ 7] = T1[temp[0][3]][1];
- b[ 8] = T1[temp[2][0]][1];
- b[ 9] = T1[temp[3][1]][1];
- b[10] = T1[temp[0][2]][1];
- b[11] = T1[temp[1][3]][1];
- b[12] = T1[temp[3][0]][1];
- b[13] = T1[temp[0][1]][1];
- b[14] = T1[temp[1][2]][1];
- b[15] = T1[temp[2][3]][1];
- *((word32*)(b )) ^= *((word32*)rk[ROUNDS][0]);
- *((word32*)(b+ 4)) ^= *((word32*)rk[ROUNDS][1]);
- *((word32*)(b+ 8)) ^= *((word32*)rk[ROUNDS][2]);
- *((word32*)(b+12)) ^= *((word32*)rk[ROUNDS][3]);
-
- memcpy(out, b, sizeof b /* XXX out */);
-
- return 0;
-#undef a
-#undef b
-#undef temp
-}
-
-#ifdef INTERMEDIATE_VALUE_KAT
-/**
- * Encrypt only a certain number of rounds.
- * Only used in the Intermediate Value Known Answer Test.
- */
-int rijndaelEncryptRound(word8 a[4][4], word8 rk[MAXROUNDS+1][4][4], int ROUNDS, int rounds) {
- int r;
- word8 temp[4][4];
-
- /* make number of rounds sane */
- if (rounds > ROUNDS) {
- rounds = ROUNDS;
- }
-
- *((word32*)a[0]) = *((word32*)a[0]) ^ *((word32*)rk[0][0]);
- *((word32*)a[1]) = *((word32*)a[1]) ^ *((word32*)rk[0][1]);
- *((word32*)a[2]) = *((word32*)a[2]) ^ *((word32*)rk[0][2]);
- *((word32*)a[3]) = *((word32*)a[3]) ^ *((word32*)rk[0][3]);
-
- for (r = 1; (r <= rounds) && (r < ROUNDS); r++) {
- *((word32*)temp[0]) = *((const word32*)T1[a[0][0]])
- ^ *((const word32*)T2[a[1][1]])
- ^ *((const word32*)T3[a[2][2]])
- ^ *((const word32*)T4[a[3][3]]);
- *((word32*)temp[1]) = *((const word32*)T1[a[1][0]])
- ^ *((const word32*)T2[a[2][1]])
- ^ *((const word32*)T3[a[3][2]])
- ^ *((const word32*)T4[a[0][3]]);
- *((word32*)temp[2]) = *((const word32*)T1[a[2][0]])
- ^ *((const word32*)T2[a[3][1]])
- ^ *((const word32*)T3[a[0][2]])
- ^ *((const word32*)T4[a[1][3]]);
- *((word32*)temp[3]) = *((const word32*)T1[a[3][0]])
- ^ *((const word32*)T2[a[0][1]])
- ^ *((const word32*)T3[a[1][2]])
- ^ *((const word32*)T4[a[2][3]]);
- *((word32*)a[0]) = *((word32*)temp[0]) ^ *((word32*)rk[r][0]);
- *((word32*)a[1]) = *((word32*)temp[1]) ^ *((word32*)rk[r][1]);
- *((word32*)a[2]) = *((word32*)temp[2]) ^ *((word32*)rk[r][2]);
- *((word32*)a[3]) = *((word32*)temp[3]) ^ *((word32*)rk[r][3]);
- }
- if (rounds == ROUNDS) {
- /* last round is special */
- temp[0][0] = T1[a[0][0]][1];
- temp[0][1] = T1[a[1][1]][1];
- temp[0][2] = T1[a[2][2]][1];
- temp[0][3] = T1[a[3][3]][1];
- temp[1][0] = T1[a[1][0]][1];
- temp[1][1] = T1[a[2][1]][1];
- temp[1][2] = T1[a[3][2]][1];
- temp[1][3] = T1[a[0][3]][1];
- temp[2][0] = T1[a[2][0]][1];
- temp[2][1] = T1[a[3][1]][1];
- temp[2][2] = T1[a[0][2]][1];
- temp[2][3] = T1[a[1][3]][1];
- temp[3][0] = T1[a[3][0]][1];
- temp[3][1] = T1[a[0][1]][1];
- temp[3][2] = T1[a[1][2]][1];
- temp[3][3] = T1[a[2][3]][1];
- *((word32*)a[0]) = *((word32*)temp[0]) ^ *((word32*)rk[ROUNDS][0]);
- *((word32*)a[1]) = *((word32*)temp[1]) ^ *((word32*)rk[ROUNDS][1]);
- *((word32*)a[2]) = *((word32*)temp[2]) ^ *((word32*)rk[ROUNDS][2]);
- *((word32*)a[3]) = *((word32*)temp[3]) ^ *((word32*)rk[ROUNDS][3]);
- }
-
- return 0;
-}
-#endif /* INTERMEDIATE_VALUE_KAT */
-
-/**
- * Decrypt a single block.
- */
-int rijndaelDecrypt(word8 in[16], word8 out[16], word8 rk[MAXROUNDS+1][4][4], int ROUNDS) {
- int r;
- union {
- word8 x8[16];
- word32 x32[4];
- } xa, xb;
-#define a xa.x8
-#define b xb.x8
- union {
- word8 x8[4][4];
- word32 x32[4];
- } xtemp;
-#define temp xtemp.x8
-
- memcpy(a, in, sizeof a);
-
- *((word32*)temp[0]) = *((word32*)(a )) ^ *((word32*)rk[ROUNDS][0]);
- *((word32*)temp[1]) = *((word32*)(a+ 4)) ^ *((word32*)rk[ROUNDS][1]);
- *((word32*)temp[2]) = *((word32*)(a+ 8)) ^ *((word32*)rk[ROUNDS][2]);
- *((word32*)temp[3]) = *((word32*)(a+12)) ^ *((word32*)rk[ROUNDS][3]);
-
- *((word32*)(b )) = *((const word32*)T5[temp[0][0]])
- ^ *((const word32*)T6[temp[3][1]])
- ^ *((const word32*)T7[temp[2][2]])
- ^ *((const word32*)T8[temp[1][3]]);
- *((word32*)(b+ 4)) = *((const word32*)T5[temp[1][0]])
- ^ *((const word32*)T6[temp[0][1]])
- ^ *((const word32*)T7[temp[3][2]])
- ^ *((const word32*)T8[temp[2][3]]);
- *((word32*)(b+ 8)) = *((const word32*)T5[temp[2][0]])
- ^ *((const word32*)T6[temp[1][1]])
- ^ *((const word32*)T7[temp[0][2]])
- ^ *((const word32*)T8[temp[3][3]]);
- *((word32*)(b+12)) = *((const word32*)T5[temp[3][0]])
- ^ *((const word32*)T6[temp[2][1]])
- ^ *((const word32*)T7[temp[1][2]])
- ^ *((const word32*)T8[temp[0][3]]);
- for (r = ROUNDS-1; r > 1; r--) {
- *((word32*)temp[0]) = *((word32*)(b )) ^ *((word32*)rk[r][0]);
- *((word32*)temp[1]) = *((word32*)(b+ 4)) ^ *((word32*)rk[r][1]);
- *((word32*)temp[2]) = *((word32*)(b+ 8)) ^ *((word32*)rk[r][2]);
- *((word32*)temp[3]) = *((word32*)(b+12)) ^ *((word32*)rk[r][3]);
- *((word32*)(b )) = *((const word32*)T5[temp[0][0]])
- ^ *((const word32*)T6[temp[3][1]])
- ^ *((const word32*)T7[temp[2][2]])
- ^ *((const word32*)T8[temp[1][3]]);
- *((word32*)(b+ 4)) = *((const word32*)T5[temp[1][0]])
- ^ *((const word32*)T6[temp[0][1]])
- ^ *((const word32*)T7[temp[3][2]])
- ^ *((const word32*)T8[temp[2][3]]);
- *((word32*)(b+ 8)) = *((const word32*)T5[temp[2][0]])
- ^ *((const word32*)T6[temp[1][1]])
- ^ *((const word32*)T7[temp[0][2]])
- ^ *((const word32*)T8[temp[3][3]]);
- *((word32*)(b+12)) = *((const word32*)T5[temp[3][0]])
- ^ *((const word32*)T6[temp[2][1]])
- ^ *((const word32*)T7[temp[1][2]])
- ^ *((const word32*)T8[temp[0][3]]);
- }
- /* last round is special */
- *((word32*)temp[0]) = *((word32*)(b )) ^ *((word32*)rk[1][0]);
- *((word32*)temp[1]) = *((word32*)(b+ 4)) ^ *((word32*)rk[1][1]);
- *((word32*)temp[2]) = *((word32*)(b+ 8)) ^ *((word32*)rk[1][2]);
- *((word32*)temp[3]) = *((word32*)(b+12)) ^ *((word32*)rk[1][3]);
- b[ 0] = S5[temp[0][0]];
- b[ 1] = S5[temp[3][1]];
- b[ 2] = S5[temp[2][2]];
- b[ 3] = S5[temp[1][3]];
- b[ 4] = S5[temp[1][0]];
- b[ 5] = S5[temp[0][1]];
- b[ 6] = S5[temp[3][2]];
- b[ 7] = S5[temp[2][3]];
- b[ 8] = S5[temp[2][0]];
- b[ 9] = S5[temp[1][1]];
- b[10] = S5[temp[0][2]];
- b[11] = S5[temp[3][3]];
- b[12] = S5[temp[3][0]];
- b[13] = S5[temp[2][1]];
- b[14] = S5[temp[1][2]];
- b[15] = S5[temp[0][3]];
- *((word32*)(b )) ^= *((word32*)rk[0][0]);
- *((word32*)(b+ 4)) ^= *((word32*)rk[0][1]);
- *((word32*)(b+ 8)) ^= *((word32*)rk[0][2]);
- *((word32*)(b+12)) ^= *((word32*)rk[0][3]);
-
- memcpy(out, b, sizeof b /* XXX out */);
-
- return 0;
-#undef a
-#undef b
-#undef temp
-}
-
-
-#ifdef INTERMEDIATE_VALUE_KAT
-/**
- * Decrypt only a certain number of rounds.
- * Only used in the Intermediate Value Known Answer Test.
- * Operations rearranged such that the intermediate values
- * of decryption correspond with the intermediate values
- * of encryption.
- */
-int rijndaelDecryptRound(word8 a[4][4], word8 rk[MAXROUNDS+1][4][4], int ROUNDS, int rounds) {
- int r, i;
- word8 temp[4], shift;
-
- /* make number of rounds sane */
- if (rounds > ROUNDS) {
- rounds = ROUNDS;
- }
- /* first round is special: */
- *(word32 *)a[0] ^= *(word32 *)rk[ROUNDS][0];
- *(word32 *)a[1] ^= *(word32 *)rk[ROUNDS][1];
- *(word32 *)a[2] ^= *(word32 *)rk[ROUNDS][2];
- *(word32 *)a[3] ^= *(word32 *)rk[ROUNDS][3];
- for (i = 0; i < 4; i++) {
- a[i][0] = Si[a[i][0]];
- a[i][1] = Si[a[i][1]];
- a[i][2] = Si[a[i][2]];
- a[i][3] = Si[a[i][3]];
- }
- for (i = 1; i < 4; i++) {
- shift = (4 - i) & 3;
- temp[0] = a[(0 + shift) & 3][i];
- temp[1] = a[(1 + shift) & 3][i];
- temp[2] = a[(2 + shift) & 3][i];
- temp[3] = a[(3 + shift) & 3][i];
- a[0][i] = temp[0];
- a[1][i] = temp[1];
- a[2][i] = temp[2];
- a[3][i] = temp[3];
- }
- /* ROUNDS-1 ordinary rounds */
- for (r = ROUNDS-1; r > rounds; r--) {
- *(word32 *)a[0] ^= *(word32 *)rk[r][0];
- *(word32 *)a[1] ^= *(word32 *)rk[r][1];
- *(word32 *)a[2] ^= *(word32 *)rk[r][2];
- *(word32 *)a[3] ^= *(word32 *)rk[r][3];
-
- *((word32*)a[0]) =
- *((const word32*)U1[a[0][0]])
- ^ *((const word32*)U2[a[0][1]])
- ^ *((const word32*)U3[a[0][2]])
- ^ *((const word32*)U4[a[0][3]]);
-
- *((word32*)a[1]) =
- *((const word32*)U1[a[1][0]])
- ^ *((const word32*)U2[a[1][1]])
- ^ *((const word32*)U3[a[1][2]])
- ^ *((const word32*)U4[a[1][3]]);
-
- *((word32*)a[2]) =
- *((const word32*)U1[a[2][0]])
- ^ *((const word32*)U2[a[2][1]])
- ^ *((const word32*)U3[a[2][2]])
- ^ *((const word32*)U4[a[2][3]]);
-
- *((word32*)a[3]) =
- *((const word32*)U1[a[3][0]])
- ^ *((const word32*)U2[a[3][1]])
- ^ *((const word32*)U3[a[3][2]])
- ^ *((const word32*)U4[a[3][3]]);
- for (i = 0; i < 4; i++) {
- a[i][0] = Si[a[i][0]];
- a[i][1] = Si[a[i][1]];
- a[i][2] = Si[a[i][2]];
- a[i][3] = Si[a[i][3]];
- }
- for (i = 1; i < 4; i++) {
- shift = (4 - i) & 3;
- temp[0] = a[(0 + shift) & 3][i];
- temp[1] = a[(1 + shift) & 3][i];
- temp[2] = a[(2 + shift) & 3][i];
- temp[3] = a[(3 + shift) & 3][i];
- a[0][i] = temp[0];
- a[1][i] = temp[1];
- a[2][i] = temp[2];
- a[3][i] = temp[3];
- }
- }
- if (rounds == 0) {
- /* End with the extra key addition */
- *(word32 *)a[0] ^= *(word32 *)rk[0][0];
- *(word32 *)a[1] ^= *(word32 *)rk[0][1];
- *(word32 *)a[2] ^= *(word32 *)rk[0][2];
- *(word32 *)a[3] ^= *(word32 *)rk[0][3];
- }
- return 0;
-}
-#endif /* INTERMEDIATE_VALUE_KAT */
diff --git a/src/racoon/missing/crypto/rijndael/rijndael-alg-fst.h b/src/racoon/missing/crypto/rijndael/rijndael-alg-fst.h
deleted file mode 100644
index 4afeca1..0000000
--- a/src/racoon/missing/crypto/rijndael/rijndael-alg-fst.h
+++ /dev/null
@@ -1,35 +0,0 @@
-/* $NetBSD: rijndael-alg-fst.h,v 1.4 2006/09/09 16:22:36 manu Exp $ */
-
-/* $KAME: rijndael-alg-fst.h,v 1.1.1.1 2001/08/08 09:56:23 sakane Exp $ */
-
-/*
- * rijndael-alg-fst.h v2.3 April '2000
- *
- * Optimised ANSI C code
- *
- * #define INTERMEDIATE_VALUE_KAT to generate the Intermediate Value Known Answer Test.
- */
-
-#ifndef __RIJNDAEL_ALG_FST_H
-#define __RIJNDAEL_ALG_FST_H
-
-#define RIJNDAEL_MAXKC (256/32)
-#define RIJNDAEL_MAXROUNDS 14
-
-int rijndaelKeySched(u_int8_t k[RIJNDAEL_MAXKC][4], u_int8_t rk[RIJNDAEL_MAXROUNDS+1][4][4], int ROUNDS);
-
-int rijndaelKeyEncToDec(u_int8_t W[RIJNDAEL_MAXROUNDS+1][4][4], int ROUNDS);
-
-int rijndaelEncrypt(u_int8_t a[16], u_int8_t b[16], u_int8_t rk[RIJNDAEL_MAXROUNDS+1][4][4], int ROUNDS);
-
-#ifdef INTERMEDIATE_VALUE_KAT
-int rijndaelEncryptRound(u_int8_t a[4][4], u_int8_t rk[RIJNDAEL_MAXROUNDS+1][4][4], int ROUNDS, int rounds);
-#endif /* INTERMEDIATE_VALUE_KAT */
-
-int rijndaelDecrypt(u_int8_t a[16], u_int8_t b[16], u_int8_t rk[RIJNDAEL_MAXROUNDS+1][4][4], int ROUNDS);
-
-#ifdef INTERMEDIATE_VALUE_KAT
-int rijndaelDecryptRound(u_int8_t a[4][4], u_int8_t rk[RIJNDAEL_MAXROUNDS+1][4][4], int ROUNDS, int rounds);
-#endif /* INTERMEDIATE_VALUE_KAT */
-
-#endif /* __RIJNDAEL_ALG_FST_H */
diff --git a/src/racoon/missing/crypto/rijndael/rijndael-api-fst.c b/src/racoon/missing/crypto/rijndael/rijndael-api-fst.c
deleted file mode 100644
index 9b6f5fe..0000000
--- a/src/racoon/missing/crypto/rijndael/rijndael-api-fst.c
+++ /dev/null
@@ -1,494 +0,0 @@
-/* $NetBSD: rijndael-api-fst.c,v 1.4 2006/09/09 16:22:36 manu Exp $ */
-
-/* $KAME: rijndael-api-fst.c,v 1.8 2002/11/18 23:32:54 itojun Exp $ */
-
-/*
- * rijndael-api-fst.c v2.3 April '2000
- *
- * Optimised ANSI C code
- *
- * authors: v1.0: Antoon Bosselaers
- * v2.0: Vincent Rijmen
- * v2.1: Vincent Rijmen
- * v2.2: Vincent Rijmen
- * v2.3: Paulo Barreto
- * v2.4: Vincent Rijmen
- *
- * This code is placed in the public domain.
- */
-
-#include "config.h"
-
-#include <sys/param.h>
-#include <sys/types.h>
-#ifdef _KERNEL
-#include <sys/time.h>
-#include <sys/systm.h>
-#else
-#include <string.h>
-#endif
-#include <crypto/rijndael/rijndael-alg-fst.h>
-#include <crypto/rijndael/rijndael-api-fst.h>
-#include <crypto/rijndael/rijndael_local.h>
-
-#include <err.h>
-#define bcopy(a, b, c) memcpy(b, a, c)
-#define bzero(a, b) memset(a, 0, b)
-#define panic(a) err(1, (a))
-
-int rijndael_makeKey(keyInstance *key, BYTE direction, int keyLen, char *keyMaterial) {
- word8 k[MAXKC][4];
- int i;
- char *keyMat;
-
- if (key == NULL) {
- return BAD_KEY_INSTANCE;
- }
-
- if ((direction == DIR_ENCRYPT) || (direction == DIR_DECRYPT)) {
- key->direction = direction;
- } else {
- return BAD_KEY_DIR;
- }
-
- if ((keyLen == 128) || (keyLen == 192) || (keyLen == 256)) {
- key->keyLen = keyLen;
- } else {
- return BAD_KEY_MAT;
- }
-
- if (keyMaterial != NULL) {
- bcopy(keyMaterial, key->keyMaterial, keyLen/8);
- }
-
- key->ROUNDS = keyLen/32 + 6;
-
- /* initialize key schedule: */
- keyMat = key->keyMaterial;
- for (i = 0; i < key->keyLen/8; i++) {
- k[i >> 2][i & 3] = (word8)keyMat[i];
- }
- rijndaelKeySched(k, key->keySched, key->ROUNDS);
- if (direction == DIR_DECRYPT) {
- rijndaelKeyEncToDec(key->keySched, key->ROUNDS);
- }
-
- return TRUE;
-}
-
-int rijndael_cipherInit(cipherInstance *cipher, BYTE mode, char *IV) {
- if ((mode == MODE_ECB) || (mode == MODE_CBC) || (mode == MODE_CFB1)) {
- cipher->mode = mode;
- } else {
- return BAD_CIPHER_MODE;
- }
- if (IV != NULL) {
- bcopy(IV, cipher->IV, MAX_IV_SIZE);
- } else {
- bzero(cipher->IV, MAX_IV_SIZE);
- }
- return TRUE;
-}
-
-int rijndael_blockEncrypt(cipherInstance *cipher, keyInstance *key,
- BYTE *input, int inputLen, BYTE *outBuffer) {
- int i, k, numBlocks;
- word8 block[16], iv[4][4];
-
- if (cipher == NULL ||
- key == NULL ||
- key->direction == DIR_DECRYPT) {
- return BAD_CIPHER_STATE;
- }
- if (input == NULL || inputLen <= 0) {
- return 0; /* nothing to do */
- }
-
- numBlocks = inputLen/128;
-
- switch (cipher->mode) {
- case MODE_ECB:
- for (i = numBlocks; i > 0; i--) {
- rijndaelEncrypt(input, outBuffer, key->keySched, key->ROUNDS);
- input += 16;
- outBuffer += 16;
- }
- break;
-
- case MODE_CBC:
-#if 1 /*STRICT_ALIGN*/
- bcopy(cipher->IV, block, 16);
- bcopy(input, iv, 16);
- ((word32*)block)[0] ^= ((word32*)iv)[0];
- ((word32*)block)[1] ^= ((word32*)iv)[1];
- ((word32*)block)[2] ^= ((word32*)iv)[2];
- ((word32*)block)[3] ^= ((word32*)iv)[3];
-#else
- ((word32*)block)[0] = ((word32*)cipher->IV)[0] ^ ((word32*)input)[0];
- ((word32*)block)[1] = ((word32*)cipher->IV)[1] ^ ((word32*)input)[1];
- ((word32*)block)[2] = ((word32*)cipher->IV)[2] ^ ((word32*)input)[2];
- ((word32*)block)[3] = ((word32*)cipher->IV)[3] ^ ((word32*)input)[3];
-#endif
- rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS);
- input += 16;
- for (i = numBlocks - 1; i > 0; i--) {
-#if 1 /*STRICT_ALIGN*/
- bcopy(outBuffer, block, 16);
- bcopy(input, iv, 16);
- ((word32*)block)[0] ^= ((word32*)iv)[0];
- ((word32*)block)[1] ^= ((word32*)iv)[1];
- ((word32*)block)[2] ^= ((word32*)iv)[2];
- ((word32*)block)[3] ^= ((word32*)iv)[3];
-#else
- ((word32*)block)[0] = ((word32*)outBuffer)[0] ^ ((word32*)input)[0];
- ((word32*)block)[1] = ((word32*)outBuffer)[1] ^ ((word32*)input)[1];
- ((word32*)block)[2] = ((word32*)outBuffer)[2] ^ ((word32*)input)[2];
- ((word32*)block)[3] = ((word32*)outBuffer)[3] ^ ((word32*)input)[3];
-#endif
- outBuffer += 16;
- rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS);
- input += 16;
- }
- break;
-
- case MODE_CFB1:
-#if 1 /*STRICT_ALIGN*/
- bcopy(cipher->IV, iv, 16);
-#else /* !STRICT_ALIGN */
- *((word32*)iv[0]) = *((word32*)(cipher->IV ));
- *((word32*)iv[1]) = *((word32*)(cipher->IV+ 4));
- *((word32*)iv[2]) = *((word32*)(cipher->IV+ 8));
- *((word32*)iv[3]) = *((word32*)(cipher->IV+12));
-#endif /* ?STRICT_ALIGN */
- for (i = numBlocks; i > 0; i--) {
- for (k = 0; k < 128; k++) {
- *((word32*) block ) = *((word32*)iv[0]);
- *((word32*)(block+ 4)) = *((word32*)iv[1]);
- *((word32*)(block+ 8)) = *((word32*)iv[2]);
- *((word32*)(block+12)) = *((word32*)iv[3]);
- rijndaelEncrypt(block, block, key->keySched, key->ROUNDS);
- outBuffer[k/8] ^= (block[0] & 0x80) >> (k & 7);
- iv[0][0] = (iv[0][0] << 1) | (iv[0][1] >> 7);
- iv[0][1] = (iv[0][1] << 1) | (iv[0][2] >> 7);
- iv[0][2] = (iv[0][2] << 1) | (iv[0][3] >> 7);
- iv[0][3] = (iv[0][3] << 1) | (iv[1][0] >> 7);
- iv[1][0] = (iv[1][0] << 1) | (iv[1][1] >> 7);
- iv[1][1] = (iv[1][1] << 1) | (iv[1][2] >> 7);
- iv[1][2] = (iv[1][2] << 1) | (iv[1][3] >> 7);
- iv[1][3] = (iv[1][3] << 1) | (iv[2][0] >> 7);
- iv[2][0] = (iv[2][0] << 1) | (iv[2][1] >> 7);
- iv[2][1] = (iv[2][1] << 1) | (iv[2][2] >> 7);
- iv[2][2] = (iv[2][2] << 1) | (iv[2][3] >> 7);
- iv[2][3] = (iv[2][3] << 1) | (iv[3][0] >> 7);
- iv[3][0] = (iv[3][0] << 1) | (iv[3][1] >> 7);
- iv[3][1] = (iv[3][1] << 1) | (iv[3][2] >> 7);
- iv[3][2] = (iv[3][2] << 1) | (iv[3][3] >> 7);
- iv[3][3] = (iv[3][3] << 1) | ((outBuffer[k/8] >> (7-(k&7))) & 1);
- }
- }
- break;
-
- default:
- return BAD_CIPHER_STATE;
- }
-
- return 128*numBlocks;
-}
-
-/**
- * Encrypt data partitioned in octets, using RFC 2040-like padding.
- *
- * @param input data to be encrypted (octet sequence)
- * @param inputOctets input length in octets (not bits)
- * @param outBuffer encrypted output data
- *
- * @return length in octets (not bits) of the encrypted output buffer.
- */
-int rijndael_padEncrypt(cipherInstance *cipher, keyInstance *key,
- BYTE *input, int inputOctets, BYTE *outBuffer) {
- int i, numBlocks, padLen;
- word8 block[16], *iv, *cp;
-
- if (cipher == NULL ||
- key == NULL ||
- key->direction == DIR_DECRYPT) {
- return BAD_CIPHER_STATE;
- }
- if (input == NULL || inputOctets <= 0) {
- return 0; /* nothing to do */
- }
-
- numBlocks = inputOctets/16;
-
- switch (cipher->mode) {
- case MODE_ECB:
- for (i = numBlocks; i > 0; i--) {
- rijndaelEncrypt(input, outBuffer, key->keySched, key->ROUNDS);
- input += 16;
- outBuffer += 16;
- }
- padLen = 16 - (inputOctets - 16*numBlocks);
- if (padLen <= 0 || padLen > 16)
- panic("rijndael_padEncrypt(ECB)");
- bcopy(input, block, 16 - padLen);
- for (cp = block + 16 - padLen; cp < block + 16; cp++)
- *cp = padLen;
- rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS);
- break;
-
- case MODE_CBC:
- iv = cipher->IV;
- for (i = numBlocks; i > 0; i--) {
- ((word32*)block)[0] = ((word32*)input)[0] ^ ((word32*)iv)[0];
- ((word32*)block)[1] = ((word32*)input)[1] ^ ((word32*)iv)[1];
- ((word32*)block)[2] = ((word32*)input)[2] ^ ((word32*)iv)[2];
- ((word32*)block)[3] = ((word32*)input)[3] ^ ((word32*)iv)[3];
- rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS);
- iv = outBuffer;
- input += 16;
- outBuffer += 16;
- }
- padLen = 16 - (inputOctets - 16*numBlocks);
- if (padLen <= 0 || padLen > 16)
- panic("rijndael_padEncrypt(CBC)");
- for (i = 0; i < 16 - padLen; i++) {
- block[i] = input[i] ^ iv[i];
- }
- for (i = 16 - padLen; i < 16; i++) {
- block[i] = (BYTE)padLen ^ iv[i];
- }
- rijndaelEncrypt(block, outBuffer, key->keySched, key->ROUNDS);
- break;
-
- default:
- return BAD_CIPHER_STATE;
- }
-
- return 16*(numBlocks + 1);
-}
-
-int rijndael_blockDecrypt(cipherInstance *cipher, keyInstance *key,
- BYTE *input, int inputLen, BYTE *outBuffer) {
- int i, k, numBlocks;
- word8 block[16], iv[4][4];
-
- if (cipher == NULL ||
- key == NULL ||
- (cipher->mode != MODE_CFB1 && key->direction == DIR_ENCRYPT)) {
- return BAD_CIPHER_STATE;
- }
- if (input == NULL || inputLen <= 0) {
- return 0; /* nothing to do */
- }
-
- numBlocks = inputLen/128;
-
- switch (cipher->mode) {
- case MODE_ECB:
- for (i = numBlocks; i > 0; i--) {
- rijndaelDecrypt(input, outBuffer, key->keySched, key->ROUNDS);
- input += 16;
- outBuffer += 16;
- }
- break;
-
- case MODE_CBC:
-#if 1 /*STRICT_ALIGN */
- bcopy(cipher->IV, iv, 16);
-#else
- *((word32*)iv[0]) = *((word32*)(cipher->IV ));
- *((word32*)iv[1]) = *((word32*)(cipher->IV+ 4));
- *((word32*)iv[2]) = *((word32*)(cipher->IV+ 8));
- *((word32*)iv[3]) = *((word32*)(cipher->IV+12));
-#endif
- for (i = numBlocks; i > 0; i--) {
- rijndaelDecrypt(input, block, key->keySched, key->ROUNDS);
- ((word32*)block)[0] ^= *((word32*)iv[0]);
- ((word32*)block)[1] ^= *((word32*)iv[1]);
- ((word32*)block)[2] ^= *((word32*)iv[2]);
- ((word32*)block)[3] ^= *((word32*)iv[3]);
-#if 1 /*STRICT_ALIGN*/
- bcopy(input, iv, 16);
- bcopy(block, outBuffer, 16);
-#else
- *((word32*)iv[0]) = ((word32*)input)[0]; ((word32*)outBuffer)[0] = ((word32*)block)[0];
- *((word32*)iv[1]) = ((word32*)input)[1]; ((word32*)outBuffer)[1] = ((word32*)block)[1];
- *((word32*)iv[2]) = ((word32*)input)[2]; ((word32*)outBuffer)[2] = ((word32*)block)[2];
- *((word32*)iv[3]) = ((word32*)input)[3]; ((word32*)outBuffer)[3] = ((word32*)block)[3];
-#endif
- input += 16;
- outBuffer += 16;
- }
- break;
-
- case MODE_CFB1:
-#if 1 /*STRICT_ALIGN */
- bcopy(cipher->IV, iv, 16);
-#else
- *((word32*)iv[0]) = *((word32*)(cipher->IV));
- *((word32*)iv[1]) = *((word32*)(cipher->IV+ 4));
- *((word32*)iv[2]) = *((word32*)(cipher->IV+ 8));
- *((word32*)iv[3]) = *((word32*)(cipher->IV+12));
-#endif
- for (i = numBlocks; i > 0; i--) {
- for (k = 0; k < 128; k++) {
- *((word32*) block ) = *((word32*)iv[0]);
- *((word32*)(block+ 4)) = *((word32*)iv[1]);
- *((word32*)(block+ 8)) = *((word32*)iv[2]);
- *((word32*)(block+12)) = *((word32*)iv[3]);
- rijndaelEncrypt(block, block, key->keySched, key->ROUNDS);
- iv[0][0] = (iv[0][0] << 1) | (iv[0][1] >> 7);
- iv[0][1] = (iv[0][1] << 1) | (iv[0][2] >> 7);
- iv[0][2] = (iv[0][2] << 1) | (iv[0][3] >> 7);
- iv[0][3] = (iv[0][3] << 1) | (iv[1][0] >> 7);
- iv[1][0] = (iv[1][0] << 1) | (iv[1][1] >> 7);
- iv[1][1] = (iv[1][1] << 1) | (iv[1][2] >> 7);
- iv[1][2] = (iv[1][2] << 1) | (iv[1][3] >> 7);
- iv[1][3] = (iv[1][3] << 1) | (iv[2][0] >> 7);
- iv[2][0] = (iv[2][0] << 1) | (iv[2][1] >> 7);
- iv[2][1] = (iv[2][1] << 1) | (iv[2][2] >> 7);
- iv[2][2] = (iv[2][2] << 1) | (iv[2][3] >> 7);
- iv[2][3] = (iv[2][3] << 1) | (iv[3][0] >> 7);
- iv[3][0] = (iv[3][0] << 1) | (iv[3][1] >> 7);
- iv[3][1] = (iv[3][1] << 1) | (iv[3][2] >> 7);
- iv[3][2] = (iv[3][2] << 1) | (iv[3][3] >> 7);
- iv[3][3] = (iv[3][3] << 1) | ((input[k/8] >> (7-(k&7))) & 1);
- outBuffer[k/8] ^= (block[0] & 0x80) >> (k & 7);
- }
- }
- break;
-
- default:
- return BAD_CIPHER_STATE;
- }
-
- return 128*numBlocks;
-}
-
-int rijndael_padDecrypt(cipherInstance *cipher, keyInstance *key,
- BYTE *input, int inputOctets, BYTE *outBuffer) {
- int i, numBlocks, padLen;
- word8 block[16];
- word32 iv[4];
-
- if (cipher == NULL ||
- key == NULL ||
- key->direction == DIR_ENCRYPT) {
- return BAD_CIPHER_STATE;
- }
- if (input == NULL || inputOctets <= 0) {
- return 0; /* nothing to do */
- }
- if (inputOctets % 16 != 0) {
- return BAD_DATA;
- }
-
- numBlocks = inputOctets/16;
-
- switch (cipher->mode) {
- case MODE_ECB:
- /* all blocks but last */
- for (i = numBlocks - 1; i > 0; i--) {
- rijndaelDecrypt(input, outBuffer, key->keySched, key->ROUNDS);
- input += 16;
- outBuffer += 16;
- }
- /* last block */
- rijndaelDecrypt(input, block, key->keySched, key->ROUNDS);
- padLen = block[15];
- if (padLen >= 16) {
- return BAD_DATA;
- }
- for (i = 16 - padLen; i < 16; i++) {
- if (block[i] != padLen) {
- return BAD_DATA;
- }
- }
- bcopy(block, outBuffer, 16 - padLen);
- break;
-
- case MODE_CBC:
- bcopy(cipher->IV, iv, 16);
- /* all blocks but last */
- for (i = numBlocks - 1; i > 0; i--) {
- rijndaelDecrypt(input, block, key->keySched, key->ROUNDS);
- ((word32*)block)[0] ^= iv[0];
- ((word32*)block)[1] ^= iv[1];
- ((word32*)block)[2] ^= iv[2];
- ((word32*)block)[3] ^= iv[3];
- bcopy(input, iv, 16);
- bcopy(block, outBuffer, 16);
- input += 16;
- outBuffer += 16;
- }
- /* last block */
- rijndaelDecrypt(input, block, key->keySched, key->ROUNDS);
- ((word32*)block)[0] ^= iv[0];
- ((word32*)block)[1] ^= iv[1];
- ((word32*)block)[2] ^= iv[2];
- ((word32*)block)[3] ^= iv[3];
- padLen = block[15];
- if (padLen <= 0 || padLen > 16) {
- return BAD_DATA;
- }
- for (i = 16 - padLen; i < 16; i++) {
- if (block[i] != padLen) {
- return BAD_DATA;
- }
- }
- bcopy(block, outBuffer, 16 - padLen);
- break;
-
- default:
- return BAD_CIPHER_STATE;
- }
-
- return 16*numBlocks - padLen;
-}
-
-#ifdef INTERMEDIATE_VALUE_KAT
-/**
- * cipherUpdateRounds:
- *
- * Encrypts/Decrypts exactly one full block a specified number of rounds.
- * Only used in the Intermediate Value Known Answer Test.
- *
- * Returns:
- * TRUE - on success
- * BAD_CIPHER_STATE - cipher in bad state (e.g., not initialized)
- */
-int rijndael_cipherUpdateRounds(cipherInstance *cipher, keyInstance *key,
- BYTE *input, int inputLen, BYTE *outBuffer, int rounds) {
- int j;
- word8 block[4][4];
-
- if (cipher == NULL || key == NULL) {
- return BAD_CIPHER_STATE;
- }
-
- for (j = 3; j >= 0; j--) {
- /* parse input stream into rectangular array */
- *((word32*)block[j]) = *((word32*)(input+4*j));
- }
-
- switch (key->direction) {
- case DIR_ENCRYPT:
- rijndaelEncryptRound(block, key->keySched, key->ROUNDS, rounds);
- break;
-
- case DIR_DECRYPT:
- rijndaelDecryptRound(block, key->keySched, key->ROUNDS, rounds);
- break;
-
- default:
- return BAD_KEY_DIR;
- }
-
- for (j = 3; j >= 0; j--) {
- /* parse rectangular array into output ciphertext bytes */
- *((word32*)(outBuffer+4*j)) = *((word32*)block[j]);
- }
-
- return TRUE;
-}
-#endif /* INTERMEDIATE_VALUE_KAT */
diff --git a/src/racoon/missing/crypto/rijndael/rijndael-api-fst.h b/src/racoon/missing/crypto/rijndael/rijndael-api-fst.h
deleted file mode 100644
index 1d76a21..0000000
--- a/src/racoon/missing/crypto/rijndael/rijndael-api-fst.h
+++ /dev/null
@@ -1,105 +0,0 @@
-/* $NetBSD: rijndael-api-fst.h,v 1.4 2006/09/09 16:22:36 manu Exp $ */
-
-/* $KAME: rijndael-api-fst.h,v 1.1.1.1 2001/08/08 09:56:27 sakane Exp $ */
-
-/*
- * rijndael-api-fst.h v2.3 April '2000
- *
- * Optimised ANSI C code
- *
- * #define INTERMEDIATE_VALUE_KAT to generate the Intermediate Value Known Answer Test.
- */
-
-#ifndef __RIJNDAEL_API_FST_H
-#define __RIJNDAEL_API_FST_H
-
-#include <crypto/rijndael/rijndael-alg-fst.h>
-
-/* Defines:
- Add any additional defines you need
-*/
-
-#define DIR_ENCRYPT 0 /* Are we encrpyting? */
-#define DIR_DECRYPT 1 /* Are we decrpyting? */
-#define MODE_ECB 1 /* Are we ciphering in ECB mode? */
-#define MODE_CBC 2 /* Are we ciphering in CBC mode? */
-#define MODE_CFB1 3 /* Are we ciphering in 1-bit CFB mode? */
-#define TRUE 1
-#define FALSE 0
-#define BITSPERBLOCK 128 /* Default number of bits in a cipher block */
-
-/* Error Codes - CHANGE POSSIBLE: inclusion of additional error codes */
-#define BAD_KEY_DIR -1 /* Key direction is invalid, e.g., unknown value */
-#define BAD_KEY_MAT -2 /* Key material not of correct length */
-#define BAD_KEY_INSTANCE -3 /* Key passed is not valid */
-#define BAD_CIPHER_MODE -4 /* Params struct passed to cipherInit invalid */
-#define BAD_CIPHER_STATE -5 /* Cipher in wrong state (e.g., not initialized) */
-#define BAD_BLOCK_LENGTH -6
-#define BAD_CIPHER_INSTANCE -7
-#define BAD_DATA -8 /* Data contents are invalid, e.g., invalid padding */
-#define BAD_OTHER -9 /* Unknown error */
-
-/* CHANGE POSSIBLE: inclusion of algorithm specific defines */
-#define MAX_KEY_SIZE 64 /* # of ASCII char's needed to represent a key */
-#define MAX_IV_SIZE 16 /* # bytes needed to represent an IV */
-
-/* Typedefs:
-
- Typedef'ed data storage elements. Add any algorithm specific
-parameters at the bottom of the structs as appropriate.
-*/
-
-/* The structure for key information */
-typedef struct {
- u_int8_t direction; /* Key used for encrypting or decrypting? */
- int keyLen; /* Length of the key */
- char keyMaterial[MAX_KEY_SIZE+1]; /* Raw key data in ASCII, e.g., user input or KAT values */
- /* The following parameters are algorithm dependent, replace or add as necessary */
- int ROUNDS; /* key-length-dependent number of rounds */
- int blockLen; /* block length */
- union {
- u_int8_t xkS8[RIJNDAEL_MAXROUNDS+1][4][4]; /* key schedule */
- u_int32_t xkS32[RIJNDAEL_MAXROUNDS+1][4]; /* key schedule */
- } xKeySched;
-#define keySched xKeySched.xkS8
-} keyInstance;
-
-/* The structure for cipher information */
-typedef struct { /* changed order of the components */
- u_int8_t mode; /* MODE_ECB, MODE_CBC, or MODE_CFB1 */
- u_int8_t IV[MAX_IV_SIZE]; /* A possible Initialization Vector for ciphering */
- /* Add any algorithm specific parameters needed here */
- int blockLen; /* Sample: Handles non-128 bit block sizes (if available) */
-} cipherInstance;
-
-/* Function prototypes */
-/* CHANGED: nothing
- TODO: implement the following extensions to setup 192-bit and 256-bit block lengths:
- makeKeyEx(): parameter blockLen added
- -- this parameter is absolutely necessary if you want to
- setup the round keys in a variable block length setting
- cipherInitEx(): parameter blockLen added (for obvious reasons)
- */
-
-int rijndael_makeKey(keyInstance *key, u_int8_t direction, int keyLen, char *keyMaterial);
-
-int rijndael_cipherInit(cipherInstance *cipher, u_int8_t mode, char *IV);
-
-int rijndael_blockEncrypt(cipherInstance *cipher, keyInstance *key,
- u_int8_t *input, int inputLen, u_int8_t *outBuffer);
-
-int rijndael_padEncrypt(cipherInstance *cipher, keyInstance *key,
- u_int8_t *input, int inputOctets, u_int8_t *outBuffer);
-
-int rijndael_blockDecrypt(cipherInstance *cipher, keyInstance *key,
- u_int8_t *input, int inputLen, u_int8_t *outBuffer);
-
-int rijndael_padDecrypt(cipherInstance *cipher, keyInstance *key,
- u_int8_t *input, int inputOctets, u_int8_t *outBuffer);
-
-#ifdef INTERMEDIATE_VALUE_KAT
-int rijndael_cipherUpdateRounds(cipherInstance *cipher, keyInstance *key,
- u_int8_t *input, int inputLen, u_int8_t *outBuffer, int Rounds);
-#endif /* INTERMEDIATE_VALUE_KAT */
-
-#endif /* __RIJNDAEL_API_FST_H */
diff --git a/src/racoon/missing/crypto/rijndael/rijndael.h b/src/racoon/missing/crypto/rijndael/rijndael.h
deleted file mode 100644
index 59c3077..0000000
--- a/src/racoon/missing/crypto/rijndael/rijndael.h
+++ /dev/null
@@ -1,5 +0,0 @@
-/* $NetBSD: rijndael.h,v 1.4 2006/09/09 16:22:36 manu Exp $ */
-
-/* $KAME: rijndael.h,v 1.1.1.1 2001/08/08 09:56:27 sakane Exp $ */
-
-#include <crypto/rijndael/rijndael-api-fst.h>
diff --git a/src/racoon/missing/crypto/rijndael/rijndael_local.h b/src/racoon/missing/crypto/rijndael/rijndael_local.h
deleted file mode 100644
index e446378..0000000
--- a/src/racoon/missing/crypto/rijndael/rijndael_local.h
+++ /dev/null
@@ -1,12 +0,0 @@
-/* $NetBSD: rijndael_local.h,v 1.4 2006/09/09 16:22:36 manu Exp $ */
-
-/* $KAME: rijndael_local.h,v 1.1.1.1 2001/08/08 09:56:27 sakane Exp $ */
-
-/* the file should not be used from outside */
-typedef u_int8_t BYTE;
-typedef u_int8_t word8;
-typedef u_int16_t word16;
-typedef u_int32_t word32;
-
-#define MAXKC RIJNDAEL_MAXKC
-#define MAXROUNDS RIJNDAEL_MAXROUNDS
diff --git a/src/racoon/missing/crypto/sha2/sha2.c b/src/racoon/missing/crypto/sha2/sha2.c
deleted file mode 100644
index cfde829..0000000
--- a/src/racoon/missing/crypto/sha2/sha2.c
+++ /dev/null
@@ -1,1201 +0,0 @@
-/* $NetBSD: sha2.c,v 1.4 2006/09/09 16:22:36 manu Exp $ */
-
-/* Id: sha2.c,v 1.6 2004/09/21 14:35:25 ludvigm Exp */
-
-/*
- * sha2.c
- *
- * Version 1.0.0beta1
- *
- * Written by Aaron D. Gifford <me@aarongifford.com>
- *
- * Copyright 2000 Aaron D. Gifford. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the copyright holder nor the names of contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/time.h>
-#ifndef __linux__
-#include <machine/endian.h>
-#endif
-#include <crypto/sha2/sha2.h>
-#include <openssl/evp.h>
-
-/* get openssl/ssleay version number */
-#include <openssl/opensslv.h>
-
-#include <err.h>
-#include <string.h>
-#define bcopy(a, b, c) memcpy((b), (a), (c))
-#define bzero(a, b) memset((a), 0, (b))
-#define panic(a) err(1, (a))
-
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
-#define HAVE_EVP_097
-#endif
-
-/*
- * ASSERT NOTE:
- * Some sanity checking code is included using assert(). On my FreeBSD
- * system, this additional code can be removed by compiling with NDEBUG
- * defined. Check your own systems manpage on assert() to see how to
- * compile WITHOUT the sanity checking code on your system.
- *
- * UNROLLED TRANSFORM LOOP NOTE:
- * You can define SHA2_UNROLL_TRANSFORM to use the unrolled transform
- * loop version for the hash transform rounds (defined using macros
- * later in this file). Either define on the command line, for example:
- *
- * cc -DSHA2_UNROLL_TRANSFORM -o sha2 sha2.c sha2prog.c
- *
- * or define below:
- *
- * #define SHA2_UNROLL_TRANSFORM
- *
- */
-
-#define assert(x)
-
-
-/*** SHA-256/384/512 Machine Architecture Definitions *****************/
-/*
- * BYTE_ORDER NOTE:
- *
- * Please make sure that your system defines BYTE_ORDER. If your
- * architecture is little-endian, make sure it also defines
- * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
- * equivilent.
- *
- * If your system does not define the above, then you can do so by
- * hand like this:
- *
- * #define LITTLE_ENDIAN 1234
- * #define BIG_ENDIAN 4321
- *
- * And for little-endian machines, add:
- *
- * #define BYTE_ORDER LITTLE_ENDIAN
- *
- * Or for big-endian machines:
- *
- * #define BYTE_ORDER BIG_ENDIAN
- *
- * The FreeBSD machine this was written on defines BYTE_ORDER
- * appropriately by including <sys/types.h> (which in turn includes
- * <machine/endian.h> where the appropriate definitions are actually
- * made).
- */
-#if !defined(BYTE_ORDER) || (BYTE_ORDER != LITTLE_ENDIAN && BYTE_ORDER != BIG_ENDIAN)
-#error Define BYTE_ORDER to be equal to either LITTLE_ENDIAN or BIG_ENDIAN
-#endif
-
-/*
- * Define the followingsha2_* types to types of the correct length on
- * the native archtecture. Most BSD systems and Linux define u_intXX_t
- * types. Machines with very recent ANSI C headers, can use the
- * uintXX_t definintions from inttypes.h by defining SHA2_USE_INTTYPES_H
- * during compile or in the sha.h header file.
- *
- * Machines that support neither u_intXX_t nor inttypes.h's uintXX_t
- * will need to define these three typedefs below (and the appropriate
- * ones in sha.h too) by hand according to their system architecture.
- *
- * Thank you, Jun-ichiro itojun Hagino, for suggesting using u_intXX_t
- * types and pointing out recent ANSI C support for uintXX_t in inttypes.h.
- */
-#if 0 /*def SHA2_USE_INTTYPES_H*/
-
-typedef uint8_t sha2_byte; /* Exactly 1 byte */
-typedef uint32_t sha2_word32; /* Exactly 4 bytes */
-typedef uint64_t sha2_word64; /* Exactly 8 bytes */
-
-#else /* SHA2_USE_INTTYPES_H */
-
-typedef u_int8_t sha2_byte; /* Exactly 1 byte */
-typedef u_int32_t sha2_word32; /* Exactly 4 bytes */
-typedef u_int64_t sha2_word64; /* Exactly 8 bytes */
-
-#endif /* SHA2_USE_INTTYPES_H */
-
-
-/*** SHA-256/384/512 Various Length Definitions ***********************/
-/* NOTE: Most of these are in sha2.h */
-#define SHA256_SHORT_BLOCK_LENGTH (SHA256_BLOCK_LENGTH - 8)
-#define SHA384_SHORT_BLOCK_LENGTH (SHA384_BLOCK_LENGTH - 16)
-#define SHA512_SHORT_BLOCK_LENGTH (SHA512_BLOCK_LENGTH - 16)
-
-
-/*** ENDIAN REVERSAL MACROS *******************************************/
-#if BYTE_ORDER == LITTLE_ENDIAN
-#define REVERSE32(w,x) { \
- sha2_word32 tmp = (w); \
- tmp = (tmp >> 16) | (tmp << 16); \
- (x) = ((tmp & 0xff00ff00UL) >> 8) | ((tmp & 0x00ff00ffUL) << 8); \
-}
-#define REVERSE64(w,x) { \
- sha2_word64 tmp = (w); \
- tmp = (tmp >> 32) | (tmp << 32); \
- tmp = ((tmp & 0xff00ff00ff00ff00ULL) >> 8) | \
- ((tmp & 0x00ff00ff00ff00ffULL) << 8); \
- (x) = ((tmp & 0xffff0000ffff0000ULL) >> 16) | \
- ((tmp & 0x0000ffff0000ffffULL) << 16); \
-}
-#endif /* BYTE_ORDER == LITTLE_ENDIAN */
-
-/*
- * Macro for incrementally adding the unsigned 64-bit integer n to the
- * unsigned 128-bit integer (represented using a two-element array of
- * 64-bit words):
- */
-#define ADDINC128(w,n) { \
- (w)[0] += (sha2_word64)(n); \
- if ((w)[0] < (n)) { \
- (w)[1]++; \
- } \
-}
-
-/*** THE SIX LOGICAL FUNCTIONS ****************************************/
-/*
- * Bit shifting and rotation (used by the six SHA-XYZ logical functions:
- *
- * NOTE: The naming of R and S appears backwards here (R is a SHIFT and
- * S is a ROTATION) because the SHA-256/384/512 description document
- * (see http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf) uses this
- * same "backwards" definition.
- */
-/* Shift-right (used in SHA-256, SHA-384, and SHA-512): */
-#define R(b,x) ((x) >> (b))
-/* 32-bit Rotate-right (used in SHA-256): */
-#define S32(b,x) (((x) >> (b)) | ((x) << (32 - (b))))
-/* 64-bit Rotate-right (used in SHA-384 and SHA-512): */
-#define S64(b,x) (((x) >> (b)) | ((x) << (64 - (b))))
-
-/* Two of six logical functions used in SHA-256, SHA-384, and SHA-512: */
-#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z)))
-#define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
-
-/* Four of six logical functions used in SHA-256: */
-#define Sigma0_256(x) (S32(2, (x)) ^ S32(13, (x)) ^ S32(22, (x)))
-#define Sigma1_256(x) (S32(6, (x)) ^ S32(11, (x)) ^ S32(25, (x)))
-#define sigma0_256(x) (S32(7, (x)) ^ S32(18, (x)) ^ R(3 , (x)))
-#define sigma1_256(x) (S32(17, (x)) ^ S32(19, (x)) ^ R(10, (x)))
-
-/* Four of six logical functions used in SHA-384 and SHA-512: */
-#define Sigma0_512(x) (S64(28, (x)) ^ S64(34, (x)) ^ S64(39, (x)))
-#define Sigma1_512(x) (S64(14, (x)) ^ S64(18, (x)) ^ S64(41, (x)))
-#define sigma0_512(x) (S64( 1, (x)) ^ S64( 8, (x)) ^ R( 7, (x)))
-#define sigma1_512(x) (S64(19, (x)) ^ S64(61, (x)) ^ R( 6, (x)))
-
-/*** INTERNAL FUNCTION PROTOTYPES *************************************/
-/* NOTE: These should not be accessed directly from outside this
- * library -- they are intended for private internal visibility/use
- * only.
- */
-void SHA512_Last(SHA512_CTX*);
-void SHA256_Transform(SHA256_CTX*, const sha2_word32*);
-void SHA512_Transform(SHA512_CTX*, const sha2_word64*);
-
-
-/*** SHA-XYZ INITIAL HASH VALUES AND CONSTANTS ************************/
-/* Hash constant words K for SHA-256: */
-const static sha2_word32 K256[64] = {
- 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL,
- 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL,
- 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL,
- 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL,
- 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL,
- 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL,
- 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL,
- 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL,
- 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL,
- 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL,
- 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL,
- 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL,
- 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL,
- 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL,
- 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL,
- 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
-};
-
-/* Initial hash value H for SHA-256: */
-const static sha2_word32 sha256_initial_hash_value[8] = {
- 0x6a09e667UL,
- 0xbb67ae85UL,
- 0x3c6ef372UL,
- 0xa54ff53aUL,
- 0x510e527fUL,
- 0x9b05688cUL,
- 0x1f83d9abUL,
- 0x5be0cd19UL
-};
-
-/* Hash constant words K for SHA-384 and SHA-512: */
-const static sha2_word64 K512[80] = {
- 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
- 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
- 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL,
- 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
- 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL,
- 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
- 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL,
- 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
- 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL,
- 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
- 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL,
- 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
- 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL,
- 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
- 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL,
- 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
- 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL,
- 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
- 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL,
- 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
- 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL,
- 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
- 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL,
- 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
- 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL,
- 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
- 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL,
- 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
- 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL,
- 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
- 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL,
- 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
- 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL,
- 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
- 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL,
- 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
- 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL,
- 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
- 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL,
- 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
-};
-
-/* Initial hash value H for SHA-384 */
-const static sha2_word64 sha384_initial_hash_value[8] = {
- 0xcbbb9d5dc1059ed8ULL,
- 0x629a292a367cd507ULL,
- 0x9159015a3070dd17ULL,
- 0x152fecd8f70e5939ULL,
- 0x67332667ffc00b31ULL,
- 0x8eb44a8768581511ULL,
- 0xdb0c2e0d64f98fa7ULL,
- 0x47b5481dbefa4fa4ULL
-};
-
-/* Initial hash value H for SHA-512 */
-const static sha2_word64 sha512_initial_hash_value[8] = {
- 0x6a09e667f3bcc908ULL,
- 0xbb67ae8584caa73bULL,
- 0x3c6ef372fe94f82bULL,
- 0xa54ff53a5f1d36f1ULL,
- 0x510e527fade682d1ULL,
- 0x9b05688c2b3e6c1fULL,
- 0x1f83d9abfb41bd6bULL,
- 0x5be0cd19137e2179ULL
-};
-
-/*
- * Constant used by SHA256/384/512_End() functions for converting the
- * digest to a readable hexadecimal character string:
- */
-static const char *sha2_hex_digits = "0123456789abcdef";
-
-
-/*** SHA-256: *********************************************************/
-void SHA256_Init(SHA256_CTX* context) {
- if (context == (SHA256_CTX*)0) {
- return;
- }
- bcopy(sha256_initial_hash_value, context->state, SHA256_DIGEST_LENGTH);
- bzero(context->buffer, SHA256_BLOCK_LENGTH);
- context->bitcount = 0;
-}
-
-#ifdef SHA2_UNROLL_TRANSFORM
-
-/* Unrolled SHA-256 round macros: */
-
-#if BYTE_ORDER == LITTLE_ENDIAN
-
-#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
- REVERSE32(*data++, W256[j]); \
- T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
- K256[j] + W256[j]; \
- (d) += T1; \
- (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
- j++
-
-
-#else /* BYTE_ORDER == LITTLE_ENDIAN */
-
-#define ROUND256_0_TO_15(a,b,c,d,e,f,g,h) \
- T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
- K256[j] + (W256[j] = *data++); \
- (d) += T1; \
- (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
- j++
-
-#endif /* BYTE_ORDER == LITTLE_ENDIAN */
-
-#define ROUND256(a,b,c,d,e,f,g,h) \
- s0 = W256[(j+1)&0x0f]; \
- s0 = sigma0_256(s0); \
- s1 = W256[(j+14)&0x0f]; \
- s1 = sigma1_256(s1); \
- T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + K256[j] + \
- (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0); \
- (d) += T1; \
- (h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
- j++
-
-void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) {
- sha2_word32 a, b, c, d, e, f, g, h, s0, s1;
- sha2_word32 T1, *W256;
- int j;
-
- W256 = (sha2_word32*)context->buffer;
-
- /* Initialize registers with the prev. intermediate value */
- a = context->state[0];
- b = context->state[1];
- c = context->state[2];
- d = context->state[3];
- e = context->state[4];
- f = context->state[5];
- g = context->state[6];
- h = context->state[7];
-
- j = 0;
- do {
- /* Rounds 0 to 15 (unrolled): */
- ROUND256_0_TO_15(a,b,c,d,e,f,g,h);
- ROUND256_0_TO_15(h,a,b,c,d,e,f,g);
- ROUND256_0_TO_15(g,h,a,b,c,d,e,f);
- ROUND256_0_TO_15(f,g,h,a,b,c,d,e);
- ROUND256_0_TO_15(e,f,g,h,a,b,c,d);
- ROUND256_0_TO_15(d,e,f,g,h,a,b,c);
- ROUND256_0_TO_15(c,d,e,f,g,h,a,b);
- ROUND256_0_TO_15(b,c,d,e,f,g,h,a);
- } while (j < 16);
-
- /* Now for the remaining rounds to 64: */
- do {
- ROUND256(a,b,c,d,e,f,g,h);
- ROUND256(h,a,b,c,d,e,f,g);
- ROUND256(g,h,a,b,c,d,e,f);
- ROUND256(f,g,h,a,b,c,d,e);
- ROUND256(e,f,g,h,a,b,c,d);
- ROUND256(d,e,f,g,h,a,b,c);
- ROUND256(c,d,e,f,g,h,a,b);
- ROUND256(b,c,d,e,f,g,h,a);
- } while (j < 64);
-
- /* Compute the current intermediate hash value */
- context->state[0] += a;
- context->state[1] += b;
- context->state[2] += c;
- context->state[3] += d;
- context->state[4] += e;
- context->state[5] += f;
- context->state[6] += g;
- context->state[7] += h;
-
- /* Clean up */
- a = b = c = d = e = f = g = h = T1 = 0;
-}
-
-#else /* SHA2_UNROLL_TRANSFORM */
-
-void SHA256_Transform(SHA256_CTX* context, const sha2_word32* data) {
- sha2_word32 a, b, c, d, e, f, g, h, s0, s1;
- sha2_word32 T1, T2, *W256;
- int j;
-
- W256 = (sha2_word32*)context->buffer;
-
- /* Initialize registers with the prev. intermediate value */
- a = context->state[0];
- b = context->state[1];
- c = context->state[2];
- d = context->state[3];
- e = context->state[4];
- f = context->state[5];
- g = context->state[6];
- h = context->state[7];
-
- j = 0;
- do {
-#if BYTE_ORDER == LITTLE_ENDIAN
- /* Copy data while converting to host byte order */
- REVERSE32(*data++,W256[j]);
- /* Apply the SHA-256 compression function to update a..h */
- T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + W256[j];
-#else /* BYTE_ORDER == LITTLE_ENDIAN */
- /* Apply the SHA-256 compression function to update a..h with copy */
- T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + (W256[j] = *data++);
-#endif /* BYTE_ORDER == LITTLE_ENDIAN */
- T2 = Sigma0_256(a) + Maj(a, b, c);
- h = g;
- g = f;
- f = e;
- e = d + T1;
- d = c;
- c = b;
- b = a;
- a = T1 + T2;
-
- j++;
- } while (j < 16);
-
- do {
- /* Part of the message block expansion: */
- s0 = W256[(j+1)&0x0f];
- s0 = sigma0_256(s0);
- s1 = W256[(j+14)&0x0f];
- s1 = sigma1_256(s1);
-
- /* Apply the SHA-256 compression function to update a..h */
- T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
- (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
- T2 = Sigma0_256(a) + Maj(a, b, c);
- h = g;
- g = f;
- f = e;
- e = d + T1;
- d = c;
- c = b;
- b = a;
- a = T1 + T2;
-
- j++;
- } while (j < 64);
-
- /* Compute the current intermediate hash value */
- context->state[0] += a;
- context->state[1] += b;
- context->state[2] += c;
- context->state[3] += d;
- context->state[4] += e;
- context->state[5] += f;
- context->state[6] += g;
- context->state[7] += h;
-
- /* Clean up */
- a = b = c = d = e = f = g = h = T1 = T2 = 0;
-}
-
-#endif /* SHA2_UNROLL_TRANSFORM */
-
-void SHA256_Update(SHA256_CTX* context, const sha2_byte *data, size_t len) {
- unsigned int freespace, usedspace;
-
- if (len == 0) {
- /* Calling with no data is valid - we do nothing */
- return;
- }
-
- /* Sanity check: */
- assert(context != (SHA256_CTX*)0 && data != (sha2_byte*)0);
-
- usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
- if (usedspace > 0) {
- /* Calculate how much free space is available in the buffer */
- freespace = SHA256_BLOCK_LENGTH - usedspace;
-
- if (len >= freespace) {
- /* Fill the buffer completely and process it */
- bcopy(data, &context->buffer[usedspace], freespace);
- context->bitcount += freespace << 3;
- len -= freespace;
- data += freespace;
- SHA256_Transform(context, (sha2_word32*)context->buffer);
- } else {
- /* The buffer is not yet full */
- bcopy(data, &context->buffer[usedspace], len);
- context->bitcount += len << 3;
- /* Clean up: */
- usedspace = freespace = 0;
- return;
- }
- }
- while (len >= SHA256_BLOCK_LENGTH) {
- /* Process as many complete blocks as we can */
- SHA256_Transform(context, (const sha2_word32*)data);
- context->bitcount += SHA256_BLOCK_LENGTH << 3;
- len -= SHA256_BLOCK_LENGTH;
- data += SHA256_BLOCK_LENGTH;
- }
- if (len > 0) {
- /* There's left-overs, so save 'em */
- bcopy(data, context->buffer, len);
- context->bitcount += len << 3;
- }
- /* Clean up: */
- usedspace = freespace = 0;
-}
-
-void SHA256_Final(sha2_byte digest[], SHA256_CTX* context) {
- sha2_word32 *d = (sha2_word32*)digest;
- unsigned int usedspace;
-
- /* Sanity check: */
- assert(context != (SHA256_CTX*)0);
-
- /* If no digest buffer is passed, we don't bother doing this: */
- if (digest != (sha2_byte*)0) {
- usedspace = (context->bitcount >> 3) % SHA256_BLOCK_LENGTH;
-#if BYTE_ORDER == LITTLE_ENDIAN
- /* Convert FROM host byte order */
- REVERSE64(context->bitcount,context->bitcount);
-#endif
- if (usedspace > 0) {
- /* Begin padding with a 1 bit: */
- context->buffer[usedspace++] = 0x80;
-
- if (usedspace <= SHA256_SHORT_BLOCK_LENGTH) {
- /* Set-up for the last transform: */
- bzero(&context->buffer[usedspace], SHA256_SHORT_BLOCK_LENGTH - usedspace);
- } else {
- if (usedspace < SHA256_BLOCK_LENGTH) {
- bzero(&context->buffer[usedspace], SHA256_BLOCK_LENGTH - usedspace);
- }
- /* Do second-to-last transform: */
- SHA256_Transform(context, (sha2_word32*)context->buffer);
-
- /* And set-up for the last transform: */
- bzero(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
- }
- } else {
- /* Set-up for the last transform: */
- bzero(context->buffer, SHA256_SHORT_BLOCK_LENGTH);
-
- /* Begin padding with a 1 bit: */
- *context->buffer = 0x80;
- }
- /* Set the bit count: */
- *(sha2_word64*)&context->buffer[SHA256_SHORT_BLOCK_LENGTH] = context->bitcount;
-
- /* Final transform: */
- SHA256_Transform(context, (sha2_word32*)context->buffer);
-
-#if BYTE_ORDER == LITTLE_ENDIAN
- {
- /* Convert TO host byte order */
- int j;
- for (j = 0; j < 8; j++) {
- REVERSE32(context->state[j],context->state[j]);
- *d++ = context->state[j];
- }
- }
-#else
- bcopy(context->state, d, SHA256_DIGEST_LENGTH);
-#endif
- }
-
- /* Clean up state data: */
- bzero(context, sizeof(*context));
- usedspace = 0;
-}
-
-char *SHA256_End(SHA256_CTX* context, char buffer[]) {
- sha2_byte digest[SHA256_DIGEST_LENGTH], *d = digest;
- int i;
-
- /* Sanity check: */
- assert(context != (SHA256_CTX*)0);
-
- if (buffer != (char*)0) {
- SHA256_Final(digest, context);
-
- for (i = 0; i < SHA256_DIGEST_LENGTH; i++) {
- *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
- *buffer++ = sha2_hex_digits[*d & 0x0f];
- d++;
- }
- *buffer = (char)0;
- } else {
- bzero(context, sizeof(*context));
- }
- bzero(digest, SHA256_DIGEST_LENGTH);
- return buffer;
-}
-
-char* SHA256_Data(const sha2_byte* data, size_t len, char digest[SHA256_DIGEST_STRING_LENGTH]) {
- SHA256_CTX context;
-
- SHA256_Init(&context);
- SHA256_Update(&context, data, len);
- return SHA256_End(&context, digest);
-}
-
-
-/*** SHA-512: *********************************************************/
-void SHA512_Init(SHA512_CTX* context) {
- if (context == (SHA512_CTX*)0) {
- return;
- }
- bcopy(sha512_initial_hash_value, context->state, SHA512_DIGEST_LENGTH);
- bzero(context->buffer, SHA512_BLOCK_LENGTH);
- context->bitcount[0] = context->bitcount[1] = 0;
-}
-
-#ifdef SHA2_UNROLL_TRANSFORM
-
-/* Unrolled SHA-512 round macros: */
-#if BYTE_ORDER == LITTLE_ENDIAN
-
-#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
- REVERSE64(*data++, W512[j]); \
- T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
- K512[j] + W512[j]; \
- (d) += T1, \
- (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \
- j++
-
-
-#else /* BYTE_ORDER == LITTLE_ENDIAN */
-
-#define ROUND512_0_TO_15(a,b,c,d,e,f,g,h) \
- T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
- K512[j] + (W512[j] = *data++); \
- (d) += T1; \
- (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
- j++
-
-#endif /* BYTE_ORDER == LITTLE_ENDIAN */
-
-#define ROUND512(a,b,c,d,e,f,g,h) \
- s0 = W512[(j+1)&0x0f]; \
- s0 = sigma0_512(s0); \
- s1 = W512[(j+14)&0x0f]; \
- s1 = sigma1_512(s1); \
- T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \
- (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
- (d) += T1; \
- (h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
- j++
-
-void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) {
- sha2_word64 a, b, c, d, e, f, g, h, s0, s1;
- sha2_word64 T1, *W512 = (sha2_word64*)context->buffer;
- int j;
-
- /* Initialize registers with the prev. intermediate value */
- a = context->state[0];
- b = context->state[1];
- c = context->state[2];
- d = context->state[3];
- e = context->state[4];
- f = context->state[5];
- g = context->state[6];
- h = context->state[7];
-
- j = 0;
- do {
- ROUND512_0_TO_15(a,b,c,d,e,f,g,h);
- ROUND512_0_TO_15(h,a,b,c,d,e,f,g);
- ROUND512_0_TO_15(g,h,a,b,c,d,e,f);
- ROUND512_0_TO_15(f,g,h,a,b,c,d,e);
- ROUND512_0_TO_15(e,f,g,h,a,b,c,d);
- ROUND512_0_TO_15(d,e,f,g,h,a,b,c);
- ROUND512_0_TO_15(c,d,e,f,g,h,a,b);
- ROUND512_0_TO_15(b,c,d,e,f,g,h,a);
- } while (j < 16);
-
- /* Now for the remaining rounds up to 79: */
- do {
- ROUND512(a,b,c,d,e,f,g,h);
- ROUND512(h,a,b,c,d,e,f,g);
- ROUND512(g,h,a,b,c,d,e,f);
- ROUND512(f,g,h,a,b,c,d,e);
- ROUND512(e,f,g,h,a,b,c,d);
- ROUND512(d,e,f,g,h,a,b,c);
- ROUND512(c,d,e,f,g,h,a,b);
- ROUND512(b,c,d,e,f,g,h,a);
- } while (j < 80);
-
- /* Compute the current intermediate hash value */
- context->state[0] += a;
- context->state[1] += b;
- context->state[2] += c;
- context->state[3] += d;
- context->state[4] += e;
- context->state[5] += f;
- context->state[6] += g;
- context->state[7] += h;
-
- /* Clean up */
- a = b = c = d = e = f = g = h = T1 = 0;
-}
-
-#else /* SHA2_UNROLL_TRANSFORM */
-
-void SHA512_Transform(SHA512_CTX* context, const sha2_word64* data) {
- sha2_word64 a, b, c, d, e, f, g, h, s0, s1;
- sha2_word64 T1, T2, *W512 = (sha2_word64*)context->buffer;
- int j;
-
- /* Initialize registers with the prev. intermediate value */
- a = context->state[0];
- b = context->state[1];
- c = context->state[2];
- d = context->state[3];
- e = context->state[4];
- f = context->state[5];
- g = context->state[6];
- h = context->state[7];
-
- j = 0;
- do {
-#if BYTE_ORDER == LITTLE_ENDIAN
- /* Convert TO host byte order */
- REVERSE64(*data++, W512[j]);
- /* Apply the SHA-512 compression function to update a..h */
- T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + W512[j];
-#else /* BYTE_ORDER == LITTLE_ENDIAN */
- /* Apply the SHA-512 compression function to update a..h with copy */
- T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] + (W512[j] = *data++);
-#endif /* BYTE_ORDER == LITTLE_ENDIAN */
- T2 = Sigma0_512(a) + Maj(a, b, c);
- h = g;
- g = f;
- f = e;
- e = d + T1;
- d = c;
- c = b;
- b = a;
- a = T1 + T2;
-
- j++;
- } while (j < 16);
-
- do {
- /* Part of the message block expansion: */
- s0 = W512[(j+1)&0x0f];
- s0 = sigma0_512(s0);
- s1 = W512[(j+14)&0x0f];
- s1 = sigma1_512(s1);
-
- /* Apply the SHA-512 compression function to update a..h */
- T1 = h + Sigma1_512(e) + Ch(e, f, g) + K512[j] +
- (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0);
- T2 = Sigma0_512(a) + Maj(a, b, c);
- h = g;
- g = f;
- f = e;
- e = d + T1;
- d = c;
- c = b;
- b = a;
- a = T1 + T2;
-
- j++;
- } while (j < 80);
-
- /* Compute the current intermediate hash value */
- context->state[0] += a;
- context->state[1] += b;
- context->state[2] += c;
- context->state[3] += d;
- context->state[4] += e;
- context->state[5] += f;
- context->state[6] += g;
- context->state[7] += h;
-
- /* Clean up */
- a = b = c = d = e = f = g = h = T1 = T2 = 0;
-}
-
-#endif /* SHA2_UNROLL_TRANSFORM */
-
-void SHA512_Update(SHA512_CTX* context, const sha2_byte *data, size_t len) {
- unsigned int freespace, usedspace;
-
- if (len == 0) {
- /* Calling with no data is valid - we do nothing */
- return;
- }
-
- /* Sanity check: */
- assert(context != (SHA512_CTX*)0 && data != (sha2_byte*)0);
-
- usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
- if (usedspace > 0) {
- /* Calculate how much free space is available in the buffer */
- freespace = SHA512_BLOCK_LENGTH - usedspace;
-
- if (len >= freespace) {
- /* Fill the buffer completely and process it */
- bcopy(data, &context->buffer[usedspace], freespace);
- ADDINC128(context->bitcount, freespace << 3);
- len -= freespace;
- data += freespace;
- SHA512_Transform(context, (sha2_word64*)context->buffer);
- } else {
- /* The buffer is not yet full */
- bcopy(data, &context->buffer[usedspace], len);
- ADDINC128(context->bitcount, len << 3);
- /* Clean up: */
- usedspace = freespace = 0;
- return;
- }
- }
- while (len >= SHA512_BLOCK_LENGTH) {
- /* Process as many complete blocks as we can */
- SHA512_Transform(context, (const sha2_word64*)data);
- ADDINC128(context->bitcount, SHA512_BLOCK_LENGTH << 3);
- len -= SHA512_BLOCK_LENGTH;
- data += SHA512_BLOCK_LENGTH;
- }
- if (len > 0) {
- /* There's left-overs, so save 'em */
- bcopy(data, context->buffer, len);
- ADDINC128(context->bitcount, len << 3);
- }
- /* Clean up: */
- usedspace = freespace = 0;
-}
-
-void SHA512_Last(SHA512_CTX* context) {
- unsigned int usedspace;
-
- usedspace = (context->bitcount[0] >> 3) % SHA512_BLOCK_LENGTH;
-#if BYTE_ORDER == LITTLE_ENDIAN
- /* Convert FROM host byte order */
- REVERSE64(context->bitcount[0],context->bitcount[0]);
- REVERSE64(context->bitcount[1],context->bitcount[1]);
-#endif
- if (usedspace > 0) {
- /* Begin padding with a 1 bit: */
- context->buffer[usedspace++] = 0x80;
-
- if (usedspace <= SHA512_SHORT_BLOCK_LENGTH) {
- /* Set-up for the last transform: */
- bzero(&context->buffer[usedspace], SHA512_SHORT_BLOCK_LENGTH - usedspace);
- } else {
- if (usedspace < SHA512_BLOCK_LENGTH) {
- bzero(&context->buffer[usedspace], SHA512_BLOCK_LENGTH - usedspace);
- }
- /* Do second-to-last transform: */
- SHA512_Transform(context, (sha2_word64*)context->buffer);
-
- /* And set-up for the last transform: */
- bzero(context->buffer, SHA512_BLOCK_LENGTH - 2);
- }
- } else {
- /* Prepare for final transform: */
- bzero(context->buffer, SHA512_SHORT_BLOCK_LENGTH);
-
- /* Begin padding with a 1 bit: */
- *context->buffer = 0x80;
- }
- /* Store the length of input data (in bits): */
- *(sha2_word64*)&context->buffer[SHA512_SHORT_BLOCK_LENGTH] = context->bitcount[1];
- *(sha2_word64*)&context->buffer[SHA512_SHORT_BLOCK_LENGTH+8] = context->bitcount[0];
-
- /* Final transform: */
- SHA512_Transform(context, (sha2_word64*)context->buffer);
-}
-
-void SHA512_Final(sha2_byte digest[], SHA512_CTX* context) {
- sha2_word64 *d = (sha2_word64*)digest;
-
- /* Sanity check: */
- assert(context != (SHA512_CTX*)0);
-
- /* If no digest buffer is passed, we don't bother doing this: */
- if (digest != (sha2_byte*)0) {
- SHA512_Last(context);
-
- /* Save the hash data for output: */
-#if BYTE_ORDER == LITTLE_ENDIAN
- {
- /* Convert TO host byte order */
- int j;
- for (j = 0; j < 8; j++) {
- REVERSE64(context->state[j],context->state[j]);
- *d++ = context->state[j];
- }
- }
-#else
- bcopy(context->state, d, SHA512_DIGEST_LENGTH);
-#endif
- }
-
- /* Zero out state data */
- bzero(context, sizeof(*context));
-}
-
-char *SHA512_End(SHA512_CTX* context, char buffer[]) {
- sha2_byte digest[SHA512_DIGEST_LENGTH], *d = digest;
- int i;
-
- /* Sanity check: */
- assert(context != (SHA512_CTX*)0);
-
- if (buffer != (char*)0) {
- SHA512_Final(digest, context);
-
- for (i = 0; i < SHA512_DIGEST_LENGTH; i++) {
- *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
- *buffer++ = sha2_hex_digits[*d & 0x0f];
- d++;
- }
- *buffer = (char)0;
- } else {
- bzero(context, sizeof(*context));
- }
- bzero(digest, SHA512_DIGEST_LENGTH);
- return buffer;
-}
-
-char* SHA512_Data(const sha2_byte* data, size_t len, char digest[SHA512_DIGEST_STRING_LENGTH]) {
- SHA512_CTX context;
-
- SHA512_Init(&context);
- SHA512_Update(&context, data, len);
- return SHA512_End(&context, digest);
-}
-
-
-/*** SHA-384: *********************************************************/
-void SHA384_Init(SHA384_CTX* context) {
- if (context == (SHA384_CTX*)0) {
- return;
- }
- bcopy(sha384_initial_hash_value, context->state, SHA512_DIGEST_LENGTH);
- bzero(context->buffer, SHA384_BLOCK_LENGTH);
- context->bitcount[0] = context->bitcount[1] = 0;
-}
-
-void SHA384_Update(SHA384_CTX* context, const sha2_byte* data, size_t len) {
- SHA512_Update((SHA512_CTX*)context, data, len);
-}
-
-void SHA384_Final(sha2_byte digest[], SHA384_CTX* context) {
- sha2_word64 *d = (sha2_word64*)digest;
-
- /* Sanity check: */
- assert(context != (SHA384_CTX*)0);
-
- /* If no digest buffer is passed, we don't bother doing this: */
- if (digest != (sha2_byte*)0) {
- SHA512_Last((SHA512_CTX*)context);
-
- /* Save the hash data for output: */
-#if BYTE_ORDER == LITTLE_ENDIAN
- {
- /* Convert TO host byte order */
- int j;
- for (j = 0; j < 6; j++) {
- REVERSE64(context->state[j],context->state[j]);
- *d++ = context->state[j];
- }
- }
-#else
- bcopy(context->state, d, SHA384_DIGEST_LENGTH);
-#endif
- }
-
- /* Zero out state data */
- bzero(context, sizeof(*context));
-}
-
-char *SHA384_End(SHA384_CTX* context, char buffer[]) {
- sha2_byte digest[SHA384_DIGEST_LENGTH], *d = digest;
- int i;
-
- /* Sanity check: */
- assert(context != (SHA384_CTX*)0);
-
- if (buffer != (char*)0) {
- SHA384_Final(digest, context);
-
- for (i = 0; i < SHA384_DIGEST_LENGTH; i++) {
- *buffer++ = sha2_hex_digits[(*d & 0xf0) >> 4];
- *buffer++ = sha2_hex_digits[*d & 0x0f];
- d++;
- }
- *buffer = (char)0;
- } else {
- bzero(context, sizeof(*context));
- }
- bzero(digest, SHA384_DIGEST_LENGTH);
- return buffer;
-}
-
-char* SHA384_Data(const sha2_byte* data, size_t len, char digest[SHA384_DIGEST_STRING_LENGTH]) {
- SHA384_CTX context;
-
- SHA384_Init(&context);
- SHA384_Update(&context, data, len);
- return SHA384_End(&context, digest);
-}
-
-/*glue*/
-#ifdef HAVE_EVP_097
-
-/* SHA256 */
-#define data(ctx) ((SHA256_CTX *)(ctx)->md_data)
-static int sha256_init(EVP_MD_CTX *ctx)
-{
- SHA256_Init(data(ctx));
- return 1;
-}
-static int sha256_update(EVP_MD_CTX *ctx, const void *data, unsigned long count)
-{
- SHA256_Update(data(ctx), data, count);
- return 1;
-}
-static int sha256_final(EVP_MD_CTX *ctx, unsigned char *md)
-{
- SHA256_Final(md, data(ctx));
- return 1;
-}
-#undef data
-
-/* SHA384 */
-#define data(ctx) ((SHA384_CTX *)(ctx)->md_data)
-static int sha384_init(EVP_MD_CTX *ctx)
-{
- SHA384_Init(data(ctx));
- return 1;
-}
-static int sha384_update(EVP_MD_CTX *ctx, const void *data, unsigned long count)
-{
- SHA384_Update(data(ctx), data, count);
- return 1;
-}
-static int sha384_final(EVP_MD_CTX *ctx, unsigned char *md)
-{
- SHA384_Final(md, data(ctx));
- return 1;
-}
-#undef data
-
-/* SHA512 */
-#define data(ctx) ((SHA512_CTX *)(ctx)->md_data)
-static int sha512_init(EVP_MD_CTX *ctx)
-{
- SHA512_Init(data(ctx));
- return 1;
-}
-static int sha512_update(EVP_MD_CTX *ctx, const void *data, unsigned long count)
-{
- SHA512_Update(data(ctx), data, count);
- return 1;
-}
-static int sha512_final(EVP_MD_CTX *ctx, unsigned char *md)
-{
- SHA512_Final(md, data(ctx));
- return 1;
-}
-#undef data
-#endif
-
-static struct env_md_st sha2_256_md = {
- 0, /*NID_sha1*/
- 0, /*NID_sha1WithRSAEncryption*/
- SHA256_DIGEST_LENGTH,
-#ifdef HAVE_EVP_097
- 0, /* flags */
- sha256_init,
- sha256_update,
- sha256_final,
- NULL, /* copy */
- NULL, /* cleanup */
-#else
- SHA256_Init,
- SHA256_Update,
- SHA256_Final,
-#endif
- NULL, NULL, {0, 0, 0, 0},
- SHA256_BLOCK_LENGTH,
- sizeof(struct env_md_st *) + sizeof(SHA256_CTX),
-};
-
-struct env_md_st *EVP_sha2_256(void)
-{
- return(&sha2_256_md);
-}
-
-static struct env_md_st sha2_384_md = {
- 0, /*NID_sha1*/
- 0, /*NID_sha1WithRSAEncryption*/
- SHA384_DIGEST_LENGTH,
-#ifdef HAVE_EVP_097
- 0, /* flags */
- sha384_init,
- sha384_update,
- sha384_final,
- NULL, /* copy */
- NULL, /* cleanup */
-#else
- SHA384_Init,
- SHA384_Update,
- SHA384_Final,
-#endif
- NULL, NULL, {0, 0, 0, 0},
- SHA384_BLOCK_LENGTH,
- sizeof(struct env_md_st *) + sizeof(SHA384_CTX),
-};
-
-struct env_md_st *EVP_sha2_384(void)
-{
- return(&sha2_384_md);
-}
-
-static struct env_md_st sha2_512_md = {
- 0, /*NID_sha1*/
- 0, /*NID_sha1WithRSAEncryption*/
- SHA512_DIGEST_LENGTH,
-#ifdef HAVE_EVP_097
- 0, /* flags */
- sha512_init,
- sha512_update,
- sha512_final,
- NULL, /* copy */
- NULL, /* cleanup */
-#else
- SHA512_Init,
- SHA512_Update,
- SHA512_Final,
-#endif
- NULL, NULL, {0, 0, 0, 0}, /*EVP_PKEY_RSA_method*/
- SHA512_BLOCK_LENGTH,
- sizeof(struct env_md_st *) + sizeof(SHA512_CTX),
-};
-
-struct env_md_st *EVP_sha2_512(void)
-{
- return(&sha2_512_md);
-}
diff --git a/src/racoon/missing/crypto/sha2/sha2.h b/src/racoon/missing/crypto/sha2/sha2.h
deleted file mode 100644
index 42bcc2a..0000000
--- a/src/racoon/missing/crypto/sha2/sha2.h
+++ /dev/null
@@ -1,161 +0,0 @@
-/* $NetBSD: sha2.h,v 1.4 2006/09/09 16:22:36 manu Exp $ */
-
-/* $KAME: sha2.h,v 1.2 2001/08/08 22:09:27 sakane Exp $ */
-
-/*
- * sha2.h
- *
- * Version 1.0.0beta1
- *
- * Written by Aaron D. Gifford <me@aarongifford.com>
- *
- * Copyright 2000 Aaron D. Gifford. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the copyright holder nor the names of contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR(S) OR CONTRIBUTOR(S) BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- */
-
-#ifndef __SHA2_H__
-#define __SHA2_H__
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-
-/*** SHA-256/384/512 Various Length Definitions ***********************/
-#define SHA256_BLOCK_LENGTH 64
-#define SHA256_DIGEST_LENGTH 32
-#define SHA256_DIGEST_STRING_LENGTH (SHA256_DIGEST_LENGTH * 2 + 1)
-#define SHA384_BLOCK_LENGTH 128
-#define SHA384_DIGEST_LENGTH 48
-#define SHA384_DIGEST_STRING_LENGTH (SHA384_DIGEST_LENGTH * 2 + 1)
-#define SHA512_BLOCK_LENGTH 128
-#define SHA512_DIGEST_LENGTH 64
-#define SHA512_DIGEST_STRING_LENGTH (SHA512_DIGEST_LENGTH * 2 + 1)
-
-
-/*** SHA-256/384/512 Context Structures *******************************/
-/* NOTE: If your architecture does not define either u_intXX_t types or
- * uintXX_t (from inttypes.h), you may need to define things by hand
- * for your system:
- */
-#if 0
-typedef unsigned char u_int8_t; /* 1-byte (8-bits) */
-typedef unsigned int u_int32_t; /* 4-bytes (32-bits) */
-typedef unsigned long long u_int64_t; /* 8-bytes (64-bits) */
-#endif
-
-#ifndef HAVE_SHA2_IN_SHA_H
-/*
- * Most BSD systems already define u_intXX_t types, as does Linux.
- * Some systems, however, like Compaq's Tru64 Unix instead can use
- * uintXX_t types defined by very recent ANSI C standards and included
- * in the file:
- *
- * #include <inttypes.h>
- *
- * If you choose to use <inttypes.h> then please define:
- *
- * #define SHA2_USE_INTTYPES_H
- *
- * Or on the command line during compile:
- *
- * cc -DSHA2_USE_INTTYPES_H ...
- */
-#if 0 /*def SHA2_USE_INTTYPES_H*/
-
-typedef struct _SHA256_CTX {
- uint32_t state[8];
- uint64_t bitcount;
- uint8_t buffer[SHA256_BLOCK_LENGTH];
-} SHA256_CTX;
-typedef struct _SHA512_CTX {
- uint64_t state[8];
- uint64_t bitcount[2];
- uint8_t buffer[SHA512_BLOCK_LENGTH];
-} SHA512_CTX;
-
-#else /* SHA2_USE_INTTYPES_H */
-
-typedef struct _SHA256_CTX {
- u_int32_t state[8];
- u_int64_t bitcount;
- u_int8_t buffer[SHA256_BLOCK_LENGTH];
-} SHA256_CTX;
-typedef struct _SHA512_CTX {
- u_int64_t state[8];
- u_int64_t bitcount[2];
- u_int8_t buffer[SHA512_BLOCK_LENGTH];
-} SHA512_CTX;
-
-#endif /* SHA2_USE_INTTYPES_H */
-#endif /* HAVE_SHA2_IN_SHA_H */
-
-typedef SHA512_CTX SHA384_CTX;
-
-
-/*** SHA-256/384/512 Function Prototypes ******************************/
-
-#ifndef HAVE_SHA2_IN_SHA_H
-void SHA256_Init __P((SHA256_CTX *));
-void SHA256_Update __P((SHA256_CTX*, const u_int8_t*, size_t));
-void SHA256_Final __P((u_int8_t[SHA256_DIGEST_LENGTH], SHA256_CTX*));
-#endif /* HAVE_SHA2_IN_SHA_H */
-char* SHA256_End __P((SHA256_CTX*, char[SHA256_DIGEST_STRING_LENGTH]));
-char* SHA256_Data __P((const u_int8_t*, size_t, char[SHA256_DIGEST_STRING_LENGTH]));
-
-#ifndef HAVE_SHA2_IN_SHA_H
-void SHA384_Init __P((SHA384_CTX*));
-void SHA384_Update __P((SHA384_CTX*, const u_int8_t*, size_t));
-void SHA384_Final __P((u_int8_t[SHA384_DIGEST_LENGTH], SHA384_CTX*));
-#endif /* HAVE_SHA2_IN_SHA_H */
-char* SHA384_End __P((SHA384_CTX*, char[SHA384_DIGEST_STRING_LENGTH]));
-char* SHA384_Data __P((const u_int8_t*, size_t, char[SHA384_DIGEST_STRING_LENGTH]));
-
-#ifndef HAVE_SHA2_IN_SHA_H
-void SHA512_Init __P((SHA512_CTX*));
-void SHA512_Update __P((SHA512_CTX*, const u_int8_t*, size_t));
-void SHA512_Final __P((u_int8_t[SHA512_DIGEST_LENGTH], SHA512_CTX*));
-#endif /* HAVE_SHA2_IN_SHA_H */
-char* SHA512_End __P((SHA512_CTX*, char[SHA512_DIGEST_STRING_LENGTH]));
-char* SHA512_Data __P((const u_int8_t*, size_t, char[SHA512_DIGEST_STRING_LENGTH]));
-
-struct env_md_st *EVP_sha2_256 __P((void));
-struct env_md_st *EVP_sha2_384 __P((void));
-struct env_md_st *EVP_sha2_512 __P((void));
-
-#ifdef HAVE_SHA2_IN_SHA_H
-#define EVP_sha2_256 EVP_sha256
-#define EVP_sha2_384 EVP_sha384
-#define EVP_sha2_512 EVP_sha512
-#endif
-
-#ifdef __cplusplus
-}
-#endif /* __cplusplus */
-
-#endif /* __SHA2_H__ */
-
diff --git a/src/racoon/nattraversal.c b/src/racoon/nattraversal.c
deleted file mode 100644
index 9fd4bcd..0000000
--- a/src/racoon/nattraversal.c
+++ /dev/null
@@ -1,528 +0,0 @@
-/* $NetBSD: nattraversal.c,v 1.6.6.2 2009/05/18 17:01:07 tteras Exp $ */
-
-/*
- * Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
- * Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-
-#ifdef __linux__
-#include <linux/udp.h>
-#endif
-#if defined(__NetBSD__) || defined (__FreeBSD__)
-#include <netinet/udp.h>
-#endif
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#include <ctype.h>
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "debug.h"
-
-#include "localconf.h"
-#include "remoteconf.h"
-#include "sockmisc.h"
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "oakley.h"
-#include "ipsec_doi.h"
-#include "vendorid.h"
-#include "handler.h"
-#include "crypto_openssl.h"
-#include "schedule.h"
-#include "nattraversal.h"
-#include "grabmyaddr.h"
-
-struct natt_ka_addrs {
- struct sockaddr *src;
- struct sockaddr *dst;
- unsigned in_use;
-
- TAILQ_ENTRY(natt_ka_addrs) chain;
-};
-
-static TAILQ_HEAD(_natt_ka_addrs, natt_ka_addrs) ka_tree;
-
-/*
- * check if the given vid is NAT-T.
- */
-int
-natt_vendorid (int vid)
-{
- return (
-#ifdef ENABLE_NATT_00
- vid == VENDORID_NATT_00 ||
-#endif
-#ifdef ENABLE_NATT_01
- vid == VENDORID_NATT_01 ||
-#endif
-#ifdef ENABLE_NATT_02
- vid == VENDORID_NATT_02 ||
- vid == VENDORID_NATT_02_N ||
-#endif
-#ifdef ENABLE_NATT_03
- vid == VENDORID_NATT_03 ||
-#endif
-#ifdef ENABLE_NATT_04
- vid == VENDORID_NATT_04 ||
-#endif
-#ifdef ENABLE_NATT_05
- vid == VENDORID_NATT_05 ||
-#endif
-#ifdef ENABLE_NATT_06
- vid == VENDORID_NATT_06 ||
-#endif
-#ifdef ENABLE_NATT_07
- vid == VENDORID_NATT_07 ||
-#endif
-#ifdef ENABLE_NATT_08
- vid == VENDORID_NATT_08 ||
-#endif
- /* Always enable NATT RFC if ENABLE_NATT
- */
- vid == VENDORID_NATT_RFC);
-}
-
-vchar_t *
-natt_hash_addr (struct ph1handle *iph1, struct sockaddr *addr)
-{
- vchar_t *natd;
- vchar_t *buf;
- char *ptr;
- void *addr_ptr, *addr_port;
- size_t buf_size, addr_size;
-
- plog (LLV_INFO, LOCATION, addr, "Hashing %s with algo #%d %s\n",
- saddr2str(addr), iph1->approval->hashtype,
- (iph1->rmconf->nat_traversal == NATT_FORCE)?"(NAT-T forced)":"");
-
- if (addr->sa_family == AF_INET) {
- addr_size = sizeof (struct in_addr); /* IPv4 address */
- addr_ptr = &((struct sockaddr_in *)addr)->sin_addr;
- addr_port = &((struct sockaddr_in *)addr)->sin_port;
- }
- else if (addr->sa_family == AF_INET6) {
- addr_size = sizeof (struct in6_addr); /* IPv6 address */
- addr_ptr = &((struct sockaddr_in6 *)addr)->sin6_addr;
- addr_port = &((struct sockaddr_in6 *)addr)->sin6_port;
- }
- else {
- plog (LLV_ERROR, LOCATION, addr, "Unsupported address family #0x%x\n", addr->sa_family);
- return NULL;
- }
-
- buf_size = 2 * sizeof (cookie_t); /* CKY-I + CKY+R */
- buf_size += addr_size + 2; /* Address + Port */
-
- if ((buf = vmalloc (buf_size)) == NULL)
- return NULL;
-
- ptr = buf->v;
-
- /* Copy-in CKY-I */
- memcpy (ptr, iph1->index.i_ck, sizeof (cookie_t));
- ptr += sizeof (cookie_t);
-
- /* Copy-in CKY-I */
- memcpy (ptr, iph1->index.r_ck, sizeof (cookie_t));
- ptr += sizeof (cookie_t);
-
- /* Copy-in Address (or zeroes if NATT_FORCE) */
- if (iph1->rmconf->nat_traversal == NATT_FORCE)
- memset (ptr, 0, addr_size);
- else
- memcpy (ptr, addr_ptr, addr_size);
- ptr += addr_size;
-
- /* Copy-in Port number */
- memcpy (ptr, addr_port, 2);
-
- natd = oakley_hash (buf, iph1);
- vfree(buf);
-
- return natd;
-}
-
-int
-natt_compare_addr_hash (struct ph1handle *iph1, vchar_t *natd_received,
- int natd_seq)
-{
- vchar_t *natd_computed;
- u_int32_t flag;
- int verified = 0;
-
- if (iph1->rmconf->nat_traversal == NATT_FORCE)
- return verified;
-
- if (natd_seq == 0) {
- natd_computed = natt_hash_addr (iph1, iph1->local);
- flag = NAT_DETECTED_ME;
- }
- else {
- natd_computed = natt_hash_addr (iph1, iph1->remote);
- flag = NAT_DETECTED_PEER;
- }
-
- if (natd_computed == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "natd_computed allocation failed\n");
- return verified; /* XXX should abort */
- }
-
- if (natd_received->l == natd_computed->l &&
- memcmp (natd_received->v, natd_computed->v, natd_received->l) == 0) {
- iph1->natt_flags &= ~flag;
- verified = 1;
- }
-
- vfree (natd_computed);
-
- return verified;
-}
-
-int
-natt_udp_encap (int encmode)
-{
- return (encmode == IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC ||
- encmode == IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC ||
- encmode == IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT ||
- encmode == IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT);
-}
-
-int
-natt_fill_options (struct ph1natt_options *opts, int version)
-{
- if (! opts)
- return -1;
-
- opts->version = version;
-
- switch (version) {
- case VENDORID_NATT_00:
- case VENDORID_NATT_01:
- opts->float_port = 0; /* No port floating for those drafts */
- opts->payload_nat_d = ISAKMP_NPTYPE_NATD_DRAFT;
- opts->payload_nat_oa = ISAKMP_NPTYPE_NATOA_DRAFT;
- opts->mode_udp_tunnel = IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT;
- opts->mode_udp_transport = IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT;
- opts->encaps_type = UDP_ENCAP_ESPINUDP_NON_IKE;
- break;
-
- case VENDORID_NATT_02:
- case VENDORID_NATT_02_N:
- case VENDORID_NATT_03:
- opts->float_port = lcconf->port_isakmp_natt;
- opts->payload_nat_d = ISAKMP_NPTYPE_NATD_DRAFT;
- opts->payload_nat_oa = ISAKMP_NPTYPE_NATOA_DRAFT;
- opts->mode_udp_tunnel = IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT;
- opts->mode_udp_transport = IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT;
- opts->encaps_type = UDP_ENCAP_ESPINUDP;
- break;
- case VENDORID_NATT_04:
- case VENDORID_NATT_05:
- case VENDORID_NATT_06:
- case VENDORID_NATT_07:
- case VENDORID_NATT_08:
- opts->float_port = lcconf->port_isakmp_natt;
- opts->payload_nat_d = ISAKMP_NPTYPE_NATD_BADDRAFT;
- opts->payload_nat_oa = ISAKMP_NPTYPE_NATOA_BADDRAFT;
- opts->mode_udp_tunnel = IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC;
- opts->mode_udp_transport = IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC;
- opts->encaps_type = UDP_ENCAP_ESPINUDP;
- break;
- case VENDORID_NATT_RFC:
- opts->float_port = lcconf->port_isakmp_natt;
- opts->payload_nat_d = ISAKMP_NPTYPE_NATD_RFC;
- opts->payload_nat_oa = ISAKMP_NPTYPE_NATOA_RFC;
- opts->mode_udp_tunnel = IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC;
- opts->mode_udp_transport = IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC;
- opts->encaps_type = UDP_ENCAP_ESPINUDP;
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "unsupported NAT-T version: %s\n",
- vid_string_by_id(version));
- return -1;
- }
-
- opts->mode_udp_diff = opts->mode_udp_tunnel - IPSECDOI_ATTR_ENC_MODE_TUNNEL;
-
- return 0;
-}
-
-void
-natt_float_ports (struct ph1handle *iph1)
-{
- if (! (iph1->natt_flags & NAT_DETECTED) )
- return;
- if (! iph1->natt_options->float_port){
- /* Drafts 00 / 01, just schedule keepalive */
- natt_keepalive_add_ph1 (iph1);
- return;
- }
-
- set_port (iph1->local, iph1->natt_options->float_port);
- set_port (iph1->remote, iph1->natt_options->float_port);
- iph1->natt_flags |= NAT_PORTS_CHANGED | NAT_ADD_NON_ESP_MARKER;
-
- natt_keepalive_add_ph1 (iph1);
-}
-
-void
-natt_handle_vendorid (struct ph1handle *iph1, int vid_numeric)
-{
- if (! iph1->natt_options)
- iph1->natt_options = racoon_calloc (1, sizeof (*iph1->natt_options));
-
- if (! iph1->natt_options) {
- plog (LLV_ERROR, LOCATION, NULL,
- "Allocating memory for natt_options failed!\n");
- return;
- }
-
- if (iph1->natt_options->version < vid_numeric)
- if (natt_fill_options (iph1->natt_options, vid_numeric) == 0)
- iph1->natt_flags |= NAT_ANNOUNCED;
-}
-
-static void
-natt_keepalive_delete (struct natt_ka_addrs *ka)
-{
- TAILQ_REMOVE (&ka_tree, ka, chain);
- racoon_free (ka->src);
- racoon_free (ka->dst);
- racoon_free (ka);
-}
-
-/* NAT keepalive functions */
-static void
-natt_keepalive_send (void *param)
-{
- struct natt_ka_addrs *ka, *next = NULL;
- char keepalive_packet[] = { 0xff };
- size_t len;
- int s;
-
- for (ka = TAILQ_FIRST(&ka_tree); ka; ka = next) {
- next = TAILQ_NEXT(ka, chain);
-
- s = getsockmyaddr(ka->src);
- if (s == -1) {
- natt_keepalive_delete(ka);
- continue;
- }
- plog (LLV_DEBUG, LOCATION, NULL, "KA: %s\n",
- saddr2str_fromto("%s->%s", ka->src, ka->dst));
- len = sendfromto(s, keepalive_packet, sizeof (keepalive_packet),
- ka->src, ka->dst, 1);
- if (len == -1)
- plog(LLV_ERROR, LOCATION, NULL, "KA: sendfromto failed: %s\n",
- strerror (errno));
- }
-
- sched_new (lcconf->natt_ka_interval, natt_keepalive_send, NULL);
-}
-
-void
-natt_keepalive_init (void)
-{
- TAILQ_INIT(&ka_tree);
-
- /* To disable sending KAs set natt_ka_interval=0 */
- if (lcconf->natt_ka_interval > 0)
- sched_new (lcconf->natt_ka_interval, natt_keepalive_send, NULL);
-}
-
-int
-natt_keepalive_add (struct sockaddr *src, struct sockaddr *dst)
-{
- struct natt_ka_addrs *ka = NULL, *new_addr;
-
- TAILQ_FOREACH (ka, &ka_tree, chain) {
- if (cmpsaddrstrict(ka->src, src) == 0 &&
- cmpsaddrstrict(ka->dst, dst) == 0) {
- ka->in_use++;
- plog (LLV_INFO, LOCATION, NULL, "KA found: %s (in_use=%u)\n",
- saddr2str_fromto("%s->%s", src, dst), ka->in_use);
- return 0;
- }
- }
-
- plog (LLV_INFO, LOCATION, NULL, "KA list add: %s\n", saddr2str_fromto("%s->%s", src, dst));
-
- new_addr = (struct natt_ka_addrs *)racoon_malloc(sizeof(*new_addr));
- if (! new_addr) {
- plog (LLV_ERROR, LOCATION, NULL, "Can't allocate new KA list item\n");
- return -1;
- }
-
- if ((new_addr->src = dupsaddr(src)) == NULL) {
- racoon_free(new_addr);
- plog (LLV_ERROR, LOCATION, NULL, "Can't allocate new KA list item\n");
- return -1;
- }
- if ((new_addr->dst = dupsaddr(dst)) == NULL) {
- racoon_free(new_addr);
- plog (LLV_ERROR, LOCATION, NULL, "Can't allocate new KA list item\n");
- return -1;
- }
- new_addr->in_use = 1;
- TAILQ_INSERT_TAIL(&ka_tree, new_addr, chain);
-
- return 0;
-}
-
-int
-natt_keepalive_add_ph1 (struct ph1handle *iph1)
-{
- int ret = 0;
-
- /* Should only the NATed host send keepalives?
- If yes, add '(iph1->natt_flags & NAT_DETECTED_ME)'
- to the following condition. */
- if (iph1->natt_flags & NAT_DETECTED &&
- ! (iph1->natt_flags & NAT_KA_QUEUED)) {
- ret = natt_keepalive_add (iph1->local, iph1->remote);
- if (ret == 0)
- iph1->natt_flags |= NAT_KA_QUEUED;
- }
-
- return ret;
-}
-
-void
-natt_keepalive_remove (struct sockaddr *src, struct sockaddr *dst)
-{
- struct natt_ka_addrs *ka, *next = NULL;
-
- plog (LLV_INFO, LOCATION, NULL, "KA remove: %s\n", saddr2str_fromto("%s->%s", src, dst));
-
- for (ka = TAILQ_FIRST(&ka_tree); ka; ka = next) {
- next = TAILQ_NEXT(ka, chain);
-
- plog (LLV_DEBUG, LOCATION, NULL, "KA tree dump: %s (in_use=%u)\n",
- saddr2str_fromto("%s->%s", src, dst), ka->in_use);
-
- if (cmpsaddrstrict(ka->src, src) == 0 &&
- cmpsaddrstrict(ka->dst, dst) == 0 &&
- -- ka->in_use <= 0) {
-
- plog (LLV_DEBUG, LOCATION, NULL, "KA removing this one...\n");
-
- natt_keepalive_delete (ka);
- /* Should we break here? Every pair of addresses should
- be inserted only once, but who knows :-) Lets traverse
- the whole list... */
- }
- }
-}
-
-static struct remoteconf *
-natt_enabled_in_rmconf_stub (struct remoteconf *rmconf, void *data)
-{
- return (rmconf->nat_traversal ? rmconf : NULL);
-}
-
-int
-natt_enabled_in_rmconf ()
-{
- return foreachrmconf (natt_enabled_in_rmconf_stub, NULL) != NULL;
-}
-
-
-struct payload_list *
-isakmp_plist_append_natt_vids (struct payload_list *plist, vchar_t *vid_natt[MAX_NATT_VID_COUNT]){
- int i, vid_natt_i = 0;
-
- if(vid_natt == NULL)
- return NULL;
-
- for (i = 0; i < MAX_NATT_VID_COUNT; i++)
- vid_natt[i]=NULL;
-
- /* Puts the olders VIDs last, as some implementations may choose the first
- * NATT VID given
- */
-
- /* Always set RFC VID
- */
- if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_RFC)) != NULL)
- vid_natt_i++;
-#ifdef ENABLE_NATT_08
- if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_08)) != NULL)
- vid_natt_i++;
-#endif
-#ifdef ENABLE_NATT_07
- if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_07)) != NULL)
- vid_natt_i++;
-#endif
-#ifdef ENABLE_NATT_06
- if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_06)) != NULL)
- vid_natt_i++;
-#endif
-#ifdef ENABLE_NATT_05
- if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_05)) != NULL)
- vid_natt_i++;
-#endif
-#ifdef ENABLE_NATT_04
- if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_04)) != NULL)
- vid_natt_i++;
-#endif
-#ifdef ENABLE_NATT_03
- if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_03)) != NULL)
- vid_natt_i++;
-#endif
-#ifdef ENABLE_NATT_02
- if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_02)) != NULL)
- vid_natt_i++;
- if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_02_N)) != NULL)
- vid_natt_i++;
-#endif
-#ifdef ENABLE_NATT_01
- if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_01)) != NULL)
- vid_natt_i++;
-#endif
-#ifdef ENABLE_NATT_00
- if ((vid_natt[vid_natt_i] = set_vendorid(VENDORID_NATT_00)) != NULL)
- vid_natt_i++;
-#endif
- /* set VID payload for NAT-T */
- for (i = 0; i < vid_natt_i; i++)
- plist = isakmp_plist_append(plist, vid_natt[i], ISAKMP_NPTYPE_VID);
-
- return plist;
-}
diff --git a/src/racoon/nattraversal.h b/src/racoon/nattraversal.h
deleted file mode 100644
index cec5815..0000000
--- a/src/racoon/nattraversal.h
+++ /dev/null
@@ -1,99 +0,0 @@
-/* $NetBSD: nattraversal.h,v 1.6 2006/09/09 16:22:09 manu Exp $ */
-
-/*
- * Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
- * Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _NATTRAVERSAL_H
-#define _NATTRAVERSAL_H
-
-#include "vendorid.h"
-
-#define NAT_ANNOUNCED (1L<<0)
-#define NAT_DETECTED_ME (1L<<1)
-#define NAT_DETECTED_PEER (1L<<2)
-#define NAT_PORTS_CHANGED (1L<<3)
-#define NAT_KA_QUEUED (1L<<4)
-#define NAT_ADD_NON_ESP_MARKER (1L<<5)
-
-#define NATT_AVAILABLE(ph1) ((iph1)->natt_flags & NAT_ANNOUNCED)
-
-#define NAT_DETECTED (NAT_DETECTED_ME | NAT_DETECTED_PEER)
-
-#define NON_ESP_MARKER_LEN sizeof(u_int32_t)
-#define NON_ESP_MARKER_USE(iph1) ((iph1)->natt_flags & NAT_ADD_NON_ESP_MARKER)
-
-/* These are the values from parsing "remote {}"
- block of the config file. */
-#define NATT_OFF FLASE /* = 0 */
-#define NATT_ON TRUE /* = 1 */
-#define NATT_FORCE 2
-
-struct ph1natt_options {
- int version;
- u_int16_t float_port;
- u_int16_t mode_udp_tunnel;
- u_int16_t mode_udp_transport;
- u_int16_t encaps_type; /* ESPINUDP / ESPINUDP_NON_IKE */
- u_int16_t mode_udp_diff;
- u_int16_t payload_nat_d;
- u_int16_t payload_nat_oa;
-};
-
-struct ph2natt {
- u_int8_t type;
- u_int16_t sport;
- u_int16_t dport;
- struct sockaddr *oa;
- u_int16_t frag;
-};
-
-int natt_vendorid (int vid);
-vchar_t *natt_hash_addr (struct ph1handle *iph1, struct sockaddr *addr);
-int natt_compare_addr_hash (struct ph1handle *iph1, vchar_t *natd_received, int natd_seq);
-int natt_udp_encap (int encmode);
-int natt_fill_options (struct ph1natt_options *opts, int version);
-void natt_float_ports (struct ph1handle *iph1);
-void natt_handle_vendorid (struct ph1handle *iph1, int vid_numeric);
-
-
-struct payload_list *
-isakmp_plist_append_natt_vids (struct payload_list *plist, vchar_t *vid_natt[MAX_NATT_VID_COUNT]);
-
-
-/* NAT keepalive functions */
-void natt_keepalive_init (void);
-int natt_keepalive_add (struct sockaddr *src, struct sockaddr *dst);
-int natt_keepalive_add_ph1 (struct ph1handle *iph1);
-void natt_keepalive_remove (struct sockaddr *src, struct sockaddr *dst);
-
-/* Walk through all rmconfigs and tell if NAT-T is enabled in at least one. */
-int natt_enabled_in_rmconf (void);
-
-#endif /* _NATTRAVERSAL_H */
diff --git a/src/racoon/netdb_dnssec.h b/src/racoon/netdb_dnssec.h
deleted file mode 100644
index a11209d..0000000
--- a/src/racoon/netdb_dnssec.h
+++ /dev/null
@@ -1,74 +0,0 @@
-/* $NetBSD: netdb_dnssec.h,v 1.4 2006/09/09 16:22:09 manu Exp $ */
-
-/* Id: netdb_dnssec.h,v 1.3 2004/06/11 16:00:17 ludvigm Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _NETDB_DNSSEC_H
-#define _NETDB_DNSSEC_H
-
-#ifndef T_CERT
-#define T_CERT 37 /* defined by RFC2538 section 2 */
-#endif
-
-/* RFC2538 section 2.1 */
-#define DNSSEC_TYPE_PKIX 1
-#define DNSSEC_TYPE_SPKI 2
-#define DNSSEC_TYPE_PGP 3
-#define DNSSEC_TYPE_URI 4
-#define DNSSEC_TYPE_OID 5
-
-/* RFC2535 section 3.2 */
-#define DNSSEC_ALG_RSAMD5 1
-#define DNSSEC_ALG_DH 2
-#define DNSSEC_ALG_DSA 3
-#define DNSSEC_ALG_ECC 4
-#define DNSSEC_ALG_PRIVATEDNS 5
-#define DNSSEC_ALG_PRIVATEOID 6
-
-/*
- * Structures returned by network data base library. All addresses are
- * supplied in host order, and returned in network order (suitable for
- * use in system calls).
- */
-struct certinfo {
- int ci_type; /* certificate type */
- int ci_keytag; /* keytag */
- int ci_algorithm; /* algorithm */
- int ci_flags; /* currently, 1:valid or 0:uncertain */
- size_t ci_certlen; /* length of certificate */
- char *ci_cert; /* certificate */
- struct certinfo *ci_next; /* next structure */
-};
-
-extern void freecertinfo __P((struct certinfo *));
-extern int getcertsbyname __P((char *, struct certinfo **));
-
-#endif /* _NETDB_DNSSEC_H */
diff --git a/src/racoon/oakley.c b/src/racoon/oakley.c
deleted file mode 100644
index 5b6ad46..0000000
--- a/src/racoon/oakley.c
+++ /dev/null
@@ -1,3429 +0,0 @@
-/* $NetBSD: oakley.c,v 1.9.6.4 2009/08/13 09:18:45 vanhu Exp $ */
-
-/* Id: oakley.c,v 1.32 2006/05/26 12:19:46 manubsd Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h> /* XXX for subjectaltname */
-#include <netinet/in.h> /* XXX for subjectaltname */
-
-#include <openssl/x509.h>
-#include <openssl/err.h>
-
-#if !defined(OPENSSL_IS_BORINGSSL)
-#include <openssl/engine.h>
-#include <openssl/pkcs7.h>
-#else
-#include <openssl/bytestring.h>
-#endif
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-
-#if TIME_WITH_SYS_TIME
-# include <sys/time.h>
-# include <time.h>
-#else
-# if HAVE_SYS_TIME_H
-# include <sys/time.h>
-# else
-# include <time.h>
-# endif
-#endif
-#ifdef ENABLE_HYBRID
-#include <resolv.h>
-#endif
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "str2val.h"
-#include "plog.h"
-#include "debug.h"
-
-#include "isakmp_var.h"
-#include "isakmp.h"
-#ifdef ENABLE_HYBRID
-#include "isakmp_xauth.h"
-#include "isakmp_cfg.h"
-#endif
-#include "oakley.h"
-#include "admin.h"
-#include "privsep.h"
-#include "localconf.h"
-#include "remoteconf.h"
-#include "policy.h"
-#include "handler.h"
-#include "ipsec_doi.h"
-#include "algorithm.h"
-#include "dhgroup.h"
-#include "sainfo.h"
-#include "proposal.h"
-#include "crypto_openssl.h"
-#include "dnssec.h"
-#include "sockmisc.h"
-#include "strnames.h"
-#include "gcmalloc.h"
-#include "rsalist.h"
-
-#ifdef HAVE_GSSAPI
-#include "gssapi.h"
-#endif
-
-#define OUTBOUND_SA 0
-#define INBOUND_SA 1
-
-#define INITDHVAL(a, s, d, t) \
-do { \
- vchar_t buf; \
- buf.v = str2val((s), 16, &buf.l); \
- memset(&a, 0, sizeof(struct dhgroup)); \
- a.type = (t); \
- a.prime = vdup(&buf); \
- a.gen1 = 2; \
- a.gen2 = 0; \
- racoon_free(buf.v); \
-} while(0);
-
-struct dhgroup dh_modp768;
-struct dhgroup dh_modp1024;
-struct dhgroup dh_modp1536;
-struct dhgroup dh_modp2048;
-struct dhgroup dh_modp3072;
-struct dhgroup dh_modp4096;
-struct dhgroup dh_modp6144;
-struct dhgroup dh_modp8192;
-
-
-static int oakley_check_dh_pub __P((vchar_t *, vchar_t **));
-static int oakley_compute_keymat_x __P((struct ph2handle *, int, int));
-static int get_cert_fromlocal __P((struct ph1handle *, int));
-static int get_plainrsa_fromlocal __P((struct ph1handle *, int));
-static int oakley_check_certid __P((struct ph1handle *iph1));
-static int check_typeofcertname __P((int, int));
-static cert_t *save_certbuf __P((struct isakmp_gen *));
-static cert_t *save_certx509 __P((X509 *));
-static int oakley_padlen __P((int, int));
-
-int
-oakley_get_defaultlifetime()
-{
- return OAKLEY_ATTR_SA_LD_SEC_DEFAULT;
-}
-
-int
-oakley_dhinit()
-{
- /* set DH MODP */
- INITDHVAL(dh_modp768, OAKLEY_PRIME_MODP768,
- OAKLEY_ATTR_GRP_DESC_MODP768, OAKLEY_ATTR_GRP_TYPE_MODP);
- INITDHVAL(dh_modp1024, OAKLEY_PRIME_MODP1024,
- OAKLEY_ATTR_GRP_DESC_MODP1024, OAKLEY_ATTR_GRP_TYPE_MODP);
- INITDHVAL(dh_modp1536, OAKLEY_PRIME_MODP1536,
- OAKLEY_ATTR_GRP_DESC_MODP1536, OAKLEY_ATTR_GRP_TYPE_MODP);
- INITDHVAL(dh_modp2048, OAKLEY_PRIME_MODP2048,
- OAKLEY_ATTR_GRP_DESC_MODP2048, OAKLEY_ATTR_GRP_TYPE_MODP);
- INITDHVAL(dh_modp3072, OAKLEY_PRIME_MODP3072,
- OAKLEY_ATTR_GRP_DESC_MODP3072, OAKLEY_ATTR_GRP_TYPE_MODP);
- INITDHVAL(dh_modp4096, OAKLEY_PRIME_MODP4096,
- OAKLEY_ATTR_GRP_DESC_MODP4096, OAKLEY_ATTR_GRP_TYPE_MODP);
- INITDHVAL(dh_modp6144, OAKLEY_PRIME_MODP6144,
- OAKLEY_ATTR_GRP_DESC_MODP6144, OAKLEY_ATTR_GRP_TYPE_MODP);
- INITDHVAL(dh_modp8192, OAKLEY_PRIME_MODP8192,
- OAKLEY_ATTR_GRP_DESC_MODP8192, OAKLEY_ATTR_GRP_TYPE_MODP);
-
- return 0;
-}
-
-void
-oakley_dhgrp_free(dhgrp)
- struct dhgroup *dhgrp;
-{
- if (dhgrp->prime)
- vfree(dhgrp->prime);
- if (dhgrp->curve_a)
- vfree(dhgrp->curve_a);
- if (dhgrp->curve_b)
- vfree(dhgrp->curve_b);
- if (dhgrp->order)
- vfree(dhgrp->order);
- racoon_free(dhgrp);
-}
-
-/*
- * RFC2409 5
- * The length of the Diffie-Hellman public value MUST be equal to the
- * length of the prime modulus over which the exponentiation was
- * performed, prepending zero bits to the value if necessary.
- */
-static int
-oakley_check_dh_pub(prime, pub0)
- vchar_t *prime, **pub0;
-{
- vchar_t *tmp;
- vchar_t *pub = *pub0;
-
- if (prime->l == pub->l)
- return 0;
-
- if (prime->l < pub->l) {
- /* what should i do ? */
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid public information was generated.\n");
- return -1;
- }
-
- /* prime->l > pub->l */
- tmp = vmalloc(prime->l);
- if (tmp == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get DH buffer.\n");
- return -1;
- }
- memcpy(tmp->v + prime->l - pub->l, pub->v, pub->l);
-
- vfree(*pub0);
- *pub0 = tmp;
-
- return 0;
-}
-
-/*
- * compute sharing secret of DH
- * IN: *dh, *pub, *priv, *pub_p
- * OUT: **gxy
- */
-int
-oakley_dh_compute(dh, pub, priv, pub_p, gxy)
- const struct dhgroup *dh;
- vchar_t *pub, *priv, *pub_p, **gxy;
-{
-#ifdef ENABLE_STATS
- struct timeval start, end;
-#endif
- if ((*gxy = vmalloc(dh->prime->l)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get DH buffer.\n");
- return -1;
- }
-
-#ifdef ENABLE_STATS
- gettimeofday(&start, NULL);
-#endif
- switch (dh->type) {
- case OAKLEY_ATTR_GRP_TYPE_MODP:
- if (eay_dh_compute(dh->prime, dh->gen1, pub, priv, pub_p, gxy) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to compute dh value.\n");
- return -1;
- }
- break;
- case OAKLEY_ATTR_GRP_TYPE_ECP:
- case OAKLEY_ATTR_GRP_TYPE_EC2N:
- plog(LLV_ERROR, LOCATION, NULL,
- "dh type %d isn't supported.\n", dh->type);
- return -1;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid dh type %d.\n", dh->type);
- return -1;
- }
-
-#ifdef ENABLE_STATS
- gettimeofday(&end, NULL);
- syslog(LOG_NOTICE, "%s(%s%zu): %8.6f", __func__,
- s_attr_isakmp_group(dh->type), dh->prime->l << 3,
- timedelta(&start, &end));
-#endif
-
- plog(LLV_DEBUG, LOCATION, NULL, "compute DH's shared.\n");
- plogdump(LLV_DEBUG, (*gxy)->v, (*gxy)->l);
-
- return 0;
-}
-
-/*
- * generate values of DH
- * IN: *dh
- * OUT: **pub, **priv
- */
-int
-oakley_dh_generate(dh, pub, priv)
- const struct dhgroup *dh;
- vchar_t **pub, **priv;
-{
-#ifdef ENABLE_STATS
- struct timeval start, end;
- gettimeofday(&start, NULL);
-#endif
- switch (dh->type) {
- case OAKLEY_ATTR_GRP_TYPE_MODP:
- if (eay_dh_generate(dh->prime, dh->gen1, dh->gen2, pub, priv) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to compute dh value.\n");
- return -1;
- }
- break;
-
- case OAKLEY_ATTR_GRP_TYPE_ECP:
- case OAKLEY_ATTR_GRP_TYPE_EC2N:
- plog(LLV_ERROR, LOCATION, NULL,
- "dh type %d isn't supported.\n", dh->type);
- return -1;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid dh type %d.\n", dh->type);
- return -1;
- }
-
-#ifdef ENABLE_STATS
- gettimeofday(&end, NULL);
- syslog(LOG_NOTICE, "%s(%s%zu): %8.6f", __func__,
- s_attr_isakmp_group(dh->type), dh->prime->l << 3,
- timedelta(&start, &end));
-#endif
-
- if (oakley_check_dh_pub(dh->prime, pub) != 0)
- return -1;
-
- plog(LLV_DEBUG, LOCATION, NULL, "compute DH's private.\n");
- plogdump(LLV_DEBUG, (*priv)->v, (*priv)->l);
- plog(LLV_DEBUG, LOCATION, NULL, "compute DH's public.\n");
- plogdump(LLV_DEBUG, (*pub)->v, (*pub)->l);
-
- return 0;
-}
-
-/*
- * copy pre-defined dhgroup values.
- */
-int
-oakley_setdhgroup(group, dhgrp)
- int group;
- struct dhgroup **dhgrp;
-{
- struct dhgroup *g;
-
- *dhgrp = NULL; /* just make sure, initialize */
-
- g = alg_oakley_dhdef_group(group);
- if (g == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid DH parameter grp=%d.\n", group);
- return -1;
- }
-
- if (!g->type || !g->prime || !g->gen1) {
- /* unsuported */
- plog(LLV_ERROR, LOCATION, NULL,
- "unsupported DH parameters grp=%d.\n", group);
- return -1;
- }
-
- *dhgrp = racoon_calloc(1, sizeof(struct dhgroup));
- if (*dhgrp == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get DH buffer.\n");
- return 0;
- }
-
- /* set defined dh vlaues */
- memcpy(*dhgrp, g, sizeof(*g));
- (*dhgrp)->prime = vdup(g->prime);
-
- return 0;
-}
-
-/*
- * PRF
- *
- * NOTE: we do not support prf with different input/output bitwidth,
- * so we do not implement RFC2409 Appendix B (DOORAK-MAC example) in
- * oakley_compute_keymat(). If you add support for such prf function,
- * modify oakley_compute_keymat() accordingly.
- */
-vchar_t *
-oakley_prf(key, buf, iph1)
- vchar_t *key, *buf;
- struct ph1handle *iph1;
-{
- vchar_t *res = NULL;
- int type;
-
- if (iph1->approval == NULL) {
- /*
- * it's before negotiating hash algorithm.
- * We use md5 as default.
- */
- type = OAKLEY_ATTR_HASH_ALG_MD5;
- } else
- type = iph1->approval->hashtype;
-
- res = alg_oakley_hmacdef_one(type, key, buf);
- if (res == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid hmac algorithm %d.\n", type);
- return NULL;
- }
-
- return res;
-}
-
-/*
- * hash
- */
-vchar_t *
-oakley_hash(buf, iph1)
- vchar_t *buf;
- struct ph1handle *iph1;
-{
- vchar_t *res = NULL;
- int type;
-
- if (iph1->approval == NULL) {
- /*
- * it's before negotiating hash algorithm.
- * We use md5 as default.
- */
- type = OAKLEY_ATTR_HASH_ALG_MD5;
- } else
- type = iph1->approval->hashtype;
-
- res = alg_oakley_hashdef_one(type, buf);
- if (res == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid hash algoriym %d.\n", type);
- return NULL;
- }
-
- return res;
-}
-
-/*
- * compute KEYMAT
- * see seciton 5.5 Phase 2 - Quick Mode in isakmp-oakley-05.
- */
-int
-oakley_compute_keymat(iph2, side)
- struct ph2handle *iph2;
- int side;
-{
- int error = -1;
-
- /* compute sharing secret of DH when PFS */
- if (iph2->approval->pfs_group && iph2->dhpub_p) {
- if (oakley_dh_compute(iph2->pfsgrp, iph2->dhpub,
- iph2->dhpriv, iph2->dhpub_p, &iph2->dhgxy) < 0)
- goto end;
- }
-
- /* compute keymat */
- if (oakley_compute_keymat_x(iph2, side, INBOUND_SA) < 0
- || oakley_compute_keymat_x(iph2, side, OUTBOUND_SA) < 0)
- goto end;
-
- plog(LLV_DEBUG, LOCATION, NULL, "KEYMAT computed.\n");
-
- error = 0;
-
-end:
- return error;
-}
-
-/*
- * compute KEYMAT.
- * KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b).
- * If PFS is desired and KE payloads were exchanged,
- * KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
- *
- * NOTE: we do not support prf with different input/output bitwidth,
- * so we do not implement RFC2409 Appendix B (DOORAK-MAC example).
- */
-static int
-oakley_compute_keymat_x(iph2, side, sa_dir)
- struct ph2handle *iph2;
- int side;
- int sa_dir;
-{
- vchar_t *buf = NULL, *res = NULL, *bp;
- char *p;
- int len;
- int error = -1;
- int pfs = 0;
- int dupkeymat; /* generate K[1-dupkeymat] */
- struct saproto *pr;
- struct satrns *tr;
- int encklen, authklen, l;
-
- pfs = ((iph2->approval->pfs_group && iph2->dhgxy) ? 1 : 0);
-
- len = pfs ? iph2->dhgxy->l : 0;
- len += (1
- + sizeof(u_int32_t) /* XXX SPI size */
- + iph2->nonce->l
- + iph2->nonce_p->l);
- buf = vmalloc(len);
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get keymat buffer.\n");
- goto end;
- }
-
- for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
- p = buf->v;
-
- /* if PFS */
- if (pfs) {
- memcpy(p, iph2->dhgxy->v, iph2->dhgxy->l);
- p += iph2->dhgxy->l;
- }
-
- p[0] = pr->proto_id;
- p += 1;
-
- memcpy(p, (sa_dir == INBOUND_SA ? &pr->spi : &pr->spi_p),
- sizeof(pr->spi));
- p += sizeof(pr->spi);
-
- bp = (side == INITIATOR ? iph2->nonce : iph2->nonce_p);
- memcpy(p, bp->v, bp->l);
- p += bp->l;
-
- bp = (side == INITIATOR ? iph2->nonce_p : iph2->nonce);
- memcpy(p, bp->v, bp->l);
- p += bp->l;
-
- /* compute IV */
- plog(LLV_DEBUG, LOCATION, NULL, "KEYMAT compute with\n");
- plogdump(LLV_DEBUG, buf->v, buf->l);
-
- /* res = K1 */
- res = oakley_prf(iph2->ph1->skeyid_d, buf, iph2->ph1);
- if (res == NULL)
- goto end;
-
- /* compute key length needed */
- encklen = authklen = 0;
- switch (pr->proto_id) {
- case IPSECDOI_PROTO_IPSEC_ESP:
- for (tr = pr->head; tr; tr = tr->next) {
- l = alg_ipsec_encdef_keylen(tr->trns_id,
- tr->encklen);
- if (l > encklen)
- encklen = l;
-
- l = alg_ipsec_hmacdef_hashlen(tr->authtype);
- if (l > authklen)
- authklen = l;
- }
- break;
- case IPSECDOI_PROTO_IPSEC_AH:
- for (tr = pr->head; tr; tr = tr->next) {
- l = alg_ipsec_hmacdef_hashlen(tr->trns_id);
- if (l > authklen)
- authklen = l;
- }
- break;
- default:
- break;
- }
- plog(LLV_DEBUG, LOCATION, NULL, "encklen=%d authklen=%d\n",
- encklen, authklen);
-
- dupkeymat = (encklen + authklen) / 8 / res->l;
- dupkeymat += 2; /* safety mergin */
- if (dupkeymat < 3)
- dupkeymat = 3;
- plog(LLV_DEBUG, LOCATION, NULL,
- "generating %zu bits of key (dupkeymat=%d)\n",
- dupkeymat * 8 * res->l, dupkeymat);
- if (0 < --dupkeymat) {
- vchar_t *prev = res; /* K(n-1) */
- vchar_t *seed = NULL; /* seed for Kn */
- size_t l;
-
- /*
- * generating long key (isakmp-oakley-08 5.5)
- * KEYMAT = K1 | K2 | K3 | ...
- * where
- * src = [ g(qm)^xy | ] protocol | SPI | Ni_b | Nr_b
- * K1 = prf(SKEYID_d, src)
- * K2 = prf(SKEYID_d, K1 | src)
- * K3 = prf(SKEYID_d, K2 | src)
- * Kn = prf(SKEYID_d, K(n-1) | src)
- */
- plog(LLV_DEBUG, LOCATION, NULL,
- "generating K1...K%d for KEYMAT.\n",
- dupkeymat + 1);
-
- seed = vmalloc(prev->l + buf->l);
- if (seed == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get keymat buffer.\n");
- if (prev && prev != res)
- vfree(prev);
- goto end;
- }
-
- while (dupkeymat--) {
- vchar_t *this = NULL; /* Kn */
- int update_prev;
-
- memcpy(seed->v, prev->v, prev->l);
- memcpy(seed->v + prev->l, buf->v, buf->l);
- this = oakley_prf(iph2->ph1->skeyid_d, seed,
- iph2->ph1);
- if (!this) {
- plog(LLV_ERROR, LOCATION, NULL,
- "oakley_prf memory overflow\n");
- if (prev && prev != res)
- vfree(prev);
- vfree(this);
- vfree(seed);
- goto end;
- }
-
- update_prev = (prev && prev == res) ? 1 : 0;
-
- l = res->l;
- res = vrealloc(res, l + this->l);
-
- if (update_prev)
- prev = res;
-
- if (res == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get keymat buffer.\n");
- if (prev && prev != res)
- vfree(prev);
- vfree(this);
- vfree(seed);
- goto end;
- }
- memcpy(res->v + l, this->v, this->l);
-
- if (prev && prev != res)
- vfree(prev);
- prev = this;
- this = NULL;
- }
-
- if (prev && prev != res)
- vfree(prev);
- vfree(seed);
- }
-
- plogdump(LLV_DEBUG, res->v, res->l);
-
- if (sa_dir == INBOUND_SA)
- pr->keymat = res;
- else
- pr->keymat_p = res;
- res = NULL;
- }
-
- error = 0;
-
-end:
- if (error) {
- for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
- if (pr->keymat) {
- vfree(pr->keymat);
- pr->keymat = NULL;
- }
- if (pr->keymat_p) {
- vfree(pr->keymat_p);
- pr->keymat_p = NULL;
- }
- }
- }
-
- if (buf != NULL)
- vfree(buf);
- if (res)
- vfree(res);
-
- return error;
-}
-
-#if notyet
-/*
- * NOTE: Must terminate by NULL.
- */
-vchar_t *
-oakley_compute_hashx(struct ph1handle *iph1, ...)
-{
- vchar_t *buf, *res;
- vchar_t *s;
- caddr_t p;
- int len;
-
- va_list ap;
-
- /* get buffer length */
- va_start(ap, iph1);
- len = 0;
- while ((s = va_arg(ap, vchar_t *)) != NULL) {
- len += s->l
- }
- va_end(ap);
-
- buf = vmalloc(len);
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get hash buffer\n");
- return NULL;
- }
-
- /* set buffer */
- va_start(ap, iph1);
- p = buf->v;
- while ((s = va_arg(ap, char *)) != NULL) {
- memcpy(p, s->v, s->l);
- p += s->l;
- }
- va_end(ap);
-
- plog(LLV_DEBUG, LOCATION, NULL, "HASH with: \n");
- plogdump(LLV_DEBUG, buf->v, buf->l);
-
- /* compute HASH */
- res = oakley_prf(iph1->skeyid_a, buf, iph1);
- vfree(buf);
- if (res == NULL)
- return NULL;
-
- plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n");
- plogdump(LLV_DEBUG, res->v, res->l);
-
- return res;
-}
-#endif
-
-/*
- * compute HASH(3) prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b)
- * see seciton 5.5 Phase 2 - Quick Mode in isakmp-oakley-05.
- */
-vchar_t *
-oakley_compute_hash3(iph1, msgid, body)
- struct ph1handle *iph1;
- u_int32_t msgid;
- vchar_t *body;
-{
- vchar_t *buf = 0, *res = 0;
- int len;
- int error = -1;
-
- /* create buffer */
- len = 1 + sizeof(u_int32_t) + body->l;
- buf = vmalloc(len);
- if (buf == NULL) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "failed to get hash buffer\n");
- goto end;
- }
-
- buf->v[0] = 0;
-
- memcpy(buf->v + 1, (char *)&msgid, sizeof(msgid));
-
- memcpy(buf->v + 1 + sizeof(u_int32_t), body->v, body->l);
-
- plog(LLV_DEBUG, LOCATION, NULL, "HASH with: \n");
- plogdump(LLV_DEBUG, buf->v, buf->l);
-
- /* compute HASH */
- res = oakley_prf(iph1->skeyid_a, buf, iph1);
- if (res == NULL)
- goto end;
-
- error = 0;
-
- plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n");
- plogdump(LLV_DEBUG, res->v, res->l);
-
-end:
- if (buf != NULL)
- vfree(buf);
- return res;
-}
-
-/*
- * compute HASH type of prf(SKEYID_a, M-ID | buffer)
- * e.g.
- * for quick mode HASH(1):
- * prf(SKEYID_a, M-ID | SA | Ni [ | KE ] [ | IDci | IDcr ])
- * for quick mode HASH(2):
- * prf(SKEYID_a, M-ID | Ni_b | SA | Nr [ | KE ] [ | IDci | IDcr ])
- * for Informational exchange:
- * prf(SKEYID_a, M-ID | N/D)
- */
-vchar_t *
-oakley_compute_hash1(iph1, msgid, body)
- struct ph1handle *iph1;
- u_int32_t msgid;
- vchar_t *body;
-{
- vchar_t *buf = NULL, *res = NULL;
- char *p;
- int len;
- int error = -1;
-
- /* create buffer */
- len = sizeof(u_int32_t) + body->l;
- buf = vmalloc(len);
- if (buf == NULL) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "failed to get hash buffer\n");
- goto end;
- }
-
- p = buf->v;
-
- memcpy(buf->v, (char *)&msgid, sizeof(msgid));
- p += sizeof(u_int32_t);
-
- memcpy(p, body->v, body->l);
-
- plog(LLV_DEBUG, LOCATION, NULL, "HASH with:\n");
- plogdump(LLV_DEBUG, buf->v, buf->l);
-
- /* compute HASH */
- res = oakley_prf(iph1->skeyid_a, buf, iph1);
- if (res == NULL)
- goto end;
-
- error = 0;
-
- plog(LLV_DEBUG, LOCATION, NULL, "HASH computed:\n");
- plogdump(LLV_DEBUG, res->v, res->l);
-
-end:
- if (buf != NULL)
- vfree(buf);
- return res;
-}
-
-/*
- * compute phase1 HASH
- * main/aggressive
- * I-digest = prf(SKEYID, g^i | g^r | CKY-I | CKY-R | SAi_b | ID_i1_b)
- * R-digest = prf(SKEYID, g^r | g^i | CKY-R | CKY-I | SAi_b | ID_r1_b)
- * for gssapi, also include all GSS tokens, and call gss_wrap on the result
- */
-vchar_t *
-oakley_ph1hash_common(iph1, sw)
- struct ph1handle *iph1;
- int sw;
-{
- vchar_t *buf = NULL, *res = NULL, *bp;
- char *p, *bp2;
- int len, bl;
- int error = -1;
-#ifdef HAVE_GSSAPI
- vchar_t *gsstokens = NULL;
-#endif
-
- /* create buffer */
- len = iph1->dhpub->l
- + iph1->dhpub_p->l
- + sizeof(cookie_t) * 2
- + iph1->sa->l
- + (sw == GENERATE ? iph1->id->l : iph1->id_p->l);
-
-#ifdef HAVE_GSSAPI
- if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
- if (iph1->gi_i != NULL && iph1->gi_r != NULL) {
- bp = (sw == GENERATE ? iph1->gi_i : iph1->gi_r);
- len += bp->l;
- }
- if (sw == GENERATE)
- gssapi_get_itokens(iph1, &gsstokens);
- else
- gssapi_get_rtokens(iph1, &gsstokens);
- if (gsstokens == NULL)
- return NULL;
- len += gsstokens->l;
- }
-#endif
-
- buf = vmalloc(len);
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get hash buffer\n");
- goto end;
- }
-
- p = buf->v;
-
- bp = (sw == GENERATE ? iph1->dhpub : iph1->dhpub_p);
- memcpy(p, bp->v, bp->l);
- p += bp->l;
-
- bp = (sw == GENERATE ? iph1->dhpub_p : iph1->dhpub);
- memcpy(p, bp->v, bp->l);
- p += bp->l;
-
- if (iph1->side == INITIATOR)
- bp2 = (sw == GENERATE ?
- (char *)&iph1->index.i_ck : (char *)&iph1->index.r_ck);
- else
- bp2 = (sw == GENERATE ?
- (char *)&iph1->index.r_ck : (char *)&iph1->index.i_ck);
- bl = sizeof(cookie_t);
- memcpy(p, bp2, bl);
- p += bl;
-
- if (iph1->side == INITIATOR)
- bp2 = (sw == GENERATE ?
- (char *)&iph1->index.r_ck : (char *)&iph1->index.i_ck);
- else
- bp2 = (sw == GENERATE ?
- (char *)&iph1->index.i_ck : (char *)&iph1->index.r_ck);
- bl = sizeof(cookie_t);
- memcpy(p, bp2, bl);
- p += bl;
-
- bp = iph1->sa;
- memcpy(p, bp->v, bp->l);
- p += bp->l;
-
- bp = (sw == GENERATE ? iph1->id : iph1->id_p);
- memcpy(p, bp->v, bp->l);
- p += bp->l;
-
-#ifdef HAVE_GSSAPI
- if (AUTHMETHOD(iph1) == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
- if (iph1->gi_i != NULL && iph1->gi_r != NULL) {
- bp = (sw == GENERATE ? iph1->gi_i : iph1->gi_r);
- memcpy(p, bp->v, bp->l);
- p += bp->l;
- }
- memcpy(p, gsstokens->v, gsstokens->l);
- p += gsstokens->l;
- }
-#endif
-
- plog(LLV_DEBUG, LOCATION, NULL, "HASH with:\n");
- plogdump(LLV_DEBUG, buf->v, buf->l);
-
- /* compute HASH */
- res = oakley_prf(iph1->skeyid, buf, iph1);
- if (res == NULL)
- goto end;
-
- error = 0;
-
- plog(LLV_DEBUG, LOCATION, NULL, "HASH (%s) computed:\n",
- iph1->side == INITIATOR ? "init" : "resp");
- plogdump(LLV_DEBUG, res->v, res->l);
-
-end:
- if (buf != NULL)
- vfree(buf);
-#ifdef HAVE_GSSAPI
- if (gsstokens != NULL)
- vfree(gsstokens);
-#endif
- return res;
-}
-
-/*
- * compute HASH_I on base mode.
- * base:psk,rsa
- * HASH_I = prf(SKEYID, g^xi | CKY-I | CKY-R | SAi_b | IDii_b)
- * base:sig
- * HASH_I = prf(hash(Ni_b | Nr_b), g^xi | CKY-I | CKY-R | SAi_b | IDii_b)
- */
-vchar_t *
-oakley_ph1hash_base_i(iph1, sw)
- struct ph1handle *iph1;
- int sw;
-{
- vchar_t *buf = NULL, *res = NULL, *bp;
- vchar_t *hashkey = NULL;
- vchar_t *hash = NULL; /* for signature mode */
- char *p;
- int len;
- int error = -1;
-
- /* sanity check */
- if (iph1->etype != ISAKMP_ETYPE_BASE) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid etype for this hash function\n");
- return NULL;
- }
-
- switch (AUTHMETHOD(iph1)) {
- case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
- case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
- case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
-#ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
- case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
-#endif
- if (iph1->skeyid == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "no SKEYID found.\n");
- return NULL;
- }
- hashkey = iph1->skeyid;
- break;
-
- case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
- case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
-#ifdef HAVE_GSSAPI
- case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
-#endif
-#ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
-#endif
- /* make hash for seed */
- len = iph1->nonce->l + iph1->nonce_p->l;
- buf = vmalloc(len);
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get hash buffer\n");
- goto end;
- }
- p = buf->v;
-
- bp = (sw == GENERATE ? iph1->nonce_p : iph1->nonce);
- memcpy(p, bp->v, bp->l);
- p += bp->l;
-
- bp = (sw == GENERATE ? iph1->nonce : iph1->nonce_p);
- memcpy(p, bp->v, bp->l);
- p += bp->l;
-
- hash = oakley_hash(buf, iph1);
- if (hash == NULL)
- goto end;
- vfree(buf);
- buf = NULL;
-
- hashkey = hash;
- break;
-
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "not supported authentication method %d\n",
- iph1->approval->authmethod);
- return NULL;
-
- }
-
- len = (sw == GENERATE ? iph1->dhpub->l : iph1->dhpub_p->l)
- + sizeof(cookie_t) * 2
- + iph1->sa->l
- + (sw == GENERATE ? iph1->id->l : iph1->id_p->l);
- buf = vmalloc(len);
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get hash buffer\n");
- goto end;
- }
- p = buf->v;
-
- bp = (sw == GENERATE ? iph1->dhpub : iph1->dhpub_p);
- memcpy(p, bp->v, bp->l);
- p += bp->l;
-
- memcpy(p, &iph1->index.i_ck, sizeof(cookie_t));
- p += sizeof(cookie_t);
- memcpy(p, &iph1->index.r_ck, sizeof(cookie_t));
- p += sizeof(cookie_t);
-
- memcpy(p, iph1->sa->v, iph1->sa->l);
- p += iph1->sa->l;
-
- bp = (sw == GENERATE ? iph1->id : iph1->id_p);
- memcpy(p, bp->v, bp->l);
- p += bp->l;
-
- plog(LLV_DEBUG, LOCATION, NULL, "HASH_I with:\n");
- plogdump(LLV_DEBUG, buf->v, buf->l);
-
- /* compute HASH */
- res = oakley_prf(hashkey, buf, iph1);
- if (res == NULL)
- goto end;
-
- error = 0;
-
- plog(LLV_DEBUG, LOCATION, NULL, "HASH_I computed:\n");
- plogdump(LLV_DEBUG, res->v, res->l);
-
-end:
- if (hash != NULL)
- vfree(hash);
- if (buf != NULL)
- vfree(buf);
- return res;
-}
-
-/*
- * compute HASH_R on base mode for signature method.
- * base:
- * HASH_R = prf(hash(Ni_b | Nr_b), g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
- */
-vchar_t *
-oakley_ph1hash_base_r(iph1, sw)
- struct ph1handle *iph1;
- int sw;
-{
- vchar_t *buf = NULL, *res = NULL, *bp;
- vchar_t *hash = NULL;
- char *p;
- int len;
- int error = -1;
-
- /* sanity check */
- if (iph1->etype != ISAKMP_ETYPE_BASE) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid etype for this hash function\n");
- return NULL;
- }
-
- switch(AUTHMETHOD(iph1)) {
- case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
- case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
-#ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
- case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
-#endif
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "not supported authentication method %d\n",
- iph1->approval->authmethod);
- return NULL;
- break;
- }
-
- /* make hash for seed */
- len = iph1->nonce->l + iph1->nonce_p->l;
- buf = vmalloc(len);
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get hash buffer\n");
- goto end;
- }
- p = buf->v;
-
- bp = (sw == GENERATE ? iph1->nonce_p : iph1->nonce);
- memcpy(p, bp->v, bp->l);
- p += bp->l;
-
- bp = (sw == GENERATE ? iph1->nonce : iph1->nonce_p);
- memcpy(p, bp->v, bp->l);
- p += bp->l;
-
- hash = oakley_hash(buf, iph1);
- if (hash == NULL)
- goto end;
- vfree(buf);
- buf = NULL;
-
- /* make really hash */
- len = (sw == GENERATE ? iph1->dhpub_p->l : iph1->dhpub->l)
- + (sw == GENERATE ? iph1->dhpub->l : iph1->dhpub_p->l)
- + sizeof(cookie_t) * 2
- + iph1->sa->l
- + (sw == GENERATE ? iph1->id_p->l : iph1->id->l);
- buf = vmalloc(len);
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get hash buffer\n");
- goto end;
- }
- p = buf->v;
-
-
- bp = (sw == GENERATE ? iph1->dhpub_p : iph1->dhpub);
- memcpy(p, bp->v, bp->l);
- p += bp->l;
-
- bp = (sw == GENERATE ? iph1->dhpub : iph1->dhpub_p);
- memcpy(p, bp->v, bp->l);
- p += bp->l;
-
- memcpy(p, &iph1->index.i_ck, sizeof(cookie_t));
- p += sizeof(cookie_t);
- memcpy(p, &iph1->index.r_ck, sizeof(cookie_t));
- p += sizeof(cookie_t);
-
- memcpy(p, iph1->sa->v, iph1->sa->l);
- p += iph1->sa->l;
-
- bp = (sw == GENERATE ? iph1->id_p : iph1->id);
- memcpy(p, bp->v, bp->l);
- p += bp->l;
-
- plog(LLV_DEBUG, LOCATION, NULL, "HASH_R with:\n");
- plogdump(LLV_DEBUG, buf->v, buf->l);
-
- /* compute HASH */
- res = oakley_prf(hash, buf, iph1);
- if (res == NULL)
- goto end;
-
- error = 0;
-
- plog(LLV_DEBUG, LOCATION, NULL, "HASH_R computed:\n");
- plogdump(LLV_DEBUG, res->v, res->l);
-
-end:
- if (buf != NULL)
- vfree(buf);
- if (hash)
- vfree(hash);
- return res;
-}
-
-/*
- * compute each authentication method in phase 1.
- * OUT:
- * 0: OK
- * -1: error
- * other: error to be reply with notification.
- * the value is notification type.
- */
-int
-oakley_validate_auth(iph1)
- struct ph1handle *iph1;
-{
- vchar_t *my_hash = NULL;
- int result;
-#ifdef HAVE_GSSAPI
- vchar_t *gsshash = NULL;
-#endif
-#ifdef ENABLE_STATS
- struct timeval start, end;
-#endif
-
-#ifdef ENABLE_STATS
- gettimeofday(&start, NULL);
-#endif
-
- switch (AUTHMETHOD(iph1)) {
- case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
-#ifdef ENABLE_HYBRID
- case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
-#endif
- /* validate HASH */
- {
- char *r_hash;
-
- if (iph1->id_p == NULL || iph1->pl_hash == NULL) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "few isakmp message received.\n");
- return ISAKMP_NTYPE_PAYLOAD_MALFORMED;
- }
-#ifdef ENABLE_HYBRID
- if (AUTHMETHOD(iph1) == FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I &&
- ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0))
- {
- plog(LLV_ERROR, LOCATION, NULL, "No SIG was passed, "
- "hybrid auth is enabled, "
- "but peer is no Xauth compliant\n");
- return ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED;
- break;
- }
-#endif
- r_hash = (caddr_t)(iph1->pl_hash + 1);
-
- plog(LLV_DEBUG, LOCATION, NULL, "HASH received:\n");
- plogdump(LLV_DEBUG, r_hash,
- ntohs(iph1->pl_hash->h.len) - sizeof(*iph1->pl_hash));
-
- switch (iph1->etype) {
- case ISAKMP_ETYPE_IDENT:
- case ISAKMP_ETYPE_AGG:
- my_hash = oakley_ph1hash_common(iph1, VALIDATE);
- break;
- case ISAKMP_ETYPE_BASE:
- if (iph1->side == INITIATOR)
- my_hash = oakley_ph1hash_common(iph1, VALIDATE);
- else
- my_hash = oakley_ph1hash_base_i(iph1, VALIDATE);
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid etype %d\n", iph1->etype);
- return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE;
- }
- if (my_hash == NULL)
- return ISAKMP_INTERNAL_ERROR;
-
- result = memcmp(my_hash->v, r_hash, my_hash->l);
- vfree(my_hash);
-
- if (result) {
- plog(LLV_ERROR, LOCATION, NULL, "HASH mismatched\n");
- return ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
- }
-
- plog(LLV_DEBUG, LOCATION, NULL, "HASH for PSK validated.\n");
- }
- break;
- case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
- case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
-#ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
-#endif
- {
- int error = 0;
- int certtype = 0;
-
- /* validation */
- if (iph1->id_p == NULL) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "no ID payload was passed.\n");
- return ISAKMP_NTYPE_PAYLOAD_MALFORMED;
- }
- if (iph1->sig_p == NULL) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "no SIG payload was passed.\n");
- return ISAKMP_NTYPE_PAYLOAD_MALFORMED;
- }
-
- plog(LLV_DEBUG, LOCATION, NULL, "SIGN passed:\n");
- plogdump(LLV_DEBUG, iph1->sig_p->v, iph1->sig_p->l);
-
- /* get peer's cert */
- switch (iph1->rmconf->getcert_method) {
- case ISAKMP_GETCERT_PAYLOAD:
- if (iph1->cert_p == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "no peer's CERT payload found.\n");
- return ISAKMP_INTERNAL_ERROR;
- }
- break;
- case ISAKMP_GETCERT_LOCALFILE:
- switch (iph1->rmconf->certtype) {
- case ISAKMP_CERT_X509SIGN:
- if (iph1->rmconf->peerscertfile == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "no peer's CERT file found.\n");
- return ISAKMP_INTERNAL_ERROR;
- }
-
- /* don't use cached cert */
- if (iph1->cert_p != NULL) {
- oakley_delcert(iph1->cert_p);
- iph1->cert_p = NULL;
- }
-
- error = get_cert_fromlocal(iph1, 0);
-#ifdef ANDROID_PATCHED
- if (!error)
- break;
- default:
- return ISAKMP_INTERNAL_ERROR;
-#else
- break;
-
- case ISAKMP_CERT_PLAINRSA:
- error = get_plainrsa_fromlocal(iph1, 0);
- break;
- }
- if (error)
- return ISAKMP_INTERNAL_ERROR;
- break;
- case ISAKMP_GETCERT_DNS:
- if (iph1->rmconf->peerscertfile != NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "why peer's CERT file is defined "
- "though getcert method is dns ?\n");
- return ISAKMP_INTERNAL_ERROR;
- }
-
- /* don't use cached cert */
- if (iph1->cert_p != NULL) {
- oakley_delcert(iph1->cert_p);
- iph1->cert_p = NULL;
- }
-
- iph1->cert_p = dnssec_getcert(iph1->id_p);
- if (iph1->cert_p == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "no CERT RR found.\n");
- return ISAKMP_INTERNAL_ERROR;
-#endif
- }
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid getcert_mothod: %d\n",
- iph1->rmconf->getcert_method);
- return ISAKMP_INTERNAL_ERROR;
- }
-
- /* compare ID payload and certificate name */
- if (iph1->rmconf->verify_cert &&
- (error = oakley_check_certid(iph1)) != 0)
- return error;
-
- /* verify certificate */
- if (iph1->rmconf->verify_cert
- && iph1->rmconf->getcert_method == ISAKMP_GETCERT_PAYLOAD) {
- certtype = iph1->rmconf->certtype;
-#ifdef ENABLE_HYBRID
- switch (AUTHMETHOD(iph1)) {
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
- certtype = iph1->cert_p->type;
- break;
- default:
- break;
- }
-#endif
- switch (certtype) {
- case ISAKMP_CERT_X509SIGN: {
- char path[MAXPATHLEN];
- char *ca;
-
- if (iph1->rmconf->cacertfile != NULL) {
- getpathname(path, sizeof(path),
- LC_PATHTYPE_CERT,
- iph1->rmconf->cacertfile);
- ca = path;
- } else {
- ca = NULL;
- }
-
- error = eay_check_x509cert(&iph1->cert_p->cert,
- lcconf->pathinfo[LC_PATHTYPE_CERT],
- ca, 0);
- break;
- }
-
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "no supported certtype %d\n", certtype);
- return ISAKMP_INTERNAL_ERROR;
- }
- if (error != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "the peer's certificate is not verified.\n");
- return ISAKMP_NTYPE_INVALID_CERT_AUTHORITY;
- }
- }
-
- /* Generate a warning if verify_cert == 0
- */
- if (iph1->rmconf->verify_cert){
- plog(LLV_DEBUG, LOCATION, NULL, "CERT validated\n");
- }else{
- plog(LLV_WARNING, LOCATION, NULL,
- "CERT validation disabled by configuration\n");
- }
-
- /* compute hash */
- switch (iph1->etype) {
- case ISAKMP_ETYPE_IDENT:
- case ISAKMP_ETYPE_AGG:
- my_hash = oakley_ph1hash_common(iph1, VALIDATE);
- break;
- case ISAKMP_ETYPE_BASE:
- if (iph1->side == INITIATOR)
- my_hash = oakley_ph1hash_base_r(iph1, VALIDATE);
- else
- my_hash = oakley_ph1hash_base_i(iph1, VALIDATE);
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid etype %d\n", iph1->etype);
- return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE;
- }
- if (my_hash == NULL)
- return ISAKMP_INTERNAL_ERROR;
-
-
- certtype = iph1->rmconf->certtype;
-#ifdef ENABLE_HYBRID
- switch (AUTHMETHOD(iph1)) {
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
- certtype = iph1->cert_p->type;
- break;
- default:
- break;
- }
-#endif
- /* check signature */
- switch (certtype) {
- case ISAKMP_CERT_X509SIGN:
- case ISAKMP_CERT_DNS:
- error = eay_check_x509sign(my_hash,
- iph1->sig_p,
- &iph1->cert_p->cert);
- break;
-#ifndef ANDROID_PATCHED
- case ISAKMP_CERT_PLAINRSA:
- iph1->rsa_p = rsa_try_check_rsasign(my_hash,
- iph1->sig_p, iph1->rsa_candidates);
- error = iph1->rsa_p ? 0 : -1;
-
- break;
-#endif
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "no supported certtype %d\n",
- certtype);
- vfree(my_hash);
- return ISAKMP_INTERNAL_ERROR;
- }
-
- vfree(my_hash);
- if (error != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Invalid SIG.\n");
- return ISAKMP_NTYPE_INVALID_SIGNATURE;
- }
- plog(LLV_DEBUG, LOCATION, NULL, "SIG authenticated\n");
- }
- break;
-#ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
- {
- if ((iph1->mode_cfg->flags & ISAKMP_CFG_VENDORID_XAUTH) == 0) {
- plog(LLV_ERROR, LOCATION, NULL, "No SIG was passed, "
- "hybrid auth is enabled, "
- "but peer is no Xauth compliant\n");
- return ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED;
- break;
- }
- plog(LLV_INFO, LOCATION, NULL, "No SIG was passed, "
- "but hybrid auth is enabled\n");
-
- return 0;
- break;
- }
-#endif
-#ifdef HAVE_GSSAPI
- case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
- /* check if we're not into XAUTH_PSKEY_I instead */
-#ifdef ENABLE_HYBRID
- if (iph1->rmconf->xauth)
- break;
-#endif
- switch (iph1->etype) {
- case ISAKMP_ETYPE_IDENT:
- case ISAKMP_ETYPE_AGG:
- my_hash = oakley_ph1hash_common(iph1, VALIDATE);
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid etype %d\n", iph1->etype);
- return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE;
- }
-
- if (my_hash == NULL) {
- if (gssapi_more_tokens(iph1))
- return ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE;
- else
- return ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
- }
-
- gsshash = gssapi_unwraphash(iph1);
- if (gsshash == NULL) {
- vfree(my_hash);
- return ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
- }
-
- result = memcmp(my_hash->v, gsshash->v, my_hash->l);
- vfree(my_hash);
- vfree(gsshash);
-
- if (result) {
- plog(LLV_ERROR, LOCATION, NULL, "HASH mismatched\n");
- return ISAKMP_NTYPE_INVALID_HASH_INFORMATION;
- }
- plog(LLV_DEBUG, LOCATION, NULL, "hash compared OK\n");
- break;
-#endif
- case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
- case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
-#ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
-#endif
- if (iph1->id_p == NULL || iph1->pl_hash == NULL) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "few isakmp message received.\n");
- return ISAKMP_NTYPE_PAYLOAD_MALFORMED;
- }
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "not supported authmethod type %s\n",
- s_oakley_attr_method(iph1->approval->authmethod));
- return ISAKMP_INTERNAL_ERROR;
- default:
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "invalid authmethod %d why ?\n",
- iph1->approval->authmethod);
- return ISAKMP_INTERNAL_ERROR;
- }
-#ifdef ENABLE_STATS
- gettimeofday(&end, NULL);
- syslog(LOG_NOTICE, "%s(%s): %8.6f", __func__,
- s_oakley_attr_method(iph1->approval->authmethod),
- timedelta(&start, &end));
-#endif
-
- return 0;
-}
-
-/* get my certificate
- * NOTE: include certificate type.
- */
-int
-oakley_getmycert(iph1)
- struct ph1handle *iph1;
-{
- switch (iph1->rmconf->certtype) {
- case ISAKMP_CERT_X509SIGN:
- if (iph1->cert)
- return 0;
- return get_cert_fromlocal(iph1, 1);
-
-#ifndef ANDROID_PATCHED
- case ISAKMP_CERT_PLAINRSA:
- if (iph1->rsa)
- return 0;
- return get_plainrsa_fromlocal(iph1, 1);
-#endif
-
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "Unknown certtype #%d\n",
- iph1->rmconf->certtype);
- return -1;
- }
-
-}
-
-/*
- * get a CERT from local file.
- * IN:
- * my != 0 my cert.
- * my == 0 peer's cert.
- */
-static int
-get_cert_fromlocal(iph1, my)
- struct ph1handle *iph1;
- int my;
-{
- char path[MAXPATHLEN];
- vchar_t *cert = NULL;
- cert_t **certpl;
- char *certfile;
- int error = -1;
-
- if (my) {
- certfile = iph1->rmconf->mycertfile;
- certpl = &iph1->cert;
- } else {
- certfile = iph1->rmconf->peerscertfile;
- certpl = &iph1->cert_p;
- }
- if (!certfile) {
- plog(LLV_ERROR, LOCATION, NULL, "no CERT defined.\n");
- return 0;
- }
-
- switch (iph1->rmconf->certtype) {
- case ISAKMP_CERT_X509SIGN:
- case ISAKMP_CERT_DNS:
- /* make public file name */
- getpathname(path, sizeof(path), LC_PATHTYPE_CERT, certfile);
- cert = eay_get_x509cert(path);
- if (cert) {
- char *p = NULL;
- p = eay_get_x509text(cert);
- plog(LLV_DEBUG, LOCATION, NULL, "%s", p ? p : "\n");
- racoon_free(p);
- };
- break;
-
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "not supported certtype %d\n",
- iph1->rmconf->certtype);
- goto end;
- }
-
- if (!cert) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get %s CERT.\n",
- my ? "my" : "peers");
- goto end;
- }
-
- *certpl = oakley_newcert();
- if (!*certpl) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get cert buffer.\n");
- goto end;
- }
- (*certpl)->pl = vmalloc(cert->l + 1);
- if ((*certpl)->pl == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get cert buffer\n");
- oakley_delcert(*certpl);
- *certpl = NULL;
- goto end;
- }
- memcpy((*certpl)->pl->v + 1, cert->v, cert->l);
- (*certpl)->pl->v[0] = iph1->rmconf->certtype;
- (*certpl)->type = iph1->rmconf->certtype;
- (*certpl)->cert.v = (*certpl)->pl->v + 1;
- (*certpl)->cert.l = (*certpl)->pl->l - 1;
-
- plog(LLV_DEBUG, LOCATION, NULL, "created CERT payload:\n");
- plogdump(LLV_DEBUG, (*certpl)->pl->v, (*certpl)->pl->l);
-
- error = 0;
-
-end:
- if (cert != NULL)
- vfree(cert);
-
- return error;
-}
-
-#ifndef ANDROID_PATCHED
-static int
-get_plainrsa_fromlocal(iph1, my)
- struct ph1handle *iph1;
- int my;
-{
- char path[MAXPATHLEN];
- vchar_t *cert = NULL;
- char *certfile;
- int error = -1;
-
- iph1->rsa_candidates = rsa_lookup_keys(iph1, my);
- if (!iph1->rsa_candidates ||
- rsa_list_count(iph1->rsa_candidates) == 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "%s RSA key not found for %s\n",
- my ? "Private" : "Public",
- saddr2str_fromto("%s <-> %s",
- iph1->local, iph1->remote));
- goto end;
- }
-
- if (my && rsa_list_count(iph1->rsa_candidates) > 1) {
- plog(LLV_WARNING, LOCATION, NULL,
- "More than one (=%lu) private "
- "PlainRSA key found for %s\n",
- rsa_list_count(iph1->rsa_candidates),
- saddr2str_fromto("%s <-> %s",
- iph1->local, iph1->remote));
- plog(LLV_WARNING, LOCATION, NULL,
- "This may have unpredictable results, "
- "i.e. wrong key could be used!\n");
- plog(LLV_WARNING, LOCATION, NULL,
- "Consider using only one single private "
- "key for all peers...\n");
- }
- if (my) {
- iph1->rsa = ((struct rsa_key *)
- genlist_next(iph1->rsa_candidates, NULL))->rsa;
-
- genlist_free(iph1->rsa_candidates, NULL);
- iph1->rsa_candidates = NULL;
-
- if (iph1->rsa == NULL)
- goto end;
- }
-
- error = 0;
-
-end:
- return error;
-}
-#endif
-
-#ifdef ANDROID_CHANGES
-
-#if defined(OPENSSL_IS_BORINGSSL)
-/* EVP_PKEY_from_keystore is from system/security/keystore-engine. */
-extern EVP_PKEY* EVP_PKEY_from_keystore(const char *key_id);
-#endif
-
-static vchar_t* keystore_sign(vchar_t* src, const char* path) {
- vchar_t* sig = NULL;
- EVP_PKEY *evp = NULL;
-
-#if !defined(OPENSSL_IS_BORINGSSL)
- ENGINE *engine = ENGINE_by_id("keystore");
- if (!engine) {
- return NULL;
- }
- if (!ENGINE_init(engine)) {
- ENGINE_free(engine);
- return NULL;
- }
-#endif
-
- const char *key_id;
- if (sscanf(path, pname, &key_id) != 1) {
- do_plog(LLV_ERROR, "couldn't read private key info\n");
- goto out;
- }
-
-#if !defined(OPENSSL_IS_BORINGSSL)
- evp = ENGINE_load_private_key(engine, key_id, NULL, NULL);
-#else
- evp = EVP_PKEY_from_keystore(key_id);
-#endif
- if (!evp) {
- do_plog(LLV_ERROR, "couldn't retrieve private key");
- ERR_remove_thread_state(NULL);
- goto out;
- }
-
- if (EVP_PKEY_id(evp) == EVP_PKEY_RSA) {
- sig = eay_rsa_sign(src, EVP_PKEY_get0_RSA(evp));
- }
-
-out:
- if (evp) {
- EVP_PKEY_free(evp);
- }
-
-#if !defined(OPENSSL_IS_BORINGSSL)
- ENGINE_finish(engine);
- ENGINE_free(engine);
-#endif
-
- return sig;
-}
-#endif
-
-/* get signature */
-int
-oakley_getsign(iph1)
- struct ph1handle *iph1;
-{
- char path[MAXPATHLEN];
- vchar_t *privkey = NULL;
- int error = -1;
-
- switch (iph1->rmconf->certtype) {
- case ISAKMP_CERT_X509SIGN:
- case ISAKMP_CERT_DNS:
- if (iph1->rmconf->myprivfile == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "no cert defined.\n");
- goto end;
- }
-
- /* make private file name */
- getpathname(path, sizeof(path),
- LC_PATHTYPE_CERT,
- iph1->rmconf->myprivfile);
-#ifdef ANDROID_CHANGES
- iph1->sig = keystore_sign(iph1->hash, path);
-#else
- privkey = privsep_eay_get_pkcs1privkey(path);
- if (privkey == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get private key.\n");
- goto end;
- }
- plog(LLV_DEBUG2, LOCATION, NULL, "private key:\n");
- plogdump(LLV_DEBUG2, privkey->v, privkey->l);
-
- iph1->sig = eay_get_x509sign(iph1->hash, privkey);
-#endif
- break;
-#ifndef ANDROID_PATCHED
- case ISAKMP_CERT_PLAINRSA:
- iph1->sig = eay_get_rsasign(iph1->hash, iph1->rsa);
- break;
-#endif
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "Unknown certtype #%d\n",
- iph1->rmconf->certtype);
- goto end;
- }
-
- if (iph1->sig == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "failed to sign.\n");
- goto end;
- }
-
- plog(LLV_DEBUG, LOCATION, NULL, "SIGN computed:\n");
- plogdump(LLV_DEBUG, iph1->sig->v, iph1->sig->l);
-
- error = 0;
-
-end:
- if (privkey != NULL)
- vfree(privkey);
-
- return error;
-}
-
-/*
- * compare certificate name and ID value.
- */
-static int
-oakley_check_certid(iph1)
- struct ph1handle *iph1;
-{
- struct ipsecdoi_id_b *id_b;
- vchar_t *name = NULL;
- char *altname = NULL;
- int idlen, type;
- int error;
-
- if (iph1->id_p == NULL || iph1->cert_p == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "no ID nor CERT found.\n");
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
- }
-
- id_b = (struct ipsecdoi_id_b *)iph1->id_p->v;
- idlen = iph1->id_p->l - sizeof(*id_b);
-
- switch (id_b->type) {
- case IPSECDOI_ID_DER_ASN1_DN:
- name = eay_get_x509asn1subjectname(&iph1->cert_p->cert);
- if (!name) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get subjectName\n");
- return ISAKMP_NTYPE_INVALID_CERTIFICATE;
- }
- if (idlen != name->l) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Invalid ID length in phase 1.\n");
- vfree(name);
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
- }
- error = memcmp(id_b + 1, name->v, idlen);
- vfree(name);
- if (error != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "ID mismatched with ASN1 SubjectName.\n");
- plogdump(LLV_DEBUG, id_b + 1, idlen);
- plogdump(LLV_DEBUG, name->v, idlen);
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
- }
- return 0;
- case IPSECDOI_ID_IPV4_ADDR:
- case IPSECDOI_ID_IPV6_ADDR:
- {
- /*
- * converting to binary from string because openssl return
- * a string even if object is a binary.
- * XXX fix it ! access by ASN.1 directly without.
- */
- struct addrinfo hints, *res;
- caddr_t a = NULL;
- int pos;
-
- for (pos = 1; ; pos++) {
- if (eay_get_x509subjectaltname(&iph1->cert_p->cert,
- &altname, &type, pos) !=0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get subjectAltName\n");
- return ISAKMP_NTYPE_INVALID_CERTIFICATE;
- }
-
- /* it's the end condition of the loop. */
- if (!altname) {
- plog(LLV_ERROR, LOCATION, NULL,
- "no proper subjectAltName.\n");
- return ISAKMP_NTYPE_INVALID_CERTIFICATE;
- }
-
- if (check_typeofcertname(id_b->type, type) == 0)
- break;
-
- /* next name */
- racoon_free(altname);
- altname = NULL;
- }
- memset(&hints, 0, sizeof(hints));
- hints.ai_family = PF_UNSPEC;
- hints.ai_socktype = SOCK_RAW;
- hints.ai_flags = AI_NUMERICHOST;
- error = getaddrinfo(altname, NULL, &hints, &res);
- if (error != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "no proper subjectAltName.\n");
- racoon_free(altname);
- return ISAKMP_NTYPE_INVALID_CERTIFICATE;
- }
- switch (res->ai_family) {
- case AF_INET:
- a = (caddr_t)&((struct sockaddr_in *)res->ai_addr)->sin_addr.s_addr;
- break;
-#ifdef INET6
- case AF_INET6:
- a = (caddr_t)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr.s6_addr;
- break;
-#endif
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "family not supported: %d.\n", res->ai_family);
- racoon_free(altname);
- freeaddrinfo(res);
- return ISAKMP_NTYPE_INVALID_CERTIFICATE;
- }
- error = memcmp(id_b + 1, a, idlen);
- freeaddrinfo(res);
- vfree(name);
- if (error != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "ID mismatched with subjectAltName.\n");
- plogdump(LLV_DEBUG, id_b + 1, idlen);
- plogdump(LLV_DEBUG, a, idlen);
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
- }
- return 0;
- }
- case IPSECDOI_ID_FQDN:
- case IPSECDOI_ID_USER_FQDN:
- {
- int pos;
-
- for (pos = 1; ; pos++) {
- if (eay_get_x509subjectaltname(&iph1->cert_p->cert,
- &altname, &type, pos) != 0){
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get subjectAltName\n");
- return ISAKMP_NTYPE_INVALID_CERTIFICATE;
- }
-
- /* it's the end condition of the loop. */
- if (!altname) {
- plog(LLV_ERROR, LOCATION, NULL,
- "no proper subjectAltName.\n");
- return ISAKMP_NTYPE_INVALID_CERTIFICATE;
- }
-
- if (check_typeofcertname(id_b->type, type) == 0)
- break;
-
- /* next name */
- racoon_free(altname);
- altname = NULL;
- }
- if (idlen != strlen(altname)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Invalid ID length in phase 1.\n");
- racoon_free(altname);
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
- }
- if (check_typeofcertname(id_b->type, type) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "ID type mismatched. ID: %s CERT: %s.\n",
- s_ipsecdoi_ident(id_b->type),
- s_ipsecdoi_ident(type));
- racoon_free(altname);
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
- }
- error = memcmp(id_b + 1, altname, idlen);
- if (error) {
- plog(LLV_ERROR, LOCATION, NULL, "ID mismatched.\n");
- plogdump(LLV_DEBUG, id_b + 1, idlen);
- plogdump(LLV_DEBUG, altname, idlen);
- racoon_free(altname);
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
- }
- racoon_free(altname);
- return 0;
- }
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "Inpropper ID type passed: %s.\n",
- s_ipsecdoi_ident(id_b->type));
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
- }
- /*NOTREACHED*/
-}
-
-static int
-check_typeofcertname(doi, genid)
- int doi, genid;
-{
- switch (doi) {
- case IPSECDOI_ID_IPV4_ADDR:
- case IPSECDOI_ID_IPV4_ADDR_SUBNET:
- case IPSECDOI_ID_IPV6_ADDR:
- case IPSECDOI_ID_IPV6_ADDR_SUBNET:
- case IPSECDOI_ID_IPV4_ADDR_RANGE:
- case IPSECDOI_ID_IPV6_ADDR_RANGE:
- if (genid != GENT_IPADD)
- return -1;
- return 0;
- case IPSECDOI_ID_FQDN:
- if (genid != GENT_DNS)
- return -1;
- return 0;
- case IPSECDOI_ID_USER_FQDN:
- if (genid != GENT_EMAIL)
- return -1;
- return 0;
- case IPSECDOI_ID_DER_ASN1_DN: /* should not be passed to this function*/
- case IPSECDOI_ID_DER_ASN1_GN:
- case IPSECDOI_ID_KEY_ID:
- default:
- return -1;
- }
- /*NOTREACHED*/
-}
-
-/*
- * save certificate including certificate type.
- */
-int
-oakley_savecert(iph1, gen)
- struct ph1handle *iph1;
- struct isakmp_gen *gen;
-{
- cert_t **c;
- u_int8_t type;
- STACK_OF(X509) *certs=NULL;
-#if !defined(OPENSSL_IS_BORINGSSL)
- PKCS7 *p7;
-#endif
-
- type = *(u_int8_t *)(gen + 1) & 0xff;
-
- switch (type) {
- case ISAKMP_CERT_DNS:
- plog(LLV_WARNING, LOCATION, NULL,
- "CERT payload is unnecessary in DNSSEC. "
- "ignore this CERT payload.\n");
- return 0;
- case ISAKMP_CERT_PKCS7:
- case ISAKMP_CERT_PGP:
- case ISAKMP_CERT_X509SIGN:
- case ISAKMP_CERT_KERBEROS:
- case ISAKMP_CERT_SPKI:
- c = &iph1->cert_p;
- break;
- case ISAKMP_CERT_CRL:
- c = &iph1->crl_p;
- break;
- case ISAKMP_CERT_X509KE:
- case ISAKMP_CERT_X509ATTR:
- case ISAKMP_CERT_ARL:
- plog(LLV_ERROR, LOCATION, NULL,
- "No supported such CERT type %d\n", type);
- return -1;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "Invalid CERT type %d\n", type);
- return -1;
- }
-
- /* XXX choice the 1th cert, ignore after the cert. */
- /* XXX should be processed. */
- if (*c) {
- plog(LLV_WARNING, LOCATION, NULL,
- "ignore 2nd CERT payload.\n");
- return 0;
- }
-
- if (type == ISAKMP_CERT_PKCS7) {
- u_char *bp;
-#if defined(OPENSSL_IS_BORINGSSL)
- size_t i;
- STACK_OF(X509) *certs = sk_X509_new_null();
- CBS cbs;
-#else
- int i;
-#endif
-
- /* Skip the header */
- bp = (u_char *)(gen + 1);
- /* And the first byte is the certificate type,
- * we know that already
- */
- bp++;
-#if defined(OPENSSL_IS_BORINGSSL)
- CBS_init(&cbs, bp, ntohs(gen->len) - sizeof(*gen) - 1);
- if (!PKCS7_get_certificates(certs, &cbs)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Failed to parse PKCS#7 CERT.\n");
- sk_X509_pop_free(certs, X509_free);
- return -1;
- }
-
- if (sk_X509_num(certs) == 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "CERT PKCS#7 bundle contains no certs.\n");
- sk_X509_pop_free(certs, X509_free);
- return -1;
- }
-#else
- p7 = d2i_PKCS7(NULL, (void *)&bp,
- ntohs(gen->len) - sizeof(*gen) - 1);
-
- if (!p7) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Failed to parse PKCS#7 CERT.\n");
- return -1;
- }
-
- /* Copied this from the openssl pkcs7 application;
- * there"s little by way of documentation for any of
- * it. I can only presume it"s correct.
- */
-
- i = OBJ_obj2nid(p7->type);
- switch (i) {
- case NID_pkcs7_signed:
- certs=p7->d.sign->cert;
- break;
- case NID_pkcs7_signedAndEnveloped:
- certs=p7->d.signed_and_enveloped->cert;
- break;
- default:
- break;
- }
-
- if (!certs) {
- plog(LLV_ERROR, LOCATION, NULL,
- "CERT PKCS#7 bundle contains no certs.\n");
- PKCS7_free(p7);
- return -1;
- }
-#endif
-
- for (i = 0; i < sk_X509_num(certs); i++) {
- int len;
- u_char *bp;
- X509 *cert = sk_X509_value(certs,i);
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "Trying PKCS#7 cert %d.\n", i);
-
- /* We'll just try each cert in turn */
- *c = save_certx509(cert);
-
- if (!*c) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Failed to get CERT buffer.\n");
- continue;
- }
-
- /* Ignore cert if it doesn't match identity
- * XXX If verify cert is disabled, we still just take
- * the first certificate....
- */
- if(iph1->rmconf->verify_cert &&
- oakley_check_certid(iph1)) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "Discarding CERT: does not match ID.\n");
- oakley_delcert((*c));
- *c = NULL;
- continue;
- }
-
- {
- char *p = eay_get_x509text(&(*c)->cert);
- plog(LLV_DEBUG, LOCATION, NULL, "CERT saved:\n");
- plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l);
- plog(LLV_DEBUG, LOCATION, NULL, "%s",
- p ? p : "\n");
- racoon_free(p);
- }
- break;
- }
-
-#if defined(OPENSSL_IS_BORINGSSL)
- sk_X509_pop_free(certs, X509_free);
-#else
- PKCS7_free(p7);
-#endif
-
- } else {
- *c = save_certbuf(gen);
- if (!*c) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Failed to get CERT buffer.\n");
- return -1;
- }
-
- switch ((*c)->type) {
- case ISAKMP_CERT_DNS:
- plog(LLV_WARNING, LOCATION, NULL,
- "CERT payload is unnecessary in DNSSEC. "
- "ignore it.\n");
- return 0;
- case ISAKMP_CERT_PGP:
- case ISAKMP_CERT_X509SIGN:
- case ISAKMP_CERT_KERBEROS:
- case ISAKMP_CERT_SPKI:
- /* Ignore cert if it doesn't match identity
- * XXX If verify cert is disabled, we still just take
- * the first certificate....
- */
- if(iph1->rmconf->verify_cert &&
- oakley_check_certid(iph1)){
- plog(LLV_DEBUG, LOCATION, NULL,
- "Discarding CERT: does not match ID.\n");
- oakley_delcert((*c));
- *c = NULL;
- return 0;
- }
-
- {
- char *p = eay_get_x509text(&(*c)->cert);
- plog(LLV_DEBUG, LOCATION, NULL, "CERT saved:\n");
- plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l);
- plog(LLV_DEBUG, LOCATION, NULL, "%s", p ? p : "\n");
- racoon_free(p);
- }
- break;
- case ISAKMP_CERT_CRL:
- plog(LLV_DEBUG, LOCATION, NULL, "CRL saved:\n");
- plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l);
- break;
- case ISAKMP_CERT_X509KE:
- case ISAKMP_CERT_X509ATTR:
- case ISAKMP_CERT_ARL:
- default:
- /* XXX */
- oakley_delcert((*c));
- *c = NULL;
- return 0;
- }
- }
-
- return 0;
-}
-
-/*
- * save certificate including certificate type.
- */
-int
-oakley_savecr(iph1, gen)
- struct ph1handle *iph1;
- struct isakmp_gen *gen;
-{
- cert_t **c;
- u_int8_t type;
-
- type = *(u_int8_t *)(gen + 1) & 0xff;
-
- switch (type) {
- case ISAKMP_CERT_DNS:
- plog(LLV_WARNING, LOCATION, NULL,
- "CERT payload is unnecessary in DNSSEC\n");
- /*FALLTHRU*/
- case ISAKMP_CERT_PKCS7:
- case ISAKMP_CERT_PGP:
- case ISAKMP_CERT_X509SIGN:
- case ISAKMP_CERT_KERBEROS:
- case ISAKMP_CERT_SPKI:
- c = &iph1->cr_p;
- break;
- case ISAKMP_CERT_X509KE:
- case ISAKMP_CERT_X509ATTR:
- case ISAKMP_CERT_ARL:
- plog(LLV_ERROR, LOCATION, NULL,
- "No supported such CR type %d\n", type);
- return -1;
- case ISAKMP_CERT_CRL:
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "Invalid CR type %d\n", type);
- return -1;
- }
-
- *c = save_certbuf(gen);
- if (!*c) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Failed to get CR buffer.\n");
- return -1;
- }
-
- plog(LLV_DEBUG, LOCATION, NULL, "CR saved:\n");
- plogdump(LLV_DEBUG, (*c)->cert.v, (*c)->cert.l);
-
- return 0;
-}
-
-static cert_t *
-save_certbuf(gen)
- struct isakmp_gen *gen;
-{
- cert_t *new;
-
- if(ntohs(gen->len) <= sizeof(*gen)){
- plog(LLV_ERROR, LOCATION, NULL,
- "Len is too small !!.\n");
- return NULL;
- }
-
- new = oakley_newcert();
- if (!new) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Failed to get CERT buffer.\n");
- return NULL;
- }
-
- new->pl = vmalloc(ntohs(gen->len) - sizeof(*gen));
- if (new->pl == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Failed to copy CERT from packet.\n");
- oakley_delcert(new);
- new = NULL;
- return NULL;
- }
- memcpy(new->pl->v, gen + 1, new->pl->l);
- new->type = new->pl->v[0] & 0xff;
- new->cert.v = new->pl->v + 1;
- new->cert.l = new->pl->l - 1;
-
- return new;
-}
-
-static cert_t *
-save_certx509(cert)
- X509 *cert;
-{
- cert_t *new;
- int len;
- u_char *bp;
-
- new = oakley_newcert();
- if (!new) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Failed to get CERT buffer.\n");
- return NULL;
- }
-
- len = i2d_X509(cert, NULL);
- new->pl = vmalloc(len);
- if (new->pl == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Failed to copy CERT from packet.\n");
- oakley_delcert(new);
- new = NULL;
- return NULL;
- }
- bp = (u_char *) new->pl->v;
- len = i2d_X509(cert, &bp);
- new->type = ISAKMP_CERT_X509SIGN;
- new->cert.v = new->pl->v;
- new->cert.l = new->pl->l;
-
- return new;
-}
-
-/*
- * get my CR.
- * NOTE: No Certificate Authority field is included to CR payload at the
- * moment. Becuase any certificate authority are accepted without any check.
- * The section 3.10 in RFC2408 says that this field SHOULD not be included,
- * if there is no specific certificate authority requested.
- */
-vchar_t *
-oakley_getcr(iph1)
- struct ph1handle *iph1;
-{
- vchar_t *buf;
-
- buf = vmalloc(1);
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get cr buffer\n");
- return NULL;
- }
- if(iph1->rmconf->certtype == ISAKMP_CERT_NONE) {
- buf->v[0] = iph1->rmconf->cacerttype;
- plog(LLV_DEBUG, LOCATION, NULL, "create my CR: NONE, using %s instead\n",
- s_isakmp_certtype(iph1->rmconf->cacerttype));
- } else {
- buf->v[0] = iph1->rmconf->certtype;
- plog(LLV_DEBUG, LOCATION, NULL, "create my CR: %s\n",
- s_isakmp_certtype(iph1->rmconf->certtype));
- }
- if (buf->l > 1) {
- plogdump(LLV_DEBUG, buf->v, buf->l);
- }
-
- return buf;
-}
-
-/*
- * check peer's CR.
- */
-int
-oakley_checkcr(iph1)
- struct ph1handle *iph1;
-{
- if (iph1->cr_p == NULL)
- return 0;
-
- plog(LLV_DEBUG, LOCATION, iph1->remote,
- "peer transmitted CR: %s\n",
- s_isakmp_certtype(iph1->cr_p->type));
-
- if (iph1->cr_p->type != iph1->rmconf->certtype) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "such a cert type isn't supported: %d\n",
- (char)iph1->cr_p->type);
- return -1;
- }
-
- return 0;
-}
-
-/*
- * check to need CR payload.
- */
-int
-oakley_needcr(type)
- int type;
-{
- switch (type) {
- case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
- case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
-#ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
-#endif
- return 1;
- default:
- return 0;
- }
- /*NOTREACHED*/
-}
-
-/*
- * compute SKEYID
- * see seciton 5. Exchanges in RFC 2409
- * psk: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
- * sig: SKEYID = prf(Ni_b | Nr_b, g^ir)
- * enc: SKEYID = prf(H(Ni_b | Nr_b), CKY-I | CKY-R)
- */
-int
-oakley_skeyid(iph1)
- struct ph1handle *iph1;
-{
- vchar_t *buf = NULL, *bp;
- char *p;
- int len;
- int error = -1;
-
- /* SKEYID */
- switch (AUTHMETHOD(iph1)) {
- case OAKLEY_ATTR_AUTH_METHOD_PSKEY:
-#ifdef ENABLE_HYBRID
- case FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
-#endif
- if (iph1->etype != ISAKMP_ETYPE_IDENT) {
- iph1->authstr = getpskbyname(iph1->id_p);
- if (iph1->authstr == NULL) {
- if (iph1->rmconf->verify_identifier) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "couldn't find the pskey.\n");
- goto end;
- }
- plog(LLV_NOTIFY, LOCATION, iph1->remote,
- "couldn't find the proper pskey, "
- "try to get one by the peer's address.\n");
- }
- }
- if (iph1->authstr == NULL) {
- /*
- * If the exchange type is the main mode or if it's
- * failed to get the psk by ID, racoon try to get
- * the psk by remote IP address.
- * It may be nonsense.
- */
- iph1->authstr = getpskbyaddr(iph1->remote);
- if (iph1->authstr == NULL) {
- plog(LLV_ERROR, LOCATION, iph1->remote,
- "couldn't find the pskey for %s.\n",
- saddrwop2str(iph1->remote));
- goto end;
- }
- }
- plog(LLV_DEBUG, LOCATION, NULL, "the psk found.\n");
- /* should be secret PSK */
- plog(LLV_DEBUG2, LOCATION, NULL, "psk: ");
- plogdump(LLV_DEBUG2, iph1->authstr->v, iph1->authstr->l);
-
- len = iph1->nonce->l + iph1->nonce_p->l;
- buf = vmalloc(len);
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get skeyid buffer\n");
- goto end;
- }
- p = buf->v;
-
- bp = (iph1->side == INITIATOR ? iph1->nonce : iph1->nonce_p);
- plog(LLV_DEBUG, LOCATION, NULL, "nonce 1: ");
- plogdump(LLV_DEBUG, bp->v, bp->l);
- memcpy(p, bp->v, bp->l);
- p += bp->l;
-
- bp = (iph1->side == INITIATOR ? iph1->nonce_p : iph1->nonce);
- plog(LLV_DEBUG, LOCATION, NULL, "nonce 2: ");
- plogdump(LLV_DEBUG, bp->v, bp->l);
- memcpy(p, bp->v, bp->l);
- p += bp->l;
-
- iph1->skeyid = oakley_prf(iph1->authstr, buf, iph1);
- if (iph1->skeyid == NULL)
- goto end;
- break;
-
- case OAKLEY_ATTR_AUTH_METHOD_DSSSIG:
- case OAKLEY_ATTR_AUTH_METHOD_RSASIG:
-#ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R:
- case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R:
-#endif
-#ifdef HAVE_GSSAPI
- case OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB:
-#endif
- len = iph1->nonce->l + iph1->nonce_p->l;
- buf = vmalloc(len);
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get nonce buffer\n");
- goto end;
- }
- p = buf->v;
-
- bp = (iph1->side == INITIATOR ? iph1->nonce : iph1->nonce_p);
- plog(LLV_DEBUG, LOCATION, NULL, "nonce1: ");
- plogdump(LLV_DEBUG, bp->v, bp->l);
- memcpy(p, bp->v, bp->l);
- p += bp->l;
-
- bp = (iph1->side == INITIATOR ? iph1->nonce_p : iph1->nonce);
- plog(LLV_DEBUG, LOCATION, NULL, "nonce2: ");
- plogdump(LLV_DEBUG, bp->v, bp->l);
- memcpy(p, bp->v, bp->l);
- p += bp->l;
-
- iph1->skeyid = oakley_prf(buf, iph1->dhgxy, iph1);
- if (iph1->skeyid == NULL)
- goto end;
- break;
- case OAKLEY_ATTR_AUTH_METHOD_RSAENC:
- case OAKLEY_ATTR_AUTH_METHOD_RSAREV:
-#ifdef ENABLE_HYBRID
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
- case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R:
-#endif
- plog(LLV_WARNING, LOCATION, NULL,
- "not supported authentication method %s\n",
- s_oakley_attr_method(iph1->approval->authmethod));
- goto end;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid authentication method %d\n",
- iph1->approval->authmethod);
- goto end;
- }
-
- plog(LLV_DEBUG, LOCATION, NULL, "SKEYID computed:\n");
- plogdump(LLV_DEBUG, iph1->skeyid->v, iph1->skeyid->l);
-
- error = 0;
-
-end:
- if (buf != NULL)
- vfree(buf);
- return error;
-}
-
-/*
- * compute SKEYID_[dae]
- * see seciton 5. Exchanges in RFC 2409
- * SKEYID_d = prf(SKEYID, g^ir | CKY-I | CKY-R | 0)
- * SKEYID_a = prf(SKEYID, SKEYID_d | g^ir | CKY-I | CKY-R | 1)
- * SKEYID_e = prf(SKEYID, SKEYID_a | g^ir | CKY-I | CKY-R | 2)
- */
-int
-oakley_skeyid_dae(iph1)
- struct ph1handle *iph1;
-{
- vchar_t *buf = NULL;
- char *p;
- int len;
- int error = -1;
-
- if (iph1->skeyid == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "no SKEYID found.\n");
- goto end;
- }
-
- /* SKEYID D */
- /* SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0) */
- len = iph1->dhgxy->l + sizeof(cookie_t) * 2 + 1;
- buf = vmalloc(len);
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get skeyid buffer\n");
- goto end;
- }
- p = buf->v;
-
- memcpy(p, iph1->dhgxy->v, iph1->dhgxy->l);
- p += iph1->dhgxy->l;
- memcpy(p, (caddr_t)&iph1->index.i_ck, sizeof(cookie_t));
- p += sizeof(cookie_t);
- memcpy(p, (caddr_t)&iph1->index.r_ck, sizeof(cookie_t));
- p += sizeof(cookie_t);
- *p = 0;
- iph1->skeyid_d = oakley_prf(iph1->skeyid, buf, iph1);
- if (iph1->skeyid_d == NULL)
- goto end;
-
- vfree(buf);
- buf = NULL;
-
- plog(LLV_DEBUG, LOCATION, NULL, "SKEYID_d computed:\n");
- plogdump(LLV_DEBUG, iph1->skeyid_d->v, iph1->skeyid_d->l);
-
- /* SKEYID A */
- /* SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1) */
- len = iph1->skeyid_d->l + iph1->dhgxy->l + sizeof(cookie_t) * 2 + 1;
- buf = vmalloc(len);
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get skeyid buffer\n");
- goto end;
- }
- p = buf->v;
- memcpy(p, iph1->skeyid_d->v, iph1->skeyid_d->l);
- p += iph1->skeyid_d->l;
- memcpy(p, iph1->dhgxy->v, iph1->dhgxy->l);
- p += iph1->dhgxy->l;
- memcpy(p, (caddr_t)&iph1->index.i_ck, sizeof(cookie_t));
- p += sizeof(cookie_t);
- memcpy(p, (caddr_t)&iph1->index.r_ck, sizeof(cookie_t));
- p += sizeof(cookie_t);
- *p = 1;
- iph1->skeyid_a = oakley_prf(iph1->skeyid, buf, iph1);
- if (iph1->skeyid_a == NULL)
- goto end;
-
- vfree(buf);
- buf = NULL;
-
- plog(LLV_DEBUG, LOCATION, NULL, "SKEYID_a computed:\n");
- plogdump(LLV_DEBUG, iph1->skeyid_a->v, iph1->skeyid_a->l);
-
- /* SKEYID E */
- /* SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2) */
- len = iph1->skeyid_a->l + iph1->dhgxy->l + sizeof(cookie_t) * 2 + 1;
- buf = vmalloc(len);
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get skeyid buffer\n");
- goto end;
- }
- p = buf->v;
- memcpy(p, iph1->skeyid_a->v, iph1->skeyid_a->l);
- p += iph1->skeyid_a->l;
- memcpy(p, iph1->dhgxy->v, iph1->dhgxy->l);
- p += iph1->dhgxy->l;
- memcpy(p, (caddr_t)&iph1->index.i_ck, sizeof(cookie_t));
- p += sizeof(cookie_t);
- memcpy(p, (caddr_t)&iph1->index.r_ck, sizeof(cookie_t));
- p += sizeof(cookie_t);
- *p = 2;
- iph1->skeyid_e = oakley_prf(iph1->skeyid, buf, iph1);
- if (iph1->skeyid_e == NULL)
- goto end;
-
- vfree(buf);
- buf = NULL;
-
- plog(LLV_DEBUG, LOCATION, NULL, "SKEYID_e computed:\n");
- plogdump(LLV_DEBUG, iph1->skeyid_e->v, iph1->skeyid_e->l);
-
- error = 0;
-
-end:
- if (buf != NULL)
- vfree(buf);
- return error;
-}
-
-/*
- * compute final encryption key.
- * see Appendix B.
- */
-int
-oakley_compute_enckey(iph1)
- struct ph1handle *iph1;
-{
- u_int keylen, prflen;
- int error = -1;
-
- /* RFC2409 p39 */
- keylen = alg_oakley_encdef_keylen(iph1->approval->enctype,
- iph1->approval->encklen);
- if (keylen == -1) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid encryption algoritym %d, "
- "or invalid key length %d.\n",
- iph1->approval->enctype,
- iph1->approval->encklen);
- goto end;
- }
- iph1->key = vmalloc(keylen >> 3);
- if (iph1->key == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get key buffer\n");
- goto end;
- }
-
- /* set prf length */
- prflen = alg_oakley_hashdef_hashlen(iph1->approval->hashtype);
- if (prflen == -1) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid hash type %d.\n", iph1->approval->hashtype);
- goto end;
- }
-
- /* see isakmp-oakley-08 5.3. */
- if (iph1->key->l <= iph1->skeyid_e->l) {
- /*
- * if length(Ka) <= length(SKEYID_e)
- * Ka = first length(K) bit of SKEYID_e
- */
- memcpy(iph1->key->v, iph1->skeyid_e->v, iph1->key->l);
- } else {
- vchar_t *buf = NULL, *res = NULL;
- u_char *p, *ep;
- int cplen;
- int subkey;
-
- /*
- * otherwise,
- * Ka = K1 | K2 | K3
- * where
- * K1 = prf(SKEYID_e, 0)
- * K2 = prf(SKEYID_e, K1)
- * K3 = prf(SKEYID_e, K2)
- */
- plog(LLV_DEBUG, LOCATION, NULL,
- "len(SKEYID_e) < len(Ka) (%zu < %zu), "
- "generating long key (Ka = K1 | K2 | ...)\n",
- iph1->skeyid_e->l, iph1->key->l);
-
- if ((buf = vmalloc(prflen >> 3)) == 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get key buffer\n");
- goto end;
- }
- p = (u_char *)iph1->key->v;
- ep = p + iph1->key->l;
-
- subkey = 1;
- while (p < ep) {
- if (p == (u_char *)iph1->key->v) {
- /* just for computing K1 */
- buf->v[0] = 0;
- buf->l = 1;
- }
- res = oakley_prf(iph1->skeyid_e, buf, iph1);
- if (res == NULL) {
- vfree(buf);
- goto end;
- }
- plog(LLV_DEBUG, LOCATION, NULL,
- "compute intermediate encryption key K%d\n",
- subkey);
- plogdump(LLV_DEBUG, buf->v, buf->l);
- plogdump(LLV_DEBUG, res->v, res->l);
-
- cplen = (res->l < ep - p) ? res->l : ep - p;
- memcpy(p, res->v, cplen);
- p += cplen;
-
- buf->l = prflen >> 3; /* to cancel K1 speciality */
- if (res->l != buf->l) {
- plog(LLV_ERROR, LOCATION, NULL,
- "internal error: res->l=%zu buf->l=%zu\n",
- res->l, buf->l);
- vfree(res);
- vfree(buf);
- goto end;
- }
- memcpy(buf->v, res->v, res->l);
- vfree(res);
- subkey++;
- }
-
- vfree(buf);
- }
-
- /*
- * don't check any weak key or not.
- * draft-ietf-ipsec-ike-01.txt Appendix B.
- * draft-ietf-ipsec-ciph-aes-cbc-00.txt Section 2.3.
- */
-#if 0
- /* weakkey check */
- if (iph1->approval->enctype > ARRAYLEN(oakley_encdef)
- || oakley_encdef[iph1->approval->enctype].weakkey == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "encryption algoritym %d isn't supported.\n",
- iph1->approval->enctype);
- goto end;
- }
- if ((oakley_encdef[iph1->approval->enctype].weakkey)(iph1->key)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "weakkey was generated.\n");
- goto end;
- }
-#endif
-
- plog(LLV_DEBUG, LOCATION, NULL, "final encryption key computed:\n");
- plogdump(LLV_DEBUG, iph1->key->v, iph1->key->l);
-
- error = 0;
-
-end:
- return error;
-}
-
-/* allocated new buffer for CERT */
-cert_t *
-oakley_newcert()
-{
- cert_t *new;
-
- new = racoon_calloc(1, sizeof(*new));
- if (new == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get cert's buffer\n");
- return NULL;
- }
-
- new->pl = NULL;
-
- return new;
-}
-
-/* delete buffer for CERT */
-void
-oakley_delcert(cert)
- cert_t *cert;
-{
- if (!cert)
- return;
- if (cert->pl)
- VPTRINIT(cert->pl);
- racoon_free(cert);
-}
-
-/*
- * compute IV and set to ph1handle
- * IV = hash(g^xi | g^xr)
- * see 4.1 Phase 1 state in draft-ietf-ipsec-ike.
- */
-int
-oakley_newiv(iph1)
- struct ph1handle *iph1;
-{
- struct isakmp_ivm *newivm = NULL;
- vchar_t *buf = NULL, *bp;
- char *p;
- int len;
-
- /* create buffer */
- len = iph1->dhpub->l + iph1->dhpub_p->l;
- buf = vmalloc(len);
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get iv buffer\n");
- return -1;
- }
-
- p = buf->v;
-
- bp = (iph1->side == INITIATOR ? iph1->dhpub : iph1->dhpub_p);
- memcpy(p, bp->v, bp->l);
- p += bp->l;
-
- bp = (iph1->side == INITIATOR ? iph1->dhpub_p : iph1->dhpub);
- memcpy(p, bp->v, bp->l);
- p += bp->l;
-
- /* allocate IVm */
- newivm = racoon_calloc(1, sizeof(struct isakmp_ivm));
- if (newivm == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get iv buffer\n");
- vfree(buf);
- return -1;
- }
-
- /* compute IV */
- newivm->iv = oakley_hash(buf, iph1);
- if (newivm->iv == NULL) {
- vfree(buf);
- oakley_delivm(newivm);
- return -1;
- }
-
- /* adjust length of iv */
- newivm->iv->l = alg_oakley_encdef_blocklen(iph1->approval->enctype);
- if (newivm->iv->l == -1) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid encryption algoriym %d.\n",
- iph1->approval->enctype);
- vfree(buf);
- oakley_delivm(newivm);
- return -1;
- }
-
- /* create buffer to save iv */
- if ((newivm->ive = vdup(newivm->iv)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "vdup (%s)\n", strerror(errno));
- vfree(buf);
- oakley_delivm(newivm);
- return -1;
- }
-
- vfree(buf);
-
- plog(LLV_DEBUG, LOCATION, NULL, "IV computed:\n");
- plogdump(LLV_DEBUG, newivm->iv->v, newivm->iv->l);
-
- iph1->ivm = newivm;
-
- return 0;
-}
-
-/*
- * compute IV for the payload after phase 1.
- * It's not limited for phase 2.
- * if pahse 1 was encrypted.
- * IV = hash(last CBC block of Phase 1 | M-ID)
- * if phase 1 was not encrypted.
- * IV = hash(phase 1 IV | M-ID)
- * see 4.2 Phase 2 state in draft-ietf-ipsec-ike.
- */
-struct isakmp_ivm *
-oakley_newiv2(iph1, msgid)
- struct ph1handle *iph1;
- u_int32_t msgid;
-{
- struct isakmp_ivm *newivm = NULL;
- vchar_t *buf = NULL;
- char *p;
- int len;
- int error = -1;
-
- /* create buffer */
- len = iph1->ivm->iv->l + sizeof(msgid_t);
- buf = vmalloc(len);
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get iv buffer\n");
- goto end;
- }
-
- p = buf->v;
-
- memcpy(p, iph1->ivm->iv->v, iph1->ivm->iv->l);
- p += iph1->ivm->iv->l;
-
- memcpy(p, &msgid, sizeof(msgid));
-
- plog(LLV_DEBUG, LOCATION, NULL, "compute IV for phase2\n");
- plog(LLV_DEBUG, LOCATION, NULL, "phase1 last IV:\n");
- plogdump(LLV_DEBUG, buf->v, buf->l);
-
- /* allocate IVm */
- newivm = racoon_calloc(1, sizeof(struct isakmp_ivm));
- if (newivm == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get iv buffer\n");
- goto end;
- }
-
- /* compute IV */
- if ((newivm->iv = oakley_hash(buf, iph1)) == NULL)
- goto end;
-
- /* adjust length of iv */
- newivm->iv->l = alg_oakley_encdef_blocklen(iph1->approval->enctype);
- if (newivm->iv->l == -1) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid encryption algoriym %d.\n",
- iph1->approval->enctype);
- goto end;
- }
-
- /* create buffer to save new iv */
- if ((newivm->ive = vdup(newivm->iv)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "vdup (%s)\n", strerror(errno));
- goto end;
- }
-
- error = 0;
-
- plog(LLV_DEBUG, LOCATION, NULL, "phase2 IV computed:\n");
- plogdump(LLV_DEBUG, newivm->iv->v, newivm->iv->l);
-
-end:
- if (error && newivm != NULL){
- oakley_delivm(newivm);
- newivm=NULL;
- }
- if (buf != NULL)
- vfree(buf);
- return newivm;
-}
-
-void
-oakley_delivm(ivm)
- struct isakmp_ivm *ivm;
-{
- if (ivm == NULL)
- return;
-
- if (ivm->iv != NULL)
- vfree(ivm->iv);
- if (ivm->ive != NULL)
- vfree(ivm->ive);
- racoon_free(ivm);
- plog(LLV_DEBUG, LOCATION, NULL, "IV freed\n");
-
- return;
-}
-
-/*
- * decrypt packet.
- * save new iv and old iv.
- */
-vchar_t *
-oakley_do_decrypt(iph1, msg, ivdp, ivep)
- struct ph1handle *iph1;
- vchar_t *msg, *ivdp, *ivep;
-{
- vchar_t *buf = NULL, *new = NULL;
- char *pl;
- int len;
- u_int8_t padlen;
- int blen;
- int error = -1;
-
- plog(LLV_DEBUG, LOCATION, NULL, "begin decryption.\n");
-
- blen = alg_oakley_encdef_blocklen(iph1->approval->enctype);
- if (blen == -1) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid encryption algoriym %d.\n",
- iph1->approval->enctype);
- goto end;
- }
-
- /* save IV for next, but not sync. */
- memset(ivep->v, 0, ivep->l);
- memcpy(ivep->v, (caddr_t)&msg->v[msg->l - blen], blen);
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "IV was saved for next processing:\n");
- plogdump(LLV_DEBUG, ivep->v, ivep->l);
-
- pl = msg->v + sizeof(struct isakmp);
-
- len = msg->l - sizeof(struct isakmp);
-
- /* create buffer */
- buf = vmalloc(len);
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get buffer to decrypt.\n");
- goto end;
- }
- memcpy(buf->v, pl, len);
-
- /* do decrypt */
- new = alg_oakley_encdef_decrypt(iph1->approval->enctype,
- buf, iph1->key, ivdp);
- if (new == NULL || new->v == NULL || new->l == 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "decryption %d failed.\n", iph1->approval->enctype);
- goto end;
- }
- plog(LLV_DEBUG, LOCATION, NULL, "with key:\n");
- plogdump(LLV_DEBUG, iph1->key->v, iph1->key->l);
-
- vfree(buf);
- buf = NULL;
-
- plog(LLV_DEBUG, LOCATION, NULL, "decrypted payload by IV:\n");
- plogdump(LLV_DEBUG, ivdp->v, ivdp->l);
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "decrypted payload, but not trimed.\n");
- plogdump(LLV_DEBUG, new->v, new->l);
-
- /* get padding length */
- if (lcconf->pad_excltail)
- padlen = new->v[new->l - 1] + 1;
- else
- padlen = new->v[new->l - 1];
- plog(LLV_DEBUG, LOCATION, NULL, "padding len=%u\n", padlen);
-
- /* trim padding */
- if (lcconf->pad_strict) {
- if (padlen > new->l) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalied padding len=%u, buflen=%zu.\n",
- padlen, new->l);
- plogdump(LLV_ERROR, new->v, new->l);
- goto end;
- }
- new->l -= padlen;
- plog(LLV_DEBUG, LOCATION, NULL, "trimmed padding\n");
- } else {
- plog(LLV_DEBUG, LOCATION, NULL, "skip to trim padding.\n");
- }
-
- /* create new buffer */
- len = sizeof(struct isakmp) + new->l;
- buf = vmalloc(len);
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get buffer to decrypt.\n");
- goto end;
- }
- memcpy(buf->v, msg->v, sizeof(struct isakmp));
- memcpy(buf->v + sizeof(struct isakmp), new->v, new->l);
- ((struct isakmp *)buf->v)->len = htonl(buf->l);
-
- plog(LLV_DEBUG, LOCATION, NULL, "decrypted.\n");
- plogdump(LLV_DEBUG, buf->v, buf->l);
-
-#ifdef HAVE_PRINT_ISAKMP_C
- isakmp_printpacket(buf, iph1->remote, iph1->local, 1);
-#endif
-
- error = 0;
-
-end:
- if (error && buf != NULL) {
- vfree(buf);
- buf = NULL;
- }
- if (new != NULL)
- vfree(new);
-
- return buf;
-}
-
-/*
- * encrypt packet.
- */
-vchar_t *
-oakley_do_encrypt(iph1, msg, ivep, ivp)
- struct ph1handle *iph1;
- vchar_t *msg, *ivep, *ivp;
-{
- vchar_t *buf = 0, *new = 0;
- char *pl;
- int len;
- u_int padlen;
- int blen;
- int error = -1;
-
- plog(LLV_DEBUG, LOCATION, NULL, "begin encryption.\n");
-
- /* set cbc block length */
- blen = alg_oakley_encdef_blocklen(iph1->approval->enctype);
- if (blen == -1) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid encryption algoriym %d.\n",
- iph1->approval->enctype);
- goto end;
- }
-
- pl = msg->v + sizeof(struct isakmp);
- len = msg->l - sizeof(struct isakmp);
-
- /* add padding */
- padlen = oakley_padlen(len, blen);
- plog(LLV_DEBUG, LOCATION, NULL, "pad length = %u\n", padlen);
-
- /* create buffer */
- buf = vmalloc(len + padlen);
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get buffer to encrypt.\n");
- goto end;
- }
- if (padlen) {
- int i;
- char *p = &buf->v[len];
- if (lcconf->pad_random) {
- for (i = 0; i < padlen; i++)
- *p++ = eay_random() & 0xff;
- }
- }
- memcpy(buf->v, pl, len);
-
- /* make pad into tail */
- if (lcconf->pad_excltail)
- buf->v[len + padlen - 1] = padlen - 1;
- else
- buf->v[len + padlen - 1] = padlen;
-
- plogdump(LLV_DEBUG, buf->v, buf->l);
-
- /* do encrypt */
- new = alg_oakley_encdef_encrypt(iph1->approval->enctype,
- buf, iph1->key, ivep);
- if (new == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "encryption %d failed.\n", iph1->approval->enctype);
- goto end;
- }
- plog(LLV_DEBUG, LOCATION, NULL, "with key:\n");
- plogdump(LLV_DEBUG, iph1->key->v, iph1->key->l);
-
- vfree(buf);
- buf = NULL;
-
- plog(LLV_DEBUG, LOCATION, NULL, "encrypted payload by IV:\n");
- plogdump(LLV_DEBUG, ivep->v, ivep->l);
-
- /* save IV for next */
- memset(ivp->v, 0, ivp->l);
- memcpy(ivp->v, (caddr_t)&new->v[new->l - blen], blen);
-
- plog(LLV_DEBUG, LOCATION, NULL, "save IV for next:\n");
- plogdump(LLV_DEBUG, ivp->v, ivp->l);
-
- /* create new buffer */
- len = sizeof(struct isakmp) + new->l;
- buf = vmalloc(len);
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get buffer to encrypt.\n");
- goto end;
- }
- memcpy(buf->v, msg->v, sizeof(struct isakmp));
- memcpy(buf->v + sizeof(struct isakmp), new->v, new->l);
- ((struct isakmp *)buf->v)->len = htonl(buf->l);
-
- error = 0;
-
- plog(LLV_DEBUG, LOCATION, NULL, "encrypted.\n");
-
-end:
- if (error && buf != NULL) {
- vfree(buf);
- buf = NULL;
- }
- if (new != NULL)
- vfree(new);
-
- return buf;
-}
-
-/* culculate padding length */
-static int
-oakley_padlen(len, base)
- int len, base;
-{
- int padlen;
-
- padlen = base - len % base;
-
- if (lcconf->pad_randomlen)
- padlen += ((eay_random() % (lcconf->pad_maxsize + 1) + 1) *
- base);
-
- return padlen;
-}
-
diff --git a/src/racoon/oakley.h b/src/racoon/oakley.h
deleted file mode 100644
index a8dbbd2..0000000
--- a/src/racoon/oakley.h
+++ /dev/null
@@ -1,243 +0,0 @@
-/* $NetBSD: oakley.h,v 1.5 2006/10/06 12:02:27 manu Exp $ */
-
-/* Id: oakley.h,v 1.13 2005/05/30 20:12:43 fredsen Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _OAKLEY_H
-#define _OAKLEY_H
-
-#include "vmbuf.h"
-
-/* refer to RFC 2409 */
-
-/* Attribute Classes */
-#define OAKLEY_ATTR_ENC_ALG 1 /* B */
-#define OAKLEY_ATTR_ENC_ALG_DES 1
-#define OAKLEY_ATTR_ENC_ALG_IDEA 2
-#define OAKLEY_ATTR_ENC_ALG_BLOWFISH 3
-#define OAKLEY_ATTR_ENC_ALG_RC5 4
-#define OAKLEY_ATTR_ENC_ALG_3DES 5
-#define OAKLEY_ATTR_ENC_ALG_CAST 6
-#define OAKLEY_ATTR_ENC_ALG_AES 7
-#define OAKLEY_ATTR_ENC_ALG_CAMELLIA 8
- /* 65001 - 65535 Private Use */
-#define OAKLEY_ATTR_HASH_ALG 2 /* B */
-#define OAKLEY_ATTR_HASH_ALG_MD5 1
-#define OAKLEY_ATTR_HASH_ALG_SHA 2
-#define OAKLEY_ATTR_HASH_ALG_TIGER 3
-#if defined(WITH_SHA2)
-#define OAKLEY_ATTR_HASH_ALG_SHA2_256 4
-#define OAKLEY_ATTR_HASH_ALG_SHA2_384 5
-#define OAKLEY_ATTR_HASH_ALG_SHA2_512 6
-#endif
- /* 65001 - 65535 Private Use */
-#define OAKLEY_ATTR_AUTH_METHOD 3 /* B */
-#define OAKLEY_ATTR_AUTH_METHOD_PSKEY 1
-#define OAKLEY_ATTR_AUTH_METHOD_DSSSIG 2
-#define OAKLEY_ATTR_AUTH_METHOD_RSASIG 3
-#define OAKLEY_ATTR_AUTH_METHOD_RSAENC 4
-#define OAKLEY_ATTR_AUTH_METHOD_RSAREV 5
-#define OAKLEY_ATTR_AUTH_METHOD_EGENC 6
-#define OAKLEY_ATTR_AUTH_METHOD_EGREV 7
- /* Hybrid Auth */
-#ifdef ENABLE_HYBRID
-#define OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I 64221
-#define OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R 64222
-#define OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I 64223
-#define OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R 64224
-
- /* 65001 - 65535 Private Use */
-
- /* Plain Xauth */
-#define OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I 65001
-#define OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R 65002
-#define OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I 65003
-#define OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R 65004
-#define OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I 65005
-#define OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R 65006
-#define OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I 65007
-#define OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R 65008
-#define OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I 65009
-#define OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R 65010
-#endif
-
- /* 65500 -> still private
- * to avoid clash with GSSAPI_KRB below
- */
-#define FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I 65500
-
-
- /*
- * The following are valid when the Vendor ID is one of
- * the following:
- *
- * MD5("A GSS-API Authentication Method for IKE")
- * MD5("GSSAPI") (recognized by Windows 2000)
- * MD5("MS NT5 ISAKMPOAKLEY") (sent by Windows 2000)
- */
-#define OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB 65001
-#define OAKLEY_ATTR_GRP_DESC 4 /* B */
-#define OAKLEY_ATTR_GRP_DESC_MODP768 1
-#define OAKLEY_ATTR_GRP_DESC_MODP1024 2
-#define OAKLEY_ATTR_GRP_DESC_EC2N155 3
-#define OAKLEY_ATTR_GRP_DESC_EC2N185 4
-#define OAKLEY_ATTR_GRP_DESC_MODP1536 5
-#define OAKLEY_ATTR_GRP_DESC_MODP2048 14
-#define OAKLEY_ATTR_GRP_DESC_MODP3072 15
-#define OAKLEY_ATTR_GRP_DESC_MODP4096 16
-#define OAKLEY_ATTR_GRP_DESC_MODP6144 17
-#define OAKLEY_ATTR_GRP_DESC_MODP8192 18
- /* 32768 - 65535 Private Use */
-#define OAKLEY_ATTR_GRP_TYPE 5 /* B */
-#define OAKLEY_ATTR_GRP_TYPE_MODP 1
-#define OAKLEY_ATTR_GRP_TYPE_ECP 2
-#define OAKLEY_ATTR_GRP_TYPE_EC2N 3
- /* 65001 - 65535 Private Use */
-#define OAKLEY_ATTR_GRP_PI 6 /* V */
-#define OAKLEY_ATTR_GRP_GEN_ONE 7 /* V */
-#define OAKLEY_ATTR_GRP_GEN_TWO 8 /* V */
-#define OAKLEY_ATTR_GRP_CURVE_A 9 /* V */
-#define OAKLEY_ATTR_GRP_CURVE_B 10 /* V */
-#define OAKLEY_ATTR_SA_LD_TYPE 11 /* B */
-#define OAKLEY_ATTR_SA_LD_TYPE_DEFAULT 1
-#define OAKLEY_ATTR_SA_LD_TYPE_SEC 1
-#define OAKLEY_ATTR_SA_LD_TYPE_KB 2
-#define OAKLEY_ATTR_SA_LD_TYPE_MAX 3
- /* 65001 - 65535 Private Use */
-#define OAKLEY_ATTR_SA_LD 12 /* V */
-#define OAKLEY_ATTR_SA_LD_SEC_DEFAULT 28800 /* 8 hours */
-#define OAKLEY_ATTR_PRF 13 /* B */
-#define OAKLEY_ATTR_KEY_LEN 14 /* B */
-#define OAKLEY_ATTR_FIELD_SIZE 15 /* B */
-#define OAKLEY_ATTR_GRP_ORDER 16 /* V */
-#define OAKLEY_ATTR_BLOCK_SIZE 17 /* B */
- /* 16384 - 32767 Private Use */
-
- /*
- * The following are valid when the Vendor ID is one of
- * the following:
- *
- * MD5("A GSS-API Authentication Method for IKE")
- * MD5("GSSAPI") (recognized by Windows 2000)
- * MD5("MS NT5 ISAKMPOAKLEY") (sent by Windows 2000)
- */
-#define OAKLEY_ATTR_GSS_ID 16384
-
-#define MAXPADLWORD 20
-
-struct dhgroup {
- int type;
- vchar_t *prime;
- int gen1;
- int gen2;
- vchar_t *curve_a;
- vchar_t *curve_b;
- vchar_t *order;
-};
-
-/* certificate holder */
-typedef struct cert_t_tag {
- u_int8_t type; /* type of CERT, must be same to pl->v[0]*/
- vchar_t cert; /* pointer to the CERT */
- vchar_t *pl; /* CERT payload minus isakmp general header */
-} cert_t;
-
-struct ph1handle;
-struct ph2handle;
-struct isakmp_ivm;
-
-extern int oakley_get_defaultlifetime __P((void));
-
-extern int oakley_dhinit __P((void));
-extern void oakley_dhgrp_free __P((struct dhgroup *));
-extern int oakley_dh_compute __P((const struct dhgroup *,
- vchar_t *, vchar_t *, vchar_t *, vchar_t **));
-extern int oakley_dh_generate __P((const struct dhgroup *,
- vchar_t **, vchar_t **));
-extern int oakley_setdhgroup __P((int, struct dhgroup **));
-
-extern vchar_t *oakley_prf __P((vchar_t *, vchar_t *, struct ph1handle *));
-extern vchar_t *oakley_hash __P((vchar_t *, struct ph1handle *));
-
-extern int oakley_compute_keymat __P((struct ph2handle *, int));
-
-#if notyet
-extern vchar_t *oakley_compute_hashx __P((void));
-#endif
-extern vchar_t *oakley_compute_hash3 __P((struct ph1handle *,
- u_int32_t, vchar_t *));
-extern vchar_t *oakley_compute_hash1 __P((struct ph1handle *,
- u_int32_t, vchar_t *));
-extern vchar_t *oakley_ph1hash_common __P((struct ph1handle *, int));
-extern vchar_t *oakley_ph1hash_base_i __P((struct ph1handle *, int));
-extern vchar_t *oakley_ph1hash_base_r __P((struct ph1handle *, int));
-
-extern int oakley_validate_auth __P((struct ph1handle *));
-extern int oakley_getmycert __P((struct ph1handle *));
-extern int oakley_getsign __P((struct ph1handle *));
-extern vchar_t *oakley_getcr __P((struct ph1handle *));
-extern int oakley_checkcr __P((struct ph1handle *));
-extern int oakley_needcr __P((int));
-struct isakmp_gen;
-extern int oakley_savecert __P((struct ph1handle *, struct isakmp_gen *));
-extern int oakley_savecr __P((struct ph1handle *, struct isakmp_gen *));
-
-extern int oakley_skeyid __P((struct ph1handle *));
-extern int oakley_skeyid_dae __P((struct ph1handle *));
-
-extern int oakley_compute_enckey __P((struct ph1handle *));
-extern cert_t *oakley_newcert __P((void));
-extern void oakley_delcert __P((cert_t *));
-extern int oakley_newiv __P((struct ph1handle *));
-extern struct isakmp_ivm *oakley_newiv2 __P((struct ph1handle *, u_int32_t));
-extern void oakley_delivm __P((struct isakmp_ivm *));
-extern vchar_t *oakley_do_decrypt __P((struct ph1handle *,
- vchar_t *, vchar_t *, vchar_t *));
-extern vchar_t *oakley_do_encrypt __P((struct ph1handle *,
- vchar_t *, vchar_t *, vchar_t *));
-
-#ifdef ENABLE_HYBRID
-#define AUTHMETHOD(iph1) \
- (((iph1)->rmconf->xauth && \
- (iph1)->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I) ? \
- FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I : (iph1)->approval->authmethod)
-#define RMAUTHMETHOD(iph1) \
- (((iph1)->rmconf->xauth && \
- (iph1)->rmconf->proposal->authmethod == \
- OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I) ? \
- FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I : \
- (iph1)->rmconf->proposal->authmethod)
-#else
-#define AUTHMETHOD(iph1) (iph1)->approval->authmethod
-#define RMAUTHMETHOD(iph1) (iph1)->rmconf->proposal->authmethod
-#endif /* ENABLE_HYBRID */
-
-#endif /* _OAKLEY_H */
diff --git a/src/racoon/pfkey.c b/src/racoon/pfkey.c
deleted file mode 100644
index e73acc8..0000000
--- a/src/racoon/pfkey.c
+++ /dev/null
@@ -1,3157 +0,0 @@
-/* $NetBSD: pfkey.c,v 1.18.4.5 2008/03/05 22:14:24 mgrooms Exp $ */
-
-/* $Id: pfkey.c,v 1.18.4.5 2008/03/05 22:14:24 mgrooms Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <stdlib.h>
-#include <string.h>
-#include <stdio.h>
-#include <netdb.h>
-#include <errno.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-#include <netdb.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#ifdef ENABLE_NATT
-# ifdef __linux__
-# include <linux/udp.h>
-# endif
-# if defined(__NetBSD__) || defined(__FreeBSD__) || \
- (defined(__APPLE__) && defined(__MACH__))
-# include <netinet/udp.h>
-# endif
-#endif
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/queue.h>
-#ifndef ANDROID_CHANGES
-#include <sys/sysctl.h>
-#endif
-
-#include <net/route.h>
-#include <net/pfkeyv2.h>
-
-#include <netinet/in.h>
-#include PATH_IPSEC_H
-#include <fcntl.h>
-
-#include "libpfkey.h"
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "sockmisc.h"
-#include "debug.h"
-
-#include "schedule.h"
-#include "localconf.h"
-#include "remoteconf.h"
-#include "handler.h"
-#include "policy.h"
-#include "proposal.h"
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "isakmp_inf.h"
-#include "ipsec_doi.h"
-#include "oakley.h"
-#include "pfkey.h"
-#include "algorithm.h"
-#include "sainfo.h"
-#include "admin.h"
-#include "privsep.h"
-#include "strnames.h"
-#include "backupsa.h"
-#include "gcmalloc.h"
-#include "nattraversal.h"
-#include "crypto_openssl.h"
-#include "grabmyaddr.h"
-
-#if defined(SADB_X_EALG_RIJNDAELCBC) && !defined(SADB_X_EALG_AESCBC)
-#define SADB_X_EALG_AESCBC SADB_X_EALG_RIJNDAELCBC
-#endif
-
-/* prototype */
-static u_int ipsecdoi2pfkey_aalg __P((u_int));
-static u_int ipsecdoi2pfkey_ealg __P((u_int));
-static u_int ipsecdoi2pfkey_calg __P((u_int));
-static u_int ipsecdoi2pfkey_alg __P((u_int, u_int));
-static u_int keylen_aalg __P((u_int));
-static u_int keylen_ealg __P((u_int, int));
-
-static int pk_recvgetspi __P((caddr_t *));
-static int pk_recvupdate __P((caddr_t *));
-static int pk_recvadd __P((caddr_t *));
-static int pk_recvdelete __P((caddr_t *));
-static int pk_recvacquire __P((caddr_t *));
-static int pk_recvexpire __P((caddr_t *));
-static int pk_recvflush __P((caddr_t *));
-static int getsadbpolicy __P((caddr_t *, int *, int, struct ph2handle *));
-static int pk_recvspdupdate __P((caddr_t *));
-static int pk_recvspdadd __P((caddr_t *));
-static int pk_recvspddelete __P((caddr_t *));
-static int pk_recvspdexpire __P((caddr_t *));
-static int pk_recvspdget __P((caddr_t *));
-static int pk_recvspddump __P((caddr_t *));
-static int pk_recvspdflush __P((caddr_t *));
-static struct sadb_msg *pk_recv __P((int, int *));
-
-static int (*pkrecvf[]) __P((caddr_t *)) = {
-NULL,
-pk_recvgetspi,
-pk_recvupdate,
-pk_recvadd,
-pk_recvdelete,
-NULL, /* SADB_GET */
-pk_recvacquire,
-NULL, /* SABD_REGISTER */
-pk_recvexpire,
-pk_recvflush,
-NULL, /* SADB_DUMP */
-NULL, /* SADB_X_PROMISC */
-NULL, /* SADB_X_PCHANGE */
-pk_recvspdupdate,
-pk_recvspdadd,
-pk_recvspddelete,
-pk_recvspdget,
-NULL, /* SADB_X_SPDACQUIRE */
-pk_recvspddump,
-pk_recvspdflush,
-NULL, /* SADB_X_SPDSETIDX */
-pk_recvspdexpire,
-NULL, /* SADB_X_SPDDELETE2 */
-NULL, /* SADB_X_NAT_T_NEW_MAPPING */
-NULL, /* SADB_X_MIGRATE */
-#if (SADB_MAX > 24)
-#error "SADB extra message?"
-#endif
-};
-
-static int addnewsp __P((caddr_t *));
-
-/* cope with old kame headers - ugly */
-#ifndef SADB_X_AALG_MD5
-#define SADB_X_AALG_MD5 SADB_AALG_MD5
-#endif
-#ifndef SADB_X_AALG_SHA
-#define SADB_X_AALG_SHA SADB_AALG_SHA
-#endif
-#ifndef SADB_X_AALG_NULL
-#define SADB_X_AALG_NULL SADB_AALG_NULL
-#endif
-
-#ifndef SADB_X_EALG_BLOWFISHCBC
-#define SADB_X_EALG_BLOWFISHCBC SADB_EALG_BLOWFISHCBC
-#endif
-#ifndef SADB_X_EALG_CAST128CBC
-#define SADB_X_EALG_CAST128CBC SADB_EALG_CAST128CBC
-#endif
-#ifndef SADB_X_EALG_RC5CBC
-#ifdef SADB_EALG_RC5CBC
-#define SADB_X_EALG_RC5CBC SADB_EALG_RC5CBC
-#endif
-#endif
-
-/*
- * PF_KEY packet handler
- * 0: success
- * -1: fail
- */
-int
-pfkey_handler()
-{
- struct sadb_msg *msg;
- int len;
- caddr_t mhp[SADB_EXT_MAX + 1];
- int error = -1;
-
- /* receive pfkey message. */
- len = 0;
- msg = (struct sadb_msg *)pk_recv(lcconf->sock_pfkey, &len);
- if (msg == NULL) {
- if (len < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to recv from pfkey (%s)\n",
- strerror(errno));
- goto end;
- } else {
- /* short message - msg not ready */
- return 0;
- }
- }
-
- plog(LLV_DEBUG, LOCATION, NULL, "get pfkey %s message\n",
- s_pfkey_type(msg->sadb_msg_type));
- plogdump(LLV_DEBUG2, msg, msg->sadb_msg_len << 3);
-
- /* validity check */
- if (msg->sadb_msg_errno) {
- int pri;
-
- /* when SPD is empty, treat the state as no error. */
- if (msg->sadb_msg_type == SADB_X_SPDDUMP &&
- msg->sadb_msg_errno == ENOENT)
- pri = LLV_DEBUG;
- else
- pri = LLV_ERROR;
-
- plog(pri, LOCATION, NULL,
- "pfkey %s failed: %s\n",
- s_pfkey_type(msg->sadb_msg_type),
- strerror(msg->sadb_msg_errno));
-
- goto end;
- }
-
- /* check pfkey message. */
- if (pfkey_align(msg, mhp)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "libipsec failed pfkey align (%s)\n",
- ipsec_strerror());
- goto end;
- }
- if (pfkey_check(mhp)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "libipsec failed pfkey check (%s)\n",
- ipsec_strerror());
- goto end;
- }
- msg = (struct sadb_msg *)mhp[0];
-
- /* safety check */
- if (msg->sadb_msg_type >= ARRAYLEN(pkrecvf)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "unknown PF_KEY message type=%u\n",
- msg->sadb_msg_type);
- goto end;
- }
-
- if (pkrecvf[msg->sadb_msg_type] == NULL) {
- plog(LLV_INFO, LOCATION, NULL,
- "unsupported PF_KEY message %s\n",
- s_pfkey_type(msg->sadb_msg_type));
- goto end;
- }
-
- if ((pkrecvf[msg->sadb_msg_type])(mhp) < 0)
- goto end;
-
- error = 0;
-end:
- if (msg)
- racoon_free(msg);
- return(error);
-}
-
-/*
- * dump SADB
- */
-vchar_t *
-pfkey_dump_sadb(satype)
- int satype;
-{
- int s = -1;
- vchar_t *buf = NULL;
- pid_t pid = getpid();
- struct sadb_msg *msg = NULL;
- size_t bl, ml;
- int len;
-
- if ((s = privsep_pfkey_open()) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "libipsec failed pfkey open: %s\n",
- ipsec_strerror());
- return NULL;
- }
-
- plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_dump\n");
- if (pfkey_send_dump(s, satype) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "libipsec failed dump: %s\n", ipsec_strerror());
- goto fail;
- }
-
- while (1) {
- if (msg)
- racoon_free(msg);
- msg = pk_recv(s, &len);
- if (msg == NULL) {
- if (len < 0)
- goto done;
- else
- continue;
- }
-
- if (msg->sadb_msg_type != SADB_DUMP || msg->sadb_msg_pid != pid)
- {
- plog(LLV_DEBUG, LOCATION, NULL,
- "discarding non-sadb dump msg %p, our pid=%i\n", msg, pid);
- plog(LLV_DEBUG, LOCATION, NULL,
- "type %i, pid %i\n", msg->sadb_msg_type, msg->sadb_msg_pid);
- continue;
- }
-
-
- ml = msg->sadb_msg_len << 3;
- bl = buf ? buf->l : 0;
- buf = vrealloc(buf, bl + ml);
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to reallocate buffer to dump.\n");
- goto fail;
- }
- memcpy(buf->v + bl, msg, ml);
-
- if (msg->sadb_msg_seq == 0)
- break;
- }
- goto done;
-
-fail:
- if (buf)
- vfree(buf);
- buf = NULL;
-done:
- if (msg)
- racoon_free(msg);
- if (s >= 0)
- privsep_pfkey_close(s);
- return buf;
-}
-
-#ifdef ENABLE_ADMINPORT
-/*
- * flush SADB
- */
-void
-pfkey_flush_sadb(proto)
- u_int proto;
-{
- int satype;
-
- /* convert to SADB_SATYPE */
- if ((satype = admin2pfkey_proto(proto)) < 0)
- return;
-
- plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_flush\n");
- if (pfkey_send_flush(lcconf->sock_pfkey, satype) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "libipsec failed send flush (%s)\n", ipsec_strerror());
- return;
- }
-
- return;
-}
-#endif
-
-/*
- * These are the SATYPEs that we manage. We register to get
- * PF_KEY messages related to these SATYPEs, and we also use
- * this list to determine which SATYPEs to delete SAs for when
- * we receive an INITIAL-CONTACT.
- */
-const struct pfkey_satype pfkey_satypes[] = {
- { SADB_SATYPE_AH, "AH" },
- { SADB_SATYPE_ESP, "ESP" },
- { SADB_X_SATYPE_IPCOMP, "IPCOMP" },
-};
-const int pfkey_nsatypes =
- sizeof(pfkey_satypes) / sizeof(pfkey_satypes[0]);
-
-/*
- * PF_KEY initialization
- */
-int
-pfkey_init()
-{
- int i, reg_fail;
-
- if ((lcconf->sock_pfkey = privsep_pfkey_open()) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "libipsec failed pfkey open (%s)\n", ipsec_strerror());
- return -1;
- }
- if (fcntl(lcconf->sock_pfkey, F_SETFL, O_NONBLOCK) == -1)
- plog(LLV_WARNING, LOCATION, NULL,
- "failed to set the pfkey socket to NONBLOCK\n");
-
- for (i = 0, reg_fail = 0; i < pfkey_nsatypes; i++) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "call pfkey_send_register for %s\n",
- pfkey_satypes[i].ps_name);
- if (pfkey_send_register(lcconf->sock_pfkey,
- pfkey_satypes[i].ps_satype) < 0 ||
- pfkey_recv_register(lcconf->sock_pfkey) < 0) {
- plog(LLV_WARNING, LOCATION, NULL,
- "failed to register %s (%s)\n",
- pfkey_satypes[i].ps_name,
- ipsec_strerror());
- reg_fail++;
- }
- }
-
- if (reg_fail == pfkey_nsatypes) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to regist any protocol.\n");
- pfkey_close(lcconf->sock_pfkey);
- return -1;
- }
-
- initsp();
-
- if (pfkey_send_spddump(lcconf->sock_pfkey) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "libipsec sending spddump failed: %s\n",
- ipsec_strerror());
- pfkey_close(lcconf->sock_pfkey);
- return -1;
- }
-#if 0
- if (pfkey_promisc_toggle(1) < 0) {
- pfkey_close(lcconf->sock_pfkey);
- return -1;
- }
-#endif
- return 0;
-}
-
-/* %%% for conversion */
-/* IPSECDOI_ATTR_AUTH -> SADB_AALG */
-static u_int
-ipsecdoi2pfkey_aalg(hashtype)
- u_int hashtype;
-{
- switch (hashtype) {
- case IPSECDOI_ATTR_AUTH_HMAC_MD5:
- return SADB_AALG_MD5HMAC;
- case IPSECDOI_ATTR_AUTH_HMAC_SHA1:
- return SADB_AALG_SHA1HMAC;
- case IPSECDOI_ATTR_AUTH_HMAC_SHA2_256:
-#if (defined SADB_X_AALG_SHA2_256) && !defined(SADB_X_AALG_SHA2_256HMAC)
- return SADB_X_AALG_SHA2_256;
-#else
- return SADB_X_AALG_SHA2_256HMAC;
-#endif
- case IPSECDOI_ATTR_AUTH_HMAC_SHA2_384:
-#if (defined SADB_X_AALG_SHA2_384) && !defined(SADB_X_AALG_SHA2_384HMAC)
- return SADB_X_AALG_SHA2_384;
-#else
- return SADB_X_AALG_SHA2_384HMAC;
-#endif
- case IPSECDOI_ATTR_AUTH_HMAC_SHA2_512:
-#if (defined SADB_X_AALG_SHA2_512) && !defined(SADB_X_AALG_SHA2_512HMAC)
- return SADB_X_AALG_SHA2_512;
-#else
- return SADB_X_AALG_SHA2_512HMAC;
-#endif
- case IPSECDOI_ATTR_AUTH_KPDK: /* need special care */
- return SADB_AALG_NONE;
-
- /* not supported */
- case IPSECDOI_ATTR_AUTH_DES_MAC:
- plog(LLV_ERROR, LOCATION, NULL,
- "Not supported hash type: %u\n", hashtype);
- return ~0;
-
- case 0: /* reserved */
- default:
- return SADB_AALG_NONE;
-
- plog(LLV_ERROR, LOCATION, NULL,
- "Invalid hash type: %u\n", hashtype);
- return ~0;
- }
- /*NOTREACHED*/
-}
-
-/* IPSECDOI_ESP -> SADB_EALG */
-static u_int
-ipsecdoi2pfkey_ealg(t_id)
- u_int t_id;
-{
- switch (t_id) {
- case IPSECDOI_ESP_DES_IV64: /* sa_flags |= SADB_X_EXT_OLD */
- return SADB_EALG_DESCBC;
- case IPSECDOI_ESP_DES:
- return SADB_EALG_DESCBC;
- case IPSECDOI_ESP_3DES:
- return SADB_EALG_3DESCBC;
-#ifdef SADB_X_EALG_RC5CBC
- case IPSECDOI_ESP_RC5:
- return SADB_X_EALG_RC5CBC;
-#endif
- case IPSECDOI_ESP_CAST:
- return SADB_X_EALG_CAST128CBC;
- case IPSECDOI_ESP_BLOWFISH:
- return SADB_X_EALG_BLOWFISHCBC;
- case IPSECDOI_ESP_DES_IV32: /* flags |= (SADB_X_EXT_OLD|
- SADB_X_EXT_IV4B)*/
- return SADB_EALG_DESCBC;
- case IPSECDOI_ESP_NULL:
- return SADB_EALG_NULL;
-#ifdef SADB_X_EALG_AESCBC
- case IPSECDOI_ESP_AES:
- return SADB_X_EALG_AESCBC;
-#endif
-#ifdef SADB_X_EALG_TWOFISHCBC
- case IPSECDOI_ESP_TWOFISH:
- return SADB_X_EALG_TWOFISHCBC;
-#endif
-#ifdef SADB_X_EALG_CAMELLIACBC
- case IPSECDOI_ESP_CAMELLIA:
- return SADB_X_EALG_CAMELLIACBC;
-#endif
-
- /* not supported */
- case IPSECDOI_ESP_3IDEA:
- case IPSECDOI_ESP_IDEA:
- case IPSECDOI_ESP_RC4:
- plog(LLV_ERROR, LOCATION, NULL,
- "Not supported transform: %u\n", t_id);
- return ~0;
-
- case 0: /* reserved */
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "Invalid transform id: %u\n", t_id);
- return ~0;
- }
- /*NOTREACHED*/
-}
-
-/* IPCOMP -> SADB_CALG */
-static u_int
-ipsecdoi2pfkey_calg(t_id)
- u_int t_id;
-{
- switch (t_id) {
- case IPSECDOI_IPCOMP_OUI:
- return SADB_X_CALG_OUI;
- case IPSECDOI_IPCOMP_DEFLATE:
- return SADB_X_CALG_DEFLATE;
- case IPSECDOI_IPCOMP_LZS:
- return SADB_X_CALG_LZS;
-
- case 0: /* reserved */
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "Invalid transform id: %u\n", t_id);
- return ~0;
- }
- /*NOTREACHED*/
-}
-
-/* IPSECDOI_PROTO -> SADB_SATYPE */
-u_int
-ipsecdoi2pfkey_proto(proto)
- u_int proto;
-{
- switch (proto) {
- case IPSECDOI_PROTO_IPSEC_AH:
- return SADB_SATYPE_AH;
- case IPSECDOI_PROTO_IPSEC_ESP:
- return SADB_SATYPE_ESP;
- case IPSECDOI_PROTO_IPCOMP:
- return SADB_X_SATYPE_IPCOMP;
-
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "Invalid ipsec_doi proto: %u\n", proto);
- return ~0;
- }
- /*NOTREACHED*/
-}
-
-static u_int
-ipsecdoi2pfkey_alg(algclass, type)
- u_int algclass, type;
-{
- switch (algclass) {
- case IPSECDOI_ATTR_AUTH:
- return ipsecdoi2pfkey_aalg(type);
- case IPSECDOI_PROTO_IPSEC_ESP:
- return ipsecdoi2pfkey_ealg(type);
- case IPSECDOI_PROTO_IPCOMP:
- return ipsecdoi2pfkey_calg(type);
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "Invalid ipsec_doi algclass: %u\n", algclass);
- return ~0;
- }
- /*NOTREACHED*/
-}
-
-/* SADB_SATYPE -> IPSECDOI_PROTO */
-u_int
-pfkey2ipsecdoi_proto(satype)
- u_int satype;
-{
- switch (satype) {
- case SADB_SATYPE_AH:
- return IPSECDOI_PROTO_IPSEC_AH;
- case SADB_SATYPE_ESP:
- return IPSECDOI_PROTO_IPSEC_ESP;
- case SADB_X_SATYPE_IPCOMP:
- return IPSECDOI_PROTO_IPCOMP;
-
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "Invalid pfkey proto: %u\n", satype);
- return ~0;
- }
- /*NOTREACHED*/
-}
-
-/* IPSECDOI_ATTR_ENC_MODE -> IPSEC_MODE */
-u_int
-ipsecdoi2pfkey_mode(mode)
- u_int mode;
-{
- switch (mode) {
- case IPSECDOI_ATTR_ENC_MODE_TUNNEL:
-#ifdef ENABLE_NATT
- case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC:
- case IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT:
-#endif
- return IPSEC_MODE_TUNNEL;
- case IPSECDOI_ATTR_ENC_MODE_TRNS:
-#ifdef ENABLE_NATT
- case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC:
- case IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT:
-#endif
- return IPSEC_MODE_TRANSPORT;
- default:
- plog(LLV_ERROR, LOCATION, NULL, "Invalid mode type: %u\n", mode);
- return ~0;
- }
- /*NOTREACHED*/
-}
-
-/* IPSECDOI_ATTR_ENC_MODE -> IPSEC_MODE */
-u_int
-pfkey2ipsecdoi_mode(mode)
- u_int mode;
-{
- switch (mode) {
- case IPSEC_MODE_TUNNEL:
- return IPSECDOI_ATTR_ENC_MODE_TUNNEL;
- case IPSEC_MODE_TRANSPORT:
- return IPSECDOI_ATTR_ENC_MODE_TRNS;
- case IPSEC_MODE_ANY:
- return IPSECDOI_ATTR_ENC_MODE_ANY;
- default:
- plog(LLV_ERROR, LOCATION, NULL, "Invalid mode type: %u\n", mode);
- return ~0;
- }
- /*NOTREACHED*/
-}
-
-/* default key length for encryption algorithm */
-static u_int
-keylen_aalg(hashtype)
- u_int hashtype;
-{
- int res;
-
- if (hashtype == 0)
- return SADB_AALG_NONE;
-
- res = alg_ipsec_hmacdef_hashlen(hashtype);
- if (res == -1) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid hmac algorithm %u.\n", hashtype);
- return ~0;
- }
- return res;
-}
-
-/* default key length for encryption algorithm */
-static u_int
-keylen_ealg(enctype, encklen)
- u_int enctype;
- int encklen;
-{
- int res;
-
- res = alg_ipsec_encdef_keylen(enctype, encklen);
- if (res == -1) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid encryption algorithm %u.\n", enctype);
- return ~0;
- }
- return res;
-}
-
-int
-pfkey_convertfromipsecdoi(proto_id, t_id, hashtype,
- e_type, e_keylen, a_type, a_keylen, flags)
- u_int proto_id;
- u_int t_id;
- u_int hashtype;
- u_int *e_type;
- u_int *e_keylen;
- u_int *a_type;
- u_int *a_keylen;
- u_int *flags;
-{
- *flags = 0;
- switch (proto_id) {
- case IPSECDOI_PROTO_IPSEC_ESP:
- if ((*e_type = ipsecdoi2pfkey_ealg(t_id)) == ~0)
- goto bad;
- if ((*e_keylen = keylen_ealg(t_id, *e_keylen)) == ~0)
- goto bad;
- *e_keylen >>= 3;
-
- if ((*a_type = ipsecdoi2pfkey_aalg(hashtype)) == ~0)
- goto bad;
- if ((*a_keylen = keylen_aalg(hashtype)) == ~0)
- goto bad;
- *a_keylen >>= 3;
-
- if (*e_type == SADB_EALG_NONE) {
- plog(LLV_ERROR, LOCATION, NULL, "no ESP algorithm.\n");
- goto bad;
- }
- break;
-
- case IPSECDOI_PROTO_IPSEC_AH:
- if ((*a_type = ipsecdoi2pfkey_aalg(hashtype)) == ~0)
- goto bad;
- if ((*a_keylen = keylen_aalg(hashtype)) == ~0)
- goto bad;
- *a_keylen >>= 3;
-
- if (t_id == IPSECDOI_ATTR_AUTH_HMAC_MD5
- && hashtype == IPSECDOI_ATTR_AUTH_KPDK) {
- /* AH_MD5 + Auth(KPDK) = RFC1826 keyed-MD5 */
- *a_type = SADB_X_AALG_MD5;
- *flags |= SADB_X_EXT_OLD;
- }
- *e_type = SADB_EALG_NONE;
- *e_keylen = 0;
- if (*a_type == SADB_AALG_NONE) {
- plog(LLV_ERROR, LOCATION, NULL, "no AH algorithm.\n");
- goto bad;
- }
- break;
-
- case IPSECDOI_PROTO_IPCOMP:
- if ((*e_type = ipsecdoi2pfkey_calg(t_id)) == ~0)
- goto bad;
- *e_keylen = 0;
-
- *flags = SADB_X_EXT_RAWCPI;
-
- *a_type = SADB_AALG_NONE;
- *a_keylen = 0;
- if (*e_type == SADB_X_CALG_NONE) {
- plog(LLV_ERROR, LOCATION, NULL, "no IPCOMP algorithm.\n");
- goto bad;
- }
- break;
-
- default:
- plog(LLV_ERROR, LOCATION, NULL, "unknown IPsec protocol.\n");
- goto bad;
- }
-
- return 0;
-
- bad:
- errno = EINVAL;
- return -1;
-}
-
-/* called from scheduler */
-void
-pfkey_timeover_stub(p)
- void *p;
-{
-
- pfkey_timeover((struct ph2handle *)p);
-}
-
-void
-pfkey_timeover(iph2)
- struct ph2handle *iph2;
-{
- plog(LLV_ERROR, LOCATION, NULL,
- "%s give up to get IPsec-SA due to time up to wait.\n",
- saddrwop2str(iph2->dst));
- SCHED_KILL(iph2->sce);
-
- /* If initiator side, send error to kernel by SADB_ACQUIRE. */
- if (iph2->side == INITIATOR)
- pk_sendeacquire(iph2);
-
- unbindph12(iph2);
- remph2(iph2);
- delph2(iph2);
-
- return;
-}
-
-/*%%%*/
-/* send getspi message per ipsec protocol per remote address */
-/*
- * the local address and remote address in ph1handle are dealed
- * with destination address and source address respectively.
- * Because SPI is decided by responder.
- */
-int
-pk_sendgetspi(iph2)
- struct ph2handle *iph2;
-{
- struct sockaddr *src = NULL, *dst = NULL;
- u_int satype, mode;
- struct saprop *pp;
- struct saproto *pr;
- u_int32_t minspi, maxspi;
- int proxy = 0;
-
- if (iph2->side == INITIATOR) {
- pp = iph2->proposal;
- proxy = iph2->ph1->rmconf->support_proxy;
- } else {
- pp = iph2->approval;
- if (iph2->sainfo && iph2->sainfo->id_i)
- proxy = 1;
- }
-
- /* for mobile IPv6 */
- if (proxy && iph2->src_id && iph2->dst_id &&
- ipsecdoi_transportmode(pp)) {
- src = iph2->src_id;
- dst = iph2->dst_id;
- } else {
- src = iph2->src;
- dst = iph2->dst;
- }
-
- for (pr = pp->head; pr != NULL; pr = pr->next) {
-
- /* validity check */
- satype = ipsecdoi2pfkey_proto(pr->proto_id);
- if (satype == ~0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid proto_id %d\n", pr->proto_id);
- return -1;
- }
- /* this works around a bug in Linux kernel where it allocates 4 byte
- spi's for IPCOMP */
- else if (satype == SADB_X_SATYPE_IPCOMP) {
- minspi = 0x100;
- maxspi = 0xffff;
- }
- else {
- minspi = 0;
- maxspi = 0;
- }
- mode = ipsecdoi2pfkey_mode(pr->encmode);
- if (mode == ~0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid encmode %d\n", pr->encmode);
- return -1;
- }
-
-#ifdef ENABLE_NATT
- /* XXX should we do a copy of src/dst for each pr ?
- */
- if (! pr->udp_encap) {
- /* Remove port information, that SA doesn't use it */
- set_port(src, 0);
- set_port(dst, 0);
- }
-#endif
- plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_getspi\n");
- if (pfkey_send_getspi(
- lcconf->sock_pfkey,
- satype,
- mode,
- dst, /* src of SA */
- src, /* dst of SA */
- minspi, maxspi,
- pr->reqid_in, iph2->seq) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "ipseclib failed send getspi (%s)\n",
- ipsec_strerror());
- return -1;
- }
- plog(LLV_DEBUG, LOCATION, NULL,
- "pfkey GETSPI sent: %s\n",
- sadbsecas2str(dst, src, satype, 0, mode));
- }
-
- return 0;
-}
-
-/*
- * receive GETSPI from kernel.
- */
-static int
-pk_recvgetspi(mhp)
- caddr_t *mhp;
-{
- struct sadb_msg *msg;
- struct sadb_sa *sa;
- struct ph2handle *iph2;
- struct sockaddr *dst;
- int proto_id;
- int allspiok, notfound;
- struct saprop *pp;
- struct saproto *pr;
-
- /* validity check */
- if (mhp[SADB_EXT_SA] == NULL
- || mhp[SADB_EXT_ADDRESS_DST] == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "inappropriate sadb getspi message passed.\n");
- return -1;
- }
- msg = (struct sadb_msg *)mhp[0];
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]); /* note SA dir */
-
- /* the message has to be processed or not ? */
- if (msg->sadb_msg_pid != getpid()) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "%s message is not interesting "
- "because pid %d is not mine.\n",
- s_pfkey_type(msg->sadb_msg_type),
- msg->sadb_msg_pid);
- return -1;
- }
-
- iph2 = getph2byseq(msg->sadb_msg_seq);
- if (iph2 == NULL) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "seq %d of %s message not interesting.\n",
- msg->sadb_msg_seq,
- s_pfkey_type(msg->sadb_msg_type));
- return -1;
- }
-
- if (iph2->status != PHASE2ST_GETSPISENT) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatch (db:%d msg:%d)\n",
- iph2->status, PHASE2ST_GETSPISENT);
- return -1;
- }
-
- /* set SPI, and check to get all spi whether or not */
- allspiok = 1;
- notfound = 1;
- proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
- pp = iph2->side == INITIATOR ? iph2->proposal : iph2->approval;
-
- for (pr = pp->head; pr != NULL; pr = pr->next) {
- if (pr->proto_id == proto_id && pr->spi == 0) {
- pr->spi = sa->sadb_sa_spi;
- notfound = 0;
- plog(LLV_DEBUG, LOCATION, NULL,
- "pfkey GETSPI succeeded: %s\n",
- sadbsecas2str(iph2->dst, iph2->src,
- msg->sadb_msg_satype,
- sa->sadb_sa_spi,
- ipsecdoi2pfkey_mode(pr->encmode)));
- }
- if (pr->spi == 0)
- allspiok = 0; /* not get all spi */
- }
-
- if (notfound) {
- plog(LLV_ERROR, LOCATION, NULL,
- "get spi for unknown address %s\n",
- saddrwop2str(iph2->dst));
- return -1;
- }
-
- if (allspiok) {
- /* update status */
- iph2->status = PHASE2ST_GETSPIDONE;
- if (isakmp_post_getspi(iph2) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to start post getspi.\n");
- unbindph12(iph2);
- remph2(iph2);
- delph2(iph2);
- iph2 = NULL;
- return -1;
- }
- }
-
- return 0;
-}
-
-/*
- * set inbound SA
- */
-int
-pk_sendupdate(iph2)
- struct ph2handle *iph2;
-{
- struct saproto *pr;
- struct pfkey_send_sa_args sa_args;
- int proxy = 0;
-
- /* sanity check */
- if (iph2->approval == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "no approvaled SAs found.\n");
- }
-
- if (iph2->side == INITIATOR)
- proxy = iph2->ph1->rmconf->support_proxy;
- else if (iph2->sainfo && iph2->sainfo->id_i)
- proxy = 1;
-
- /* fill in some needed for pfkey_send_update2 */
- memset (&sa_args, 0, sizeof (sa_args));
- sa_args.so = lcconf->sock_pfkey;
- sa_args.l_addtime = iph2->approval->lifetime;
- sa_args.seq = iph2->seq;
- sa_args.wsize = 4;
-
- /* for mobile IPv6 */
- if (proxy && iph2->src_id && iph2->dst_id &&
- ipsecdoi_transportmode(iph2->approval)) {
- sa_args.dst = iph2->src_id;
- sa_args.src = iph2->dst_id;
- } else {
- sa_args.dst = iph2->src;
- sa_args.src = iph2->dst;
- }
-
- for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
- /* validity check */
- sa_args.satype = ipsecdoi2pfkey_proto(pr->proto_id);
- if (sa_args.satype == ~0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid proto_id %d\n", pr->proto_id);
- return -1;
- }
- else if (sa_args.satype == SADB_X_SATYPE_IPCOMP) {
- /* IPCOMP has no replay window */
- sa_args.wsize = 0;
- }
-#ifdef ENABLE_SAMODE_UNSPECIFIED
- sa_args.mode = IPSEC_MODE_ANY;
-#else
- sa_args.mode = ipsecdoi2pfkey_mode(pr->encmode);
- if (sa_args.mode == ~0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid encmode %d\n", pr->encmode);
- return -1;
- }
-#endif
- /* set algorithm type and key length */
- sa_args.e_keylen = pr->head->encklen;
- if (pfkey_convertfromipsecdoi(
- pr->proto_id,
- pr->head->trns_id,
- pr->head->authtype,
- &sa_args.e_type, &sa_args.e_keylen,
- &sa_args.a_type, &sa_args.a_keylen,
- &sa_args.flags) < 0)
- return -1;
-
-#if 0
- sa_args.l_bytes = iph2->approval->lifebyte * 1024,
-#else
- sa_args.l_bytes = 0;
-#endif
-
-#ifdef HAVE_SECCTX
- if (*iph2->approval->sctx.ctx_str) {
- sa_args.ctxdoi = iph2->approval->sctx.ctx_doi;
- sa_args.ctxalg = iph2->approval->sctx.ctx_alg;
- sa_args.ctxstrlen = iph2->approval->sctx.ctx_strlen;
- sa_args.ctxstr = iph2->approval->sctx.ctx_str;
- }
-#endif /* HAVE_SECCTX */
-
-#ifdef ENABLE_NATT
- if (pr->udp_encap) {
- sa_args.l_natt_type = iph2->ph1->natt_options->encaps_type;
- sa_args.l_natt_sport = extract_port (iph2->ph1->remote);
- sa_args.l_natt_dport = extract_port (iph2->ph1->local);
- sa_args.l_natt_oa = NULL; // FIXME: Here comes OA!!!
-#ifdef SADB_X_EXT_NAT_T_FRAG
- sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
-#endif
- } else {
- /* Remove port information, that SA doesn't use it */
- set_port(sa_args.src, 0);
- set_port(sa_args.dst, 0);
- }
-
-#endif
- /* more info to fill in */
- sa_args.spi = pr->spi;
- sa_args.reqid = pr->reqid_in;
- sa_args.keymat = pr->keymat->v;
-
- plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_update2\n");
- if (pfkey_send_update2(&sa_args) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "libipsec failed send update (%s)\n",
- ipsec_strerror());
- return -1;
- }
-
-#ifndef ANDROID_PATCHED
- if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA])
- continue;
-
- /*
- * It maybe good idea to call backupsa_to_file() after
- * racoon will receive the sadb_update messages.
- * But it is impossible because there is not key in the
- * information from the kernel.
- */
-
- /* change some things before backing up */
- sa_args.wsize = 4;
- sa_args.l_bytes = iph2->approval->lifebyte * 1024;
-
- if (backupsa_to_file(&sa_args) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "backuped SA failed: %s\n",
- sadbsecas2str(sa_args.src, sa_args.dst,
- sa_args.satype, sa_args.spi, sa_args.mode));
- }
- plog(LLV_DEBUG, LOCATION, NULL,
- "backuped SA: %s\n",
- sadbsecas2str(sa_args.src, sa_args.dst,
- sa_args.satype, sa_args.spi, sa_args.mode));
-#endif
- }
-
- return 0;
-}
-
-static int
-pk_recvupdate(mhp)
- caddr_t *mhp;
-{
- struct sadb_msg *msg;
- struct sadb_sa *sa;
- struct sockaddr *src, *dst;
- struct ph2handle *iph2;
- u_int proto_id, encmode, sa_mode;
- int incomplete = 0;
- struct saproto *pr;
-
- /* ignore this message because of local test mode. */
- if (f_local)
- return 0;
-
- /* sanity check */
- if (mhp[0] == NULL
- || mhp[SADB_EXT_SA] == NULL
- || mhp[SADB_EXT_ADDRESS_SRC] == NULL
- || mhp[SADB_EXT_ADDRESS_DST] == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "inappropriate sadb update message passed.\n");
- return -1;
- }
- msg = (struct sadb_msg *)mhp[0];
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
-
- sa_mode = mhp[SADB_X_EXT_SA2] == NULL
- ? IPSEC_MODE_ANY
- : ((struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
-
- /* the message has to be processed or not ? */
- if (msg->sadb_msg_pid != getpid()) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "%s message is not interesting "
- "because pid %d is not mine.\n",
- s_pfkey_type(msg->sadb_msg_type),
- msg->sadb_msg_pid);
- return -1;
- }
-
- iph2 = getph2byseq(msg->sadb_msg_seq);
- if (iph2 == NULL) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "seq %d of %s message not interesting.\n",
- msg->sadb_msg_seq,
- s_pfkey_type(msg->sadb_msg_type));
- return -1;
- }
-
- if (iph2->status != PHASE2ST_ADDSA) {
- plog(LLV_ERROR, LOCATION, NULL,
- "status mismatch (db:%d msg:%d)\n",
- iph2->status, PHASE2ST_ADDSA);
- return -1;
- }
-
- /* check to complete all keys ? */
- for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
- proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
- if (proto_id == ~0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid proto_id %d\n", msg->sadb_msg_satype);
- return -1;
- }
- encmode = pfkey2ipsecdoi_mode(sa_mode);
- if (encmode == ~0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid encmode %d\n", sa_mode);
- return -1;
- }
-
- if (pr->proto_id == proto_id
- && pr->spi == sa->sadb_sa_spi) {
- pr->ok = 1;
- plog(LLV_DEBUG, LOCATION, NULL,
- "pfkey UPDATE succeeded: %s\n",
- sadbsecas2str(iph2->dst, iph2->src,
- msg->sadb_msg_satype,
- sa->sadb_sa_spi,
- sa_mode));
-
- plog(LLV_INFO, LOCATION, NULL,
- "IPsec-SA established: %s\n",
- sadbsecas2str(iph2->dst, iph2->src,
- msg->sadb_msg_satype, sa->sadb_sa_spi,
- sa_mode));
- }
-
- if (pr->ok == 0)
- incomplete = 1;
- }
-
- if (incomplete)
- return 0;
-
- /* turn off the timer for calling pfkey_timeover() */
- SCHED_KILL(iph2->sce);
-
- /* update status */
- iph2->status = PHASE2ST_ESTABLISHED;
-
-#ifdef ENABLE_STATS
- gettimeofday(&iph2->end, NULL);
- syslog(LOG_NOTICE, "%s(%s): %8.6f",
- "phase2", "quick", timedelta(&iph2->start, &iph2->end));
-#endif
-
- /* count up */
- iph2->ph1->ph2cnt++;
-
- /* turn off schedule */
- SCHED_KILL(iph2->scr);
-
- /* Force the update of ph2's ports, as there is at least one
- * situation where they'll mismatch with ph1's values
- */
-
-#ifdef ENABLE_NATT
- set_port(iph2->src, extract_port(iph2->ph1->local));
- set_port(iph2->dst, extract_port(iph2->ph1->remote));
-#endif
-
- /*
- * since we are going to reuse the phase2 handler, we need to
- * remain it and refresh all the references between ph1 and ph2 to use.
- */
- unbindph12(iph2);
-
- iph2->sce = sched_new(iph2->approval->lifetime,
- isakmp_ph2expire_stub, iph2);
-
- plog(LLV_DEBUG, LOCATION, NULL, "===\n");
- return 0;
-}
-
-/*
- * set outbound SA
- */
-int
-pk_sendadd(iph2)
- struct ph2handle *iph2;
-{
- struct saproto *pr;
- int proxy = 0;
- struct pfkey_send_sa_args sa_args;
-
- /* sanity check */
- if (iph2->approval == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "no approvaled SAs found.\n");
- return -1;
- }
-
- if (iph2->side == INITIATOR)
- proxy = iph2->ph1->rmconf->support_proxy;
- else if (iph2->sainfo && iph2->sainfo->id_i)
- proxy = 1;
-
- /* fill in some needed for pfkey_send_update2 */
- memset (&sa_args, 0, sizeof (sa_args));
- sa_args.so = lcconf->sock_pfkey;
- sa_args.l_addtime = iph2->approval->lifetime;
- sa_args.seq = iph2->seq;
- sa_args.wsize = 4;
-
- /* for mobile IPv6 */
- if (proxy && iph2->src_id && iph2->dst_id &&
- ipsecdoi_transportmode(iph2->approval)) {
- sa_args.src = iph2->src_id;
- sa_args.dst = iph2->dst_id;
- } else {
- sa_args.src = iph2->src;
- sa_args.dst = iph2->dst;
- }
-
- for (pr = iph2->approval->head; pr != NULL; pr = pr->next) {
- /* validity check */
- sa_args.satype = ipsecdoi2pfkey_proto(pr->proto_id);
- if (sa_args.satype == ~0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid proto_id %d\n", pr->proto_id);
- return -1;
- }
- else if (sa_args.satype == SADB_X_SATYPE_IPCOMP) {
- /* no replay window for IPCOMP */
- sa_args.wsize = 0;
- }
-#ifdef ENABLE_SAMODE_UNSPECIFIED
- sa_args.mode = IPSEC_MODE_ANY;
-#else
- sa_args.mode = ipsecdoi2pfkey_mode(pr->encmode);
- if (sa_args.mode == ~0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid encmode %d\n", pr->encmode);
- return -1;
- }
-#endif
-
- /* set algorithm type and key length */
- sa_args.e_keylen = pr->head->encklen;
- if (pfkey_convertfromipsecdoi(
- pr->proto_id,
- pr->head->trns_id,
- pr->head->authtype,
- &sa_args.e_type, &sa_args.e_keylen,
- &sa_args.a_type, &sa_args.a_keylen,
- &sa_args.flags) < 0)
- return -1;
-
-#if 0
- sa_args.l_bytes = iph2->approval->lifebyte * 1024,
-#else
- sa_args.l_bytes = 0;
-#endif
-
-#ifdef HAVE_SECCTX
- if (*iph2->approval->sctx.ctx_str) {
- sa_args.ctxdoi = iph2->approval->sctx.ctx_doi;
- sa_args.ctxalg = iph2->approval->sctx.ctx_alg;
- sa_args.ctxstrlen = iph2->approval->sctx.ctx_strlen;
- sa_args.ctxstr = iph2->approval->sctx.ctx_str;
- }
-#endif /* HAVE_SECCTX */
-
-#ifdef ENABLE_NATT
- plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_add2 "
- "(NAT flavor)\n");
-
- if (pr->udp_encap) {
- sa_args.l_natt_type = UDP_ENCAP_ESPINUDP;
- sa_args.l_natt_sport = extract_port(iph2->ph1->local);
- sa_args.l_natt_dport = extract_port(iph2->ph1->remote);
- sa_args.l_natt_oa = NULL; // FIXME: Here comes OA!!!
-#ifdef SADB_X_EXT_NAT_T_FRAG
- sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
-#endif
- } else {
- /* Remove port information, that SA doesn't use it */
- set_port(sa_args.src, 0);
- set_port(sa_args.dst, 0);
- }
-
-#else
- /* Remove port information, it is not used without NAT-T */
- set_port(sa_args.src, 0);
- set_port(sa_args.dst, 0);
-#endif
-
- /* more info to fill in */
- sa_args.spi = pr->spi_p;
- sa_args.reqid = pr->reqid_out;
- sa_args.keymat = pr->keymat_p->v;
-
- plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_add2\n");
- if (pfkey_send_add2(&sa_args) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "libipsec failed send add (%s)\n",
- ipsec_strerror());
- return -1;
- }
-
-#ifndef ANDROID_PATCHED
- if (!lcconf->pathinfo[LC_PATHTYPE_BACKUPSA])
- continue;
-
- /*
- * It maybe good idea to call backupsa_to_file() after
- * racoon will receive the sadb_update messages.
- * But it is impossible because there is not key in the
- * information from the kernel.
- */
- if (backupsa_to_file(&sa_args) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "backuped SA failed: %s\n",
- sadbsecas2str(sa_args.src, sa_args.dst,
- sa_args.satype, sa_args.spi, sa_args.mode));
- }
- plog(LLV_DEBUG, LOCATION, NULL,
- "backuped SA: %s\n",
- sadbsecas2str(sa_args.src, sa_args.dst,
- sa_args.satype, sa_args.spi, sa_args.mode));
-#endif
- }
- return 0;
-}
-
-static int
-pk_recvadd(mhp)
- caddr_t *mhp;
-{
- struct sadb_msg *msg;
- struct sadb_sa *sa;
- struct sockaddr *src, *dst;
- struct ph2handle *iph2;
- u_int sa_mode;
-
- /* ignore this message because of local test mode. */
- if (f_local)
- return 0;
-
- /* sanity check */
- if (mhp[0] == NULL
- || mhp[SADB_EXT_SA] == NULL
- || mhp[SADB_EXT_ADDRESS_SRC] == NULL
- || mhp[SADB_EXT_ADDRESS_DST] == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "inappropriate sadb add message passed.\n");
- return -1;
- }
- msg = (struct sadb_msg *)mhp[0];
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
-
- sa_mode = mhp[SADB_X_EXT_SA2] == NULL
- ? IPSEC_MODE_ANY
- : ((struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
-
- /* the message has to be processed or not ? */
- if (msg->sadb_msg_pid != getpid()) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "%s message is not interesting "
- "because pid %d is not mine.\n",
- s_pfkey_type(msg->sadb_msg_type),
- msg->sadb_msg_pid);
- return -1;
- }
-
- iph2 = getph2byseq(msg->sadb_msg_seq);
- if (iph2 == NULL) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "seq %d of %s message not interesting.\n",
- msg->sadb_msg_seq,
- s_pfkey_type(msg->sadb_msg_type));
- return -1;
- }
-
- /*
- * NOTE don't update any status of phase2 handle
- * because they must be updated by SADB_UPDATE message
- */
-
- plog(LLV_INFO, LOCATION, NULL,
- "IPsec-SA established: %s\n",
- sadbsecas2str(iph2->src, iph2->dst,
- msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode));
-
- plog(LLV_DEBUG, LOCATION, NULL, "===\n");
- return 0;
-}
-
-static int
-pk_recvexpire(mhp)
- caddr_t *mhp;
-{
- struct sadb_msg *msg;
- struct sadb_sa *sa;
- struct sockaddr *src, *dst;
- struct ph2handle *iph2;
- u_int proto_id, sa_mode;
-
- /* sanity check */
- if (mhp[0] == NULL
- || mhp[SADB_EXT_SA] == NULL
- || mhp[SADB_EXT_ADDRESS_SRC] == NULL
- || mhp[SADB_EXT_ADDRESS_DST] == NULL
- || (mhp[SADB_EXT_LIFETIME_HARD] != NULL
- && mhp[SADB_EXT_LIFETIME_SOFT] != NULL)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "inappropriate sadb expire message passed.\n");
- return -1;
- }
- msg = (struct sadb_msg *)mhp[0];
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
- sa_mode = mhp[SADB_X_EXT_SA2] == NULL
- ? IPSEC_MODE_ANY
- : ((struct sadb_x_sa2 *)mhp[SADB_X_EXT_SA2])->sadb_x_sa2_mode;
-
- proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
- if (proto_id == ~0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid proto_id %d\n", msg->sadb_msg_satype);
- return -1;
- }
-
- plog(LLV_INFO, LOCATION, NULL,
- "IPsec-SA expired: %s\n",
- sadbsecas2str(src, dst,
- msg->sadb_msg_satype, sa->sadb_sa_spi, sa_mode));
-
- iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
- if (iph2 == NULL) {
- /*
- * Ignore it because two expire messages are come up.
- * phase2 handler has been deleted already when 2nd message
- * is received.
- */
- plog(LLV_DEBUG, LOCATION, NULL,
- "no such a SA found: %s\n",
- sadbsecas2str(src, dst,
- msg->sadb_msg_satype, sa->sadb_sa_spi,
- sa_mode));
- return 0;
- }
- if (iph2->status != PHASE2ST_ESTABLISHED) {
- /*
- * If the status is not equal to PHASE2ST_ESTABLISHED,
- * racoon ignores this expire message. There are two reason.
- * One is that the phase 2 probably starts because there is
- * a potential that racoon receives the acquire message
- * without receiving a expire message. Another is that racoon
- * may receive the multiple expire messages from the kernel.
- */
- plog(LLV_WARNING, LOCATION, NULL,
- "the expire message is received "
- "but the handler has not been established.\n");
- return 0;
- }
-
- /* turn off the timer for calling isakmp_ph2expire() */
- SCHED_KILL(iph2->sce);
-
- iph2->status = PHASE2ST_EXPIRED;
-
- /* INITIATOR, begin phase 2 exchange. */
- /* allocate buffer for status management of pfkey message */
- if (iph2->side == INITIATOR) {
-
- initph2(iph2);
-
- /* update status for re-use */
- iph2->status = PHASE2ST_STATUS2;
-
- /* start isakmp initiation by using ident exchange */
- if (isakmp_post_acquire(iph2) < 0) {
- plog(LLV_ERROR, LOCATION, iph2->dst,
- "failed to begin ipsec sa "
- "re-negotication.\n");
- unbindph12(iph2);
- remph2(iph2);
- delph2(iph2);
- return -1;
- }
-
- return 0;
- /*NOTREACHED*/
- }
-
- /* If not received SADB_EXPIRE, INITIATOR delete ph2handle. */
- /* RESPONDER always delete ph2handle, keep silent. RESPONDER doesn't
- * manage IPsec SA, so delete the list */
- unbindph12(iph2);
- remph2(iph2);
- delph2(iph2);
-
- return 0;
-}
-
-static int
-pk_recvacquire(mhp)
- caddr_t *mhp;
-{
- struct sadb_msg *msg;
- struct sadb_x_policy *xpl;
- struct secpolicy *sp_out = NULL, *sp_in = NULL;
-#define MAXNESTEDSA 5 /* XXX */
- struct ph2handle *iph2[MAXNESTEDSA];
- struct sockaddr *src, *dst;
- int n; /* # of phase 2 handler */
- int remoteid=0;
-#ifdef HAVE_SECCTX
- struct sadb_x_sec_ctx *m_sec_ctx;
-#endif /* HAVE_SECCTX */
- struct policyindex spidx;
-
-
- /* ignore this message because of local test mode. */
- if (f_local)
- return 0;
-
- /* sanity check */
- if (mhp[0] == NULL
- || mhp[SADB_EXT_ADDRESS_SRC] == NULL
- || mhp[SADB_EXT_ADDRESS_DST] == NULL
- || mhp[SADB_X_EXT_POLICY] == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "inappropriate sadb acquire message passed.\n");
- return -1;
- }
- msg = (struct sadb_msg *)mhp[0];
- xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
-#ifdef HAVE_SECCTX
- m_sec_ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
-
- if (m_sec_ctx != NULL) {
- plog(LLV_INFO, LOCATION, NULL, "security context doi: %u\n",
- m_sec_ctx->sadb_x_ctx_doi);
- plog(LLV_INFO, LOCATION, NULL,
- "security context algorithm: %u\n",
- m_sec_ctx->sadb_x_ctx_alg);
- plog(LLV_INFO, LOCATION, NULL, "security context length: %u\n",
- m_sec_ctx->sadb_x_ctx_len);
- plog(LLV_INFO, LOCATION, NULL, "security context: %s\n",
- ((char *)m_sec_ctx + sizeof(struct sadb_x_sec_ctx)));
- }
-#endif /* HAVE_SECCTX */
-
- /* ignore if type is not IPSEC_POLICY_IPSEC */
- if (xpl->sadb_x_policy_type != IPSEC_POLICY_IPSEC) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "ignore ACQUIRE message. type is not IPsec.\n");
- return 0;
- }
-
- /* ignore it if src is multicast address */
- {
- struct sockaddr *sa = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
- if ((sa->sa_family == AF_INET
- && IN_MULTICAST(ntohl(((struct sockaddr_in *)sa)->sin_addr.s_addr)))
-#ifdef INET6
- || (sa->sa_family == AF_INET6
- && IN6_IS_ADDR_MULTICAST(&((struct sockaddr_in6 *)sa)->sin6_addr))
-#endif
- ) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "ignore due to multicast address: %s.\n",
- saddrwop2str(sa));
- return 0;
- }
- }
-
- /* ignore, if we do not listen on source address */
- {
- /* reasons behind:
- * - if we'll contact peer from address we do not listen -
- * we will be unable to complete negotiation;
- * - if we'll negotiate using address we're listening -
- * remote peer will send packets to address different
- * than one in the policy, so kernel will drop them;
- * => therefore this acquire is not for us! --Aidas
- */
- struct sockaddr *sa = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- struct myaddrs *p;
- int do_listen = 0;
- for (p = lcconf->myaddrs; p; p = p->next) {
- if (!cmpsaddrwop(p->addr, sa)) {
- do_listen = 1;
- break;
- }
- }
-
- if (!do_listen) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "ignore because do not listen on source address : %s.\n",
- saddrwop2str(sa));
- return 0;
- }
- }
-
- /*
- * If there is a phase 2 handler against the policy identifier in
- * the acquire message, and if
- * 1. its state is less than PHASE2ST_ESTABLISHED, then racoon
- * should ignore such a acquire message because the phase 2
- * is just negotiating.
- * 2. its state is equal to PHASE2ST_ESTABLISHED, then racoon
- * has to prcesss such a acquire message because racoon may
- * lost the expire message.
- */
- iph2[0] = getph2byid(src, dst, xpl->sadb_x_policy_id);
- if (iph2[0] != NULL) {
- if (iph2[0]->status < PHASE2ST_ESTABLISHED) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "ignore the acquire because ph2 found\n");
- return -1;
- }
- if (iph2[0]->status == PHASE2ST_EXPIRED)
- iph2[0] = NULL;
- /*FALLTHROUGH*/
- }
-
- /* search for proper policyindex */
- sp_out = getspbyspid(xpl->sadb_x_policy_id);
- if (sp_out == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "no policy found: id:%d.\n",
- xpl->sadb_x_policy_id);
- return -1;
- }
- plog(LLV_DEBUG, LOCATION, NULL,
- "suitable outbound SP found: %s.\n", spidx2str(&sp_out->spidx));
-
- /* get inbound policy */
- {
-
- memset(&spidx, 0, sizeof(spidx));
- spidx.dir = IPSEC_DIR_INBOUND;
- memcpy(&spidx.src, &sp_out->spidx.dst, sizeof(spidx.src));
- memcpy(&spidx.dst, &sp_out->spidx.src, sizeof(spidx.dst));
- spidx.prefs = sp_out->spidx.prefd;
- spidx.prefd = sp_out->spidx.prefs;
- spidx.ul_proto = sp_out->spidx.ul_proto;
-
-#ifdef HAVE_SECCTX
- if (m_sec_ctx) {
- spidx.sec_ctx.ctx_doi = m_sec_ctx->sadb_x_ctx_doi;
- spidx.sec_ctx.ctx_alg = m_sec_ctx->sadb_x_ctx_alg;
- spidx.sec_ctx.ctx_strlen = m_sec_ctx->sadb_x_ctx_len;
- memcpy(spidx.sec_ctx.ctx_str,
- ((char *)m_sec_ctx + sizeof(struct sadb_x_sec_ctx)),
- spidx.sec_ctx.ctx_strlen);
- }
-#endif /* HAVE_SECCTX */
-
- sp_in = getsp(&spidx);
- if (sp_in) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "suitable inbound SP found: %s.\n",
- spidx2str(&sp_in->spidx));
- } else {
- plog(LLV_NOTIFY, LOCATION, NULL,
- "no in-bound policy found: %s\n",
- spidx2str(&spidx));
- }
- }
-
- memset(iph2, 0, MAXNESTEDSA);
-
- n = 0;
-
- /* allocate a phase 2 */
- iph2[n] = newph2();
- if (iph2[n] == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate phase2 entry.\n");
- return -1;
- }
- iph2[n]->side = INITIATOR;
- iph2[n]->spid = xpl->sadb_x_policy_id;
- iph2[n]->satype = msg->sadb_msg_satype;
- iph2[n]->seq = msg->sadb_msg_seq;
- iph2[n]->status = PHASE2ST_STATUS2;
-
- /* set end addresses of SA */
- iph2[n]->dst = dupsaddr(PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]));
- if (iph2[n]->dst == NULL) {
- delph2(iph2[n]);
- return -1;
- }
- iph2[n]->src = dupsaddr(PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]));
- if (iph2[n]->src == NULL) {
- delph2(iph2[n]);
- return -1;
- }
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "new acquire %s\n", spidx2str(&sp_out->spidx));
-
- /* get sainfo */
- {
- vchar_t *idsrc, *iddst;
-
- idsrc = ipsecdoi_sockaddr2id((struct sockaddr *)&sp_out->spidx.src,
- sp_out->spidx.prefs, sp_out->spidx.ul_proto);
- if (idsrc == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get ID for %s\n",
- spidx2str(&sp_out->spidx));
- delph2(iph2[n]);
- return -1;
- }
- iddst = ipsecdoi_sockaddr2id((struct sockaddr *)&sp_out->spidx.dst,
- sp_out->spidx.prefd, sp_out->spidx.ul_proto);
- if (iddst == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get ID for %s\n",
- spidx2str(&sp_out->spidx));
- vfree(idsrc);
- delph2(iph2[n]);
- return -1;
- }
- {
- struct remoteconf *conf;
- conf = getrmconf(iph2[n]->dst);
- if (conf != NULL)
- remoteid=conf->ph1id;
- else{
- plog(LLV_DEBUG, LOCATION, NULL, "Warning: no valid rmconf !\n");
- remoteid=0;
- }
- }
- iph2[n]->sainfo = getsainfo(idsrc, iddst, NULL, remoteid);
- vfree(idsrc);
- vfree(iddst);
- if (iph2[n]->sainfo == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get sainfo.\n");
- delph2(iph2[n]);
- return -1;
- /* XXX should use the algorithm list from register message */
- }
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "selected sainfo: %s\n", sainfo2str(iph2[n]->sainfo));
- }
-
- if (set_proposal_from_policy(iph2[n], sp_out, sp_in) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to create saprop.\n");
- delph2(iph2[n]);
- return -1;
- }
-#ifdef HAVE_SECCTX
- if (m_sec_ctx) {
- set_secctx_in_proposal(iph2[n], spidx);
- }
-#endif /* HAVE_SECCTX */
-
- insph2(iph2[n]);
-
- /* start isakmp initiation by using ident exchange */
- /* XXX should be looped if there are multiple phase 2 handler. */
- if (isakmp_post_acquire(iph2[n]) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to begin ipsec sa negotication.\n");
- goto err;
- }
-
- return 0;
-
-err:
- while (n >= 0) {
- unbindph12(iph2[n]);
- remph2(iph2[n]);
- delph2(iph2[n]);
- iph2[n] = NULL;
- n--;
- }
- return -1;
-}
-
-static int
-pk_recvdelete(mhp)
- caddr_t *mhp;
-{
- struct sadb_msg *msg;
- struct sadb_sa *sa;
- struct sockaddr *src, *dst;
- struct ph2handle *iph2 = NULL;
- u_int proto_id;
-
- /* ignore this message because of local test mode. */
- if (f_local)
- return 0;
-
- /* sanity check */
- if (mhp[0] == NULL
- || mhp[SADB_EXT_SA] == NULL
- || mhp[SADB_EXT_ADDRESS_SRC] == NULL
- || mhp[SADB_EXT_ADDRESS_DST] == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "inappropriate sadb delete message passed.\n");
- return -1;
- }
- msg = (struct sadb_msg *)mhp[0];
- sa = (struct sadb_sa *)mhp[SADB_EXT_SA];
- src = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_SRC]);
- dst = PFKEY_ADDR_SADDR(mhp[SADB_EXT_ADDRESS_DST]);
-
- /* the message has to be processed or not ? */
- if (msg->sadb_msg_pid == getpid()) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "%s message is not interesting "
- "because the message was originated by me.\n",
- s_pfkey_type(msg->sadb_msg_type));
- return -1;
- }
-
- proto_id = pfkey2ipsecdoi_proto(msg->sadb_msg_satype);
- if (proto_id == ~0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid proto_id %d\n", msg->sadb_msg_satype);
- return -1;
- }
-
- iph2 = getph2bysaidx(src, dst, proto_id, sa->sadb_sa_spi);
- if (iph2 == NULL) {
- /* ignore */
- plog(LLV_ERROR, LOCATION, NULL,
- "no iph2 found: %s\n",
- sadbsecas2str(src, dst, msg->sadb_msg_satype,
- sa->sadb_sa_spi, IPSEC_MODE_ANY));
- return 0;
- }
-
- plog(LLV_ERROR, LOCATION, NULL,
- "pfkey DELETE received: %s\n",
- sadbsecas2str(iph2->src, iph2->dst,
- msg->sadb_msg_satype, sa->sadb_sa_spi, IPSEC_MODE_ANY));
-
- /* send delete information */
- if (iph2->status == PHASE2ST_ESTABLISHED)
- isakmp_info_send_d2(iph2);
-
- unbindph12(iph2);
- remph2(iph2);
- delph2(iph2);
-
- return 0;
-}
-
-static int
-pk_recvflush(mhp)
- caddr_t *mhp;
-{
- /* ignore this message because of local test mode. */
- if (f_local)
- return 0;
-
- /* sanity check */
- if (mhp[0] == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "inappropriate sadb flush message passed.\n");
- return -1;
- }
-
- flushph2();
-
- return 0;
-}
-
-static int
-getsadbpolicy(policy0, policylen0, type, iph2)
- caddr_t *policy0;
- int *policylen0, type;
- struct ph2handle *iph2;
-{
- struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen;
- struct sadb_x_policy *xpl;
- struct sadb_x_ipsecrequest *xisr;
- struct saproto *pr;
- struct saproto **pr_rlist;
- int rlist_len = 0;
- caddr_t policy, p;
- int policylen;
- int xisrlen;
- u_int satype, mode;
- int len = 0;
-#ifdef HAVE_SECCTX
- int ctxlen = 0;
-#endif /* HAVE_SECCTX */
-
-
- /* get policy buffer size */
- policylen = sizeof(struct sadb_x_policy);
- if (type != SADB_X_SPDDELETE) {
- for (pr = iph2->approval->head; pr; pr = pr->next) {
- xisrlen = sizeof(*xisr);
- if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL) {
- xisrlen += (sysdep_sa_len(iph2->src)
- + sysdep_sa_len(iph2->dst));
- }
-
- policylen += PFKEY_ALIGN8(xisrlen);
- }
- }
-
-#ifdef HAVE_SECCTX
- if (*spidx->sec_ctx.ctx_str) {
- ctxlen = sizeof(struct sadb_x_sec_ctx)
- + PFKEY_ALIGN8(spidx->sec_ctx.ctx_strlen);
- policylen += ctxlen;
- }
-#endif /* HAVE_SECCTX */
-
- /* make policy structure */
- policy = racoon_malloc(policylen);
- memset((void*)policy, 0xcd, policylen);
- if (!policy) {
- plog(LLV_ERROR, LOCATION, NULL,
- "buffer allocation failed.\n");
- return -1;
- }
-
- xpl = (struct sadb_x_policy *)policy;
- xpl->sadb_x_policy_len = PFKEY_UNIT64(policylen);
- xpl->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
- xpl->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
- xpl->sadb_x_policy_dir = spidx->dir;
- xpl->sadb_x_policy_id = 0;
-#ifdef HAVE_PFKEY_POLICY_PRIORITY
- xpl->sadb_x_policy_priority = PRIORITY_DEFAULT;
-#endif
- len++;
-
-#ifdef HAVE_SECCTX
- if (*spidx->sec_ctx.ctx_str) {
- struct sadb_x_sec_ctx *p;
-
- p = (struct sadb_x_sec_ctx *)(xpl + len);
- memset(p, 0, ctxlen);
- p->sadb_x_sec_len = PFKEY_UNIT64(ctxlen);
- p->sadb_x_sec_exttype = SADB_X_EXT_SEC_CTX;
- p->sadb_x_ctx_len = spidx->sec_ctx.ctx_strlen;
- p->sadb_x_ctx_doi = spidx->sec_ctx.ctx_doi;
- p->sadb_x_ctx_alg = spidx->sec_ctx.ctx_alg;
-
- memcpy(p + 1,spidx->sec_ctx.ctx_str,spidx->sec_ctx.ctx_strlen);
- len += ctxlen;
- }
-#endif /* HAVE_SECCTX */
-
- /* no need to append policy information any more if type is SPDDELETE */
- if (type == SADB_X_SPDDELETE)
- goto end;
-
- xisr = (struct sadb_x_ipsecrequest *)(xpl + len);
-
- /* The order of things is reversed for use in add policy messages */
- for (pr = iph2->approval->head; pr; pr = pr->next) rlist_len++;
- pr_rlist = racoon_malloc((rlist_len+1)*sizeof(struct saproto*));
- if (!pr_rlist) {
- plog(LLV_ERROR, LOCATION, NULL,
- "buffer allocation failed.\n");
- return -1;
- }
- pr_rlist[rlist_len--] = NULL;
- for (pr = iph2->approval->head; pr; pr = pr->next) pr_rlist[rlist_len--] = pr;
- rlist_len = 0;
-
- for (pr = pr_rlist[rlist_len++]; pr; pr = pr_rlist[rlist_len++]) {
-
- satype = doi2ipproto(pr->proto_id);
- if (satype == ~0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid proto_id %d\n", pr->proto_id);
- goto err;
- }
- mode = ipsecdoi2pfkey_mode(pr->encmode);
- if (mode == ~0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid encmode %d\n", pr->encmode);
- goto err;
- }
-
- /*
- * the policy level cannot be unique because the policy
- * is defined later than SA, so req_id cannot be bound to SA.
- */
- xisr->sadb_x_ipsecrequest_proto = satype;
- xisr->sadb_x_ipsecrequest_mode = mode;
- if(iph2->proposal->head->reqid_in > 0){
- xisr->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
- xisr->sadb_x_ipsecrequest_reqid = iph2->proposal->head->reqid_in;
- }else{
- xisr->sadb_x_ipsecrequest_level = IPSEC_LEVEL_REQUIRE;
- xisr->sadb_x_ipsecrequest_reqid = 0;
- }
- p = (caddr_t)(xisr + 1);
-
- xisrlen = sizeof(*xisr);
-
- if (pr->encmode == IPSECDOI_ATTR_ENC_MODE_TUNNEL) {
- int src_len, dst_len;
-
- src_len = sysdep_sa_len(iph2->src);
- dst_len = sysdep_sa_len(iph2->dst);
- xisrlen += src_len + dst_len;
-
- memcpy(p, iph2->src, src_len);
- p += src_len;
-
- memcpy(p, iph2->dst, dst_len);
- p += dst_len;
- }
-
- xisr->sadb_x_ipsecrequest_len = PFKEY_ALIGN8(xisrlen);
- xisr = (struct sadb_x_ipsecrequest *)p;
-
- }
- racoon_free(pr_rlist);
-
-end:
- *policy0 = policy;
- *policylen0 = policylen;
-
- return 0;
-
-err:
- if (policy)
- racoon_free(policy);
- if (pr_rlist) racoon_free(pr_rlist);
-
- return -1;
-}
-
-int
-pk_sendspdupdate2(iph2)
- struct ph2handle *iph2;
-{
- struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen;
- caddr_t policy = NULL;
- int policylen = 0;
- u_int64_t ltime, vtime;
-
- ltime = iph2->approval->lifetime;
- vtime = 0;
-
- if (getsadbpolicy(&policy, &policylen, SADB_X_SPDUPDATE, iph2)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "getting sadb policy failed.\n");
- return -1;
- }
-
- if (pfkey_send_spdupdate2(
- lcconf->sock_pfkey,
- (struct sockaddr *)&spidx->src,
- spidx->prefs,
- (struct sockaddr *)&spidx->dst,
- spidx->prefd,
- spidx->ul_proto,
- ltime, vtime,
- policy, policylen, 0) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "libipsec failed send spdupdate2 (%s)\n",
- ipsec_strerror());
- goto end;
- }
- plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_spdupdate2\n");
-
-end:
- if (policy)
- racoon_free(policy);
-
- return 0;
-}
-
-static int
-pk_recvspdupdate(mhp)
- caddr_t *mhp;
-{
- struct sadb_address *saddr, *daddr;
- struct sadb_x_policy *xpl;
- struct sadb_lifetime *lt;
- struct policyindex spidx;
- struct secpolicy *sp;
- u_int64_t created;
-
- /* sanity check */
- if (mhp[0] == NULL
- || mhp[SADB_EXT_ADDRESS_SRC] == NULL
- || mhp[SADB_EXT_ADDRESS_DST] == NULL
- || mhp[SADB_X_EXT_POLICY] == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "inappropriate sadb spdupdate message passed.\n");
- return -1;
- }
- saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
- daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
- xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
- lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
- if(lt != NULL)
- created = lt->sadb_lifetime_addtime;
- else
- created = 0;
-
-#ifdef HAVE_PFKEY_POLICY_PRIORITY
- KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
- saddr + 1,
- daddr + 1,
- saddr->sadb_address_prefixlen,
- daddr->sadb_address_prefixlen,
- saddr->sadb_address_proto,
- xpl->sadb_x_policy_priority,
- created,
- &spidx);
-#else
- KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
- saddr + 1,
- daddr + 1,
- saddr->sadb_address_prefixlen,
- daddr->sadb_address_prefixlen,
- saddr->sadb_address_proto,
- created,
- &spidx);
-#endif
-
-#ifdef HAVE_SECCTX
- if (mhp[SADB_X_EXT_SEC_CTX] != NULL) {
- struct sadb_x_sec_ctx *ctx;
-
- ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
- spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg;
- spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi;
- spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len;
- memcpy(spidx.sec_ctx.ctx_str, ctx + 1, ctx->sadb_x_ctx_len);
- }
-#endif /* HAVE_SECCTX */
-
- sp = getsp(&spidx);
- if (sp == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "such policy does not already exist: \"%s\"\n",
- spidx2str(&spidx));
- } else {
- remsp(sp);
- delsp(sp);
- }
-
- if (addnewsp(mhp) < 0)
- return -1;
-
- return 0;
-}
-
-/*
- * this function has to be used by responder side.
- */
-int
-pk_sendspdadd2(iph2)
- struct ph2handle *iph2;
-{
- struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen;
- caddr_t policy = NULL;
- int policylen = 0;
- u_int64_t ltime, vtime;
-
- ltime = iph2->approval->lifetime;
- vtime = 0;
-
- if (getsadbpolicy(&policy, &policylen, SADB_X_SPDADD, iph2)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "getting sadb policy failed.\n");
- return -1;
- }
-
- if (pfkey_send_spdadd2(
- lcconf->sock_pfkey,
- (struct sockaddr *)&spidx->src,
- spidx->prefs,
- (struct sockaddr *)&spidx->dst,
- spidx->prefd,
- spidx->ul_proto,
- ltime, vtime,
- policy, policylen, 0) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "libipsec failed send spdadd2 (%s)\n",
- ipsec_strerror());
- goto end;
- }
- plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_spdadd2\n");
-
-end:
- if (policy)
- racoon_free(policy);
-
- return 0;
-}
-
-static int
-pk_recvspdadd(mhp)
- caddr_t *mhp;
-{
- struct sadb_address *saddr, *daddr;
- struct sadb_x_policy *xpl;
- struct sadb_lifetime *lt;
- struct policyindex spidx;
- struct secpolicy *sp;
- u_int64_t created;
-
- /* sanity check */
- if (mhp[0] == NULL
- || mhp[SADB_EXT_ADDRESS_SRC] == NULL
- || mhp[SADB_EXT_ADDRESS_DST] == NULL
- || mhp[SADB_X_EXT_POLICY] == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "inappropriate sadb spdadd message passed.\n");
- return -1;
- }
- saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
- daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
- xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
- lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
- if(lt != NULL)
- created = lt->sadb_lifetime_addtime;
- else
- created = 0;
-
-#ifdef HAVE_PFKEY_POLICY_PRIORITY
- KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
- saddr + 1,
- daddr + 1,
- saddr->sadb_address_prefixlen,
- daddr->sadb_address_prefixlen,
- saddr->sadb_address_proto,
- xpl->sadb_x_policy_priority,
- created,
- &spidx);
-#else
- KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
- saddr + 1,
- daddr + 1,
- saddr->sadb_address_prefixlen,
- daddr->sadb_address_prefixlen,
- saddr->sadb_address_proto,
- created,
- &spidx);
-#endif
-
-#ifdef HAVE_SECCTX
- if (mhp[SADB_X_EXT_SEC_CTX] != NULL) {
- struct sadb_x_sec_ctx *ctx;
-
- ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
- spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg;
- spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi;
- spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len;
- memcpy(spidx.sec_ctx.ctx_str, ctx + 1, ctx->sadb_x_ctx_len);
- }
-#endif /* HAVE_SECCTX */
-
- sp = getsp(&spidx);
- if (sp != NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "such policy already exists. "
- "anyway replace it: %s\n",
- spidx2str(&spidx));
- remsp(sp);
- delsp(sp);
- }
-
- if (addnewsp(mhp) < 0)
- return -1;
-
- return 0;
-}
-
-/*
- * this function has to be used by responder side.
- */
-int
-pk_sendspddelete(iph2)
- struct ph2handle *iph2;
-{
- struct policyindex *spidx = (struct policyindex *)iph2->spidx_gen;
- caddr_t policy = NULL;
- int policylen;
-
- if (getsadbpolicy(&policy, &policylen, SADB_X_SPDDELETE, iph2)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "getting sadb policy failed.\n");
- return -1;
- }
-
- if (pfkey_send_spddelete(
- lcconf->sock_pfkey,
- (struct sockaddr *)&spidx->src,
- spidx->prefs,
- (struct sockaddr *)&spidx->dst,
- spidx->prefd,
- spidx->ul_proto,
- policy, policylen, 0) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "libipsec failed send spddelete (%s)\n",
- ipsec_strerror());
- goto end;
- }
- plog(LLV_DEBUG, LOCATION, NULL, "call pfkey_send_spddelete\n");
-
-end:
- if (policy)
- racoon_free(policy);
-
- return 0;
-}
-
-static int
-pk_recvspddelete(mhp)
- caddr_t *mhp;
-{
- struct sadb_address *saddr, *daddr;
- struct sadb_x_policy *xpl;
- struct sadb_lifetime *lt;
- struct policyindex spidx;
- struct secpolicy *sp;
- u_int64_t created;
-
- /* sanity check */
- if (mhp[0] == NULL
- || mhp[SADB_EXT_ADDRESS_SRC] == NULL
- || mhp[SADB_EXT_ADDRESS_DST] == NULL
- || mhp[SADB_X_EXT_POLICY] == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "inappropriate sadb spddelete message passed.\n");
- return -1;
- }
- saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
- daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
- xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
- lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
- if(lt != NULL)
- created = lt->sadb_lifetime_addtime;
- else
- created = 0;
-
-#ifdef HAVE_PFKEY_POLICY_PRIORITY
- KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
- saddr + 1,
- daddr + 1,
- saddr->sadb_address_prefixlen,
- daddr->sadb_address_prefixlen,
- saddr->sadb_address_proto,
- xpl->sadb_x_policy_priority,
- created,
- &spidx);
-#else
- KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
- saddr + 1,
- daddr + 1,
- saddr->sadb_address_prefixlen,
- daddr->sadb_address_prefixlen,
- saddr->sadb_address_proto,
- created,
- &spidx);
-#endif
-
-#ifdef HAVE_SECCTX
- if (mhp[SADB_X_EXT_SEC_CTX] != NULL) {
- struct sadb_x_sec_ctx *ctx;
-
- ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
- spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg;
- spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi;
- spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len;
- memcpy(spidx.sec_ctx.ctx_str, ctx + 1, ctx->sadb_x_ctx_len);
- }
-#endif /* HAVE_SECCTX */
-
- sp = getsp(&spidx);
- if (sp == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "no policy found: %s\n",
- spidx2str(&spidx));
- return -1;
- }
-
- remsp(sp);
- delsp(sp);
-
- return 0;
-}
-
-static int
-pk_recvspdexpire(mhp)
- caddr_t *mhp;
-{
- struct sadb_address *saddr, *daddr;
- struct sadb_x_policy *xpl;
- struct sadb_lifetime *lt;
- struct policyindex spidx;
- struct secpolicy *sp;
- u_int64_t created;
-
- /* sanity check */
- if (mhp[0] == NULL
- || mhp[SADB_EXT_ADDRESS_SRC] == NULL
- || mhp[SADB_EXT_ADDRESS_DST] == NULL
- || mhp[SADB_X_EXT_POLICY] == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "inappropriate sadb spdexpire message passed.\n");
- return -1;
- }
- saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
- daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
- xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
- lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
- if(lt != NULL)
- created = lt->sadb_lifetime_addtime;
- else
- created = 0;
-
-#ifdef HAVE_PFKEY_POLICY_PRIORITY
- KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
- saddr + 1,
- daddr + 1,
- saddr->sadb_address_prefixlen,
- daddr->sadb_address_prefixlen,
- saddr->sadb_address_proto,
- xpl->sadb_x_policy_priority,
- created,
- &spidx);
-#else
- KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
- saddr + 1,
- daddr + 1,
- saddr->sadb_address_prefixlen,
- daddr->sadb_address_prefixlen,
- saddr->sadb_address_proto,
- created,
- &spidx);
-#endif
-
-#ifdef HAVE_SECCTX
- if (mhp[SADB_X_EXT_SEC_CTX] != NULL) {
- struct sadb_x_sec_ctx *ctx;
-
- ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
- spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg;
- spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi;
- spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len;
- memcpy(spidx.sec_ctx.ctx_str, ctx + 1, ctx->sadb_x_ctx_len);
- }
-#endif /* HAVE_SECCTX */
-
- sp = getsp(&spidx);
- if (sp == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "no policy found: %s\n",
- spidx2str(&spidx));
- return -1;
- }
-
- remsp(sp);
- delsp(sp);
-
- return 0;
-}
-
-static int
-pk_recvspdget(mhp)
- caddr_t *mhp;
-{
- /* sanity check */
- if (mhp[0] == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "inappropriate sadb spdget message passed.\n");
- return -1;
- }
-
- return 0;
-}
-
-static int
-pk_recvspddump(mhp)
- caddr_t *mhp;
-{
- struct sadb_msg *msg;
- struct sadb_address *saddr, *daddr;
- struct sadb_x_policy *xpl;
- struct sadb_lifetime *lt;
- struct policyindex spidx;
- struct secpolicy *sp;
- u_int64_t created;
-
- /* sanity check */
- if (mhp[0] == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "inappropriate sadb spddump message passed.\n");
- return -1;
- }
- msg = (struct sadb_msg *)mhp[0];
-
- saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
- daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
- xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
- lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
- if(lt != NULL)
- created = lt->sadb_lifetime_addtime;
- else
- created = 0;
-
- if (saddr == NULL || daddr == NULL || xpl == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "inappropriate sadb spddump message passed.\n");
- return -1;
- }
-
-#ifdef HAVE_PFKEY_POLICY_PRIORITY
- KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
- saddr + 1,
- daddr + 1,
- saddr->sadb_address_prefixlen,
- daddr->sadb_address_prefixlen,
- saddr->sadb_address_proto,
- xpl->sadb_x_policy_priority,
- created,
- &spidx);
-#else
- KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
- saddr + 1,
- daddr + 1,
- saddr->sadb_address_prefixlen,
- daddr->sadb_address_prefixlen,
- saddr->sadb_address_proto,
- created,
- &spidx);
-#endif
-
-#ifdef HAVE_SECCTX
- if (mhp[SADB_X_EXT_SEC_CTX] != NULL) {
- struct sadb_x_sec_ctx *ctx;
-
- ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
- spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg;
- spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi;
- spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len;
- memcpy(spidx.sec_ctx.ctx_str, ctx + 1, ctx->sadb_x_ctx_len);
- }
-#endif /* HAVE_SECCTX */
-
- sp = getsp(&spidx);
- if (sp != NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "such policy already exists. "
- "anyway replace it: %s\n",
- spidx2str(&spidx));
- remsp(sp);
- delsp(sp);
- }
-
- if (addnewsp(mhp) < 0)
- return -1;
-
- return 0;
-}
-
-static int
-pk_recvspdflush(mhp)
- caddr_t *mhp;
-{
- /* sanity check */
- if (mhp[0] == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "inappropriate sadb spdflush message passed.\n");
- return -1;
- }
-
- flushsp();
-
- return 0;
-}
-
-#ifndef ANDROID_PATCHED
-
-/*
- * send error against acquire message to kenrel.
- */
-int
-pk_sendeacquire(iph2)
- struct ph2handle *iph2;
-{
- struct sadb_msg *newmsg;
- int len;
-
- len = sizeof(struct sadb_msg);
- newmsg = racoon_calloc(1, len);
- if (newmsg == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get buffer to send acquire.\n");
- return -1;
- }
-
- memset(newmsg, 0, len);
- newmsg->sadb_msg_version = PF_KEY_V2;
- newmsg->sadb_msg_type = SADB_ACQUIRE;
- newmsg->sadb_msg_errno = ENOENT; /* XXX */
- newmsg->sadb_msg_satype = iph2->satype;
- newmsg->sadb_msg_len = PFKEY_UNIT64(len);
- newmsg->sadb_msg_reserved = 0;
- newmsg->sadb_msg_seq = iph2->seq;
- newmsg->sadb_msg_pid = (u_int32_t)getpid();
-
- /* send message */
- len = pfkey_send(lcconf->sock_pfkey, newmsg, len);
-
- racoon_free(newmsg);
-
- return 0;
-}
-
-#else
-
-int pk_sendeacquire(struct ph2handle *iph2)
-{
- exit(1);
-}
-
-#endif
-
-/*
- * check if the algorithm is supported or not.
- * OUT 0: ok
- * -1: ng
- */
-int
-pk_checkalg(class, calg, keylen)
- int class, calg, keylen;
-{
- int sup, error;
- u_int alg;
- struct sadb_alg alg0;
-
- switch (algclass2doi(class)) {
- case IPSECDOI_PROTO_IPSEC_ESP:
- sup = SADB_EXT_SUPPORTED_ENCRYPT;
- break;
- case IPSECDOI_ATTR_AUTH:
- sup = SADB_EXT_SUPPORTED_AUTH;
- break;
- case IPSECDOI_PROTO_IPCOMP:
- plog(LLV_DEBUG, LOCATION, NULL,
- "compression algorithm can not be checked "
- "because sadb message doesn't support it.\n");
- return 0;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid algorithm class.\n");
- return -1;
- }
- alg = ipsecdoi2pfkey_alg(algclass2doi(class), algtype2doi(class, calg));
- if (alg == ~0)
- return -1;
-
- if (keylen == 0) {
- if (ipsec_get_keylen(sup, alg, &alg0)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "%s.\n", ipsec_strerror());
- return -1;
- }
- keylen = alg0.sadb_alg_minbits;
- }
-
- error = ipsec_check_keylen(sup, alg, keylen);
- if (error)
- plog(LLV_ERROR, LOCATION, NULL,
- "%s.\n", ipsec_strerror());
-
- return error;
-}
-
-/*
- * differences with pfkey_recv() in libipsec/pfkey.c:
- * - never performs busy wait loop.
- * - returns NULL and set *lenp to negative on fatal failures
- * - returns NULL and set *lenp to non-negative on non-fatal failures
- * - returns non-NULL on success
- */
-static struct sadb_msg *
-pk_recv(so, lenp)
- int so;
- int *lenp;
-{
- struct sadb_msg buf, *newmsg;
- int reallen;
- int retry = 0;
-
- *lenp = -1;
- do
- {
- plog(LLV_DEBUG, LOCATION, NULL, "pk_recv: retry[%d] recv() \n", retry );
- *lenp = recv(so, (caddr_t)&buf, sizeof(buf), MSG_PEEK | MSG_DONTWAIT);
- retry++;
- }
- while (*lenp < 0 && errno == EAGAIN && retry < 3);
-
- if (*lenp < 0)
- return NULL; /*fatal*/
-
- else if (*lenp < sizeof(buf))
- return NULL;
-
- reallen = PFKEY_UNUNIT64(buf.sadb_msg_len);
- if ((newmsg = racoon_calloc(1, reallen)) == NULL)
- return NULL;
-
- *lenp = recv(so, (caddr_t)newmsg, reallen, MSG_PEEK);
- if (*lenp < 0) {
- racoon_free(newmsg);
- return NULL; /*fatal*/
- } else if (*lenp != reallen) {
- racoon_free(newmsg);
- return NULL;
- }
-
- *lenp = recv(so, (caddr_t)newmsg, reallen, 0);
- if (*lenp < 0) {
- racoon_free(newmsg);
- return NULL; /*fatal*/
- } else if (*lenp != reallen) {
- racoon_free(newmsg);
- return NULL;
- }
-
- return newmsg;
-}
-
-/* see handler.h */
-u_int32_t
-pk_getseq()
-{
- return eay_random();
-}
-
-static int
-addnewsp(mhp)
- caddr_t *mhp;
-{
- struct secpolicy *new = NULL;
- struct sadb_address *saddr, *daddr;
- struct sadb_x_policy *xpl;
- struct sadb_lifetime *lt;
- u_int64_t created;
-
- /* sanity check */
- if (mhp[SADB_EXT_ADDRESS_SRC] == NULL
- || mhp[SADB_EXT_ADDRESS_DST] == NULL
- || mhp[SADB_X_EXT_POLICY] == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "inappropriate sadb spd management message passed.\n");
- goto bad;
- }
-
- saddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_SRC];
- daddr = (struct sadb_address *)mhp[SADB_EXT_ADDRESS_DST];
- xpl = (struct sadb_x_policy *)mhp[SADB_X_EXT_POLICY];
- lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
- if(lt != NULL)
- created = lt->sadb_lifetime_addtime;
- else
- created = 0;
- lt = (struct sadb_lifetime*)mhp[SADB_EXT_LIFETIME_HARD];
- if(lt != NULL)
- created = lt->sadb_lifetime_addtime;
- else
- created = 0;
-
-#ifdef __linux__
- /* bsd skips over per-socket policies because there will be no
- * src and dst extensions in spddump messages. On Linux the only
- * way to achieve the same is check for policy id.
- */
- if (xpl->sadb_x_policy_id % 8 >= 3) return 0;
-#endif
-
- new = newsp();
- if (new == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate buffer\n");
- goto bad;
- }
-
- new->spidx.dir = xpl->sadb_x_policy_dir;
- new->id = xpl->sadb_x_policy_id;
- new->policy = xpl->sadb_x_policy_type;
- new->req = NULL;
-
- /* check policy */
- switch (xpl->sadb_x_policy_type) {
- case IPSEC_POLICY_DISCARD:
- case IPSEC_POLICY_NONE:
- case IPSEC_POLICY_ENTRUST:
- case IPSEC_POLICY_BYPASS:
- break;
-
- case IPSEC_POLICY_IPSEC:
- {
- int tlen;
- struct sadb_x_ipsecrequest *xisr;
- struct ipsecrequest **p_isr = &new->req;
-
- /* validity check */
- if (PFKEY_EXTLEN(xpl) < sizeof(*xpl)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid msg length.\n");
- goto bad;
- }
-
- tlen = PFKEY_EXTLEN(xpl) - sizeof(*xpl);
- xisr = (struct sadb_x_ipsecrequest *)(xpl + 1);
-
- while (tlen > 0) {
-
- /* length check */
- if (xisr->sadb_x_ipsecrequest_len < sizeof(*xisr)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid msg length.\n");
- goto bad;
- }
-
- /* allocate request buffer */
- *p_isr = newipsecreq();
- if (*p_isr == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get new ipsecreq.\n");
- goto bad;
- }
-
- /* set values */
- (*p_isr)->next = NULL;
-
- switch (xisr->sadb_x_ipsecrequest_proto) {
- case IPPROTO_ESP:
- case IPPROTO_AH:
- case IPPROTO_IPCOMP:
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid proto type: %u\n",
- xisr->sadb_x_ipsecrequest_proto);
- goto bad;
- }
- (*p_isr)->saidx.proto = xisr->sadb_x_ipsecrequest_proto;
-
- switch (xisr->sadb_x_ipsecrequest_mode) {
- case IPSEC_MODE_TRANSPORT:
- case IPSEC_MODE_TUNNEL:
- break;
- case IPSEC_MODE_ANY:
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid mode: %u\n",
- xisr->sadb_x_ipsecrequest_mode);
- goto bad;
- }
- (*p_isr)->saidx.mode = xisr->sadb_x_ipsecrequest_mode;
-
- switch (xisr->sadb_x_ipsecrequest_level) {
- case IPSEC_LEVEL_DEFAULT:
- case IPSEC_LEVEL_USE:
- case IPSEC_LEVEL_REQUIRE:
- break;
- case IPSEC_LEVEL_UNIQUE:
- (*p_isr)->saidx.reqid =
- xisr->sadb_x_ipsecrequest_reqid;
- break;
-
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid level: %u\n",
- xisr->sadb_x_ipsecrequest_level);
- goto bad;
- }
- (*p_isr)->level = xisr->sadb_x_ipsecrequest_level;
-
- /* set IP addresses if there */
- if (xisr->sadb_x_ipsecrequest_len > sizeof(*xisr)) {
- struct sockaddr *paddr;
-
- paddr = (struct sockaddr *)(xisr + 1);
- bcopy(paddr, &(*p_isr)->saidx.src,
- sysdep_sa_len(paddr));
-
- paddr = (struct sockaddr *)((caddr_t)paddr
- + sysdep_sa_len(paddr));
- bcopy(paddr, &(*p_isr)->saidx.dst,
- sysdep_sa_len(paddr));
- }
-
- (*p_isr)->sp = new;
-
- /* initialization for the next. */
- p_isr = &(*p_isr)->next;
- tlen -= xisr->sadb_x_ipsecrequest_len;
-
- /* validity check */
- if (tlen < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "becoming tlen < 0\n");
- }
-
- xisr = (struct sadb_x_ipsecrequest *)((caddr_t)xisr
- + xisr->sadb_x_ipsecrequest_len);
- }
- }
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid policy type.\n");
- goto bad;
- }
-
-#ifdef HAVE_PFKEY_POLICY_PRIORITY
- KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
- saddr + 1,
- daddr + 1,
- saddr->sadb_address_prefixlen,
- daddr->sadb_address_prefixlen,
- saddr->sadb_address_proto,
- xpl->sadb_x_policy_priority,
- created,
- &new->spidx);
-#else
- KEY_SETSECSPIDX(xpl->sadb_x_policy_dir,
- saddr + 1,
- daddr + 1,
- saddr->sadb_address_prefixlen,
- daddr->sadb_address_prefixlen,
- saddr->sadb_address_proto,
- created,
- &new->spidx);
-#endif
-
-#ifdef HAVE_SECCTX
- if (mhp[SADB_X_EXT_SEC_CTX] != NULL) {
- struct sadb_x_sec_ctx *ctx;
-
- ctx = (struct sadb_x_sec_ctx *)mhp[SADB_X_EXT_SEC_CTX];
- new->spidx.sec_ctx.ctx_alg = ctx->sadb_x_ctx_alg;
- new->spidx.sec_ctx.ctx_doi = ctx->sadb_x_ctx_doi;
- new->spidx.sec_ctx.ctx_strlen = ctx->sadb_x_ctx_len;
- memcpy(new->spidx.sec_ctx.ctx_str,ctx + 1,ctx->sadb_x_ctx_len);
- }
-#endif /* HAVE_SECCTX */
-
- inssp(new);
-
- return 0;
-bad:
- if (new != NULL) {
- if (new->req != NULL)
- racoon_free(new->req);
- racoon_free(new);
- }
- return -1;
-}
-
-/* proto/mode/src->dst spi */
-const char *
-sadbsecas2str(src, dst, proto, spi, mode)
- struct sockaddr *src, *dst;
- int proto;
- u_int32_t spi;
- int mode;
-{
- static char buf[256];
- u_int doi_proto, doi_mode = 0;
- char *p;
- int blen, i;
-
- doi_proto = pfkey2ipsecdoi_proto(proto);
- if (doi_proto == ~0)
- return NULL;
- if (mode) {
- doi_mode = pfkey2ipsecdoi_mode(mode);
- if (doi_mode == ~0)
- return NULL;
- }
-
- blen = sizeof(buf) - 1;
- p = buf;
-
- i = snprintf(p, blen, "%s%s%s ",
- s_ipsecdoi_proto(doi_proto),
- mode ? "/" : "",
- mode ? s_ipsecdoi_encmode(doi_mode) : "");
- if (i < 0 || i >= blen)
- return NULL;
- p += i;
- blen -= i;
-
- i = snprintf(p, blen, "%s->", saddr2str(src));
- if (i < 0 || i >= blen)
- return NULL;
- p += i;
- blen -= i;
-
- i = snprintf(p, blen, "%s ", saddr2str(dst));
- if (i < 0 || i >= blen)
- return NULL;
- p += i;
- blen -= i;
-
- if (spi) {
- snprintf(p, blen, "spi=%lu(0x%lx)", (unsigned long)ntohl(spi),
- (unsigned long)ntohl(spi));
- }
-
- return buf;
-}
diff --git a/src/racoon/pfkey.h b/src/racoon/pfkey.h
deleted file mode 100644
index 547f94a..0000000
--- a/src/racoon/pfkey.h
+++ /dev/null
@@ -1,77 +0,0 @@
-/* $NetBSD: pfkey.h,v 1.4 2006/09/09 16:22:10 manu Exp $ */
-
-/* Id: pfkey.h,v 1.3 2004/06/11 16:00:17 ludvigm Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _PFKEY_H
-#define _PFKEY_H
-
-struct pfkey_satype {
- u_int8_t ps_satype;
- const char *ps_name;
-};
-
-extern const struct pfkey_satype pfkey_satypes[];
-extern const int pfkey_nsatypes;
-
-extern int pfkey_handler __P((void));
-extern vchar_t *pfkey_dump_sadb __P((int));
-extern void pfkey_flush_sadb __P((u_int));
-extern int pfkey_init __P((void));
-
-extern struct pfkey_st *pfkey_getpst __P((caddr_t *, int, int));
-
-extern int pk_checkalg __P((int, int, int));
-
-struct ph2handle;
-extern int pk_sendgetspi __P((struct ph2handle *));
-extern int pk_sendupdate __P((struct ph2handle *));
-extern int pk_sendadd __P((struct ph2handle *));
-extern int pk_sendeacquire __P((struct ph2handle *));
-extern int pk_sendspdupdate2 __P((struct ph2handle *));
-extern int pk_sendspdadd2 __P((struct ph2handle *));
-extern int pk_sendspddelete __P((struct ph2handle *));
-
-extern void pfkey_timeover_stub __P((void *));
-extern void pfkey_timeover __P((struct ph2handle *));
-
-extern u_int pfkey2ipsecdoi_proto __P((u_int));
-extern u_int ipsecdoi2pfkey_proto __P((u_int));
-extern u_int pfkey2ipsecdoi_mode __P((u_int));
-extern u_int ipsecdoi2pfkey_mode __P((u_int));
-
-extern int pfkey_convertfromipsecdoi __P(( u_int, u_int, u_int,
- u_int *, u_int *, u_int *, u_int *, u_int *));
-extern u_int32_t pk_getseq __P((void));
-extern const char *sadbsecas2str
- __P((struct sockaddr *, struct sockaddr *, int, u_int32_t, int));
-
-#endif /* _PFKEY_H */
diff --git a/src/racoon/plainrsa-gen.8 b/src/racoon/plainrsa-gen.8
deleted file mode 100644
index 377de2d..0000000
--- a/src/racoon/plainrsa-gen.8
+++ /dev/null
@@ -1,138 +0,0 @@
-.\" $NetBSD: plainrsa-gen.8,v 1.13 2006/09/19 18:54:39 wiz Exp $
-.\"
-.\" Id: plainrsa-gen.8,v 1.4 2005/04/18 11:07:55 manubsd Exp
-.\"
-.\" Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
-.\" Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\" 3. Neither the name of the project nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.Dd June 14, 2004
-.Dt PLAINRSA-GEN 8
-.Os
-.\"
-.Sh NAME
-.Nm plainrsa-gen
-.Nd generator for Plain RSA keys
-.\"
-.Sh SYNOPSIS
-.Nm plainrsa-gen
-.Bk -words
-.Op Fl b Ar bits
-.Op Fl e Ar pubexp
-.Op Fl f Ar outfile
-.Op Fl h
-.Ek
-.\"
-.Sh DESCRIPTION
-.Nm
-can be used to generate
-.Li Plain RSA keys
-for authentication purposes.
-Using
-.Li Plain RSA keys
-is optional.
-Other possibilities are
-.Li Pre-shared keys
-or
-.Li X.509 certificates .
-.\"
-.Bl -tag -width Ds
-.It Fl b Ar bits
-bit length of the key.
-Default is
-.Li 1024 ,
-recommended length is
-.Li 2048
-or even
-.Li 4096
-bits.
-Note that generating longer keys takes longer time.
-.It Fl e Ar pubexp
-value of RSA public exponent.
-Default is
-.Li 0x3 .
-Don't change this unless you really know what you are doing!
-.It Fl f Ar outfile
-.Ar outfile
-instead of
-.Li stdout .
-If the file already exists it won't be overwritten.
-You wouldn't like to lose your private key by accident, would you?
-.El
-.\"
-.Sh OUTPUT FILE FORMAT
-This is the secret
-.Li private key
-that should
-.Ic never
-leave your computer:
-.Bd -literal
-: RSA {
- # RSA 1024 bits
- # pubkey=0sAQOrWlcwbAIdNSMhDt...
- Modulus: 0xab5a57306c021d3523...
- PublicExponent: 0x03
- PrivateExponent: 0x723c3a2048...
- Prime1: 0xd309b30e6adf9d85c01...
- Prime2: 0xcfdc2a8aa5b2b3c90e3...
- Exponent1: 0x8cb122099c9513ae...
- Exponent2: 0x8a92c7071921cd30...
- Coefficient: 0x722751305eafe9...
- }
-.Ed
-.Pp
-The line
-.Li pubkey=0sAQOrW...
-of the
-.Li private key
-contains a
-.Li public key
-that should be stored in the other peer's configuration in this format:
-.Bd -literal
-: PUB 0sAQOrWlcwbAIdNSMhDt...
-.Ed
-.\"
-.Pp
-You can also specify
-.Li from
-and
-.Li to
-addresses for which the key is valid:
-.Bd -literal
-0.0.0.0/0 10.20.30.0/24 : PUB 0sAQOrWlcwbAIdNSMhDt...
-.Ed
-.\"
-.Sh SEE ALSO
-.Xr racoon.conf 5 ,
-.Xr racoon 8
-.\"
-.Sh HISTORY
-.Nm
-was written by
-.An Michal Ludvig Aq michal@logix.cz
-and first appeared in
-.Ic ipsec-tools 0.4 .
diff --git a/src/racoon/plainrsa-gen.c b/src/racoon/plainrsa-gen.c
deleted file mode 100644
index 1bd5f67..0000000
--- a/src/racoon/plainrsa-gen.c
+++ /dev/null
@@ -1,208 +0,0 @@
-/* $NetBSD: plainrsa-gen.c,v 1.4 2006/09/09 16:22:10 manu Exp $ */
-
-/* Id: plainrsa-gen.c,v 1.6 2005/04/21 09:08:40 monas Exp */
-/*
- * Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
- * Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* This file contains a generator for FreeS/WAN-style ipsec.secrets RSA keys. */
-
-#include "config.h"
-
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/socket.h>
-#include <unistd.h>
-
-#include <openssl/bio.h>
-#include <openssl/bn.h>
-#include <openssl/err.h>
-#include <openssl/objects.h>
-#include <openssl/rsa.h>
-#include <openssl/evp.h>
-#ifdef HAVE_OPENSSL_ENGINE_H
-#include <openssl/engine.h>
-#endif
-
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "crypto_openssl.h"
-
-#include "package_version.h"
-
-void
-usage (char *argv0)
-{
- fprintf(stderr, "Plain RSA key generator, part of %s\n", TOP_PACKAGE_STRING);
- fprintf(stderr, "By Michal Ludvig (http://www.logix.cz/michal)\n");
- fprintf(stderr, "\n");
- fprintf(stderr, "Usage: %s [options]\n", argv0);
- fprintf(stderr, "\n");
- fprintf(stderr, " -b bits Generate <bits> long RSA key (default=1024)\n");
- fprintf(stderr, " -e pubexp Public exponent to use (default=0x3)\n");
- fprintf(stderr, " -f filename Filename to store the key to (default=stdout)\n");
- fprintf(stderr, " -h Help\n");
- fprintf(stderr, "\n");
- fprintf(stderr, "Report bugs to <ipsec-tools-devel@lists.sourceforge.net>\n");
- exit(1);
-}
-
-/*
- * See RFC 2065, section 3.5 for details about the output format.
- */
-vchar_t *
-mix_b64_pubkey(RSA *key)
-{
- char *binbuf;
- long binlen, ret;
- vchar_t *res;
-
- binlen = 1 + BN_num_bytes(key->e) + BN_num_bytes(key->n);
- binbuf = malloc(binlen);
- memset(binbuf, 0, binlen);
- binbuf[0] = BN_bn2bin(key->e, (unsigned char *) &binbuf[1]);
- ret = BN_bn2bin(key->n, (unsigned char *) (&binbuf[binbuf[0] + 1]));
- if (1 + binbuf[0] + ret != binlen) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Pubkey generation failed. This is really strange...\n");
- return NULL;
- }
-
- return base64_encode(binbuf, binlen);
-}
-
-char *
-lowercase(char *input)
-{
- char *ptr = input;
- while (*ptr) {
- if (*ptr >= 'A' && *ptr <= 'F')
- *ptr -= 'A' - 'a';
- *ptr++;
- }
-
- return input;
-}
-
-int
-gen_rsa_key(FILE *fp, size_t bits, unsigned long exp)
-{
- RSA *key;
- vchar_t *pubkey64 = NULL;
-
- key = RSA_generate_key(bits, exp, NULL, NULL);
- if (!key) {
- fprintf(stderr, "RSA_generate_key(): %s\n", eay_strerror());
- return -1;
- }
-
- pubkey64 = mix_b64_pubkey(key);
- if (!pubkey64) {
- fprintf(stderr, "mix_b64_pubkey(): %s\n", eay_strerror());
- return -1;
- }
-
- fprintf(fp, "# : PUB 0s%s\n", pubkey64->v);
- fprintf(fp, ": RSA\t{\n");
- fprintf(fp, "\t# RSA %zu bits\n", bits);
- fprintf(fp, "\t# pubkey=0s%s\n", pubkey64->v);
- fprintf(fp, "\tModulus: 0x%s\n", lowercase(BN_bn2hex(key->n)));
- fprintf(fp, "\tPublicExponent: 0x%s\n", lowercase(BN_bn2hex(key->e)));
- fprintf(fp, "\tPrivateExponent: 0x%s\n", lowercase(BN_bn2hex(key->d)));
- fprintf(fp, "\tPrime1: 0x%s\n", lowercase(BN_bn2hex(key->p)));
- fprintf(fp, "\tPrime2: 0x%s\n", lowercase(BN_bn2hex(key->q)));
- fprintf(fp, "\tExponent1: 0x%s\n", lowercase(BN_bn2hex(key->dmp1)));
- fprintf(fp, "\tExponent2: 0x%s\n", lowercase(BN_bn2hex(key->dmq1)));
- fprintf(fp, "\tCoefficient: 0x%s\n", lowercase(BN_bn2hex(key->iqmp)));
- fprintf(fp, " }\n");
-
- vfree(pubkey64);
-
- return 0;
-}
-
-int
-main (int argc, char *argv[])
-{
- FILE *fp = stdout;
- size_t bits = 1024;
- unsigned int pubexp = 0x3;
- struct stat st;
- extern char *optarg;
- extern int optind;
- int c;
- char *fname = NULL;
-
- while ((c = getopt(argc, argv, "e:b:f:h")) != -1)
- switch (c) {
- case 'e':
- if (strncmp(optarg, "0x", 2) == 0)
- sscanf(optarg, "0x%x", &pubexp);
- else
- pubexp = atoi(optarg);
- break;
- case 'b':
- bits = atoi(optarg);
- break;
- case 'f':
- fname = optarg;
- break;
- case 'h':
- default:
- usage(argv[0]);
- }
-
- if (fname) {
- if (stat(fname, &st) >= 0) {
- fprintf(stderr, "%s: file exists! Please use a different name.\n", fname);
- exit(1);
- }
-
- umask(0077);
- fp = fopen(fname, "w");
- if (fp == NULL) {
- fprintf(stderr, "%s: %s\n", fname, strerror(errno));
- exit(1);
- }
- }
-
- ploginit();
- eay_init();
-
- gen_rsa_key(fp, bits, pubexp);
-
- fclose(fp);
-
- return 0;
-}
diff --git a/src/racoon/plog.c b/src/racoon/plog.c
deleted file mode 100644
index 008260d..0000000
--- a/src/racoon/plog.c
+++ /dev/null
@@ -1,268 +0,0 @@
-/* $NetBSD: plog.c,v 1.4.6.2 2009/04/20 13:35:36 tteras Exp $ */
-
-/* Id: plog.c,v 1.11 2006/06/20 09:57:31 vanhu Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#ifdef HAVE_STDARG_H
-#include <stdarg.h>
-#else
-#include <varargs.h>
-#endif
-#if TIME_WITH_SYS_TIME
-# include <sys/time.h>
-# include <time.h>
-#else
-# if HAVE_SYS_TIME_H
-# include <sys/time.h>
-# else
-# include <time.h>
-# endif
-#endif
-#include <ctype.h>
-#include <err.h>
-
-#include "var.h"
-#include "misc.h"
-#include "plog.h"
-#include "logger.h"
-#include "debug.h"
-#include "gcmalloc.h"
-
-#ifndef VA_COPY
-# define VA_COPY(dst,src) memcpy(&(dst), &(src), sizeof(va_list))
-#endif
-
-char *pname = NULL;
-u_int32_t loglevel = LLV_BASE;
-int f_foreground = 0;
-
-int print_location = 0;
-
-static struct log *logp = NULL;
-static char *logfile = NULL;
-
-static char *plog_common __P((int, const char *, const char *));
-
-static struct plogtags {
- char *name;
- int priority;
-} ptab[] = {
- { "(not defined)", 0, },
- { "ERROR", LOG_INFO, },
- { "WARNING", LOG_INFO, },
- { "NOTIFY", LOG_INFO, },
- { "INFO", LOG_INFO, },
- { "DEBUG", LOG_DEBUG, },
- { "DEBUG2", LOG_DEBUG, },
-};
-
-static char *
-plog_common(pri, fmt, func)
- int pri;
- const char *fmt, *func;
-{
- static char buf[800]; /* XXX shoule be allocated every time ? */
- char *p;
- int reslen, len;
-
- p = buf;
- reslen = sizeof(buf);
-
- if (logfile || f_foreground) {
- time_t t;
- struct tm *tm;
-
- t = time(0);
- tm = localtime(&t);
- len = strftime(p, reslen, "%Y-%m-%d %T: ", tm);
- p += len;
- reslen -= len;
- }
-
- if (pri < ARRAYLEN(ptab)) {
- len = snprintf(p, reslen, "%s: ", ptab[pri].name);
- if (len >= 0 && len < reslen) {
- p += len;
- reslen -= len;
- } else
- *p = '\0';
- }
-
- if (print_location)
- snprintf(p, reslen, "%s: %s", func, fmt);
- else
- snprintf(p, reslen, "%s", fmt);
-#ifdef BROKEN_PRINTF
- while ((p = strstr(buf,"%z")) != NULL)
- p[1] = 'l';
-#endif
-
- return buf;
-}
-
-void
-_plog(int pri, const char *func, struct sockaddr *sa, const char *fmt, ...)
-{
- va_list ap;
-
- va_start(ap, fmt);
- plogv(pri, func, sa, fmt, ap);
- va_end(ap);
-}
-
-void
-plogv(int pri, const char *func, struct sockaddr *sa,
- const char *fmt, va_list ap)
-{
- char *newfmt;
- va_list ap_bak;
-
- if (pri > loglevel)
- return;
-
- newfmt = plog_common(pri, fmt, func);
-
- VA_COPY(ap_bak, ap);
-
- if (f_foreground)
- vprintf(newfmt, ap);
-
- if (logfile)
- log_vaprint(logp, newfmt, ap_bak);
- else {
- if (pri < ARRAYLEN(ptab))
- vsyslog(ptab[pri].priority, newfmt, ap_bak);
- else
- vsyslog(LOG_ALERT, newfmt, ap_bak);
- }
-}
-
-void
-plogdump(pri, data, len)
- int pri;
- void *data;
- size_t len;
-{
- caddr_t buf;
- size_t buflen;
- int i, j;
-
- if (pri > loglevel)
- return;
-
- /*
- * 2 words a bytes + 1 space 4 bytes + 1 newline 32 bytes
- * + 2 newline + '\0'
- */
- buflen = (len * 2) + (len / 4) + (len / 32) + 3;
- buf = racoon_malloc(buflen);
-
- i = 0;
- j = 0;
- while (j < len) {
- if (j % 32 == 0)
- buf[i++] = '\n';
- else
- if (j % 4 == 0)
- buf[i++] = ' ';
- snprintf(&buf[i], buflen - i, "%02x",
- ((unsigned char *)data)[j] & 0xff);
- i += 2;
- j++;
- }
- if (buflen - i >= 2) {
- buf[i++] = '\n';
- buf[i] = '\0';
- }
- plog(pri, LOCATION, NULL, "%s", buf);
-
- racoon_free(buf);
-}
-
-void
-ploginit()
-{
- if (logfile) {
- logp = log_open(250, logfile);
- if (logp == NULL)
- errx(1, "ERROR: failed to open log file %s.", logfile);
- return;
- }
-
- openlog(pname, LOG_NDELAY, LOG_DAEMON);
-}
-
-void
-plogset(file)
- char *file;
-{
- if (logfile != NULL)
- racoon_free(logfile);
- logfile = racoon_strdup(file);
- STRDUP_FATAL(logfile);
-}
-
-/*
- Returns a printable string from (possibly) binary data ;
- concatenates all unprintable chars to one space.
- XXX Maybe the printable chars range is too large...
- */
-char*
-binsanitize(binstr, n)
- char *binstr;
- size_t n;
-{
- int p,q;
- char* d;
-
- d = racoon_malloc(n + 1);
- for (p = 0, q = 0; p < n; p++) {
- if (isgraph((int)binstr[p])) {
- d[q++] = binstr[p];
- } else {
- if (q && d[q - 1] != ' ')
- d[q++] = ' ';
- }
- }
- d[q++] = '\0';
-
- return d;
-}
-
diff --git a/src/racoon/plog.h b/src/racoon/plog.h
deleted file mode 100644
index b8cb027..0000000
--- a/src/racoon/plog.h
+++ /dev/null
@@ -1,110 +0,0 @@
-/* $NetBSD: plog.h,v 1.4.6.1 2007/11/06 16:41:27 vanhu Exp $ */
-
-/* Id: plog.h,v 1.7 2006/06/20 09:57:31 vanhu Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _PLOG_H
-#define _PLOG_H
-
-#ifdef ANDROID_PATCHED
-
-#define LLV_ERROR 0
-#define LLV_WARNING 1
-#define LLV_NOTIFY 2
-#define LLV_INFO 3
-#define LLV_DEBUG 4
-#define LLV_DEBUG2 5
-
-#define loglevel LLV_DEBUG2
-
-#define plog(level, location, address, ...) \
- do { \
- if ((level) >= LLV_ERROR && (level) <= LLV_INFO) { \
- do_plog((level), __VA_ARGS__); \
- } \
- } while (0)
-
-#define plogdump(...)
-
-extern void do_plog(int level, char *format, ...);
-extern char *binsanitize(char *binary, size_t size);
-extern char *pname;
-
-#else
-
-#ifdef HAVE_STDARG_H
-#include <stdarg.h>
-#else
-#include <varargs.h>
-#endif
-#include <syslog.h>
-
-/*
- * INFO: begin negotiation, SA establishment/deletion/expiration.
- * NOTIFY: just notifiable.
- * WARNING: not error strictly.
- * ERROR: system call error. also invalid parameter/format.
- * DEBUG1: debugging informatioin.
- * DEBUG2: too more verbose. e.g. parsing config.
- */
-#define LLV_ERROR 1
-#define LLV_WARNING 2
-#define LLV_NOTIFY 3
-#define LLV_INFO 4
-#define LLV_DEBUG 5
-#define LLV_DEBUG2 6
-
-#define LLV_BASE LLV_INFO /* by default log less than this value. */
-
-extern char *pname;
-extern u_int32_t loglevel;
-extern int f_foreground;
-extern int print_location;
-
-struct sockaddr;
-#define plog(pri, ...) \
- do { \
- if ((pri) <= loglevel) \
- _plog((pri), __VA_ARGS__); \
- } while (0)
-extern void _plog __P((int, const char *, struct sockaddr *, const char *, ...))
- __attribute__ ((__format__ (__printf__, 4, 5)));
-extern void plogv __P((int, const char *, struct sockaddr *,
- const char *, va_list));
-extern void plogdump __P((int, void *, size_t));
-extern void ploginit __P((void));
-extern void plogset __P((char *));
-
-extern char* binsanitize __P((char*, size_t));
-
-#endif
-
-#endif /* _PLOG_H */
diff --git a/src/racoon/policy.c b/src/racoon/policy.c
deleted file mode 100644
index 29a6818..0000000
--- a/src/racoon/policy.c
+++ /dev/null
@@ -1,488 +0,0 @@
-/* $NetBSD: policy.c,v 1.6.4.1 2007/08/01 11:52:21 vanhu Exp $ */
-
-/* $KAME: policy.c,v 1.46 2001/11/16 04:08:10 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/queue.h>
-
-#include <netinet/in.h>
-#include PATH_IPSEC_H
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "sockmisc.h"
-#include "debug.h"
-
-#include "policy.h"
-#include "localconf.h"
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "oakley.h"
-#include "handler.h"
-#include "strnames.h"
-#include "gcmalloc.h"
-
-static TAILQ_HEAD(_sptree, secpolicy) sptree;
-
-/* perform exact match against security policy table. */
-struct secpolicy *
-getsp(spidx)
- struct policyindex *spidx;
-{
- struct secpolicy *p;
-
- for (p = TAILQ_FIRST(&sptree); p; p = TAILQ_NEXT(p, chain)) {
- if (!cmpspidxstrict(spidx, &p->spidx))
- return p;
- }
-
- return NULL;
-}
-
-/*
- * perform non-exact match against security policy table, only if this is
- * transport mode SA negotiation. for example, 0.0.0.0/0 -> 0.0.0.0/0
- * entry in policy.txt can be returned when we're negotiating transport
- * mode SA. this is how the kernel works.
- */
-#if 1
-struct secpolicy *
-getsp_r(spidx)
- struct policyindex *spidx;
-{
- struct secpolicy *p;
-
- for (p = TAILQ_FIRST(&sptree); p; p = TAILQ_NEXT(p, chain)) {
- if (!cmpspidxwild(spidx, &p->spidx))
- return p;
- }
-
- return NULL;
-}
-#else
-struct secpolicy *
-getsp_r(spidx, iph2)
- struct policyindex *spidx;
- struct ph2handle *iph2;
-{
- struct secpolicy *p;
- u_int8_t prefixlen;
-
- plog(LLV_DEBUG, LOCATION, NULL, "checking for transport mode\n");
-
- if (spidx->src.ss_family != spidx->dst.ss_family) {
- plog(LLV_ERROR, LOCATION, NULL,
- "address family mismatch, src:%d dst:%d\n",
- spidx->src.ss_family,
- spidx->dst.ss_family);
- return NULL;
- }
- switch (spidx->src.ss_family) {
- case AF_INET:
- prefixlen = sizeof(struct in_addr) << 3;
- break;
-#ifdef INET6
- case AF_INET6:
- prefixlen = sizeof(struct in6_addr) << 3;
- break;
-#endif
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid family: %d\n", spidx->src.ss_family);
- return NULL;
- }
-
- /* is it transport mode SA negotiation? */
- plog(LLV_DEBUG, LOCATION, NULL, "src1: %s\n",
- saddr2str(iph2->src));
- plog(LLV_DEBUG, LOCATION, NULL, "src2: %s\n",
- saddr2str((struct sockaddr *)&spidx->src));
- if (cmpsaddrwop(iph2->src, (struct sockaddr *)&spidx->src)
- || spidx->prefs != prefixlen)
- return NULL;
-
- plog(LLV_DEBUG, LOCATION, NULL, "dst1: %s\n",
- saddr2str(iph2->dst));
- plog(LLV_DEBUG, LOCATION, NULL, "dst2: %s\n",
- saddr2str((struct sockaddr *)&spidx->dst));
- if (cmpsaddrwop(iph2->dst, (struct sockaddr *)&spidx->dst)
- || spidx->prefd != prefixlen)
- return NULL;
-
- plog(LLV_DEBUG, LOCATION, NULL, "looks to be transport mode\n");
-
- for (p = TAILQ_FIRST(&sptree); p; p = TAILQ_NEXT(p, chain)) {
- if (!cmpspidx_wild(spidx, &p->spidx))
- return p;
- }
-
- return NULL;
-}
-#endif
-
-struct secpolicy *
-getspbyspid(spid)
- u_int32_t spid;
-{
- struct secpolicy *p;
-
- for (p = TAILQ_FIRST(&sptree); p; p = TAILQ_NEXT(p, chain)) {
- if (p->id == spid)
- return p;
- }
-
- return NULL;
-}
-
-/*
- * compare policyindex.
- * a: subject b: db
- * OUT: 0: equal
- * 1: not equal
- */
-int
-cmpspidxstrict(a, b)
- struct policyindex *a, *b;
-{
- plog(LLV_DEBUG, LOCATION, NULL, "sub:%p: %s\n", a, spidx2str(a));
- plog(LLV_DEBUG, LOCATION, NULL, "db :%p: %s\n", b, spidx2str(b));
-
- /* XXX don't check direction now, but it's to be checked carefully. */
- if (a->dir != b->dir
- || a->prefs != b->prefs
- || a->prefd != b->prefd
- || a->ul_proto != b->ul_proto)
- return 1;
-
- if (cmpsaddrstrict((struct sockaddr *)&a->src,
- (struct sockaddr *)&b->src))
- return 1;
- if (cmpsaddrstrict((struct sockaddr *)&a->dst,
- (struct sockaddr *)&b->dst))
- return 1;
-
-#ifdef HAVE_SECCTX
- if (a->sec_ctx.ctx_alg != b->sec_ctx.ctx_alg
- || a->sec_ctx.ctx_doi != b->sec_ctx.ctx_doi
- || !within_range(a->sec_ctx.ctx_str, b->sec_ctx.ctx_str))
- return 1;
-#endif
- return 0;
-}
-
-/*
- * compare policyindex, with wildcard address/protocol match.
- * a: subject b: db, can contain wildcard things.
- * OUT: 0: equal
- * 1: not equal
- */
-int
-cmpspidxwild(a, b)
- struct policyindex *a, *b;
-{
- struct sockaddr_storage sa1, sa2;
-
- plog(LLV_DEBUG, LOCATION, NULL, "sub:%p: %s\n", a, spidx2str(a));
- plog(LLV_DEBUG, LOCATION, NULL, "db: %p: %s\n", b, spidx2str(b));
-
- if (!(b->dir == IPSEC_DIR_ANY || a->dir == b->dir))
- return 1;
-
- if (!(a->ul_proto == IPSEC_ULPROTO_ANY ||
- b->ul_proto == IPSEC_ULPROTO_ANY ||
- a->ul_proto == b->ul_proto))
- return 1;
-
- if (a->src.ss_family != b->src.ss_family)
- return 1;
- if (a->dst.ss_family != b->dst.ss_family)
- return 1;
-
-#ifndef __linux__
- /* compare src address */
- if (sizeof(sa1) < a->src.ss_len || sizeof(sa2) < b->src.ss_len) {
- plog(LLV_ERROR, LOCATION, NULL,
- "unexpected error: "
- "src.ss_len:%d dst.ss_len:%d\n",
- a->src.ss_len, b->src.ss_len);
- return 1;
- }
-#endif
- mask_sockaddr((struct sockaddr *)&sa1, (struct sockaddr *)&a->src,
- b->prefs);
- mask_sockaddr((struct sockaddr *)&sa2, (struct sockaddr *)&b->src,
- b->prefs);
- plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
- a, b->prefs, saddr2str((struct sockaddr *)&sa1));
- plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
- b, b->prefs, saddr2str((struct sockaddr *)&sa2));
- if (cmpsaddrwild((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
- return 1;
-
-#ifndef __linux__
- /* compare dst address */
- if (sizeof(sa1) < a->dst.ss_len || sizeof(sa2) < b->dst.ss_len) {
- plog(LLV_ERROR, LOCATION, NULL, "unexpected error\n");
- exit(1);
- }
-#endif
- mask_sockaddr((struct sockaddr *)&sa1, (struct sockaddr *)&a->dst,
- b->prefd);
- mask_sockaddr((struct sockaddr *)&sa2, (struct sockaddr *)&b->dst,
- b->prefd);
- plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
- a, b->prefd, saddr2str((struct sockaddr *)&sa1));
- plog(LLV_DEBUG, LOCATION, NULL, "%p masked with /%d: %s\n",
- b, b->prefd, saddr2str((struct sockaddr *)&sa2));
- if (cmpsaddrwild((struct sockaddr *)&sa1, (struct sockaddr *)&sa2))
- return 1;
-
-#ifdef HAVE_SECCTX
- if (a->sec_ctx.ctx_alg != b->sec_ctx.ctx_alg
- || a->sec_ctx.ctx_doi != b->sec_ctx.ctx_doi
- || !within_range(a->sec_ctx.ctx_str, b->sec_ctx.ctx_str))
- return 1;
-#endif
- return 0;
-}
-
-struct secpolicy *
-newsp()
-{
- struct secpolicy *new;
-
- new = racoon_calloc(1, sizeof(*new));
- if (new == NULL)
- return NULL;
-
- return new;
-}
-
-void
-delsp(sp)
- struct secpolicy *sp;
-{
- struct ipsecrequest *req = NULL, *next;
-
- for (req = sp->req; req; req = next) {
- next = req->next;
- racoon_free(req);
- }
-
- racoon_free(sp);
-}
-
-void
-delsp_bothdir(spidx0)
- struct policyindex *spidx0;
-{
- struct policyindex spidx;
- struct secpolicy *sp;
- struct sockaddr_storage src, dst;
- u_int8_t prefs, prefd;
-
- memcpy(&spidx, spidx0, sizeof(spidx));
- switch (spidx.dir) {
- case IPSEC_DIR_INBOUND:
-#ifdef HAVE_POLICY_FWD
- case IPSEC_DIR_FWD:
-#endif
- src = spidx.src;
- dst = spidx.dst;
- prefs = spidx.prefs;
- prefd = spidx.prefd;
- break;
- case IPSEC_DIR_OUTBOUND:
- src = spidx.dst;
- dst = spidx.src;
- prefs = spidx.prefd;
- prefd = spidx.prefs;
- break;
- default:
- return;
- }
-
- spidx.src = src;
- spidx.dst = dst;
- spidx.prefs = prefs;
- spidx.prefd = prefd;
- spidx.dir = IPSEC_DIR_INBOUND;
-
- sp = getsp(&spidx);
- if (sp) {
- remsp(sp);
- delsp(sp);
- }
-
-#ifdef HAVE_POLICY_FWD
- spidx.dir = IPSEC_DIR_FWD;
-
- sp = getsp(&spidx);
- if (sp) {
- remsp(sp);
- delsp(sp);
- }
-#endif
-
- spidx.src = dst;
- spidx.dst = src;
- spidx.prefs = prefd;
- spidx.prefd = prefs;
- spidx.dir = IPSEC_DIR_OUTBOUND;
-
- sp = getsp(&spidx);
- if (sp) {
- remsp(sp);
- delsp(sp);
- }
-}
-
-void
-inssp(new)
- struct secpolicy *new;
-{
-#ifdef HAVE_PFKEY_POLICY_PRIORITY
- struct secpolicy *p;
-
- TAILQ_FOREACH(p, &sptree, chain) {
- if (new->spidx.priority < p->spidx.priority) {
- TAILQ_INSERT_BEFORE(p, new, chain);
- return;
- }
- }
- if (p == NULL)
-#endif
- TAILQ_INSERT_TAIL(&sptree, new, chain);
-
- return;
-}
-
-void
-remsp(sp)
- struct secpolicy *sp;
-{
- TAILQ_REMOVE(&sptree, sp, chain);
-}
-
-void
-flushsp()
-{
- struct secpolicy *p, *next;
-
- for (p = TAILQ_FIRST(&sptree); p; p = next) {
- next = TAILQ_NEXT(p, chain);
- remsp(p);
- delsp(p);
- }
-}
-
-void
-initsp()
-{
- TAILQ_INIT(&sptree);
-}
-
-struct ipsecrequest *
-newipsecreq()
-{
- struct ipsecrequest *new;
-
- new = racoon_calloc(1, sizeof(*new));
- if (new == NULL)
- return NULL;
-
- return new;
-}
-
-const char *
-spidx2str(spidx)
- const struct policyindex *spidx;
-{
- /* addr/pref[port] addr/pref[port] ul dir act */
- static char buf[256];
- char *p, *a, *b;
- int blen, i;
-
- blen = sizeof(buf) - 1;
- p = buf;
-
- a = saddr2str((const struct sockaddr *)&spidx->src);
- for (b = a; *b != '\0'; b++)
- if (*b == '[') {
- *b = '\0';
- b++;
- break;
- }
- i = snprintf(p, blen, "%s/%d[%s ", a, spidx->prefs, b);
- if (i < 0 || i >= blen)
- return NULL;
- p += i;
- blen -= i;
-
- a = saddr2str((const struct sockaddr *)&spidx->dst);
- for (b = a; *b != '\0'; b++)
- if (*b == '[') {
- *b = '\0';
- b++;
- break;
- }
- i = snprintf(p, blen, "%s/%d[%s ", a, spidx->prefd, b);
- if (i < 0 || i >= blen)
- return NULL;
- p += i;
- blen -= i;
-
- i = snprintf(p, blen, "proto=%s dir=%s",
- s_proto(spidx->ul_proto), s_direction(spidx->dir));
-
-#ifdef HAVE_SECCTX
- if (spidx->sec_ctx.ctx_strlen) {
- p += i;
- blen -= i;
- snprintf(p, blen, " sec_ctx:doi=%d,alg=%d,len=%d,str=%s",
- spidx->sec_ctx.ctx_doi, spidx->sec_ctx.ctx_alg,
- spidx->sec_ctx.ctx_strlen, spidx->sec_ctx.ctx_str);
- }
-#endif
- return buf;
-}
diff --git a/src/racoon/policy.h b/src/racoon/policy.h
deleted file mode 100644
index 8c47451..0000000
--- a/src/racoon/policy.h
+++ /dev/null
@@ -1,163 +0,0 @@
-/* $NetBSD: policy.h,v 1.5.4.2 2007/06/07 20:34:19 manu Exp $ */
-
-/* Id: policy.h,v 1.5 2004/06/11 16:00:17 ludvigm Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _POLICY_H
-#define _POLICY_H
-
-#include <sys/queue.h>
-
-
-#ifdef HAVE_SECCTX
-#define MAX_CTXSTR_SIZE 50
-struct security_ctx {
- u_int8_t ctx_doi; /* Security Context DOI */
- u_int8_t ctx_alg; /* Security Context Algorithm */
- u_int16_t ctx_strlen; /* Security Context stringlength
- * (includes terminating NULL)
- */
- char ctx_str[MAX_CTXSTR_SIZE]; /* Security Context string */
-};
-#endif
-
-/* refs. ipsec.h */
-/*
- * Security Policy Index
- * NOTE: Ensure to be same address family and upper layer protocol.
- * NOTE: ul_proto, port number, uid, gid:
- * ANY: reserved for waldcard.
- * 0 to (~0 - 1): is one of the number of each value.
- */
-struct policyindex {
- u_int8_t dir; /* direction of packet flow, see blow */
- struct sockaddr_storage src; /* IP src address for SP */
- struct sockaddr_storage dst; /* IP dst address for SP */
- u_int8_t prefs; /* prefix length in bits for src */
- u_int8_t prefd; /* prefix length in bits for dst */
- u_int16_t ul_proto; /* upper layer Protocol */
- u_int32_t priority; /* priority for the policy */
- u_int64_t created; /* Used for generated SPD entries deletion */
-#ifdef HAVE_SECCTX
- struct security_ctx sec_ctx; /* Security Context */
-#endif
-};
-
-/* Security Policy Data Base */
-struct secpolicy {
- TAILQ_ENTRY(secpolicy) chain;
-
- struct policyindex spidx; /* selector */
- u_int32_t id; /* It's unique number on the system. */
-
- u_int policy; /* DISCARD, NONE or IPSEC, see keyv2.h */
- struct ipsecrequest *req;
- /* pointer to the ipsec request tree, */
- /* if policy == IPSEC else this value == NULL.*/
-};
-
-/* Security Assocciation Index */
-/* NOTE: Ensure to be same address family */
-struct secasindex {
- struct sockaddr_storage src; /* srouce address for SA */
- struct sockaddr_storage dst; /* destination address for SA */
- u_int16_t proto; /* IPPROTO_ESP or IPPROTO_AH */
- u_int8_t mode; /* mode of protocol, see ipsec.h */
- u_int32_t reqid; /* reqid id who owned this SA */
- /* see IPSEC_MANUAL_REQID_MAX. */
-};
-
-/* Request for IPsec */
-struct ipsecrequest {
- struct ipsecrequest *next;
- /* pointer to next structure */
- /* If NULL, it means the end of chain. */
-
- struct secasindex saidx;/* hint for search proper SA */
- /* if __ss_len == 0 then no address specified.*/
- u_int level; /* IPsec level defined below. */
-
- struct secpolicy *sp; /* back pointer to SP */
-};
-
-#ifdef HAVE_PFKEY_POLICY_PRIORITY
-#define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, _priority, _created, idx) \
-do { \
- memset((idx), 0, sizeof(struct policyindex)); \
- (idx)->dir = (_dir); \
- (idx)->prefs = (ps); \
- (idx)->prefd = (pd); \
- (idx)->ul_proto = (ulp); \
- (idx)->priority = (_priority); \
- (idx)->created = (_created); \
- memcpy(&(idx)->src, (s), sysdep_sa_len((struct sockaddr *)(s))); \
- memcpy(&(idx)->dst, (d), sysdep_sa_len((struct sockaddr *)(d))); \
-} while (0)
-#else
-#define KEY_SETSECSPIDX(_dir, s, d, ps, pd, ulp, _created, idx) \
-do { \
- memset((idx), 0, sizeof(struct policyindex)); \
- (idx)->dir = (_dir); \
- (idx)->prefs = (ps); \
- (idx)->prefd = (pd); \
- (idx)->ul_proto = (ulp); \
- (idx)->created = (_created); \
- memcpy(&(idx)->src, (s), sysdep_sa_len((struct sockaddr *)(s))); \
- memcpy(&(idx)->dst, (d), sysdep_sa_len((struct sockaddr *)(d))); \
-} while (0)
-#endif
-
-struct ph2handle;
-struct policyindex;
-extern struct secpolicy *getsp __P((struct policyindex *));
-extern struct secpolicy *getsp_r __P((struct policyindex *));
-struct secpolicy *getspbyspid __P((u_int32_t));
-extern int cmpspidxstrict __P((struct policyindex *, struct policyindex *));
-extern int cmpspidxwild __P((struct policyindex *, struct policyindex *));
-extern struct secpolicy *newsp __P((void));
-extern void delsp __P((struct secpolicy *));
-extern void delsp_bothdir __P((struct policyindex *));
-extern void inssp __P((struct secpolicy *));
-extern void remsp __P((struct secpolicy *));
-extern void flushsp __P((void));
-extern void initsp __P((void));
-extern struct ipsecrequest *newipsecreq __P((void));
-
-extern const char *spidx2str __P((const struct policyindex *));
-#ifdef HAVE_SECCTX
-#include <selinux/selinux.h>
-extern int get_security_context __P((vchar_t *, struct policyindex *));
-extern void init_avc __P((void));
-extern int within_range __P((security_context_t, security_context_t));
-extern void set_secctx_in_proposal __P((struct ph2handle *, struct policyindex));
-#endif
-
-#endif /* _POLICY_H */
diff --git a/src/racoon/privsep.c b/src/racoon/privsep.c
deleted file mode 100644
index 9e60b89..0000000
--- a/src/racoon/privsep.c
+++ /dev/null
@@ -1,1339 +0,0 @@
-/* $NetBSD: privsep.c,v 1.6 2006/09/09 16:22:10 manu Exp $ */
-
-/* Id: privsep.c,v 1.15 2005/08/08 11:23:44 vanhu Exp */
-
-/*
- * Copyright (C) 2004 Emmanuel Dreyfus
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <unistd.h>
-#include <string.h>
-#ifdef __NetBSD__
-#include <stdlib.h> /* for setproctitle */
-#endif
-#include <errno.h>
-#include <signal.h>
-#include <pwd.h>
-
-#include <sys/socket.h>
-#include <sys/param.h>
-
-#include "gcmalloc.h"
-#include "vmbuf.h"
-#include "misc.h"
-#include "plog.h"
-#include "var.h"
-#include "libpfkey.h"
-
-#include "crypto_openssl.h"
-#include "isakmp_var.h"
-#include "isakmp.h"
-#ifdef ENABLE_HYBRID
-#include "resolv.h"
-#include "isakmp_xauth.h"
-#include "isakmp_cfg.h"
-#endif
-#include "localconf.h"
-#include "remoteconf.h"
-#include "admin.h"
-#include "sockmisc.h"
-#include "privsep.h"
-
-static int privsep_sock[2] = { -1, -1 };
-
-static int privsep_recv(int, struct privsep_com_msg **, size_t *);
-static int privsep_send(int, struct privsep_com_msg *, size_t);
-static int safety_check(struct privsep_com_msg *, int i);
-static int port_check(int);
-static int unsafe_env(char *const *);
-static int unknown_name(int);
-static int unsafe_path(char *, int);
-
-static int
-privsep_send(sock, buf, len)
- int sock;
- struct privsep_com_msg *buf;
- size_t len;
-{
- if (buf == NULL)
- return 0;
-
- if (sendto(sock, (char *)buf, len, 0, NULL, 0) == -1) {
- plog(LLV_ERROR, LOCATION, NULL,
- "privsep_send failed: %s\n",
- strerror(errno));
- return -1;
- }
-
- racoon_free((char *)buf);
-
- return 0;
-}
-
-
-static int
-privsep_recv(sock, bufp, lenp)
- int sock;
- struct privsep_com_msg **bufp;
- size_t *lenp;
-{
- struct admin_com com;
- struct admin_com *combuf;
- size_t len;
-
- *bufp = NULL;
- *lenp = 0;
-
- /* Get the header */
- while ((len = recvfrom(sock, (char *)&com,
- sizeof(com), MSG_PEEK, NULL, NULL)) == -1) {
- if (errno == EINTR)
- continue;
-
- plog(LLV_ERROR, LOCATION, NULL,
- "privsep_recv failed: %s\n",
- strerror(errno));
- return -1;
- }
-
- /* Check for short packets */
- if (len < sizeof(com)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "corrupted privsep message (short header)\n");
- return -1;
- }
-
- /* Allocate buffer for the whole message */
- if ((combuf = (struct admin_com *)racoon_malloc(com.ac_len)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate memory: %s\n", strerror(errno));
- return -1;
- }
-
- /* Get the whole buffer */
- while ((len = recvfrom(sock, (char *)combuf,
- com.ac_len, 0, NULL, NULL)) == -1) {
- if (errno == EINTR)
- continue;
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to recv privsep command: %s\n",
- strerror(errno));
- return -1;
- }
-
- /* We expect len to match */
- if (len != com.ac_len) {
- plog(LLV_ERROR, LOCATION, NULL,
- "corrupted privsep message (short packet)\n");
- return -1;
- }
-
- *bufp = (struct privsep_com_msg *)combuf;
- *lenp = len;
-
- return 0;
-}
-
-int
-privsep_init(void)
-{
- int i;
- pid_t child_pid;
-
- /* If running as root, we don't use the privsep code path */
- if (lcconf->uid == 0)
- return 0;
-
- /*
- * When running privsep, certificate and script paths
- * are mandatory, as they enable us to check path safety
- * in the privilegied instance
- */
- if ((lcconf->pathinfo[LC_PATHTYPE_CERT] == NULL) ||
- (lcconf->pathinfo[LC_PATHTYPE_SCRIPT] == NULL)) {
- plog(LLV_ERROR, LOCATION, NULL, "privilege separation "
- "require path cert and path script in the config file\n");
- return -1;
- }
-
- if (socketpair(PF_LOCAL, SOCK_DGRAM, 0, privsep_sock) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot allocate privsep_sock: %s\n", strerror(errno));
- return -1;
- }
-
- switch (child_pid = fork()) {
- case -1:
- plog(LLV_ERROR, LOCATION, NULL, "Cannot fork privsep: %s\n",
- strerror(errno));
- return -1;
- break;
-
- case 0: /* Child: drop privileges */
- if (lcconf->chroot != NULL) {
- if (chdir(lcconf->chroot) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot chdir(%s): %s\n", lcconf->chroot,
- strerror(errno));
- return -1;
- }
- if (chroot(lcconf->chroot) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot chroot(%s): %s\n", lcconf->chroot,
- strerror(errno));
- return -1;
- }
- }
-
- if (setgid(lcconf->gid) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot setgid(%d): %s\n", lcconf->gid,
- strerror(errno));
- return -1;
- }
-
- if (setegid(lcconf->gid) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot setegid(%d): %s\n", lcconf->gid,
- strerror(errno));
- return -1;
- }
-
- if (setuid(lcconf->uid) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot setuid(%d): %s\n", lcconf->uid,
- strerror(errno));
- return -1;
- }
-
- if (seteuid(lcconf->uid) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot seteuid(%d): %s\n", lcconf->uid,
- strerror(errno));
- return -1;
- }
-
- return 0;
- break;
-
- default: /* Parent: privilegied process */
- break;
- }
-
- /*
- * Close everything except the socketpair,
- * and stdout if running in the forground.
- */
- for (i = sysconf(_SC_OPEN_MAX); i > 0; i--) {
- if (i == privsep_sock[0])
- continue;
- if (i == privsep_sock[1])
- continue;
- if ((f_foreground) && (i == 1))
- continue;
- (void)close(i);
- }
-
- /* Above trickery closed the log file, reopen it */
- ploginit();
-
- plog(LLV_INFO, LOCATION, NULL,
- "racoon privilegied process running with PID %d\n", getpid());
-
-#ifdef __NetBSD__
- setproctitle("[priv]");
-#endif
-
- /*
- * Don't catch any signal
- * This duplicate session:signals[], which is static...
- */
- signal(SIGHUP, SIG_DFL);
- signal(SIGINT, SIG_DFL);
- signal(SIGTERM, SIG_DFL);
- signal(SIGUSR1, SIG_DFL);
- signal(SIGUSR2, SIG_DFL);
- signal(SIGCHLD, SIG_DFL);
-
- while (1) {
- size_t len;
- struct privsep_com_msg *combuf;
- struct privsep_com_msg *reply;
- char *data;
- size_t *buflen;
- size_t totallen;
- char *bufs[PRIVSEP_NBUF_MAX];
- int i;
-
- if (privsep_recv(privsep_sock[0], &combuf, &len) != 0)
- goto out;
-
- /* Safety checks and gather the data */
- if (len < sizeof(*combuf)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "corrupted privsep message (short buflen)\n");
- goto out;
- }
-
- data = (char *)(combuf + 1);
- totallen = sizeof(*combuf);
- for (i = 0; i < PRIVSEP_NBUF_MAX; i++) {
- bufs[i] = (char *)data;
- data += combuf->bufs.buflen[i];
- totallen += combuf->bufs.buflen[i];
- }
-
- if (totallen > len) {
- plog(LLV_ERROR, LOCATION, NULL,
- "corrupted privsep message (bufs too big)\n");
- goto out;
- }
-
- /* Prepare the reply buffer */
- if ((reply = racoon_malloc(sizeof(*reply))) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot allocate reply buffer: %s\n",
- strerror(errno));
- goto out;
- }
- bzero(reply, sizeof(*reply));
- reply->hdr.ac_cmd = combuf->hdr.ac_cmd;
- reply->hdr.ac_len = sizeof(*reply);
-
- switch(combuf->hdr.ac_cmd) {
- /*
- * XXX Improvement: instead of returning the key,
- * stuff eay_get_pkcs1privkey and eay_get_x509sign
- * together and sign the hash in the privilegied
- * instance?
- * pro: the key remains inaccessible to unpriv
- * con: a compromised unpriv racoon can still sign anything
- */
- case PRIVSEP_EAY_GET_PKCS1PRIVKEY: {
- vchar_t *privkey;
-
- /* Make sure the string is NULL terminated */
- if (safety_check(combuf, 0) != 0)
- break;
- bufs[0][combuf->bufs.buflen[0] - 1] = '\0';
-
- if (unsafe_path(bufs[0], LC_PATHTYPE_CERT) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "privsep_eay_get_pkcs1privkey: "
- "unsafe cert \"%s\"\n", bufs[0]);
- }
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "eay_get_pkcs1privkey(\"%s\")\n", bufs[0]);
-
- if ((privkey = eay_get_pkcs1privkey(bufs[0])) == NULL){
- reply->hdr.ac_errno = errno;
- break;
- }
-
- reply->bufs.buflen[0] = privkey->l;
- reply->hdr.ac_len = sizeof(*reply) + privkey->l;
- reply = racoon_realloc(reply, reply->hdr.ac_len);
- if (reply == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot allocate reply buffer: %s\n",
- strerror(errno));
- goto out;
- }
-
- memcpy(reply + 1, privkey->v, privkey->l);
- vfree(privkey);
- break;
- }
-
- case PRIVSEP_SCRIPT_EXEC: {
- char *script;
- int name;
- char **envp = NULL;
- int envc = 0;
- int count = 0;
- int i;
-
- /*
- * First count the bufs, and make sure strings
- * are NULL terminated.
- *
- * We expect: script, name, envp[], void
- */
- if (safety_check(combuf, 0) != 0)
- break;
- bufs[0][combuf->bufs.buflen[0] - 1] = '\0';
- count++; /* script */
-
- count++; /* name */
-
- for (; count < PRIVSEP_NBUF_MAX; count++) {
- if (combuf->bufs.buflen[count] == 0)
- break;
- bufs[count]
- [combuf->bufs.buflen[count] - 1] = '\0';
- envc++;
- }
-
- /* count a void buf and perform safety check */
- count++;
- if (count >= PRIVSEP_NBUF_MAX) {
- plog(LLV_ERROR, LOCATION, NULL,
- "privsep_script_exec: too many args\n");
- goto out;
- }
-
-
- /*
- * Allocate the arrays for envp
- */
- envp = racoon_malloc((envc + 1) * sizeof(char *));
- if (envp == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "cannot allocate memory: %s\n",
- strerror(errno));
- goto out;
- }
- bzero(envp, (envc + 1) * sizeof(char *));
-
-
- /*
- * Populate script, name and envp
- */
- count = 0;
- script = bufs[count++];
-
- if (combuf->bufs.buflen[count] != sizeof(name)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "privsep_script_exec: corrupted message\n");
- goto out;
- }
- memcpy((char *)&name, bufs[count++], sizeof(name));
-
- for (i = 0; combuf->bufs.buflen[count]; count++)
- envp[i++] = bufs[count];
-
- count++; /* void */
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "script_exec(\"%s\", %d, %p)\n",
- script, name, envp);
-
- /*
- * Check env for dangerous variables
- * Check script path and name
- * Perform fork and execve
- */
- if ((unsafe_env(envp) == 0) &&
- (unknown_name(name) == 0) &&
- (unsafe_path(script, LC_PATHTYPE_SCRIPT) == 0))
- (void)script_exec(script, name, envp);
- else
- plog(LLV_ERROR, LOCATION, NULL,
- "privsep_script_exec: "
- "unsafe script \"%s\"\n", script);
-
- racoon_free(envp);
- break;
- }
-
- case PRIVSEP_GETPSK: {
- vchar_t *psk;
- int keylen;
-
- /* Make sure the string is NULL terminated */
- if (safety_check(combuf, 0) != 0)
- break;
- bufs[0][combuf->bufs.buflen[0] - 1] = '\0';
-
- if (combuf->bufs.buflen[1] != sizeof(keylen)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "privsep_getpsk: corrupted message\n");
- goto out;
- }
- memcpy(&keylen, bufs[1], sizeof(keylen));
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "getpsk(\"%s\", %d)\n", bufs[0], keylen);
-
- if ((psk = getpsk(bufs[0], keylen)) == NULL) {
- reply->hdr.ac_errno = errno;
- break;
- }
-
- reply->bufs.buflen[0] = psk->l;
- reply->hdr.ac_len = sizeof(*reply) + psk->l;
- reply = racoon_realloc(reply, reply->hdr.ac_len);
- if (reply == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot allocate reply buffer: %s\n",
- strerror(errno));
- goto out;
- }
-
- memcpy(reply + 1, psk->v, psk->l);
- vfree(psk);
- break;
- }
-
-#ifdef ENABLE_HYBRID
- case PRIVSEP_ACCOUNTING_SYSTEM: {
- int pool_size;
- int port;
- int inout;
- struct sockaddr *raddr;
-
- if (safety_check(combuf, 0) != 0)
- break;
- if (safety_check(combuf, 1) != 0)
- break;
- if (safety_check(combuf, 2) != 0)
- break;
- if (safety_check(combuf, 3) != 0)
- break;
-
- memcpy(&port, bufs[0], sizeof(port));
- raddr = (struct sockaddr *)bufs[1];
-
- bufs[2][combuf->bufs.buflen[2] - 1] = '\0';
- memcpy(&inout, bufs[3], sizeof(port));
-
- if (port_check(port) != 0)
- break;
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "accounting_system(%d, %s, %s)\n",
- port, saddr2str(raddr), bufs[2]);
-
- errno = 0;
- if (isakmp_cfg_accounting_system(port,
- raddr, bufs[2], inout) != 0) {
- if (errno == 0)
- reply->hdr.ac_errno = EINVAL;
- else
- reply->hdr.ac_errno = errno;
- }
- break;
- }
- case PRIVSEP_XAUTH_LOGIN_SYSTEM: {
- if (safety_check(combuf, 0) != 0)
- break;
- bufs[0][combuf->bufs.buflen[0] - 1] = '\0';
-
- if (safety_check(combuf, 1) != 0)
- break;
- bufs[1][combuf->bufs.buflen[1] - 1] = '\0';
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "xauth_login_system(\"%s\", <password>)\n",
- bufs[0]);
-
- errno = 0;
- if (xauth_login_system(bufs[0], bufs[1]) != 0) {
- if (errno == 0)
- reply->hdr.ac_errno = EINVAL;
- else
- reply->hdr.ac_errno = errno;
- }
- break;
- }
-#ifdef HAVE_LIBPAM
- case PRIVSEP_ACCOUNTING_PAM: {
- int port;
- int inout;
- int pool_size;
-
- if (safety_check(combuf, 0) != 0)
- break;
- if (safety_check(combuf, 1) != 0)
- break;
- if (safety_check(combuf, 2) != 0)
- break;
-
- memcpy(&port, bufs[0], sizeof(port));
- memcpy(&inout, bufs[1], sizeof(inout));
- memcpy(&pool_size, bufs[2], sizeof(pool_size));
-
- if (pool_size != isakmp_cfg_config.pool_size)
- if (isakmp_cfg_resize_pool(pool_size) != 0)
- break;
-
- if (port_check(port) != 0)
- break;
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "isakmp_cfg_accounting_pam(%d, %d)\n",
- port, inout);
-
- errno = 0;
- if (isakmp_cfg_accounting_pam(port, inout) != 0) {
- if (errno == 0)
- reply->hdr.ac_errno = EINVAL;
- else
- reply->hdr.ac_errno = errno;
- }
- break;
- }
-
- case PRIVSEP_XAUTH_LOGIN_PAM: {
- int port;
- int pool_size;
- struct sockaddr *raddr;
-
- if (safety_check(combuf, 0) != 0)
- break;
- if (safety_check(combuf, 1) != 0)
- break;
- if (safety_check(combuf, 2) != 0)
- break;
- if (safety_check(combuf, 3) != 0)
- break;
- if (safety_check(combuf, 4) != 0)
- break;
-
- memcpy(&port, bufs[0], sizeof(port));
- memcpy(&pool_size, bufs[1], sizeof(pool_size));
- raddr = (struct sockaddr *)bufs[2];
-
- bufs[3][combuf->bufs.buflen[3] - 1] = '\0';
- bufs[4][combuf->bufs.buflen[4] - 1] = '\0';
-
- if (pool_size != isakmp_cfg_config.pool_size)
- if (isakmp_cfg_resize_pool(pool_size) != 0)
- break;
-
- if (port_check(port) != 0)
- break;
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "xauth_login_pam(%d, %s, \"%s\", <password>)\n",
- port, saddr2str(raddr), bufs[3]);
-
- errno = 0;
- if (xauth_login_pam(port,
- raddr, bufs[3], bufs[4]) != 0) {
- if (errno == 0)
- reply->hdr.ac_errno = EINVAL;
- else
- reply->hdr.ac_errno = errno;
- }
- break;
- }
-
- case PRIVSEP_CLEANUP_PAM: {
- int port;
- int pool_size;
-
- if (safety_check(combuf, 0) != 0)
- break;
- if (safety_check(combuf, 1) != 0)
- break;
-
- memcpy(&port, bufs[0], sizeof(port));
- memcpy(&pool_size, bufs[1], sizeof(pool_size));
-
- if (pool_size != isakmp_cfg_config.pool_size)
- if (isakmp_cfg_resize_pool(pool_size) != 0)
- break;
-
- if (port_check(port) != 0)
- break;
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "cleanup_pam(%d)\n", port);
-
- cleanup_pam(port);
- reply->hdr.ac_errno = 0;
-
- break;
- }
-#endif /* HAVE_LIBPAM */
-#endif /* ENABLE_HYBRID */
-
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "unexpected privsep command %d\n",
- combuf->hdr.ac_cmd);
- goto out;
- break;
- }
-
- /* This frees reply */
- if (privsep_send(privsep_sock[0],
- reply, reply->hdr.ac_len) != 0)
- goto out;
-
- racoon_free(combuf);
- }
-
-out:
- plog(LLV_INFO, LOCATION, NULL, "privsep exit\n");
- _exit(0);
-}
-
-
-vchar_t *
-privsep_eay_get_pkcs1privkey(path)
- char *path;
-{
- vchar_t *privkey;
- struct privsep_com_msg *msg;
- size_t len;
-
- if (geteuid() == 0)
- return eay_get_pkcs1privkey(path);
-
- len = sizeof(*msg) + strlen(path) + 1;
- if ((msg = racoon_malloc(len)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot allocate memory: %s\n", strerror(errno));
- return NULL;
- }
- bzero(msg, len);
- msg->hdr.ac_cmd = PRIVSEP_EAY_GET_PKCS1PRIVKEY;
- msg->hdr.ac_len = len;
- msg->bufs.buflen[0] = len - sizeof(*msg);
- memcpy(msg + 1, path, msg->bufs.buflen[0]);
-
- if (privsep_send(privsep_sock[1], msg, len) != 0)
- return NULL;
-
- if (privsep_recv(privsep_sock[1], &msg, &len) != 0)
- return NULL;
-
- if (msg->hdr.ac_errno != 0) {
- errno = msg->hdr.ac_errno;
- goto out;
- }
-
- if ((privkey = vmalloc(len - sizeof(*msg))) == NULL)
- goto out;
-
- memcpy(privkey->v, msg + 1, privkey->l);
- racoon_free(msg);
- return privkey;
-
-out:
- racoon_free(msg);
- return NULL;
-}
-
-/*
- * No prigilege separation trick here, we just open PFKEY before
- * dropping root privs and we remember it later.
- */
-static int pfkey_socket = -1;
-int
-privsep_pfkey_open(void)
-{
- int ps;
-
- if (pfkey_socket != -1)
- return pfkey_socket;
-
- ps = pfkey_open();
- if (ps != -1)
- pfkey_socket = ps;
-
- return ps;
-}
-
-/*
- * Consequence of the above trickery: don't
- * really close PFKEY as we never re-open it.
- */
-void
-privsep_pfkey_close(ps)
- int ps;
-{
- return;
-}
-
-int
-privsep_script_exec(script, name, envp)
- char *script;
- int name;
- char *const envp[];
-{
- int count = 0;
- char *const *c;
- char *data;
- size_t len;
- struct privsep_com_msg *msg;
-
- if (geteuid() == 0)
- return script_exec(script, name, envp);
-
- if ((msg = racoon_malloc(sizeof(*msg))) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot allocate memory: %s\n", strerror(errno));
- return -1;
- }
-
- bzero(msg, sizeof(*msg));
- msg->hdr.ac_cmd = PRIVSEP_SCRIPT_EXEC;
- msg->hdr.ac_len = sizeof(*msg);
-
- /*
- * We send:
- * script, name, envp[0], ... envp[N], void
- */
-
- /*
- * Safety check on the counts: PRIVSEP_NBUF_MAX max
- */
- count = 0;
- count++; /* script */
- count++; /* name */
- for (c = envp; *c; c++) /* envp */
- count++;
- count++; /* void */
-
- if (count > PRIVSEP_NBUF_MAX) {
- plog(LLV_ERROR, LOCATION, NULL, "Unexpected error: "
- "privsep_script_exec count > PRIVSEP_NBUF_MAX\n");
- racoon_free(msg);
- return -1;
- }
-
-
- /*
- * Compute the length
- */
- count = 0;
- msg->bufs.buflen[count] = strlen(script) + 1; /* script */
- msg->hdr.ac_len += msg->bufs.buflen[count++];
-
- msg->bufs.buflen[count] = sizeof(name); /* name */
- msg->hdr.ac_len += msg->bufs.buflen[count++];
-
- for (c = envp; *c; c++) { /* envp */
- msg->bufs.buflen[count] = strlen(*c) + 1;
- msg->hdr.ac_len += msg->bufs.buflen[count++];
- }
-
- msg->bufs.buflen[count] = 0; /* void */
- msg->hdr.ac_len += msg->bufs.buflen[count++];
-
- if ((msg = racoon_realloc(msg, msg->hdr.ac_len)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot allocate memory: %s\n", strerror(errno));
- return -1;
- }
-
- /*
- * Now copy the data
- */
- data = (char *)(msg + 1);
- count = 0;
-
- memcpy(data, (char *)script, msg->bufs.buflen[count]); /* script */
- data += msg->bufs.buflen[count++];
-
- memcpy(data, (char *)&name, msg->bufs.buflen[count]); /* name */
- data += msg->bufs.buflen[count++];
-
- for (c = envp; *c; c++) { /* envp */
- memcpy(data, *c, msg->bufs.buflen[count]);
- data += msg->bufs.buflen[count++];
- }
-
- count++; /* void */
-
- /*
- * And send it!
- */
- if (privsep_send(privsep_sock[1], msg, msg->hdr.ac_len) != 0)
- return -1;
-
- if (privsep_recv(privsep_sock[1], &msg, &len) != 0)
- return -1;
-
- if (msg->hdr.ac_errno != 0) {
- errno = msg->hdr.ac_errno;
- racoon_free(msg);
- return -1;
- }
-
- racoon_free(msg);
- return 0;
-}
-
-vchar_t *
-privsep_getpsk(str, keylen)
- const char *str;
- int keylen;
-{
- vchar_t *psk;
- struct privsep_com_msg *msg;
- size_t len;
- int *keylenp;
- char *data;
-
- if (geteuid() == 0)
- return getpsk(str, keylen);
-
- len = sizeof(*msg) + strlen(str) + 1 + sizeof(keylen);
- if ((msg = racoon_malloc(len)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot allocate memory: %s\n", strerror(errno));
- return NULL;
- }
- bzero(msg, len);
- msg->hdr.ac_cmd = PRIVSEP_GETPSK;
- msg->hdr.ac_len = len;
-
- data = (char *)(msg + 1);
- msg->bufs.buflen[0] = strlen(str) + 1;
- memcpy(data, str, msg->bufs.buflen[0]);
-
- data += msg->bufs.buflen[0];
- msg->bufs.buflen[1] = sizeof(keylen);
- memcpy(data, &keylen, sizeof(keylen));
-
- if (privsep_send(privsep_sock[1], msg, len) != 0)
- return NULL;
-
- if (privsep_recv(privsep_sock[1], &msg, &len) != 0)
- return NULL;
-
- if (msg->hdr.ac_errno != 0) {
- errno = msg->hdr.ac_errno;
- goto out;
- }
-
- if ((psk = vmalloc(len - sizeof(*msg))) == NULL)
- goto out;
-
- memcpy(psk->v, msg + 1, psk->l);
- racoon_free(msg);
- return psk;
-
-out:
- racoon_free(msg);
- return NULL;
-}
-
-#ifdef ENABLE_HYBRID
-int
-privsep_xauth_login_system(usr, pwd)
- char *usr;
- char *pwd;
-{
- struct privsep_com_msg *msg;
- size_t len;
- char *data;
-
- if (geteuid() == 0)
- return xauth_login_system(usr, pwd);
-
- len = sizeof(*msg) + strlen(usr) + 1 + strlen(pwd) + 1;
- if ((msg = racoon_malloc(len)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot allocate memory: %s\n", strerror(errno));
- return -1;
- }
- bzero(msg, len);
- msg->hdr.ac_cmd = PRIVSEP_XAUTH_LOGIN_SYSTEM;
- msg->hdr.ac_len = len;
-
- data = (char *)(msg + 1);
- msg->bufs.buflen[0] = strlen(usr) + 1;
- memcpy(data, usr, msg->bufs.buflen[0]);
- data += msg->bufs.buflen[0];
-
- msg->bufs.buflen[1] = strlen(pwd) + 1;
- memcpy(data, pwd, msg->bufs.buflen[1]);
-
- if (privsep_send(privsep_sock[1], msg, len) != 0)
- return -1;
-
- if (privsep_recv(privsep_sock[1], &msg, &len) != 0)
- return -1;
-
- if (msg->hdr.ac_errno != 0) {
- racoon_free(msg);
- return -1;
- }
-
- racoon_free(msg);
- return 0;
-}
-
-int
-privsep_accounting_system(port, raddr, usr, inout)
- int port;
- struct sockaddr *raddr;
- char *usr;
- int inout;
-{
- struct privsep_com_msg *msg;
- size_t len;
- char *data;
- int result;
-
- if (geteuid() == 0)
- return isakmp_cfg_accounting_system(port, raddr,
- usr, inout);
-
- len = sizeof(*msg)
- + sizeof(port)
- + sysdep_sa_len(raddr)
- + strlen(usr) + 1
- + sizeof(inout);
-
- if ((msg = racoon_malloc(len)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot allocate memory: %s\n", strerror(errno));
- return -1;
- }
- bzero(msg, len);
- msg->hdr.ac_cmd = PRIVSEP_ACCOUNTING_SYSTEM;
- msg->hdr.ac_len = len;
- msg->bufs.buflen[0] = sizeof(port);
- msg->bufs.buflen[1] = sysdep_sa_len(raddr);
- msg->bufs.buflen[2] = strlen(usr) + 1;
- msg->bufs.buflen[3] = sizeof(inout);
-
- data = (char *)(msg + 1);
- memcpy(data, &port, msg->bufs.buflen[0]);
-
- data += msg->bufs.buflen[0];
- memcpy(data, raddr, msg->bufs.buflen[1]);
-
- data += msg->bufs.buflen[1];
- memcpy(data, usr, msg->bufs.buflen[2]);
-
- data += msg->bufs.buflen[2];
- memcpy(data, &inout, msg->bufs.buflen[3]);
-
- if (privsep_send(privsep_sock[1], msg, len) != 0)
- return -1;
-
- if (privsep_recv(privsep_sock[1], &msg, &len) != 0)
- return -1;
-
- if (msg->hdr.ac_errno != 0) {
- errno = msg->hdr.ac_errno;
- goto out;
- }
-
- racoon_free(msg);
- return 0;
-
-out:
- racoon_free(msg);
- return -1;
-}
-
-static int
-port_check(port)
- int port;
-{
- if ((port < 0) || (port >= isakmp_cfg_config.pool_size)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "privsep: port %d outside of allowed range [0,%zu]\n",
- port, isakmp_cfg_config.pool_size - 1);
- return -1;
- }
-
- return 0;
-}
-#endif
-
-static int
-safety_check(msg, index)
- struct privsep_com_msg *msg;
- int index;
-{
- if (index >= PRIVSEP_NBUF_MAX) {
- plog(LLV_ERROR, LOCATION, NULL,
- "privsep: Corrupted message, too many buffers\n");
- return -1;
- }
-
- if (msg->bufs.buflen[index] == 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "privsep: Corrupted message, unexpected void buffer\n");
- return -1;
- }
-
- return 0;
-}
-
-/*
- * Filter unsafe environement variables
- */
-static int
-unsafe_env(envp)
- char *const *envp;
-{
- char *const *e;
- char *const *be;
- char *const bad_env[] = { "PATH=", "LD_LIBRARY_PATH=", "IFS=", NULL };
-
- for (e = envp; *e; e++) {
- for (be = bad_env; *be; be++) {
- if (strncmp(*e, *be, strlen(*be)) == 0) {
- goto found;
- }
- }
- }
-
- return 0;
-found:
- plog(LLV_ERROR, LOCATION, NULL,
- "privsep_script_exec: unsafe environement variable\n");
- return -1;
-}
-
-/*
- * Check path safety
- */
-static int
-unsafe_path(script, pathtype)
- char *script;
- int pathtype;
-{
- char *path;
- char rpath[MAXPATHLEN + 1];
- size_t len;
-
- if (script == NULL)
- return -1;
-
- path = lcconf->pathinfo[pathtype];
-
- /* No path was given for scripts: skip the check */
- if (path == NULL)
- return 0;
-
- if (realpath(script, rpath) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "script path \"%s\" is invalid\n", script);
- return -1;
- }
-
- len = strlen(path);
- if (strncmp(path, rpath, len) != 0)
- return -1;
-
- return 0;
-}
-
-static int
-unknown_name(name)
- int name;
-{
- if ((name < 0) || (name > SCRIPT_MAX)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "privsep_script_exec: unsafe name index\n");
- return -1;
- }
-
- return 0;
-}
-
-#ifdef HAVE_LIBPAM
-int
-privsep_accounting_pam(port, inout)
- int port;
- int inout;
-{
- struct privsep_com_msg *msg;
- size_t len;
- int *port_data;
- int *inout_data;
- int *pool_size_data;
- int result;
-
- if (geteuid() == 0)
- return isakmp_cfg_accounting_pam(port, inout);
-
- len = sizeof(*msg)
- + sizeof(port)
- + sizeof(inout)
- + sizeof(isakmp_cfg_config.pool_size);
-
- if ((msg = racoon_malloc(len)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot allocate memory: %s\n", strerror(errno));
- return -1;
- }
- bzero(msg, len);
- msg->hdr.ac_cmd = PRIVSEP_ACCOUNTING_PAM;
- msg->hdr.ac_len = len;
- msg->bufs.buflen[0] = sizeof(port);
- msg->bufs.buflen[1] = sizeof(inout);
- msg->bufs.buflen[2] = sizeof(isakmp_cfg_config.pool_size);
-
- port_data = (int *)(msg + 1);
- inout_data = (int *)(port_data + 1);
- pool_size_data = (int *)(inout_data + 1);
-
- *port_data = port;
- *inout_data = inout;
- *pool_size_data = isakmp_cfg_config.pool_size;
-
- if (privsep_send(privsep_sock[1], msg, len) != 0)
- return -1;
-
- if (privsep_recv(privsep_sock[1], &msg, &len) != 0)
- return -1;
-
- if (msg->hdr.ac_errno != 0) {
- errno = msg->hdr.ac_errno;
- goto out;
- }
-
- racoon_free(msg);
- return 0;
-
-out:
- racoon_free(msg);
- return -1;
-}
-
-int
-privsep_xauth_login_pam(port, raddr, usr, pwd)
- int port;
- struct sockaddr *raddr;
- char *usr;
- char *pwd;
-{
- struct privsep_com_msg *msg;
- size_t len;
- char *data;
- int result;
-
- if (geteuid() == 0)
- return xauth_login_pam(port, raddr, usr, pwd);
-
- len = sizeof(*msg)
- + sizeof(port)
- + sizeof(isakmp_cfg_config.pool_size)
- + sysdep_sa_len(raddr)
- + strlen(usr) + 1
- + strlen(pwd) + 1;
-
- if ((msg = racoon_malloc(len)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot allocate memory: %s\n", strerror(errno));
- return -1;
- }
- bzero(msg, len);
- msg->hdr.ac_cmd = PRIVSEP_XAUTH_LOGIN_PAM;
- msg->hdr.ac_len = len;
- msg->bufs.buflen[0] = sizeof(port);
- msg->bufs.buflen[1] = sizeof(isakmp_cfg_config.pool_size);
- msg->bufs.buflen[2] = sysdep_sa_len(raddr);
- msg->bufs.buflen[3] = strlen(usr) + 1;
- msg->bufs.buflen[4] = strlen(pwd) + 1;
-
- data = (char *)(msg + 1);
- memcpy(data, &port, msg->bufs.buflen[0]);
-
- data += msg->bufs.buflen[0];
- memcpy(data, &isakmp_cfg_config.pool_size, msg->bufs.buflen[1]);
-
- data += msg->bufs.buflen[1];
- memcpy(data, raddr, msg->bufs.buflen[2]);
-
- data += msg->bufs.buflen[2];
- memcpy(data, usr, msg->bufs.buflen[3]);
-
- data += msg->bufs.buflen[3];
- memcpy(data, pwd, msg->bufs.buflen[4]);
-
- if (privsep_send(privsep_sock[1], msg, len) != 0)
- return -1;
-
- if (privsep_recv(privsep_sock[1], &msg, &len) != 0)
- return -1;
-
- if (msg->hdr.ac_errno != 0) {
- errno = msg->hdr.ac_errno;
- goto out;
- }
-
- racoon_free(msg);
- return 0;
-
-out:
- racoon_free(msg);
- return -1;
-}
-
-void
-privsep_cleanup_pam(port)
- int port;
-{
- struct privsep_com_msg *msg;
- size_t len;
- char *data;
- int result;
-
- if (geteuid() == 0)
- return cleanup_pam(port);
-
- len = sizeof(*msg)
- + sizeof(port)
- + sizeof(isakmp_cfg_config.pool_size);
-
- if ((msg = racoon_malloc(len)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot allocate memory: %s\n", strerror(errno));
- return;
- }
- bzero(msg, len);
- msg->hdr.ac_cmd = PRIVSEP_CLEANUP_PAM;
- msg->hdr.ac_len = len;
- msg->bufs.buflen[0] = sizeof(port);
- msg->bufs.buflen[1] = sizeof(isakmp_cfg_config.pool_size);
-
- data = (char *)(msg + 1);
- memcpy(data, &port, msg->bufs.buflen[0]);
-
- data += msg->bufs.buflen[0];
- memcpy(data, &isakmp_cfg_config.pool_size, msg->bufs.buflen[1]);
-
- if (privsep_send(privsep_sock[1], msg, len) != 0)
- return;
-
- if (privsep_recv(privsep_sock[1], &msg, &len) != 0)
- return;
-
- if (msg->hdr.ac_errno != 0)
- errno = msg->hdr.ac_errno;
-
- racoon_free(msg);
- return;
-}
-#endif
diff --git a/src/racoon/privsep.h b/src/racoon/privsep.h
deleted file mode 100644
index 0fa4363..0000000
--- a/src/racoon/privsep.h
+++ /dev/null
@@ -1,72 +0,0 @@
-/* $NetBSD: privsep.h,v 1.4 2006/09/09 16:22:10 manu Exp $ */
-
-/* Id: privsep.h,v 1.5 2005/06/07 12:22:11 fredsen Exp */
-
-/*
- * Copyright (C) 2004 Emmanuel Dreyfus
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _PRIVSEP_H
-#define _PRIVSEP_H
-
-#define PRIVSEP_EAY_GET_PKCS1PRIVKEY 0x0801 /* admin_com_bufs follows */
-#define PRIVSEP_SCRIPT_EXEC 0x0803 /* admin_com_bufs follows */
-#define PRIVSEP_GETPSK 0x0804 /* admin_com_bufs follows */
-#define PRIVSEP_XAUTH_LOGIN_SYSTEM 0x0805 /* admin_com_bufs follows */
-#define PRIVSEP_ACCOUNTING_PAM 0x0806 /* admin_com_bufs follows */
-#define PRIVSEP_XAUTH_LOGIN_PAM 0x0807 /* admin_com_bufs follows */
-#define PRIVSEP_CLEANUP_PAM 0x0808 /* admin_com_bufs follows */
-#define PRIVSEP_ACCOUNTING_SYSTEM 0x0809 /* admin_com_bufs follows */
-
-#define PRIVSEP_NBUF_MAX 24
-#define PRIVSEP_BUFLEN_MAX 4096
-struct admin_com_bufs {
- size_t buflen[PRIVSEP_NBUF_MAX];
- /* Followed by the buffers */
-};
-
-struct privsep_com_msg {
- struct admin_com hdr;
- struct admin_com_bufs bufs;
-};
-
-int privsep_init __P((void));
-
-vchar_t *privsep_eay_get_pkcs1privkey __P((char *));
-int privsep_pfkey_open __P((void));
-void privsep_pfkey_close __P((int));
-int privsep_script_exec __P((char *, int, char * const *));
-vchar_t *privsep_getpsk __P((const char *, const int));
-int privsep_xauth_login_system __P((char *, char *));
-#ifdef HAVE_LIBPAM
-int privsep_accounting_pam __P((int, int));
-int privsep_xauth_login_pam __P((int, struct sockaddr *, char *, char *));
-void privsep_cleanup_pam __P((int));
-#endif
-int privsep_accounting_system __P((int, struct sockaddr *, char *, int));
-#endif /* _PRIVSEP_H */
diff --git a/src/racoon/proposal.c b/src/racoon/proposal.c
deleted file mode 100644
index 26c9274..0000000
--- a/src/racoon/proposal.c
+++ /dev/null
@@ -1,1294 +0,0 @@
-/* $NetBSD: proposal.c,v 1.13.4.2 2008/07/22 13:25:42 vanhu Exp $ */
-
-/* $Id: proposal.c,v 1.13.4.2 2008/07/22 13:25:42 vanhu Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/queue.h>
-
-#include <netinet/in.h>
-#include PATH_IPSEC_H
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "sockmisc.h"
-#include "debug.h"
-
-#include "policy.h"
-#include "pfkey.h"
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "ipsec_doi.h"
-#include "algorithm.h"
-#include "proposal.h"
-#include "sainfo.h"
-#include "localconf.h"
-#include "remoteconf.h"
-#include "oakley.h"
-#include "handler.h"
-#include "strnames.h"
-#include "gcmalloc.h"
-#ifdef ENABLE_NATT
-#include "nattraversal.h"
-#endif
-
-static uint g_nextreqid = 1;
-
-/* %%%
- * modules for ipsec sa spec
- */
-struct saprop *
-newsaprop()
-{
- struct saprop *new;
-
- new = racoon_calloc(1, sizeof(*new));
- if (new == NULL)
- return NULL;
-
- return new;
-}
-
-struct saproto *
-newsaproto()
-{
- struct saproto *new;
-
- new = racoon_calloc(1, sizeof(*new));
- if (new == NULL)
- return NULL;
-
- return new;
-}
-
-/* set saprop to last part of the prop tree */
-void
-inssaprop(head, new)
- struct saprop **head;
- struct saprop *new;
-{
- struct saprop *p;
-
- if (*head == NULL) {
- *head = new;
- return;
- }
-
- for (p = *head; p->next; p = p->next)
- ;
- p->next = new;
-
- return;
-}
-
-/* set saproto to the end of the proto tree in saprop */
-void
-inssaproto(pp, new)
- struct saprop *pp;
- struct saproto *new;
-{
- struct saproto *p;
-
- for (p = pp->head; p && p->next; p = p->next)
- ;
- if (p == NULL)
- pp->head = new;
- else
- p->next = new;
-
- return;
-}
-
-/* set saproto to the top of the proto tree in saprop */
-void
-inssaprotorev(pp, new)
- struct saprop *pp;
- struct saproto *new;
-{
- new->next = pp->head;
- pp->head = new;
-
- return;
-}
-
-struct satrns *
-newsatrns()
-{
- struct satrns *new;
-
- new = racoon_calloc(1, sizeof(*new));
- if (new == NULL)
- return NULL;
-
- return new;
-}
-
-/* set saproto to last part of the proto tree in saprop */
-void
-inssatrns(pr, new)
- struct saproto *pr;
- struct satrns *new;
-{
- struct satrns *tr;
-
- for (tr = pr->head; tr && tr->next; tr = tr->next)
- ;
- if (tr == NULL)
- pr->head = new;
- else
- tr->next = new;
-
- return;
-}
-
-/*
- * take a single match between saprop. allocate a new proposal and return it
- * for future use (like picking single proposal from a bundle).
- * pp1: peer's proposal.
- * pp2: my proposal.
- * NOTE: In the case of initiator, must be ensured that there is no
- * modification of the proposal by calling cmp_aproppair_i() before
- * this function.
- * XXX cannot understand the comment!
- */
-struct saprop *
-cmpsaprop_alloc(ph1, pp1, pp2, side)
- struct ph1handle *ph1;
- const struct saprop *pp1, *pp2;
- int side;
-{
- struct saprop *newpp = NULL;
- struct saproto *pr1, *pr2, *newpr = NULL;
- struct satrns *tr1, *tr2, *newtr;
- const int ordermatters = 0;
- int npr1, npr2;
- int spisizematch;
-
- newpp = newsaprop();
- if (newpp == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate saprop.\n");
- return NULL;
- }
- newpp->prop_no = pp1->prop_no;
-
- /* see proposal.h about lifetime/key length and PFS selection. */
-
- /* check time/bytes lifetime and PFS */
- switch (ph1->rmconf->pcheck_level) {
- case PROP_CHECK_OBEY:
- newpp->lifetime = pp1->lifetime;
- newpp->lifebyte = pp1->lifebyte;
- newpp->pfs_group = pp1->pfs_group;
- break;
-
- case PROP_CHECK_STRICT:
- if (pp1->lifetime > pp2->lifetime) {
- plog(LLV_ERROR, LOCATION, NULL,
- "long lifetime proposed: "
- "my:%d peer:%d\n",
- (int)pp2->lifetime, (int)pp1->lifetime);
- goto err;
- }
- if (pp1->lifebyte > pp2->lifebyte) {
- plog(LLV_ERROR, LOCATION, NULL,
- "long lifebyte proposed: "
- "my:%d peer:%d\n",
- pp2->lifebyte, pp1->lifebyte);
- goto err;
- }
- newpp->lifetime = pp1->lifetime;
- newpp->lifebyte = pp1->lifebyte;
-
- prop_pfs_check:
- if (pp2->pfs_group != 0 && pp1->pfs_group != pp2->pfs_group) {
- plog(LLV_ERROR, LOCATION, NULL,
- "pfs group mismatched: "
- "my:%d peer:%d\n",
- pp2->pfs_group, pp1->pfs_group);
- goto err;
- }
- newpp->pfs_group = pp1->pfs_group;
- break;
-
- case PROP_CHECK_CLAIM:
- /* lifetime */
- if (pp1->lifetime <= pp2->lifetime) {
- newpp->lifetime = pp1->lifetime;
- } else {
- newpp->lifetime = pp2->lifetime;
- newpp->claim |= IPSECDOI_ATTR_SA_LD_TYPE_SEC;
- plog(LLV_NOTIFY, LOCATION, NULL,
- "use own lifetime: "
- "my:%d peer:%d\n",
- (int)pp2->lifetime, (int)pp1->lifetime);
- }
-
- /* lifebyte */
- if (pp1->lifebyte > pp2->lifebyte) {
- newpp->lifebyte = pp2->lifebyte;
- newpp->claim |= IPSECDOI_ATTR_SA_LD_TYPE_SEC;
- plog(LLV_NOTIFY, LOCATION, NULL,
- "use own lifebyte: "
- "my:%d peer:%d\n",
- pp2->lifebyte, pp1->lifebyte);
- }
- newpp->lifebyte = pp1->lifebyte;
-
- goto prop_pfs_check;
- break;
-
- case PROP_CHECK_EXACT:
- if (pp1->lifetime != pp2->lifetime) {
- plog(LLV_ERROR, LOCATION, NULL,
- "lifetime mismatched: "
- "my:%d peer:%d\n",
- (int)pp2->lifetime, (int)pp1->lifetime);
- goto err;
- }
-
- if (pp1->lifebyte != pp2->lifebyte) {
- plog(LLV_ERROR, LOCATION, NULL,
- "lifebyte mismatched: "
- "my:%d peer:%d\n",
- pp2->lifebyte, pp1->lifebyte);
- goto err;
- }
- if (pp1->pfs_group != pp2->pfs_group) {
- plog(LLV_ERROR, LOCATION, NULL,
- "pfs group mismatched: "
- "my:%d peer:%d\n",
- pp2->pfs_group, pp1->pfs_group);
- goto err;
- }
- newpp->lifetime = pp1->lifetime;
- newpp->lifebyte = pp1->lifebyte;
- newpp->pfs_group = pp1->pfs_group;
- break;
-
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid pcheck_level why?.\n");
- goto err;
- }
-
-#ifdef HAVE_SECCTX
- /* check the security_context properties.
- * It is possible for one side to have a security context
- * and the other side doesn't. If so, this is an error.
- */
-
- if (*pp1->sctx.ctx_str && !(*pp2->sctx.ctx_str)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "My proposal missing security context\n");
- goto err;
- }
- if (!(*pp1->sctx.ctx_str) && *pp2->sctx.ctx_str) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Peer is missing security context\n");
- goto err;
- }
-
- if (*pp1->sctx.ctx_str && *pp2->sctx.ctx_str) {
- if (pp1->sctx.ctx_doi == pp2->sctx.ctx_doi)
- newpp->sctx.ctx_doi = pp1->sctx.ctx_doi;
- else {
- plog(LLV_ERROR, LOCATION, NULL,
- "sec doi mismatched: my:%d peer:%d\n",
- pp2->sctx.ctx_doi, pp1->sctx.ctx_doi);
- goto err;
- }
-
- if (pp1->sctx.ctx_alg == pp2->sctx.ctx_alg)
- newpp->sctx.ctx_alg = pp1->sctx.ctx_alg;
- else {
- plog(LLV_ERROR, LOCATION, NULL,
- "sec alg mismatched: my:%d peer:%d\n",
- pp2->sctx.ctx_alg, pp1->sctx.ctx_alg);
- goto err;
- }
-
- if ((pp1->sctx.ctx_strlen != pp2->sctx.ctx_strlen) ||
- memcmp(pp1->sctx.ctx_str, pp2->sctx.ctx_str,
- pp1->sctx.ctx_strlen) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "sec ctx string mismatched: my:%s peer:%s\n",
- pp2->sctx.ctx_str, pp1->sctx.ctx_str);
- goto err;
- } else {
- newpp->sctx.ctx_strlen = pp1->sctx.ctx_strlen;
- memcpy(newpp->sctx.ctx_str, pp1->sctx.ctx_str,
- pp1->sctx.ctx_strlen);
- }
- }
-#endif /* HAVE_SECCTX */
-
- npr1 = npr2 = 0;
- for (pr1 = pp1->head; pr1; pr1 = pr1->next)
- npr1++;
- for (pr2 = pp2->head; pr2; pr2 = pr2->next)
- npr2++;
- if (npr1 != npr2)
- goto err;
-
- /* check protocol order */
- pr1 = pp1->head;
- pr2 = pp2->head;
-
- while (1) {
- if (!ordermatters) {
- /*
- * XXX does not work if we have multiple proposals
- * with the same proto_id
- */
- switch (side) {
- case RESPONDER:
- if (!pr2)
- break;
- for (pr1 = pp1->head; pr1; pr1 = pr1->next) {
- if (pr1->proto_id == pr2->proto_id)
- break;
- }
- break;
- case INITIATOR:
- if (!pr1)
- break;
- for (pr2 = pp2->head; pr2; pr2 = pr2->next) {
- if (pr2->proto_id == pr1->proto_id)
- break;
- }
- break;
- }
- }
- if (!pr1 || !pr2)
- break;
-
- if (pr1->proto_id != pr2->proto_id) {
- plog(LLV_ERROR, LOCATION, NULL,
- "proto_id mismatched: "
- "my:%s peer:%s\n",
- s_ipsecdoi_proto(pr2->proto_id),
- s_ipsecdoi_proto(pr1->proto_id));
- goto err;
- }
- spisizematch = 0;
- if (pr1->spisize == pr2->spisize)
- spisizematch = 1;
- else if (pr1->proto_id == IPSECDOI_PROTO_IPCOMP) {
- /*
- * draft-shacham-ippcp-rfc2393bis-05.txt:
- * need to accept 16bit and 32bit SPI (CPI) for IPComp.
- */
- if (pr1->spisize == sizeof(u_int16_t) &&
- pr2->spisize == sizeof(u_int32_t)) {
- spisizematch = 1;
- } else if (pr2->spisize == sizeof(u_int16_t) &&
- pr1->spisize == sizeof(u_int32_t)) {
- spisizematch = 1;
- }
- if (spisizematch) {
- plog(LLV_ERROR, LOCATION, NULL,
- "IPComp SPI size promoted "
- "from 16bit to 32bit\n");
- }
- }
- if (!spisizematch) {
- plog(LLV_ERROR, LOCATION, NULL,
- "spisize mismatched: "
- "my:%d peer:%d\n",
- (int)pr2->spisize, (int)pr1->spisize);
- goto err;
- }
-
-#ifdef ENABLE_NATT
- if ((ph1->natt_flags & NAT_DETECTED) &&
- natt_udp_encap (pr2->encmode))
- {
- plog(LLV_INFO, LOCATION, NULL, "Adjusting my encmode %s->%s\n",
- s_ipsecdoi_encmode(pr2->encmode),
- s_ipsecdoi_encmode(pr2->encmode - ph1->natt_options->mode_udp_diff));
- pr2->encmode -= ph1->natt_options->mode_udp_diff;
- pr2->udp_encap = 1;
- }
-
- if ((ph1->natt_flags & NAT_DETECTED) &&
- natt_udp_encap (pr1->encmode))
- {
- plog(LLV_INFO, LOCATION, NULL, "Adjusting peer's encmode %s(%d)->%s(%d)\n",
- s_ipsecdoi_encmode(pr1->encmode),
- pr1->encmode,
- s_ipsecdoi_encmode(pr1->encmode - ph1->natt_options->mode_udp_diff),
- pr1->encmode - ph1->natt_options->mode_udp_diff);
- pr1->encmode -= ph1->natt_options->mode_udp_diff;
- pr1->udp_encap = 1;
- }
-#endif
-
- if (pr1->encmode != pr2->encmode) {
- plog(LLV_ERROR, LOCATION, NULL,
- "encmode mismatched: "
- "my:%s peer:%s\n",
- s_ipsecdoi_encmode(pr2->encmode),
- s_ipsecdoi_encmode(pr1->encmode));
- goto err;
- }
-
- for (tr1 = pr1->head; tr1; tr1 = tr1->next) {
- for (tr2 = pr2->head; tr2; tr2 = tr2->next) {
- if (cmpsatrns(pr1->proto_id, tr1, tr2, ph1->rmconf->pcheck_level) == 0)
- goto found;
- }
- }
-
- goto err;
-
- found:
- newpr = newsaproto();
- if (newpr == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate saproto.\n");
- goto err;
- }
- newpr->proto_id = pr1->proto_id;
- newpr->spisize = pr1->spisize;
- newpr->encmode = pr1->encmode;
- newpr->spi = pr2->spi; /* copy my SPI */
- newpr->spi_p = pr1->spi; /* copy peer's SPI */
- newpr->reqid_in = pr2->reqid_in;
- newpr->reqid_out = pr2->reqid_out;
-#ifdef ENABLE_NATT
- newpr->udp_encap = pr1->udp_encap | pr2->udp_encap;
-#endif
-
- newtr = newsatrns();
- if (newtr == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate satrns.\n");
- racoon_free(newpr);
- goto err;
- }
- newtr->trns_no = tr1->trns_no;
- newtr->trns_id = tr1->trns_id;
- newtr->encklen = tr1->encklen;
- newtr->authtype = tr1->authtype;
-
- inssatrns(newpr, newtr);
- inssaproto(newpp, newpr);
-
- pr1 = pr1->next;
- pr2 = pr2->next;
- }
-
- /* XXX should check if we have visited all items or not */
- if (!ordermatters) {
- switch (side) {
- case RESPONDER:
- if (!pr2)
- pr1 = NULL;
- break;
- case INITIATOR:
- if (!pr1)
- pr2 = NULL;
- break;
- }
- }
-
- /* should be matched all protocols in a proposal */
- if (pr1 != NULL || pr2 != NULL)
- goto err;
-
- return newpp;
-
-err:
- flushsaprop(newpp);
- return NULL;
-}
-
-/* take a single match between saprop. returns 0 if pp1 equals to pp2. */
-int
-cmpsaprop(pp1, pp2)
- const struct saprop *pp1, *pp2;
-{
- if (pp1->pfs_group != pp2->pfs_group) {
- plog(LLV_WARNING, LOCATION, NULL,
- "pfs_group mismatch. mine:%d peer:%d\n",
- pp1->pfs_group, pp2->pfs_group);
- /* FALLTHRU */
- }
-
- if (pp1->lifetime > pp2->lifetime) {
- plog(LLV_WARNING, LOCATION, NULL,
- "less lifetime proposed. mine:%d peer:%d\n",
- (int)pp1->lifetime, (int)pp2->lifetime);
- /* FALLTHRU */
- }
- if (pp1->lifebyte > pp2->lifebyte) {
- plog(LLV_WARNING, LOCATION, NULL,
- "less lifebyte proposed. mine:%d peer:%d\n",
- pp1->lifebyte, pp2->lifebyte);
- /* FALLTHRU */
- }
-
- return 0;
-}
-
-/*
- * take a single match between satrns. returns 0 if tr1 equals to tr2.
- * tr1: peer's satrns
- * tr2: my satrns
- */
-int
-cmpsatrns(proto_id, tr1, tr2, check_level)
- int proto_id;
- const struct satrns *tr1, *tr2;
- int check_level;
-{
- if (tr1->trns_id != tr2->trns_id) {
- plog(LLV_WARNING, LOCATION, NULL,
- "trns_id mismatched: "
- "my:%s peer:%s\n",
- s_ipsecdoi_trns(proto_id, tr2->trns_id),
- s_ipsecdoi_trns(proto_id, tr1->trns_id));
- return 1;
- }
-
- if (tr1->authtype != tr2->authtype) {
- plog(LLV_WARNING, LOCATION, NULL,
- "authtype mismatched: "
- "my:%s peer:%s\n",
- s_ipsecdoi_attr_v(IPSECDOI_ATTR_AUTH, tr2->authtype),
- s_ipsecdoi_attr_v(IPSECDOI_ATTR_AUTH, tr1->authtype));
- return 1;
- }
-
- /* Check key length regarding checkmode
- * XXX Shall we send some kind of notify message when key length rejected ?
- */
- switch(check_level){
- case PROP_CHECK_OBEY:
- return 0;
- break;
-
- case PROP_CHECK_STRICT:
- /* FALLTHROUGH */
- case PROP_CHECK_CLAIM:
- if (tr1->encklen < tr2->encklen) {
- plog(LLV_WARNING, LOCATION, NULL,
- "low key length proposed, "
- "mine:%d peer:%d.\n",
- tr2->encklen, tr1->encklen);
- return 1;
- }
- break;
- case PROP_CHECK_EXACT:
- if (tr1->encklen != tr2->encklen) {
- plog(LLV_WARNING, LOCATION, NULL,
- "key length mismatched, "
- "mine:%d peer:%d.\n",
- tr2->encklen, tr1->encklen);
- return 1;
- }
- break;
- }
-
- return 0;
-}
-
-int
-set_satrnsbysainfo(pr, sainfo)
- struct saproto *pr;
- struct sainfo *sainfo;
-{
- struct sainfoalg *a, *b;
- struct satrns *newtr;
- int t;
-
- switch (pr->proto_id) {
- case IPSECDOI_PROTO_IPSEC_AH:
- if (sainfo->algs[algclass_ipsec_auth] == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "no auth algorithm found\n");
- goto err;
- }
- t = 1;
- for (a = sainfo->algs[algclass_ipsec_auth]; a; a = a->next) {
-
- if (a->alg == IPSECDOI_ATTR_AUTH_NONE)
- continue;
-
- /* allocate satrns */
- newtr = newsatrns();
- if (newtr == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate satrns.\n");
- goto err;
- }
-
- newtr->trns_no = t++;
- newtr->trns_id = ipsecdoi_authalg2trnsid(a->alg);
- newtr->authtype = a->alg;
-
- inssatrns(pr, newtr);
- }
- break;
- case IPSECDOI_PROTO_IPSEC_ESP:
- if (sainfo->algs[algclass_ipsec_enc] == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "no encryption algorithm found\n");
- goto err;
- }
- t = 1;
- for (a = sainfo->algs[algclass_ipsec_enc]; a; a = a->next) {
- for (b = sainfo->algs[algclass_ipsec_auth]; b; b = b->next) {
- /* allocate satrns */
- newtr = newsatrns();
- if (newtr == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate satrns.\n");
- goto err;
- }
-
- newtr->trns_no = t++;
- newtr->trns_id = a->alg;
- newtr->encklen = a->encklen;
- newtr->authtype = b->alg;
-
- inssatrns(pr, newtr);
- }
- }
- break;
- case IPSECDOI_PROTO_IPCOMP:
- if (sainfo->algs[algclass_ipsec_comp] == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "no ipcomp algorithm found\n");
- goto err;
- }
- t = 1;
- for (a = sainfo->algs[algclass_ipsec_comp]; a; a = a->next) {
-
- /* allocate satrns */
- newtr = newsatrns();
- if (newtr == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate satrns.\n");
- goto err;
- }
-
- newtr->trns_no = t++;
- newtr->trns_id = a->alg;
- newtr->authtype = IPSECDOI_ATTR_AUTH_NONE; /*no auth*/
-
- inssatrns(pr, newtr);
- }
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "unknown proto_id (%d).\n", pr->proto_id);
- goto err;
- }
-
- /* no proposal found */
- if (pr->head == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "no algorithms found.\n");
- return -1;
- }
-
- return 0;
-
-err:
- flushsatrns(pr->head);
- return -1;
-}
-
-struct saprop *
-aproppair2saprop(p0)
- struct prop_pair *p0;
-{
- struct prop_pair *p, *t;
- struct saprop *newpp;
- struct saproto *newpr;
- struct satrns *newtr;
- u_int8_t *spi;
-
- if (p0 == NULL)
- return NULL;
-
- /* allocate ipsec a sa proposal */
- newpp = newsaprop();
- if (newpp == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate saprop.\n");
- return NULL;
- }
- newpp->prop_no = p0->prop->p_no;
- /* lifetime & lifebyte must be updated later */
-
- for (p = p0; p; p = p->next) {
-
- /* allocate ipsec sa protocol */
- newpr = newsaproto();
- if (newpr == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate saproto.\n");
- goto err;
- }
-
- /* check spi size */
- /* XXX should be handled isakmp cookie */
- if (sizeof(newpr->spi) < p->prop->spi_size) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid spi size %d.\n", p->prop->spi_size);
- racoon_free(newpr);
- goto err;
- }
-
- /*
- * XXX SPI bits are left-filled, for use with IPComp.
- * we should be switching to variable-length spi field...
- */
- newpr->proto_id = p->prop->proto_id;
- newpr->spisize = p->prop->spi_size;
- memset(&newpr->spi, 0, sizeof(newpr->spi));
- spi = (u_int8_t *)&newpr->spi;
- spi += sizeof(newpr->spi);
- spi -= p->prop->spi_size;
- memcpy(spi, p->prop + 1, p->prop->spi_size);
- newpr->reqid_in = 0;
- newpr->reqid_out = 0;
-
- for (t = p; t; t = t->tnext) {
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "prop#=%d prot-id=%s spi-size=%d "
- "#trns=%d trns#=%d trns-id=%s\n",
- t->prop->p_no,
- s_ipsecdoi_proto(t->prop->proto_id),
- t->prop->spi_size, t->prop->num_t,
- t->trns->t_no,
- s_ipsecdoi_trns(t->prop->proto_id,
- t->trns->t_id));
-
- /* allocate ipsec sa transform */
- newtr = newsatrns();
- if (newtr == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate satrns.\n");
- racoon_free(newpr);
- goto err;
- }
-
- if (ipsecdoi_t2satrns(t->trns,
- newpp, newpr, newtr) < 0) {
- flushsaprop(newpp);
- racoon_free(newtr);
- racoon_free(newpr);
- return NULL;
- }
-
- inssatrns(newpr, newtr);
- }
-
- /*
- * If the peer does not specify encryption mode, use
- * transport mode by default. This is to conform to
- * draft-shacham-ippcp-rfc2393bis-08.txt (explicitly specifies
- * that unspecified == transport), as well as RFC2407
- * (unspecified == implementation dependent default).
- */
- if (newpr->encmode == 0)
- newpr->encmode = IPSECDOI_ATTR_ENC_MODE_TRNS;
-
- inssaproto(newpp, newpr);
- }
-
- return newpp;
-
-err:
- flushsaprop(newpp);
- return NULL;
-}
-
-void
-flushsaprop(head)
- struct saprop *head;
-{
- struct saprop *p, *save;
-
- for (p = head; p != NULL; p = save) {
- save = p->next;
- flushsaproto(p->head);
- racoon_free(p);
- }
-
- return;
-}
-
-void
-flushsaproto(head)
- struct saproto *head;
-{
- struct saproto *p, *save;
-
- for (p = head; p != NULL; p = save) {
- save = p->next;
- flushsatrns(p->head);
- vfree(p->keymat);
- vfree(p->keymat_p);
- racoon_free(p);
- }
-
- return;
-}
-
-void
-flushsatrns(head)
- struct satrns *head;
-{
- struct satrns *p, *save;
-
- for (p = head; p != NULL; p = save) {
- save = p->next;
- racoon_free(p);
- }
-
- return;
-}
-
-/*
- * print multiple proposals
- */
-void
-printsaprop(pri, pp)
- const int pri;
- const struct saprop *pp;
-{
- const struct saprop *p;
-
- if (pp == NULL) {
- plog(pri, LOCATION, NULL, "(null)");
- return;
- }
-
- for (p = pp; p; p = p->next) {
- printsaprop0(pri, p);
- }
-
- return;
-}
-
-/*
- * print one proposal.
- */
-void
-printsaprop0(pri, pp)
- int pri;
- const struct saprop *pp;
-{
- const struct saproto *p;
-
- if (pp == NULL)
- return;
-
- for (p = pp->head; p; p = p->next) {
- printsaproto(pri, p);
- }
-
- return;
-}
-
-void
-printsaproto(pri, pr)
- const int pri;
- const struct saproto *pr;
-{
- struct satrns *tr;
-
- if (pr == NULL)
- return;
-
- plog(pri, LOCATION, NULL,
- " (proto_id=%s spisize=%d spi=%08lx spi_p=%08lx "
- "encmode=%s reqid=%d:%d)\n",
- s_ipsecdoi_proto(pr->proto_id),
- (int)pr->spisize,
- (unsigned long)ntohl(pr->spi),
- (unsigned long)ntohl(pr->spi_p),
- s_ipsecdoi_attr_v(IPSECDOI_ATTR_ENC_MODE, pr->encmode),
- (int)pr->reqid_in, (int)pr->reqid_out);
-
- for (tr = pr->head; tr; tr = tr->next) {
- printsatrns(pri, pr->proto_id, tr);
- }
-
- return;
-}
-
-void
-printsatrns(pri, proto_id, tr)
- const int pri;
- const int proto_id;
- const struct satrns *tr;
-{
- if (tr == NULL)
- return;
-
- switch (proto_id) {
- case IPSECDOI_PROTO_IPSEC_AH:
- plog(pri, LOCATION, NULL,
- " (trns_id=%s authtype=%s)\n",
- s_ipsecdoi_trns(proto_id, tr->trns_id),
- s_ipsecdoi_attr_v(IPSECDOI_ATTR_AUTH, tr->authtype));
- break;
- case IPSECDOI_PROTO_IPSEC_ESP:
- plog(pri, LOCATION, NULL,
- " (trns_id=%s encklen=%d authtype=%s)\n",
- s_ipsecdoi_trns(proto_id, tr->trns_id),
- tr->encklen,
- s_ipsecdoi_attr_v(IPSECDOI_ATTR_AUTH, tr->authtype));
- break;
- case IPSECDOI_PROTO_IPCOMP:
- plog(pri, LOCATION, NULL,
- " (trns_id=%s)\n",
- s_ipsecdoi_trns(proto_id, tr->trns_id));
- break;
- default:
- plog(pri, LOCATION, NULL,
- "(unknown proto_id %d)\n", proto_id);
- }
-
- return;
-}
-
-void
-print_proppair0(pri, p, level)
- int pri;
- struct prop_pair *p;
- int level;
-{
- char spc[21];
-
- memset(spc, ' ', sizeof(spc));
- spc[sizeof(spc) - 1] = '\0';
- if (level < 20) {
- spc[level] = '\0';
- }
-
- plog(pri, LOCATION, NULL,
- "%s%p: next=%p tnext=%p\n", spc, p, p->next, p->tnext);
- if (p->next)
- print_proppair0(pri, p->next, level + 1);
- if (p->tnext)
- print_proppair0(pri, p->tnext, level + 1);
-}
-
-void
-print_proppair(pri, p)
- int pri;
- struct prop_pair *p;
-{
- print_proppair0(pri, p, 1);
-}
-
-int
-set_proposal_from_policy(iph2, sp_main, sp_sub)
- struct ph2handle *iph2;
- struct secpolicy *sp_main, *sp_sub;
-{
- struct saprop *newpp;
- struct ipsecrequest *req;
- int encmodesv = IPSECDOI_ATTR_ENC_MODE_TRNS; /* use only when complex_bundle */
-
- newpp = newsaprop();
- if (newpp == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate saprop.\n");
- goto err;
- }
- newpp->prop_no = 1;
- newpp->lifetime = iph2->sainfo->lifetime;
- newpp->lifebyte = iph2->sainfo->lifebyte;
- newpp->pfs_group = iph2->sainfo->pfs_group;
-
- if (lcconf->complex_bundle)
- goto skip1;
-
- /*
- * decide the encryption mode of this SA bundle.
- * the mode becomes tunnel mode when there is even one policy
- * of tunnel mode in the SPD. otherwise the mode becomes
- * transport mode.
- */
- for (req = sp_main->req; req; req = req->next) {
- if (req->saidx.mode == IPSEC_MODE_TUNNEL) {
- encmodesv = pfkey2ipsecdoi_mode(req->saidx.mode);
-#ifdef ENABLE_NATT
- if (iph2->ph1 && (iph2->ph1->natt_flags & NAT_DETECTED))
- encmodesv += iph2->ph1->natt_options->mode_udp_diff;
-#endif
- break;
- }
- }
-
- skip1:
- for (req = sp_main->req; req; req = req->next) {
- struct saproto *newpr;
- caddr_t paddr = NULL;
-
- /*
- * check if SA bundle ?
- * nested SAs negotiation is NOT supported.
- * me +--- SA1 ---+ peer1
- * me +--- SA2 --------------+ peer2
- */
-#ifdef __linux__
- if (req->saidx.src.ss_family && req->saidx.dst.ss_family) {
-#else
- if (req->saidx.src.ss_len && req->saidx.dst.ss_len) {
-#endif
- /* check the end of ip addresses of SA */
- if (iph2->side == INITIATOR)
- paddr = (caddr_t)&req->saidx.dst;
- else
- paddr = (caddr_t)&req->saidx.src;
- }
-
- /* allocate ipsec sa protocol */
- newpr = newsaproto();
- if (newpr == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate saproto.\n");
- goto err;
- }
-
- newpr->proto_id = ipproto2doi(req->saidx.proto);
- if (newpr->proto_id == IPSECDOI_PROTO_IPCOMP)
- newpr->spisize = 2;
- else
- newpr->spisize = 4;
- if (lcconf->complex_bundle) {
- newpr->encmode = pfkey2ipsecdoi_mode(req->saidx.mode);
-#ifdef ENABLE_NATT
- if (iph2->ph1 && (iph2->ph1->natt_flags & NAT_DETECTED))
- newpr->encmode +=
- iph2->ph1->natt_options->mode_udp_diff;
-#endif
- }
- else
- newpr->encmode = encmodesv;
-
- if (iph2->side == INITIATOR)
- newpr->reqid_out = req->saidx.reqid;
- else
- newpr->reqid_in = req->saidx.reqid;
-
- if (set_satrnsbysainfo(newpr, iph2->sainfo) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get algorithms.\n");
- racoon_free(newpr);
- goto err;
- }
-
- /* set new saproto */
- inssaprotorev(newpp, newpr);
- }
-
- /* get reqid_in from inbound policy */
- if (sp_sub) {
- struct saproto *pr;
-
- req = sp_sub->req;
- pr = newpp->head;
- while (req && pr) {
- if (iph2->side == INITIATOR)
- pr->reqid_in = req->saidx.reqid;
- else
- pr->reqid_out = req->saidx.reqid;
- pr = pr->next;
- req = req->next;
- }
- if (pr || req) {
- plog(LLV_NOTIFY, LOCATION, NULL,
- "There is a difference "
- "between the in/out bound policies in SPD.\n");
- }
- }
-
- iph2->proposal = newpp;
-
- printsaprop0(LLV_DEBUG, newpp);
-
- return 0;
-err:
- flushsaprop(newpp);
- return -1;
-}
-
-/*
- * generate a policy from peer's proposal.
- * this function unconditionally choices first proposal in SA payload
- * passed by peer.
- */
-int
-set_proposal_from_proposal(iph2)
- struct ph2handle *iph2;
-{
- struct saprop *newpp = NULL, *pp0, *pp_peer = NULL;
- struct saproto *newpr = NULL, *pr;
- struct prop_pair **pair;
- int error = -1;
- int i;
-
- /* get proposal pair */
- pair = get_proppair(iph2->sa, IPSECDOI_TYPE_PH2);
- if (pair == NULL)
- goto end;
-
- /*
- * make my proposal according as the client proposal.
- * XXX assumed there is only one proposal even if it's the SA bundle.
- */
- for (i = 0; i < MAXPROPPAIRLEN; i++) {
- if (pair[i] == NULL)
- continue;
-
- if (pp_peer != NULL)
- flushsaprop(pp_peer);
-
- pp_peer = aproppair2saprop(pair[i]);
- if (pp_peer == NULL)
- goto end;
-
- pp0 = newsaprop();
- if (pp0 == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate saprop.\n");
- goto end;
- }
- pp0->prop_no = 1;
- pp0->lifetime = iph2->sainfo->lifetime;
- pp0->lifebyte = iph2->sainfo->lifebyte;
- pp0->pfs_group = iph2->sainfo->pfs_group;
-
-#ifdef HAVE_SECCTX
- if (*pp_peer->sctx.ctx_str) {
- pp0->sctx.ctx_doi = pp_peer->sctx.ctx_doi;
- pp0->sctx.ctx_alg = pp_peer->sctx.ctx_alg;
- pp0->sctx.ctx_strlen = pp_peer->sctx.ctx_strlen;
- memcpy(pp0->sctx.ctx_str, pp_peer->sctx.ctx_str,
- pp_peer->sctx.ctx_strlen);
- }
-#endif /* HAVE_SECCTX */
-
- if (pp_peer->next != NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "pp_peer is inconsistency, ignore it.\n");
- /*FALLTHROUGH*/
- }
-
- for (pr = pp_peer->head; pr; pr = pr->next)
- {
- struct remoteconf *conf;
-
- newpr = newsaproto();
- if (newpr == NULL)
- {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate saproto.\n");
- racoon_free(pp0);
- goto end;
- }
- newpr->proto_id = pr->proto_id;
- newpr->spisize = pr->spisize;
- newpr->encmode = pr->encmode;
- newpr->spi = 0;
- newpr->spi_p = pr->spi; /* copy peer's SPI */
- newpr->reqid_in = 0;
- newpr->reqid_out = 0;
-
- conf = getrmconf(iph2->dst);
- if (conf != NULL &&
- conf->gen_policy == GENERATE_POLICY_UNIQUE){
- newpr->reqid_in = g_nextreqid ;
- newpr->reqid_out = g_nextreqid ++;
- /*
- * XXX there is a (very limited)
- * risk of reusing the same reqid
- * as another SP entry for the same peer
- */
- if(g_nextreqid >= IPSEC_MANUAL_REQID_MAX)
- g_nextreqid = 1;
- }else{
- newpr->reqid_in = 0;
- newpr->reqid_out = 0;
- }
-
- if (set_satrnsbysainfo(newpr, iph2->sainfo) < 0)
- {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get algorithms.\n");
- racoon_free(newpr);
- racoon_free(pp0);
- goto end;
- }
- inssaproto(pp0, newpr);
- }
-
- inssaprop(&newpp, pp0);
- }
-
- plog(LLV_DEBUG, LOCATION, NULL, "make a proposal from peer's:\n");
- printsaprop0(LLV_DEBUG, newpp);
-
- iph2->proposal = newpp;
-
- error = 0;
-
-end:
- if (error && newpp)
- flushsaprop(newpp);
-
- if (pp_peer)
- flushsaprop(pp_peer);
- if (pair)
- free_proppair(pair);
- return error;
-}
diff --git a/src/racoon/proposal.h b/src/racoon/proposal.h
deleted file mode 100644
index 60fc531..0000000
--- a/src/racoon/proposal.h
+++ /dev/null
@@ -1,214 +0,0 @@
-/* $NetBSD: proposal.h,v 1.6 2006/12/09 05:52:57 manu Exp $ */
-
-/* Id: proposal.h,v 1.5 2004/06/11 16:00:17 ludvigm Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _PROPOSAL_H
-#define _PROPOSAL_H
-
-#include <sys/queue.h>
-
-/*
- * A. chained list of transform, only for single proto_id
- * (this is same as set of transforms in single proposal payload)
- * B. proposal. this will point to multiple (A) items (order is important
- * here so pointer to (A) must be ordered array, or chained list).
- * this covers multiple proposal on a packet if proposal # is the same.
- * C. finally, (B) needs to be connected as chained list.
- *
- * head ---> prop[.......] ---> prop[...] ---> prop[...] ---> ...
- * | | | |
- * | | | +- proto4 <== must preserve order here
- * | | +--- proto3
- * | +----- proto2
- * +------- proto1[trans1, trans2, trans3, ...]
- *
- * incoming packets needs to be parsed to construct the same structure
- * (check "prop_pair" too).
- */
-/* SA proposal specification */
-struct saprop {
- int prop_no;
- time_t lifetime;
- int lifebyte;
- int pfs_group; /* pfs group */
- int claim; /* flag to send RESPONDER-LIFETIME. */
- /* XXX assumed DOI values are 1 or 2. */
-#ifdef HAVE_SECCTX
- struct security_ctx sctx; /* security context structure */
-#endif
- struct saproto *head;
- struct saprop *next;
-};
-
-/* SA protocol specification */
-struct saproto {
- int proto_id;
- size_t spisize; /* spi size */
- int encmode; /* encryption mode */
-
- int udp_encap; /* UDP encapsulation */
-
- /* XXX should be vchar_t * */
- /* these are network byte order */
- u_int32_t spi; /* inbound. i.e. --SA-> me */
- u_int32_t spi_p; /* outbound. i.e. me -SA-> */
-
- vchar_t *keymat; /* KEYMAT */
- vchar_t *keymat_p; /* peer's KEYMAT */
-
- int reqid_out; /* request id (outbound) */
- int reqid_in; /* request id (inbound) */
-
- int ok; /* if 1, success to set SA in kenrel */
-
- struct satrns *head; /* header of transform */
- struct saproto *next; /* next protocol */
-};
-
-/* SA algorithm specification */
-struct satrns {
- int trns_no;
- int trns_id; /* transform id */
- int encklen; /* key length of encryption algorithm */
- int authtype; /* authentication algorithm if ESP */
-
- struct satrns *next; /* next transform */
-};
-
-/*
- * prop_pair: (proposal number, transform number)
- *
- * (SA (P1 (T1 T2)) (P1' (T1' T2')) (P2 (T1" T2")))
- *
- * p[1] p[2]
- * top (P1,T1) (P2",T1")
- * | |tnext |tnext
- * | v v
- * | (P1, T2) (P2", T2")
- * v next
- * (P1', T1')
- * |tnext
- * v
- * (P1', T2')
- *
- * when we convert it to saprop in prop2saprop(), it should become like:
- *
- * (next)
- * saprop --------------------> saprop
- * | (head) | (head)
- * +-> saproto +-> saproto
- * | | (head) | (head)
- * | +-> satrns(P1 T1) +-> satrns(P2" T1")
- * | | (next) | (next)
- * | v v
- * | satrns(P1, T2) satrns(P2", T2")
- * v (next)
- * saproto
- * | (head)
- * +-> satrns(P1' T1')
- * | (next)
- * v
- * satrns(P1', T2')
- */
-struct prop_pair {
- struct isakmp_pl_p *prop;
- struct isakmp_pl_t *trns;
- struct prop_pair *next; /* next prop_pair with same proposal # */
- /* (bundle case) */
- struct prop_pair *tnext; /* next prop_pair in same proposal payload */
- /* (multiple tranform case) */
-};
-#define MAXPROPPAIRLEN 256 /* It's enough because field size is 1 octet. */
-
-/*
- * Lifetime length selection refered to the section 4.5.4 of RFC2407. It does
- * not completely conform to the description of RFC. There are four types of
- * the behavior. If the value of "proposal_check" in "remote" directive is;
- * "obey"
- * the responder obey the initiator anytime.
- * "strict"
- * If the responder's length is longer than the initiator's one, the
- * responder uses the intitiator's one. Otherwise rejects the proposal.
- * If PFS is not required by the responder, the responder obeys the
- * proposal. If PFS is required by both sides and if the responder's
- * group is not equal to the initiator's one, then the responder reject
- * the proposal.
- * "claim"
- * If the responder's length is longer than the initiator's one, the
- * responder use the intitiator's one. If the responder's length is
- * shorter than the initiator's one, the responder uses own length
- * AND send RESPONDER-LIFETIME notify message to a initiator in the
- * case of lifetime.
- * About PFS, this directive is same as "strict".
- * "exact"
- * If the initiator's length is not equal to the responder's one, the
- * responder rejects the proposal.
- * If PFS is required and if the responder's group is not equal to
- * the initiator's one, then the responder reject the proposal.
- * XXX should be defined the behavior of key length.
- */
-#define PROP_CHECK_OBEY 1
-#define PROP_CHECK_STRICT 2
-#define PROP_CHECK_CLAIM 3
-#define PROP_CHECK_EXACT 4
-
-struct sainfo;
-struct ph1handle;
-struct secpolicy;
-extern struct saprop *newsaprop __P((void));
-extern struct saproto *newsaproto __P((void));
-extern void inssaprop __P((struct saprop **, struct saprop *));
-extern void inssaproto __P((struct saprop *, struct saproto *));
-extern void inssaprotorev __P((struct saprop *, struct saproto *));
-extern struct satrns *newsatrns __P((void));
-extern void inssatrns __P((struct saproto *, struct satrns *));
-extern struct saprop *cmpsaprop_alloc __P((struct ph1handle *,
- const struct saprop *, const struct saprop *, int));
-extern int cmpsaprop __P((const struct saprop *, const struct saprop *));
-extern int cmpsatrns __P((int, const struct satrns *, const struct satrns *, int));
-extern int set_satrnsbysainfo __P((struct saproto *, struct sainfo *));
-extern struct saprop *aproppair2saprop __P((struct prop_pair *));
-extern void free_proppair __P((struct prop_pair **));
-extern void flushsaprop __P((struct saprop *));
-extern void flushsaproto __P((struct saproto *));
-extern void flushsatrns __P((struct satrns *));
-extern void printsaprop __P((const int, const struct saprop *));
-extern void printsaprop0 __P((const int, const struct saprop *));
-extern void printsaproto __P((const int, const struct saproto *));
-extern void printsatrns __P((const int, const int, const struct satrns *));
-extern void print_proppair0 __P((int, struct prop_pair *, int));
-extern void print_proppair __P((int, struct prop_pair *));
-extern int set_proposal_from_policy __P((struct ph2handle *,
- struct secpolicy *, struct secpolicy *));
-extern int set_proposal_from_proposal __P((struct ph2handle *));
-
-#endif /* _PROPOSAL_H */
diff --git a/src/racoon/prsa_par.h b/src/racoon/prsa_par.h
deleted file mode 100644
index 3bdb11d..0000000
--- a/src/racoon/prsa_par.h
+++ /dev/null
@@ -1,110 +0,0 @@
-/* A Bison parser, made by GNU Bison 2.3. */
-
-/* Skeleton interface for Bison's Yacc-like parsers in C
-
- Copyright (C) 1984, 1989, 1990, 2000, 2001, 2002, 2003, 2004, 2005, 2006
- Free Software Foundation, Inc.
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2, or (at your option)
- any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 51 Franklin Street, Fifth Floor,
- Boston, MA 02110-1301, USA. */
-
-/* As a special exception, you may create a larger work that contains
- part or all of the Bison parser skeleton and distribute that work
- under terms of your choice, so long as that work isn't itself a
- parser generator using the skeleton or a modified version thereof
- as a parser skeleton. Alternatively, if you modify or redistribute
- the parser skeleton itself, you may (at your option) remove this
- special exception, which will cause the skeleton and the resulting
- Bison output files to be licensed under the GNU General Public
- License without this special exception.
-
- This special exception was added by the Free Software Foundation in
- version 2.2 of Bison. */
-
-/* Tokens. */
-#ifndef YYTOKENTYPE
-# define YYTOKENTYPE
- /* Put the tokens into the symbol table, so that GDB and other debuggers
- know about them. */
- enum yytokentype {
- COLON = 258,
- HEX = 259,
- OBRACE = 260,
- EBRACE = 261,
- TAG_RSA = 262,
- TAG_PUB = 263,
- TAG_PSK = 264,
- MODULUS = 265,
- PUBLIC_EXPONENT = 266,
- PRIVATE_EXPONENT = 267,
- PRIME1 = 268,
- PRIME2 = 269,
- EXPONENT1 = 270,
- EXPONENT2 = 271,
- COEFFICIENT = 272,
- ADDR4 = 273,
- ADDR6 = 274,
- ADDRANY = 275,
- SLASH = 276,
- NUMBER = 277,
- BASE64 = 278
- };
-#endif
-/* Tokens. */
-#define COLON 258
-#define HEX 259
-#define OBRACE 260
-#define EBRACE 261
-#define TAG_RSA 262
-#define TAG_PUB 263
-#define TAG_PSK 264
-#define MODULUS 265
-#define PUBLIC_EXPONENT 266
-#define PRIVATE_EXPONENT 267
-#define PRIME1 268
-#define PRIME2 269
-#define EXPONENT1 270
-#define EXPONENT2 271
-#define COEFFICIENT 272
-#define ADDR4 273
-#define ADDR6 274
-#define ADDRANY 275
-#define SLASH 276
-#define NUMBER 277
-#define BASE64 278
-
-
-
-
-#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
-typedef union YYSTYPE
-#line 130 "prsa_par.y"
-{
- BIGNUM *bn;
- RSA *rsa;
- char *chr;
- long num;
- struct netaddr *naddr;
-}
-/* Line 1489 of yacc.c. */
-#line 103 "prsa_par.h"
- YYSTYPE;
-# define yystype YYSTYPE /* obsolescent; will be withdrawn */
-# define YYSTYPE_IS_DECLARED 1
-# define YYSTYPE_IS_TRIVIAL 1
-#endif
-
-extern YYSTYPE prsalval;
-
diff --git a/src/racoon/prsa_par.y b/src/racoon/prsa_par.y
deleted file mode 100644
index f21a82b..0000000
--- a/src/racoon/prsa_par.y
+++ /dev/null
@@ -1,350 +0,0 @@
-/* $NetBSD: prsa_par.y,v 1.4 2006/09/09 16:22:10 manu Exp $ */
-
-/* Id: prsa_par.y,v 1.3 2004/11/08 12:04:23 ludvigm Exp */
-
-%{
-/*
- * Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
- * Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* This file contains a parser for FreeS/WAN-style ipsec.secrets RSA keys. */
-
-#include "config.h"
-
-#include <stdio.h>
-#include <stdarg.h>
-#include <string.h>
-#include <errno.h>
-#include <unistd.h>
-
-#ifdef HAVE_STDARG_H
-#include <stdarg.h>
-#else
-#include <varargs.h>
-#endif
-
-#include <netdb.h>
-#include <netinet/in.h>
-#include <sys/socket.h>
-#include <arpa/inet.h>
-#include <sys/types.h>
-
-#include <sys/stat.h>
-#include <unistd.h>
-
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "oakley.h"
-#include "isakmp_var.h"
-#include "handler.h"
-#include "crypto_openssl.h"
-#include "sockmisc.h"
-#include "rsalist.h"
-
-extern void prsaerror(const char *str, ...);
-extern int prsawrap (void);
-extern int prsalex (void);
-
-extern char *prsatext;
-extern int prsa_cur_lineno;
-extern char *prsa_cur_fname;
-extern FILE *prsain;
-
-int prsa_cur_lineno = 0;
-char *prsa_cur_fname = NULL;
-struct genlist *prsa_cur_list = NULL;
-enum rsa_key_type prsa_cur_type = RSA_TYPE_ANY;
-
-static RSA *rsa_cur;
-
-void
-prsaerror(const char *s, ...)
-{
- char fmt[512];
-
- va_list ap;
-#ifdef HAVE_STDARG_H
- va_start(ap, s);
-#else
- va_start(ap);
-#endif
- snprintf(fmt, sizeof(fmt), "%s:%d: %s",
- prsa_cur_fname, prsa_cur_lineno, s);
- plogv(LLV_ERROR, LOCATION, NULL, fmt, ap);
- va_end(ap);
-}
-
-void
-prsawarning(const char *s, ...)
-{
- char fmt[512];
-
- va_list ap;
-#ifdef HAVE_STDARG_H
- va_start(ap, s);
-#else
- va_start(ap);
-#endif
- snprintf(fmt, sizeof(fmt), "%s:%d: %s",
- prsa_cur_fname, prsa_cur_lineno, s);
- plogv(LLV_WARNING, LOCATION, NULL, fmt, ap);
- va_end(ap);
-}
-
-int
-prsawrap()
-{
- return 1;
-}
-%}
-%union {
- BIGNUM *bn;
- RSA *rsa;
- char *chr;
- long num;
- struct netaddr *naddr;
-}
-
-%token COLON HEX
-%token OBRACE EBRACE COLON HEX
-%token TAG_RSA TAG_PUB TAG_PSK
-%token MODULUS PUBLIC_EXPONENT PRIVATE_EXPONENT
-%token PRIME1 PRIME2 EXPONENT1 EXPONENT2 COEFFICIENT
-%token ADDR4 ADDR6 ADDRANY SLASH NUMBER BASE64
-
-%type <bn> HEX
-%type <num> NUMBER
-%type <chr> ADDR4 ADDR6 BASE64
-
-%type <rsa> rsa_statement
-%type <num> prefix
-%type <naddr> addr4 addr6 addr
-
-%%
-statements:
- statements statement
- | statement
- ;
-
-statement:
- addr addr COLON rsa_statement
- {
- rsa_key_insert(prsa_cur_list, $1, $2, $4);
- }
- | addr COLON rsa_statement
- {
- rsa_key_insert(prsa_cur_list, NULL, $1, $3);
- }
- | COLON rsa_statement
- {
- rsa_key_insert(prsa_cur_list, NULL, NULL, $2);
- }
- ;
-
-rsa_statement:
- TAG_RSA OBRACE params EBRACE
- {
- if (prsa_cur_type == RSA_TYPE_PUBLIC) {
- prsawarning("Using private key for public key purpose.\n");
- if (!rsa_cur->n || !rsa_cur->e) {
- prsaerror("Incomplete key. Mandatory parameters are missing!\n");
- YYABORT;
- }
- }
- else {
- if (!rsa_cur->n || !rsa_cur->e || !rsa_cur->d) {
- prsaerror("Incomplete key. Mandatory parameters are missing!\n");
- YYABORT;
- }
- if (!rsa_cur->p || !rsa_cur->q || !rsa_cur->dmp1
- || !rsa_cur->dmq1 || !rsa_cur->iqmp) {
- if (rsa_cur->p) BN_clear_free(rsa_cur->p);
- if (rsa_cur->q) BN_clear_free(rsa_cur->q);
- if (rsa_cur->dmp1) BN_clear_free(rsa_cur->dmp1);
- if (rsa_cur->dmq1) BN_clear_free(rsa_cur->dmq1);
- if (rsa_cur->iqmp) BN_clear_free(rsa_cur->iqmp);
-
- rsa_cur->p = NULL;
- rsa_cur->q = NULL;
- rsa_cur->dmp1 = NULL;
- rsa_cur->dmq1 = NULL;
- rsa_cur->iqmp = NULL;
- }
- }
- $$ = rsa_cur;
- rsa_cur = RSA_new();
- }
- | TAG_PUB BASE64
- {
- if (prsa_cur_type == RSA_TYPE_PRIVATE) {
- prsaerror("Public key in private-key file!\n");
- YYABORT;
- }
- $$ = base64_pubkey2rsa($2);
- }
- | TAG_PUB HEX
- {
- if (prsa_cur_type == RSA_TYPE_PRIVATE) {
- prsaerror("Public key in private-key file!\n");
- YYABORT;
- }
- $$ = bignum_pubkey2rsa($2);
- }
- ;
-
-addr:
- addr4
- | addr6
- | ADDRANY
- {
- $$ = NULL;
- }
- ;
-
-addr4:
- ADDR4 prefix
- {
- int err;
- struct sockaddr_in *sap;
-
- if ($2 == -1) $2 = 32;
- if ($2 < 0 || $2 > 32) {
- prsaerror ("Invalid IPv4 prefix\n");
- YYABORT;
- }
- $$ = calloc (sizeof(struct netaddr), 1);
- $$->prefix = $2;
- sap = (struct sockaddr_in *)(&$$->sa);
- sap->sin_family = AF_INET;
- err = inet_pton(AF_INET, $1, (struct in_addr*)(&sap->sin_addr));
- if (err <= 0) {
- prsaerror("inet_pton(%s): %s\n", $1, strerror(errno));
- YYABORT;
- }
- }
- ;
-
-addr6:
- ADDR6 prefix
- {
- int err;
- struct sockaddr_in6 *sap;
-
- if ($2 == -1) $2 = 128;
- if ($2 < 0 || $2 > 128) {
- prsaerror ("Invalid IPv6 prefix\n");
- YYABORT;
- }
- $$ = calloc (sizeof(struct netaddr), 1);
- $$->prefix = $2;
- sap = (struct sockaddr_in6 *)(&$$->sa);
- sap->sin6_family = AF_INET6;
- err = inet_pton(AF_INET6, $1, (struct in6_addr*)(&sap->sin6_addr));
- if (err <= 0) {
- prsaerror("inet_pton(%s): %s\n", $1, strerror(errno));
- YYABORT;
- }
- }
- ;
-
-prefix:
- /* nothing */ { $$ = -1; }
- | SLASH NUMBER { $$ = $2; }
- ;
-params:
- params param
- | param
- ;
-
-param:
- MODULUS COLON HEX
- { if (!rsa_cur->n) rsa_cur->n = $3; else { prsaerror ("Modulus already defined\n"); YYABORT; } }
- | PUBLIC_EXPONENT COLON HEX
- { if (!rsa_cur->e) rsa_cur->e = $3; else { prsaerror ("PublicExponent already defined\n"); YYABORT; } }
- | PRIVATE_EXPONENT COLON HEX
- { if (!rsa_cur->d) rsa_cur->d = $3; else { prsaerror ("PrivateExponent already defined\n"); YYABORT; } }
- | PRIME1 COLON HEX
- { if (!rsa_cur->p) rsa_cur->p = $3; else { prsaerror ("Prime1 already defined\n"); YYABORT; } }
- | PRIME2 COLON HEX
- { if (!rsa_cur->q) rsa_cur->q = $3; else { prsaerror ("Prime2 already defined\n"); YYABORT; } }
- | EXPONENT1 COLON HEX
- { if (!rsa_cur->dmp1) rsa_cur->dmp1 = $3; else { prsaerror ("Exponent1 already defined\n"); YYABORT; } }
- | EXPONENT2 COLON HEX
- { if (!rsa_cur->dmq1) rsa_cur->dmq1 = $3; else { prsaerror ("Exponent2 already defined\n"); YYABORT; } }
- | COEFFICIENT COLON HEX
- { if (!rsa_cur->iqmp) rsa_cur->iqmp = $3; else { prsaerror ("Coefficient already defined\n"); YYABORT; } }
- ;
-%%
-
-int prsaparse(void);
-
-int
-prsa_parse_file(struct genlist *list, char *fname, enum rsa_key_type type)
-{
- FILE *fp = NULL;
- int ret;
-
- if (!fname)
- return -1;
- if (type == RSA_TYPE_PRIVATE) {
- struct stat st;
- if (stat(fname, &st) < 0)
- return -1;
- if (st.st_mode & (S_IRWXG | S_IRWXO)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Too slack permissions on private key '%s'\n",
- fname);
- plog(LLV_ERROR, LOCATION, NULL,
- "Should be at most 0600, now is 0%o\n",
- st.st_mode & 0777);
- return -1;
- }
- }
- fp = fopen(fname, "r");
- if (!fp)
- return -1;
- prsain = fp;
- prsa_cur_lineno = 1;
- prsa_cur_fname = fname;
- prsa_cur_list = list;
- prsa_cur_type = type;
- rsa_cur = RSA_new();
- ret = prsaparse();
- if (rsa_cur) {
- RSA_free(rsa_cur);
- rsa_cur = NULL;
- }
- fclose (fp);
- prsain = NULL;
- return ret;
-}
diff --git a/src/racoon/prsa_tok.l b/src/racoon/prsa_tok.l
deleted file mode 100644
index 83e3d14..0000000
--- a/src/racoon/prsa_tok.l
+++ /dev/null
@@ -1,89 +0,0 @@
-/* $NetBSD: prsa_tok.l,v 1.4 2006/09/09 16:22:10 manu Exp $ */
-
-/* Id: prsa_tok.l,v 1.2 2004/07/12 20:43:51 ludvigm Exp */
-
-%{
-/*
- * Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
- * Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* This file contains a tokeniser for FreeS/WAN-style ipsec.secrets RSA keys. */
-
-#include <string.h>
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-#include "prsa_par.h"
-
-extern int prsalex (void);
-extern int prsa_cur_lineno;
-
-%}
-
-comment \#.*
-digit [0-9]
-octet (([01]?{digit}?{digit})|((2([0-4]{digit}))|(25[0-5])))
-addr4 {octet}\.{octet}\.{octet}\.{octet}
-hex [0-9a-fA-F]
-word6 {hex}{0,4}
-base64 [A-Za-z0-9+/=]
-addr6 (::({word6}|{addr4})?|({word6}:)+:?({word6}|{addr4})?)
-%%
-\{ { return OBRACE; }
-\} { return EBRACE; }
-: { return COLON; }
-RSA { return TAG_RSA; }
-PSK { return TAG_PSK; }
-PUB { return TAG_PUB; }
-0x[0-9a-fA-F]+ {
- BIGNUM *bn = BN_new();
- BN_hex2bn(&bn, prsatext+2);
- prsalval.bn = bn;
- return HEX;
- }
-0s{base64}+ {
- prsalval.chr = strdup(prsatext);
- return BASE64;
- }
-Modulus { return MODULUS; }
-PublicExponent { return PUBLIC_EXPONENT; }
-PrivateExponent { return PRIVATE_EXPONENT; }
-Prime1 { return PRIME1; }
-Prime2 { return PRIME2; }
-Exponent1 { return EXPONENT1; }
-Exponent2 { return EXPONENT2; }
-Coefficient { return COEFFICIENT; }
-\/ { return SLASH; }
-{digit}+ { prsalval.num = atol(prsatext); return NUMBER; }
-any { return ADDRANY; }
-{addr4} { prsalval.chr = strdup(prsatext); return ADDR4; }
-{addr6} { prsalval.chr = strdup(prsatext); return ADDR6; }
-[ \t]* ;
-\n { prsa_cur_lineno++; }
-\#.* ;
-%%
diff --git a/src/racoon/racoon.8 b/src/racoon/racoon.8
deleted file mode 100644
index a6d39d7..0000000
--- a/src/racoon/racoon.8
+++ /dev/null
@@ -1,155 +0,0 @@
-.\" $NetBSD: racoon.8,v 1.10 2006/09/09 16:22:10 manu Exp $
-.\"
-.\" Id: racoon.8,v 1.4 2005/04/18 11:07:55 manubsd Exp
-.\"
-.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\" 3. Neither the name of the project nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.Dd November 20, 2000
-.Dt RACOON 8
-.Os
-.\"
-.Sh NAME
-.Nm racoon
-.Nd IKE (ISAKMP/Oakley) key management daemon
-.\"
-.Sh SYNOPSIS
-.Nm racoon
-.Bk -words
-.Op Fl 46BdFLv
-.Ek
-.Bk -words
-.Op Fl f Ar configfile
-.Ek
-.Bk -words
-.Op Fl l Ar logfile
-.Ek
-.Bk -words
-.Op Fl P Ar isakmp-natt-port
-.Ek
-.Bk -words
-.Op Fl p Ar isakmp-port
-.Ek
-.\"
-.Sh DESCRIPTION
-.Nm
-speaks the IKE
-.Pq ISAKMP/Oakley
-key management protocol,
-to establish security associations with other hosts.
-The SPD
-.Pq Security Policy Database
-in the kernel usually triggers
-.Nm .
-.Nm
-usually sends all informational messages, warnings and error messages to
-.Xr syslogd 8
-with the facility
-.Dv LOG_DAEMON
-and the priority
-.Dv LOG_INFO .
-Debugging messages are sent with the priority
-.Dv LOG_DEBUG .
-You should configure
-.Xr syslog.conf 5
-appropriately to see these messages.
-.Bl -tag -width Ds
-.It Fl 4
-.It Fl 6
-Specify the default address family for the sockets.
-.It Fl B
-Install SA(s) from the file which is specified in
-.Xr racoon.conf 5 .
-.It Fl d
-Increase the debug level.
-Multiple
-.Fl d
-arguments will increase the debug level even more.
-.It Fl F
-Run
-.Nm
-in the foreground.
-.It Fl f Ar configfile
-Use
-.Ar configfile
-as the configuration file instead of the default.
-.It Fl L
-Include
-.Ar file_name:line_number:function_name
-in all messages.
-.It Fl l Ar logfile
-Use
-.Ar logfile
-as the logging file instead of
-.Xr syslogd 8 .
-.It Fl P Ar isakmp-natt-port
-Use
-.Ar isakmp-natt-port
-for NAT-Traversal port-floating.
-The default is 4500.
-.It Fl p Ar isakmp-port
-Listen to the ISAKMP key exchange on port
-.Ar isakmp-port
-instead of the default port number, 500.
-.It Fl v
-This flag causes the packet dump be more verbose, with higher
-debugging level.
-.El
-.Pp
-.Nm
-assumes the presence of the kernel random number device
-.Xr rnd 4
-at
-.Pa /dev/urandom .
-.\"
-.Sh RETURN VALUES
-The command exits with 0 on success, and non-zero on errors.
-.\"
-.Sh FILES
-.Bl -tag -width /etc/racoon.conf -compact
-.It Pa /etc/racoon.conf
-default configuration file.
-.El
-.\"
-.Sh SEE ALSO
-.Xr ipsec 4 ,
-.Xr racoon.conf 5 ,
-.Xr syslog.conf 5 ,
-.Xr setkey 8 ,
-.Xr syslogd 8
-.\"
-.Sh HISTORY
-The
-.Nm
-command first appeared in the
-.Dq YIPS
-Yokogawa IPsec implementation.
-.\"
-.Sh SECURITY CONSIDERATIONS
-The use of IKE phase 1 aggressive mode is not recommended,
-as described in
-.Pa http://www.kb.cert.org/vuls/id/886601 .
diff --git a/src/racoon/racoon.conf.5 b/src/racoon/racoon.conf.5
deleted file mode 100644
index 9ddee80..0000000
--- a/src/racoon/racoon.conf.5
+++ /dev/null
@@ -1,1420 +0,0 @@
-.\" $NetBSD: racoon.conf.5,v 1.34.4.3 2007/09/03 18:07:29 mgrooms Exp $
-.\"
-.\" Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
-.\"
-.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\" 3. Neither the name of the project nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.Dd September 19, 2006
-.Dt RACOON.CONF 5
-.Os
-.\"
-.Sh NAME
-.Nm racoon.conf
-.Nd configuration file for racoon
-.\"
-.\" .Sh SYNOPSIS
-.\"
-.Sh DESCRIPTION
-.Nm
-is the configuration file for the
-.Xr racoon 8
-ISAKMP daemon.
-.Xr racoon 8
-negotiates security associations for itself (ISAKMP SA, or phase 1 SA)
-and for kernel IPsec (IPsec SA, or phase 2 SA).
-The file consists of a sequence of directives and statements.
-Each directive is composed by a tag and statements, enclosed by
-.Ql {
-and
-.Ql } .
-Lines beginning with
-.Ql #
-are comments.
-.\"
-.Ss Meta Syntax
-Keywords and special characters that the parser expects exactly are
-displayed using
-.Ic this
-font.
-Parameters are specified with
-.Ar this
-font.
-Square brackets
-.Po
-.Ql \&[
-and
-.Ql \&]
-.Pc
-are used to show optional keywords and parameters.
-Note that
-you have to pay attention when this manual is describing
-.Ar port
-numbers.
-The
-.Ar port
-number is always enclosed by
-.Ql \&[
-and
-.Ql \&] .
-In this case, the port number is not an optional keyword.
-If it is possible to omit the
-.Ar port
-number,
-the expression becomes
-.Bq Bq Ar port .
-The vertical bar
-.Pq Ql \&|
-is used to indicate
-a choice between optional parameters.
-Parentheses
-.Po
-.Ql \&(
-and
-.Ql \&)
-.Pc
-are used to group keywords and parameters when necessary.
-Major parameters are listed below.
-.Pp
-.Bl -tag -width addressx -compact
-.It Ar number
-means a hexadecimal or a decimal number.
-The former must be prefixed with
-.Ql Li 0x .
-.It Ar string
-.It Ar path
-.It Ar file
-means any string enclosed in
-.Ql \&"
-.Pq double quotes .
-.It Ar address
-means IPv6 and/or IPv4 address.
-.It Ar port
-means a TCP/UDP port number.
-The port number is always enclosed by
-.Ql \&[
-and
-.Ql \&] .
-.It Ar timeunit
-is one of following:
-.Ic sec , secs , second , seconds ,
-.Ic min , mins , minute , minutes ,
-.Ic hour , hours .
-.El
-.\"
-.Ss Privilege separation
-.Bl -tag -width Ds -compact
-.It Ic privsep { Ar statements Ic }
-Specifies privilege separation parameters.
-When enabled, these enable
-.Xr racoon 8
-to operate with an unprivileged instance doing most of the work, while
-a privileged instance takes care of performing the following operations
-as root: reading PSK and private keys, launching hook scripts, and
-validating passwords against system databases or against PAM.
-Please note that using privilege separation makes changes to the
-.Ar listen
-and
-.Ar paths
-sections ignored upon configuration reloads.
-A
-.Xr racoon 8
-restart is required if you want such changes to be taken into account.
-.Pp
-.Bl -tag -width Ds -compact
-.It Ic user Ar user ;
-The user to which the unprivileged instance of
-.Xr racoon 8 ,
-should switch.
-This can be a quoted user name or a numeric UID.
-.It Ic group Ar group ;
-The group the unprivilegied instance of
-.Xr racoon 8 ,
-should switch.
-This can be a quoted group name or a numeric GID.
-.It Ic chroot Ar path ;
-A directory to which the unprivileged instance of
-.Xr racoon 8
-should
-.Xr chroot 2 .
-This directory should hold a tree where the following files must be
-reachable:
-.Bl -tag -width Ds -compact
-.It Pa /dev/random
-.It Pa /dev/urandom
-.It The certificates
-.It The file containing the Xauth banner
-.El
-.Pp
-The PSK file, the private keys, and the hook scripts are accessed through the
-privileged instance of
-.Xr racoon 8
-and do not need to be reachable in the
-.Xr chroot 2 Ap ed
-tree.
-.El
-.El
-.Ss Path Specification
-This section specifies various paths used by racoon.
-When running in privilege separation mode,
-.Ic certificate
-and
-.Ic script
-paths are mandatory. A
-.Xr racoon 8
-restart is required if you want path changes to be taken into account.
-.Bl -tag -width Ds -compact
-.It Ic path include Ar path ;
-Specifies a path to include a file.
-See
-.Sx File Inclusion .
-.It Ic path pre_shared_key Ar file ;
-Specifies a file containing pre-shared key(s) for various ID(s).
-See
-.Sx Pre-shared key File .
-.It Ic path certificate Ar path ;
-.Xr racoon 8
-will search this directory if a certificate or certificate request is received.
-If you run with privilege separation,
-.Xr racoon 8
-will refuse to use a certificate stored outside of this directory.
-.It Ic path backupsa Ar file ;
-Specifies a file to which SA information negotiated by
-racoon should be stored.
-.Xr racoon 8
-will install SA(s) from the file when started with the
-.Fl B
-flag.
-The file is growing because
-.Xr racoon 8
-simply adds SAs to it.
-You should maintain the file manually.
-.It Ic path script Ar path ;
-.Xr racoon 8
-will search this directory for scripts hooks.
-If you run with privilege separation,
-.Xr racoon 8
-will refuse to execute a script stored outside of this directory.
-.It Ic path pidfile Ar file ;
-Specifies file where to store PID of process.
-If path starts with
-.Pa /
-it is treated as an absolute path. Otherwise, it is treated as a relative
-path to the VARRUN directory specified at compilation time.
-Default is
-.Pa racoon.pid .
-.El
-.\"
-.Ss File Inclusion
-.Bl -tag -width Ds -compact
-.It Ic include Ar file
-Specifies other configuration files to be included.
-.El
-.\"
-.Ss Identifier Specification
-is obsolete.
-It must be defined at each
-.Ic remote
-directive.
-.\"
-.Ss Timer Specification
-.Bl -tag -width Ds -compact
-.It Ic timer { Ar statements Ic }
-This section specifies various timer values used by racoon.
-.Pp
-.Bl -tag -width Ds -compact
-.It Ic counter Ar number ;
-The maximum number of retries to send.
-The default is 5.
-.It Ic interval Ar number Ar timeunit ;
-The interval to resend, in seconds.
-The default time is 10 seconds.
-.It Ic persend Ar number ;
-The number of packets per send.
-The default is 1.
-.It Ic phase1 Ar number Ar timeunit ;
-The maximum time it should take to complete phase 1.
-The default time is 15 seconds.
-.It Ic phase2 Ar number Ar timeunit ;
-The maximum time it should take to complete phase 2.
-The default time is 10 seconds.
-.It Ic natt_keepalive Ar number Ar timeunit ;
-The interval between sending NAT-Traversal keep-alive packets.
-The default time is 20 seconds.
-Set to 0s to disable keep-alive packets.
-.El
-.El
-.\"
-.Ss Listening Port Specification
-.Bl -tag -width Ds -compact
-.It Ic listen { Ar statements Ic }
-If no
-.Ar listen
-directive is specified,
-.Xr racoon 8
-will listen on all available interface addresses.
-The following is the list of valid statements:
-.Pp
-.Bl -tag -width Ds -compact
-.\" How do I express bold brackets; `[' and `]' .
-.\" Answer: For bold brackets, do "Ic \&[ foo \&]".
-.\" Is the "Bq Ic [ Ar port ] ;" buggy ?
-.It Ic isakmp Ar address Bq Bq Ar port ;
-If this is specified,
-.Xr racoon 8
-will only listen on the defined
-.Ar address .
-The default port is 500, which is specified by IANA.
-You can provide more than one address definition.
-.It Ic isakmp_natt Ar address Bq Ar port ;
-Same as
-.Ic isakmp
-but also sets the socket options to accept UDP-encapsulated ESP traffic for
-NAT-Traversal.
-If you plan to use NAT-T, you should provide at least one address
-with port 4500, which is specified by IANA.
-There is no default.
-.It Ic strict_address ;
-Requires that all addresses for ISAKMP be bound.
-This statement will be ignored if you do not specify address definitions.
-.El
-When running in privilege separation mode, you need to restart
-.Xr racoon 8
-to have changes to the
-.Ar listen
-section taken into account.
-.Pp
-The
-.Ar listen
-section can also be used to specify the admin socket mode and ownership
-if racoon was built with support for admin port.
-.Bl -tag -width Ds -compact
-.It Ic adminsock Ar path Op Ar owner\ group\ mode ;
-The
-.Ar path ,
-.Ar owner ,
-and
-.Ar group
-values specify the socket path, owner, and group. They must be quoted.
-The defaults are
-.Pa /var/racoon/racoon.sock ,
-UID 0, and GID 0.
-.Ar mode
-is the access mode in octal. The default is 0600.
-.It Ic adminsock disabled ;
-This directive tells racoon to not listen on the admin socket.
-.El
-.El
-.\"
-.Ss Miscellaneous Global Parameters
-.Bl -tag -width Ds -compact
-.It Ic gss_id_enc Ar enctype ;
-Older versions of
-.Xr racoon 8
-used ISO-Latin-1 as the encoding of the GSS-API identifier attribute.
-For interoperability with Microsoft Windows' GSS-API authentication
-scheme, the default encoding has been changed to UTF-16LE.
-The
-.Ic gss_id_enc
-parameter allows
-.Xr racoon 8
-to be configured to use the old encoding for compatibility with existing
-.Xr racoon 8
-installations.
-The following are valid values for
-.Ar enctype :
-.Pp
-.Bl -tag -width Ds -compact
-.It Ic utf-16le
-Use UTF-16LE to encode the GSS-API identifier attribute.
-This is the default encoding.
-This encoding is compatible with Microsoft Windows.
-.It Ic latin1
-Use ISO-Latin-1 to encode the GSS-API identifier attribute.
-This is the encoding used by older versions of
-.Xr racoon 8 .
-.El
-.El
-.\"
-.Ss Remote Nodes Specifications
-.Bl -tag -width Ds -compact
-.It Xo
-.Ic remote ( Ar address | Ic anonymous )
-.Bq Bq Ar port
-.Bq Ic inherit Ar parent
-.Ic { Ar statements Ic }
-.Xc
-Specifies the IKE phase 1 parameters for each remote node.
-The default port is 500.
-If
-.Ic anonymous
-is specified, the statements will apply to any peer that does not match a
-more specific
-.Ic remote
-directive.
-.Pp
-Sections with
-.Ic inherit Ar parent
-statements (where
-.Ar parent
-is either
-.Ar address
-or a keyword
-.Ic anonymous )
-that have all values predefined to those of a given
-.Ar parent .
-In these sections it is enough to redefine only the changed parameters.
-.Pp
-The following are valid statements.
-.Pp
-.Bl -tag -width Ds -compact
-.\"
-.It Ic exchange_mode ( main | aggressive | base ) ;
-Defines the exchange mode for phase 1 when racoon is the initiator.
-It also means the acceptable exchange mode when racoon is the responder.
-More than one mode can be specified by separating them with a comma.
-All of the modes are acceptable.
-The first exchange mode is what racoon uses when it is the initiator.
-.\"
-.It Ic doi Ic ipsec_doi ;
-Means to use IPsec DOI as specified in RFC 2407.
-You can omit this statement.
-.\"
-.It Ic situation Ic identity_only ;
-Means to use SIT_IDENTITY_ONLY as specified in RFC 2407.
-You can omit this statement.
-.\"
-.It Ic identifier Ar idtype ;
-This statment is obsolete. Instead, use
-.Ic my_identifier .
-.\"
-.It Xo
-.Ic my_identifier Bq Ar qualifier
-.Ar idtype ... ;
-.Xc
-Specifies the identifier sent to the remote host
-and the type to use in the phase 1 negotiation.
-.Ic address, fqdn , user_fqdn , keyid ,
-and
-.Ic asn1dn
-can be used as an
-.Ar idtype .
-The
-.Ar qualifier
-is currently only used for
-.Ic keyid ,
-and can be either
-.Ic file
-or
-.Ic tag .
-The possible values are :
-.Bl -tag -width Ds -compact
-.It Ic my_identifier Ic address Bq Ar address ;
-The type is the IP address.
-This is the default type if you do not specify an identifier to use.
-.It Ic my_identifier Ic user_fqdn Ar string ;
-The type is a USER_FQDN (user fully-qualified domain name).
-.It Ic my_identifier Ic fqdn Ar string ;
-The type is a FQDN (fully-qualified domain name).
-.It Xo
-.Ic my_identifier Ic keyid Bq Ic file
-.Ar file ;
-.Xc
-The type is a KEY_ID, read from the file.
-.It Ic my_identifier Ic keyid Ic tag Ar string ;
-The type is a KEY_ID, specified in the quoted string.
-.It Ic my_identifier Ic asn1dn Bq Ar string ;
-The type is an ASN.1 distinguished name.
-If
-.Ar string
-is omitted,
-.Xr racoon 8
-will get the DN from the Subject field in the certificate.
-.El
-.\"
-.It Ic xauth_login Bq Ar string ;
-Specifies the login to use in client-side Hybrid authentication.
-It is available only if
-.Xr racoon 8
-has been built with this option.
-The associated password is looked up in the pre-shared key files,
-using the login
-.Ic string
-as the key id.
-.\"
-.It Ic peers_identifier Ar idtype ... ;
-Specifies the peer's identifier to be received.
-If it is not defined then
-.Xr racoon 8
-will not verify the peer's identifier in ID payload transmitted from the peer.
-If it is defined, the behavior of the verification depends on the flag of
-.Ic verify_identifier .
-The usage of
-.Ar idtype
-is the same as
-.Ic my_identifier
-except that the individual component values of an
-.Ic asn1dn
-identifier may specified as
-.Ic *
-to match any value (e.g. "C=XX, O=MyOrg, OU=*, CN=Mine").
-Alternative acceptable peer identifiers may be specified by repeating the
-.Ic peers_identifier
-statement.
-.\"
-.It Ic verify_identifier (on | off) ;
-If you want to verify the peer's identifier,
-set this to on.
-In this case, if the value defined by
-.Ic peers_identifier
-is not the same as the peer's identifier in the ID payload,
-the negotiation will fail.
-The default is off.
-.\"
-.It Ic certificate_type Ar certspec ;
-Specifies a certificate specification.
-.Ar certspec
-is one of followings:
-.Bl -tag -width Ds -compact
-.It Ic x509 Ar certfile Ar privkeyfile ;
-.Ar certfile
-means a file name of a certificate.
-.Ar privkeyfile
-means a file name of a secret key.
-.El
-.Bl -tag -width Ds -compact
-.It Ic plain_rsa Ar privkeyfile ;
-.Ar privkeyfile
-means a file name of a private key generated by plainrsa-gen(8). Required
-for RSA authentication.
-.El
-.It Ic ca_type Ar cacertspec ;
-Specifies a root certificate authority specification.
-.Ar cacertspec
-is one of followings:
-.Bl -tag -width Ds -compact
-.It Ic x509 Ar cacertfile ;
-.Ar cacertfile
-means a file name of the root certificate authority.
-Default is
-.Pa /etc/openssl/cert.pem
-.El
-.\"
-.It Ic mode_cfg (on | off) ;
-Gather network information through ISAKMP mode configuration.
-Default is off.
-.\"
-.It Ic weak_phase1_check (on | off) ;
-Tells racoon to act on unencrypted deletion messages during phase 1.
-This is a small security risk, so the default is off, meaning that
-racoon will keep on trying to establish a connection even if the
-user credentials are wrong, for instance.
-.\"
-.It Ic peers_certfile ( dnssec | Ar certfile | Ic plain_rsa Ar pubkeyfile ) ;
-If
-.Ic dnssec
-is defined,
-.Xr racoon 8
-will ignore the CERT payload from the peer,
-and try to get the peer's certificate from DNS instead.
-If
-.Ar certfile
-is defined,
-.Xr racoon 8
-will ignore the CERT payload from the peer,
-and will use this certificate as the peer's certificate.
-If
-.Ic plain_rsa
-is defined,
-.Xr racoon 8
-will expect
-.Ar pubkeyfile
-to be the peer's public key that was generated
-by plainrsa-gen(8).
-.\"
-.It Ic script Ar script Ic phase1_up
-.It Ic script Ar script Ic phase1_down
-Shell scripts that get executed when a phase 1 SA goes up or down.
-Both scripts get either
-.Ic phase1_up
-or
-.Ic phase1_down
-as first argument, and the following
-variables are set in their environment:
-.Bl -tag -width Ds -compact
-.It Ev LOCAL_ADDR
-The local address of the phase 1 SA.
-.It Ev LOCAL_PORT
-The local port used for IKE for the phase 1 SA.
-.It Ev REMOTE_ADDR
-The remote address of the phase 1 SA.
-.It Ev REMOTE_PORT
-The remote port used for IKE for the phase 1 SA.
-.El
-The following variables are only set if
-.Ic mode_cfg
-was enabled:
-.Bl -tag -width Ds -compact
-.It INTERNAL_ADDR4
-An IPv4 internal address obtained by ISAKMP mode config.
-.It INTERNAL_NETMASK4
-An IPv4 internal netmask obtained by ISAKMP mode config.
-.It INTERNAL_CIDR4
-An IPv4 internal netmask obtained by ISAKMP mode config, in CIDR notation.
-.It INTERNAL_DNS4
-The first internal DNS server IPv4 address obtained by ISAKMP mode config.
-.It INTERNAL_DNS4_LIST
-A list of internal DNS servers IPv4 address obtained by ISAKMP mode config,
-separated by spaces.
-.It INTERNAL_WINS4
-The first internal WINS server IPv4 address obtained by ISAKMP mode config.
-.It INTERNAL_WINS4_LIST
-A list of internal WINS servers IPv4 address obtained by ISAKMP mode config,
-separated by spaces.
-.It SPLIT_INCLUDE
-The space separated list of IPv4 addresses and masks (address slash mask)
-that define the networks to be encrypted (as opposed to the default where
-all the traffic should be encrypted) ; obtained by ISAKMP mode config ;
-SPLIT_INCLUDE and SPLIT_LOCAL are mutually exclusive.
-.It SPLIT_LOCAL
-The space separated list of IPv4 addresses and masks (address slash mask)
-that define the networks to be considered local, and thus excluded from the
-tunnels ; obtained by ISAKMP mode config.
-.It DEFAULT_DOMAIN
-The DNS default domain name obtained by ISAKMP mode config.
-.El
-.\"
-.\"
-.It Ic send_cert (on | off) ;
-If you do not want to send a certificate, set this to off.
-The default is on.
-.\"
-.It Ic send_cr (on | off) ;
-If you do not want to send a certificate request, set this to off.
-The default is on.
-.\"
-.It Ic verify_cert (on | off) ;
-By default, the identifier sent by the remote host (as specified in its
-.Ic my_identifier
-statement) is compared with the credentials in the certificate
-used to authenticate the remote host as follows:
-.Bl -tag -width Ds -compact
-.It Type Ic asn1dn:
-The entire certificate subject name is compared with the identifier,
-e.g. "C=XX, O=YY, ...".
-.It Type Ic address, fqdn, or user_fqdn:
-The certificate's subjectAltName is compared with the identifier.
-.El
-If the two do not match the negotiation will fail.
-If you do not want to verify the identifier using the peer's certificate,
-set this to off.
-.\"
-.It Ic lifetime time Ar number Ar timeunit ;
-Define a lifetime of a certain time
-which will be proposed in the phase 1 negotiations.
-Any proposal will be accepted, and the attribute(s) will not be proposed to
-the peer if you do not specify it (them).
-They can be individually specified in each proposal.
-.\"
-.It Ic ike_frag (on | off | force) ;
-Enable receiver-side IKE fragmentation if
-.Xr racoon 8
-has been built with this feature.
-If set to on, racoon will advertise
-itself as being capable of receiving packets split by IKE fragmentation.
-This extension is there to work around broken firewalls that do not
-work with fragmented UDP packets.
-IKE fragmentation is always enabled on the sender-side, and it is
-used if the peer advertises itself as IKE fragmentation capable.
-By selecting force, IKE Fragmentation will
-be used when racoon is acting as the initiator even before the remote
-peer has advertised itself as IKE fragmentation capable.
-.\"
-.It Ic esp_frag Ar fraglen ;
-This option is only relevant if you use NAT traversal in tunnel mode.
-Its purpose is to work around broken DSL routers that reject UDP
-fragments, by fragmenting the IP packets before ESP encapsulation.
-The result is ESP over UDP of fragmented packets instead of fragmented
-ESP over UDP packets (i.e., IP:UDP:ESP:frag(IP) instead of
-frag(IP:UDP:ESP:IP)).
-.Ar fraglen
-is the maximum size of the fragments.
-552 should work anywhere,
-but the higher
-.Ar fraglen
-is, the better the performance.
-.Pp
-Note that because PMTU discovery is broken on many sites, you will
-have to use MSS clamping if you want TCP to work correctly.
-.\"
-.It Ic initial_contact (on | off) ;
-Enable this to send an INITIAL-CONTACT message.
-The default value is
-.Ic on .
-This message is useful only when the responder implementation chooses an
-old SA when there are multiple SAs with different established time and the
-initiator reboots.
-If racoon did not send the message,
-the responder would use an old SA even when a new SA was established.
-For systems that use a KAME derived IPSEC stack, the
-.Xr sysctl 8
-variable net.key.preferred_oldsa can be used to control this preference.
-When the value is zero, the stack always uses a new SA.
-.\"
-.It Ic passive (on | off) ;
-If you do not want to initiate the negotiation, set this to on.
-The default value is
-.Ic off .
-It is useful for a server.
-.\"
-.It Ic proposal_check Ar level ;
-Specifies the action of lifetime length, key length and PFS of the phase 2
-selection on the responder side, and the action of lifetime check in
-phase 1.
-The default level is
-.Ic strict .
-If the
-.Ar level
-is:
-.Bl -tag -width Ds -compact
-.It Ic obey
-The responder will obey the initiator anytime.
-.It Ic strict
-If the responder's lifetime length is longer than the initiator's or
-the responder's key length is shorter than the initiator's,
-the responder will use the initiator's value.
-Otherwise, the proposal will be rejected.
-If PFS is not required by the responder, the responder will obey the proposal.
-If PFS is required by both sides and the responder's group is not equal to
-the initiator's, then the responder will reject the proposal.
-.It Ic claim
-If the responder's lifetime length is longer than the initiator's or
-the responder's key length is shorter than the initiator's,
-the responder will use the initiator's value.
-If the responder's lifetime length is shorter than the initiator's,
-the responder uses its own length AND sends a RESPONDER-LIFETIME notify
-message to an initiator in the case of lifetime (phase 2 only).
-For PFS, this directive behaves the same as
-.Ic strict .
-.It Ic exact
-If the initiator's lifetime or key length is not equal to the responder's,
-the responder will reject the proposal.
-If PFS is required by both sides and the responder's group is not equal to
-the initiator's, then the responder will reject the proposal.
-.El
-.\"
-.It Ic support_proxy (on | off) ;
-If this value is set to on, then both values of ID payloads in the
-phase 2 exchange are always used as the addresses of end-point of
-IPsec-SAs.
-The default is off.
-.\"
-.It Ic generate_policy (on | off | require | unique) ;
-This directive is for the responder.
-Therefore you should set
-.Ic passive
-to on in order that
-.Xr racoon 8
-only becomes a responder.
-If the responder does not have any policy in SPD during phase 2
-negotiation, and the directive is set to on, then
-.Xr racoon 8
-will choose the first proposal in the
-SA payload from the initiator, and generate policy entries from the proposal.
-It is useful to negotiate with clients whose IP address is allocated
-dynamically.
-Note that an inappropriate policy might be installed into the responder's SPD
-by the initiator,
-so other communications might fail if such policies are installed
-due to a policy mismatch between the initiator and the responder.
-.Ic on
-and
-.Ic require
-values mean the same thing (generate a require policy).
-.Ic unique
-tells racoon to set up unique policies, with a monotoning increasing
-reqid number (between 1 and IPSEC_MANUAL_REQID_MAX).
-This directive is ignored in the initiator case.
-The default value is
-.Ic off .
-.\"
-.\"
-.It Ic nat_traversal (on | off | force) ;
-This directive enables use of the NAT-Traversal IPsec extension
-(NAT-T).
-NAT-T allows one or both peers to reside behind a NAT gateway (i.e.,
-doing address- or port-translation).
-If a NAT gateway is detected during the phase 1 handshake, racoon will
-attempt to negotiate the use of NAT-T with the remote peer.
-If the negotiation succeeds, all ESP and AH packets for the given connection
-will be encapsulated into UDP datagrams (port 4500, by default).
-Possible values are:
-.Bl -tag -width Ds -compact
-.It Ic on
-NAT-T is used when a NAT gateway is detected between the peers.
-.It Ic off
-NAT-T is not proposed/accepted.
-This is the default.
-.It Ic force
-NAT-T is used regardless of whether a NAT gateway is detected between the
-peers or not.
-.El
-Please note that NAT-T support is a compile-time option.
-Although it is enabled in the source distribution by default, it
-may not be available in your particular build.
-In that case you will get a
-warning when using any NAT-T related config options.
-.\"
-.It Ic dpd_delay Ar delay ;
-This option activates the DPD and sets the time (in seconds) allowed
-between 2 proof of liveliness requests.
-The default value is
-.Ic 0 ,
-which disables DPD monitoring, but still negotiates DPD support.
-.\"
-.It Ic dpd_retry Ar delay ;
-If
-.Ic dpd_delay
-is set, this sets the delay (in seconds) to wait for a proof of
-liveliness before considering it as failed and send another request.
-The default value is
-.Ic 5 .
-.\"
-.It Ic dpd_maxfail Ar number ;
-If
-.Ic dpd_delay
-is set, this sets the maximum number of liveliness proofs to request
-(without reply) before considering the peer is dead.
-The default value is
-.Ic 5 .
-.\"
-.It Ic nonce_size Ar number ;
-define the byte size of nonce value.
-Racoon can send any value although
-RFC2409 specifies that the value MUST be between 8 and 256 bytes.
-The default size is 16 bytes.
-.\"
-.It Ic ph1id Ar number ;
-An optionnal number to identify the remote proposal and to link it
-only with sainfos who have the same number.
-Defaults to 0.
-.\"
-.It Xo
-.Ic proposal { Ar sub-substatements Ic }
-.Xc
-.Bl -tag -width Ds -compact
-.\"
-.It Ic encryption_algorithm Ar algorithm ;
-Specifies the encryption algorithm used for the phase 1 negotiation.
-This directive must be defined.
-.Ar algorithm
-is one of following:
-.Ic des, 3des, blowfish, cast128, aes, camellia
-.\".Ic rc5 , idea
-for Oakley.
-For other transforms, this statement should not be used.
-.\"
-.It Ic hash_algorithm Ar algorithm ;
-Defines the hash algorithm used for the phase 1 negotiation.
-This directive must be defined.
-.Ar algorithm
-is one of following:
-.Ic md5, sha1, sha256, sha384, sha512
-for Oakley.
-.\"
-.It Ic authentication_method Ar type ;
-Defines the authentication method used for the phase 1 negotiation.
-This directive must be defined.
-.Ar type
-is one of:
-.Ic pre_shared_key , rsasig
-(for plain RSA authentication),
-.Ic gssapi_krb , hybrid_rsa_server ,
-.Ic hybrid_rsa_client , xauth_rsa_server , xauth_rsa_client , xauth_psk_server
-or
-.Ic xauth_psk_client .
-.\"
-.It Ic dh_group Ar group ;
-Defines the group used for the Diffie-Hellman exponentiations.
-This directive must be defined.
-.Ar group
-is one of following:
-.Ic modp768 , modp1024 , modp1536 ,
-.Ic modp2048 , modp3072 , modp4096 ,
-.Ic modp6144 , modp8192 .
-Or you can define 1, 2, 5, 14, 15, 16, 17, or 18 as the DH group number.
-When you want to use aggressive mode,
-you must define the same DH group in each proposal.
-.It Ic lifetime time Ar number Ar timeunit ;
-Defines the lifetime of the phase 1 SA proposal.
-Refer to the description of the
-.Ic lifetime
-directive defined in the
-.Ic remote
-directive.
-.It Ic gss_id Ar string ;
-Defines the GSS-API endpoint name, to be included as an attribute in the SA,
-if the
-.Ic gssapi_krb
-authentication method is used.
-If this is not defined, the default value of
-.Ql host/hostname
-is used, where hostname is the value returned by the
-.Xr hostname 1
-command.
-.El
-.El
-.El
-.\"
-.Ss Policy Specifications
-The policy directive is obsolete, policies are now in the SPD.
-.Xr racoon 8
-will obey the policy configured into the kernel by
-.Xr setkey 8 ,
-and will construct phase 2 proposals by combining
-.Ic sainfo
-specifications in
-.Nm ,
-and policies in the kernel.
-.\"
-.Ss Sainfo Specifications
-.Bl -tag -width Ds -compact
-.It Xo
-.Ic sainfo ( Ar source_id destination_id | Ar source_id Ic anonymous | Ic anonymous Ar destination_id | Ic anonymous ) [ from Ar idtype [ Ar string ] ] [ Ic group Ar string ]
-.Ic { Ar statements Ic }
-.Xc
-defines the parameters of the IKE phase 2 (IPsec-SA establishment).
-.Ar source_id
-and
-.Ar destination_id
-are constructed like:
-.Pp
-.Ic address Ar address
-.Bq Ic / Ar prefix
-.Bq Ic [ Ar port ]
-.Ar ul_proto
-.Pp
-or
-.Pp
-.Ic subnet Ar address
-.Bq Ic / Ar prefix
-.Bq Ic [ Ar port ]
-.Ar ul_proto
-.Pp
-or
-.Pp
-.Ar idtype Ar string
-.Pp
-An id string should be expressed to match the exact value of an ID payload
-(source is the local end, destination is the remote end).
-This is not like a filter rule.
-For example, if you define 3ffe:501:4819::/48 as
-.Ar source_id .
-3ffe:501:4819:1000:/64 will not match.
-.Pp
-In the case of a longest prefix (selecting a single host),
-.Ar address
-instructs to send ID type of ADDRESS while
-.Ar subnet
-instructs to send ID type of SUBNET.
-Otherwise, these instructions are identical.
-.Pp
-The group keyword allows an XAuth group membership check to be performed
-for this sainfo section.
-When the mode_cfg auth source is set to
-.Ic system
-or
-.Ic ldap ,
-the XAuth user is verified to be a member of the specified group
-before allowing a matching SA to be negotiated.
-.Pp
-.Bl -tag -width Ds -compact
-.\"
-.It Ic pfs_group Ar group ;
-define the group of Diffie-Hellman exponentiations.
-If you do not require PFS then you can omit this directive.
-Any proposal will be accepted if you do not specify one.
-.Ar group
-is one of following:
-.Ic modp768 , modp1024 , modp1536 ,
-.Ic modp2048 , modp3072 , modp4096 ,
-.Ic modp6144 , modp8192 .
-Or you can define 1, 2, 5, 14, 15, 16, 17, or 18 as the DH group number.
-.\"
-.It Ic lifetime time Ar number Ar timeunit ;
-define how long an IPsec-SA will be used, in timeunits.
-Any proposal will be accepted, and no attribute(s) will be proposed to
-the peer if you do not specify it(them).
-See the
-.Ic proposal_check
-directive.
-.\"
-.It Ic remoteid Ar number ;
-Sainfos will only be used if their remoteid matches the ph1id of the
-remote section used for phase 1.
-Defaults to 0, which is also the default for ph1id.
-.\"
-.It Ic my_identifier Ar idtype ... ;
-is obsolete.
-It does not make sense to specify an identifier in the phase 2.
-.El
-.\"
-.Pp
-.Xr racoon 8
-does not have a list of security protocols to be negotiated.
-The list of security protocols are passed by SPD in the kernel.
-Therefore you have to define all of the potential algorithms
-in the phase 2 proposals even if there are algorithms which will not be used.
-These algorithms are define by using the following three directives,
-with a single comma as the separator.
-For algorithms that can take variable-length keys, algorithm names
-can be followed by a key length, like
-.Dq Li blowfish 448 .
-.Xr racoon 8
-will compute the actual phase 2 proposals by computing
-the permutation of the specified algorithms,
-and then combining them with the security protocol specified by the SPD.
-For example, if
-.Ic des , 3des , hmac_md5 ,
-and
-.Ic hmac_sha1
-are specified as algorithms, we have four combinations for use with ESP,
-and two for AH.
-Then, based on the SPD settings,
-.Xr racoon 8
-will construct the actual proposals.
-If the SPD entry asks for ESP only, there will be 4 proposals.
-If it asks for both AH and ESP, there will be 8 proposals.
-Note that the kernel may not support the algorithm you have specified.
-.\"
-.Bl -tag -width Ds -compact
-.It Ic encryption_algorithm Ar algorithms ;
-.Ic des , 3des , des_iv64 , des_iv32 ,
-.Ic rc5 , rc4 , idea , 3idea ,
-.Ic cast128 , blowfish , null_enc ,
-.Ic twofish , rijndael , aes , camellia
-.Pq used with ESP
-.\"
-.It Ic authentication_algorithm Ar algorithms ;
-.Ic des , 3des , des_iv64 , des_iv32 ,
-.Ic hmac_md5 , hmac_sha1 , hmac_sha256, hmac_sha384, hmac_sha512, non_auth
-.Pq used with ESP authentication and AH
-.\"
-.It Ic compression_algorithm Ar algorithms ;
-.Ic deflate
-.Pq used with IPComp
-.El
-.El
-.\"
-.Ss Logging level
-.Bl -tag -width Ds -compact
-.It Ic log Ar level ;
-Defines the logging level.
-.Ar level
-is one of following:
-.Ic error , warning , notify , info , debug
-and
-.Ic debug2 .
-The default is
-.Ic info .
-If you set the logging level too high on slower machines,
-IKE negotiation can fail due to timing constraint changes.
-.El
-.\"
-.Ss Specifies the way to pad
-.Bl -tag -width Ds -compact
-.It Ic padding { Ar statements Ic }
-specifies the padding format.
-The following are valid statements:
-.Bl -tag -width Ds -compact
-.It Ic randomize (on | off) ;
-Enables the use of a randomized value for padding.
-The default is on.
-.It Ic randomize_length (on | off) ;
-The pad length will be random.
-The default is off.
-.It Ic maximum_length Ar number ;
-Defines a maximum padding length.
-If
-.Ic randomize_length
-is off, this is ignored.
-The default is 20 bytes.
-.It Ic exclusive_tail (on | off) ;
-Means to put the number of pad bytes minus one into the last part
-of the padding.
-The default is on.
-.It Ic strict_check (on | off) ;
-Means to constrain the peer to set the number of pad bytes.
-The default is off.
-.El
-.El
-.Ss ISAKMP mode configuration settings
-.Bl -tag -width Ds -compact
-.It Ic mode_cfg { Ar statements Ic }
-Defines the information to return for remote hosts' ISAKMP mode config
-requests.
-Also defines the authentication source for remote peers
-authenticating through Xauth.
-.Pp
-The following are valid statements:
-.Bl -tag -width Ds -compact
-.It Ic auth_source (system | radius | pam | ldap) ;
-Specifies the source for authentication of users through Xauth.
-.Ar system
-means to use the Unix user database.
-This is the default.
-.Ar radius
-means to use a RADIUS server.
-It works only if
-.Xr racoon 8
-was built with libradius support. Radius configuration is hanlded by
-.Xr radius.conf 5 .
-.Ar pam
-means to use PAM.
-It works only if
-.Xr racoon 8
-was built with libpam support.
-.Ar ldap
-means to use LDAP.
-It works only if
-.Xr racoon 8
-was built with libldap support. LDAP configuration is handled by
-statements in the
-.Ic ldapcfg
-section.
-.It Ic auth_groups Ar "group1", ... ;
-Specifies the group memberships for Xauth in quoted group name strings.
-When defined, the authenticating user must be a member of at least one
-group for Xauth to succeed.
-.It Ic group_source (system | ldap) ;
-Specifies the source for group validataion of users through Xauth.
-.Ar system
-means to use the Unix user database.
-This is the default.
-.Ar ldap
-means to use LDAP.
-It works only if
-.Xr racoon 8
-was built with libldap support and requires LDAP authentication.
-LDAP configuration is handled by statements in the
-.Ic ldapcfg
-section.
-.It Ic conf_source (local | radius | ldap) ;
-Specifies the source for IP addresses and netmask allocated through ISAKMP
-mode config.
-.Ar local
-means to use the local IP pool defined by the
-.Ic network4
-and
-.Ic pool_size
-statements.
-This is the default.
-.Ar radius
-means to use a RADIUS server.
-It works only if
-.Xr racoon 8
-was built with libradius support and requires RADIUS authentiation.
-RADIUS configuration is handled by
-.Xr radius.conf 5 .
-.Ar ldap
-means to use an LDAP server.
-It works only if
-.Xr racoon 8
-was built with libldap support and requires LDAP authentication.
-LDAP configuration is handled by
-statements in the
-.Ic ldapcfg
-section.
-.It Ic accounting (none | system | radius | pam) ;
-Enables or disables accounting for Xauth logins and logouts.
-The default is
-.Ar none
-which disable accounting.
-Specifying
-.Ar system
-enables system accounting through
-.Xr utmp 5 .
-Specifying
-.Ar radius
-enables RADIUS accounting.
-It works only if
-.Xr racoon 8
-was built with libradius support and requires RADIUS authentication.
-RADIUS configuration is handled by
-.Xr radius.conf 5 .
-Specifying
-.Ar pam
-enables PAM accounting.
-It works only if
-.Xr racoon 8
-was build with libpam support and requires PAM authentication.
-.It Ic pool_size Ar size
-Specify the size of the IP address pool, either local or allocated
-through RADIUS.
-.Ic conf_source
-selects the local pool or the RADIUS configuration, but in both
-configurations, you cannot have more than
-.Ar size
-users connected at the same time.
-The default is 255.
-.It Ic network4 Ar address ;
-.It Ic netmask4 Ar address ;
-The local IP pool base address and network mask from which dynamically
-allocated IPv4 addresses should be taken.
-This is used if
-.Ic conf_source
-is set to
-.Ar local
-or if the RADIUS server returned
-.Ar 255.255.255.254 .
-Default is
-.Ar 0.0.0.0/0.0.0.0 .
-.It Ic dns4 Ar addresses ;
-A list of IPv4 addresses for DNS servers, separated by commas, or on multiple
-.Ic dns4
-lines.
-.It Ic wins4 Ar addresses ;
-A list of IPv4 address for WINS servers. The keyword
-.It nbns4
-can also be used as an alias for
-.It wins4 .
-.It Ic split_network (include | local_lan) Ar network/mask, ...
-The network configuration to send, in cidr notation (e.g. 192.168.1.0/24).
-If
-.Ic include
-is specified, the tunnel should be only used to encrypt the indicated
-destinations ; otherwise, if
-.Ic local_lan
-is used, everything will pass through the tunnel but those destinations.
-.It Ic default_domain Ar domain ;
-The default DNS domain to send.
-.It Ic split_dns Ar "domain", ...
-The split dns configuration to send, in quoted domain name strings.
-This list can be used to describe a list of domain names for which
-a peer should query a modecfg assigned dns server.
-DNS queries for all other domains would be handled locally.
-(Cisco VPN client only).
-.It Ic banner Ar path ;
-The path of a file displayed on the client at connection time.
-Default is
-.Ar /etc/motd .
-.It Ic auth_throttle Ar delay ;
-On each failed Xauth authentication attempt, refuse new attempts for a set
-.Ar delay
-of seconds.
-This is to avoid dictionary attacks on Xauth passwords.
-Default is one second.
-Set to zero to disable authentication delay.
-.It Ic pfs_group Ar group ;
-Sets the PFS group used in the client proposal (Cisco VPN client only).
-Default is 0.
-.It Ic save_passwd (on | off) ;
-Allow the client to save the Xauth password (Cisco VPN client only).
-Default is off.
-.El
-.El
-.Ss Ldap configuration settings
-.Bl -tag -width Ds -compact
-.It Ic ldapcfg { Ar statements Ic }
-Defines the parameters that will be used to communicate with an ldap
-server for
-.Ic xauth
-authentication.
-.Pp
-The following are valid statements:
-.Bl -tag -width Ds -compact
-.It Ic version (2 | 3) ;
-The ldap protocol version used to communicate with the server.
-The default is
-.Ic 3 .
-.It Ic host Ar (hostname | address) ;
-The host name or ip address of the ldap server.
-The default is
-.Ic localhost .
-.It Ic port Ar number;
-The port that the ldap server is configured to listen on.
-The default is
-.Ic 389 .
-.It Ic base Ar distinguished name;
-The ldap search base.
-This option has no default value.
-.It Ic subtree (on | off) ;
-Use the subtree ldap search scope.
-Otherwise, use the one level search scope.
-The default is
-.Ic off .
-.It Ic bind_dn Ar distinguised name;
-The user dn used to optionaly bind as before performing ldap search operations.
-If this option is not specified, anonymous binds are used.
-.It Ic bind_pw Ar string;
-The password used when binding as
-.Ic bind_dn .
-.It Ic attr_user Ar attribute name;
-The attribute used to specify a users name in an ldap directory.
-For example,
-if a user dn is "cn=jdoe,dc=my,dc=net" then the attribute would be "cn".
-The default value is
-.Ic cn .
-.It Ic attr_addr Ar attribute name;
-.It Ic attr_mask Ar attribute name;
-The attributes used to specify a users network address and subnet mask in an
-ldap directory.
-These values are forwarded during mode_cfg negotiation when
-the conf_source is set to ldap.
-The default values are
-.Ic racoon-address
-and
-.Ic racoon-netmask .
-.It Ic attr_group Ar attribute name;
-The attribute used to specify a group name in an ldap directory.
-For example,
-if a group dn is "cn=users,dc=my,dc=net" then the attribute would be "cn".
-The default value is
-.Ic cn .
-.It Ic attr_member Ar attribute name;
-The attribute used to specify group membership in an ldap directory.
-The default value is
-.Ic member .
-.El
-.El
-.Ss Special directives
-.Bl -tag -width Ds -compact
-.It Ic complex_bundle (on | off) ;
-defines the interpretation of proposal in the case of SA bundle.
-Normally
-.Dq IP AH ESP IP payload
-is proposed as
-.Dq AH tunnel and ESP tunnel .
-The interpretation is more common to other IKE implementations, however,
-it allows very limited set of combinations for proposals.
-With the option enabled, it will be proposed as
-.Dq AH transport and ESP tunnel .
-The default value is
-.Ic off .
-.El
-.\"
-.Ss Pre-shared key File
-The pre-shared key file defines pairs of identifiers and corresponding
-shared secret keys which are used in the pre-shared key authentication
-method in phase 1.
-The pair in each line is separated by some number of blanks and/or tab
-characters like in the
-.Xr hosts 5
-file.
-Key can include blanks because everything after the first blanks
-is interpreted as the secret key.
-Lines starting with
-.Ql #
-are ignored.
-Keys which start with
-.Ql 0x
-are interpreted as hexadecimal strings.
-Note that the file must be owned by the user ID running
-.Xr racoon 8
-.Pq usually the privileged user ,
-and must not be accessible by others.
-.\"
-.Sh EXAMPLES
-The following shows how the remote directive should be configured.
-.Bd -literal -offset
-path pre_shared_key "/usr/local/v6/etc/psk.txt" ;
-remote anonymous
-{
- exchange_mode aggressive,main,base;
- lifetime time 24 hour;
- proposal {
- encryption_algorithm 3des;
- hash_algorithm sha1;
- authentication_method pre_shared_key;
- dh_group 2;
- }
-}
-
-sainfo anonymous
-{
- pfs_group 2;
- lifetime time 12 hour ;
- encryption_algorithm 3des, blowfish 448, twofish, rijndael ;
- authentication_algorithm hmac_sha1, hmac_md5 ;
- compression_algorithm deflate ;
-}
-.Ed
-.Pp
-If you are configuring plain RSA authentication, the remote directive
-should look like the following:
-.Bd -literal -offset
-path certificate "/usr/local/v6/etc" ;
-remote anonymous
-{
- exchange_mode main,base ;
- lifetime time 12 hour ;
- certificate_type plain_rsa "/usr/local/v6/etc/myrsakey.priv";
- peers_certfile plain_rsa "/usr/local/v6/etc/yourrsakey.pub";
- proposal {
- encryption_algorithm aes ;
- hash_algorithm sha1 ;
- authentication_method rsasig ;
- dh_group 2 ;
- }
-}
-.Ed
-.Pp
-The following is a sample for the pre-shared key file.
-.Bd -literal -offset
-10.160.94.3 mekmitasdigoat
-172.16.1.133 0x12345678
-194.100.55.1 whatcertificatereally
-3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat
-3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat
-foo@kame.net mekmitasdigoat
-foo.kame.net hoge
-.Ed
-.\"
-.Sh SEE ALSO
-.Xr racoon 8 ,
-.Xr racoonctl 8 ,
-.Xr setkey 8
-.\"
-.Sh HISTORY
-The
-.Nm
-configuration file first appeared in the
-.Dq YIPS
-Yokogawa IPsec implementation.
-.\"
-.Sh BUGS
-Some statements may not be handled by
-.Xr racoon 8
-yet.
-.Pp
-Diffie-Hellman computation can take a very long time, and may cause
-unwanted timeouts, specifically when a large D-H group is used.
-.\"
-.Sh SECURITY CONSIDERATIONS
-The use of IKE phase 1 aggressive mode is not recommended,
-as described in
-.Li http://www.kb.cert.org/vuls/id/886601 .
diff --git a/src/racoon/racoonctl.8 b/src/racoon/racoonctl.8
deleted file mode 100644
index b27b188..0000000
--- a/src/racoon/racoonctl.8
+++ /dev/null
@@ -1,199 +0,0 @@
-.\" $NetBSD: racoonctl.8,v 1.13 2006/09/09 16:22:10 manu Exp $
-.\"
-.\" Id: racoonctl.8,v 1.6 2006/05/07 21:32:59 manubsd Exp
-.\"
-.\" Copyright (C) 2004 Emmanuel Dreyfus
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\" 3. Neither the name of the project nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.Dd November 16, 2004
-.Dt RACOONCTL 8
-.Os
-.\"
-.Sh NAME
-.Nm racoonctl
-.Nd racoon administrative control tool
-.\"
-.Sh SYNOPSIS
-.Nm
-reload-config
-.Nm
-show-schedule
-.Nm
-.Op Fl l Op Fl l
-show-sa
-.Op isakmp|esp|ah|ipsec
-.Nm
-flush-sa
-.Op isakmp|esp|ah|ipsec
-.Nm
-delete-sa
-.Ar saopts
-.Nm
-establish-sa
-.Op Fl u Ar identity
-.Ar saopts
-.Nm
-vpn-connect
-.Op Fl u identity
-.Ar vpn_gateway
-.Nm
-vpn-disconnect
-.Ar vpn_gateway
-.Nm
-show-event
-.Op Fl l
-.Nm
-logout-user
-.Ar login
-.\"
-.Sh DESCRIPTION
-.Nm
-is used to control
-.Xr racoon 8
-operation, if ipsec-tools was configured with adminport support.
-Communication between
-.Nm
-and
-.Xr racoon 8
-is done through a UNIX socket.
-By changing the default mode and ownership
-of the socket, you can allow non-root users to alter
-.Xr racoon 8
-behavior, so do that with caution.
-.Pp
-The following commands are available:
-.Bl -tag -width Ds
-.It reload-config
-This should cause
-.Xr racoon 8
-to reload its configuration file.
-.It show-schedule
-Unknown command.
-.It show-sa Op isakmp|esp|ah|ipsec
-Dump the SA: All the SAs if no SA class is provided, or either ISAKMP SAs,
-IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs.
-Use
-.Fl l
-to increase verbosity.
-.It flush-sa Op isakmp|esp|ah|ipsec
-is used to flush all SAs if no SA class is provided, or a class of SAs,
-either ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs.
-.It Xo establish-sa
-.Oo Fl u Ar username
-.Oc Ar saopts
-.Xc
-Establish an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
-The optional
-.Fl u Ar username
-can be used when establishing an ISAKMP SA while hybrid auth is in use.
-.Nm
-will prompt you for the password associated with
-.Ar username
-and these credentials will be used in the Xauth exchange.
-.Pp
-.Ar saopts
-has the following format:
-.Bl -tag -width Bl
-.It isakmp {inet|inet6} Ar src Ar dst
-.It {esp|ah} {inet|inet6} Ar src/prefixlen/port Ar dst/prefixlen/port
-{icmp|tcp|udp|any}
-.El
-.It Xo vpn-connect
-.Oo Fl u Ar username
-.Oc Ar vpn_gateway
-.Xc
-This is a particular case of the previous command.
-It will establish an ISAKMP SA with
-.Ar vpn_gateway .
-.It delete-sa Ar saopts
-Delete an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
-.It vpn-disconnect Ar vpn_gateway
-This is a particular case of the previous command.
-It will kill all SAs associated with
-.Ar vpn_gateway .
-.It show-event Op Fl l
-Dump all events reported by
-.Xr racoon 8 ,
-then quit.
-The
-.Fl l
-flag causes
-.Nm
-to not stop once all the events have been read, but rather to loop
-awaiting and reporting new events.
-.It logout-user Ar login
-Delete all SA established on behalf of the Xauth user
-.Ar login .
-.El
-.Pp
-Command shortcuts are available:
-.Bl -tag -width XXX -compact -offset indent
-.It rc
-reload-config
-.It ss
-show-sa
-.It sc
-show-schedule
-.It fs
-flush-sa
-.It ds
-delete-sa
-.It es
-establish-sa
-.It vc
-vpn-connect
-.It vd
-vpn-disconnect
-.It se
-show-event
-.It lu
-logout-user
-.El
-.\"
-.Sh RETURN VALUES
-The command should exit with 0 on success, and non-zero on errors.
-.\"
-.Sh FILES
-.Bl -tag -width 30n -compact
-.It Pa /var/racoon/racoon.sock No or
-.It Pa /var/run/racoon.sock
-.Xr racoon 8
-control socket.
-.El
-.\"
-.Sh SEE ALSO
-.Xr ipsec 4 ,
-.Xr racoon 8
-.Sh HISTORY
-Once was
-.Ic kmpstat
-in the KAME project.
-It turned into
-.Nm
-but remained undocumented for a while.
-.An Emmanuel Dreyfus Aq manu@NetBSD.org
-wrote this man page.
diff --git a/src/racoon/racoonctl.c b/src/racoon/racoonctl.c
deleted file mode 100644
index 1dd26f0..0000000
--- a/src/racoon/racoonctl.c
+++ /dev/null
@@ -1,1654 +0,0 @@
-/* $NetBSD: racoonctl.c,v 1.7.6.2 2009/04/20 13:32:57 tteras Exp $ */
-
-/* Id: racoonctl.c,v 1.11 2006/04/06 17:06:25 manubsd Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/un.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <net/pfkeyv2.h>
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#if TIME_WITH_SYS_TIME
-# include <sys/time.h>
-# include <time.h>
-#else
-# if HAVE_SYS_TIME_H
-# include <sys/time.h>
-# else
-# include <time.h>
-# endif
-#endif
-#include <netdb.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-#include <err.h>
-#include <sys/ioctl.h>
-#include <resolv.h>
-
-#include "var.h"
-#include "vmbuf.h"
-#include "misc.h"
-#include "gcmalloc.h"
-
-#include "racoonctl.h"
-#include "admin.h"
-#include "schedule.h"
-#include "handler.h"
-#include "sockmisc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "isakmp_xauth.h"
-#include "isakmp_cfg.h"
-#include "isakmp_unity.h"
-#include "ipsec_doi.h"
-#include "evt.h"
-
-char *adminsock_path = ADMINSOCK_PATH;
-
-static void usage __P((void));
-static vchar_t *get_combuf __P((int, char **));
-static int handle_recv __P((vchar_t *));
-static vchar_t *f_reload __P((int, char **));
-static vchar_t *f_getsched __P((int, char **));
-static vchar_t *f_getsa __P((int, char **));
-static vchar_t *f_flushsa __P((int, char **));
-static vchar_t *f_deletesa __P((int, char **));
-static vchar_t *f_exchangesa __P((int, char **));
-static vchar_t *f_vpnc __P((int, char **));
-static vchar_t *f_vpnd __P((int, char **));
-static vchar_t *f_getevt __P((int, char **));
-#ifdef ENABLE_HYBRID
-static vchar_t *f_logoutusr __P((int, char **));
-#endif
-
-struct cmd_tag {
- vchar_t *(*func) __P((int, char **));
- int cmd;
- char *str;
-} cmdtab[] = {
- { f_reload, ADMIN_RELOAD_CONF, "reload-config" },
- { f_reload, ADMIN_RELOAD_CONF, "rc" },
- { f_getsched, ADMIN_SHOW_SCHED, "show-schedule" },
- { f_getsched, ADMIN_SHOW_SCHED, "sc" },
- { f_getsa, ADMIN_SHOW_SA, "show-sa" },
- { f_getsa, ADMIN_SHOW_SA, "ss" },
- { f_flushsa, ADMIN_FLUSH_SA, "flush-sa" },
- { f_flushsa, ADMIN_FLUSH_SA, "fs" },
- { f_deletesa, ADMIN_DELETE_SA, "delete-sa" },
- { f_deletesa, ADMIN_DELETE_SA, "ds" },
- { f_exchangesa, ADMIN_ESTABLISH_SA, "establish-sa" },
- { f_exchangesa, ADMIN_ESTABLISH_SA, "es" },
- { f_vpnc, ADMIN_ESTABLISH_SA, "vpn-connect" },
- { f_vpnc, ADMIN_ESTABLISH_SA, "vc" },
- { f_vpnd, ADMIN_DELETE_ALL_SA_DST,"vpn-disconnect" },
- { f_vpnd, ADMIN_DELETE_ALL_SA_DST,"vd" },
- { f_getevt, ADMIN_SHOW_EVT, "show-event" },
- { f_getevt, ADMIN_SHOW_EVT, "se" },
-#ifdef ENABLE_HYBRID
- { f_logoutusr, ADMIN_LOGOUT_USER, "logout-user" },
- { f_logoutusr, ADMIN_LOGOUT_USER, "lu" },
-#endif
- { NULL, 0, NULL },
-};
-
-struct evtmsg {
- int type;
- char *msg;
- enum { UNSPEC, ERROR, INFO } level;
-} evtmsg[] = {
- { EVTT_PHASE1_UP, "Phase 1 established", INFO },
- { EVTT_PHASE1_DOWN, "Phase 1 deleted", INFO },
- { EVTT_XAUTH_SUCCESS, "Xauth exchange passed", INFO },
- { EVTT_ISAKMP_CFG_DONE, "ISAKMP mode config done", INFO },
- { EVTT_PHASE2_UP, "Phase 2 established", INFO },
- { EVTT_PHASE2_DOWN, "Phase 2 deleted", INFO },
- { EVTT_DPD_TIMEOUT, "Peer not reachable anymore", ERROR },
- { EVTT_PEER_NO_RESPONSE, "Peer not responding", ERROR },
- { EVTT_PEER_DELETE, "Peer terminated security association", ERROR },
- { EVTT_RACOON_QUIT, "Raccon terminated", ERROR },
- { EVTT_OVERFLOW, "Event queue overflow", ERROR },
- { EVTT_XAUTH_FAILED, "Xauth exchange failed", ERROR },
- { EVTT_PEERPH1AUTH_FAILED, "Peer failed phase 1 authentication "
- "(certificate problem?)", ERROR },
- { EVTT_PEERPH1_NOPROP, "Peer failed phase 1 initiation "
- "(proposal problem?)", ERROR },
- { 0, NULL, UNSPEC },
- { EVTT_NO_ISAKMP_CFG, "No need for ISAKMP mode config ", INFO },
-};
-
-static int get_proto __P((char *));
-static vchar_t *get_index __P((int, char **));
-static int get_family __P((char *));
-static vchar_t *get_comindexes __P((int, int, char **));
-static int get_comindex __P((char *, char **, char **, char **));
-static int get_ulproto __P((char *));
-
-struct proto_tag {
- int proto;
- char *str;
-} prototab[] = {
- { ADMIN_PROTO_ISAKMP, "isakmp" },
- { ADMIN_PROTO_IPSEC, "ipsec" },
- { ADMIN_PROTO_AH, "ah" },
- { ADMIN_PROTO_ESP, "esp" },
- { ADMIN_PROTO_INTERNAL, "internal" },
- { 0, NULL },
-};
-
-struct ulproto_tag {
- int ul_proto;
- char *str;
-} ulprototab[] = {
- { 0, "any" },
- { IPPROTO_ICMP, "icmp" },
- { IPPROTO_TCP, "tcp" },
- { IPPROTO_UDP, "udp" },
- { 0, NULL },
-};
-
-int so;
-
-static char _addr1_[NI_MAXHOST], _addr2_[NI_MAXHOST];
-
-char *pname;
-int long_format = 0;
-
-#define EVTF_NONE 0x0000 /* Ignore any events */
-#define EVTF_LOOP 0x0001 /* Loop awaiting for new events */
-#define EVTF_CFG_STOP 0x0002 /* Stop after ISAKMP mode config */
-#define EVTF_CFG 0x0004 /* Print ISAKMP mode config info */
-#define EVTF_ALL 0x0008 /* Print any events */
-#define EVTF_PURGE 0x0010 /* Print all available events */
-#define EVTF_PH1DOWN_STOP 0x0020 /* Stop when phase 1 SA gets down */
-#define EVTF_PH1DOWN 0x0040 /* Print that phase 1 SA got down */
-#define EVTF_ERR 0x0080 /* Print any error */
-#define EVTF_ERR_STOP 0x0100 /* Stop on any error */
-
-int evt_filter = EVTF_NONE;
-time_t evt_start;
-
-void dump_isakmp_sa __P((char *, int));
-void dump_internal __P((char *, int));
-char *pindex_isakmp __P((isakmp_index *));
-void print_schedule __P((caddr_t, int));
-void print_evt __P((caddr_t, int));
-void print_cfg __P((caddr_t, int));
-void print_err __P((caddr_t, int));
-void print_ph1down __P((caddr_t, int));
-void print_ph1up __P((caddr_t, int));
-int evt_poll __P((void));
-char * fixed_addr __P((char *, char *, int));
-
-static void
-usage()
-{
- printf(
-"Usage:\n"
-" %s reload-config\n"
-" %s [-l [-l]] show-sa [protocol]\n"
-" %s flush-sa [protocol]\n"
-" %s delete-sa <saopts>\n"
-" %s establish-sa [-u identity] <saopts>\n"
-" %s vpn-connect [-u identity] vpn_gateway\n"
-" %s vpn-disconnect vpn_gateway\n"
-"\n"
-" <protocol>: \"isakmp\", \"esp\" or \"ah\".\n"
-" In the case of \"show-sa\" or \"flush-sa\", you can use \"ipsec\".\n"
-"\n"
-" <saopts>: \"isakmp\" <family> <src> <dst>\n"
-" : {\"esp\",\"ah\"} <family> <src/prefixlen/port> <dst/prefixlen/port>\n"
-" <ul_proto>\n"
-" <family>: \"inet\" or \"inet6\"\n"
-" <ul_proto>: \"icmp\", \"tcp\", \"udp\" or \"any\"\n",
- pname, pname, pname, pname, pname, pname, pname);
-}
-
-/*
- * Check for proper racoonctl interface
- */
-#if ((RACOONCTL_INTERFACE_MAJOR != 1) || (RACOONCTL_INTERFACE < 20041230))
-#error "Incompatible racoonctl interface"
-#endif
-
-int
-main(ac, av)
- int ac;
- char **av;
-{
- vchar_t *combuf;
- int c;
-
- pname = *av;
-
- /*
- * Check for proper racoonctl interface
- */
- if ((racoonctl_interface_major != RACOONCTL_INTERFACE_MAJOR) ||
- (racoonctl_interface < RACOONCTL_INTERFACE))
- errx(1, "Incompatible racoonctl interface");
-
-#ifdef __linux__
- /*
- * Disable GNU extensions that will prevent racoonct vc -u login
- * from working (GNU getopt(3) does not like options after vc)
- */
- setenv("POSIXLY_CORRECT", "1", 0);
-#endif
- while ((c = getopt(ac, av, "lds:")) != -1) {
- switch(c) {
- case 'l':
- long_format++;
- break;
-
- case 'd':
- loglevel++;
- break;
-
- case 's':
- adminsock_path = optarg;
- break;
-
- default:
- usage();
- exit(0);
- }
- }
-
- ac -= optind;
- av += optind;
-
- combuf = get_combuf(ac, av);
- if (!combuf)
- err(1, "kmpstat");
-
- if (loglevel)
- racoon_hexdump(combuf, ((struct admin_com *)combuf)->ac_len);
-
- com_init();
-
- if (com_send(combuf) != 0)
- goto bad;
-
- vfree(combuf);
-
- if (com_recv(&combuf) != 0)
- goto bad;
- if (handle_recv(combuf) != 0)
- goto bad;
-
- vfree(combuf);
-
- if (evt_filter != EVTF_NONE)
- if (evt_poll() != 0)
- goto bad;
-
- exit(0);
-
- bad:
- exit(1);
-}
-
-int
-evt_poll(void) {
- struct timeval tv;
- vchar_t *recvbuf;
- vchar_t *sendbuf;
-
- if ((sendbuf = f_getevt(0, NULL)) == NULL)
- errx(1, "Cannot make combuf");
-
-
- while (evt_filter & (EVTF_LOOP|EVTF_PURGE)) {
- /* handle_recv closes the socket time, so open it each time */
- com_init();
-
- if (com_send(sendbuf) != 0)
- errx(1, "Cannot send combuf");
-
- if (com_recv(&recvbuf) == 0) {
- handle_recv(recvbuf);
- vfree(recvbuf);
- }
-
- tv.tv_sec = 0;
- tv.tv_usec = 10;
- (void)select(0, NULL, NULL, NULL, &tv);
- }
-
- vfree(sendbuf);
- return 0;
-}
-
-/* %%% */
-/*
- * return command buffer.
- */
-static vchar_t *
-get_combuf(ac, av)
- int ac;
- char **av;
-{
- struct cmd_tag *cp;
-
- if (ac == 0) {
- usage();
- exit(0);
- }
-
- /* checking the string of command. */
- for (cp = &cmdtab[0]; cp->str; cp++) {
- if (strcmp(*av, cp->str) == 0) {
- break;
- }
- }
- if (!cp->str) {
- printf("Invalid command [%s]\n", *av);
- errno = EINVAL;
- return NULL;
- }
-
- ac--;
- av++;
- return (cp->func)(ac, av);
-}
-
-static vchar_t *
-f_reload(ac, av)
- int ac;
- char **av;
-{
- vchar_t *buf;
- struct admin_com *head;
-
- buf = vmalloc(sizeof(*head));
- if (buf == NULL)
- errx(1, "not enough core");
-
- head = (struct admin_com *)buf->v;
- head->ac_len = buf->l;
- head->ac_cmd = ADMIN_RELOAD_CONF;
- head->ac_errno = 0;
- head->ac_proto = 0;
-
- return buf;
-}
-
-static vchar_t *
-f_getevt(ac, av)
- int ac;
- char **av;
-{
- vchar_t *buf;
- struct admin_com *head;
-
- /*
- * There are 3 ways of getting here
- * 1) racoonctl vc => evt_filter = (EVTF_LOOP|EVTF_CFG| ... )
- * 2) racoonctl es => evt_filter = EVTF_NONE
- * 3) racoonctl es -l => evt_filter = EVTF_LOOP
- * Catch the second case: show-event is here to purge all
- */
- if (evt_filter == EVTF_NONE)
- evt_filter = (EVTF_ALL|EVTF_PURGE);
-
- if ((ac >= 1) && (strcmp(av[0], "-l") == 0))
- evt_filter |= EVTF_LOOP;
-
- if (ac >= 2)
- errx(1, "too many arguments");
-
- buf = vmalloc(sizeof(*head));
- if (buf == NULL)
- errx(1, "not enough core");
-
- head = (struct admin_com *)buf->v;
- head->ac_len = buf->l;
- head->ac_cmd = ADMIN_SHOW_EVT;
- head->ac_errno = 0;
- head->ac_proto = 0;
-
- return buf;
-}
-
-static vchar_t *
-f_getsched(ac, av)
- int ac;
- char **av;
-{
- vchar_t *buf;
- struct admin_com *head;
-
- buf = vmalloc(sizeof(*head));
- if (buf == NULL)
- errx(1, "not enough core");
-
- head = (struct admin_com *)buf->v;
- head->ac_len = buf->l;
- head->ac_cmd = ADMIN_SHOW_SCHED;
- head->ac_errno = 0;
- head->ac_proto = 0;
-
- return buf;
-}
-
-static vchar_t *
-f_getsa(ac, av)
- int ac;
- char **av;
-{
- vchar_t *buf;
- struct admin_com *head;
- int proto;
-
- /* need protocol */
- if (ac != 1)
- errx(1, "insufficient arguments");
- proto = get_proto(*av);
- if (proto == -1)
- errx(1, "unknown protocol %s", *av);
-
- buf = vmalloc(sizeof(*head));
- if (buf == NULL)
- errx(1, "not enough core");
-
- head = (struct admin_com *)buf->v;
- head->ac_len = buf->l;
- head->ac_cmd = ADMIN_SHOW_SA;
- head->ac_errno = 0;
- head->ac_proto = proto;
-
- return buf;
-}
-
-static vchar_t *
-f_flushsa(ac, av)
- int ac;
- char **av;
-{
- vchar_t *buf;
- struct admin_com *head;
- int proto;
-
- /* need protocol */
- if (ac != 1)
- errx(1, "insufficient arguments");
- proto = get_proto(*av);
- if (proto == -1)
- errx(1, "unknown protocol %s", *av);
-
- buf = vmalloc(sizeof(*head));
- if (buf == NULL)
- errx(1, "not enough core");
-
- head = (struct admin_com *)buf->v;
- head->ac_len = buf->l;
- head->ac_cmd = ADMIN_FLUSH_SA;
- head->ac_errno = 0;
- head->ac_proto = proto;
-
- return buf;
-}
-
-static vchar_t *
-f_deletesa(ac, av)
- int ac;
- char **av;
-{
- vchar_t *buf, *index;
- struct admin_com *head;
- int proto;
-
- /* need protocol */
- if (ac < 1)
- errx(1, "insufficient arguments");
- proto = get_proto(*av);
- if (proto == -1)
- errx(1, "unknown protocol %s", *av);
-
- /* get index(es) */
- av++;
- ac--;
- switch (proto) {
- case ADMIN_PROTO_ISAKMP:
- index = get_index(ac, av);
- if (index == NULL)
- return NULL;
- break;
- case ADMIN_PROTO_AH:
- case ADMIN_PROTO_ESP:
- index = get_index(ac, av);
- if (index == NULL)
- return NULL;
- break;
- default:
- errno = EPROTONOSUPPORT;
- return NULL;
- }
-
- buf = vmalloc(sizeof(*head) + index->l);
- if (buf == NULL)
- goto out;
-
- head = (struct admin_com *)buf->v;
- head->ac_len = buf->l + index->l;
- head->ac_cmd = ADMIN_DELETE_SA;
- head->ac_errno = 0;
- head->ac_proto = proto;
-
- memcpy(buf->v+sizeof(*head), index->v, index->l);
-
-out:
- if (index != NULL)
- vfree(index);
-
- return buf;
-}
-
-static vchar_t *
-f_deleteallsadst(ac, av)
- int ac;
- char **av;
-{
- vchar_t *buf, *index;
- struct admin_com *head;
- int proto;
-
- /* need protocol */
- if (ac < 1)
- errx(1, "insufficient arguments");
- proto = get_proto(*av);
- if (proto == -1)
- errx(1, "unknown protocol %s", *av);
-
- /* get index(es) */
- av++;
- ac--;
- switch (proto) {
- case ADMIN_PROTO_ISAKMP:
- index = get_index(ac, av);
- if (index == NULL)
- return NULL;
- break;
- case ADMIN_PROTO_AH:
- case ADMIN_PROTO_ESP:
- index = get_index(ac, av);
- if (index == NULL)
- return NULL;
- break;
- default:
- errno = EPROTONOSUPPORT;
- return NULL;
- }
-
- buf = vmalloc(sizeof(*head) + index->l);
- if (buf == NULL)
- goto out;
-
- head = (struct admin_com *)buf->v;
- head->ac_len = buf->l + index->l;
- head->ac_cmd = ADMIN_DELETE_ALL_SA_DST;
- head->ac_errno = 0;
- head->ac_proto = proto;
-
- memcpy(buf->v+sizeof(*head), index->v, index->l);
-
-out:
- if (index != NULL)
- vfree(index);
-
- return buf;
-}
-
-static vchar_t *
-f_exchangesa(ac, av)
- int ac;
- char **av;
-{
- vchar_t *buf, *index;
- struct admin_com *head;
- int proto;
- int cmd = ADMIN_ESTABLISH_SA;
- size_t com_len = 0;
- char *id = NULL;
- char *key = NULL;
- struct admin_com_psk *acp;
-
- if (ac < 1)
- errx(1, "insufficient arguments");
-
- /* Optional -u identity */
- if (strcmp(av[0], "-u") == 0) {
- if (ac < 2)
- errx(1, "-u require an argument");
-
- id = av[1];
- if ((key = getpass("Password: ")) == NULL)
- errx(1, "getpass() failed: %s", strerror(errno));
-
- com_len += sizeof(*acp) + strlen(id) + 1 + strlen(key) + 1;
- cmd = ADMIN_ESTABLISH_SA_PSK;
-
- av += 2;
- ac -= 2;
- }
-
- /* need protocol */
- if (ac < 1)
- errx(1, "insufficient arguments");
- if ((proto = get_proto(*av)) == -1)
- errx(1, "unknown protocol %s", *av);
-
- /* get index(es) */
- av++;
- ac--;
- switch (proto) {
- case ADMIN_PROTO_ISAKMP:
- index = get_index(ac, av);
- if (index == NULL)
- return NULL;
- break;
- case ADMIN_PROTO_AH:
- case ADMIN_PROTO_ESP:
- index = get_index(ac, av);
- if (index == NULL)
- return NULL;
- break;
- default:
- errno = EPROTONOSUPPORT;
- return NULL;
- }
-
- com_len += sizeof(*head) + index->l;
- if ((buf = vmalloc(com_len)) == NULL)
- errx(1, "Cannot allocate buffer");
-
- head = (struct admin_com *)buf->v;
- head->ac_len = buf->l;
- head->ac_cmd = cmd;
- head->ac_errno = 0;
- head->ac_proto = proto;
-
- memcpy(buf->v+sizeof(*head), index->v, index->l);
-
- if (id && key) {
- char *data;
- acp = (struct admin_com_psk *)
- (buf->v + sizeof(*head) + index->l);
-
- acp->id_type = IDTYPE_USERFQDN;
- acp->id_len = strlen(id) + 1;
- acp->key_len = strlen(key) + 1;
-
- data = (char *)(acp + 1);
- strcpy(data, id);
-
- data = (char *)(data + acp->id_len);
- strcpy(data, key);
- }
-
- vfree(index);
-
- return buf;
-}
-
-static vchar_t *
-f_vpnc(ac, av)
- int ac;
- char **av;
-{
- char *nav[] = {NULL, NULL, NULL, NULL, NULL, NULL};
- int nac = 0;
- char *isakmp = "isakmp";
- char *inet = "inet";
- char *srcaddr;
- struct addrinfo hints, *res;
- struct sockaddr *src;
- char *idx;
-
- if (ac < 1)
- errx(1, "insufficient arguments");
-
- evt_filter = (EVTF_LOOP|EVTF_CFG|EVTF_CFG_STOP|EVTF_ERR|EVTF_ERR_STOP);
- time(&evt_start);
-
- /* Optional -u identity */
- if (strcmp(av[0], "-u") == 0) {
- if (ac < 2)
- errx(1, "-u require an argument");
-
- nav[nac++] = av[0];
- nav[nac++] = av[1];
-
- ac -= 2;
- av += 2;
- }
-
- if (ac < 1)
- errx(1, "VPN gateway required");
- if (ac > 1)
- warnx("Extra arguments");
-
- /*
- * Find the source address
- */
- memset(&hints, 0, sizeof(hints));
- hints.ai_family = PF_UNSPEC;
- hints.ai_socktype = SOCK_DGRAM;
- if (getaddrinfo(av[0], "4500", &hints, &res) != 0)
- errx(1, "Cannot resolve destination address");
-
- if ((src = getlocaladdr(res->ai_addr)) == NULL)
- errx(1, "cannot find source address");
-
- if ((srcaddr = saddr2str(src)) == NULL)
- errx(1, "cannot read source address");
-
- /* We get "ip[port]" strip the port */
- if ((idx = index(srcaddr, '[')) == NULL)
- errx(1, "unexpected source address format");
- *idx = '\0';
-
- nav[nac++] = isakmp;
- nav[nac++] = inet;
- nav[nac++] = srcaddr;
- nav[nac++] = av[0];
-
- return f_exchangesa(nac, nav);
-}
-
-static vchar_t *
-f_vpnd(ac, av)
- int ac;
- char **av;
-{
- char *nav[] = {NULL, NULL, NULL, NULL};
- int nac = 0;
- char *isakmp = "isakmp";
- char *inet = "inet";
- char *anyaddr = "0.0.0.0";
- char *idx;
-
- if (ac < 1)
- errx(1, "VPN gateway required");
- if (ac > 1)
- warnx("Extra arguments");
-
- evt_filter =
- (EVTF_PH1DOWN|EVTF_PH1DOWN_STOP|EVTF_LOOP|EVTF_ERR|EVTF_ERR_STOP);
-
- nav[nac++] = isakmp;
- nav[nac++] = inet;
- nav[nac++] = anyaddr;
- nav[nac++] = av[0];
-
- return f_deleteallsadst(nac, nav);
-}
-
-#ifdef ENABLE_HYBRID
-static vchar_t *
-f_logoutusr(ac, av)
- int ac;
- char **av;
-{
- vchar_t *buf;
- struct admin_com *head;
- char *user;
- size_t userlen;
-
- /* need username */
- if (ac < 1)
- errx(1, "insufficient arguments");
- user = av[0];
- userlen = strlen(user);
- if ((user == NULL) || (userlen > LOGINLEN))
- errx(1, "bad login (too long?)");
-
- buf = vmalloc(sizeof(*head) + userlen);
- if (buf == NULL)
- return NULL;
-
- head = (struct admin_com *)buf->v;
- head->ac_len = buf->l;
- head->ac_cmd = ADMIN_LOGOUT_USER;
- head->ac_errno = 0;
- head->ac_proto = 0;
-
- strncpy((char *)(head + 1), user, userlen);
-
- return buf;
-}
-#endif /* ENABLE_HYBRID */
-
-
-static int
-get_proto(str)
- char *str;
-{
- struct proto_tag *cp;
-
- if (str == NULL) {
- errno = EINVAL;
- return -1;
- }
-
- /* checking the string of command. */
- for (cp = &prototab[0]; cp->str; cp++) {
- if (strcmp(str, cp->str) == 0)
- return cp->proto;
- }
-
- errno = EINVAL;
- return -1;
-}
-
-static vchar_t *
-get_index(ac, av)
- int ac;
- char **av;
-{
- int family;
-
- if (ac != 3 && ac != 4) {
- errno = EINVAL;
- return NULL;
- }
-
- /* checking the string of family */
- family = get_family(*av);
- if (family == -1)
- return NULL;
- av++;
- ac--;
-
- return get_comindexes(family, ac, av);
-}
-
-static int
-get_family(str)
- char *str;
-{
- if (strcmp("inet", str) == 0)
- return AF_INET;
-#ifdef INET6
- else if (strcmp("inet6", str) == 0)
- return AF_INET6;
-#endif
- errno = EAFNOSUPPORT;
- return -1;
-}
-
-static vchar_t *
-get_comindexes(family, ac, av)
- int family;
- int ac;
- char **av;
-{
- vchar_t *buf;
- struct admin_com_indexes *ci;
- char *p_name = NULL, *p_port = NULL;
- char *p_prefs = NULL, *p_prefd = NULL;
- struct sockaddr *src = NULL, *dst = NULL;
- int ulproto;
-
- if (ac != 2 && ac != 3) {
- errno = EINVAL;
- return NULL;
- }
-
- if (get_comindex(*av, &p_name, &p_port, &p_prefs) == -1)
- goto bad;
- src = get_sockaddr(family, p_name, p_port);
- if (p_name) {
- racoon_free(p_name);
- p_name = NULL;
- }
- if (p_port) {
- racoon_free(p_port);
- p_port = NULL;
- }
- if (src == NULL)
- goto bad;
- av++;
- ac--;
- if (get_comindex(*av, &p_name, &p_port, &p_prefd) == -1)
- goto bad;
- dst = get_sockaddr(family, p_name, p_port);
- if (p_name) {
- racoon_free(p_name);
- p_name = NULL;
- }
- if (p_port) {
- racoon_free(p_port);
- p_port = NULL;
- }
- if (dst == NULL)
- goto bad;
-
- buf = vmalloc(sizeof(*ci));
- if (buf == NULL)
- goto bad;
-
- av++;
- ac--;
- if(ac){
- ulproto = get_ulproto(*av);
- if (ulproto == -1)
- goto bad;
- }else
- ulproto=0;
-
- ci = (struct admin_com_indexes *)buf->v;
- if(p_prefs)
- ci->prefs = (u_int8_t)atoi(p_prefs); /* XXX should be handled error. */
- else
- ci->prefs = 32;
- if(p_prefd)
- ci->prefd = (u_int8_t)atoi(p_prefd); /* XXX should be handled error. */
- else
- ci->prefd = 32;
- ci->ul_proto = ulproto;
- memcpy(&ci->src, src, sysdep_sa_len(src));
- memcpy(&ci->dst, dst, sysdep_sa_len(dst));
-
- if (p_name)
- racoon_free(p_name);
-
- return buf;
-
- bad:
- if (p_name)
- racoon_free(p_name);
- if (p_port)
- racoon_free(p_port);
- if (p_prefs)
- racoon_free(p_prefs);
- if (p_prefd)
- racoon_free(p_prefd);
- return NULL;
-}
-
-static int
-get_comindex(str, name, port, pref)
- char *str, **name, **port, **pref;
-{
- char *p;
-
- *name = *port = *pref = NULL;
-
- *name = racoon_strdup(str);
- STRDUP_FATAL(*name);
- p = strpbrk(*name, "/[");
- if (p != NULL) {
- if (*(p + 1) == '\0')
- goto bad;
- if (*p == '/') {
- *p = '\0';
- *pref = racoon_strdup(p + 1);
- STRDUP_FATAL(*pref);
- p = strchr(*pref, '[');
- if (p != NULL) {
- if (*(p + 1) == '\0')
- goto bad;
- *p = '\0';
- *port = racoon_strdup(p + 1);
- STRDUP_FATAL(*port);
- p = strchr(*pref, ']');
- if (p == NULL)
- goto bad;
- *p = '\0';
- }
- } else if (*p == '[') {
- if (*pref == NULL)
- goto bad;
- *p = '\0';
- *port = racoon_strdup(p + 1);
- STRDUP_FATAL(*port);
- p = strchr(*pref, ']');
- if (p == NULL)
- goto bad;
- *p = '\0';
- } else {
- /* XXX */
- }
- }
-
- return 0;
-
- bad:
-
- if (*name)
- racoon_free(*name);
- if (*port)
- racoon_free(*port);
- if (*pref)
- racoon_free(*pref);
- *name = *port = *pref = NULL;
- return -1;
-}
-
-static int
-get_ulproto(str)
- char *str;
-{
- struct ulproto_tag *cp;
-
- if(str == NULL){
- errno = EINVAL;
- return -1;
- }
-
- /* checking the string of upper layer protocol. */
- for (cp = &ulprototab[0]; cp->str; cp++) {
- if (strcmp(str, cp->str) == 0)
- return cp->ul_proto;
- }
-
- errno = EINVAL;
- return -1;
-}
-
-/* %%% */
-void
-dump_isakmp_sa(buf, len)
- char *buf;
- int len;
-{
- struct ph1dump *pd;
- struct tm *tm;
- char tbuf[56];
- caddr_t p = NULL;
-
-/* isakmp status header */
-/* short header;
- 1234567890123456789012 0000000000000000:0000000000000000 000000000000
-*/
-char *header1 =
-"Destination Cookies Created";
-
-/* semi long header;
- 1234567890123456789012 0000000000000000:0000000000000000 00 X 00 X 0000-00-00 00:00:00 000000
-*/
-char *header2 =
-"Destination Cookies ST S V E Created Phase2";
-
-/* long header;
- 0000:0000:0000:0000:0000:0000:0000:0000.00000 0000:0000:0000:0000:0000:0000:0000:0000.00000 0000000000000000:0000000000000000 00 X 00 X 0000-00-00 00:00:00 000000
-*/
-char *header3 =
-"Source Destination Cookies ST S V E Created Phase2";
-
-/* phase status header */
-/* short format;
- side stats source address destination address
- xxx xxxxx 1234567890123456789012 1234567890123456789012
-*/
-
- static char *estr[] = { "", "B", "M", "U", "A", "I", };
-
- switch (long_format) {
- case 0:
- printf("%s\n", header1);
- break;
- case 1:
- printf("%s\n", header2);
- break;
- case 2:
- default:
- printf("%s\n", header3);
- break;
- }
-
- if (len % sizeof(*pd))
- printf("invalid length %d\n", len);
- len /= sizeof(*pd);
-
- pd = (struct ph1dump *)buf;
-
- while (len-- > 0) {
- /* source address */
- if (long_format >= 2) {
- GETNAMEINFO((struct sockaddr *)&pd->local, _addr1_, _addr2_);
- switch (long_format) {
- case 0:
- break;
- case 1:
- p = fixed_addr(_addr1_, _addr2_, 22);
- break;
- case 2:
- default:
- p = fixed_addr(_addr1_, _addr2_, 45);
- break;
- }
- printf("%s ", p);
- }
-
- /* destination address */
- GETNAMEINFO((struct sockaddr *)&pd->remote, _addr1_, _addr2_);
- switch (long_format) {
- case 0:
- case 1:
- p = fixed_addr(_addr1_, _addr2_, 22);
- break;
- case 2:
- default:
- p = fixed_addr(_addr1_, _addr2_, 45);
- break;
- }
- printf("%s ", p);
-
- printf("%s ", pindex_isakmp(&pd->index));
-
- /* statuc, side and version */
- if (long_format >= 1) {
- printf("%2d %c %2x ",
- pd->status,
- pd->side == INITIATOR ? 'I' : 'R',
- pd->version);
- if (ARRAYLEN(estr) > pd->etype)
- printf("%s ", estr[pd->etype]);
- }
-
- /* created date */
- if (pd->created) {
- tm = localtime(&pd->created);
- strftime(tbuf, sizeof(tbuf), "%Y-%m-%d %T", tm);
- } else
- snprintf(tbuf, sizeof(tbuf), " ");
- printf("%s ", tbuf);
-
- /* counter of phase 2 */
- if (long_format >= 1)
- printf("%6d ", pd->ph2cnt);
-
- printf("\n");
-
- pd++;
- }
-
- return;
-}
-
-/* %%% */
-void
-dump_internal(buf, tlen)
- char *buf;
- int tlen;
-{
- struct ph2handle *iph2;
- struct sockaddr *addr;
-
-/*
-short header;
- source address destination address
- 1234567890123456789012 1234567890123456789012
-*/
-char *short_h1 =
-"Source Destination ";
-
-/*
-long header;
- source address destination address
- 123456789012345678901234567890123456789012345 123456789012345678901234567890123456789012345
- 0000:0000:0000:0000:0000:0000:0000:0000.00000 0000:0000:0000:0000:0000:0000:0000:0000.00000 0000:0000:0000:0000:0000:0000:0000:0000.00000
-*/
-char *long_h1 =
-"Source Destination ";
-
- printf("%s\n", long_format ? long_h1 : short_h1);
-
- while (tlen > 0) {
- iph2 = (struct ph2handle *)buf;
- addr = (struct sockaddr *)(++iph2);
-
- GETNAMEINFO(addr, _addr1_, _addr2_);
- printf("%s ", long_format ?
- fixed_addr(_addr1_, _addr2_, 45)
- : fixed_addr(_addr1_, _addr2_, 22));
- addr++;
- tlen -= sysdep_sa_len(addr);
-
- GETNAMEINFO(addr, _addr1_, _addr2_);
- printf("%s ", long_format ?
- fixed_addr(_addr1_, _addr2_, 45)
- : fixed_addr(_addr1_, _addr2_, 22));
- addr++;
- tlen -= sysdep_sa_len(addr);
-
- printf("\n");
- }
-
- return;
-}
-
-/* %%% */
-char *
-pindex_isakmp(index)
- isakmp_index *index;
-{
- static char buf[64];
- u_char *p;
- int i, j;
-
- memset(buf, 0, sizeof(buf));
-
- /* copy index */
- p = (u_char *)index;
- for (j = 0, i = 0; i < sizeof(isakmp_index); i++) {
- snprintf((char *)&buf[j], sizeof(buf) - j, "%02x", p[i]);
- j += 2;
- switch (i) {
- case 7:
-#if 0
- case 15:
-#endif
- buf[j++] = ':';
- }
- }
-
- return buf;
-}
-
-/* print schedule */
-char *str_sched_stat[] = {
-"off",
-"on",
-"dead",
-};
-
-char *str_sched_id[] = {
-"PH1resend",
-"PH1lifetime",
-"PH2resend",
-"PSTacquire",
-"PSTlifetime",
-};
-
-void
-print_schedule(buf, len)
- caddr_t buf;
- int len;
-{
- struct scheddump *sc = (struct scheddump *)buf;
- struct tm *tm;
- char tbuf[56];
-
- if (len % sizeof(*sc))
- printf("invalid length %d\n", len);
- len /= sizeof(*sc);
-
- /* 00000000 00000000 00000000 xxx........*/
- printf("index tick xtime created\n");
-
- while (len-- > 0) {
- tm = localtime(&sc->created);
- strftime(tbuf, sizeof(tbuf), "%Y-%m-%d %T", tm);
-
- printf("%-8ld %-8ld %-8ld %s\n",
- sc->id,
- (long)sc->tick,
- (long)sc->xtime,
- tbuf);
- sc++;
- }
-
- return;
-}
-
-
-void
-print_evt(buf, len)
- caddr_t buf;
- int len;
-{
- struct evtdump *evtdump = (struct evtdump *)buf;
- int i;
- char *srcstr;
- char *dststr;
-
- for (i = 0; evtmsg[i].msg; i++)
- if (evtmsg[i].type == evtdump->type)
- break;
-
- if (evtmsg[i].msg == NULL)
- printf("Event %d: ", evtdump->type);
- else
- printf("%s : ", evtmsg[i].msg);
-
- if ((srcstr = saddr2str((struct sockaddr *)&evtdump->src)) == NULL)
- printf("unknown");
- else
- printf("%s", srcstr);
- printf(" -> ");
- if ((dststr = saddr2str((struct sockaddr *)&evtdump->dst)) == NULL)
- printf("unknown");
- else
- printf("%s", dststr);
- printf("\n");
-
- return;
-}
-
-void
-print_err(buf, len)
- caddr_t buf;
- int len;
-{
- struct evtdump *evtdump = (struct evtdump *)buf;
- int i;
-
-
- for (i = 0; evtmsg[i].msg; i++)
- if (evtmsg[i].type == evtdump->type)
- break;
-
- if (evtmsg[i].level != ERROR)
- return;
-
- if (evtmsg[i].msg == NULL)
- printf("Error: Event %d\n", evtdump->type);
- else
- printf("Error: %s\n", evtmsg[i].msg);
-
- if (evt_filter & EVTF_ERR_STOP)
- evt_filter &= ~EVTF_LOOP;
-
- return;
-}
-
-/*
- * Print a message when phase 1 SA goes down
- */
-void
-print_ph1down(buf, len)
- caddr_t buf;
- int len;
-{
- struct evtdump *evtdump = (struct evtdump *)buf;
-
- if (evtdump->type != EVTT_PHASE1_DOWN)
- return;
-
- printf("VPN connexion terminated\n");
-
- if (evt_filter & EVTF_PH1DOWN_STOP)
- evt_filter &= ~EVTF_LOOP;
-
- return;
-}
-
-/*
- * Print ISAKMP mode config info (IP and banner)
- */
-void
-print_cfg(buf, len)
- caddr_t buf;
- int len;
-{
- struct evtdump *evtdump = (struct evtdump *)buf;
- struct isakmp_data *attr;
- char *banner = NULL;
- struct in_addr addr4;
-
- memset(&addr4, 0, sizeof(addr4));
-
- if (evtdump->type != EVTT_ISAKMP_CFG_DONE &&
- evtdump->type != EVTT_NO_ISAKMP_CFG)
- return;
-
- len -= sizeof(*evtdump);
- attr = (struct isakmp_data *)(evtdump + 1);
-
- while (len > 0) {
- if (len < sizeof(*attr)) {
- printf("short attribute too short\n");
- break;
- }
-
- if ((ntohs(attr->type) & ISAKMP_GEN_MASK) == ISAKMP_GEN_TV) {
- /* Short attribute, skip */
- len -= sizeof(*attr);
- attr++;
- } else { /* Long attribute */
- char *n;
-
- if (len < (sizeof(*attr) + ntohs(attr->lorv))) {
- printf("long attribute too long\n");
- break;
- }
-
- switch (ntohs(attr->type) & ~ISAKMP_GEN_MASK) {
- case INTERNAL_IP4_ADDRESS:
- if (ntohs(attr->lorv) < sizeof(addr4)) {
- printf("addr4 attribute too short\n");
- break;
- }
- memcpy(&addr4, attr + 1, sizeof(addr4));
- break;
-
- case UNITY_BANNER:
- banner = racoon_malloc(ntohs(attr->lorv) + 1);
- if (banner == NULL) {
- printf("malloc failed\n");
- break;
- }
- memcpy(banner, attr + 1, ntohs(attr->lorv));
- banner[ntohs(attr->lorv)] = '\0';
- break;
-
- default:
- break;
- }
-
- len -= (sizeof(*attr) + ntohs(attr->lorv));
- n = (char *)attr;
- attr = (struct isakmp_data *)
- (n + sizeof(*attr) + ntohs(attr->lorv));
- }
- }
-
- if (evtdump->type == EVTT_ISAKMP_CFG_DONE)
- printf("Bound to address %s\n", inet_ntoa(addr4));
- else
- printf("VPN connexion established\n");
-
- if (banner) {
- struct winsize win;
- int col = 0;
- int i;
-
- if (ioctl(1, TIOCGWINSZ, &win) != 1)
- col = win.ws_col;
-
- for (i = 0; i < col; i++)
- printf("%c", '=');
- printf("\n%s\n", banner);
- for (i = 0; i < col; i++)
- printf("%c", '=');
- printf("\n");
- racoon_free(banner);
- }
-
- if (evt_filter & EVTF_CFG_STOP)
- evt_filter &= ~EVTF_LOOP;
-
- return;
-}
-
-
-char *
-fixed_addr(addr, port, len)
- char *addr, *port;
- int len;
-{
- static char _addr_buf_[BUFSIZ];
- char *p;
- int plen, i;
-
- /* initialize */
- memset(_addr_buf_, ' ', sizeof(_addr_buf_));
-
- plen = strlen(port);
- if (len < plen + 1)
- return NULL;
-
- p = _addr_buf_;
- for (i = 0; i < len - plen - 1 && addr[i] != '\0'; /*noting*/)
- *p++ = addr[i++];
- *p++ = '.';
-
- for (i = 0; i < plen && port[i] != '\0'; /*noting*/)
- *p++ = port[i++];
-
- _addr_buf_[len] = '\0';
-
- return _addr_buf_;
-}
-
-static int
-handle_recv(combuf)
- vchar_t *combuf;
-{
- struct admin_com h, *com;
- caddr_t buf;
- int len;
-
- com = (struct admin_com *)combuf->v;
- len = com->ac_len - sizeof(*com);
- buf = combuf->v + sizeof(*com);
-
- switch (com->ac_cmd) {
- case ADMIN_SHOW_SCHED:
- print_schedule(buf, len);
- break;
-
- case ADMIN_SHOW_EVT: {
- struct evtdump *evtdump;
-
- /* We got no event */
- if (len == 0) {
- /* If we were purging the queue, it is now done */
- if (evt_filter & EVTF_PURGE)
- evt_filter &= ~EVTF_PURGE;
- break;
- }
-
- if (len < sizeof(struct evtdump))
- errx(1, "Short buffer\n");
-
- /* Toss outdated events */
- evtdump = (struct evtdump *)buf;
- if (evtdump->timestamp < evt_start)
- break;
-
- if (evt_filter & EVTF_ALL)
- print_evt(buf, len);
- if (evt_filter & EVTF_ERR)
- print_err(buf, len);
- if (evt_filter & EVTF_CFG)
- print_cfg(buf, len);
- if (evt_filter & EVTF_PH1DOWN)
- print_ph1down(buf, len);
- break;
- }
-
- case ADMIN_SHOW_SA:
- {
- switch (com->ac_proto) {
- case ADMIN_PROTO_ISAKMP:
- dump_isakmp_sa(buf, len);
- break;
- case ADMIN_PROTO_IPSEC:
- case ADMIN_PROTO_AH:
- case ADMIN_PROTO_ESP:
- {
- struct sadb_msg *msg = (struct sadb_msg *)buf;
-
- switch (msg->sadb_msg_errno) {
- case ENOENT:
- switch (msg->sadb_msg_type) {
- case SADB_DELETE:
- case SADB_GET:
- printf("No entry.\n");
- break;
- case SADB_DUMP:
- printf("No SAD entries.\n");
- break;
- }
- break;
- case 0:
- while (1) {
- pfkey_sadump(msg);
- if (msg->sadb_msg_seq == 0)
- break;
- msg = (struct sadb_msg *)((caddr_t)msg +
- PFKEY_UNUNIT64(msg->sadb_msg_len));
- }
- break;
- default:
- printf("%s.\n", strerror(msg->sadb_msg_errno));
- }
- }
- break;
- case ADMIN_PROTO_INTERNAL:
- dump_internal(buf, len);
- break;
- default:
- printf("Invalid proto [%d]\n", com->ac_proto);
- }
-
- }
- break;
-
- default:
- /* IGNORE */
- break;
- }
-
- close(so);
- return 0;
-
- bad:
- close(so);
- return -1;
-}
diff --git a/src/racoon/racoonctl.h b/src/racoon/racoonctl.h
deleted file mode 100644
index d507213..0000000
--- a/src/racoon/racoonctl.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/* $NetBSD: racoonctl.h,v 1.4 2006/09/09 16:22:10 manu Exp $ */
-
-/* Id: racoonctl.h,v 1.3 2005/06/19 22:37:47 manubsd Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _RACOONCTL_H
-#define _RACOONCTL_H
-
-/* bumped on any change to the interface */
-#define RACOONCTL_INTERFACE 20050619
-extern u_int32_t racoonctl_interface;
-
-/* bumped when introducing changes that break backward compatibility */
-#define RACOONCTL_INTERFACE_MAJOR 1
-extern u_int32_t racoonctl_interface_major;
-
-extern u_int32_t loglevel;
-
-int com_init(void);
-int com_send(vchar_t *);
-int com_recv(vchar_t **);
-struct sockaddr *get_sockaddr(int, char *, char *);
-
-#endif /* _RACOONCTL_H */
-
diff --git a/src/racoon/remoteconf.c b/src/racoon/remoteconf.c
deleted file mode 100644
index 3b96f30..0000000
--- a/src/racoon/remoteconf.c
+++ /dev/null
@@ -1,693 +0,0 @@
-/* $NetBSD: remoteconf.c,v 1.9.4.2 2008/06/18 07:30:19 mgrooms Exp $ */
-
-/* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/queue.h>
-
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-
-#include PATH_IPSEC_H
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "sockmisc.h"
-#include "genlist.h"
-#include "debug.h"
-
-#include "isakmp_var.h"
-#ifdef ENABLE_HYBRID
-#include "isakmp_xauth.h"
-#endif
-#include "isakmp.h"
-#include "ipsec_doi.h"
-#include "oakley.h"
-#include "remoteconf.h"
-#include "localconf.h"
-#include "grabmyaddr.h"
-#include "policy.h"
-#include "proposal.h"
-#include "vendorid.h"
-#include "gcmalloc.h"
-#include "strnames.h"
-#include "algorithm.h"
-#include "nattraversal.h"
-#include "isakmp_frag.h"
-#include "genlist.h"
-
-static TAILQ_HEAD(_rmtree, remoteconf) rmtree, rmtree_save, rmtree_tmp;
-
-/*
- * Script hook names and script hook paths
- */
-char *script_names[SCRIPT_MAX + 1] = { "phase1_up", "phase1_down" };
-
-/*%%%*/
-/*
- * search remote configuration.
- * don't use port number to search if its value is either IPSEC_PORT_ANY.
- * If matching anonymous entry, then new entry is copied from anonymous entry.
- * If no anonymous entry found, then return NULL.
- * OUT: NULL: NG
- * Other: remote configuration entry.
- */
-struct remoteconf *
-getrmconf_strict(remote, allow_anon)
- struct sockaddr *remote;
- int allow_anon;
-{
- struct remoteconf *p;
- struct remoteconf *anon = NULL;
- int withport;
- char buf[NI_MAXHOST + NI_MAXSERV + 10];
- char addr[NI_MAXHOST], port[NI_MAXSERV];
-
- withport = 0;
-
-#ifndef ENABLE_NATT
- /*
- * We never have ports set in our remote configurations, but when
- * NAT-T is enabled, the kernel can have policies with ports and
- * send us an acquire message for a destination that has a port set.
- * If we do this port check here, we don't find the remote config.
- *
- * In an ideal world, we would be able to have remote conf with
- * port, and the port could be a wildcard. That test could be used.
- */
- if (remote->sa_family != AF_UNSPEC &&
- extract_port(remote) != IPSEC_PORT_ANY)
- withport = 1;
-#endif /* ENABLE_NATT */
-
- if (remote->sa_family == AF_UNSPEC)
- snprintf (buf, sizeof(buf), "%s", "anonymous");
- else {
- GETNAMEINFO(remote, addr, port);
- snprintf(buf, sizeof(buf), "%s%s%s%s", addr,
- withport ? "[" : "",
- withport ? port : "",
- withport ? "]" : "");
- }
-
- TAILQ_FOREACH(p, &rmtree, chain) {
- if ((remote->sa_family == AF_UNSPEC
- && remote->sa_family == p->remote->sa_family)
- || (!withport && cmpsaddrwop(remote, p->remote) == 0)
- || (withport && cmpsaddrstrict(remote, p->remote) == 0)) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "configuration found for %s.\n", buf);
- return p;
- }
-
- /* save the pointer to the anonymous configuration */
- if (p->remote->sa_family == AF_UNSPEC)
- anon = p;
- }
-
- if (allow_anon && anon != NULL) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "anonymous configuration selected for %s.\n", buf);
- return anon;
- }
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "no remote configuration found.\n");
-
- return NULL;
-}
-
-struct remoteconf *
-getrmconf(remote)
- struct sockaddr *remote;
-{
- return getrmconf_strict(remote, 1);
-}
-
-struct remoteconf *
-newrmconf()
-{
- struct remoteconf *new;
- int i;
-
- new = racoon_calloc(1, sizeof(*new));
- if (new == NULL)
- return NULL;
-
- new->proposal = NULL;
-
- /* set default */
- new->doitype = IPSEC_DOI;
- new->sittype = IPSECDOI_SIT_IDENTITY_ONLY;
- new->idvtype = IDTYPE_UNDEFINED;
- new->idvl_p = genlist_init();
- new->nonce_size = DEFAULT_NONCE_SIZE;
- new->passive = FALSE;
- new->ike_frag = FALSE;
- new->esp_frag = IP_MAXPACKET;
- new->ini_contact = TRUE;
- new->mode_cfg = FALSE;
- new->pcheck_level = PROP_CHECK_STRICT;
- new->verify_identifier = FALSE;
- new->verify_cert = TRUE;
- new->getcert_method = ISAKMP_GETCERT_PAYLOAD;
- new->getcacert_method = ISAKMP_GETCERT_LOCALFILE;
- new->cacerttype = ISAKMP_CERT_X509SIGN;
- new->certtype = ISAKMP_CERT_NONE;
- new->cacertfile = NULL;
- new->send_cert = TRUE;
- new->send_cr = TRUE;
- new->support_proxy = FALSE;
- for (i = 0; i <= SCRIPT_MAX; i++)
- new->script[i] = NULL;
- new->gen_policy = FALSE;
- new->retry_counter = lcconf->retry_counter;
- new->retry_interval = lcconf->retry_interval;
- new->nat_traversal = FALSE;
- new->rsa_private = genlist_init();
- new->rsa_public = genlist_init();
- new->idv = NULL;
- new->key = NULL;
-
- new->dpd = TRUE; /* Enable DPD support by default */
- new->dpd_interval = 0; /* Disable DPD checks by default */
- new->dpd_retry = 5;
- new->dpd_maxfails = 5;
-
- new->weak_phase1_check = 0;
-
-#ifdef ENABLE_HYBRID
- new->xauth = NULL;
-#endif
-
- return new;
-}
-
-struct remoteconf *
-copyrmconf(remote)
- struct sockaddr *remote;
-{
- struct remoteconf *new, *old;
-
- old = getrmconf_strict (remote, 0);
- if (old == NULL) {
- plog (LLV_ERROR, LOCATION, NULL,
- "Remote configuration for '%s' not found!\n",
- saddr2str (remote));
- return NULL;
- }
-
- new = duprmconf (old);
-
- return new;
-}
-
-void *
-dupidvl(entry, arg)
- void *entry;
- void *arg;
-{
- struct idspec *id;
- struct idspec *old = (struct idspec *) entry;
- id = newidspec();
- if (!id) return (void *) -1;
-
- if (set_identifier(&id->id, old->idtype, old->id) != 0) {
- racoon_free(id);
- return (void *) -1;
- }
-
- id->idtype = old->idtype;
-
- genlist_append(arg, id);
- return NULL;
-}
-
-struct remoteconf *
-duprmconf (rmconf)
- struct remoteconf *rmconf;
-{
- struct remoteconf *new;
-
- new = racoon_calloc(1, sizeof(*new));
- if (new == NULL)
- return NULL;
- memcpy (new, rmconf, sizeof (*new));
- // FIXME: We should duplicate the proposal as well.
- // This is now handled in the cfparse.y
- // new->proposal = ...;
-
- /* duplicate dynamic structures */
- if (new->etypes)
- new->etypes=dupetypes(new->etypes);
- new->idvl_p = genlist_init();
- genlist_foreach(rmconf->idvl_p, dupidvl, new->idvl_p);
-
- return new;
-}
-
-static void
-idspec_free(void *data)
-{
- vfree (((struct idspec *)data)->id);
- free (data);
-}
-
-void
-delrmconf(rmconf)
- struct remoteconf *rmconf;
-{
-#ifdef ENABLE_HYBRID
- if (rmconf->xauth)
- xauth_rmconf_delete(&rmconf->xauth);
-#endif
- if (rmconf->etypes){
- deletypes(rmconf->etypes);
- rmconf->etypes=NULL;
- }
- if (rmconf->idvl_p)
- genlist_free(rmconf->idvl_p, idspec_free);
- if (rmconf->dhgrp)
- oakley_dhgrp_free(rmconf->dhgrp);
- if (rmconf->proposal)
- delisakmpsa(rmconf->proposal);
- racoon_free(rmconf);
-}
-
-void
-delisakmpsa(sa)
- struct isakmpsa *sa;
-{
- if (sa->dhgrp)
- oakley_dhgrp_free(sa->dhgrp);
- if (sa->next)
- delisakmpsa(sa->next);
-#ifdef HAVE_GSSAPI
- if (sa->gssid)
- vfree(sa->gssid);
-#endif
- racoon_free(sa);
-}
-
-struct etypes *
-dupetypes(orig)
- struct etypes *orig;
-{
- struct etypes *new;
-
- if (!orig)
- return NULL;
-
- new = racoon_malloc(sizeof(struct etypes));
- if (new == NULL)
- return NULL;
-
- new->type = orig->type;
- new->next = NULL;
-
- if (orig->next)
- new->next=dupetypes(orig->next);
-
- return new;
-}
-
-void
-deletypes(e)
- struct etypes *e;
-{
- if (e->next)
- deletypes(e->next);
- racoon_free(e);
-}
-
-/*
- * insert into head of list.
- */
-void
-insrmconf(new)
- struct remoteconf *new;
-{
- TAILQ_INSERT_HEAD(&rmtree, new, chain);
-}
-
-void
-remrmconf(rmconf)
- struct remoteconf *rmconf;
-{
- TAILQ_REMOVE(&rmtree, rmconf, chain);
-}
-
-void
-flushrmconf()
-{
- struct remoteconf *p, *next;
-
- for (p = TAILQ_FIRST(&rmtree); p; p = next) {
- next = TAILQ_NEXT(p, chain);
- remrmconf(p);
- delrmconf(p);
- }
-}
-
-void
-initrmconf()
-{
- TAILQ_INIT(&rmtree);
-}
-
-void
-save_rmconf()
-{
- rmtree_save=rmtree;
- initrmconf();
-}
-
-void
-save_rmconf_flush()
-{
- rmtree_tmp=rmtree;
- rmtree=rmtree_save;
- flushrmconf();
- initrmconf();
- rmtree=rmtree_tmp;
-}
-
-
-
-/* check exchange type to be acceptable */
-struct etypes *
-check_etypeok( struct remoteconf *rmconf, u_int8_t etype)
-{
- struct etypes *e;
-
- for (e = rmconf->etypes; e != NULL; e = e->next) {
- if (e->type == etype)
- break;
- }
-
- return e;
-}
-
-/*%%%*/
-struct isakmpsa *
-newisakmpsa()
-{
- struct isakmpsa *new;
-
- new = racoon_calloc(1, sizeof(*new));
- if (new == NULL)
- return NULL;
-
- /*
- * Just for sanity, make sure this is initialized. This is
- * filled in for real when the ISAKMP proposal is configured.
- */
- new->vendorid = VENDORID_UNKNOWN;
-
- new->next = NULL;
- new->rmconf = NULL;
-#ifdef HAVE_GSSAPI
- new->gssid = NULL;
-#endif
-
- return new;
-}
-
-/*
- * insert into tail of list.
- */
-void
-insisakmpsa(new, rmconf)
- struct isakmpsa *new;
- struct remoteconf *rmconf;
-{
- struct isakmpsa *p;
-
- new->rmconf = rmconf;
-
- if (rmconf->proposal == NULL) {
- rmconf->proposal = new;
- return;
- }
-
- for (p = rmconf->proposal; p->next != NULL; p = p->next)
- ;
- p->next = new;
-
- return;
-}
-
-struct remoteconf *
-foreachrmconf(rmconf_func_t rmconf_func, void *data)
-{
- struct remoteconf *p, *ret = NULL;
- RACOON_TAILQ_FOREACH_REVERSE(p, &rmtree, _rmtree, chain) {
- ret = (*rmconf_func)(p, data);
- if (ret)
- break;
- }
-
- return ret;
-}
-
-static void *
-dump_peers_identifiers (void *entry, void *arg)
-{
- struct idspec *id = (struct idspec*) entry;
- char buf[1024], *pbuf;
- pbuf = buf;
- pbuf += sprintf (pbuf, "\tpeers_identifier %s",
- s_idtype (id->idtype));
- if (id->id)
- pbuf += sprintf (pbuf, " \"%s\"", id->id->v);
- plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf);
- return NULL;
-}
-
-static struct remoteconf *
-dump_rmconf_single (struct remoteconf *p, void *data)
-{
- struct etypes *etype = p->etypes;
- struct isakmpsa *prop = p->proposal;
- char buf[1024], *pbuf;
-
- pbuf = buf;
- pbuf += sprintf(pbuf, "remote %s", saddr2str(p->remote));
- if (p->inherited_from)
- pbuf += sprintf(pbuf, " inherit %s",
- saddr2str(p->inherited_from->remote));
- plog(LLV_INFO, LOCATION, NULL, "%s {\n", buf);
- pbuf = buf;
- pbuf += sprintf(pbuf, "\texchange_type ");
- while (etype) {
- pbuf += sprintf (pbuf, "%s%s", s_etype(etype->type),
- etype->next != NULL ? ", " : ";\n");
- etype = etype->next;
- }
- plog(LLV_INFO, LOCATION, NULL, "%s", buf);
- plog(LLV_INFO, LOCATION, NULL, "\tdoi %s;\n", s_doi(p->doitype));
- pbuf = buf;
- pbuf += sprintf(pbuf, "\tmy_identifier %s", s_idtype (p->idvtype));
- if (p->idvtype == IDTYPE_ASN1DN) {
- plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf);
- plog(LLV_INFO, LOCATION, NULL, "\tcertificate_type %s \"%s\" \"%s\";\n",
- p->certtype == ISAKMP_CERT_X509SIGN ? "x509" : "*UNKNOWN*",
- p->mycertfile, p->myprivfile);
- switch (p->getcert_method) {
- case 0:
- break;
- case ISAKMP_GETCERT_PAYLOAD:
- plog(LLV_INFO, LOCATION, NULL, "\t/* peers certificate from payload */\n");
- break;
- case ISAKMP_GETCERT_LOCALFILE:
- plog(LLV_INFO, LOCATION, NULL, "\tpeers_certfile \"%s\";\n", p->peerscertfile);
- break;
- case ISAKMP_GETCERT_DNS:
- plog(LLV_INFO, LOCATION, NULL, "\tpeer_certfile dnssec;\n");
- break;
- default:
- plog(LLV_INFO, LOCATION, NULL, "\tpeers_certfile *UNKNOWN* (%d)\n", p->getcert_method);
- }
- }
- else {
- if (p->idv)
- pbuf += sprintf (pbuf, " \"%s\"", p->idv->v);
- plog(LLV_INFO, LOCATION, NULL, "%s;\n", buf);
- genlist_foreach(p->idvl_p, &dump_peers_identifiers, NULL);
- }
-
- plog(LLV_INFO, LOCATION, NULL, "\tsend_cert %s;\n",
- s_switch (p->send_cert));
- plog(LLV_INFO, LOCATION, NULL, "\tsend_cr %s;\n",
- s_switch (p->send_cr));
- plog(LLV_INFO, LOCATION, NULL, "\tverify_cert %s;\n",
- s_switch (p->verify_cert));
- plog(LLV_INFO, LOCATION, NULL, "\tverify_identifier %s;\n",
- s_switch (p->verify_identifier));
- plog(LLV_INFO, LOCATION, NULL, "\tnat_traversal %s;\n",
- p->nat_traversal == NATT_FORCE ?
- "force" : s_switch (p->nat_traversal));
- plog(LLV_INFO, LOCATION, NULL, "\tnonce_size %d;\n",
- p->nonce_size);
- plog(LLV_INFO, LOCATION, NULL, "\tpassive %s;\n",
- s_switch (p->passive));
- plog(LLV_INFO, LOCATION, NULL, "\tike_frag %s;\n",
- p->ike_frag == ISAKMP_FRAG_FORCE ?
- "force" : s_switch (p->ike_frag));
- plog(LLV_INFO, LOCATION, NULL, "\tesp_frag %d;\n", p->esp_frag);
- plog(LLV_INFO, LOCATION, NULL, "\tinitial_contact %s;\n",
- s_switch (p->ini_contact));
- plog(LLV_INFO, LOCATION, NULL, "\tgenerate_policy %s;\n",
- s_switch (p->gen_policy));
- plog(LLV_INFO, LOCATION, NULL, "\tsupport_proxy %s;\n",
- s_switch (p->support_proxy));
-
- while (prop) {
- plog(LLV_INFO, LOCATION, NULL, "\n");
- plog(LLV_INFO, LOCATION, NULL,
- "\t/* prop_no=%d, trns_no=%d, rmconf=%s */\n",
- prop->prop_no, prop->trns_no,
- saddr2str(prop->rmconf->remote));
- plog(LLV_INFO, LOCATION, NULL, "\tproposal {\n");
- plog(LLV_INFO, LOCATION, NULL, "\t\tlifetime time %lu sec;\n",
- (long)prop->lifetime);
- plog(LLV_INFO, LOCATION, NULL, "\t\tlifetime bytes %zd;\n",
- prop->lifebyte);
- plog(LLV_INFO, LOCATION, NULL, "\t\tdh_group %s;\n",
- alg_oakley_dhdef_name(prop->dh_group));
- plog(LLV_INFO, LOCATION, NULL, "\t\tencryption_algorithm %s;\n",
- alg_oakley_encdef_name(prop->enctype));
- plog(LLV_INFO, LOCATION, NULL, "\t\thash_algorithm %s;\n",
- alg_oakley_hashdef_name(prop->hashtype));
- plog(LLV_INFO, LOCATION, NULL, "\t\tauthentication_method %s;\n",
- alg_oakley_authdef_name(prop->authmethod));
- plog(LLV_INFO, LOCATION, NULL, "\t}\n");
- prop = prop->next;
- }
- plog(LLV_INFO, LOCATION, NULL, "}\n");
- plog(LLV_INFO, LOCATION, NULL, "\n");
-
- return NULL;
-}
-
-void
-dumprmconf()
-{
- foreachrmconf (dump_rmconf_single, NULL);
-}
-
-struct idspec *
-newidspec()
-{
- struct idspec *new;
-
- new = racoon_calloc(1, sizeof(*new));
- if (new == NULL)
- return NULL;
- new->idtype = IDTYPE_ADDRESS;
-
- return new;
-}
-
-vchar_t *
-script_path_add(path)
- vchar_t *path;
-{
- char *script_dir;
- vchar_t *new_path;
- vchar_t *new_storage;
- vchar_t **sp;
- size_t len;
- size_t size;
-
- script_dir = lcconf->pathinfo[LC_PATHTYPE_SCRIPT];
-
- /* Try to find the script in the script directory */
- if ((path->v[0] != '/') && (script_dir != NULL)) {
- len = strlen(script_dir) + sizeof("/") + path->l + 1;
-
- if ((new_path = vmalloc(len)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Cannot allocate memory: %s\n", strerror(errno));
- return NULL;
- }
-
- new_path->v[0] = '\0';
- (void)strlcat(new_path->v, script_dir, len);
- (void)strlcat(new_path->v, "/", len);
- (void)strlcat(new_path->v, path->v, len);
-
- vfree(path);
- path = new_path;
- }
-
- return path;
-}
-
-
-struct isakmpsa *
-dupisakmpsa(struct isakmpsa *sa)
-{
- struct isakmpsa *res=NULL;
-
- if(sa == NULL)
- return NULL;
-
- res=newisakmpsa();
- if(res == NULL)
- return NULL;
-
- *res=*sa;
-#ifdef HAVE_GSSAPI
- /* XXX gssid
- */
-#endif
- res->next=NULL;
-
- if(sa->dhgrp != NULL)
- oakley_setdhgroup (sa->dh_group, &(res->dhgrp));
-
- return res;
-
-}
diff --git a/src/racoon/remoteconf.h b/src/racoon/remoteconf.h
deleted file mode 100644
index ca5945e..0000000
--- a/src/racoon/remoteconf.h
+++ /dev/null
@@ -1,196 +0,0 @@
-/* $NetBSD: remoteconf.h,v 1.7 2006/10/03 08:01:56 vanhu Exp $ */
-
-/* Id: remoteconf.h,v 1.26 2006/05/06 15:52:44 manubsd Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _REMOTECONF_H
-#define _REMOTECONF_H
-
-/* remote configuration */
-
-#include <sys/queue.h>
-#include "genlist.h"
-#ifdef ENABLE_HYBRID
-#include "isakmp_var.h"
-#include "isakmp_xauth.h"
-#endif
-
-struct proposalspec;
-
-struct etypes {
- int type;
- struct etypes *next;
-};
-
-/* Script hooks */
-#define SCRIPT_PHASE1_UP 0
-#define SCRIPT_PHASE1_DOWN 1
-#define SCRIPT_MAX 1
-extern char *script_names[SCRIPT_MAX + 1];
-
-struct remoteconf {
- struct sockaddr *remote; /* remote IP address */
- /* if family is AF_UNSPEC, that is
- * for anonymous configuration. */
-
- struct etypes *etypes; /* exchange type list. the head
- * is a type to be sent first. */
- int doitype; /* doi type */
- int sittype; /* situation type */
-
- int idvtype; /* my identifier type */
- vchar_t *idv; /* my identifier */
- vchar_t *key; /* my pre-shared key */
- struct genlist *idvl_p; /* peer's identifiers list */
-
- int certtype; /* certificate type if need */
- char *mycertfile; /* file name of my certificate */
- char *myprivfile; /* file name of my private key file */
- char *peerscertfile; /* file name of peer's certifcate */
- int getcert_method; /* the way to get peer's certificate */
- int cacerttype; /* CA type is needed */
- char *cacertfile; /* file name of CA */
- int getcacert_method; /* the way to get the CA */
- int send_cert; /* send to CERT or not */
- int send_cr; /* send to CR or not */
- int verify_cert; /* verify a CERT strictly */
- int verify_identifier; /* vefify the peer's identifier */
- int nonce_size; /* the number of bytes of nonce */
- int passive; /* never initiate */
- int ike_frag; /* IKE fragmentation */
- int esp_frag; /* ESP fragmentation */
- int mode_cfg; /* Gets config through mode config */
- int support_proxy; /* support mip6/proxy */
-#define GENERATE_POLICY_NONE 0
-#define GENERATE_POLICY_REQUIRE 1
-#define GENERATE_POLICY_UNIQUE 2
- int gen_policy; /* generate policy if no policy found */
- int ini_contact; /* initial contact */
- int pcheck_level; /* level of propocl checking */
- int nat_traversal; /* NAT-Traversal */
- vchar_t *script[SCRIPT_MAX + 1];/* script hooks paths */
- int dh_group; /* use it when only aggressive mode */
- struct dhgroup *dhgrp; /* use it when only aggressive mode */
- /* above two can't be defined by user*/
-
- int retry_counter; /* times to retry. */
- int retry_interval; /* interval each retry. */
- /* above 2 values are copied from localconf. */
-
- int dpd; /* Negociate DPD support ? */
- int dpd_retry; /* in seconds */
- int dpd_interval; /* in seconds */
- int dpd_maxfails;
-
- int ph1id; /* ph1id to be matched with sainfo sections */
-
- int weak_phase1_check; /* act on unencrypted deletions ? */
-
- struct isakmpsa *proposal; /* proposal list */
- struct remoteconf *inherited_from; /* the original rmconf
- from which this one
- was inherited */
- struct proposalspec *prhead;
-
- struct genlist *rsa_private, /* lists of PlainRSA keys to use */
- *rsa_public;
-
-#ifdef ENABLE_HYBRID
- struct xauth_rmconf *xauth;
-#endif
-
- TAILQ_ENTRY(remoteconf) chain; /* next remote conf */
-};
-
-struct dhgroup;
-
-/* ISAKMP SA specification */
-struct isakmpsa {
- int prop_no;
- int trns_no;
- time_t lifetime;
- size_t lifebyte;
- int enctype;
- int encklen;
- int authmethod;
- int hashtype;
- int vendorid;
-#ifdef HAVE_GSSAPI
- vchar_t *gssid;
-#endif
- int dh_group; /* don't use it if aggressive mode */
- struct dhgroup *dhgrp; /* don't use it if aggressive mode */
-
- struct isakmpsa *next; /* next transform */
- struct remoteconf *rmconf; /* backpointer to remoteconf */
-};
-
-struct idspec {
- int idtype; /* identifier type */
- vchar_t *id; /* identifier */
-};
-
-typedef struct remoteconf * (rmconf_func_t)(struct remoteconf *rmconf, void *data);
-
-extern struct remoteconf *getrmconf __P((struct sockaddr *));
-extern struct remoteconf *getrmconf_strict
- __P((struct sockaddr *remote, int allow_anon));
-extern struct remoteconf *copyrmconf __P((struct sockaddr *));
-extern struct remoteconf *newrmconf __P((void));
-extern struct remoteconf *duprmconf __P((struct remoteconf *));
-extern void delrmconf __P((struct remoteconf *));
-extern void delisakmpsa __P((struct isakmpsa *));
-extern void deletypes __P((struct etypes *));
-extern struct etypes * dupetypes __P((struct etypes *));
-extern void insrmconf __P((struct remoteconf *));
-extern void remrmconf __P((struct remoteconf *));
-extern void flushrmconf __P((void));
-extern void initrmconf __P((void));
-extern void save_rmconf __P((void));
-extern void save_rmconf_flush __P((void));
-
-extern struct etypes *check_etypeok
- __P((struct remoteconf *, u_int8_t));
-extern struct remoteconf *foreachrmconf __P((rmconf_func_t rmconf_func,
- void *data));
-
-extern struct isakmpsa *newisakmpsa __P((void));
-extern struct isakmpsa *dupisakmpsa __P((struct isakmpsa *));
-
-extern void insisakmpsa __P((struct isakmpsa *, struct remoteconf *));
-
-extern void dumprmconf __P((void));
-
-extern struct idspec *newidspec __P((void));
-
-extern vchar_t *script_path_add __P((vchar_t *));
-
-#endif /* _REMOTECONF_H */
diff --git a/src/racoon/rsalist.c b/src/racoon/rsalist.c
deleted file mode 100644
index 850aa4c..0000000
--- a/src/racoon/rsalist.c
+++ /dev/null
@@ -1,216 +0,0 @@
-/* $NetBSD: rsalist.c,v 1.4 2006/09/09 16:22:10 manu Exp $ */
-
-/* Id: rsalist.c,v 1.3 2004/11/08 12:04:23 ludvigm Exp */
-
-/*
- * Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
- * Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <stdio.h>
-#include <string.h>
-
-#include <sys/types.h>
-#include <sys/queue.h>
-#include <sys/socket.h>
-#include <netdb.h>
-
-#include <openssl/bn.h>
-#include <openssl/rsa.h>
-
-#include "misc.h"
-#include "plog.h"
-#include "sockmisc.h"
-#include "rsalist.h"
-#include "genlist.h"
-#include "remoteconf.h"
-#include "crypto_openssl.h"
-
-#ifndef LIST_FIRST
-#define LIST_FIRST(head) ((head)->lh_first)
-#endif
-
-#ifndef LIST_NEXT
-#define LIST_NEXT(elm, field) ((elm)->field.le_next)
-#endif
-
-/* from prsa_tok.l */
-int prsa_parse_file(struct genlist *list, const char *fname, enum rsa_key_type type);
-
-int
-rsa_key_insert(struct genlist *list, struct netaddr *src,
- struct netaddr *dst, RSA *rsa)
-{
- struct rsa_key *rsa_key;
-
- rsa_key = calloc(sizeof(struct rsa_key), 1);
- rsa_key->rsa = rsa;
-
- if (src)
- rsa_key->src = src;
- else
- rsa_key->src = calloc(sizeof(*rsa_key->src), 1);
-
- if (dst)
- rsa_key->dst = dst;
- else
- rsa_key->dst = calloc(sizeof(*rsa_key->dst), 1);
-
- genlist_append(list, rsa_key);
-
- return 0;
-}
-
-static void *
-rsa_key_dump_one(void *entry, void *arg)
-{
- struct rsa_key *key = entry;
-
- plog(LLV_DEBUG, LOCATION, NULL, "Entry %s\n",
- naddrwop2str_fromto("%s -> %s", key->src,
- key->dst));
- if (loglevel > LLV_DEBUG)
- RSA_print_fp(stdout, key->rsa, 4);
-
- return NULL;
-}
-
-void
-rsa_key_dump(struct genlist *list)
-{
- genlist_foreach(list, rsa_key_dump_one, NULL);
-}
-
-static void *
-rsa_list_count_one(void *entry, void *arg)
-{
- if (arg)
- (*(unsigned long *)arg)++;
- return NULL;
-}
-
-unsigned long
-rsa_list_count(struct genlist *list)
-{
- unsigned long count = 0;
- genlist_foreach(list, rsa_list_count_one, &count);
- return count;
-}
-
-struct lookup_result {
- struct ph1handle *iph1;
- int max_score;
- struct genlist *winners;
-};
-
-static void *
-rsa_lookup_key_one(void *entry, void *data)
-{
- int local_score, remote_score;
- struct lookup_result *req = data;
- struct rsa_key *key = entry;
-
- local_score = naddr_score(key->src, req->iph1->local);
- remote_score = naddr_score(key->dst, req->iph1->remote);
-
- plog(LLV_DEBUG, LOCATION, NULL, "Entry %s scored %d/%d\n",
- naddrwop2str_fromto("%s -> %s", key->src, key->dst),
- local_score, remote_score);
-
- if (local_score >= 0 && remote_score >= 0) {
- if (local_score + remote_score > req->max_score) {
- req->max_score = local_score + remote_score;
-// genlist_free(req->winners, NULL);
- }
-
- if (local_score + remote_score >= req->max_score) {
- genlist_append(req->winners, key);
- }
- }
-
- /* Always traverse the whole list */
- return NULL;
-}
-
-struct genlist *
-rsa_lookup_keys(struct ph1handle *iph1, int my)
-{
- struct genlist *list;
- struct lookup_result r;
-
- plog(LLV_DEBUG, LOCATION, NULL, "Looking up RSA key for %s\n",
- saddr2str_fromto("%s <-> %s", iph1->local, iph1->remote));
-
- r.iph1 = iph1;
- r.max_score = -1;
- r.winners = genlist_init();
-
- if (my)
- list = iph1->rmconf->rsa_private;
- else
- list = iph1->rmconf->rsa_public;
-
- genlist_foreach(list, rsa_lookup_key_one, &r);
-
- if (loglevel >= LLV_DEBUG)
- rsa_key_dump(r.winners);
-
- return r.winners;
-}
-
-int
-rsa_parse_file(struct genlist *list, const char *fname, enum rsa_key_type type)
-{
- int ret;
-
- plog(LLV_DEBUG, LOCATION, NULL, "Parsing %s\n", fname);
- ret = prsa_parse_file(list, fname, type);
- if (loglevel >= LLV_DEBUG)
- rsa_key_dump(list);
- return ret;
-}
-
-RSA *
-rsa_try_check_rsasign(vchar_t *source, vchar_t *sig, struct genlist *list)
-{
- struct rsa_key *key;
- struct genlist_entry *gp;
-
- for(key = genlist_next(list, &gp); key; key = genlist_next(NULL, &gp)) {
- plog(LLV_DEBUG, LOCATION, NULL, "Checking key %s...\n",
- naddrwop2str_fromto("%s -> %s", key->src, key->dst));
- if (eay_check_rsasign(source, sig, key->rsa) == 0) {
- plog(LLV_DEBUG, LOCATION, NULL, " ... YEAH!\n");
- return key->rsa;
- }
- plog(LLV_DEBUG, LOCATION, NULL, " ... nope.\n");
- }
- return NULL;
-}
diff --git a/src/racoon/rsalist.h b/src/racoon/rsalist.h
deleted file mode 100644
index 911670f..0000000
--- a/src/racoon/rsalist.h
+++ /dev/null
@@ -1,65 +0,0 @@
-/* $NetBSD: rsalist.h,v 1.4 2006/09/09 16:22:10 manu Exp $ */
-
-/* Id: rsalist.h,v 1.2 2004/07/12 20:43:51 ludvigm Exp */
-/*
- * Copyright (C) 2004 SuSE Linux AG, Nuernberg, Germany.
- * Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _RSALIST_H
-#define _RSALIST_H
-
-#include <netinet/in.h>
-#include <openssl/rsa.h>
-
-#include "handler.h"
-#include "genlist.h"
-
-enum rsa_key_type {
- RSA_TYPE_ANY = 0,
- RSA_TYPE_PUBLIC,
- RSA_TYPE_PRIVATE
-};
-
-struct rsa_key {
- struct netaddr *src;
- struct netaddr *dst;
- RSA *rsa;
-};
-
-int rsa_key_insert(struct genlist *list, struct netaddr *src, struct netaddr *dst, RSA *rsa);
-void rsa_key_dump(struct genlist *list);
-
-struct genlist *rsa_lookup_keys(struct ph1handle *iph1, int my);
-RSA *rsa_try_check_rsasign(vchar_t *source, vchar_t *sig, struct genlist *list);
-
-unsigned long rsa_list_count(struct genlist *list);
-
-int rsa_parse_file(struct genlist *list, const char *fname, enum rsa_key_type type);
-
-#endif /* _RSALIST_H */
diff --git a/src/racoon/safefile.c b/src/racoon/safefile.c
deleted file mode 100644
index 5241092..0000000
--- a/src/racoon/safefile.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/* $NetBSD: safefile.c,v 1.4 2006/09/09 16:22:10 manu Exp $ */
-
-/* $KAME: safefile.c,v 1.5 2001/03/05 19:54:06 thorpej Exp $ */
-
-/*
- * Copyright (C) 2000 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <unistd.h>
-
-#include "plog.h"
-#include "debug.h"
-#include "misc.h"
-#include "safefile.h"
-
-int
-safefile(path, secret)
- const char *path;
- int secret;
-{
- struct stat s;
- uid_t me;
-
- /* no setuid */
- if (getuid() != geteuid()) {
- plog(LLV_ERROR, LOCATION, NULL,
- "setuid'ed execution not allowed\n");
- return -1;
- }
-
- if (stat(path, &s) != 0)
- return -1;
-
- /* the file must be owned by the running uid */
- me = getuid();
- if (s.st_uid != me) {
- plog(LLV_ERROR, LOCATION, NULL,
- "%s has invalid owner uid\n", path);
- return -1;
- }
-
- switch (s.st_mode & S_IFMT) {
- case S_IFREG:
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "%s is an invalid file type 0x%x\n", path,
- (s.st_mode & S_IFMT));
- return -1;
- }
-
- /* secret file should not be read by others */
- if (secret) {
- if ((s.st_mode & S_IRWXG) != 0 || (s.st_mode & S_IRWXO) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "%s has weak file permission\n", path);
- return -1;
- }
- }
-
- return 0;
-}
diff --git a/src/racoon/safefile.h b/src/racoon/safefile.h
deleted file mode 100644
index c8d6a6c..0000000
--- a/src/racoon/safefile.h
+++ /dev/null
@@ -1,39 +0,0 @@
-/* $NetBSD: safefile.h,v 1.4 2006/09/09 16:22:10 manu Exp $ */
-
-/* Id: safefile.h,v 1.4 2004/07/12 18:32:12 ludvigm Exp */
-
-/*
- * Copyright (C) 2000 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _SAFEFILE_H
-#define _SAFEFILE_H
-
-extern int safefile __P((const char *, int));
-
-#endif /* _SAFEFILE_H */
diff --git a/src/racoon/sainfo.c b/src/racoon/sainfo.c
deleted file mode 100644
index afa0aac..0000000
--- a/src/racoon/sainfo.c
+++ /dev/null
@@ -1,319 +0,0 @@
-/* $NetBSD: sainfo.c,v 1.7.6.1 2007/08/01 11:52:22 vanhu Exp $ */
-
-/* $KAME: sainfo.c,v 1.16 2003/06/27 07:32:39 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/queue.h>
-
-#include <netinet/in.h>
-#include <netinet/in.h>
-#include PATH_IPSEC_H
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "sockmisc.h"
-#include "debug.h"
-
-#include "localconf.h"
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "ipsec_doi.h"
-#include "oakley.h"
-#include "handler.h"
-#include "algorithm.h"
-#include "sainfo.h"
-#include "gcmalloc.h"
-
-static LIST_HEAD(_sitree, sainfo) sitree, sitree_save, sitree_tmp;
-
-/* %%%
- * modules for ipsec sa info
- */
-/*
- * return matching entry.
- * no matching entry found and if there is anonymous entry, return it.
- * else return NULL.
- * First pass is for sainfo from a specified peer, second for others.
- */
-struct sainfo *
-getsainfo(loc, rmt, peer, remoteid)
- const vchar_t *loc, *rmt, *peer;
- int remoteid;
-{
- struct sainfo *s = NULL;
- struct sainfo *anonymous = NULL;
- int pass = 1;
-
- if (peer == NULL)
- pass = 2;
-
- /* debug level output */
- if(loglevel >= LLV_DEBUG) {
- char *dloc, *drmt, *dpeer, *dclient;
-
- if (loc == NULL)
- dloc = strdup("ANONYMOUS");
- else
- dloc = ipsecdoi_id2str(loc);
-
- if (rmt == NULL)
- drmt = strdup("ANONYMOUS");
- else
- drmt = ipsecdoi_id2str(rmt);
-
- if (peer == NULL)
- dpeer = strdup("NULL");
- else
- dpeer = ipsecdoi_id2str(peer);
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "getsainfo params: loc=\'%s\', rmt=\'%s\', peer=\'%s\', id=%i\n",
- dloc, drmt, dpeer, remoteid );
-
- racoon_free(dloc);
- racoon_free(drmt);
- racoon_free(dpeer);
- }
-
- again:
- plog(LLV_DEBUG, LOCATION, NULL,
- "getsainfo pass #%i\n", pass);
-
- LIST_FOREACH(s, &sitree, chain) {
- const char *sainfostr = sainfo2str(s);
- plog(LLV_DEBUG, LOCATION, NULL,
- "evaluating sainfo: %s\n", sainfostr);
-
- if(s->remoteid != remoteid)
- continue;
-
- if (s->id_i != NULL) {
- if (pass == 2)
- continue;
- if (ipsecdoi_chkcmpids(peer, s->id_i, 0))
- continue;
- } else if (pass == 1)
- continue;
- if (s->idsrc == NULL && s->iddst == NULL) {
- anonymous = s;
- continue;
- }
-
- /* anonymous ? */
- if (loc == NULL) {
- if (anonymous != NULL)
- break;
- continue;
- }
-
- /* compare the ids */
- if (!ipsecdoi_chkcmpids(loc, s->idsrc, 0) &&
- !ipsecdoi_chkcmpids(rmt, s->iddst, 0))
- return s;
- }
-
- if ((anonymous == NULL) && (pass == 1)) {
- pass++;
- goto again;
- }
-
- return anonymous;
-}
-
-struct sainfo *
-newsainfo()
-{
- struct sainfo *new;
-
- new = racoon_calloc(1, sizeof(*new));
- if (new == NULL)
- return NULL;
-
- new->lifetime = IPSECDOI_ATTR_SA_LD_SEC_DEFAULT;
- new->lifebyte = IPSECDOI_ATTR_SA_LD_KB_MAX;
-
- return new;
-}
-
-void
-delsainfo(si)
- struct sainfo *si;
-{
- int i;
-
- for (i = 0; i < MAXALGCLASS; i++)
- delsainfoalg(si->algs[i]);
-
- if (si->idsrc)
- vfree(si->idsrc);
- if (si->iddst)
- vfree(si->iddst);
-
-#ifdef ENABLE_HYBRID
- if (si->group)
- vfree(si->group);
-#endif
-
- racoon_free(si);
-}
-
-void
-inssainfo(new)
- struct sainfo *new;
-{
- LIST_INSERT_HEAD(&sitree, new, chain);
-}
-
-void
-remsainfo(si)
- struct sainfo *si;
-{
- LIST_REMOVE(si, chain);
-}
-
-void
-flushsainfo()
-{
- struct sainfo *s, *next;
-
- for (s = LIST_FIRST(&sitree); s; s = next) {
- next = LIST_NEXT(s, chain);
- remsainfo(s);
- delsainfo(s);
- }
-}
-
-void
-initsainfo()
-{
- LIST_INIT(&sitree);
-}
-
-struct sainfoalg *
-newsainfoalg()
-{
- struct sainfoalg *new;
-
- new = racoon_calloc(1, sizeof(*new));
- if (new == NULL)
- return NULL;
-
- return new;
-}
-
-void
-delsainfoalg(alg)
- struct sainfoalg *alg;
-{
- struct sainfoalg *a, *next;
-
- for (a = alg; a; a = next) {
- next = a->next;
- racoon_free(a);
- }
-}
-
-void
-inssainfoalg(head, new)
- struct sainfoalg **head;
- struct sainfoalg *new;
-{
- struct sainfoalg *a;
-
- for (a = *head; a && a->next; a = a->next)
- ;
- if (a)
- a->next = new;
- else
- *head = new;
-}
-
-const char *
-sainfo2str(si)
- const struct sainfo *si;
-{
- static char buf[256];
-
- char *idloc = NULL, *idrmt = NULL, *id_i;
-
- if (si->idsrc == NULL)
- idloc = strdup("ANONYMOUS");
- else
- idloc = ipsecdoi_id2str(si->idsrc);
-
- if (si->iddst == NULL)
- idrmt = strdup("ANONYMOUS");
- else
- idrmt = ipsecdoi_id2str(si->iddst);
-
- if (si->id_i == NULL)
- id_i = strdup("ANY");
- else
- id_i = ipsecdoi_id2str(si->id_i);
-
- snprintf(buf, 255, "loc=\'%s\', rmt=\'%s\', peer=\'%s\', id=%i",
- idloc, idrmt, id_i, si->remoteid);
-
- racoon_free(idloc);
- racoon_free(idrmt);
- racoon_free(id_i);
-
- return buf;
-}
-
-void save_sainfotree(void){
- sitree_save=sitree;
- initsainfo();
-}
-
-void save_sainfotree_flush(void){
- sitree_tmp=sitree;
- sitree=sitree_save;
- flushsainfo();
- sitree=sitree_tmp;
-}
-
-void save_sainfotree_restore(void){
- flushsainfo();
- sitree=sitree_save;
-}
diff --git a/src/racoon/sainfo.h b/src/racoon/sainfo.h
deleted file mode 100644
index 357da3f..0000000
--- a/src/racoon/sainfo.h
+++ /dev/null
@@ -1,88 +0,0 @@
-/* $NetBSD: sainfo.h,v 1.5 2006/10/03 08:01:56 vanhu Exp $ */
-
-/* Id: sainfo.h,v 1.5 2006/07/09 17:19:38 manubsd Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _SAINFO_H
-#define _SAINFO_H
-
-#include <sys/queue.h>
-
-/* SA info */
-struct sainfo {
- vchar_t *idsrc;
- vchar_t *iddst;
- /*
- * idsrc and iddst are constructed body of ID payload.
- * that is (struct ipsecdoi_id_b) + ID value.
- * If idsrc == NULL, that is anonymous entry.
- */
-
-#ifdef ENABLE_HYBRID
- vchar_t *group;
-#endif
-
- time_t lifetime;
- int lifebyte;
- int pfs_group; /* only use when pfs is required. */
- vchar_t *id_i; /* identifier of the authorized initiator */
- struct sainfoalg *algs[MAXALGCLASS];
-
- int remoteid;
-
- LIST_ENTRY(sainfo) chain;
-};
-
-/* algorithm type */
-struct sainfoalg {
- int alg;
- int encklen; /* key length if encryption algorithm */
- struct sainfoalg *next;
-};
-
-extern struct sainfo *getsainfo __P((const vchar_t *,
- const vchar_t *, const vchar_t *, int));
-extern struct sainfo *newsainfo __P((void));
-extern void delsainfo __P((struct sainfo *));
-extern void inssainfo __P((struct sainfo *));
-extern void remsainfo __P((struct sainfo *));
-extern void flushsainfo __P((void));
-extern void initsainfo __P((void));
-extern struct sainfoalg *newsainfoalg __P((void));
-extern void delsainfoalg __P((struct sainfoalg *));
-extern void inssainfoalg __P((struct sainfoalg **, struct sainfoalg *));
-extern const char * sainfo2str __P((const struct sainfo *));
-
-extern void save_sainfotree __P((void));
-extern void save_sainfotree_flush __P((void));
-extern void save_sainfotree_restore __P((void));
-
-#endif /* _SAINFO_H */
diff --git a/src/racoon/samples/psk.txt.in b/src/racoon/samples/psk.txt.in
deleted file mode 100644
index 52f1a55..0000000
--- a/src/racoon/samples/psk.txt.in
+++ /dev/null
@@ -1,21 +0,0 @@
-# IPv4/v6 addresses
-10.160.94.3 mekmitasdigoat
-172.16.1.133 mekmitasdigoat
-194.100.55.1 whatcertificatereally
-203.178.141.208 mekmitasdigoat
-206.175.160.18 mekmitasdigoat
-206.175.160.20 mekmitasdigoat
-206.175.160.21 mekmitasdigoat
-206.175.160.22 mekmitasdigoat
-206.175.160.23 mekmitasdigoat
-206.175.160.36 mekmitasdigoat
-206.175.161.125 mekmitasdigoat
-206.175.161.154 mekmitasdigoat
-206.175.161.156 mekmitasdigoat
-206.175.161.182 mekmitasdigoat
-3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat
-3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat
-# USER_FQDN
-sakane@kame.net mekmitasdigoat
-# FQDN
-kame hoge
diff --git a/src/racoon/samples/psk.txt.sample b/src/racoon/samples/psk.txt.sample
deleted file mode 100644
index 2ad1d0b..0000000
--- a/src/racoon/samples/psk.txt.sample
+++ /dev/null
@@ -1,10 +0,0 @@
-# IPv4/v6 addresses
-10.160.94.3 mekmitasdigoat
-172.16.1.133 0x12345678
-194.100.55.1 whatcertificatereally
-3ffe:501:410:ffff:200:86ff:fe05:80fa mekmitasdigoat
-3ffe:501:410:ffff:210:4bff:fea2:8baa mekmitasdigoat
-# USER_FQDN
-foo@kame.net mekmitasdigoat
-# FQDN
-foo.kame.net hoge
diff --git a/src/racoon/samples/racoon.conf.in b/src/racoon/samples/racoon.conf.in
deleted file mode 100644
index 29b7951..0000000
--- a/src/racoon/samples/racoon.conf.in
+++ /dev/null
@@ -1,121 +0,0 @@
-# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $
-
-# "path" affects "include" directives. "path" must be specified before any
-# "include" directive with relative file path.
-# you can overwrite "path" directive afterwards, however, doing so may add
-# more confusion.
-path include "@sysconfdir_x@/racoon";
-#include "remote.conf";
-
-# the file should contain key ID/key pairs, for pre-shared key authentication.
-path pre_shared_key "@sysconfdir_x@/racoon/psk.txt";
-
-# racoon will look for certificate file in the directory,
-# if the certificate/certificate request payload is received.
-path certificate "@sysconfdir_x@/cert";
-
-# "log" specifies logging level. It is followed by either "notify", "debug"
-# or "debug2".
-#log debug;
-
-# "padding" defines some padding parameters. You should not touch these.
-padding
-{
- maximum_length 20; # maximum padding length.
- randomize off; # enable randomize length.
- strict_check off; # enable strict check.
- exclusive_tail off; # extract last one octet.
-}
-
-# if no listen directive is specified, racoon will listen on all
-# available interface addresses.
-listen
-{
- #isakmp ::1 [7000];
- #isakmp 202.249.11.124 [500];
- #admin [7002]; # administrative port for racoonctl.
- #strict_address; # requires that all addresses must be bound.
-}
-
-# Specify various default timers.
-timer
-{
- # These value can be changed per remote node.
- counter 5; # maximum trying count to send.
- interval 20 sec; # maximum interval to resend.
- persend 1; # the number of packets per send.
-
- # maximum time to wait for completing each phase.
- phase1 30 sec;
- phase2 15 sec;
-}
-
-remote anonymous
-{
- exchange_mode main,aggressive;
- doi ipsec_doi;
- situation identity_only;
-
- my_identifier asn1dn;
- certificate_type x509 "my.cert.pem" "my.key.pem";
-
- nonce_size 16;
- initial_contact on;
- proposal_check strict; # obey, strict, or claim
-
- proposal {
- encryption_algorithm 3des;
- hash_algorithm sha1;
- authentication_method rsasig;
- dh_group 2;
- }
-}
-
-remote ::1 [8000]
-{
- #exchange_mode main,aggressive;
- exchange_mode aggressive,main;
- doi ipsec_doi;
- situation identity_only;
-
- my_identifier user_fqdn "sakane@kame.net";
- peers_identifier user_fqdn "sakane@kame.net";
- #certificate_type x509 "mycert" "mypriv";
-
- nonce_size 16;
- lifetime time 1 min; # sec,min,hour
-
- proposal {
- encryption_algorithm 3des;
- hash_algorithm sha1;
- authentication_method pre_shared_key;
- dh_group 2;
- }
-}
-
-sainfo anonymous
-{
- pfs_group 2;
- encryption_algorithm 3des;
- authentication_algorithm hmac_sha1;
- compression_algorithm deflate;
-}
-
-sainfo address 203.178.141.209 any address 203.178.141.218 any
-{
- pfs_group 2;
- lifetime time 30 sec;
- encryption_algorithm des;
- authentication_algorithm hmac_md5;
- compression_algorithm deflate;
-}
-
-sainfo address ::1 icmp6 address ::1 icmp6
-{
- pfs_group 3;
- lifetime time 60 sec;
- encryption_algorithm 3des, blowfish, aes;
- authentication_algorithm hmac_sha1, hmac_md5;
- compression_algorithm deflate;
-}
-
diff --git a/src/racoon/samples/racoon.conf.sample b/src/racoon/samples/racoon.conf.sample
deleted file mode 100644
index 631910f..0000000
--- a/src/racoon/samples/racoon.conf.sample
+++ /dev/null
@@ -1,61 +0,0 @@
-# $KAME: racoon.conf.sample,v 1.28 2002/10/18 14:33:28 itojun Exp $
-
-# "path" affects "include" directives. "path" must be specified before any
-# "include" directive with relative file path.
-# you can overwrite "path" directive afterwards, however, doing so may add
-# more confusion.
-#path include "/usr/local/v6/etc" ;
-#include "remote.conf" ;
-
-# the file should contain key ID/key pairs, for pre-shared key authentication.
-path pre_shared_key "/usr/local/v6/etc/psk.txt" ;
-
-# racoon will look for certificate file in the directory,
-# if the certificate/certificate request payload is received.
-#path certificate "/usr/local/openssl/certs" ;
-
-# "log" specifies logging level. It is followed by either "notify", "debug"
-# or "debug2".
-#log debug;
-
-remote anonymous
-{
- #exchange_mode main,aggressive,base;
- exchange_mode main,base;
-
- #my_identifier fqdn "server.kame.net";
- #certificate_type x509 "foo@kame.net.cert" "foo@kame.net.priv" ;
-
- lifetime time 24 hour ; # sec,min,hour
-
- #initial_contact off ;
- #passive on ;
-
- # phase 1 proposal (for ISAKMP SA)
- proposal {
- encryption_algorithm 3des;
- hash_algorithm sha1;
- authentication_method pre_shared_key ;
- dh_group 2 ;
- }
-
- # the configuration could makes racoon (as a responder)
- # to obey the initiator's lifetime and PFS group proposal,
- # by setting proposal_check to obey.
- # this would makes testing "so much easier", but is really
- # *not* secure !!!
- proposal_check strict;
-}
-
-# phase 2 proposal (for IPsec SA).
-# actual phase 2 proposal will obey the following items:
-# - kernel IPsec policy configuration (like "esp/transport//use)
-# - permutation of the crypto/hash/compression algorithms presented below
-sainfo anonymous
-{
- pfs_group 2;
- lifetime time 12 hour ;
- encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ;
- authentication_algorithm hmac_sha1, hmac_md5 ;
- compression_algorithm deflate ;
-}
diff --git a/src/racoon/samples/racoon.conf.sample-gssapi b/src/racoon/samples/racoon.conf.sample-gssapi
deleted file mode 100644
index 09c4df1..0000000
--- a/src/racoon/samples/racoon.conf.sample-gssapi
+++ /dev/null
@@ -1,43 +0,0 @@
-# $KAME: racoon.conf.sample-gssapi,v 1.5 2001/08/16 06:33:40 itojun Exp $
-
-# sample configuration for GSSAPI authentication (basically, Kerberos).
-# doc/README.gssapi gives some idea on how to configure it.
-# TODO: more documentation.
-
-#listen {
-# strict_address;
-#}
-
-# Uncomment the following for GSS-API to work with older versions of
-# racoon that (incorrectly) used ISO-Latin-1 encoding for the GSS-API
-# identifier attribute.
-#gss_id_enc latin1;
-
-remote anonymous {
- exchange_mode main;
-
- lifetime time 24 hour;
-
- proposal {
- encryption_algorithm 3des;
- hash_algorithm sha1;
- authentication_method gssapi_krb;
- # The default GSS-API ID is "host/hostname", where
- # hostname is the output of the hostname(1) command.
- # You probably want this to match your system's host
- # principal. ktutil(8)'s "list" command will list the
- # principals in your system's keytab. If you need to,
- # you can change the GSS-API ID here.
- #gss_id "host/some.host.name";
-
- dh_group 1;
- }
-}
-
-sainfo anonymous {
- lifetime time 2 hour;
-
- encryption_algorithm rijndael, 3des;
- authentication_algorithm hmac_sha1, hmac_md5;
- compression_algorithm deflate;
-}
diff --git a/src/racoon/samples/racoon.conf.sample-inherit b/src/racoon/samples/racoon.conf.sample-inherit
deleted file mode 100644
index 9e1185f..0000000
--- a/src/racoon/samples/racoon.conf.sample-inherit
+++ /dev/null
@@ -1,55 +0,0 @@
-# Id: racoon.conf.sample-inherit,v 1.3 2005/12/13 16:41:07 vanhu Exp
-# Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
-
-# This file shows the basic inheritance usage in 'remote' statements.
-
-path pre_shared_key "/etc/racoon/psk.txt";
-path certificate "/etc/racoon";
-
-remote anonymous
-{
- exchange_mode main,aggressive;
- doi ipsec_doi;
- situation identity_only;
-
- my_identifier asn1dn;
- certificate_type x509 "my.cert.pem" "my.key.pem";
-
- nonce_size 16;
- initial_contact on;
- proposal_check strict; # obey, strict or claim
-
- proposal {
- encryption_algorithm 3des;
- hash_algorithm sha1;
- authentication_method rsasig;
- dh_group 2;
- }
-}
-
-remote 3ffe:ffff::1 inherit anonymous
-{
- exchange_mode aggressive;
- nat_traversal force;
-}
-
-remote 3ffe:ffff::1 [8000] inherit 3ffe:ffff::1
-{
- lifetime time 1 min; # sec,min,hour
-
- proposal {
- encryption_algorithm 3des;
- hash_algorithm sha1;
- authentication_method pre_shared_key;
- dh_group 2;
- }
-}
-
-sainfo anonymous
-{
- pfs_group 2;
- lifetime time 12 hour;
- encryption_algorithm aes, 3des;
- authentication_algorithm hmac_sha1, hmac_md5;
- compression_algorithm deflate;
-}
diff --git a/src/racoon/samples/racoon.conf.sample-natt b/src/racoon/samples/racoon.conf.sample-natt
deleted file mode 100644
index 645b4de..0000000
--- a/src/racoon/samples/racoon.conf.sample-natt
+++ /dev/null
@@ -1,97 +0,0 @@
-# Id: racoon.conf.sample-natt,v 1.5 2005/12/13 16:41:07 vanhu Exp
-# Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
-
-# This file can be used as a template for NAT-Traversal setups.
-# Only NAT-T related options are explained here, refer to other
-# sample files and manual pages for details about the rest.
-
-path include "/etc/racoon";
-path certificate "/etc/racoon/cert";
-
-# Define addresses and ports where racoon will listen for an incoming
-# traffic. Don't forget to open these ports on your firewall!
-listen
-{
- # First define an address where racoon will listen
- # for "normal" IKE traffic. IANA allocated port 500.
- isakmp 172.16.0.1[500];
-
- # To use NAT-T you must also open port 4500 of
- # the same address so that peers can do 'Port floating'.
- # The same port will also be used for the UDP-Encapsulated
- # ESP traffic.
- isakmp_natt 172.16.0.1[4500];
-}
-
-
-timer
-{
- # To keep the NAT-mappings on your NAT gateway, there must be
- # traffic between the peers. Normally the UDP-Encap traffic
- # (i.e. the real data transported over the tunnel) would be
- # enough, but to be safe racoon will send a short
- # "Keep-alive packet" every few seconds to every peer with
- # whom it does NAT-Traversal.
- # The default is 20s. Set it to 0s to disable sending completely.
- natt_keepalive 10 sec;
-}
-
-# To trigger the SA negotiation there must be an appropriate
-# policy in the kernel SPD. For example for traffic between
-# networks 192.168.0.0/24 and 192.168.1.0/24 with gateways
-# 172.16.0.1 and 172.16.1.1, where the first gateway is behind
-# a NAT which translates its address to 172.16.1.3, you need the
-# following rules:
-# On 172.16.0.1 (e.g. behind the NAT):
-# spdadd 192.168.0.0/24 192.168.1.0/24 any -P out ipsec \
-# esp/tunnel/172.16.0.1-172.16.1.1/require;
-# spdadd 192.168.1.0/24 192.168.0.0/24 any -P in ipsec \
-# esp/tunnel/172.16.1.1-172.16.0.1/require;
-# On the other side (172.16.1.1) either use a "generate_policy on"
-# statement in the remote block, or in case that you know
-# the translated address, use the following policy:
-# spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec \
-# esp/tunnel/172.16.1.1-172.16.1.3/require;
-# spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec \
-# esp/tunnel/172.16.1.3-172.16.1.1/require;
-
-# Phase 1 configuration (for ISAKMP SA)
-remote anonymous
-{
- # NAT-T is supported with all exchange_modes.
- exchange_mode main,base,aggressive;
-
- # With NAT-T you shouldn't use PSK. Let's go on with certs.
- my_identifier asn1dn;
- certificate_type x509 "your-host.cert.pem" "your-host.key.pem";
-
- # This is the main switch that enables NAT-T.
- # Possible values are:
- # off - NAT-T support is disabled, i.e. neither offered,
- # nor accepted. This is the default.
- # on - normal NAT-T support, i.e. if NAT is detected
- # along the way, NAT-T is used.
- # force - if NAT-T is supported by both peers, it is used
- # regardless of whether there is a NAT gateway between them
- # or not. This is useful for traversing some firewalls.
- nat_traversal on;
-
- proposal {
- authentication_method rsasig;
- encryption_algorithm 3des;
- hash_algorithm sha1;
- dh_group 2;
- }
-
- proposal_check strict;
-}
-
-# Phase 2 proposal (for IPsec SA)
-sainfo anonymous
-{
- pfs_group 2;
- lifetime time 12 hour;
- encryption_algorithm 3des, rijndael;
- authentication_algorithm hmac_sha1;
- compression_algorithm deflate;
-}
diff --git a/src/racoon/samples/racoon.conf.sample-plainrsa b/src/racoon/samples/racoon.conf.sample-plainrsa
deleted file mode 100644
index 8447eb3..0000000
--- a/src/racoon/samples/racoon.conf.sample-plainrsa
+++ /dev/null
@@ -1,46 +0,0 @@
-# Id: racoon.conf.sample-plainrsa,v 1.4 2005/12/13 16:41:07 vanhu Exp
-# Contributed by: Michal Ludvig <mludvig@suse.cz>, SUSE Labs
-# http://www.logix.cz/michal
-
-# This file shows the usage of PlainRSA keys, which are widely used
-# by FreeSWAN/OpenSwan/StrongSwan/*Swan users. This functionality is
-# here mainly for those who are moving from the *Swan world to Racoon.
-
-# Racoon will look for a keyfile in this directory.
-path certificate "samples" ;
-
-remote anonymous
-{
- # *Swan supports only 'main' mode.
- exchange_mode main;
-
- # *Swan doesn't send identifiers by default.
- my_identifier address;
- peers_identifier address;
-
- # This is the trick - use PlainRSA certificates.
- certificate_type plain_rsa "privatekey.rsa";
-
- # Multiple certfiles are supported.
- peers_certfile plain_rsa "pubkey1.rsa";
- peers_certfile plain_rsa "pubkey2.rsa";
-
- # Standard setup follows...
- proposal_check strict;
-
- proposal {
- encryption_algorithm 3des;
- hash_algorithm sha1;
- authentication_method rsasig;
- dh_group 2;
- }
-}
-
-sainfo anonymous
-{
- pfs_group 2;
- lifetime time 12 hour;
- encryption_algorithm 3des, aes;
- authentication_algorithm hmac_sha1, hmac_md5;
- compression_algorithm deflate;
-}
diff --git a/src/racoon/samples/roadwarrior/README b/src/racoon/samples/roadwarrior/README
deleted file mode 100644
index aac9d43..0000000
--- a/src/racoon/samples/roadwarrior/README
+++ /dev/null
@@ -1,67 +0,0 @@
-This directory contains sample configurations files used for roadwarrior
-remote access using hybrid authentication. In this setup, the VPN
-gateway authenticates to the client using a certificate, and the client
-authenticates to the VPN gateway using a login and a password.
-
-Moreover, this setup makes use of ISAKMP mode config to autoconfigure
-the client. After a successful login, the client will receive an
-internal address, netmask and DNS from the VPN gateway.
-
-
-Server setups
-=============
-The server setups need racoon built with the following options:
-configure --enable-natt --enable-frag --enable-hybrid --enable-dpd \
- --with-libradius --sysconfdir=/etc/racoon
-
-The first server setup, in server/racoon.conf, is for a VPN gateway
-using authentication against the system password database, and using
-a locally configured pool of addresses.
-
-The second setup, server/racoon.conf-radius, uses a RADIUS server for
-authentication, IP allocation and accounting. The address and secret
-to be used for the RADIUS server are configured in /etc/radius.conf,
-see radius.conf(5).
-
-Both configurations can be used with the Cisco VPN client if it
-is set up to use hybrid authentication (aka mutual group authentication,
-available in Cisco VPN client version 4.0.5 and above). The group
-password configured in the Cisco VPN client is not used by racoon.
-
-After you have installed /etc/racoon/racoon.conf, you will also have
-to install a server certificate and key in /etc/openssl/certs/server.crt
-and /etc/openssl/certs/server.key
-
-
-Client setup
-============
-The client setup needs racoon built with the following options:
-configure --enable-natt --enable-frag --enable-hybrid --enable-dpd \
- --enable-adminport --sysconfdir=/etc/racoon --localstatedir=/var
-
-You need to copy client/racoon.conf, client/phase1-up.sh and
-client/phase1-down.sh to /etc/racoon, and you need to copy the
-certificate authority that signed the VPN gateway certificate in
-/etc/openssl/certs/root-ca.crt
-
-Once this is done, you can run racoon, and then you can start
-the VPN using racoonctl:
-racoonctl vc -u username vpn-gateway.example.net
-
-Where username is your login, and vpn-gateway.example.net is
-the DNS or IP address of the VPN gateway. racoonctl will prompt
-you for the password.
-
-The password can be stored in the psk.txt file. In that situation,
-add this directive to the remote section of racoon.conf:
- xauth_login "username";
-where username is your login.
-
-Note that for now there is no feedback in racoonctl if the authentication
-fails. Peek at the racoon logs to discover what goes wrong.
-
-In order to disconnect from the VPN, do this:
-racoonctl vd vpn-gateway.example.net
-
-This configuration should be compatible with the Cisco VPN 3000 using
-hybrid authentication, though this has not been tested.
diff --git a/src/racoon/samples/roadwarrior/client/phase1-down.sh b/src/racoon/samples/roadwarrior/client/phase1-down.sh
deleted file mode 100755
index 8edc187..0000000
--- a/src/racoon/samples/roadwarrior/client/phase1-down.sh
+++ /dev/null
@@ -1,73 +0,0 @@
-#!/bin/sh
-
-#
-# sa-down.sh local configuration for a new SA
-#
-
-PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
-
-case `uname -s` in
-NetBSD)
- DEFAULT_GW=`netstat -rn | awk '($1 == "default"){print $2}'`
- ;;
-Linux)
- DEFAULT_GW=`netstat -rn | awk '($1 == "0.0.0.0"){print $2}'`
- ;;
-esac
-
-echo $@
-echo "LOCAL_ADDR = ${LOCAL_ADDR}"
-echo "LOCAL_PORT = ${LOCAL_PORT}"
-echo "REMOTE_ADDR = ${REMOTE_ADDR}"
-echo "REMOTE_PORT = ${REMOTE_PORT}"
-echo "DEFAULT_GW = ${DEFAULT_GW}"
-echo "INTERNAL_ADDR4 = ${INTERNAL_ADDR4}"
-echo "INTERNAL_DNS4 = ${INTERNAL_DNS4}"
-
-echo ${INTERNAL_ADDR4} | grep '[0-9]' > /dev/null || exit 0
-echo ${DEFAULT_GW} | grep '[0-9]' > /dev/null || exit 0
-
-test -f /etc/resolv.conf.bak && cp /etc/resolv.conf.bak /etc/resolv.conf
-
-case `uname -s` in
-NetBSD)
- if=`netstat -rn|awk '($1 == "default"){print $7}'`
- ifconfig ${if} delete ${INTERNAL_ADDR4}
- route delete default
- route delete ${REMOTE_ADDR}
- route add default ${DEFAULT_GW} -ifa ${LOCAL_ADDR}
- ;;
-Linux)
- if=`netstat -rn|awk '($1 == "0.0.0.0"){print $8}'`
- route delete default
- route delete ${REMOTE_ADDR}
- ifconfig ${if}:1 del ${INTERNAL_ADDR4}
- route add default gw ${DEFAULT_GW}
-
- #
- # XXX This is a workaround because Linux seems to ignore
- # the deleteall commands below. This is bad because it flushes
- # any SAD instead of flushing what needs to be flushed.
- # Someone using Linux please fix it
- #
- setkey -F
- ;;
-esac
-
-# Use this for a NAT-T setup
-LOCAL="${LOCAL_ADDR}[${LOCAL_PORT}]"
-REMOTE="${REMOTE_ADDR}[${REMOTE_PORT}]"
-
-# Use this for a non NAT-T setup
-#LOCAL="${LOCAL_ADDR}"
-#REMOTE="${REMOTE_ADDR}"
-
-echo "
-deleteall ${REMOTE_ADDR} ${LOCAL_ADDR} esp;
-deleteall ${LOCAL_ADDR} ${REMOTE_ADDR} esp;
-spddelete ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any
- -P out ipsec esp/tunnel/${LOCAL}-${REMOTE}/require;
-spddelete 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any
- -P in ipsec esp/tunnel/${REMOTE}-${LOCAL}/require;
-" | setkey -c
-
diff --git a/src/racoon/samples/roadwarrior/client/phase1-up.sh b/src/racoon/samples/roadwarrior/client/phase1-up.sh
deleted file mode 100755
index e45b648..0000000
--- a/src/racoon/samples/roadwarrior/client/phase1-up.sh
+++ /dev/null
@@ -1,77 +0,0 @@
-#!/bin/sh
-
-#
-# sa-up.sh local configuration for a new SA
-#
-PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
-
-case `uname -s` in
-NetBSD)
- DEFAULT_GW=`netstat -rn | awk '($1 == "default"){print $2}'`
- ;;
-Linux)
- DEFAULT_GW=`netstat -rn | awk '($1 == "0.0.0.0"){print $2}'`
- ;;
-esac
-
-echo $@
-echo "LOCAL_ADDR = ${LOCAL_ADDR}"
-echo "LOCAL_PORT = ${LOCAL_PORT}"
-echo "REMOTE_ADDR = ${REMOTE_ADDR}"
-echo "REMOTE_PORT = ${REMOTE_PORT}"
-echo "DEFAULT_GW = ${DEFAULT_GW}"
-echo "INTERNAL_ADDR4 = ${INTERNAL_ADDR4}"
-echo "INTERNAL_DNS4 = ${INTERNAL_DNS4}"
-
-echo ${INTERNAL_ADDR4} | grep '[0-9]' > /dev/null || exit 0
-echo ${DEFAULT_GW} | grep '[0-9]' > /dev/null || exit 0
-
-test -f /etc/resolv.conf.bak || cp /etc/resolv.conf /etc/resolv.conf.bak
-echo "# Generated by racoon on `date`" > /etc/resolv.conf
-echo "nameserver ${INTERNAL_DNS4}" >> /etc/resolv.conf
-
-case `uname -s` in
-NetBSD)
- if=`netstat -rn|awk '($1 == "default"){print $7}'`
- ifconfig ${if} alias ${INTERNAL_ADDR4} netmask ${INTERNAL_NETMASK4}
- route delete default
- route add default ${DEFAULT_GW} -ifa ${INTERNAL_ADDR4}
- route add ${REMOTE_ADDR} ${DEFAULT_GW}
- ;;
-Linux)
- if=`netstat -rn|awk '($1 == "0.0.0.0"){print $8}'`
- ifconfig ${if}:1 ${INTERNAL_ADDR4}
- route delete default
- route add ${REMOTE_ADDR} gw ${DEFAULT_GW} dev ${if}
- route add default gw ${DEFAULT_GW} dev ${if}:1
- ;;
-esac
-
-# Use this for a NAT-T setup
-LOCAL="${LOCAL_ADDR}[${LOCAL_PORT}]"
-REMOTE="${REMOTE_ADDR}[${REMOTE_PORT}]"
-
-# Use this for a non NAT-T setup
-#LOCAL="${LOCAL_ADDR}"
-#REMOTE="${REMOTE_ADDR}"
-
-
-echo "
-spdadd ${INTERNAL_ADDR4}/32[any] 0.0.0.0/0[any] any
- -P out ipsec esp/tunnel/${LOCAL}-${REMOTE}/require;
-spdadd 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any
- -P in ipsec esp/tunnel/${REMOTE}-${LOCAL}/require;
-" | setkey -c
-
-#
-# XXX This is a workaround for Linux forward policies problem.
-# Someone familiar with forward policies please fix this properly.
-#
-case `uname -s` in
-Linux)
- echo "
- spddelete 0.0.0.0/0[any] ${INTERNAL_ADDR4}[any] any
- -P fwd ipsec esp/tunnel/${REMOTE}-${LOCAL}/require;
- " | setkey -c
- ;;
-esac
diff --git a/src/racoon/samples/roadwarrior/client/racoon.conf b/src/racoon/samples/roadwarrior/client/racoon.conf
deleted file mode 100644
index 669be36..0000000
--- a/src/racoon/samples/roadwarrior/client/racoon.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-path certificate "/etc/openssl/certs";
-path pre_shared_key "/etc/racoon/psk.txt";
-
-listen {
- adminsock "/var/racoon/racoon.sock" "root" "operator" 0660;
-}
-
-remote 192.0.2.50 {
- exchange_mode aggressive;
- ca_type x509 "root-ca.crt";
- proposal_check strict;
- nat_traversal on;
- ike_frag on;
- mode_cfg on;
- script "/etc/racoon/phase1-up.sh" phase1_up;
- script "/etc/racoon/phase1-down.sh" phase1_down;
- passive off;
- proposal {
- encryption_algorithm aes;
- hash_algorithm sha1;
- authentication_method hybrid_rsa_client;
- dh_group 2;
- }
-}
-
-
-sainfo anonymous {
- pfs_group 2;
- lifetime time 1 hour;
- encryption_algorithm aes;
- authentication_algorithm hmac_sha1;
- compression_algorithm deflate ;
-}
diff --git a/src/racoon/samples/roadwarrior/server/racoon.conf b/src/racoon/samples/roadwarrior/server/racoon.conf
deleted file mode 100644
index ae7d603..0000000
--- a/src/racoon/samples/roadwarrior/server/racoon.conf
+++ /dev/null
@@ -1,42 +0,0 @@
-path certificate "/etc/openssl/certs";
-
-listen {
- adminsock disabled;
-}
-
-remote anonymous {
- exchange_mode aggressive;
- certificate_type x509 "server.crt" "server.key";
- my_identifier asn1dn;
- proposal_check strict;
- generate_policy on;
- nat_traversal on;
- dpd_delay 20;
- ike_frag on;
- proposal {
- encryption_algorithm aes;
- hash_algorithm sha1;
- authentication_method hybrid_rsa_server;
- dh_group 2;
- }
-}
-
-mode_cfg {
- network4 10.99.99.0;
- pool_size 255;
- netmask4 255.255.255.0;
- auth_source system;
- dns4 10.0.12.1;
- wins4 10.0.12.1;
- banner "/etc/racoon/motd";
- pfs_group 2;
-}
-
-sainfo anonymous {
- pfs_group 2;
- lifetime time 1 hour;
- encryption_algorithm aes;
- authentication_algorithm hmac_sha1;
- compression_algorithm deflate;
-}
-
diff --git a/src/racoon/samples/roadwarrior/server/racoon.conf-radius b/src/racoon/samples/roadwarrior/server/racoon.conf-radius
deleted file mode 100644
index 24e8d4e..0000000
--- a/src/racoon/samples/roadwarrior/server/racoon.conf-radius
+++ /dev/null
@@ -1,42 +0,0 @@
-path certificate "/etc/openssl/certs";
-
-listen {
- adminsock disabled;
-}
-
-remote anonymous {
- exchange_mode aggressive;
- certificate_type x509 "server.crt" "server.key";
- my_identifier asn1dn;
- proposal_check strict;
- generate_policy on;
- nat_traversal on;
- dpd_delay 20;
- ike_frag on;
- proposal {
- encryption_algorithm aes;
- hash_algorithm sha1;
- authentication_method hybrid_rsa_server;
- dh_group 2;
- }
-}
-
-mode_cfg {
- pool_size 255;
- auth_source radius;
- conf_source radius;
- accounting radius;
- dns4 10.0.12.1;
- wins4 10.0.12.1;
- banner "/etc/racoon/motd";
- pfs_group 2;
-}
-
-sainfo anonymous {
- pfs_group 2;
- lifetime time 1 hour;
- encryption_algorithm aes;
- authentication_algorithm hmac_sha1;
- compression_algorithm deflate;
-}
-
diff --git a/src/racoon/schedule.c b/src/racoon/schedule.c
deleted file mode 100644
index 04723c5..0000000
--- a/src/racoon/schedule.c
+++ /dev/null
@@ -1,364 +0,0 @@
-/* $NetBSD: schedule.c,v 1.4 2006/09/09 16:22:10 manu Exp $ */
-
-/* $KAME: schedule.c,v 1.19 2001/11/05 10:53:19 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#include <sys/queue.h>
-#include <sys/socket.h>
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#include <time.h>
-
-#include "misc.h"
-#include "plog.h"
-#include "schedule.h"
-#include "var.h"
-#include "gcmalloc.h"
-
-#define FIXY2038PROBLEM
-
-#ifndef TAILQ_FOREACH
-#define TAILQ_FOREACH(elm, head, field) \
- for (elm = TAILQ_FIRST(head); elm; elm = TAILQ_NEXT(elm, field))
-#endif
-
-static struct timeval timeout;
-
-#ifdef FIXY2038PROBLEM
-#define Y2038TIME_T 0x7fffffff
-static time_t launched; /* time when the program launched. */
-static time_t deltaY2038;
-#endif
-
-static TAILQ_HEAD(_schedtree, sched) sctree;
-
-static void sched_add __P((struct sched *));
-static time_t current_time __P((void));
-
-/*
- * schedule handler
- * OUT:
- * time to block until next event.
- * if no entry, NULL returned.
- */
-struct timeval *
-schedular()
-{
- time_t now, delta;
- struct sched *p, *next = NULL;
-
- now = current_time();
-
- for (p = TAILQ_FIRST(&sctree); p; p = next) {
- /* if the entry has been daed, remove it */
- if (p->dead)
- goto next_schedule;
-
- /* if the time hasn't come, proceed to the next entry */
- if (now < p->xtime) {
- next = TAILQ_NEXT(p, chain);
- continue;
- }
-
- /* mark it with dead. and call the function. */
- p->dead = 1;
- if (p->func != NULL)
- (p->func)(p->param);
-
- next_schedule:
- next = TAILQ_NEXT(p, chain);
- TAILQ_REMOVE(&sctree, p, chain);
- racoon_free(p);
- }
-
- p = TAILQ_FIRST(&sctree);
- if (p == NULL)
- return NULL;
-
- now = current_time();
-
- delta = p->xtime - now;
- timeout.tv_sec = delta < 0 ? 0 : delta;
- timeout.tv_usec = 0;
-
- return &timeout;
-}
-
-/*
- * add new schedule to schedule table.
- */
-struct sched *
-sched_new(tick, func, param)
- time_t tick;
- void (*func) __P((void *));
- void *param;
-{
- static long id = 1;
- struct sched *new;
-
- new = (struct sched *)racoon_malloc(sizeof(*new));
- if (new == NULL)
- return NULL;
-
- memset(new, 0, sizeof(*new));
- new->func = func;
- new->param = param;
-
- new->id = id++;
- time(&new->created);
- new->tick = tick;
-
- new->xtime = current_time() + tick;
- new->dead = 0;
-
- /* add to schedule table */
- sched_add(new);
-
- return(new);
-}
-
-/* add new schedule to schedule table */
-static void
-sched_add(sc)
- struct sched *sc;
-{
- struct sched *p;
-
- TAILQ_FOREACH(p, &sctree, chain) {
- if (sc->xtime < p->xtime) {
- TAILQ_INSERT_BEFORE(p, sc, chain);
- return;
- }
- }
- if (p == NULL)
- TAILQ_INSERT_TAIL(&sctree, sc, chain);
-
- return;
-}
-
-/* get current time.
- * if defined FIXY2038PROBLEM, base time is the time when called sched_init().
- * Otherwise, conform to time(3).
- */
-static time_t
-current_time()
-{
- time_t n;
-#ifdef FIXY2038PROBLEM
- time_t t;
-
- time(&n);
- t = n - launched;
- if (t < 0)
- t += deltaY2038;
-
- return t;
-#else
- return time(&n);
-#endif
-}
-
-void
-sched_kill(sc)
- struct sched *sc;
-{
- sc->dead = 1;
-
- return;
-}
-
-/* XXX this function is probably unnecessary. */
-void
-sched_scrub_param(param)
- void *param;
-{
- struct sched *sc;
-
- TAILQ_FOREACH(sc, &sctree, chain) {
- if (sc->param == param) {
- if (!sc->dead) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "an undead schedule has been deleted.\n");
- }
- sched_kill(sc);
- }
- }
-}
-
-/*
- * for debug
- */
-int
-sched_dump(buf, len)
- caddr_t *buf;
- int *len;
-{
- caddr_t new;
- struct sched *p;
- struct scheddump *dst;
- int cnt = 0;
-
- /* initialize */
- *len = 0;
- *buf = NULL;
-
- TAILQ_FOREACH(p, &sctree, chain)
- cnt++;
-
- /* no entry */
- if (cnt == 0)
- return -1;
-
- *len = cnt * sizeof(*dst);
-
- new = racoon_malloc(*len);
- if (new == NULL)
- return -1;
- dst = (struct scheddump *)new;
-
- p = TAILQ_FIRST(&sctree);
- while (p) {
- dst->xtime = p->xtime;
- dst->id = p->id;
- dst->created = p->created;
- dst->tick = p->tick;
-
- p = TAILQ_NEXT(p, chain);
- if (p == NULL)
- break;
- dst++;
- }
-
- *buf = new;
-
- return 0;
-}
-
-/* initialize schedule table */
-void
-sched_init()
-{
-#ifdef FIXY2038PROBLEM
- time(&launched);
-
- deltaY2038 = Y2038TIME_T - launched;
-#endif
-
- TAILQ_INIT(&sctree);
-
- return;
-}
-
-#ifdef STEST
-#include <sys/types.h>
-#include <sys/time.h>
-#include <unistd.h>
-#include <err.h>
-
-void
-test(tick)
- int *tick;
-{
- printf("execute %d\n", *tick);
- racoon_free(tick);
-}
-
-void
-getstdin()
-{
- int *tick;
- char buf[16];
-
- read(0, buf, sizeof(buf));
- if (buf[0] == 'd') {
- struct scheddump *scbuf, *p;
- int len;
- sched_dump((caddr_t *)&scbuf, &len);
- if (scbuf == NULL)
- return;
- for (p = scbuf; len; p++) {
- printf("xtime=%ld\n", p->xtime);
- len -= sizeof(*p);
- }
- racoon_free(scbuf);
- return;
- }
-
- tick = (int *)racoon_malloc(sizeof(*tick));
- *tick = atoi(buf);
- printf("new queue tick = %d\n", *tick);
- sched_new(*tick, test, tick);
-}
-
-int
-main()
-{
- static fd_set mask0;
- int nfds = 0;
- fd_set rfds;
- struct timeval *timeout;
- int error;
-
- FD_ZERO(&mask0);
- FD_SET(0, &mask0);
- nfds = 1;
-
- /* initialize */
- sched_init();
-
- while (1) {
- rfds = mask0;
-
- timeout = schedular();
-
- error = select(nfds, &rfds, (fd_set *)0, (fd_set *)0, timeout);
- if (error < 0) {
- switch (errno) {
- case EINTR: continue;
- default:
- err(1, "select");
- }
- /*NOTREACHED*/
- }
-
- if (FD_ISSET(0, &rfds))
- getstdin();
- }
-}
-#endif
diff --git a/src/racoon/schedule.h b/src/racoon/schedule.h
deleted file mode 100644
index bd66593..0000000
--- a/src/racoon/schedule.h
+++ /dev/null
@@ -1,85 +0,0 @@
-/* $NetBSD: schedule.h,v 1.4.6.1 2007/03/21 14:29:48 vanhu Exp $ */
-
-/* Id: schedule.h,v 1.5 2006/05/03 21:53:42 vanhu Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _SCHEDULE_H
-#define _SCHEDULE_H
-
-#include <sys/queue.h>
-#include "gnuc.h"
-
-/* scheduling table */
-/* the head is the nearest event. */
-struct sched {
- time_t xtime; /* event time which is as time(3). */
- /*
- * if defined FIXY2038PROBLEM, this time
- * is from the time when called sched_init().
- */
- void (*func) __P((void *)); /* call this function when timeout. */
- void *param; /* pointer to parameter */
-
- int dead; /* dead or alive */
- long id; /* for debug */
- time_t created; /* for debug */
- time_t tick; /* for debug */
-
- TAILQ_ENTRY(sched) chain;
-};
-
-/* cancel schedule */
-#define SCHED_KILL(s) \
-do { \
- if(s != NULL){ \
- sched_kill(s); \
- s = NULL; \
- }\
-} while(0)
-
-/* must be called after it's called from scheduler. */
-#define SCHED_INIT(s) (s) = NULL
-
-struct scheddump {
- time_t xtime;
- long id;
- time_t created;
- time_t tick;
-};
-
-struct timeval *schedular __P((void));
-struct sched *sched_new __P((time_t, void (*func) __P((void *)), void *));
-void sched_kill __P((struct sched *));
-int sched_dump __P((caddr_t *, int *));
-void sched_init __P((void));
-void sched_scrub_param __P((void *));
-
-#endif /* _SCHEDULE_H */
diff --git a/src/racoon/security.c b/src/racoon/security.c
deleted file mode 100644
index e4b5a0d..0000000
--- a/src/racoon/security.c
+++ /dev/null
@@ -1,265 +0,0 @@
-/*
- * Copyright (C) 2005 International Business Machines Corporation
- * Copyright (c) 2005 by Trusted Computer Solutions, Inc.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-
-#include "config.h"
-
-#include <sys/types.h>
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-
-#include <selinux/selinux.h>
-#include <selinux/flask.h>
-#include <selinux/av_permissions.h>
-#include <selinux/avc.h>
-#include <selinux/context.h>
-
-#include "var.h"
-#include "vmbuf.h"
-#include "misc.h"
-#include "plog.h"
-
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "ipsec_doi.h"
-#include "policy.h"
-#include "proposal.h"
-#include "strnames.h"
-#include "handler.h"
-
-/*
- * Get the security context information from SA.
- */
-int
-get_security_context(sa, p)
- vchar_t *sa;
- struct policyindex *p;
-{
- int len = 0;
- int flag, type = 0;
- u_int16_t lorv;
- caddr_t bp;
- vchar_t *pbuf = NULL;
- vchar_t *tbuf = NULL;
- struct isakmp_parse_t *pa;
- struct isakmp_parse_t *ta;
- struct isakmp_pl_p *prop;
- struct isakmp_pl_t *trns;
- struct isakmp_data *d;
- struct ipsecdoi_sa_b *sab = (struct ipsecdoi_sa_b *)sa->v;
-
- /* check SA payload size */
- if (sa->l < sizeof(*sab)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Invalid SA length = %zu.\n", sa->l);
- return -1;
- }
-
- bp = (caddr_t)(sab + 1); /* here bp points to first proposal payload */
- len = sa->l - sizeof(*sab);
-
- pbuf = isakmp_parsewoh(ISAKMP_NPTYPE_P, (struct isakmp_gen *)bp, len);
- if (pbuf == NULL)
- return -1;
-
- pa = (struct isakmp_parse_t *)pbuf->v;
- /* check the value of next payload */
- if (pa->type != ISAKMP_NPTYPE_P) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Invalid payload type=%u\n", pa->type);
- vfree(pbuf);
- return -1;
- }
-
- if (pa->len == 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid proposal with length %d\n", pa->len);
- vfree(pbuf);
- return -1;
- }
-
- /* our first proposal */
- prop = (struct isakmp_pl_p *)pa->ptr;
-
- /* now get transform */
- bp = (caddr_t)prop + sizeof(struct isakmp_pl_p) + prop->spi_size;
- len = ntohs(prop->h.len) -
- (sizeof(struct isakmp_pl_p) + prop->spi_size);
- tbuf = isakmp_parsewoh(ISAKMP_NPTYPE_T, (struct isakmp_gen *)bp, len);
- if (tbuf == NULL)
- return -1;
-
- ta = (struct isakmp_parse_t *)tbuf->v;
- if (ta->type != ISAKMP_NPTYPE_T) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Invalid payload type=%u\n", ta->type);
- return -1;
- }
-
- trns = (struct isakmp_pl_t *)ta->ptr;
-
- len = ntohs(trns->h.len) - sizeof(struct isakmp_pl_t);
- d = (struct isakmp_data *)((caddr_t)trns + sizeof(struct isakmp_pl_t));
-
- while (len > 0) {
- type = ntohs(d->type) & ~ISAKMP_GEN_MASK;
- flag = ntohs(d->type) & ISAKMP_GEN_MASK;
- lorv = ntohs(d->lorv);
-
- if (type != IPSECDOI_ATTR_SECCTX) {
- if (flag) {
- len -= sizeof(*d);
- d = (struct isakmp_data *)((char *)d
- + sizeof(*d));
- } else {
- len -= (sizeof(*d) + lorv);
- d = (struct isakmp_data *)((caddr_t)d
- + sizeof(*d) + lorv);
- }
- } else {
- flag = ntohs(d->type & ISAKMP_GEN_MASK);
- if (flag) {
- plog(LLV_ERROR, LOCATION, NULL,
- "SECCTX must be in TLV.\n");
- return -1;
- }
- memcpy(&p->sec_ctx, d + 1, lorv);
- p->sec_ctx.ctx_strlen = ntohs(p->sec_ctx.ctx_strlen);
- return 0;
- }
- }
- return 0;
-}
-
-void
-set_secctx_in_proposal(iph2, spidx)
- struct ph2handle *iph2;
- struct policyindex spidx;
-{
- iph2->proposal->sctx.ctx_doi = spidx.sec_ctx.ctx_doi;
- iph2->proposal->sctx.ctx_alg = spidx.sec_ctx.ctx_alg;
- iph2->proposal->sctx.ctx_strlen = spidx.sec_ctx.ctx_strlen;
- memcpy(iph2->proposal->sctx.ctx_str, spidx.sec_ctx.ctx_str,
- spidx.sec_ctx.ctx_strlen);
-}
-
-
-/*
- * function: init_avc
- * description: function performs the steps necessary to initialize the
- * userspace avc.
- * input: void
- * return: 0 if avc was successfully initialized
- * 1 if the avc could not be initialized
- */
-
-static int mls_ready = 0;
-
-void
-init_avc(void)
-{
- if (!is_selinux_mls_enabled()) {
- plog(LLV_ERROR, LOCATION, NULL, "racoon: MLS support is not"
- " enabled.\n");
- return;
- }
-
- if (avc_init("racoon", NULL, NULL, NULL, NULL) == 0)
- mls_ready = 1;
- else
- plog(LLV_ERROR, LOCATION, NULL,
- "racoon: could not initialize avc.\n");
-}
-
-/*
- * function: within_range
- * description: function determines if the specified sl is within the
- * configured range for a policy rule.
- * input: security_context *sl SL
- * char *range Range
- * return: 1 if the sl is within the range
- * 0 if the sl is not within the range or an error
- * occurred which prevented the determination
- */
-
-int
-within_range(security_context_t sl, security_context_t range)
-{
- int rtn = 1;
- security_id_t slsid;
- security_id_t rangesid;
- struct av_decision avd;
- security_class_t tclass;
- access_vector_t av;
-
- if (!*range) /* This policy doesn't have security context */
- return 1;
-
- if (!mls_ready) /* mls may not be enabled */
- return 0;
-
- /*
- * Get the sids for the sl and range contexts
- */
- rtn = avc_context_to_sid(sl, &slsid);
- if (rtn != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "within_range: Unable to retrieve "
- "sid for sl context (%s).\n", sl);
- return 0;
- }
- rtn = avc_context_to_sid(range, &rangesid);
- if (rtn != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "within_range: Unable to retrieve "
- "sid for range context (%s).\n", range);
- sidput(slsid);
- return 0;
- }
-
- /*
- * Straight up test between sl and range
- */
- tclass = SECCLASS_ASSOCIATION;
- av = ASSOCIATION__POLMATCH;
- rtn = avc_has_perm(slsid, rangesid, tclass, av, NULL, &avd);
- if (rtn != 0) {
- plog(LLV_INFO, LOCATION, NULL,
- "within_range: The sl is not within range\n");
- sidput(slsid);
- sidput(rangesid);
- return 0;
- }
- plog(LLV_DEBUG, LOCATION, NULL,
- "within_range: The sl (%s) is within range (%s)\n", sl, range);
- return 1;
-}
diff --git a/src/racoon/session.c b/src/racoon/session.c
deleted file mode 100644
index 9db901d..0000000
--- a/src/racoon/session.c
+++ /dev/null
@@ -1,592 +0,0 @@
-/* $NetBSD: session.c,v 1.7.6.2 2007/08/01 11:52:22 vanhu Exp $ */
-
-/* $KAME: session.c,v 1.32 2003/09/24 02:01:17 jinmei Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#if HAVE_SYS_WAIT_H
-# include <sys/wait.h>
-#endif
-#ifndef WEXITSTATUS
-# define WEXITSTATUS(s) ((unsigned)(s) >> 8)
-#endif
-#ifndef WIFEXITED
-# define WIFEXITED(s) (((s) & 255) == 0)
-#endif
-
-#include PATH_IPSEC_H
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-#include <signal.h>
-#include <sys/stat.h>
-#include <paths.h>
-
-#include <netinet/in.h>
-#include <resolv.h>
-
-#include "libpfkey.h"
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "debug.h"
-
-#include "schedule.h"
-#include "session.h"
-#include "grabmyaddr.h"
-#include "evt.h"
-#include "cfparse_proto.h"
-#include "isakmp_var.h"
-#include "isakmp_xauth.h"
-#include "isakmp_cfg.h"
-#include "admin_var.h"
-#include "admin.h"
-#include "privsep.h"
-#include "oakley.h"
-#include "pfkey.h"
-#include "handler.h"
-#include "localconf.h"
-#include "remoteconf.h"
-#include "backupsa.h"
-#ifdef ENABLE_NATT
-#include "nattraversal.h"
-#endif
-
-
-#include "algorithm.h" /* XXX ??? */
-
-#include "sainfo.h"
-
-static void close_session __P((void));
-static void check_rtsock __P((void *));
-static void initfds __P((void));
-static void init_signal __P((void));
-static int set_signal __P((int sig, RETSIGTYPE (*func) __P((int))));
-static void check_sigreq __P((void));
-static void check_flushsa_stub __P((void *));
-static void check_flushsa __P((void));
-static int close_sockets __P((void));
-
-static fd_set mask0;
-static fd_set maskdying;
-static int nfds = 0;
-static volatile sig_atomic_t sigreq[NSIG + 1];
-static int dying = 0;
-
-int
-session(void)
-{
- fd_set rfds;
- struct timeval *timeout;
- int error;
- struct myaddrs *p;
- char pid_file[MAXPATHLEN];
- FILE *fp;
- pid_t racoon_pid = 0;
- int i;
-
- /* initialize schedular */
- sched_init();
-
- init_signal();
-
-#ifdef ENABLE_ADMINPORT
- if (admin_init() < 0)
- exit(1);
-#endif
-
- initmyaddr();
-
- if (isakmp_init() < 0)
- exit(1);
-
- initfds();
-
-#ifdef ENABLE_NATT
- natt_keepalive_init ();
-#endif
-
- if (privsep_init() != 0)
- exit(1);
-
- for (i = 0; i <= NSIG; i++)
- sigreq[i] = 0;
-
- /* write .pid file */
- racoon_pid = getpid();
- if (lcconf->pathinfo[LC_PATHTYPE_PIDFILE] == NULL)
- strlcpy(pid_file, _PATH_VARRUN "racoon.pid", MAXPATHLEN);
- else if (lcconf->pathinfo[LC_PATHTYPE_PIDFILE][0] == '/')
- strlcpy(pid_file, lcconf->pathinfo[LC_PATHTYPE_PIDFILE], MAXPATHLEN);
- else {
- strlcat(pid_file, _PATH_VARRUN, MAXPATHLEN);
- strlcat(pid_file, lcconf->pathinfo[LC_PATHTYPE_PIDFILE], MAXPATHLEN);
- }
- fp = fopen(pid_file, "w");
- if (fp) {
- if (fchmod(fileno(fp),
- S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) == -1) {
- syslog(LOG_ERR, "%s", strerror(errno));
- fclose(fp);
- exit(1);
- }
- fprintf(fp, "%ld\n", (long)racoon_pid);
- fclose(fp);
- } else {
- plog(LLV_ERROR, LOCATION, NULL,
- "cannot open %s", pid_file);
- }
-
- while (1) {
- if (dying)
- rfds = maskdying;
- else
- rfds = mask0;
-
- /*
- * asynchronous requests via signal.
- * make sure to reset sigreq to 0.
- */
- check_sigreq();
-
- /* scheduling */
- timeout = schedular();
-
- error = select(nfds, &rfds, (fd_set *)0, (fd_set *)0, timeout);
- if (error < 0) {
- switch (errno) {
- case EINTR:
- continue;
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to select (%s)\n",
- strerror(errno));
- return -1;
- }
- /*NOTREACHED*/
- }
-
-#ifdef ENABLE_ADMINPORT
- if ((lcconf->sock_admin != -1) &&
- (FD_ISSET(lcconf->sock_admin, &rfds)))
- admin_handler();
-#endif
-
- for (p = lcconf->myaddrs; p; p = p->next) {
- if (!p->addr)
- continue;
- if (FD_ISSET(p->sock, &rfds))
- isakmp_handler(p->sock);
- }
-
- if (FD_ISSET(lcconf->sock_pfkey, &rfds))
- pfkey_handler();
-
- if (lcconf->rtsock >= 0 && FD_ISSET(lcconf->rtsock, &rfds)) {
- if (update_myaddrs() && lcconf->autograbaddr)
- check_rtsock(NULL);
- else
- initfds();
- }
- }
-}
-
-/* clear all status and exit program. */
-static void
-close_session()
-{
-#ifdef ENABLE_FASTQUIT
- flushph2();
-#endif
- flushph1();
- close_sockets();
- backupsa_clean();
-
- plog(LLV_INFO, LOCATION, NULL, "racoon shutdown\n");
- exit(0);
-}
-
-static void
-check_rtsock(unused)
- void *unused;
-{
- isakmp_close();
- grab_myaddrs();
- autoconf_myaddrsport();
- isakmp_open();
-
- /* initialize socket list again */
- initfds();
-}
-
-static void
-initfds()
-{
- struct myaddrs *p;
-
- nfds = 0;
-
- FD_ZERO(&mask0);
- FD_ZERO(&maskdying);
-
-#ifdef ENABLE_ADMINPORT
- if (lcconf->sock_admin != -1) {
- if (lcconf->sock_admin >= FD_SETSIZE) {
- plog(LLV_ERROR, LOCATION, NULL, "fd_set overrun\n");
- exit(1);
- }
- FD_SET(lcconf->sock_admin, &mask0);
- /* XXX should we listen on admin socket when dying ?
- */
-#if 0
- FD_SET(lcconf->sock_admin, &maskdying);
-#endif
- nfds = (nfds > lcconf->sock_admin ? nfds : lcconf->sock_admin);
- }
-#endif
- if (lcconf->sock_pfkey >= FD_SETSIZE) {
- plog(LLV_ERROR, LOCATION, NULL, "fd_set overrun\n");
- exit(1);
- }
- FD_SET(lcconf->sock_pfkey, &mask0);
- FD_SET(lcconf->sock_pfkey, &maskdying);
- nfds = (nfds > lcconf->sock_pfkey ? nfds : lcconf->sock_pfkey);
- if (lcconf->rtsock >= 0) {
- if (lcconf->rtsock >= FD_SETSIZE) {
- plog(LLV_ERROR, LOCATION, NULL, "fd_set overrun\n");
- exit(1);
- }
- FD_SET(lcconf->rtsock, &mask0);
- nfds = (nfds > lcconf->rtsock ? nfds : lcconf->rtsock);
- }
-
- for (p = lcconf->myaddrs; p; p = p->next) {
- if (!p->addr)
- continue;
- if (p->sock >= FD_SETSIZE) {
- plog(LLV_ERROR, LOCATION, NULL, "fd_set overrun\n");
- exit(1);
- }
- FD_SET(p->sock, &mask0);
- nfds = (nfds > p->sock ? nfds : p->sock);
- }
- nfds++;
-}
-
-static int signals[] = {
- SIGHUP,
- SIGINT,
- SIGTERM,
- SIGUSR1,
- SIGUSR2,
- SIGCHLD,
- 0
-};
-
-/*
- * asynchronous requests will actually dispatched in the
- * main loop in session().
- */
-RETSIGTYPE
-signal_handler(sig)
- int sig;
-{
- /* Do not just set it to 1, because we may miss some signals by just setting
- * values to 0/1
- */
- sigreq[sig]++;
-}
-
-
-/* XXX possible mem leaks and no way to go back for now !!!
- */
-static void reload_conf(){
- int error;
-
-#ifdef ENABLE_HYBRID
- if ((isakmp_cfg_init(ISAKMP_CFG_INIT_WARM)) != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "ISAKMP mode config structure reset failed, "
- "not reloading\n");
- return;
- }
-#endif
-
- save_sainfotree();
-
- /* TODO: save / restore / flush old lcconf (?) / rmtree
- */
-/* initlcconf();*/ /* racoon_conf ? ! */
-
- save_rmconf();
- initrmconf();
-
- /* Do a part of pfkey_init() ?
- * SPD reload ?
- */
-
- save_params();
- error = cfparse();
- if (error != 0){
- plog(LLV_ERROR, LOCATION, NULL, "config reload failed\n");
- /* We are probably in an inconsistant state... */
- return;
- }
- restore_params();
-
-#if 0
- if (dump_config)
- dumprmconf ();
-#endif
-
- /*
- * init_myaddr() ?
- * If running in privilege separation, do not reinitialize
- * the IKE listener, as we will not have the right to
- * setsockopt(IP_IPSEC_POLICY).
- */
- if (geteuid() == 0)
- check_rtsock(NULL);
-
- /* Revalidate ph1 / ph2tree !!!
- * update ctdtree if removing some ph1 !
- */
- revalidate_ph12();
- /* Update ctdtree ?
- */
-
- save_sainfotree_flush();
- save_rmconf_flush();
-}
-
-static void
-check_sigreq()
-{
- int sig;
-
- /*
- * XXX We are not able to tell if we got
- * several time the same signal. This is
- * not a problem for the current code,
- * but we shall remember this limitation.
- */
- for (sig = 0; sig <= NSIG; sig++) {
- if (sigreq[sig] == 0)
- continue;
-
- sigreq[sig]--;
- switch(sig) {
- case 0:
- return;
-
- /* Catch up childs, mainly scripts.
- */
- case SIGCHLD:
- {
- pid_t pid;
- int s;
-
- pid = wait(&s);
- }
- break;
-
-#ifdef DEBUG_RECORD_MALLOCATION
- /*
- * XXX This operation is signal handler unsafe and may lead to
- * crashes and security breaches: See Henning Brauer talk at
- * EuroBSDCon 2005. Do not run in production with this option
- * enabled.
- */
- case SIGUSR2:
- DRM_dump();
- break;
-#endif
-
- case SIGHUP:
- /* Save old configuration, load new one... */
- reload_conf();
- break;
-
- case SIGINT:
- case SIGTERM:
- plog(LLV_INFO, LOCATION, NULL,
- "caught signal %d\n", sig);
- EVT_PUSH(NULL, NULL, EVTT_RACOON_QUIT, NULL);
- pfkey_send_flush(lcconf->sock_pfkey,
- SADB_SATYPE_UNSPEC);
-#ifdef ENABLE_FASTQUIT
- close_session();
-#else
- sched_new(1, check_flushsa_stub, NULL);
-#endif
- dying = 1;
- break;
-
- default:
- plog(LLV_INFO, LOCATION, NULL,
- "caught signal %d\n", sig);
- break;
- }
- }
-}
-
-/*
- * waiting the termination of processing until sending DELETE message
- * for all inbound SA will complete.
- */
-static void
-check_flushsa_stub(p)
- void *p;
-{
-
- check_flushsa();
-}
-
-static void
-check_flushsa()
-{
- vchar_t *buf;
- struct sadb_msg *msg, *end, *next;
- struct sadb_sa *sa;
- caddr_t mhp[SADB_EXT_MAX + 1];
- int n;
-
- buf = pfkey_dump_sadb(SADB_SATYPE_UNSPEC);
- if (buf == NULL) {
- plog(LLV_DEBUG, LOCATION, NULL,
- "pfkey_dump_sadb: returned nothing.\n");
- return;
- }
-
- msg = (struct sadb_msg *)buf->v;
- end = (struct sadb_msg *)(buf->v + buf->l);
-
- /* counting SA except of dead one. */
- n = 0;
- while (msg < end) {
- if (PFKEY_UNUNIT64(msg->sadb_msg_len) < sizeof(*msg))
- break;
- next = (struct sadb_msg *)((caddr_t)msg + PFKEY_UNUNIT64(msg->sadb_msg_len));
- if (msg->sadb_msg_type != SADB_DUMP) {
- msg = next;
- continue;
- }
-
- if (pfkey_align(msg, mhp) || pfkey_check(mhp)) {
- plog(LLV_ERROR, LOCATION, NULL,
- "pfkey_check (%s)\n", ipsec_strerror());
- msg = next;
- continue;
- }
-
- sa = (struct sadb_sa *)(mhp[SADB_EXT_SA]);
- if (!sa) {
- msg = next;
- continue;
- }
-
- if (sa->sadb_sa_state != SADB_SASTATE_DEAD) {
- n++;
- msg = next;
- continue;
- }
-
- msg = next;
- }
-
- if (buf != NULL)
- vfree(buf);
-
- if (n) {
- sched_new(1, check_flushsa_stub, NULL);
- return;
- }
-
- close_session();
-}
-
-static void
-init_signal()
-{
- int i;
-
- for (i = 0; signals[i] != 0; i++)
- if (set_signal(signals[i], signal_handler) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to set_signal (%s)\n",
- strerror(errno));
- exit(1);
- }
-}
-
-static int
-set_signal(sig, func)
- int sig;
- RETSIGTYPE (*func) __P((int));
-{
- struct sigaction sa;
-
- memset((caddr_t)&sa, 0, sizeof(sa));
- sa.sa_handler = func;
- sa.sa_flags = SA_RESTART;
-
- if (sigemptyset(&sa.sa_mask) < 0)
- return -1;
-
- if (sigaction(sig, &sa, (struct sigaction *)0) < 0)
- return(-1);
-
- return 0;
-}
-
-static int
-close_sockets()
-{
- isakmp_close();
- pfkey_close(lcconf->sock_pfkey);
-#ifdef ENABLE_ADMINPORT
- (void)admin_close();
-#endif
- return 0;
-}
-
diff --git a/src/racoon/session.h b/src/racoon/session.h
deleted file mode 100644
index 58799ee..0000000
--- a/src/racoon/session.h
+++ /dev/null
@@ -1,40 +0,0 @@
-/* $NetBSD: session.h,v 1.4 2006/09/09 16:22:10 manu Exp $ */
-
-/* Id: session.h,v 1.3 2004/06/11 16:00:17 ludvigm Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _SESSION_H
-#define _SESSION_H
-
-extern int session __P((void));
-extern RETSIGTYPE signal_handler __P((int));
-
-#endif /* _SESSION_H */
diff --git a/src/racoon/sockmisc.c b/src/racoon/sockmisc.c
deleted file mode 100644
index 4dd7cf1..0000000
--- a/src/racoon/sockmisc.c
+++ /dev/null
@@ -1,1197 +0,0 @@
-/* $NetBSD: sockmisc.c,v 1.8.6.1 2007/08/01 11:52:22 vanhu Exp $ */
-
-/* Id: sockmisc.c,v 1.24 2006/05/07 21:32:59 manubsd Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/uio.h>
-
-#include <netinet/in.h>
-#include PATH_IPSEC_H
-
-#if defined(INET6) && !defined(INET6_ADVAPI) && \
- defined(IP_RECVDSTADDR) && !defined(IPV6_RECVDSTADDR)
-#define IPV6_RECVDSTADDR IP_RECVDSTADDR
-#endif
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#ifdef HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-
-#include "var.h"
-#include "misc.h"
-#include "plog.h"
-#include "sockmisc.h"
-#include "debug.h"
-#include "gcmalloc.h"
-#include "debugrm.h"
-#include "libpfkey.h"
-
-#ifdef ANDROID_CHANGES
-#include "NetdClient.h"
-#endif
-
-#ifndef IP_IPSEC_POLICY
-#define IP_IPSEC_POLICY 16 /* XXX: from linux/in.h */
-#endif
-
-#ifndef IPV6_IPSEC_POLICY
-#define IPV6_IPSEC_POLICY 34 /* XXX: from linux/???.h per
- "Tom Lendacky" <toml@us.ibm.com> */
-#endif
-
-const int niflags = 0;
-
-/*
- * compare two sockaddr without port number.
- * OUT: 0: equal.
- * 1: not equal.
- */
-int
-cmpsaddrwop(addr1, addr2)
- const struct sockaddr *addr1;
- const struct sockaddr *addr2;
-{
- caddr_t sa1, sa2;
-
- if (addr1 == 0 && addr2 == 0)
- return 0;
- if (addr1 == 0 || addr2 == 0)
- return 1;
-
-#ifdef __linux__
- if (addr1->sa_family != addr2->sa_family)
- return 1;
-#else
- if (addr1->sa_len != addr2->sa_len
- || addr1->sa_family != addr2->sa_family)
- return 1;
-
-#endif /* __linux__ */
-
- switch (addr1->sa_family) {
- case AF_INET:
- sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
- sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
- if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
- return 1;
- break;
-#ifdef INET6
- case AF_INET6:
- sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr;
- sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
- if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
- return 1;
- if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
- ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
- return 1;
- break;
-#endif
- default:
- return 1;
- }
-
- return 0;
-}
-
-/*
- * compare two sockaddr with port, taking care wildcard.
- * addr1 is a subject address, addr2 is in a database entry.
- * OUT: 0: equal.
- * 1: not equal.
- */
-int
-cmpsaddrwild(addr1, addr2)
- const struct sockaddr *addr1;
- const struct sockaddr *addr2;
-{
- caddr_t sa1, sa2;
- u_short port1, port2;
-
- if (addr1 == 0 && addr2 == 0)
- return 0;
- if (addr1 == 0 || addr2 == 0)
- return 1;
-
-#ifdef __linux__
- if (addr1->sa_family != addr2->sa_family)
- return 1;
-#else
- if (addr1->sa_len != addr2->sa_len
- || addr1->sa_family != addr2->sa_family)
- return 1;
-
-#endif /* __linux__ */
-
- switch (addr1->sa_family) {
- case AF_INET:
- sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
- sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
- port1 = ((struct sockaddr_in *)addr1)->sin_port;
- port2 = ((struct sockaddr_in *)addr2)->sin_port;
- if (!(port1 == IPSEC_PORT_ANY ||
- port2 == IPSEC_PORT_ANY ||
- port1 == port2))
- return 1;
- if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
- return 1;
- break;
-#ifdef INET6
- case AF_INET6:
- sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr;
- sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
- port1 = ((struct sockaddr_in6 *)addr1)->sin6_port;
- port2 = ((struct sockaddr_in6 *)addr2)->sin6_port;
- if (!(port1 == IPSEC_PORT_ANY ||
- port2 == IPSEC_PORT_ANY ||
- port1 == port2))
- return 1;
- if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
- return 1;
- if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
- ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
- return 1;
- break;
-#endif
- default:
- return 1;
- }
-
- return 0;
-}
-
-/*
- * compare two sockaddr with strict match on port.
- * OUT: 0: equal.
- * 1: not equal.
- */
-int
-cmpsaddrstrict(addr1, addr2)
- const struct sockaddr *addr1;
- const struct sockaddr *addr2;
-{
- caddr_t sa1, sa2;
- u_short port1, port2;
-
- if (addr1 == 0 && addr2 == 0)
- return 0;
- if (addr1 == 0 || addr2 == 0)
- return 1;
-
-#ifdef __linux__
- if (addr1->sa_family != addr2->sa_family)
- return 1;
-#else
- if (addr1->sa_len != addr2->sa_len
- || addr1->sa_family != addr2->sa_family)
- return 1;
-
-#endif /* __linux__ */
-
- switch (addr1->sa_family) {
- case AF_INET:
- sa1 = (caddr_t)&((struct sockaddr_in *)addr1)->sin_addr;
- sa2 = (caddr_t)&((struct sockaddr_in *)addr2)->sin_addr;
- port1 = ((struct sockaddr_in *)addr1)->sin_port;
- port2 = ((struct sockaddr_in *)addr2)->sin_port;
- if (port1 != port2)
- return 1;
- if (memcmp(sa1, sa2, sizeof(struct in_addr)) != 0)
- return 1;
- break;
-#ifdef INET6
- case AF_INET6:
- sa1 = (caddr_t)&((struct sockaddr_in6 *)addr1)->sin6_addr;
- sa2 = (caddr_t)&((struct sockaddr_in6 *)addr2)->sin6_addr;
- port1 = ((struct sockaddr_in6 *)addr1)->sin6_port;
- port2 = ((struct sockaddr_in6 *)addr2)->sin6_port;
- if (port1 != port2)
- return 1;
- if (memcmp(sa1, sa2, sizeof(struct in6_addr)) != 0)
- return 1;
- if (((struct sockaddr_in6 *)addr1)->sin6_scope_id !=
- ((struct sockaddr_in6 *)addr2)->sin6_scope_id)
- return 1;
- break;
-#endif
- default:
- return 1;
- }
-
- return 0;
-}
-
-#ifdef ANDROID_PATCHED
-
-struct sockaddr *getlocaladdr(struct sockaddr *remote)
-{
- struct sockaddr_storage local;
- socklen_t len = sysdep_sa_len(remote);
- int s = socket(remote->sa_family, SOCK_DGRAM, 0);
-#ifdef ANDROID_CHANGES
- protectFromVpn(s);
-#endif
-
- if (s == -1 || connect(s, remote, len) == -1 ||
- getsockname(s, (struct sockaddr *)&local, &len) == -1) {
- close(s);
- return NULL;
- }
- close(s);
- return dupsaddr((struct sockaddr *)&local);
-}
-
-int recvfromto(int s, void *buf, size_t len, int flags, struct sockaddr *from,
- socklen_t *fromlen, struct sockaddr *to, unsigned int *tolen)
-{
- if (getsockname(s, to, (socklen_t *)tolen) == -1) {
- return -1;
- }
- return recvfrom(s, buf, len, flags, from, fromlen);
-}
-
-int sendfromto(int s, const void *buf, size_t len, struct sockaddr *from,
- struct sockaddr *to, int count)
-{
- int i;
- for (i = 0; i < count; ++i) {
- if (sendto(s, buf, len, 0, to, sysdep_sa_len(to)) == -1) {
- return -1;
- }
- }
- return len;
-}
-
-int setsockopt_bypass(int s, int family)
-{
- struct sadb_x_policy p = {
- .sadb_x_policy_len = PFKEY_UNIT64(sizeof(struct sadb_x_policy)),
- .sadb_x_policy_exttype = SADB_X_EXT_POLICY,
- .sadb_x_policy_type = IPSEC_POLICY_BYPASS,
- .sadb_x_policy_dir = IPSEC_DIR_INBOUND,
-#ifdef HAVE_PFKEY_POLICY_PRIORITY
- .sadb_x_policy_priority = PRIORITY_DEFAULT,
-#endif
- };
- int level = (family == AF_INET) ? IPPROTO_IP : IPPROTO_IPV6;
- int option = (family == AF_INET) ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY;
- int len = PFKEY_EXTLEN(&p);
- if (setsockopt(s, level, option, &p, len) == -1) {
- plog(LLV_WARNING, LOCATION, NULL, "setsockopt in bypass: %s\n",
- strerror(errno));
- }
- p.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
- if (setsockopt(s, level, option, &p, len) == -1) {
- plog(LLV_WARNING, LOCATION, NULL, "setsockopt out bypass: %s\n",
- strerror(errno));
- }
- return 0;
-}
-
-#else
-
-/* get local address against the destination. */
-struct sockaddr *
-getlocaladdr(remote)
- struct sockaddr *remote;
-{
- struct sockaddr *local;
- u_int local_len = sizeof(struct sockaddr_storage);
- int s; /* for dummy connection */
-
- /* allocate buffer */
- if ((local = racoon_calloc(1, local_len)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to get address buffer.\n");
- goto err;
- }
-
- /* get real interface received packet */
- if ((s = socket(remote->sa_family, SOCK_DGRAM, 0)) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "socket (%s)\n", strerror(errno));
- goto err;
- }
-#ifdef ANDROID_CHANGES
- protectFromVpn(s);
-#endif
-
- setsockopt_bypass(s, remote->sa_family);
-
- if (connect(s, remote, sysdep_sa_len(remote)) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "connect (%s)\n", strerror(errno));
- close(s);
- goto err;
- }
-
- if (getsockname(s, local, &local_len) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "getsockname (%s)\n", strerror(errno));
- close(s);
- return NULL;
- }
-
- close(s);
- return local;
-
- err:
- if (local != NULL)
- racoon_free(local);
- return NULL;
-}
-
-/*
- * Receive packet, with src/dst information. It is assumed that necessary
- * setsockopt() have already performed on socket.
- */
-int
-recvfromto(s, buf, buflen, flags, from, fromlen, to, tolen)
- int s;
- void *buf;
- size_t buflen;
- int flags;
- struct sockaddr *from;
- socklen_t *fromlen;
- struct sockaddr *to;
- u_int *tolen;
-{
- int otolen;
- u_int len;
- struct sockaddr_storage ss;
- struct msghdr m;
- struct cmsghdr *cm;
- struct iovec iov[2];
- u_char cmsgbuf[256];
-#if defined(INET6) && defined(INET6_ADVAPI)
- struct in6_pktinfo *pi;
-#endif /*INET6_ADVAPI*/
- struct sockaddr_in *sin;
-#ifdef INET6
- struct sockaddr_in6 *sin6;
-#endif
-
- len = sizeof(ss);
- if (getsockname(s, (struct sockaddr *)&ss, &len) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "getsockname (%s)\n", strerror(errno));
- return -1;
- }
-
- m.msg_name = (caddr_t)from;
- m.msg_namelen = *fromlen;
- iov[0].iov_base = (caddr_t)buf;
- iov[0].iov_len = buflen;
- m.msg_iov = iov;
- m.msg_iovlen = 1;
- memset(cmsgbuf, 0, sizeof(cmsgbuf));
- cm = (struct cmsghdr *)cmsgbuf;
- m.msg_control = (caddr_t)cm;
- m.msg_controllen = sizeof(cmsgbuf);
- if ((len = recvmsg(s, &m, flags)) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "recvmsg (%s)\n", strerror(errno));
- return -1;
- }
- *fromlen = m.msg_namelen;
-
- otolen = *tolen;
- *tolen = 0;
- for (cm = (struct cmsghdr *)CMSG_FIRSTHDR(&m);
- m.msg_controllen != 0 && cm;
- cm = (struct cmsghdr *)CMSG_NXTHDR(&m, cm)) {
-#if 0
- plog(LLV_ERROR, LOCATION, NULL,
- "cmsg %d %d\n", cm->cmsg_level, cm->cmsg_type);)
-#endif
-#if defined(INET6) && defined(INET6_ADVAPI)
- if (ss.ss_family == AF_INET6
- && cm->cmsg_level == IPPROTO_IPV6
- && cm->cmsg_type == IPV6_PKTINFO
- && otolen >= sizeof(*sin6)) {
- pi = (struct in6_pktinfo *)(CMSG_DATA(cm));
- *tolen = sizeof(*sin6);
- sin6 = (struct sockaddr_in6 *)to;
- memset(sin6, 0, sizeof(*sin6));
- sin6->sin6_family = AF_INET6;
-#ifndef __linux__
- sin6->sin6_len = sizeof(*sin6);
-#endif
- memcpy(&sin6->sin6_addr, &pi->ipi6_addr,
- sizeof(sin6->sin6_addr));
- /* XXX other cases, such as site-local? */
- if (IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr))
- sin6->sin6_scope_id = pi->ipi6_ifindex;
- else
- sin6->sin6_scope_id = 0;
- sin6->sin6_port =
- ((struct sockaddr_in6 *)&ss)->sin6_port;
- otolen = -1; /* "to" already set */
- continue;
- }
-#endif
-#ifdef __linux__
- if (ss.ss_family == AF_INET
- && cm->cmsg_level == IPPROTO_IP
- && cm->cmsg_type == IP_PKTINFO
- && otolen >= sizeof(sin)) {
- struct in_pktinfo *pi = (struct in_pktinfo *)(CMSG_DATA(cm));
- *tolen = sizeof(*sin);
- sin = (struct sockaddr_in *)to;
- memset(sin, 0, sizeof(*sin));
- sin->sin_family = AF_INET;
- memcpy(&sin->sin_addr, &pi->ipi_addr,
- sizeof(sin->sin_addr));
- sin->sin_port =
- ((struct sockaddr_in *)&ss)->sin_port;
- otolen = -1; /* "to" already set */
- continue;
- }
-#endif
-#if defined(INET6) && defined(IPV6_RECVDSTADDR)
- if (ss.ss_family == AF_INET6
- && cm->cmsg_level == IPPROTO_IPV6
- && cm->cmsg_type == IPV6_RECVDSTADDR
- && otolen >= sizeof(*sin6)) {
- *tolen = sizeof(*sin6);
- sin6 = (struct sockaddr_in6 *)to;
- memset(sin6, 0, sizeof(*sin6));
- sin6->sin6_family = AF_INET6;
- sin6->sin6_len = sizeof(*sin6);
- memcpy(&sin6->sin6_addr, CMSG_DATA(cm),
- sizeof(sin6->sin6_addr));
- sin6->sin6_port =
- ((struct sockaddr_in6 *)&ss)->sin6_port;
- otolen = -1; /* "to" already set */
- continue;
- }
-#endif
-#ifndef __linux__
- if (ss.ss_family == AF_INET
- && cm->cmsg_level == IPPROTO_IP
- && cm->cmsg_type == IP_RECVDSTADDR
- && otolen >= sizeof(*sin)) {
- *tolen = sizeof(*sin);
- sin = (struct sockaddr_in *)to;
- memset(sin, 0, sizeof(*sin));
- sin->sin_family = AF_INET;
- sin->sin_len = sizeof(*sin);
- memcpy(&sin->sin_addr, CMSG_DATA(cm),
- sizeof(sin->sin_addr));
- sin->sin_port = ((struct sockaddr_in *)&ss)->sin_port;
- otolen = -1; /* "to" already set */
- continue;
- }
-#endif
- }
-
- return len;
-}
-
-/* send packet, with fixing src/dst address pair. */
-int
-sendfromto(s, buf, buflen, src, dst, cnt)
- int s, cnt;
- const void *buf;
- size_t buflen;
- struct sockaddr *src;
- struct sockaddr *dst;
-{
- struct sockaddr_storage ss;
- u_int len;
- int i;
-
- if (src->sa_family != dst->sa_family) {
- plog(LLV_ERROR, LOCATION, NULL,
- "address family mismatch\n");
- return -1;
- }
-
- len = sizeof(ss);
- if (getsockname(s, (struct sockaddr *)&ss, &len) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "getsockname (%s)\n", strerror(errno));
- return -1;
- }
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "sockname %s\n", saddr2str((struct sockaddr *)&ss));
- plog(LLV_DEBUG, LOCATION, NULL,
- "send packet from %s\n", saddr2str(src));
- plog(LLV_DEBUG, LOCATION, NULL,
- "send packet to %s\n", saddr2str(dst));
-
- if (src->sa_family != ss.ss_family) {
- plog(LLV_ERROR, LOCATION, NULL,
- "address family mismatch\n");
- return -1;
- }
-
- switch (src->sa_family) {
-#if defined(INET6) && defined(INET6_ADVAPI)
-// XXX: This block wasn't compiled on Linux - does it work?
- case AF_INET6:
- {
- struct msghdr m;
- struct cmsghdr *cm;
- struct iovec iov[2];
- u_char cmsgbuf[256];
- struct in6_pktinfo *pi;
- int ifindex;
- struct sockaddr_in6 src6, dst6;
-
- memcpy(&src6, src, sizeof(src6));
- memcpy(&dst6, dst, sizeof(dst6));
-
- /* XXX take care of other cases, such as site-local */
- ifindex = 0;
- if (IN6_IS_ADDR_LINKLOCAL(&src6.sin6_addr)
- || IN6_IS_ADDR_MULTICAST(&src6.sin6_addr)) {
- ifindex = src6.sin6_scope_id; /*???*/
- }
-
- /* XXX some sanity check on dst6.sin6_scope_id */
-
- /* flowinfo for IKE? mmm, maybe useful but for now make it 0 */
- src6.sin6_flowinfo = dst6.sin6_flowinfo = 0;
-
- memset(&m, 0, sizeof(m));
- m.msg_name = (caddr_t)&dst6;
- m.msg_namelen = sizeof(dst6);
- iov[0].iov_base = (char *)buf;
- iov[0].iov_len = buflen;
- m.msg_iov = iov;
- m.msg_iovlen = 1;
-
- memset(cmsgbuf, 0, sizeof(cmsgbuf));
- cm = (struct cmsghdr *)cmsgbuf;
- m.msg_control = (caddr_t)cm;
- m.msg_controllen = CMSG_SPACE(sizeof(struct in6_pktinfo));
-
- cm->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
- cm->cmsg_level = IPPROTO_IPV6;
- cm->cmsg_type = IPV6_PKTINFO;
- pi = (struct in6_pktinfo *)CMSG_DATA(cm);
- memcpy(&pi->ipi6_addr, &src6.sin6_addr, sizeof(src6.sin6_addr));
- pi->ipi6_ifindex = ifindex;
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "src6 %s %d\n",
- saddr2str((struct sockaddr *)&src6),
- src6.sin6_scope_id);
- plog(LLV_DEBUG, LOCATION, NULL,
- "dst6 %s %d\n",
- saddr2str((struct sockaddr *)&dst6),
- dst6.sin6_scope_id);
-
- for (i = 0; i < cnt; i++) {
- len = sendmsg(s, &m, 0 /*MSG_DONTROUTE*/);
- if (len < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "sendmsg (%s)\n", strerror(errno));
- return -1;
- }
- plog(LLV_DEBUG, LOCATION, NULL,
- "%d times of %d bytes message will be sent "
- "to %s\n",
- i + 1, len, saddr2str(dst));
- }
- plogdump(LLV_DEBUG, (char *)buf, buflen);
-
- return len;
- }
-#endif
-#ifdef __linux__
- case AF_INET:
- {
- struct msghdr m;
- struct cmsghdr *cm;
- struct iovec iov[2];
- u_char cmsgbuf[256];
- struct in_pktinfo *pi;
- int ifindex = 0;
- struct sockaddr_in src6, dst6;
-
- memcpy(&src6, src, sizeof(src6));
- memcpy(&dst6, dst, sizeof(dst6));
-
- memset(&m, 0, sizeof(m));
- m.msg_name = (caddr_t)&dst6;
- m.msg_namelen = sizeof(dst6);
- iov[0].iov_base = (char *)buf;
- iov[0].iov_len = buflen;
- m.msg_iov = iov;
- m.msg_iovlen = 1;
-
- memset(cmsgbuf, 0, sizeof(cmsgbuf));
- cm = (struct cmsghdr *)cmsgbuf;
- m.msg_control = (caddr_t)cm;
- m.msg_controllen = CMSG_SPACE(sizeof(struct in_pktinfo));
-
- cm->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
- cm->cmsg_level = IPPROTO_IP;
- cm->cmsg_type = IP_PKTINFO;
- pi = (struct in_pktinfo *)CMSG_DATA(cm);
- memcpy(&pi->ipi_spec_dst, &src6.sin_addr, sizeof(src6.sin_addr));
- pi->ipi_ifindex = ifindex;
-
- plog(LLV_DEBUG, LOCATION, NULL,
- "src4 %s\n",
- saddr2str((struct sockaddr *)&src6));
- plog(LLV_DEBUG, LOCATION, NULL,
- "dst4 %s\n",
- saddr2str((struct sockaddr *)&dst6));
-
- for (i = 0; i < cnt; i++) {
- len = sendmsg(s, &m, 0 /*MSG_DONTROUTE*/);
- if (len < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "sendmsg (%s)\n", strerror(errno));
- return -1;
- }
- plog(LLV_DEBUG, LOCATION, NULL,
- "%d times of %d bytes message will be sent "
- "to %s\n",
- i + 1, len, saddr2str(dst));
- }
- plogdump(LLV_DEBUG, (char *)buf, buflen);
-
- return len;
- }
-#endif /* __linux__ */
- default:
- {
- int needclose = 0;
- int sendsock;
-
- if (ss.ss_family == src->sa_family && memcmp(&ss, src, sysdep_sa_len(src)) == 0) {
- sendsock = s;
- needclose = 0;
- } else {
- int yes = 1;
- /*
- * Use newly opened socket for sending packets.
- * NOTE: this is unsafe, because if the peer is quick enough
- * the packet from the peer may be queued into sendsock.
- * Better approach is to prepare bind'ed udp sockets for
- * each of the interface addresses.
- */
- sendsock = socket(src->sa_family, SOCK_DGRAM, 0);
- if (sendsock < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "socket (%s)\n", strerror(errno));
- return -1;
- }
-#ifdef ANDROID_CHANGES
- protectFromVpn(sendsock);
-#endif
-
- if (setsockopt(sendsock, SOL_SOCKET,
-#ifdef __linux__
- SO_REUSEADDR,
-#else
- SO_REUSEPORT,
-#endif
- (void *)&yes, sizeof(yes)) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "setsockopt SO_REUSEPORT (%s)\n",
- strerror(errno));
- close(sendsock);
- return -1;
- }
-#ifdef IPV6_USE_MIN_MTU
- if (src->sa_family == AF_INET6 &&
- setsockopt(sendsock, IPPROTO_IPV6, IPV6_USE_MIN_MTU,
- (void *)&yes, sizeof(yes)) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "setsockopt IPV6_USE_MIN_MTU (%s)\n",
- strerror(errno));
- close(sendsock);
- return -1;
- }
-#endif
- if (setsockopt_bypass(sendsock, src->sa_family) < 0) {
- close(sendsock);
- return -1;
- }
-
- if (bind(sendsock, (struct sockaddr *)src, sysdep_sa_len(src)) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "bind 1 (%s)\n", strerror(errno));
- close(sendsock);
- return -1;
- }
- needclose = 1;
- }
-
- for (i = 0; i < cnt; i++) {
- len = sendto(sendsock, buf, buflen, 0, dst, sysdep_sa_len(dst));
- if (len < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "sendto (%s)\n", strerror(errno));
- if (needclose)
- close(sendsock);
- return len;
- }
- plog(LLV_DEBUG, LOCATION, NULL,
- "%d times of %d bytes message will be sent "
- "to %s\n",
- i + 1, len, saddr2str(dst));
- }
- plogdump(LLV_DEBUG, (char *)buf, buflen);
-
- if (needclose)
- close(sendsock);
-
- return len;
- }
- }
-}
-
-int
-setsockopt_bypass(so, family)
- int so, family;
-{
- int level;
- char *buf;
- char *policy;
-
- switch (family) {
- case AF_INET:
- level = IPPROTO_IP;
- break;
-#ifdef INET6
- case AF_INET6:
- level = IPPROTO_IPV6;
- break;
-#endif
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "unsupported address family %d\n", family);
- return -1;
- }
-
- policy = "in bypass";
- buf = ipsec_set_policy(policy, strlen(policy));
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "ipsec_set_policy (%s)\n",
- ipsec_strerror());
- return -1;
- }
- if (setsockopt(so, level,
- (level == IPPROTO_IP ?
- IP_IPSEC_POLICY : IPV6_IPSEC_POLICY),
- buf, ipsec_get_policylen(buf)) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "setsockopt IP_IPSEC_POLICY (%s)\n",
- strerror(errno));
- return -1;
- }
- racoon_free(buf);
-
- policy = "out bypass";
- buf = ipsec_set_policy(policy, strlen(policy));
- if (buf == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "ipsec_set_policy (%s)\n",
- ipsec_strerror());
- return -1;
- }
- if (setsockopt(so, level,
- (level == IPPROTO_IP ?
- IP_IPSEC_POLICY : IPV6_IPSEC_POLICY),
- buf, ipsec_get_policylen(buf)) < 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "setsockopt IP_IPSEC_POLICY (%s)\n",
- strerror(errno));
- return -1;
- }
- racoon_free(buf);
-
- return 0;
-}
-
-struct sockaddr *
-newsaddr(len)
- int len;
-{
- struct sockaddr *new;
-
- if ((new = racoon_calloc(1, len)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "%s\n", strerror(errno));
- goto out;
- }
-
-#ifdef __linux__
- if (len == sizeof (struct sockaddr_in6))
- new->sa_family = AF_INET6;
- else
- new->sa_family = AF_INET;
-#else
- /* initial */
- new->sa_len = len;
-#endif
-out:
- return new;
-}
-
-#endif
-
-struct sockaddr *
-dupsaddr(src)
- struct sockaddr *src;
-{
- struct sockaddr *dst;
-
- dst = racoon_calloc(1, sysdep_sa_len(src));
- if (dst == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "%s\n", strerror(errno));
- return NULL;
- }
-
- memcpy(dst, src, sysdep_sa_len(src));
-
- return dst;
-}
-
-char *
-saddr2str(saddr)
- const struct sockaddr *saddr;
-{
- static char buf[NI_MAXHOST + NI_MAXSERV + 10];
- char addr[NI_MAXHOST], port[NI_MAXSERV];
-
- if (saddr == NULL)
- return NULL;
-
- if (saddr->sa_family == AF_UNSPEC)
- snprintf (buf, sizeof(buf), "%s", "anonymous");
- else {
- GETNAMEINFO(saddr, addr, port);
- snprintf(buf, sizeof(buf), "%s[%s]", addr, port);
- }
-
- return buf;
-}
-
-char *
-saddrwop2str(saddr)
- const struct sockaddr *saddr;
-{
- static char buf[NI_MAXHOST + NI_MAXSERV + 10];
- char addr[NI_MAXHOST];
-
- if (saddr == NULL)
- return NULL;
-
- GETNAMEINFO_NULL(saddr, addr);
- snprintf(buf, sizeof(buf), "%s", addr);
-
- return buf;
-}
-
-char *
-naddrwop2str(const struct netaddr *naddr)
-{
- static char buf[NI_MAXHOST + 10];
- static const struct sockaddr sa_any; /* this is initialized to all zeros */
-
- if (naddr == NULL)
- return NULL;
-
- if (memcmp(&naddr->sa, &sa_any, sizeof(sa_any)) == 0)
- snprintf(buf, sizeof(buf), "%s", "any");
- else {
- snprintf(buf, sizeof(buf), "%s", saddrwop2str(&naddr->sa.sa));
- snprintf(&buf[strlen(buf)], sizeof(buf) - strlen(buf), "/%ld", naddr->prefix);
- }
- return buf;
-}
-
-char *
-naddrwop2str_fromto(const char *format, const struct netaddr *saddr,
- const struct netaddr *daddr)
-{
- static char buf[2*(NI_MAXHOST + NI_MAXSERV + 10) + 100];
- char *src, *dst;
-
- src = racoon_strdup(naddrwop2str(saddr));
- dst = racoon_strdup(naddrwop2str(daddr));
- STRDUP_FATAL(src);
- STRDUP_FATAL(dst);
- /* WARNING: Be careful about the format string! Don't
- ever pass in something that a user can modify!!! */
- snprintf (buf, sizeof(buf), format, src, dst);
- racoon_free (src);
- racoon_free (dst);
-
- return buf;
-}
-
-char *
-saddr2str_fromto(format, saddr, daddr)
- const char *format;
- const struct sockaddr *saddr;
- const struct sockaddr *daddr;
-{
- static char buf[2*(NI_MAXHOST + NI_MAXSERV + 10) + 100];
- char *src, *dst;
-
- src = racoon_strdup(saddr2str(saddr));
- dst = racoon_strdup(saddr2str(daddr));
- STRDUP_FATAL(src);
- STRDUP_FATAL(dst);
- /* WARNING: Be careful about the format string! Don't
- ever pass in something that a user can modify!!! */
- snprintf (buf, sizeof(buf), format, src, dst);
- racoon_free (src);
- racoon_free (dst);
-
- return buf;
-}
-
-struct sockaddr *
-str2saddr(host, port)
- char *host;
- char *port;
-{
- struct addrinfo hints, *res;
- struct sockaddr *saddr;
- int error;
-
- memset(&hints, 0, sizeof(hints));
- hints.ai_family = PF_UNSPEC;
- hints.ai_socktype = SOCK_DGRAM;
- hints.ai_flags = AI_NUMERICHOST;
- error = getaddrinfo(host, port, &hints, &res);
- if (error != 0) {
- plog(LLV_ERROR, LOCATION, NULL,
- "getaddrinfo(%s%s%s): %s\n",
- host, port ? "," : "", port ? port : "",
- gai_strerror(error));
- return NULL;
- }
- if (res->ai_next != NULL) {
- plog(LLV_WARNING, LOCATION, NULL,
- "getaddrinfo(%s%s%s): "
- "resolved to multiple address, "
- "taking the first one\n",
- host, port ? "," : "", port ? port : "");
- }
- saddr = racoon_malloc(res->ai_addrlen);
- if (saddr == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "failed to allocate buffer.\n");
- freeaddrinfo(res);
- return NULL;
- }
- memcpy(saddr, res->ai_addr, res->ai_addrlen);
- freeaddrinfo(res);
-
- return saddr;
-}
-
-void
-mask_sockaddr(a, b, l)
- struct sockaddr *a;
- const struct sockaddr *b;
- size_t l;
-{
- size_t i;
- u_int8_t *p, alen;
-
- switch (b->sa_family) {
- case AF_INET:
- alen = sizeof(struct in_addr);
- p = (u_int8_t *)&((struct sockaddr_in *)a)->sin_addr;
- break;
-#ifdef INET6
- case AF_INET6:
- alen = sizeof(struct in6_addr);
- p = (u_int8_t *)&((struct sockaddr_in6 *)a)->sin6_addr;
- break;
-#endif
- default:
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid family: %d\n", b->sa_family);
- exit(1);
- }
-
- if ((alen << 3) < l) {
- plog(LLV_ERROR, LOCATION, NULL,
- "unexpected inconsistency: %d %zu\n", b->sa_family, l);
- exit(1);
- }
-
- memcpy(a, b, sysdep_sa_len(b));
- p[l / 8] &= (0xff00 >> (l % 8)) & 0xff;
- for (i = l / 8 + 1; i < alen; i++)
- p[i] = 0x00;
-}
-
-/* Compute a score describing how "accurate" a netaddr is for a given sockaddr.
- * Examples:
- * Return values for address 10.20.30.40 [port 500] and given netaddresses...
- * 10.10.0.0/16 => -1 ... doesn't match
- * 0.0.0.0/0 => 0 ... matches, but only 0 bits.
- * 10.20.0.0/16 => 16 ... 16 bits match
- * 10.20.30.0/24 => 24 ... guess what ;-)
- * 10.20.30.40/32 => 32 ... whole address match
- * 10.20.30.40:500 => 33 ... both address and port match
- * 10.20.30.40:501 => -1 ... port doesn't match and isn't 0 (=any)
- */
-int
-naddr_score(const struct netaddr *naddr, const struct sockaddr *saddr)
-{
- static const struct netaddr naddr_any; /* initialized to all-zeros */
- struct sockaddr sa;
- u_int16_t naddr_port, saddr_port;
- int port_score;
-
- if (!naddr || !saddr) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Call with null args: naddr=%p, saddr=%p\n",
- naddr, saddr);
- return -1;
- }
-
- /* Wildcard address matches, but only 0 bits. */
- if (memcmp(naddr, &naddr_any, sizeof(naddr_any)) == 0)
- return 0;
-
- /* If families don't match we really can't do much... */
- if (naddr->sa.sa.sa_family != saddr->sa_family)
- return -1;
-
- /* If port check fail don't bother to check addresses. */
- naddr_port = extract_port(&naddr->sa.sa);
- saddr_port = extract_port(saddr);
- if (naddr_port == 0 || saddr_port == 0) /* wildcard match */
- port_score = 0;
- else if (naddr_port == saddr_port) /* exact match */
- port_score = 1;
- else /* mismatch :-) */
- return -1;
-
- /* Here it comes - compare network addresses. */
- mask_sockaddr(&sa, saddr, naddr->prefix);
- if (loglevel >= LLV_DEBUG) { /* debug only */
- char *a1, *a2, *a3;
- a1 = racoon_strdup(naddrwop2str(naddr));
- a2 = racoon_strdup(saddrwop2str(saddr));
- a3 = racoon_strdup(saddrwop2str(&sa));
- STRDUP_FATAL(a1);
- STRDUP_FATAL(a2);
- STRDUP_FATAL(a3);
- plog(LLV_DEBUG, LOCATION, NULL,
- "naddr=%s, saddr=%s (masked=%s)\n",
- a1, a2, a3);
- free(a1);
- free(a2);
- free(a3);
- }
- if (cmpsaddrwop(&sa, &naddr->sa.sa) == 0)
- return naddr->prefix + port_score;
-
- return -1;
-}
-
-/* Some usefull functions for sockaddr port manipulations. */
-u_int16_t
-extract_port (const struct sockaddr *addr)
-{
- u_int16_t port = 0;
-
- if (!addr)
- return port;
-
- switch (addr->sa_family) {
- case AF_INET:
- port = ((struct sockaddr_in *)addr)->sin_port;
- break;
- case AF_INET6:
- port = ((struct sockaddr_in6 *)addr)->sin6_port;
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL, "unknown AF: %u\n", addr->sa_family);
- break;
- }
-
- return ntohs(port);
-}
-
-u_int16_t *
-get_port_ptr (struct sockaddr *addr)
-{
- u_int16_t *port_ptr;
-
- if (!addr)
- return NULL;
-
- switch (addr->sa_family) {
- case AF_INET:
- port_ptr = &(((struct sockaddr_in *)addr)->sin_port);
- break;
- case AF_INET6:
- port_ptr = &(((struct sockaddr_in6 *)addr)->sin6_port);
- break;
- default:
- plog(LLV_ERROR, LOCATION, NULL, "unknown AF: %u\n", addr->sa_family);
- return NULL;
- break;
- }
-
- return port_ptr;
-}
-
-u_int16_t *
-set_port (struct sockaddr *addr, u_int16_t new_port)
-{
- u_int16_t *port_ptr;
-
- port_ptr = get_port_ptr (addr);
-
- if (port_ptr)
- *port_ptr = htons(new_port);
-
- return port_ptr;
-}
diff --git a/src/racoon/sockmisc.h b/src/racoon/sockmisc.h
deleted file mode 100644
index a035dec..0000000
--- a/src/racoon/sockmisc.h
+++ /dev/null
@@ -1,89 +0,0 @@
-/* $NetBSD: sockmisc.h,v 1.7 2006/09/09 16:22:10 manu Exp $ */
-
-/* Id: sockmisc.h,v 1.9 2005/10/05 16:55:41 manubsd Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _SOCKMISC_H
-#define _SOCKMISC_H
-
-struct netaddr {
- union {
- struct sockaddr sa;
- struct sockaddr_in sin;
- struct sockaddr_in6 sin6;
- } sa;
- unsigned long prefix;
-};
-
-extern const int niflags;
-
-extern int cmpsaddrwop __P((const struct sockaddr *, const struct sockaddr *));
-extern int cmpsaddrwild __P((const struct sockaddr *, const struct sockaddr *));
-extern int cmpsaddrstrict __P((const struct sockaddr *, const struct sockaddr *));
-
-#ifdef ENABLE_NATT
-#define CMPSADDR(saddr1, saddr2) cmpsaddrstrict((saddr1), (saddr2))
-#else
-#define CMPSADDR(saddr1, saddr2) cmpsaddrwop((saddr1), (saddr2))
-#endif
-
-extern struct sockaddr *getlocaladdr __P((struct sockaddr *));
-
-extern int recvfromto __P((int, void *, size_t, int,
- struct sockaddr *, socklen_t *, struct sockaddr *, unsigned int *));
-extern int sendfromto __P((int, const void *, size_t,
- struct sockaddr *, struct sockaddr *, int));
-
-extern int setsockopt_bypass __P((int, int));
-
-extern struct sockaddr *newsaddr __P((int));
-extern struct sockaddr *dupsaddr __P((struct sockaddr *));
-extern char *saddr2str __P((const struct sockaddr *));
-extern char *saddrwop2str __P((const struct sockaddr *));
-extern char *saddr2str_fromto __P((const char *format,
- const struct sockaddr *saddr,
- const struct sockaddr *daddr));
-extern struct sockaddr *str2saddr __P((char *, char *));
-extern void mask_sockaddr __P((struct sockaddr *, const struct sockaddr *,
- size_t));
-
-/* struct netaddr functions */
-extern char *naddrwop2str __P((const struct netaddr *naddr));
-extern char *naddrwop2str_fromto __P((const char *format, const struct netaddr *saddr,
- const struct netaddr *daddr));
-extern int naddr_score(const struct netaddr *naddr, const struct sockaddr *saddr);
-
-/* Some usefull functions for sockaddr port manipulations. */
-extern u_int16_t extract_port __P((const struct sockaddr *addr));
-extern u_int16_t *set_port __P((struct sockaddr *addr, u_int16_t new_port));
-extern u_int16_t *get_port_ptr __P((struct sockaddr *addr));
-
-#endif /* _SOCKMISC_H */
diff --git a/src/racoon/stats.pl b/src/racoon/stats.pl
deleted file mode 100644
index f509512..0000000
--- a/src/racoon/stats.pl
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/usr/bin/perl
-# usage:
-# % cat /var/log/racoon-stats.log | perl stats.pl
-
-while(<STDIN>) {
- chomp;
- ($a, $a, $a, $a, $a, $b) = split(/\s+/, $_, 6);
- ($a, $c) = split(/:/, $b, 2);
- $r{$a} += $c;
- $t{$a}++;
-}
-
-foreach (sort keys %t) {
- printf "%s: total=%d avg=%8.6f\n", $_, $t{$_}, $r{$_}/$t{$_};
-}
diff --git a/src/racoon/str2val.c b/src/racoon/str2val.c
deleted file mode 100644
index 62d38a6..0000000
--- a/src/racoon/str2val.c
+++ /dev/null
@@ -1,126 +0,0 @@
-/* $NetBSD: str2val.c,v 1.4 2006/09/09 16:22:10 manu Exp $ */
-
-/* $KAME: str2val.c,v 1.11 2001/08/16 14:37:29 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <ctype.h>
-
-#include <stdlib.h>
-#include <stdio.h>
-
-#include "str2val.h"
-#include "gcmalloc.h"
-
-/*
- * exchange a value to a hex string.
- * must free buffer allocated later.
- */
-caddr_t
-val2str(buf, mlen)
- const char *buf;
- size_t mlen;
-{
- caddr_t new;
- size_t len = (mlen * 2) + mlen / 8 + 10;
- size_t i, j;
-
- if ((new = racoon_malloc(len)) == 0) return(0);
-
- for (i = 0, j = 0; i < mlen; i++) {
- snprintf(&new[j], len - j, "%02x", (u_char)buf[i]);
- j += 2;
- if (i % 8 == 7) {
- new[j++] = ' ';
- new[j] = '\0';
- }
- }
- new[j] = '\0';
-
- return(new);
-}
-
-/*
- * exchange a string based "base" to a value.
- */
-char *
-str2val(str, base, len)
- const char *str;
- int base;
- size_t *len;
-{
- int f;
- size_t i;
- char *dst;
- char *rp;
- const char *p;
- char b[3];
-
- i = 0;
- for (p = str; *p != '\0'; p++) {
- if (isxdigit((int)*p))
- i++;
- else if (isspace((int)*p))
- ;
- else
- return NULL;
- }
- if (i == 0 || (i % 2) != 0)
- return NULL;
- i /= 2;
-
- if ((dst = racoon_malloc(i)) == NULL)
- return NULL;
-
- i = 0;
- f = 0;
- for (rp = dst, p = str; *p != '\0'; p++) {
- if (isxdigit((int)*p)) {
- if (!f) {
- b[0] = *p;
- f = 1;
- } else {
- b[1] = *p;
- b[2] = '\0';
- *rp++ = (char)strtol(b, NULL, base);
- i++;
- f = 0;
- }
- }
- }
-
- *len = i;
-
- return(dst);
-}
diff --git a/src/racoon/str2val.h b/src/racoon/str2val.h
deleted file mode 100644
index 4a7cec1..0000000
--- a/src/racoon/str2val.h
+++ /dev/null
@@ -1,40 +0,0 @@
-/* $NetBSD: str2val.h,v 1.4 2006/09/09 16:22:10 manu Exp $ */
-
-/* Id: str2val.h,v 1.3 2004/06/11 16:00:17 ludvigm Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _STR2VAL_H
-#define _STR2VAL_H
-
-extern caddr_t val2str __P((const char *, size_t));
-extern char *str2val __P((const char *, int, size_t *));
-
-#endif /* _STR2VAL_H */
diff --git a/src/racoon/strnames.c b/src/racoon/strnames.c
deleted file mode 100644
index fa5df0f..0000000
--- a/src/racoon/strnames.c
+++ /dev/null
@@ -1,1034 +0,0 @@
-/* $NetBSD: strnames.c,v 1.7.6.1 2007/08/01 11:52:22 vanhu Exp $ */
-
-/* $KAME: strnames.c,v 1.25 2003/11/13 10:53:26 itojun Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include PATH_IPSEC_H
-#include <netinet/in.h>
-
-#include <stdio.h>
-#include <stdlib.h>
-#ifdef ENABLE_HYBRID
-#include <resolv.h>
-#endif
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-
-#include "isakmp_var.h"
-#include "isakmp.h"
-#ifdef ENABLE_HYBRID
-# include "isakmp_xauth.h"
-# include "isakmp_unity.h"
-# include "isakmp_cfg.h"
-#endif
-#include "ipsec_doi.h"
-#include "oakley.h"
-#include "handler.h"
-#include "pfkey.h"
-#include "strnames.h"
-#include "algorithm.h"
-
-struct ksmap {
- int key;
- char *str;
- char *(*f) __P((int));
-};
-
-char *
-num2str(n)
- int n;
-{
- static char buf[20];
-
- snprintf(buf, sizeof(buf), "%d", n);
-
- return buf;
-}
-
-/* isakmp.h */
-char *
-s_isakmp_state(t, d, s)
- int t, d, s;
-{
- switch (t) {
- case ISAKMP_ETYPE_AGG:
- switch (d) {
- case INITIATOR:
- switch (s) {
- case PHASE1ST_MSG1SENT:
- return "agg I msg1";
- case PHASE1ST_ESTABLISHED:
- return "agg I msg2";
- default:
- break;
- }
- case RESPONDER:
- switch (s) {
- case PHASE1ST_MSG1SENT:
- return "agg R msg1";
- default:
- break;
- }
- }
- break;
- case ISAKMP_ETYPE_BASE:
- switch (d) {
- case INITIATOR:
- switch (s) {
- case PHASE1ST_MSG1SENT:
- return "base I msg1";
- case PHASE1ST_MSG2SENT:
- return "base I msg2";
- default:
- break;
- }
- case RESPONDER:
- switch (s) {
- case PHASE1ST_MSG1SENT:
- return "base R msg1";
- case PHASE1ST_ESTABLISHED:
- return "base R msg2";
- default:
- break;
- }
- }
- break;
- case ISAKMP_ETYPE_IDENT:
- switch (d) {
- case INITIATOR:
- switch (s) {
- case PHASE1ST_MSG1SENT:
- return "ident I msg1";
- case PHASE1ST_MSG2SENT:
- return "ident I msg2";
- case PHASE1ST_MSG3SENT:
- return "ident I msg3";
- default:
- break;
- }
- case RESPONDER:
- switch (s) {
- case PHASE1ST_MSG1SENT:
- return "ident R msg1";
- case PHASE1ST_MSG2SENT:
- return "ident R msg2";
- case PHASE1ST_ESTABLISHED:
- return "ident R msg3";
- default:
- break;
- }
- }
- break;
- case ISAKMP_ETYPE_QUICK:
- switch (d) {
- case INITIATOR:
- switch (s) {
- case PHASE2ST_MSG1SENT:
- return "quick I msg1";
- case PHASE2ST_ADDSA:
- return "quick I msg2";
- default:
- break;
- }
- case RESPONDER:
- switch (s) {
- case PHASE2ST_MSG1SENT:
- return "quick R msg1";
- case PHASE2ST_COMMIT:
- return "quick R msg2";
- default:
- break;
- }
- }
- break;
- default:
- case ISAKMP_ETYPE_NONE:
- case ISAKMP_ETYPE_AUTH:
- case ISAKMP_ETYPE_INFO:
- case ISAKMP_ETYPE_NEWGRP:
- case ISAKMP_ETYPE_ACKINFO:
- break;
- }
- /*NOTREACHED*/
-
- return "???";
-}
-
-static struct ksmap name_isakmp_certtype[] = {
-{ ISAKMP_CERT_NONE, "NONE", NULL },
-{ ISAKMP_CERT_PKCS7, "PKCS #7 wrapped X.509 certificate", NULL },
-{ ISAKMP_CERT_PGP, "PGP Certificate", NULL },
-{ ISAKMP_CERT_DNS, "DNS Signed Key", NULL },
-{ ISAKMP_CERT_X509SIGN, "X.509 Certificate Signature", NULL },
-{ ISAKMP_CERT_X509KE, "X.509 Certificate Key Exchange", NULL },
-{ ISAKMP_CERT_KERBEROS, "Kerberos Tokens", NULL },
-{ ISAKMP_CERT_CRL, "Certificate Revocation List (CRL)", NULL },
-{ ISAKMP_CERT_ARL, "Authority Revocation List (ARL)", NULL },
-{ ISAKMP_CERT_SPKI, "SPKI Certificate", NULL },
-{ ISAKMP_CERT_X509ATTR, "X.509 Certificate Attribute", NULL },
-};
-
-char *
-s_isakmp_certtype(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_isakmp_certtype); i++)
- if (name_isakmp_certtype[i].key == k)
- return name_isakmp_certtype[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_isakmp_etype[] = {
-{ ISAKMP_ETYPE_NONE, "None", NULL },
-{ ISAKMP_ETYPE_BASE, "Base", NULL },
-{ ISAKMP_ETYPE_IDENT, "Identity Protection", NULL },
-{ ISAKMP_ETYPE_AUTH, "Authentication Only", NULL },
-{ ISAKMP_ETYPE_AGG, "Aggressive", NULL },
-{ ISAKMP_ETYPE_INFO, "Informational", NULL },
-{ ISAKMP_ETYPE_CFG, "Mode config", NULL },
-{ ISAKMP_ETYPE_QUICK, "Quick", NULL },
-{ ISAKMP_ETYPE_NEWGRP, "New Group", NULL },
-{ ISAKMP_ETYPE_ACKINFO, "Acknowledged Informational", NULL },
-};
-
-char *
-s_isakmp_etype(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_isakmp_etype); i++)
- if (name_isakmp_etype[i].key == k)
- return name_isakmp_etype[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_isakmp_notify_msg[] = {
-{ ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE, "INVALID-PAYLOAD-TYPE", NULL },
-{ ISAKMP_NTYPE_DOI_NOT_SUPPORTED, "DOI-NOT-SUPPORTED", NULL },
-{ ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED, "SITUATION-NOT-SUPPORTED", NULL },
-{ ISAKMP_NTYPE_INVALID_COOKIE, "INVALID-COOKIE", NULL },
-{ ISAKMP_NTYPE_INVALID_MAJOR_VERSION, "INVALID-MAJOR-VERSION", NULL },
-{ ISAKMP_NTYPE_INVALID_MINOR_VERSION, "INVALID-MINOR-VERSION", NULL },
-{ ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE, "INVALID-EXCHANGE-TYPE", NULL },
-{ ISAKMP_NTYPE_INVALID_FLAGS, "INVALID-FLAGS", NULL },
-{ ISAKMP_NTYPE_INVALID_MESSAGE_ID, "INVALID-MESSAGE-ID", NULL },
-{ ISAKMP_NTYPE_INVALID_PROTOCOL_ID, "INVALID-PROTOCOL-ID", NULL },
-{ ISAKMP_NTYPE_INVALID_SPI, "INVALID-SPI", NULL },
-{ ISAKMP_NTYPE_INVALID_TRANSFORM_ID, "INVALID-TRANSFORM-ID", NULL },
-{ ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED, "ATTRIBUTES-NOT-SUPPORTED", NULL },
-{ ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN, "NO-PROPOSAL-CHOSEN", NULL },
-{ ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX, "BAD-PROPOSAL-SYNTAX", NULL },
-{ ISAKMP_NTYPE_PAYLOAD_MALFORMED, "PAYLOAD-MALFORMED", NULL },
-{ ISAKMP_NTYPE_INVALID_KEY_INFORMATION, "INVALID-KEY-INFORMATION", NULL },
-{ ISAKMP_NTYPE_INVALID_ID_INFORMATION, "INVALID-ID-INFORMATION", NULL },
-{ ISAKMP_NTYPE_INVALID_CERT_ENCODING, "INVALID-CERT-ENCODING", NULL },
-{ ISAKMP_NTYPE_INVALID_CERTIFICATE, "INVALID-CERTIFICATE", NULL },
-{ ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX, "BAD-CERT-REQUEST-SYNTAX", NULL },
-{ ISAKMP_NTYPE_INVALID_CERT_AUTHORITY, "INVALID-CERT-AUTHORITY", NULL },
-{ ISAKMP_NTYPE_INVALID_HASH_INFORMATION, "INVALID-HASH-INFORMATION", NULL },
-{ ISAKMP_NTYPE_AUTHENTICATION_FAILED, "AUTHENTICATION-FAILED", NULL },
-{ ISAKMP_NTYPE_INVALID_SIGNATURE, "INVALID-SIGNATURE", NULL },
-{ ISAKMP_NTYPE_ADDRESS_NOTIFICATION, "ADDRESS-NOTIFICATION", NULL },
-{ ISAKMP_NTYPE_NOTIFY_SA_LIFETIME, "NOTIFY-SA-LIFETIME", NULL },
-{ ISAKMP_NTYPE_CERTIFICATE_UNAVAILABLE, "CERTIFICATE-UNAVAILABLE", NULL },
-{ ISAKMP_NTYPE_UNSUPPORTED_EXCHANGE_TYPE, "UNSUPPORTED-EXCHANGE-TYPE", NULL },
-{ ISAKMP_NTYPE_UNEQUAL_PAYLOAD_LENGTHS, "UNEQUAL-PAYLOAD-LENGTHS", NULL },
-{ ISAKMP_NTYPE_CONNECTED, "CONNECTED", NULL },
-{ ISAKMP_NTYPE_RESPONDER_LIFETIME, "RESPONDER-LIFETIME", NULL },
-{ ISAKMP_NTYPE_REPLAY_STATUS, "REPLAY-STATUS", NULL },
-{ ISAKMP_NTYPE_INITIAL_CONTACT, "INITIAL-CONTACT", NULL },
-#ifdef ENABLE_HYBRID
-{ ISAKMP_NTYPE_UNITY_HEARTBEAT, "HEARTBEAT (Unity)", NULL },
-#endif
-{ ISAKMP_LOG_RETRY_LIMIT_REACHED, "RETRY-LIMIT-REACHED", NULL },
-};
-
-char *
-s_isakmp_notify_msg(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_isakmp_notify_msg); i++)
- if (name_isakmp_notify_msg[i].key == k)
- return name_isakmp_notify_msg[i].str;
-
- return num2str(k);
-}
-
-static struct ksmap name_isakmp_nptype[] = {
-{ ISAKMP_NPTYPE_NONE, "none", NULL },
-{ ISAKMP_NPTYPE_SA, "sa", NULL },
-{ ISAKMP_NPTYPE_P, "prop", NULL },
-{ ISAKMP_NPTYPE_T, "trns", NULL },
-{ ISAKMP_NPTYPE_KE, "ke", NULL },
-{ ISAKMP_NPTYPE_ID, "id", NULL },
-{ ISAKMP_NPTYPE_CERT, "cert", NULL },
-{ ISAKMP_NPTYPE_CR, "cr", NULL },
-{ ISAKMP_NPTYPE_HASH, "hash", NULL },
-{ ISAKMP_NPTYPE_SIG, "sig", NULL },
-{ ISAKMP_NPTYPE_NONCE, "nonce", NULL },
-{ ISAKMP_NPTYPE_N, "notify", NULL },
-{ ISAKMP_NPTYPE_D, "delete", NULL },
-{ ISAKMP_NPTYPE_VID, "vid", NULL },
-{ ISAKMP_NPTYPE_ATTR, "attr", NULL },
-{ ISAKMP_NPTYPE_GSS, "gss id", NULL },
-{ ISAKMP_NPTYPE_NATD_RFC, "nat-d", NULL },
-{ ISAKMP_NPTYPE_NATOA_RFC, "nat-oa", NULL },
-{ ISAKMP_NPTYPE_NATD_DRAFT, "nat-d", NULL },
-{ ISAKMP_NPTYPE_NATOA_DRAFT, "nat-oa", NULL },
-{ ISAKMP_NPTYPE_FRAG, "ike frag", NULL },
-};
-
-char *
-s_isakmp_nptype(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_isakmp_nptype); i++)
- if (name_isakmp_nptype[i].key == k)
- return name_isakmp_nptype[i].str;
- return num2str(k);
-}
-
-#ifdef ENABLE_HYBRID
-/* isakmp_cfg.h / isakmp_unity.h / isakmp_xauth.h */
-static struct ksmap name_isakmp_cfg_type[] = {
-{ INTERNAL_IP4_ADDRESS, "INTERNAL_IP4_ADDRESS", NULL },
-{ INTERNAL_IP4_NETMASK, "INTERNAL_IP4_NETMASK", NULL },
-{ INTERNAL_IP4_DNS, "INTERNAL_IP4_DNS", NULL },
-{ INTERNAL_IP4_NBNS, "INTERNAL_IP4_NBNS", NULL },
-{ INTERNAL_ADDRESS_EXPIRY, "INTERNAL_ADDRESS_EXPIRY", NULL },
-{ INTERNAL_IP4_DHCP, "INTERNAL_IP4_DHCP", NULL },
-{ APPLICATION_VERSION, "APPLICATION_VERSION", NULL },
-{ INTERNAL_IP6_ADDRESS, "INTERNAL_IP6_ADDRESS", NULL },
-{ INTERNAL_IP6_NETMASK, "INTERNAL_IP6_NETMASK", NULL },
-{ INTERNAL_IP6_DNS, "INTERNAL_IP6_DNS", NULL },
-{ INTERNAL_IP6_NBNS, "INTERNAL_IP6_NBNS", NULL },
-{ INTERNAL_IP6_DHCP, "INTERNAL_IP6_DHCP", NULL },
-{ INTERNAL_IP4_SUBNET, "INTERNAL_IP4_SUBNET", NULL },
-{ SUPPORTED_ATTRIBUTES, "SUPPORTED_ATTRIBUTES", NULL },
-{ INTERNAL_IP6_SUBNET, "INTERNAL_IP6_SUBNET", NULL },
-{ XAUTH_TYPE, "XAUTH_TYPE", NULL },
-{ XAUTH_USER_NAME, "XAUTH_USER_NAME", NULL },
-{ XAUTH_USER_PASSWORD, "XAUTH_USER_PASSWORD", NULL },
-{ XAUTH_PASSCODE, "XAUTH_PASSCODE", NULL },
-{ XAUTH_MESSAGE, "XAUTH_MESSAGE", NULL },
-{ XAUTH_CHALLENGE, "XAUTH_CHALLENGE", NULL },
-{ XAUTH_DOMAIN, "XAUTH_DOMAIN", NULL },
-{ XAUTH_STATUS, "XAUTH_STATUS", NULL },
-{ XAUTH_NEXT_PIN, "XAUTH_NEXT_PIN", NULL },
-{ XAUTH_ANSWER, "XAUTH_ANSWER", NULL },
-{ UNITY_BANNER, "UNITY_BANNER", NULL },
-{ UNITY_SAVE_PASSWD, "UNITY_SAVE_PASSWD", NULL },
-{ UNITY_DEF_DOMAIN, "UNITY_DEF_DOMAIN", NULL },
-{ UNITY_SPLITDNS_NAME, "UNITY_SPLITDNS_NAME", NULL },
-{ UNITY_SPLIT_INCLUDE, "UNITY_SPLIT_INCLUDE", NULL },
-{ UNITY_NATT_PORT, "UNITY_NATT_PORT", NULL },
-{ UNITY_LOCAL_LAN, "UNITY_LOCAL_LAN", NULL },
-{ UNITY_PFS, "UNITY_PFS", NULL },
-{ UNITY_FW_TYPE, "UNITY_FW_TYPE", NULL },
-{ UNITY_BACKUP_SERVERS, "UNITY_BACKUP_SERVERS", NULL },
-{ UNITY_DDNS_HOSTNAME, "UNITY_DDNS_HOSTNAME", NULL },
-};
-
-char *
-s_isakmp_cfg_type(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_isakmp_cfg_type); i++)
- if (name_isakmp_cfg_type[i].key == k)
- return name_isakmp_cfg_type[i].str;
- return num2str(k);
-}
-
-/* isakmp_cfg.h / isakmp_unity.h / isakmp_xauth.h */
-static struct ksmap name_isakmp_cfg_ptype[] = {
-{ ISAKMP_CFG_ACK, "mode config ACK", NULL },
-{ ISAKMP_CFG_SET, "mode config SET", NULL },
-{ ISAKMP_CFG_REQUEST, "mode config REQUEST", NULL },
-{ ISAKMP_CFG_REPLY, "mode config REPLY", NULL },
-};
-
-char *
-s_isakmp_cfg_ptype(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_isakmp_cfg_ptype); i++)
- if (name_isakmp_cfg_ptype[i].key == k)
- return name_isakmp_cfg_ptype[i].str;
- return num2str(k);
-}
-
-#endif
-
-/* ipsec_doi.h */
-static struct ksmap name_ipsecdoi_proto[] = {
-{ IPSECDOI_PROTO_ISAKMP, "ISAKMP", s_ipsecdoi_trns_isakmp },
-{ IPSECDOI_PROTO_IPSEC_AH, "AH", s_ipsecdoi_trns_ah },
-{ IPSECDOI_PROTO_IPSEC_ESP, "ESP", s_ipsecdoi_trns_esp },
-{ IPSECDOI_PROTO_IPCOMP, "IPCOMP", s_ipsecdoi_trns_ipcomp },
-};
-
-char *
-s_ipsecdoi_proto(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_ipsecdoi_proto); i++)
- if (name_ipsecdoi_proto[i].key == k)
- return name_ipsecdoi_proto[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_ipsecdoi_trns_isakmp[] = {
-{ IPSECDOI_KEY_IKE, "IKE", NULL },
-};
-
-char *
-s_ipsecdoi_trns_isakmp(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_ipsecdoi_trns_isakmp); i++)
- if (name_ipsecdoi_trns_isakmp[i].key == k)
- return name_ipsecdoi_trns_isakmp[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_ipsecdoi_trns_ah[] = {
-{ IPSECDOI_AH_MD5, "MD5", NULL },
-{ IPSECDOI_AH_SHA, "SHA", NULL },
-{ IPSECDOI_AH_DES, "DES", NULL },
-{ IPSECDOI_AH_SHA256, "SHA256", NULL },
-{ IPSECDOI_AH_SHA384, "SHA384", NULL },
-{ IPSECDOI_AH_SHA512, "SHA512", NULL },
-};
-
-char *
-s_ipsecdoi_trns_ah(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_ipsecdoi_trns_ah); i++)
- if (name_ipsecdoi_trns_ah[i].key == k)
- return name_ipsecdoi_trns_ah[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_ipsecdoi_trns_esp[] = {
-{ IPSECDOI_ESP_DES_IV64, "DES_IV64", NULL },
-{ IPSECDOI_ESP_DES, "DES", NULL },
-{ IPSECDOI_ESP_3DES, "3DES", NULL },
-{ IPSECDOI_ESP_RC5, "RC5", NULL },
-{ IPSECDOI_ESP_IDEA, "IDEA", NULL },
-{ IPSECDOI_ESP_CAST, "CAST", NULL },
-{ IPSECDOI_ESP_BLOWFISH, "BLOWFISH", NULL },
-{ IPSECDOI_ESP_3IDEA, "3IDEA", NULL },
-{ IPSECDOI_ESP_DES_IV32, "DES_IV32", NULL },
-{ IPSECDOI_ESP_RC4, "RC4", NULL },
-{ IPSECDOI_ESP_NULL, "NULL", NULL },
-{ IPSECDOI_ESP_AES, "AES", NULL },
-{ IPSECDOI_ESP_TWOFISH, "TWOFISH", NULL },
-{ IPSECDOI_ESP_CAMELLIA, "CAMELLIA", NULL },
-};
-
-char *
-s_ipsecdoi_trns_esp(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_ipsecdoi_trns_esp); i++)
- if (name_ipsecdoi_trns_esp[i].key == k)
- return name_ipsecdoi_trns_esp[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_ipsecdoi_trns_ipcomp[] = {
-{ IPSECDOI_IPCOMP_OUI, "OUI", NULL},
-{ IPSECDOI_IPCOMP_DEFLATE, "DEFLATE", NULL},
-{ IPSECDOI_IPCOMP_LZS, "LZS", NULL},
-};
-
-char *
-s_ipsecdoi_trns_ipcomp(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_ipsecdoi_trns_ipcomp); i++)
- if (name_ipsecdoi_trns_ipcomp[i].key == k)
- return name_ipsecdoi_trns_ipcomp[i].str;
- return num2str(k);
-}
-
-char *
-s_ipsecdoi_trns(proto, trns)
- int proto, trns;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_ipsecdoi_proto); i++)
- if (name_ipsecdoi_proto[i].key == proto
- && name_ipsecdoi_proto[i].f)
- return (name_ipsecdoi_proto[i].f)(trns);
- return num2str(trns);
-}
-
-static struct ksmap name_attr_ipsec[] = {
-{ IPSECDOI_ATTR_SA_LD_TYPE, "SA Life Type", s_ipsecdoi_ltype },
-{ IPSECDOI_ATTR_SA_LD, "SA Life Duration", NULL },
-{ IPSECDOI_ATTR_GRP_DESC, "Group Description", NULL },
-{ IPSECDOI_ATTR_ENC_MODE, "Encryption Mode", s_ipsecdoi_encmode },
-{ IPSECDOI_ATTR_AUTH, "Authentication Algorithm", s_ipsecdoi_auth },
-{ IPSECDOI_ATTR_KEY_LENGTH, "Key Length", NULL },
-{ IPSECDOI_ATTR_KEY_ROUNDS, "Key Rounds", NULL },
-{ IPSECDOI_ATTR_COMP_DICT_SIZE, "Compression Dictionary Size", NULL },
-{ IPSECDOI_ATTR_COMP_PRIVALG, "Compression Private Algorithm", NULL },
-};
-
-char *
-s_ipsecdoi_attr(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_attr_ipsec); i++)
- if (name_attr_ipsec[i].key == k)
- return name_attr_ipsec[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_attr_ipsec_ltype[] = {
-{ IPSECDOI_ATTR_SA_LD_TYPE_SEC, "seconds", NULL },
-{ IPSECDOI_ATTR_SA_LD_TYPE_KB, "kilobytes", NULL },
-};
-
-char *
-s_ipsecdoi_ltype(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_attr_ipsec_ltype); i++)
- if (name_attr_ipsec_ltype[i].key == k)
- return name_attr_ipsec_ltype[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_attr_ipsec_encmode[] = {
-{ IPSECDOI_ATTR_ENC_MODE_ANY, "Any", NULL },
-{ IPSECDOI_ATTR_ENC_MODE_TUNNEL, "Tunnel", NULL },
-{ IPSECDOI_ATTR_ENC_MODE_TRNS, "Transport", NULL },
-{ IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC, "UDP-Tunnel", NULL },
-{ IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC, "UDP-Transport", NULL },
-{ IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT, "UDP-Tunnel", NULL },
-{ IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT, "UDP-Transport", NULL },
-};
-
-char *
-s_ipsecdoi_encmode(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_attr_ipsec_encmode); i++)
- if (name_attr_ipsec_encmode[i].key == k)
- return name_attr_ipsec_encmode[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_attr_ipsec_auth[] = {
-{ IPSECDOI_ATTR_AUTH_HMAC_MD5, "hmac-md5", NULL },
-{ IPSECDOI_ATTR_AUTH_HMAC_SHA1, "hmac-sha", NULL },
-{ IPSECDOI_ATTR_AUTH_HMAC_SHA2_256, "hmac-sha256", NULL },
-{ IPSECDOI_ATTR_AUTH_HMAC_SHA2_384, "hmac-sha384", NULL },
-{ IPSECDOI_ATTR_AUTH_HMAC_SHA2_512, "hmac-sha512", NULL },
-{ IPSECDOI_ATTR_AUTH_DES_MAC, "des-mac", NULL },
-{ IPSECDOI_ATTR_AUTH_KPDK, "kpdk", NULL },
-};
-
-char *
-s_ipsecdoi_auth(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_attr_ipsec_auth); i++)
- if (name_attr_ipsec_auth[i].key == k)
- return name_attr_ipsec_auth[i].str;
- return num2str(k);
-}
-
-char *
-s_ipsecdoi_attr_v(type, val)
- int type, val;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_attr_ipsec); i++)
- if (name_attr_ipsec[i].key == type
- && name_attr_ipsec[i].f)
- return (name_attr_ipsec[i].f)(val);
- return num2str(val);
-}
-
-static struct ksmap name_ipsecdoi_ident[] = {
-{ IPSECDOI_ID_IPV4_ADDR, "IPv4_address", NULL },
-{ IPSECDOI_ID_FQDN, "FQDN", NULL },
-{ IPSECDOI_ID_USER_FQDN, "User_FQDN", NULL },
-{ IPSECDOI_ID_IPV4_ADDR_SUBNET, "IPv4_subnet", NULL },
-{ IPSECDOI_ID_IPV6_ADDR, "IPv6_address", NULL },
-{ IPSECDOI_ID_IPV6_ADDR_SUBNET, "IPv6_subnet", NULL },
-{ IPSECDOI_ID_IPV4_ADDR_RANGE, "IPv4_address_range", NULL },
-{ IPSECDOI_ID_IPV6_ADDR_RANGE, "IPv6_address_range", NULL },
-{ IPSECDOI_ID_DER_ASN1_DN, "DER_ASN1_DN", NULL },
-{ IPSECDOI_ID_DER_ASN1_GN, "DER_ASN1_GN", NULL },
-{ IPSECDOI_ID_KEY_ID, "KEY_ID", NULL },
-};
-
-char *
-s_ipsecdoi_ident(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_ipsecdoi_ident); i++)
- if (name_ipsecdoi_ident[i].key == k)
- return name_ipsecdoi_ident[i].str;
- return num2str(k);
-}
-
-/* oakley.h */
-static struct ksmap name_oakley_attr[] = {
-{ OAKLEY_ATTR_ENC_ALG, "Encryption Algorithm", s_attr_isakmp_enc },
-{ OAKLEY_ATTR_HASH_ALG, "Hash Algorithm", s_attr_isakmp_hash },
-{ OAKLEY_ATTR_AUTH_METHOD, "Authentication Method", s_oakley_attr_method },
-{ OAKLEY_ATTR_GRP_DESC, "Group Description", s_attr_isakmp_desc },
-{ OAKLEY_ATTR_GRP_TYPE, "Group Type", s_attr_isakmp_group },
-{ OAKLEY_ATTR_GRP_PI, "Group Prime/Irreducible Polynomial", NULL },
-{ OAKLEY_ATTR_GRP_GEN_ONE, "Group Generator One", NULL },
-{ OAKLEY_ATTR_GRP_GEN_TWO, "Group Generator Two", NULL },
-{ OAKLEY_ATTR_GRP_CURVE_A, "Group Curve A", NULL },
-{ OAKLEY_ATTR_GRP_CURVE_B, "Group Curve B", NULL },
-{ OAKLEY_ATTR_SA_LD_TYPE, "Life Type", s_attr_isakmp_ltype },
-{ OAKLEY_ATTR_SA_LD, "Life Duration", NULL },
-{ OAKLEY_ATTR_PRF, "PRF", NULL },
-{ OAKLEY_ATTR_KEY_LEN, "Key Length", NULL },
-{ OAKLEY_ATTR_FIELD_SIZE, "Field Size", NULL },
-{ OAKLEY_ATTR_GRP_ORDER, "Group Order", NULL },
-{ OAKLEY_ATTR_BLOCK_SIZE, "Block Size", NULL },
-{ OAKLEY_ATTR_GSS_ID, "GSS-API endpoint name",NULL },
-};
-
-char *
-s_oakley_attr(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_oakley_attr); i++)
- if (name_oakley_attr[i].key == k)
- return name_oakley_attr[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_attr_isakmp_enc[] = {
-{ OAKLEY_ATTR_ENC_ALG_DES, "DES-CBC", NULL },
-{ OAKLEY_ATTR_ENC_ALG_IDEA, "IDEA-CBC", NULL },
-{ OAKLEY_ATTR_ENC_ALG_BLOWFISH, "Blowfish-CBC", NULL },
-{ OAKLEY_ATTR_ENC_ALG_RC5, "RC5-R16-B64-CBC", NULL },
-{ OAKLEY_ATTR_ENC_ALG_3DES, "3DES-CBC", NULL },
-{ OAKLEY_ATTR_ENC_ALG_CAST, "CAST-CBC", NULL },
-{ OAKLEY_ATTR_ENC_ALG_AES, "AES-CBC", NULL },
-};
-
-char *
-s_attr_isakmp_enc(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_attr_isakmp_enc); i++)
- if (name_attr_isakmp_enc[i].key == k)
- return name_attr_isakmp_enc[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_attr_isakmp_hash[] = {
-{ OAKLEY_ATTR_HASH_ALG_MD5, "MD5", NULL },
-{ OAKLEY_ATTR_HASH_ALG_SHA, "SHA", NULL },
-{ OAKLEY_ATTR_HASH_ALG_TIGER, "Tiger", NULL },
-{ OAKLEY_ATTR_HASH_ALG_SHA2_256,"SHA256", NULL },
-{ OAKLEY_ATTR_HASH_ALG_SHA2_384,"SHA384", NULL },
-{ OAKLEY_ATTR_HASH_ALG_SHA2_512,"SHA512", NULL },
-};
-
-char *
-s_attr_isakmp_hash(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_attr_isakmp_hash); i++)
- if (name_attr_isakmp_hash[i].key == k)
- return name_attr_isakmp_hash[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_attr_isakmp_method[] = {
-{ OAKLEY_ATTR_AUTH_METHOD_PSKEY, "pre-shared key", NULL },
-{ OAKLEY_ATTR_AUTH_METHOD_DSSSIG, "DSS signatures", NULL },
-{ OAKLEY_ATTR_AUTH_METHOD_RSASIG, "RSA signatures", NULL },
-{ OAKLEY_ATTR_AUTH_METHOD_RSAENC, "Encryption with RSA", NULL },
-{ OAKLEY_ATTR_AUTH_METHOD_RSAREV, "Revised encryption with RSA", NULL },
-{ OAKLEY_ATTR_AUTH_METHOD_EGENC, "Encryption with El-Gamal", NULL },
-{ OAKLEY_ATTR_AUTH_METHOD_EGREV, "Revised encryption with El-Gamal", NULL },
-#ifdef HAVE_GSSAPI
-{ OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB, "GSS-API on Kerberos 5", NULL },
-#endif
-#ifdef ENABLE_HYBRID
-{ OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R, "Hybrid DSS server", NULL },
-{ OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R, "Hybrid RSA server", NULL },
-{ OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I, "Hybrid DSS client", NULL },
-{ OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I, "Hybrid RSA client", NULL },
-{ OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I, "XAuth pskey client", NULL },
-{ OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R, "XAuth pskey server", NULL },
-{ OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I, "XAuth RSASIG client", NULL },
-{ OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R, "XAuth RSASIG server", NULL },
-#endif
-};
-
-char *
-s_oakley_attr_method(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_attr_isakmp_method); i++)
- if (name_attr_isakmp_method[i].key == k)
- return name_attr_isakmp_method[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_attr_isakmp_desc[] = {
-{ OAKLEY_ATTR_GRP_DESC_MODP768, "768-bit MODP group", NULL },
-{ OAKLEY_ATTR_GRP_DESC_MODP1024, "1024-bit MODP group", NULL },
-{ OAKLEY_ATTR_GRP_DESC_EC2N155, "EC2N group on GP[2^155]", NULL },
-{ OAKLEY_ATTR_GRP_DESC_EC2N185, "EC2N group on GP[2^185]", NULL },
-{ OAKLEY_ATTR_GRP_DESC_MODP1536, "1536-bit MODP group", NULL },
-{ OAKLEY_ATTR_GRP_DESC_MODP2048, "2048-bit MODP group", NULL },
-{ OAKLEY_ATTR_GRP_DESC_MODP3072, "3072-bit MODP group", NULL },
-{ OAKLEY_ATTR_GRP_DESC_MODP4096, "4096-bit MODP group", NULL },
-{ OAKLEY_ATTR_GRP_DESC_MODP6144, "6144-bit MODP group", NULL },
-{ OAKLEY_ATTR_GRP_DESC_MODP8192, "8192-bit MODP group", NULL },
-};
-
-char *
-s_attr_isakmp_desc(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_attr_isakmp_desc); i++)
- if (name_attr_isakmp_desc[i].key == k)
- return name_attr_isakmp_desc[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_attr_isakmp_group[] = {
-{ OAKLEY_ATTR_GRP_TYPE_MODP, "MODP", NULL },
-{ OAKLEY_ATTR_GRP_TYPE_ECP, "ECP", NULL },
-{ OAKLEY_ATTR_GRP_TYPE_EC2N, "EC2N", NULL },
-};
-
-char *
-s_attr_isakmp_group(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_attr_isakmp_group); i++)
- if (name_attr_isakmp_group[i].key == k)
- return name_attr_isakmp_group[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_attr_isakmp_ltype[] = {
-{ OAKLEY_ATTR_SA_LD_TYPE_SEC, "seconds", NULL },
-{ OAKLEY_ATTR_SA_LD_TYPE_KB, "kilobytes", NULL },
-};
-
-char *
-s_attr_isakmp_ltype(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_attr_isakmp_ltype); i++)
- if (name_attr_isakmp_ltype[i].key == k)
- return name_attr_isakmp_ltype[i].str;
- return num2str(k);
-}
-
-char *
-s_oakley_attr_v(type, val)
- int type, val;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_oakley_attr); i++)
- if (name_oakley_attr[i].key == type
- && name_oakley_attr[i].f)
- return (name_oakley_attr[i].f)(val);
- return num2str(val);
-}
-
-/* netinet6/ipsec.h */
-static struct ksmap name_ipsec_level[] = {
-{ IPSEC_LEVEL_USE, "use", NULL },
-{ IPSEC_LEVEL_REQUIRE, "require", NULL },
-{ IPSEC_LEVEL_UNIQUE, "unique", NULL },
-};
-
-char *
-s_ipsec_level(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_ipsec_level); i++)
- if (name_ipsec_level[i].key == k)
- return name_ipsec_level[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_algclass[] = {
-{ algclass_ipsec_enc, "ipsec enc", s_ipsecdoi_trns_esp },
-{ algclass_ipsec_auth, "ipsec auth", s_ipsecdoi_trns_ah },
-{ algclass_ipsec_comp, "ipsec comp", s_ipsecdoi_trns_ipcomp },
-{ algclass_isakmp_enc, "isakmp enc", s_attr_isakmp_enc },
-{ algclass_isakmp_hash, "isakmp hash", s_attr_isakmp_hash },
-{ algclass_isakmp_dh, "isakmp dh", s_attr_isakmp_desc },
-{ algclass_isakmp_ameth, "isakmp auth method", s_oakley_attr_method },
-};
-
-char *
-s_algclass(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_algclass); i++)
- if (name_algclass[i].key == k)
- return name_algclass[i].str;
- return num2str(k);
-}
-
-char *
-s_algtype(class, n)
- int class, n;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_algclass); i++)
- if (name_algclass[i].key == class
- && name_algclass[i].f)
- return (name_algclass[i].f)(n);
- return num2str(n);
-}
-
-/* pfkey.h */
-static struct ksmap name_pfkey_type[] = {
-{ SADB_GETSPI, "GETSPI", NULL },
-{ SADB_UPDATE, "UPDATE", NULL },
-{ SADB_ADD, "ADD", NULL },
-{ SADB_DELETE, "DELETE", NULL },
-{ SADB_GET, "GET", NULL },
-{ SADB_ACQUIRE, "ACQUIRE", NULL },
-{ SADB_REGISTER, "REGISTER", NULL },
-{ SADB_EXPIRE, "EXPIRE", NULL },
-{ SADB_FLUSH, "FLUSH", NULL },
-{ SADB_DUMP, "DUMP", NULL },
-{ SADB_X_PROMISC, "X_PROMISC", NULL },
-{ SADB_X_PCHANGE, "X_PCHANGE", NULL },
-{ SADB_X_SPDUPDATE, "X_SPDUPDATE", NULL },
-{ SADB_X_SPDADD, "X_SPDADD", NULL },
-{ SADB_X_SPDDELETE, "X_SPDDELETE", NULL },
-{ SADB_X_SPDGET, "X_SPDGET", NULL },
-{ SADB_X_SPDACQUIRE, "X_SPDACQUIRE", NULL },
-{ SADB_X_SPDDUMP, "X_SPDDUMP", NULL },
-{ SADB_X_SPDFLUSH, "X_SPDFLUSH", NULL },
-{ SADB_X_SPDSETIDX, "X_SPDSETIDX", NULL },
-{ SADB_X_SPDEXPIRE, "X_SPDEXPIRE", NULL },
-{ SADB_X_SPDDELETE2, "X_SPDDELETE2", NULL },
-#ifdef SADB_X_NAT_T_NEW_MAPPING
-{ SADB_X_NAT_T_NEW_MAPPING, "X_NAT_T_NEW_MAPPING", NULL },
-#endif
-#ifdef SADB_X_MIGRATE
-{ SADB_X_MIGRATE, "X_MIGRATE", NULL },
-#endif
-};
-
-char *
-s_pfkey_type(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_pfkey_type); i++)
- if (name_pfkey_type[i].key == k)
- return name_pfkey_type[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_pfkey_satype[] = {
-{ SADB_SATYPE_UNSPEC, "UNSPEC", NULL },
-{ SADB_SATYPE_AH, "AH", NULL },
-{ SADB_SATYPE_ESP, "ESP", NULL },
-{ SADB_SATYPE_RSVP, "RSVP", NULL },
-{ SADB_SATYPE_OSPFV2, "OSPFV2", NULL },
-{ SADB_SATYPE_RIPV2, "RIPV2", NULL },
-{ SADB_SATYPE_MIP, "MIP", NULL },
-{ SADB_X_SATYPE_IPCOMP, "IPCOMP", NULL },
-};
-
-char *
-s_pfkey_satype(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_pfkey_satype); i++)
- if (name_pfkey_satype[i].key == k)
- return name_pfkey_satype[i].str;
- return num2str(k);
-}
-
-static struct ksmap name_direction[] = {
-{ IPSEC_DIR_INBOUND, "in", NULL },
-{ IPSEC_DIR_OUTBOUND, "out", NULL },
-#ifdef HAVE_POLICY_FWD
-{ IPSEC_DIR_FWD, "fwd", NULL },
-#endif
-};
-
-char *
-s_direction(k)
- int k;
-{
- int i;
- for (i = 0; i < ARRAYLEN(name_direction); i++)
- if (name_direction[i].key == k)
- return name_direction[i].str;
- return num2str(k);
-}
-
-char *
-s_proto(k)
- int k;
-{
- switch (k) {
- case IPPROTO_ICMP:
- return "icmp";
- case IPPROTO_TCP:
- return "tcp";
- case IPPROTO_UDP:
- return "udp";
- case IPPROTO_ICMPV6:
- return "icmpv6";
- case IPSEC_ULPROTO_ANY:
- return "any";
- }
-
- return num2str(k);
-}
-
-char *
-s_doi(int k)
-{
- switch (k) {
- case IPSEC_DOI:
- return "ipsec_doi";
- default:
- return num2str(k);
- }
-}
-
-char *
-s_etype (int k)
-{
- switch (k) {
- case ISAKMP_ETYPE_NONE:
- return "_none";
- case ISAKMP_ETYPE_BASE:
- return "base";
- case ISAKMP_ETYPE_IDENT:
- return "main";
- case ISAKMP_ETYPE_AUTH:
- return "_auth";
- case ISAKMP_ETYPE_AGG:
- return "aggressive";
- case ISAKMP_ETYPE_INFO:
- return "_info";
- case ISAKMP_ETYPE_QUICK:
- return "_quick";
- case ISAKMP_ETYPE_NEWGRP:
- return "_newgrp";
- case ISAKMP_ETYPE_ACKINFO:
- return "_ackinfo";
- default:
- return num2str(k);
- }
-}
-
-char *
-s_idtype (int k)
-{
- switch (k) {
- case IDTYPE_FQDN:
- return "fqdn";
- case IDTYPE_USERFQDN:
- return "user_fqdn";
- case IDTYPE_KEYID:
- return "keyid";
- case IDTYPE_ADDRESS:
- return "address";
- case IDTYPE_ASN1DN:
- return "asn1dn";
- default:
- return num2str(k);
- }
-}
-
-char *
-s_switch (int k)
-{
- switch (k) {
- case FALSE:
- return "off";
- case TRUE:
- return "on";
- default:
- return num2str(k);
- }
-}
diff --git a/src/racoon/strnames.h b/src/racoon/strnames.h
deleted file mode 100644
index 02ebbb5..0000000
--- a/src/racoon/strnames.h
+++ /dev/null
@@ -1,80 +0,0 @@
-/* $NetBSD: strnames.h,v 1.4 2006/09/09 16:22:10 manu Exp $ */
-
-/* Id: strnames.h,v 1.7 2005/04/18 10:04:26 manubsd Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _STRNAMES_H
-#define _STRNAMES_H
-
-extern char *num2str __P((int n));
-
-extern char *s_isakmp_state __P((int, int, int));
-extern char *s_isakmp_certtype __P((int));
-extern char *s_isakmp_etype __P((int));
-extern char *s_isakmp_notify_msg __P((int));
-extern char *s_isakmp_nptype __P((int));
-extern char *s_ipsecdoi_proto __P((int));
-extern char *s_ipsecdoi_trns_isakmp __P((int));
-extern char *s_ipsecdoi_trns_ah __P((int));
-extern char *s_ipsecdoi_trns_esp __P((int));
-extern char *s_ipsecdoi_trns_ipcomp __P((int));
-extern char *s_ipsecdoi_trns __P((int, int));
-extern char *s_ipsecdoi_attr __P((int));
-extern char *s_ipsecdoi_ltype __P((int));
-extern char *s_ipsecdoi_encmode __P((int));
-extern char *s_ipsecdoi_auth __P((int));
-extern char *s_ipsecdoi_attr_v __P((int, int));
-extern char *s_ipsecdoi_ident __P((int));
-extern char *s_oakley_attr __P((int));
-extern char *s_attr_isakmp_enc __P((int));
-extern char *s_attr_isakmp_hash __P((int));
-extern char *s_oakley_attr_method __P((int));
-extern char *s_attr_isakmp_desc __P((int));
-extern char *s_attr_isakmp_group __P((int));
-extern char *s_attr_isakmp_ltype __P((int));
-extern char *s_oakley_attr_v __P((int, int));
-extern char *s_ipsec_level __P((int));
-extern char *s_algclass __P((int));
-extern char *s_algtype __P((int, int));
-extern char *s_pfkey_type __P((int));
-extern char *s_pfkey_satype __P((int));
-extern char *s_direction __P((int));
-extern char *s_proto __P((int));
-extern char *s_doi __P((int));
-extern char *s_etype __P((int));
-extern char *s_idtype __P((int));
-extern char *s_switch __P((int));
-#ifdef ENABLE_HYBRID
-extern char *s_isakmp_cfg_type __P((int));
-extern char *s_isakmp_cfg_ptype __P((int));
-#endif
-
-#endif /* _STRNAMES_H */
diff --git a/src/racoon/throttle.c b/src/racoon/throttle.c
deleted file mode 100644
index cd7de1f..0000000
--- a/src/racoon/throttle.c
+++ /dev/null
@@ -1,158 +0,0 @@
-/* $NetBSD: throttle.c,v 1.4 2006/09/09 16:22:10 manu Exp $ */
-
-/* Id: throttle.c,v 1.5 2006/04/05 20:54:50 manubsd Exp */
-
-/*
- * Copyright (C) 2004 Emmanuel Dreyfus
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#if TIME_WITH_SYS_TIME
-# include <sys/time.h>
-# include <time.h>
-#else
-# if HAVE_SYS_TIME_H
-# include <sys/time.h>
-# else
-# include <time.h>
-# endif
-#endif
-#include <sys/param.h>
-#include <sys/queue.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include <resolv.h>
-
-#include "vmbuf.h"
-#include "misc.h"
-#include "plog.h"
-#include "throttle.h"
-#include "sockmisc.h"
-#include "libpfkey.h"
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "isakmp_xauth.h"
-#include "isakmp_cfg.h"
-#include "gcmalloc.h"
-
-struct throttle_list throttle_list = TAILQ_HEAD_INITIALIZER(throttle_list);
-
-
-struct throttle_entry *
-throttle_add(addr)
- struct sockaddr *addr;
-{
- struct throttle_entry *te;
- size_t len;
-
- len = sizeof(*te)
- - sizeof(struct sockaddr_storage)
- + sysdep_sa_len(addr);
-
- if ((te = racoon_malloc(len)) == NULL)
- return NULL;
-
- te->penalty = time(NULL) + isakmp_cfg_config.auth_throttle;
- memcpy(&te->host, addr, sysdep_sa_len(addr));
- TAILQ_INSERT_HEAD(&throttle_list, te, next);
-
- return te;
-}
-
-int
-throttle_host(addr, authfail)
- struct sockaddr *addr;
- int authfail;
-{
- struct throttle_entry *te;
- int found = 0;
- time_t now;
-
- if (isakmp_cfg_config.auth_throttle == 0)
- return 0;
-
- now = time(NULL);
-
-restart:
- RACOON_TAILQ_FOREACH_REVERSE(te, &throttle_list, throttle_list, next) {
- /*
- * Remove outdated entries
- */
- if (te->penalty < now) {
- TAILQ_REMOVE(&throttle_list, te, next);
- racoon_free(te);
- goto restart;
- }
-
- if (cmpsaddrwop(addr, (struct sockaddr *)&te->host) == 0) {
- found = 1;
- break;
- }
- }
-
- /*
- * No match, if auth failed, allocate a new throttle entry
- * give no penalty even on error: this is the first time
- * and we are indulgent.
- */
- if (!found) {
- if (authfail) {
- if ((te = throttle_add(addr)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "Throttle insertion failed\n");
- return (time(NULL)
- + isakmp_cfg_config.auth_throttle);
- }
- }
- return 0;
- } else {
- /*
- * We had a match and auth failed, increase penalty.
- */
- if (authfail) {
- time_t remaining;
- time_t new;
-
- remaining = te->penalty - now;
- new = remaining + isakmp_cfg_config.auth_throttle;
-
- if (new > THROTTLE_PENALTY_MAX)
- new = THROTTLE_PENALTY_MAX;
-
- te->penalty = now + new;
- }
- }
-
- return te->penalty;
-}
-
diff --git a/src/racoon/throttle.h b/src/racoon/throttle.h
deleted file mode 100644
index baa9af5..0000000
--- a/src/racoon/throttle.h
+++ /dev/null
@@ -1,51 +0,0 @@
-/* $NetBSD: throttle.h,v 1.4 2006/09/09 16:22:10 manu Exp $ */
-
-/* Id: throttle.h,v 1.1 2004/11/30 00:46:09 manubsd Exp */
-
-/*
- * Copyright (C) 2004 Emmanuel Dreyfus
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _THROTTLE_H
-#define _THROTTLE_H
-
-struct throttle_entry {
- int penalty;
- TAILQ_ENTRY(throttle_entry) next;
- struct sockaddr_storage host;
-};
-
-TAILQ_HEAD(throttle_list, throttle_entry);
-
-#define THROTTLE_PENALTY 1
-#define THROTTLE_PENALTY_MAX 10
-
-struct throttle_entry *throttle_add(struct sockaddr *);
-int throttle_host(struct sockaddr *, int);
-
-#endif /* _THROTTLE_H */
diff --git a/src/racoon/var.h b/src/racoon/var.h
deleted file mode 100644
index 8abb1c2..0000000
--- a/src/racoon/var.h
+++ /dev/null
@@ -1,107 +0,0 @@
-/* $NetBSD: var.h,v 1.4.6.1 2007/06/06 15:36:38 vanhu Exp $ */
-
-/* Id: var.h,v 1.6 2004/11/20 16:16:59 monas Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _VAR_H
-#define _VAR_H
-
-#if !defined(_VAR_H_)
-#define _VAR_H_
-
-#define MAX3(a, b, c) (a > b ? (a > c ? a : c) : (b > c ? b : c))
-
-#define ISSET(exp, bit) (((exp) & (bit)) == (bit))
-
-#define LALIGN(a) \
- ((a) > 0 ? ((a) &~ (sizeof(long) - 1)) : sizeof(long))
-
-#define RNDUP(a) \
- ((a) > 0 ? (1 + (((a) - 1) | (sizeof(long) - 1))) : sizeof(long))
-
-#define ARRAYLEN(a) (sizeof(a)/sizeof(a[0]))
-
-#define BUFSIZE 5120
-
-#ifndef FALSE
-#define FALSE 0
-#endif
-#ifndef TRUE
-#define TRUE 1
-#endif
-
-#ifdef ENABLE_STATS
-#include <sys/time.h>
-#endif
-#include <sys/socket.h>
-
-/*
- * use of GETNAMEINFO(x, y, NULL) is not politically correct,
- * as sizeof(NULL) would be 4, not 0. Also, gcc-3.4.2+ bombs on it.
- * In such cases, use GETNAMEINFO_NULL(x, y)
- */
-#include <sys/socket.h>
-#include <netdb.h>
-
-/* var.h is used from non-racoon code (like eaytest), so we can't use niflags */
-#define NIFLAGS (NI_NUMERICHOST | NI_NUMERICSERV)
-
-#define GETNAMEINFO(x, y, z) \
-do { \
- if (getnameinfo((x), sysdep_sa_len(x), (y), sizeof(y), (z), sizeof(z), \
- NIFLAGS) != 0) { \
- if (y != NULL) \
- strncpy((y), "(invalid)", sizeof(y)); \
- if (z != NULL) \
- strncpy((z), "(invalid)", sizeof(z)); \
- } \
-} while (0);
-
-#define GETNAMEINFO_NULL(x, y) \
-do { \
- if (getnameinfo((x), sysdep_sa_len(x), (y), sizeof(y), NULL, 0, \
- NIFLAGS) != 0) { \
- if (y != NULL) \
- strncpy((y), "(invalid)", sizeof(y)); \
- } \
-} while (0);
-
-#include <sys/queue.h>
-#ifndef LIST_FOREACH
-#define LIST_FOREACH(elm, head, field) \
- for (elm = LIST_FIRST(head); elm; elm = LIST_NEXT(elm, field))
-#endif
-
-#include "gcmalloc.h"
-
-#endif /*!defined(_VAR_H_)*/
-
-#endif /* _VAR_H */
diff --git a/src/racoon/vendorid.c b/src/racoon/vendorid.c
deleted file mode 100644
index 96c87a3..0000000
--- a/src/racoon/vendorid.c
+++ /dev/null
@@ -1,317 +0,0 @@
-/* $NetBSD: vendorid.c,v 1.4 2006/09/09 16:22:10 manu Exp $ */
-
-/* Id: vendorid.c,v 1.10 2006/02/22 16:10:21 vanhu Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <sys/param.h>
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#include <ctype.h>
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "plog.h"
-#include "debug.h"
-
-#include "localconf.h"
-#include "isakmp_var.h"
-#include "isakmp.h"
-#include "vendorid.h"
-#include "crypto_openssl.h"
-#include "handler.h"
-#include "remoteconf.h"
-#ifdef ENABLE_NATT
-#include "nattraversal.h"
-#endif
-#ifdef ENABLE_HYBRID
-#include "isakmp_xauth.h"
-#include "isakmp_cfg.h"
-#endif
-
-static struct vendor_id all_vendor_ids[] = {
-{ VENDORID_IPSEC_TOOLS, "IPSec-Tools" },
-{ VENDORID_GSSAPI_LONG, "A GSS-API Authentication Method for IKE" },
-{ VENDORID_GSSAPI , "GSSAPI" },
-{ VENDORID_MS_NT5 , "MS NT5 ISAKMPOAKLEY" },
-{ VENDORID_NATT_00 , "draft-ietf-ipsec-nat-t-ike-00" },
-{ VENDORID_NATT_01 , "draft-ietf-ipsec-nat-t-ike-01" },
-{ VENDORID_NATT_02 , "draft-ietf-ipsec-nat-t-ike-02" },
-{ VENDORID_NATT_02_N , "draft-ietf-ipsec-nat-t-ike-02\n" },
-{ VENDORID_NATT_03 , "draft-ietf-ipsec-nat-t-ike-03" },
-{ VENDORID_NATT_04 , "draft-ietf-ipsec-nat-t-ike-04" },
-{ VENDORID_NATT_05 , "draft-ietf-ipsec-nat-t-ike-05" },
-{ VENDORID_NATT_06 , "draft-ietf-ipsec-nat-t-ike-06" },
-{ VENDORID_NATT_07 , "draft-ietf-ipsec-nat-t-ike-07" },
-{ VENDORID_NATT_08 , "draft-ietf-ipsec-nat-t-ike-08" },
-{ VENDORID_NATT_RFC , "RFC 3947" },
-{ VENDORID_XAUTH , "draft-ietf-ipsra-isakmp-xauth-06.txt" },
-{ VENDORID_UNITY , "CISCO-UNITY" },
-{ VENDORID_FRAG , "FRAGMENTATION" },
-/* Just a readable string for DPD ... */
-{ VENDORID_DPD , "DPD" },
-/* Other known Vendor IDs */
-{ VENDORID_KAME , "KAME/racoon" },
-};
-
-#define NUMVENDORIDS (sizeof(all_vendor_ids)/sizeof(all_vendor_ids[0]))
-
-#define DPD_MAJOR_VERSION 0x01
-#define DPD_MINOR_VERSION 0x00
-
-const char vendorid_dpd_hash[] = {
- 0xAF, 0xCA, 0xD7, 0x13,
- 0x68, 0xA1, 0xF1, 0xC9,
- 0x6B, 0x86, 0x96, 0xFC,
- 0x77, 0x57, DPD_MAJOR_VERSION, DPD_MINOR_VERSION
-};
-
-
-static vchar_t *vendorid_fixup(int, vchar_t *t);
-
-static struct vendor_id *
-lookup_vendor_id_by_id (int id)
-{
- int i;
-
- for (i = 0; i < NUMVENDORIDS; i++)
- if (all_vendor_ids[i].id == id)
- return &all_vendor_ids[i];
-
- return NULL;
-}
-
-const char *
-vid_string_by_id (int id)
-{
- struct vendor_id *current;
-
- if (id == VENDORID_DPD)
- return vendorid_dpd_hash;
-
- current = lookup_vendor_id_by_id(id);
-
- return current ? current->string : NULL;
-}
-
-static struct vendor_id *
-lookup_vendor_id_by_hash (const char *hash)
-{
- int i;
- unsigned char *h = (unsigned char *)hash;
-
- for (i = 0; i < NUMVENDORIDS; i++)
- if (strncmp(all_vendor_ids[i].hash->v, hash,
- all_vendor_ids[i].hash->l) == 0)
- return &all_vendor_ids[i];
-
- return NULL;
-}
-
-void
-compute_vendorids (void)
-{
- int i;
- vchar_t vid;
-
- for (i = 0; i < NUMVENDORIDS; i++) {
- /* VENDORID_DPD is not a MD5 sum... */
- if(all_vendor_ids[i].id == VENDORID_DPD){
- all_vendor_ids[i].hash = vmalloc(sizeof(vendorid_dpd_hash));
- if (all_vendor_ids[i].hash == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "unable to get memory for VID hash\n");
- exit(1); /* this really shouldn't happen */
- }
- memcpy(all_vendor_ids[i].hash->v, vendorid_dpd_hash,
- sizeof(vendorid_dpd_hash));
- continue;
- }
-
- vid.v = (char *) all_vendor_ids[i].string;
- vid.l = strlen(vid.v);
-
- all_vendor_ids[i].hash = eay_md5_one(&vid);
- if (all_vendor_ids[i].hash == NULL)
- plog(LLV_ERROR, LOCATION, NULL,
- "unable to hash vendor ID string\n");
-
- /* Special cases */
- all_vendor_ids[i].hash =
- vendorid_fixup(all_vendor_ids[i].id,
- all_vendor_ids[i].hash);
- }
-}
-
-/*
- * set hashed vendor id.
- * hash function is always MD5.
- */
-vchar_t *
-set_vendorid(int vendorid)
-{
- struct vendor_id *current;
- vchar_t vid, *new;
-
- if (vendorid == VENDORID_UNKNOWN) {
- /*
- * The default unknown ID gets translated to
- * KAME/racoon.
- */
- vendorid = VENDORID_DEFAULT;
- }
-
- current = lookup_vendor_id_by_id(vendorid);
- if (current == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "invalid vendor ID index: %d\n", vendorid);
- return (NULL);
- }
-
- /* The rest of racoon expects a private copy
- * of the VID that could be free'd after use.
- * That's why we don't return the original pointer. */
- return vdup(current->hash);
-}
-
-/*
- * Check the vendor ID payload -- return the vendor ID index
- * if we find a recognized one, or UNKNOWN if we don't.
- *
- * gen ... points to Vendor ID payload.
- */
-int
-check_vendorid(struct isakmp_gen *gen)
-{
- vchar_t vid, *vidhash;
- int i, vidlen;
- struct vendor_id *current;
-
- if (gen == NULL)
- return (VENDORID_UNKNOWN);
-
- vidlen = ntohs(gen->len) - sizeof(*gen);
-
- current = lookup_vendor_id_by_hash((char *)(gen + 1));
- if (!current)
- goto unknown;
-
- if (current->hash->l < vidlen)
- plog(LLV_INFO, LOCATION, NULL,
- "received broken Microsoft ID: %s\n",
- current->string);
- else
- plog(LLV_INFO, LOCATION, NULL,
- "received Vendor ID: %s\n",
- current->string);
-
- return current->id;
-
-unknown:
- plog(LLV_DEBUG, LOCATION, NULL, "received unknown Vendor ID\n");
- plogdump(LLV_DEBUG, (char *)(gen + 1), vidlen);
- return (VENDORID_UNKNOWN);
-}
-
-int
-handle_vendorid(struct ph1handle *iph1, struct isakmp_gen *gen)
-{
- int vid_numeric;
-
- vid_numeric = check_vendorid(gen);
- if (vid_numeric == VENDORID_UNKNOWN)
- return vid_numeric;
-
-#ifdef ENABLE_NATT
- if (natt_vendorid(vid_numeric))
- natt_handle_vendorid(iph1, vid_numeric);
-#endif
-#ifdef ENABLE_HYBRID
- switch (vid_numeric) {
- case VENDORID_XAUTH:
- iph1->mode_cfg->flags |= ISAKMP_CFG_VENDORID_XAUTH;
- break;
- case VENDORID_UNITY:
- iph1->mode_cfg->flags |= ISAKMP_CFG_VENDORID_UNITY;
- break;
- default:
- break;
- }
-#endif
-#ifdef ENABLE_DPD
- if (vid_numeric == VENDORID_DPD &&
- (iph1->rmconf == NULL || iph1->rmconf->dpd)) {
- iph1->dpd_support = 1;
- plog(LLV_DEBUG, LOCATION, NULL, "remote supports DPD\n");
- }
-#endif
-
- return vid_numeric;
-}
-
-static vchar_t *
-vendorid_fixup(vendorid, vidhash)
- int vendorid;
- vchar_t *vidhash;
-{
- switch(vendorid) {
- case VENDORID_XAUTH: { /* The vendor Id is truncated */
- vchar_t *tmp;
-
- if ((tmp = vmalloc(8)) == NULL) {
- plog(LLV_ERROR, LOCATION, NULL,
- "unable to hash vendor ID string\n");
- return NULL;
- }
-
- memcpy(tmp->v, vidhash->v, 8);
- vfree(vidhash);
- vidhash = tmp;
-
- break;
- }
- case VENDORID_UNITY: /* Two bytes tweak */
- vidhash->v[14] = 0x01;
- vidhash->v[15] = 0x00;
- break;
-
- default:
- break;
- }
-
- return vidhash;
-}
diff --git a/src/racoon/vendorid.h b/src/racoon/vendorid.h
deleted file mode 100644
index 7060c7e..0000000
--- a/src/racoon/vendorid.h
+++ /dev/null
@@ -1,106 +0,0 @@
-/* $NetBSD: vendorid.h,v 1.4 2006/09/09 16:22:10 manu Exp $ */
-
-/* Id: vendorid.h,v 1.11 2006/02/17 14:09:10 vanhu Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _VENDORID_H
-#define _VENDORID_H
-
-/* The unknown vendor ID. */
-#define VENDORID_UNKNOWN -1
-
-
-/* Our default vendor ID. */
-#define VENDORID_DEFAULT VENDORID_IPSEC_TOOLS
-
-#define VENDORID_IPSEC_TOOLS 0
-
-/*
- * Refer to draft-ietf-ipsec-isakmp-gss-auth-06.txt.
- */
-#define VENDORID_GSSAPI_LONG 1
-#define VENDORID_GSSAPI 2
-#define VENDORID_MS_NT5 3
-#define VENDOR_SUPPORTS_GSSAPI(x) \
- ((x) == VENDORID_GSSAPI_LONG || \
- (x) == VENDORID_GSSAPI || \
- (x) == VENDORID_MS_NT5)
-
-/* NAT-T support */
-#define VENDORID_NATT_00 4
-#define VENDORID_NATT_01 5
-#define VENDORID_NATT_02 6
-#define VENDORID_NATT_02_N 7
-#define VENDORID_NATT_03 8
-#define VENDORID_NATT_04 9
-#define VENDORID_NATT_05 10
-#define VENDORID_NATT_06 11
-#define VENDORID_NATT_07 12
-#define VENDORID_NATT_08 13
-#define VENDORID_NATT_RFC 14
-
-#define VENDORID_NATT_FIRST VENDORID_NATT_00
-#define VENDORID_NATT_LAST VENDORID_NATT_RFC
-
-
-#define MAX_NATT_VID_COUNT (VENDORID_NATT_LAST - VENDORID_NATT_FIRST + 1 )
-
-/* Hybrid auth */
-#define VENDORID_XAUTH 15
-#define VENDORID_UNITY 16
-
-/* IKE fragmentation */
-#define VENDORID_FRAG 17
-
-/* Dead Peer Detection */
-#define VENDORID_DPD 18
-
-
-/* Other Vendors...
- * XXX: do some cleanup to have separate lists for "real" vendors (to complete)
- * and "features" VendorIDs
- */
-#define VENDORID_KAME 19
-
-
-struct vendor_id {
- int id;
- const char *string;
- vchar_t *hash;
-};
-
-vchar_t *set_vendorid __P((int));
-int handle_vendorid __P((struct ph1handle *, struct isakmp_gen *));
-
-void compute_vendorids __P((void));
-const char *vid_string_by_id __P((int id));
-
-#endif /* _VENDORID_H */
diff --git a/src/racoon/vmbuf.c b/src/racoon/vmbuf.c
deleted file mode 100644
index 6c1aed1..0000000
--- a/src/racoon/vmbuf.c
+++ /dev/null
@@ -1,137 +0,0 @@
-/* $NetBSD: vmbuf.c,v 1.4 2006/09/09 16:22:10 manu Exp $ */
-
-/* $KAME: vmbuf.c,v 1.11 2001/11/26 16:54:29 sakane Exp $ */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "config.h"
-
-#define NONEED_DRM
-
-#include <sys/types.h>
-#include <sys/param.h>
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-
-#include "var.h"
-#include "misc.h"
-#include "vmbuf.h"
-#include "debug.h"
-#include "plog.h"
-#include "gcmalloc.h"
-
-vchar_t *
-vmalloc(size)
- size_t size;
-{
- vchar_t *var;
-
- if ((var = (vchar_t *)racoon_malloc(sizeof(*var))) == NULL)
- return NULL;
-
- var->l = size;
- if (size == 0) {
- var->v = NULL;
- } else {
- var->v = (caddr_t)racoon_calloc(1, size);
- if (var->v == NULL) {
- (void)racoon_free(var);
- return NULL;
- }
- }
-
- return var;
-}
-
-vchar_t *
-vrealloc(ptr, size)
- vchar_t *ptr;
- size_t size;
-{
- caddr_t v;
-
- if (ptr != NULL) {
- if (ptr->l == 0) {
- (void)vfree(ptr);
- return vmalloc(size); /* zero-fill it? */
- }
-
- if ((v = (caddr_t)racoon_realloc(ptr->v, size)) == NULL) {
- (void)vfree(ptr);
- return NULL;
- }
-
- if ( size > ptr->l)
- memset(v + ptr->l, 0, size - ptr->l);
- ptr->v = v;
- ptr->l = size;
- } else {
- if ((ptr = vmalloc(size)) == NULL)
- return NULL;
- }
-
- return ptr;
-}
-
-void
-vfree(var)
- vchar_t *var;
-{
- if (var == NULL)
- return;
-
- if (var->v)
- (void)racoon_free(var->v);
-
- (void)racoon_free(var);
-
- return;
-}
-
-vchar_t *
-vdup(src)
- vchar_t *src;
-{
- vchar_t *new;
-
- if (src == NULL) {
- plog(LLV_ERROR, LOCATION, NULL, "vdup(NULL) called\n");
- return NULL;
- }
-
- if ((new = vmalloc(src->l)) == NULL)
- return NULL;
-
- memcpy(new->v, src->v, src->l);
-
- return new;
-}
diff --git a/src/racoon/vmbuf.h b/src/racoon/vmbuf.h
deleted file mode 100644
index 3f2f4ea..0000000
--- a/src/racoon/vmbuf.h
+++ /dev/null
@@ -1,73 +0,0 @@
-/* $NetBSD: vmbuf.h,v 1.4 2006/09/09 16:22:10 manu Exp $ */
-
-/* Id: vmbuf.h,v 1.4 2005/10/30 10:28:44 vanhu Exp */
-
-/*
- * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the project nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef _VMBUF_H
-#define _VMBUF_H
-
-/*
- * bp v
- * v v
- * ........................
- * <--------------> l
- * <----------------------> bl
- */
-typedef struct _vchar_t_ {
-#if notyet
- u_int32_t t; /* type of the value */
- vchar_t *n; /* next vchar_t buffer */
- size_t bl; /* length of the buffer */
- caddr_t bp; /* pointer to the buffer */
-#endif
- size_t l; /* length of the value */
- caddr_t v; /* place holder to the pointer to the value */
-} vchar_t;
-
-#define VPTRINIT(p) \
-do { \
- if (p) { \
- vfree(p); \
- (p) = NULL; \
- } \
-} while(0);
-
-#if defined(__APPLE__) && defined(__MACH__)
-/* vfree is already defined in Apple's system libraries */
-#define vfree vmbuf_free
-#endif
-
-extern vchar_t *vmalloc __P((size_t));
-extern vchar_t *vrealloc __P((vchar_t *, size_t));
-extern void vfree __P((vchar_t *));
-extern vchar_t *vdup __P((vchar_t *));
-
-#endif /* _VMBUF_H */