Openwrt/openwrt/package/isakmpd/patches/010-debian_3.patch

1707 lines
53 KiB
Diff
Raw Normal View History

--- isakmpd-20041012.orig/dpd.c
+++ isakmpd-20041012/dpd.c
@@ -26,6 +26,7 @@
#include <sys/types.h>
#include <stdlib.h>
+#include <memory.h>
#include "sysdep.h"
@@ -174,6 +175,7 @@
}
break;
default:
+ ;
}
/* Mark handled. */
@@ -223,6 +225,7 @@
dpd_check_event, sa, &tv);
break;
default:
+ ;
}
if (!sa->dpd_event)
log_print("dpd_timer_reset: timer_add_event failed");
--- isakmpd-20041012.orig/ipsec.c
+++ isakmpd-20041012/ipsec.c
@@ -1020,6 +1020,52 @@
}
}
+/*
+ * deal with a NOTIFY of INVALID_SPI
+ */
+static void
+ipsec_invalid_spi (struct message *msg, struct payload *p)
+{
+ struct sockaddr *dst;
+ int invspisz, off;
+ u_int32_t spi;
+ u_int16_t totsiz;
+ u_int8_t spisz;
+
+ /* Any notification that make us do something should be protected */
+ if(!TAILQ_FIRST (&msg->payload[ISAKMP_PAYLOAD_HASH]))
+ {
+ LOG_DBG ((LOG_SA, 40,
+ "ipsec_invalid_spi: missing HASH payload in INVALID_SPI"
+ " notification"));
+ return;
+ }
+
+ /*
+ * get the invalid spi out of the variable sized notification data
+ * field, which is after the variable sized SPI field [which specifies
+ * the receiving entity's phase-1 SPI, not the invalid spi]
+ */
+ totsiz = GET_ISAKMP_GEN_LENGTH (p->p);
+ spisz = GET_ISAKMP_NOTIFY_SPI_SZ (p->p);
+ off = ISAKMP_NOTIFY_SPI_OFF + spisz;
+ invspisz = totsiz - off;
+
+ if (invspisz != sizeof spi)
+ {
+ LOG_DBG ((LOG_SA, 40,
+ "ipsec_invalid_spi: SPI size %d in INVALID_SPI "
+ "payload unsupported", spisz));
+ return;
+ }
+ memcpy (&spi, p->p + off, sizeof spi);
+
+ msg->transport->vtbl->get_dst (msg->transport, &dst);
+
+ /* delete matching SPI's from this peer */
+ ipsec_delete_spi_list (dst, 0, (u_int8_t *)&spi, 1, "INVALID_SPI");
+}
+
static int
ipsec_responder(struct message *msg)
{
@@ -1205,7 +1251,9 @@
return dv != IPSEC_ENCAP_TUNNEL
&& dv != IPSEC_ENCAP_TRANSPORT
&& dv != IPSEC_ENCAP_UDP_ENCAP_TUNNEL
- && dv != IPSEC_ENCAP_UDP_ENCAP_TRANSPORT;
+ && dv != IPSEC_ENCAP_UDP_ENCAP_TRANSPORT
+ && dv != IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT
+ && dv != IPSEC_ENCAP_UDP_ENCAP_TRANSPORT_DRAFT;
#else
return dv < IPSEC_ENCAP_TUNNEL
|| dv > IPSEC_ENCAP_TRANSPORT;
@@ -1837,7 +1885,7 @@
ipsec_get_id(char *section, int *id, struct sockaddr **addr,
struct sockaddr **mask, u_int8_t *tproto, u_int16_t *port)
{
- char *type, *address, *netmask;
+ char *type, *address, *netmask;
type = conf_get_str(section, "ID-type");
if (!type) {
--- isakmpd-20041012.orig/GNUmakefile
+++ isakmpd-20041012/GNUmakefile
@@ -40,12 +40,12 @@
# integrated, freebsd/netbsd means FreeBSD/NetBSD with KAME IPsec.
# darwin means MacOS X 10.2 and later with KAME IPsec. linux means Linux-2.5
# and later with native IPSec support.
-OS= openbsd
+#OS= openbsd
#OS= netbsd
#OS= freebsd
#OS= freeswan
#OS= darwin
-#OS= linux
+OS= linux
.CURDIR:= $(shell pwd)
VPATH= ${.CURDIR}/sysdep/${OS}
@@ -55,9 +55,10 @@
ifndef BINDIR
BINDIR= /sbin
endif
-ifndef LDSTATIC
-LDSTATIC= -static
-endif
+
+#ifndef LDSTATIC
+#LDSTATIC= -static
+#endif
SRCS= app.c attribute.c cert.c connection.c \
constants.c conf.c cookie.c crypto.c dh.c doi.c exchange.c \
@@ -131,11 +132,14 @@
ifneq ($(findstring install,$(MAKECMDGOALS)),install)
# Skip 'regress' until the regress/ structure has gmake makefiles for it.
#SUBDIR:= regress
-SUBDIR:=
+#SUBDIR:= apps/certpatch
mksubdirs:
$(foreach DIR, ${SUBDIR}, \
- cd ${DIR}; ${MAKE} ${MAKEFLAGS} CFLAGS="${CFLAGS}" \
- MKDEP="${MKDEP}" ${MAKECMDGOALS})
+ cd ${.CURDIR}/${DIR}; ${MAKE} ${MAKECMDGOALS};)
+
+# $(foreach DIR, ${SUBDIR}, \
+# cd ${DIR}; ${MAKE} CFLAGS="${CFLAGS}" \
+# MKDEP="${MKDEP}" ${MAKECMDGOALS})
else
mksubdirs:
endif
@@ -173,7 +177,7 @@
endif
SRCS+= ${IPSEC_SRCS} ${X509} ${POLICY} ${EC} ${AGGRESSIVE} ${DNSSEC} \
- $(ISAKMP_CFG)
+ $(ISAKMP_CFG) ${DPD} ${NAT_TRAVERSAL}
CFLAGS+= ${IPSEC_CFLAGS}
LDADD+= ${DESLIB}
DPADD+= ${DESLIBDEP}
--- isakmpd-20041012.orig/exchange.h
+++ isakmpd-20041012/exchange.h
@@ -221,6 +221,8 @@
#define EXCHANGE_FLAG_NAT_T_ENABLE 0x10 /* We are doing NAT-T. */
#define EXCHANGE_FLAG_NAT_T_KEEPALIVE 0x20 /* We are the NAT:ed peer. */
#define EXCHANGE_FLAG_DPD_CAP_PEER 0x40 /* Peer is DPD capable. */
+#define EXCHANGE_FLAG_NAT_T_RFC 0x0080 /* Peer does RFC NAT-T. */
+#define EXCHANGE_FLAG_NAT_T_DRAFT 0x0100 /* Peer does draft NAT-T.*/
extern int exchange_add_certs(struct message *);
extern void exchange_finalize(struct message *);
--- isakmpd-20041012.orig/log.c
+++ isakmpd-20041012/log.c
@@ -79,7 +79,6 @@
struct packhdr {
struct pcap_pkthdr pcap;/* pcap file packet header */
- u_int32_t sa_family; /* address family */
union {
struct ip ip4; /* IPv4 header (w/o options) */
struct ip6_hdr ip6; /* IPv6 header */
@@ -97,7 +96,7 @@
static u_int8_t *packet_buf = NULL;
static int udp_cksum(struct packhdr *, const struct udphdr *,
- u_int16_t *);
+ u_int16_t *, int);
static u_int16_t in_cksum(const u_int16_t *, int);
#endif /* USE_DEBUG */
@@ -539,11 +538,9 @@
udp.uh_ulen = htons(datalen);
/* ip */
- hdr.sa_family = htonl(src->sa_family);
switch (src->sa_family) {
default:
/* Assume IPv4. XXX Can 'default' ever happen here? */
- hdr.sa_family = htonl(AF_INET);
hdr.ip.ip4.ip_src.s_addr = 0x02020202;
hdr.ip.ip4.ip_dst.s_addr = 0x01010101;
/* The rest of the setup is common to AF_INET. */
@@ -584,9 +581,7 @@
}
/* Calculate UDP checksum. */
- udp.uh_sum = udp_cksum(&hdr, &udp, (u_int16_t *) packet_buf);
- hdrlen += sizeof hdr.sa_family;
-
+ udp.uh_sum = udp_cksum(&hdr, &udp, (u_int16_t *) packet_buf, src->sa_family);
/* pcap file packet header */
gettimeofday(&tv, 0);
hdr.pcap.ts.tv_sec = tv.tv_sec;
@@ -610,7 +605,7 @@
/* Copied from tcpdump/print-udp.c, mostly rewritten. */
static int
-udp_cksum(struct packhdr *hdr, const struct udphdr *u, u_int16_t *d)
+udp_cksum(struct packhdr *hdr, const struct udphdr *u, u_int16_t *d, int af)
{
struct ip *ip4;
struct ip6_hdr *ip6;
@@ -639,7 +634,7 @@
/* Setup pseudoheader. */
memset(phu.pa, 0, sizeof phu);
- switch (ntohl(hdr->sa_family)) {
+ switch (af) {
case AF_INET:
ip4 = &hdr->ip.ip4;
memcpy(&phu.ip4p.src, &ip4->ip_src, sizeof(struct in_addr));
@@ -664,7 +659,7 @@
/* IPv6 wants a 0xFFFF checksum "on error", not 0x0. */
if (tlen < 0)
- return (ntohl(hdr->sa_family) == AF_INET ? 0 : 0xFFFF);
+ return (af == AF_INET ? 0 : 0xFFFF);
sum = 0;
for (i = 0; i < hdrlen; i += 2)
--- isakmpd-20041012.orig/nat_traversal.c
+++ isakmpd-20041012/nat_traversal.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: nat_traversal.c,v 1.7 2004/08/08 19:11:06 deraadt Exp $ */
+/* $OpenBSD: nat_traversal.c,v 1.17 2006/06/14 14:03:33 hshoexer Exp $ */
/*
* Copyright (c) 2004 H<>kan Olsson. All rights reserved.
@@ -48,40 +48,40 @@
#include "util.h"
#include "virtual.h"
+int disable_nat_t = 0;
+
/*
- * XXX According to draft-ietf-ipsec-nat-t-ike-07.txt, the NAT-T
- * capability of the other peer is determined by a particular vendor ID
- * sent as the first message. This vendor ID string is supposed to be a
- * MD5 hash of "RFC XXXX", where XXXX is the future RFC number.
+ * NAT-T capability of the other peer is determined by a particular vendor
+ * ID sent in the first message. This vendor ID string is supposed to be a
+ * MD5 hash of "RFC 3947".
*
* These seem to be the "well" known variants of this string in use by
* products today.
*/
-static const char *isakmp_nat_t_cap_text[] = {
- "draft-ietf-ipsec-nat-t-ike-00", /* V1 (XXX: may be obsolete) */
- "draft-ietf-ipsec-nat-t-ike-02\n", /* V2 */
- "draft-ietf-ipsec-nat-t-ike-03", /* V3 */
-#ifdef notyet
- "RFC XXXX",
-#endif
+
+static struct nat_t_cap isakmp_nat_t_cap[] = {
+ { VID_DRAFT_V2_N, EXCHANGE_FLAG_NAT_T_DRAFT,
+ "draft-ietf-ipsec-nat-t-ike-02\n", NULL, 0 },
+ { VID_DRAFT_V3, EXCHANGE_FLAG_NAT_T_DRAFT,
+ "draft-ietf-ipsec-nat-t-ike-03", NULL, 0 },
+ { VID_RFC3947, EXCHANGE_FLAG_NAT_T_RFC,
+ "RFC 3947", NULL, 0 },
};
+#define NUMNATTCAP (sizeof isakmp_nat_t_cap / sizeof isakmp_nat_t_cap[0])
+
/* In seconds. Recommended in draft-ietf-ipsec-udp-encaps-09. */
#define NAT_T_KEEPALIVE_INTERVAL 20
-/* The MD5 hashes of the above strings is put in this array. */
-static char **nat_t_hashes;
-static size_t nat_t_hashsize;
-
static int nat_t_setup_hashes(void);
-static int nat_t_add_vendor_payload(struct message *, char *);
+static int nat_t_add_vendor_payload(struct message *, struct nat_t_cap *);
static int nat_t_add_nat_d(struct message *, struct sockaddr *);
static int nat_t_match_nat_d_payload(struct message *, struct sockaddr *);
void
nat_t_init(void)
{
- nat_t_hashes = (char **)NULL;
+ nat_t_setup_hashes();
}
/* Generate the NAT-T capability marker hashes. Executed only once. */
@@ -89,7 +89,7 @@
nat_t_setup_hashes(void)
{
struct hash *hash;
- int n = sizeof isakmp_nat_t_cap_text / sizeof isakmp_nat_t_cap_text[0];
+ int n = NUMNATTCAP;
int i;
/* The draft says to use MD5. */
@@ -100,56 +100,49 @@
"could not find MD5 hash structure!");
return -1;
}
- nat_t_hashsize = hash->hashsize;
- /* Allocate one more than is necessary, i.e NULL terminated. */
- nat_t_hashes = (char **)calloc((size_t)(n + 1), sizeof(char *));
- if (!nat_t_hashes) {
- log_error("nat_t_setup_hashes: calloc (%lu,%lu) failed",
- (unsigned long)n, (unsigned long)sizeof(char *));
- return -1;
- }
-
- /* Populate with hashes. */
+ /* Populate isakmp_nat_t_cap with hashes. */
for (i = 0; i < n; i++) {
- nat_t_hashes[i] = (char *)malloc(nat_t_hashsize);
- if (!nat_t_hashes[i]) {
+ isakmp_nat_t_cap[i].hashsize = hash->hashsize;
+ isakmp_nat_t_cap[i].hash = (char *)malloc(hash->hashsize);
+ if (!isakmp_nat_t_cap[i].hash) {
log_error("nat_t_setup_hashes: malloc (%lu) failed",
- (unsigned long)nat_t_hashsize);
+ (unsigned long)hash->hashsize);
goto errout;
}
hash->Init(hash->ctx);
hash->Update(hash->ctx,
- (unsigned char *)isakmp_nat_t_cap_text[i],
- strlen(isakmp_nat_t_cap_text[i]));
- hash->Final(nat_t_hashes[i], hash->ctx);
+ (unsigned char *)isakmp_nat_t_cap[i].text,
+ strlen(isakmp_nat_t_cap[i].text));
+ hash->Final(isakmp_nat_t_cap[i].hash, hash->ctx);
LOG_DBG((LOG_EXCHANGE, 50, "nat_t_setup_hashes: "
- "MD5(\"%s\") (%lu bytes)", isakmp_nat_t_cap_text[i],
- (unsigned long)nat_t_hashsize));
+ "MD5(\"%s\") (%lu bytes)", isakmp_nat_t_cap[i].text,
+ (unsigned long)hash->hashsize));
LOG_DBG_BUF((LOG_EXCHANGE, 50, "nat_t_setup_hashes",
- nat_t_hashes[i], nat_t_hashsize));
+ isakmp_nat_t_cap[i].hash, hash->hashsize));
}
return 0;
- errout:
+errout:
for (i = 0; i < n; i++)
- if (nat_t_hashes[i])
- free(nat_t_hashes[i]);
- free(nat_t_hashes);
- nat_t_hashes = NULL;
+ if (isakmp_nat_t_cap[i].hash)
+ free(isakmp_nat_t_cap[i].hash);
return -1;
}
/* Add one NAT-T VENDOR payload. */
static int
-nat_t_add_vendor_payload(struct message *msg, char *hash)
+nat_t_add_vendor_payload(struct message *msg, struct nat_t_cap *cap)
{
- size_t buflen = nat_t_hashsize + ISAKMP_GEN_SZ;
+ size_t buflen = cap->hashsize + ISAKMP_GEN_SZ;
u_int8_t *buf;
+ if (disable_nat_t)
+ return 0;
+
buf = malloc(buflen);
if (!buf) {
log_error("nat_t_add_vendor_payload: malloc (%lu) failed",
@@ -158,12 +151,11 @@
}
SET_ISAKMP_GEN_LENGTH(buf, buflen);
- memcpy(buf + ISAKMP_VENDOR_ID_OFF, hash, nat_t_hashsize);
+ memcpy(buf + ISAKMP_VENDOR_ID_OFF, cap->hash, cap->hashsize);
if (message_add_payload(msg, ISAKMP_PAYLOAD_VENDOR, buf, buflen, 1)) {
free(buf);
return -1;
}
-
return 0;
}
@@ -171,16 +163,14 @@
int
nat_t_add_vendor_payloads(struct message *msg)
{
- int i = 0;
+ int i;
- if (!nat_t_hashes)
- if (nat_t_setup_hashes())
- return 0; /* XXX should this be an error? */
+ if (disable_nat_t)
+ return 0;
- while (nat_t_hashes[i])
- if (nat_t_add_vendor_payload(msg, nat_t_hashes[i++]))
+ for (i = 0; i < NUMNATTCAP; i++)
+ if (nat_t_add_vendor_payload(msg, &isakmp_nat_t_cap[i]))
return -1;
-
return 0;
}
@@ -192,36 +182,31 @@
{
u_int8_t *pbuf = p->p;
size_t vlen;
- int i = 0;
+ int i;
- /* Already checked? */
- if (p->flags & PL_MARK ||
- msg->exchange->flags & EXCHANGE_FLAG_NAT_T_CAP_PEER)
+ if (disable_nat_t)
return;
- if (!nat_t_hashes)
- if (nat_t_setup_hashes())
- return;
-
vlen = GET_ISAKMP_GEN_LENGTH(pbuf) - ISAKMP_GEN_SZ;
- if (vlen != nat_t_hashsize) {
- LOG_DBG((LOG_EXCHANGE, 50, "nat_t_check_vendor_payload: "
- "bad size %lu != %lu", (unsigned long)vlen,
- (unsigned long)nat_t_hashsize));
- return;
- }
- while (nat_t_hashes[i])
- if (memcmp(nat_t_hashes[i++], pbuf + ISAKMP_GEN_SZ,
+ for (i = 0; i < NUMNATTCAP; i++) {
+ if (vlen != isakmp_nat_t_cap[i].hashsize) {
+ LOG_DBG((LOG_EXCHANGE, 50, "nat_t_check_vendor_payload: "
+ "bad size %lu != %lu", (unsigned long)vlen,
+ (unsigned long)isakmp_nat_t_cap[i].hashsize));
+ continue;
+ }
+ if (memcmp(isakmp_nat_t_cap[i].hash, pbuf + ISAKMP_GEN_SZ,
vlen) == 0) {
/* This peer is NAT-T capable. */
msg->exchange->flags |= EXCHANGE_FLAG_NAT_T_CAP_PEER;
+ msg->exchange->flags |= isakmp_nat_t_cap[i].flags;
LOG_DBG((LOG_EXCHANGE, 10,
"nat_t_check_vendor_payload: "
"NAT-T capable peer detected"));
p->flags |= PL_MARK;
- return;
}
+ }
return;
}
@@ -233,10 +218,8 @@
{
struct ipsec_exch *ie = (struct ipsec_exch *)msg->exchange->data;
struct hash *hash;
- struct prf *prf;
u_int8_t *res;
in_port_t port;
- int prf_type = PRF_HMAC; /* XXX */
hash = hash_get(ie->hash->type);
if (hash == NULL) {
@@ -244,31 +227,25 @@
return NULL;
}
- prf = prf_alloc(prf_type, hash->type, msg->exchange->cookies,
- ISAKMP_HDR_COOKIES_LEN);
- if(!prf) {
- log_print("nat_t_generate_nat_d_hash: prf_alloc failed");
- return NULL;
- }
+ *hashlen = hash->hashsize;
- *hashlen = prf->blocksize;
res = (u_int8_t *)malloc((unsigned long)*hashlen);
if (!res) {
log_print("nat_t_generate_nat_d_hash: malloc (%lu) failed",
(unsigned long)*hashlen);
- prf_free(prf);
*hashlen = 0;
return NULL;
}
port = sockaddr_port(sa);
- memset(res, 0, *hashlen);
-
- prf->Update(prf->prfctx, sockaddr_addrdata(sa), sockaddr_addrlen(sa));
- prf->Update(prf->prfctx, (unsigned char *)&port, sizeof port);
- prf->Final(res, prf->prfctx);
- prf_free (prf);
+ bzero(res, *hashlen);
+ hash->Init(hash->ctx);
+ hash->Update(hash->ctx, msg->exchange->cookies,
+ sizeof msg->exchange->cookies);
+ hash->Update(hash->ctx, sockaddr_addrdata(sa), sockaddr_addrlen(sa));
+ hash->Update(hash->ctx, (unsigned char *)&port, sizeof port);
+ hash->Final(res, hash->ctx);
return res;
}
@@ -276,6 +253,7 @@
static int
nat_t_add_nat_d(struct message *msg, struct sockaddr *sa)
{
+ int ret;
u_int8_t *hbuf, *buf;
size_t hbuflen, buflen;
@@ -298,11 +276,19 @@
memcpy(buf + ISAKMP_NAT_D_DATA_OFF, hbuf, hbuflen);
free(hbuf);
- if (message_add_payload(msg, ISAKMP_PAYLOAD_NAT_D, buf, buflen, 1)) {
+ if (msg->exchange->flags & EXCHANGE_FLAG_NAT_T_RFC)
+ ret = message_add_payload(msg, ISAKMP_PAYLOAD_NAT_D, buf,
+ buflen, 1);
+ else if (msg->exchange->flags & EXCHANGE_FLAG_NAT_T_DRAFT)
+ ret = message_add_payload(msg, ISAKMP_PAYLOAD_NAT_D_DRAFT,
+ buf, buflen, 1);
+ else
+ ret = -1;
+
+ if (ret) {
free(buf);
return -1;
}
-
return 0;
}
@@ -312,14 +298,14 @@
{
struct sockaddr *sa;
- msg->transport->vtbl->get_src(msg->transport, &sa);
+ /* Remote address first. */
+ msg->transport->vtbl->get_dst(msg->transport, &sa);
if (nat_t_add_nat_d(msg, sa))
return -1;
- msg->transport->vtbl->get_dst(msg->transport, &sa);
+ msg->transport->vtbl->get_src(msg->transport, &sa);
if (nat_t_add_nat_d(msg, sa))
return -1;
-
return 0;
}
@@ -336,8 +322,8 @@
* If there are no NAT-D payloads in the message, return "found"
* as this will avoid NAT-T (see nat_t_exchange_check_nat_d()).
*/
- p = payload_first(msg, ISAKMP_PAYLOAD_NAT_D);
- if (!p)
+ if ((p = payload_first(msg, ISAKMP_PAYLOAD_NAT_D_DRAFT)) == NULL &&
+ (p = payload_first(msg, ISAKMP_PAYLOAD_NAT_D)) == NULL)
return 1;
hbuf = nat_t_generate_nat_d_hash(msg, sa, &hbuflen);
--- isakmpd-20041012.orig/udp_encap.c
+++ isakmpd-20041012/udp_encap.c
@@ -61,6 +61,11 @@
#define UDP_SIZE 65536
+#if defined(USE_NAT_TRAVERSAL) && defined (LINUX_IPSEC)
+#include <linux/socket.h>
+#include <linux/udp.h>
+#endif
+
/* If a system doesn't have SO_REUSEPORT, SO_REUSEADDR will have to do. */
#ifndef SO_REUSEPORT
#define SO_REUSEPORT SO_REUSEADDR
@@ -134,6 +139,18 @@
if (sysdep_cleartext(s, laddr->sa_family) == -1)
goto err;
+#if defined(USE_NAT_TRAVERSAL) && defined (LINUX_IPSEC)
+ {
+#ifndef SOL_UDP
+#define SOL_UDP 17
+#endif
+ int option = UDP_ENCAP_ESPINUDP;
+ if(setsockopt(s, SOL_UDP, UDP_ENCAP, &option,
+ sizeof (option)) < 0)
+ goto err;
+ }
+#endif
+
/* Wildcard address ? */
switch (laddr->sa_family) {
case AF_INET:
--- isakmpd-20041012.orig/apps/Makefile
+++ isakmpd-20041012/apps/Makefile
@@ -31,4 +31,4 @@
SUBDIR= certpatch
-.include <bsd.subdir.mk>
+#.include <bsd.subdir.mk>
--- isakmpd-20041012.orig/apps/certpatch/GNUmakefile
+++ isakmpd-20041012/apps/certpatch/GNUmakefile
@@ -0,0 +1,55 @@
+# $OpenBSD: Makefile,v 1.7 2003/06/03 14:35:00 ho Exp $
+# $EOM: Makefile,v 1.6 2000/03/28 21:22:06 ho Exp $
+
+#
+# Copyright (c) 1999 Niels Provos. All rights reserved.
+# Copyright (c) 2001 Niklas Hallqvist. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+#
+# This code was written under funding by Ericsson Radio Systems.
+#
+
+PROG= certpatch
+SRCS= certpatch.c
+BINDIR?= /usr/sbin
+TOPSRC= ${.CURDIR}../..
+TOPOBJ!= cd ${TOPSRC}; printf "all:\n\t@pwd\n" |${MAKE} -f-
+OS= linux
+FEATURES!= awk '/^FEATURES=/ { print $$0 }' ${.CURDIR}/../../Makefile | sed 's/FEATURES=.//'
+.PATH: ${TOPSRC} ${TOPSRC}/sysdep/${OS} ${TOPOBJ}
+CFLAGS+= -I${TOPSRC} -I${TOPSRC}/sysdep/${OS} -I${TOPOBJ} -Wall
+LDFLAGS+= -lcrypto -lssl -lgmp
+MAN= certpatch.8
+
+CFLAGS+= -DMP_FLAVOUR=MP_FLAVOUR_GMP
+LDADD+= -lgmp
+DPADD+= ${LIBGMP}
+
+# Override LIBSYSDEPDIR definition from Makefile.sysdep
+LIBSYSDEPDIR= ${TOPSRC}/sysdep/common/libsysdep
+
+all: ${PROG}
+
+clean:
+ rm -f ${PROG}
--- isakmpd-20041012.orig/pf_key_v2.c
+++ isakmpd-20041012/pf_key_v2.c
@@ -1055,6 +1055,10 @@
#endif
#if defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_UDPENCAP)
struct sadb_x_udpencap udpencap;
+#elif defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_NAT_T_TYPE)
+ struct sadb_x_nat_t_type nat_t_type;
+ struct sadb_x_nat_t_port nat_t_sport;
+ struct sadb_x_nat_t_port nat_t_dport;
#endif
#ifdef USE_DEBUG
char *addr_str;
@@ -1273,10 +1277,15 @@
log_print("pf_key_v2_set_spi: invalid proto %d", proto->proto);
goto cleanup;
}
- if (incoming)
+ if (incoming) {
sa->transport->vtbl->get_src(sa->transport, &dst);
- else
+ sa->transport->vtbl->get_dst(sa->transport, &src);
+ }
+ else {
sa->transport->vtbl->get_dst(sa->transport, &dst);
+ sa->transport->vtbl->get_src(sa->transport, &src);
+ }
+
#ifdef KAME
msg.sadb_msg_seq = (incoming ?
pf_key_v2_seq_by_sa(proto->spi[incoming], sizeof ssa.sadb_sa_spi,
@@ -1319,12 +1328,13 @@
ssa.sadb_sa_flags = 0;
#ifdef SADB_X_SAFLAGS_TUNNEL
if (iproto->encap_mode == IPSEC_ENCAP_TUNNEL ||
- iproto->encap_mode == IPSEC_ENCAP_UDP_ENCAP_TUNNEL)
+ iproto->encap_mode == IPSEC_ENCAP_UDP_ENCAP_TUNNEL ||
+ iproto->encap_mode == IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT)
ssa.sadb_sa_flags = SADB_X_SAFLAGS_TUNNEL;
#endif
-#if defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_UDPENCAP)
if (isakmp_sa->flags & SA_FLAG_NAT_T_ENABLE) {
+#if defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_UDPENCAP)
memset(&udpencap, 0, sizeof udpencap);
ssa.sadb_sa_flags |= SADB_X_SAFLAGS_UDPENCAP;
udpencap.sadb_x_udpencap_exttype = SADB_X_EXT_UDPENCAP;
@@ -1334,8 +1344,40 @@
if (pf_key_v2_msg_add(update, (struct sadb_ext *)&udpencap, 0)
== -1)
goto cleanup;
- }
+#elif defined (USE_NAT_TRAVERSAL) && defined (SADB_X_EXT_NAT_T_TYPE)
+#ifndef UDP_ENCAP_ESPINUDP
+#define UDP_ENCAP_ESPINUDP 2
+#endif
+ memset(&nat_t_type, 0, sizeof nat_t_type);
+ memset(&nat_t_sport, 0, sizeof nat_t_sport);
+ memset(&nat_t_dport, 0, sizeof nat_t_dport);
+
+ /* type = draft-udp-encap-06 */
+ nat_t_type.sadb_x_nat_t_type_len = sizeof nat_t_type / PF_KEY_V2_CHUNK;
+ nat_t_type.sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE;
+ nat_t_type.sadb_x_nat_t_type_type = UDP_ENCAP_ESPINUDP;
+ if(pf_key_v2_msg_add(update, (struct sadb_ext *)&nat_t_type, 0) == -1)
+ goto cleanup;
+
+ /* source port */
+ nat_t_sport.sadb_x_nat_t_port_len = sizeof nat_t_sport /
+ PF_KEY_V2_CHUNK;
+ nat_t_sport.sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_SPORT;
+ nat_t_sport.sadb_x_nat_t_port_port = sockaddr_port(src);
+ if(pf_key_v2_msg_add(update, (struct sadb_ext *)&nat_t_sport, 0) == -1)
+ goto cleanup;
+
+ /* destination port */
+ nat_t_dport.sadb_x_nat_t_port_len = sizeof nat_t_dport /
+ PF_KEY_V2_CHUNK;
+ nat_t_dport.sadb_x_nat_t_port_exttype = SADB_X_EXT_NAT_T_DPORT;
+ nat_t_dport.sadb_x_nat_t_port_port = sockaddr_port(dst);
+ if(pf_key_v2_msg_add(update, (struct sadb_ext *)&nat_t_dport, 0) == -1)
+ goto cleanup;
+
+ /* original address (transport mode checksum missing info) goes here */
#endif
+ }
if (pf_key_v2_msg_add(update, (struct sadb_ext *)&ssa, 0) == -1)
goto cleanup;
@@ -1395,10 +1437,6 @@
/*
* Setup the ADDRESS extensions.
*/
- if (incoming)
- sa->transport->vtbl->get_dst(sa->transport, &src);
- else
- sa->transport->vtbl->get_src(sa->transport, &src);
len = sizeof *addr + PF_KEY_V2_ROUND(sysdep_sa_len(src));
addr = calloc(1, len);
if (!addr)
@@ -2167,7 +2205,7 @@
pf_key_v2_msg_free(ret);
return -1;
-#elif defined (SADB_X_SPDADD) && defined (SADB_X_SPDDELETE)
+#elif defined (SADB_X_SPDUPDATE) && defined (SADB_X_SPDDELETE)
struct sadb_msg msg;
struct sadb_x_policy *policy = 0;
struct sadb_x_ipsecrequest *ipsecrequest;
@@ -2181,7 +2219,7 @@
struct sockaddr_in *ip4_sa;
struct sockaddr_in6 *ip6_sa;
- msg.sadb_msg_type = delete ? SADB_X_SPDDELETE : SADB_X_SPDADD;
+ msg.sadb_msg_type = delete ? SADB_X_SPDDELETE : SADB_X_SPDUPDATE;
msg.sadb_msg_satype = SADB_SATYPE_UNSPEC;
msg.sadb_msg_seq = 0;
flow = pf_key_v2_msg_new(&msg, 0);
--- isakmpd-20041012.orig/isakmp_num.cst
+++ isakmpd-20041012/isakmp_num.cst
@@ -57,15 +57,18 @@
KD 17 # RFC 3547, Key Download
SEQ 18 # RFC 3547, Sequence Number
POP 19 # RFC 3547, Proof of possession
- RESERVED_MIN 20
+ NAT_D 20 # RFC 3947, NAT Discovery payload
+ NAT_OA 21 # RFC 3947, NAT Original Address payload
+ RESERVED_MIN 22
RESERVED_MAX 127
PRIVATE_MIN 128
# XXX values from draft-ietf-ipsec-nat-t-ike-01,02,03. Later drafts specify
# XXX NAT_D as payload 15 and NAT_OA as 16, but these are allocated by RFC
# XXX 3547 as seen above.
- NAT_D 130 # NAT Discovery payload
- NAT_OA 131 # NAT Original Address payload
+ NAT_D_DRAFT 130 # NAT Discovery payload
+ NAT_OA_DRAFT 131 # NAT Original Address payload
PRIVATE_MAX 255
+ MAX 255
.
# ISAKMP exchange types.
--- isakmpd-20041012.orig/ipsec_num.cst
+++ isakmpd-20041012/ipsec_num.cst
@@ -62,10 +62,10 @@
IPSEC_ENCAP
TUNNEL 1
TRANSPORT 2
- FUTURE_UDP_ENCAP_TUNNEL 3 # XXX Not yet assigned
- FUTURE_UDP_ENCAP_TRANSPORT 4 # XXX Not yet assigned
- UDP_ENCAP_TUNNEL 61443 # draft-ietf-ipsec-nat-t-ike
- UDP_ENCAP_TRANSPORT 61443 # draft-ietf-ipsec-nat-t-ike
+ UDP_ENCAP_TUNNEL 3
+ UDP_ENCAP_TRANSPORT 4
+ UDP_ENCAP_TUNNEL_DRAFT 61443 # draft-ietf-ipsec-nat-t-ike
+ UDP_ENCAP_TRANSPORT_DRAFT 61443 # draft-ietf-ipsec-nat-t-ike
.
# IPSEC authentication algorithm.
--- isakmpd-20041012.orig/nat_traversal.h
+++ isakmpd-20041012/nat_traversal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: nat_traversal.h,v 1.2 2004/06/21 23:27:10 ho Exp $ */
+/* $OpenBSD: nat_traversal.h,v 1.4 2005/07/25 15:03:47 hshoexer Exp $ */
/*
* Copyright (c) 2004 H<>kan Olsson. All rights reserved.
@@ -27,6 +27,24 @@
#ifndef _NAT_TRAVERSAL_H_
#define _NAT_TRAVERSAL_H_
+#define VID_DRAFT_V2 0
+#define VID_DRAFT_V2_N 1
+#define VID_DRAFT_V3 2
+#define VID_RFC3947 3
+
+struct nat_t_cap {
+ int id;
+ u_int32_t flags;
+ const char *text;
+ char *hash;
+ size_t hashsize;
+};
+
+/*
+ * Set if -T is given on the command line to disable NAT-T support.
+ */
+extern int disable_nat_t;
+
void nat_t_init(void);
int nat_t_add_vendor_payloads(struct message *);
void nat_t_check_vendor_payload(struct message *, struct payload *);
--- isakmpd-20041012.orig/message.c
+++ isakmpd-20041012/message.c
@@ -112,6 +112,7 @@
message_validate_hash, message_validate_sig, message_validate_nonce,
message_validate_notify, message_validate_delete,
message_validate_vendor, message_validate_attribute,
+ message_validate_nat_d, message_validate_nat_oa,
message_validate_nat_d, message_validate_nat_oa
};
@@ -120,7 +121,7 @@
isakmp_id_fld, isakmp_cert_fld, isakmp_certreq_fld, isakmp_hash_fld,
isakmp_sig_fld, isakmp_nonce_fld, isakmp_notify_fld, isakmp_delete_fld,
isakmp_vendor_fld, isakmp_attribute_fld, isakmp_nat_d_fld,
- isakmp_nat_oa_fld
+ isakmp_nat_oa_fld, isakmp_nat_d_fld, isakmp_nat_oa_fld
};
/*
@@ -138,7 +139,8 @@
ISAKMP_PAYLOAD_SAK, ISAKMP_PAYLOAD_SAT, ISAKMP_PAYLOAD_KD,
ISAKMP_PAYLOAD_SEQ, ISAKMP_PAYLOAD_POP
#endif
- ISAKMP_PAYLOAD_NAT_D, ISAKMP_PAYLOAD_NAT_OA
+ ISAKMP_PAYLOAD_NAT_D, ISAKMP_PAYLOAD_NAT_OA,
+ ISAKMP_PAYLOAD_NAT_D_DRAFT, ISAKMP_PAYLOAD_NAT_OA_DRAFT
};
static u_int8_t payload_map[256];
@@ -347,8 +349,8 @@
}
/* Ignore most private payloads. */
if (next >= ISAKMP_PAYLOAD_PRIVATE_MIN &&
- next != ISAKMP_PAYLOAD_NAT_D &&
- next != ISAKMP_PAYLOAD_NAT_OA) {
+ next != ISAKMP_PAYLOAD_NAT_D_DRAFT &&
+ next != ISAKMP_PAYLOAD_NAT_OA_DRAFT) {
LOG_DBG((LOG_MESSAGE, 30, "message_parse_payloads: "
"private next payload type %s in payload of "
"type %d ignored",
@@ -460,8 +462,10 @@
return ISAKMP_ATTRIBUTE_SZ;
#if defined (USE_NAT_TRAVERSAL)
case ISAKMP_PAYLOAD_NAT_D:
+ case ISAKMP_PAYLOAD_NAT_D_DRAFT:
return ISAKMP_NAT_D_SZ;
case ISAKMP_PAYLOAD_NAT_OA:
+ case ISAKMP_PAYLOAD_NAT_OA_DRAFT:
return ISAKMP_NAT_OA_SZ;
#endif
/* Not yet supported and any other unknown payloads. */
--- isakmpd-20041012.orig/policy.c
+++ isakmpd-20041012/policy.c
@@ -511,7 +511,10 @@
break;
}
#if defined (USE_NAT_TRAVERSAL)
- else if (decode_16(value) == IPSEC_ENCAP_UDP_ENCAP_TUNNEL)
+ else if (decode_16(value) ==
+ IPSEC_ENCAP_UDP_ENCAP_TUNNEL ||
+ decode_16(value) ==
+ IPSEC_ENCAP_UDP_ENCAP_TUNNEL_DRAFT)
switch (proto->proto) {
case IPSEC_PROTO_IPSEC_AH:
ah_encapsulation = "udp-encap-tunnel";
@@ -1932,7 +1935,7 @@
void
policy_init(void)
{
- char *ptr, *policy_file;
+ char *ptr, *policy_file, *use_keynote;
char **asserts;
size_t sz, len;
int fd, i;
@@ -1940,10 +1943,11 @@
LOG_DBG((LOG_POLICY, 30, "policy_init: initializing"));
/* Do we want to use the policy modules? */
- if (ignore_policy ||
- strncmp("yes", conf_get_str("General", "Use-Keynote"), 3))
- return;
-
+ use_keynote = conf_get_str("General", "Use-Keynote");
+ if (ignore_policy ||
+ (use_keynote && strncmp("yes", use_keynote, 3)))
+ return;
+
/* Get policy file from configuration. */
policy_file = conf_get_str("General", "Policy-file");
if (!policy_file)
--- isakmpd-20041012.orig/ike_phase_1.c
+++ isakmpd-20041012/ike_phase_1.c
@@ -1040,9 +1040,9 @@
/* Compare expected/desired and received remote ID */
if (bcmp(rid, payload->p + ISAKMP_ID_DATA_OFF, sz)) {
- free(rid);
log_print("ike_phase_1_recv_ID: "
- "received remote ID other than expected %s", p);
+ "received remote ID other than expected %s - %s", p, payload->p);
+ free(rid);
return -1;
}
free(rid);
--- isakmpd-20041012.orig/x509.c
+++ isakmpd-20041012/x509.c
@@ -910,7 +910,11 @@
X509_STORE_CTX_init(&csc, x509_cas, cert, NULL);
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
/* XXX See comment in x509_read_crls_from_dir. */
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+ if (x509_cas->param->flags & X509_V_FLAG_CRL_CHECK) {
+#else
if (x509_cas->flags & X509_V_FLAG_CRL_CHECK) {
+#endif
X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK);
X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK_ALL);
}
--- isakmpd-20041012.orig/sysdep/linux/sysdep.c
+++ isakmpd-20041012/sysdep/linux/sysdep.c
@@ -169,22 +169,22 @@
return 0;
if (!(af == AF_INET || af == AF_INET6))
- {
+ {
log_print ("sysdep_cleartext: unsupported protocol family %d", af);
return -1;
}
if (setsockopt (fd, af == AF_INET ? IPPROTO_IP : IPPROTO_IPV6,
- af == AF_INET ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY,
- &pol_in, sizeof pol_in) < 0 ||
+ af == AF_INET ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY,
+ &pol_in, sizeof pol_in) < 0 ||
setsockopt (fd, af == AF_INET ? IPPROTO_IP : IPPROTO_IPV6,
- af == AF_INET ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY,
- &pol_out, sizeof pol_out) < 0)
- {
+ af == AF_INET ? IP_IPSEC_POLICY : IPV6_IPSEC_POLICY,
+ &pol_out, sizeof pol_out) < 0)
+ {
log_error ("sysdep_cleartext: "
- "setsockopt (%d, IPPROTO_IP%s, IP%s_IPSEC_POLICY, ...) "
- "failed", fd, af == AF_INET ? "" : "V6",
- af == AF_INET ? "" : "V6");
+ "setsockopt (%d, IPPROTO_IP%s, IP%s_IPSEC_POLICY, ...) "
+ "failed", fd, af == AF_INET ? "" : "V6",
+ af == AF_INET ? "" : "V6");
return -1;
}
return 0;
--- isakmpd-20041012.orig/sysdep/linux/GNUmakefile.sysdep
+++ isakmpd-20041012/sysdep/linux/GNUmakefile.sysdep
@@ -33,13 +33,13 @@
LDADD+= -lgmp ${LIBSYSDEP} ${LIBCRYPTO}
DPADD+= ${LIBGMP} ${LIBSYSDEP}
-CFLAGS+= -DUSE_OLD_SOCKADDR -DHAVE_PCAP \
- -DNEED_SYSDEP_APP -DMP_FLAVOUR=MP_FLAVOUR_GMP \
- -I/usr/src/linux/include -I${.CURDIR}/sysdep/common \
+CFLAGS+= -DHAVE_GETNAMEINFO -DUSE_OLD_SOCKADDR -DHAVE_PCAP \
+ -DNEED_SYSDEP_APP -DMP_FLAVOUR=MP_FLAVOUR_GMP -DUSE_AES \
+ -I${.CURDIR}/sysdep/linux/include -I${.CURDIR}/sysdep/common \
-I/usr/include/openssl
FEATURES= debug tripledes blowfish cast ec aggressive x509 policy
-FEATURES+= des aes
+FEATURES+= dpd nat_traversal isakmp_cfg des aes
IPSEC_SRCS= pf_key_v2.c
IPSEC_CFLAGS= -DUSE_PF_KEY_V2
@@ -51,7 +51,7 @@
# hack libsysdep.a dependenc
${LIBSYSDEPDIR}/.depend ${LIBSYSDEP}:
cd ${LIBSYSDEPDIR} && \
- ${MAKE} --no-print-directory ${MAKEFLAGS} \
+ ${MAKE} --no-print-directory \
CFLAGS="${CFLAGS}" MKDEP="${MKDEP}" ${MAKECMDGOALS}
ifeq ($(findstring clean,$(MAKECMDGOALS)),clean)
--- isakmpd-20041012.orig/sysdep/linux/include/bitstring.h
+++ isakmpd-20041012/sysdep/linux/include/bitstring.h
@@ -0,0 +1,132 @@
+/* $OpenBSD: bitstring.h,v 1.4 2002/06/19 02:50:10 millert Exp $ */
+/* $NetBSD: bitstring.h,v 1.5 1997/05/14 15:49:55 pk Exp $ */
+
+/*
+ * Copyright (c) 1989, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * This code is derived from software contributed to Berkeley by
+ * Paul Vixie.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * @(#)bitstring.h 8.1 (Berkeley) 7/19/93
+ */
+
+#ifndef _BITSTRING_H_
+#define _BITSTRING_H_
+
+/* modified for SV/AT and bitstring bugfix by M.R.Murphy, 11oct91
+ * bitstr_size changed gratuitously, but shorter
+ * bit_alloc spelling error fixed
+ * the following were efficient, but didn't work, they've been made to
+ * work, but are no longer as efficient :-)
+ * bit_nclear, bit_nset, bit_ffc, bit_ffs
+ */
+typedef unsigned char bitstr_t;
+
+/* internal macros */
+ /* byte of the bitstring bit is in */
+#define _bit_byte(bit) \
+ ((bit) >> 3)
+
+ /* mask for the bit within its byte */
+#define _bit_mask(bit) \
+ (1 << ((bit)&0x7))
+
+/* external macros */
+ /* bytes in a bitstring of nbits bits */
+#define bitstr_size(nbits) \
+ (((nbits) + 7) >> 3)
+
+ /* allocate a bitstring */
+#define bit_alloc(nbits) \
+ (bitstr_t *)calloc((size_t)bitstr_size(nbits), sizeof(bitstr_t))
+
+ /* allocate a bitstring on the stack */
+#define bit_decl(name, nbits) \
+ ((name)[bitstr_size(nbits)])
+
+ /* is bit N of bitstring name set? */
+#define bit_test(name, bit) \
+ ((name)[_bit_byte(bit)] & _bit_mask(bit))
+
+ /* set bit N of bitstring name */
+#define bit_set(name, bit) \
+ ((name)[_bit_byte(bit)] |= _bit_mask(bit))
+
+ /* clear bit N of bitstring name */
+#define bit_clear(name, bit) \
+ ((name)[_bit_byte(bit)] &= ~_bit_mask(bit))
+
+ /* clear bits start ... stop in bitstring */
+#define bit_nclear(name, start, stop) do { \
+ register bitstr_t *_name = name; \
+ register int _start = start, _stop = stop; \
+ while (_start <= _stop) { \
+ bit_clear(_name, _start); \
+ _start++; \
+ } \
+} while(0)
+
+ /* set bits start ... stop in bitstring */
+#define bit_nset(name, start, stop) do { \
+ register bitstr_t *_name = name; \
+ register int _start = start, _stop = stop; \
+ while (_start <= _stop) { \
+ bit_set(_name, _start); \
+ _start++; \
+ } \
+} while(0)
+
+ /* find first bit clear in name */
+#define bit_ffc(name, nbits, value) do { \
+ register bitstr_t *_name = name; \
+ register int _bit, _nbits = nbits, _value = -1; \
+ for (_bit = 0; _bit < _nbits; ++_bit) \
+ if (!bit_test(_name, _bit)) { \
+ _value = _bit; \
+ break; \
+ } \
+ *(value) = _value; \
+} while(0)
+
+ /* find first bit set in name */
+#define bit_ffs(name, nbits, value) do { \
+ register bitstr_t *_name = name; \
+ register int _bit, _nbits = nbits, _value = -1; \
+ for (_bit = 0; _bit < _nbits; ++_bit) \
+ if (bit_test(_name, _bit)) { \
+ _value = _bit; \
+ break; \
+ } \
+ *(value) = _value; \
+} while(0)
+
+#endif /* !_BITSTRING_H_ */
--- isakmpd-20041012.orig/sysdep/linux/include/sys/queue.h
+++ isakmpd-20041012/sysdep/linux/include/sys/queue.h
@@ -0,0 +1,453 @@
+/*
+ * Copyright (c) 1991, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * @(#)queue.h 8.5 (Berkeley) 8/20/94
+ * $FreeBSD: src/sys/sys/queue.h,v 1.45 2001/12/11 11:49:58 sheldonh Exp $
+ */
+
+#ifndef _SYS_QUEUE_H_
+#define _SYS_QUEUE_H_
+
+//#include <machine/ansi.h> /* for __offsetof */
+
+/*
+ * This file defines four types of data structures: singly-linked lists,
+ * singly-linked tail queues, lists and tail queues.
+ *
+ * A singly-linked list is headed by a single forward pointer. The elements
+ * are singly linked for minimum space and pointer manipulation overhead at
+ * the expense of O(n) removal for arbitrary elements. New elements can be
+ * added to the list after an existing element or at the head of the list.
+ * Elements being removed from the head of the list should use the explicit
+ * macro for this purpose for optimum efficiency. A singly-linked list may
+ * only be traversed in the forward direction. Singly-linked lists are ideal
+ * for applications with large datasets and few or no removals or for
+ * implementing a LIFO queue.
+ *
+ * A singly-linked tail queue is headed by a pair of pointers, one to the
+ * head of the list and the other to the tail of the list. The elements are
+ * singly linked for minimum space and pointer manipulation overhead at the
+ * expense of O(n) removal for arbitrary elements. New elements can be added
+ * to the list after an existing element, at the head of the list, or at the
+ * end of the list. Elements being removed from the head of the tail queue
+ * should use the explicit macro for this purpose for optimum efficiency.
+ * A singly-linked tail queue may only be traversed in the forward direction.
+ * Singly-linked tail queues are ideal for applications with large datasets
+ * and few or no removals or for implementing a FIFO queue.
+ *
+ * A list is headed by a single forward pointer (or an array of forward
+ * pointers for a hash table header). The elements are doubly linked
+ * so that an arbitrary element can be removed without a need to
+ * traverse the list. New elements can be added to the list before
+ * or after an existing element or at the head of the list. A list
+ * may only be traversed in the forward direction.
+ *
+ * A tail queue is headed by a pair of pointers, one to the head of the
+ * list and the other to the tail of the list. The elements are doubly
+ * linked so that an arbitrary element can be removed without a need to
+ * traverse the list. New elements can be added to the list before or
+ * after an existing element, at the head of the list, or at the end of
+ * the list. A tail queue may be traversed in either direction.
+ *
+ * For details on the use of these macros, see the queue(3) manual page.
+ *
+ *
+ * SLIST LIST STAILQ TAILQ
+ * _HEAD + + + +
+ * _HEAD_INITIALIZER + + + +
+ * _ENTRY + + + +
+ * _INIT + + + +
+ * _EMPTY + + + +
+ * _FIRST + + + +
+ * _NEXT + + + +
+ * _PREV - - - +
+ * _LAST - - + +
+ * _FOREACH + + + +
+ * _FOREACH_REVERSE - - - +
+ * _INSERT_HEAD + + + +
+ * _INSERT_BEFORE - + - +
+ * _INSERT_AFTER + + + +
+ * _INSERT_TAIL - - + +
+ * _REMOVE_HEAD + - + -
+ * _REMOVE + + + +
+ *
+ */
+
+/*
+ * Singly-linked List declarations.
+ */
+#define SLIST_HEAD(name, type) \
+struct name { \
+ struct type *slh_first; /* first element */ \
+}
+
+#define SLIST_HEAD_INITIALIZER(head) \
+ { NULL }
+
+#define SLIST_ENTRY(type) \
+struct { \
+ struct type *sle_next; /* next element */ \
+}
+
+/*
+ * Singly-linked List functions.
+ */
+#define SLIST_EMPTY(head) ((head)->slh_first == NULL)
+
+#define SLIST_FIRST(head) ((head)->slh_first)
+
+#define SLIST_FOREACH(var, head, field) \
+ for ((var) = SLIST_FIRST((head)); \
+ (var); \
+ (var) = SLIST_NEXT((var), field))
+
+#define SLIST_INIT(head) do { \
+ SLIST_FIRST((head)) = NULL; \
+} while (0)
+
+#define SLIST_INSERT_AFTER(slistelm, elm, field) do { \
+ SLIST_NEXT((elm), field) = SLIST_NEXT((slistelm), field); \
+ SLIST_NEXT((slistelm), field) = (elm); \
+} while (0)
+
+#define SLIST_INSERT_HEAD(head, elm, field) do { \
+ SLIST_NEXT((elm), field) = SLIST_FIRST((head)); \
+ SLIST_FIRST((head)) = (elm); \
+} while (0)
+
+#define SLIST_NEXT(elm, field) ((elm)->field.sle_next)
+
+#define SLIST_REMOVE(head, elm, type, field) do { \
+ if (SLIST_FIRST((head)) == (elm)) { \
+ SLIST_REMOVE_HEAD((head), field); \
+ } \
+ else { \
+ struct type *curelm = SLIST_FIRST((head)); \
+ while (SLIST_NEXT(curelm, field) != (elm)) \
+ curelm = SLIST_NEXT(curelm, field); \
+ SLIST_NEXT(curelm, field) = \
+ SLIST_NEXT(SLIST_NEXT(curelm, field), field); \
+ } \
+} while (0)
+
+#define SLIST_REMOVE_HEAD(head, field) do { \
+ SLIST_FIRST((head)) = SLIST_NEXT(SLIST_FIRST((head)), field); \
+} while (0)
+
+/*
+ * Singly-linked Tail queue declarations.
+ */
+#define STAILQ_HEAD(name, type) \
+struct name { \
+ struct type *stqh_first;/* first element */ \
+ struct type **stqh_last;/* addr of last next element */ \
+}
+
+#define STAILQ_HEAD_INITIALIZER(head) \
+ { NULL, &(head).stqh_first }
+
+#define STAILQ_ENTRY(type) \
+struct { \
+ struct type *stqe_next; /* next element */ \
+}
+
+/*
+ * Singly-linked Tail queue functions.
+ */
+#define STAILQ_EMPTY(head) ((head)->stqh_first == NULL)
+
+#define STAILQ_FIRST(head) ((head)->stqh_first)
+
+#define STAILQ_FOREACH(var, head, field) \
+ for((var) = STAILQ_FIRST((head)); \
+ (var); \
+ (var) = STAILQ_NEXT((var), field))
+
+#define STAILQ_INIT(head) do { \
+ STAILQ_FIRST((head)) = NULL; \
+ (head)->stqh_last = &STAILQ_FIRST((head)); \
+} while (0)
+
+#define STAILQ_INSERT_AFTER(head, tqelm, elm, field) do { \
+ if ((STAILQ_NEXT((elm), field) = STAILQ_NEXT((tqelm), field)) == NULL)\
+ (head)->stqh_last = &STAILQ_NEXT((elm), field); \
+ STAILQ_NEXT((tqelm), field) = (elm); \
+} while (0)
+
+#define STAILQ_INSERT_HEAD(head, elm, field) do { \
+ if ((STAILQ_NEXT((elm), field) = STAILQ_FIRST((head))) == NULL) \
+ (head)->stqh_last = &STAILQ_NEXT((elm), field); \
+ STAILQ_FIRST((head)) = (elm); \
+} while (0)
+
+#define STAILQ_INSERT_TAIL(head, elm, field) do { \
+ STAILQ_NEXT((elm), field) = NULL; \
+ *(head)->stqh_last = (elm); \
+ (head)->stqh_last = &STAILQ_NEXT((elm), field); \
+} while (0)
+
+#define STAILQ_LAST(head, type, field) \
+ (STAILQ_EMPTY(head) ? \
+ NULL : \
+ ((struct type *) \
+ ((char *)((head)->stqh_last) - __offsetof(struct type, field))))
+
+#define STAILQ_NEXT(elm, field) ((elm)->field.stqe_next)
+
+#define STAILQ_REMOVE(head, elm, type, field) do { \
+ if (STAILQ_FIRST((head)) == (elm)) { \
+ STAILQ_REMOVE_HEAD(head, field); \
+ } \
+ else { \
+ struct type *curelm = STAILQ_FIRST((head)); \
+ while (STAILQ_NEXT(curelm, field) != (elm)) \
+ curelm = STAILQ_NEXT(curelm, field); \
+ if ((STAILQ_NEXT(curelm, field) = \
+ STAILQ_NEXT(STAILQ_NEXT(curelm, field), field)) == NULL)\
+ (head)->stqh_last = &STAILQ_NEXT((curelm), field);\
+ } \
+} while (0)
+
+#define STAILQ_REMOVE_HEAD(head, field) do { \
+ if ((STAILQ_FIRST((head)) = \
+ STAILQ_NEXT(STAILQ_FIRST((head)), field)) == NULL) \
+ (head)->stqh_last = &STAILQ_FIRST((head)); \
+} while (0)
+
+#define STAILQ_REMOVE_HEAD_UNTIL(head, elm, field) do { \
+ if ((STAILQ_FIRST((head)) = STAILQ_NEXT((elm), field)) == NULL) \
+ (head)->stqh_last = &STAILQ_FIRST((head)); \
+} while (0)
+
+/*
+ * List declarations.
+ */
+#define LIST_HEAD(name, type) \
+struct name { \
+ struct type *lh_first; /* first element */ \
+}
+
+#define LIST_HEAD_INITIALIZER(head) \
+ { NULL }
+
+#define LIST_ENTRY(type) \
+struct { \
+ struct type *le_next; /* next element */ \
+ struct type **le_prev; /* address of previous next element */ \
+}
+
+/*
+ * List functions.
+ */
+
+#define LIST_EMPTY(head) ((head)->lh_first == NULL)
+
+#define LIST_FIRST(head) ((head)->lh_first)
+
+#define LIST_FOREACH(var, head, field) \
+ for ((var) = LIST_FIRST((head)); \
+ (var); \
+ (var) = LIST_NEXT((var), field))
+
+#define LIST_INIT(head) do { \
+ LIST_FIRST((head)) = NULL; \
+} while (0)
+
+#define LIST_INSERT_AFTER(listelm, elm, field) do { \
+ if ((LIST_NEXT((elm), field) = LIST_NEXT((listelm), field)) != NULL)\
+ LIST_NEXT((listelm), field)->field.le_prev = \
+ &LIST_NEXT((elm), field); \
+ LIST_NEXT((listelm), field) = (elm); \
+ (elm)->field.le_prev = &LIST_NEXT((listelm), field); \
+} while (0)
+
+#define LIST_INSERT_BEFORE(listelm, elm, field) do { \
+ (elm)->field.le_prev = (listelm)->field.le_prev; \
+ LIST_NEXT((elm), field) = (listelm); \
+ *(listelm)->field.le_prev = (elm); \
+ (listelm)->field.le_prev = &LIST_NEXT((elm), field); \
+} while (0)
+
+#define LIST_INSERT_HEAD(head, elm, field) do { \
+ if ((LIST_NEXT((elm), field) = LIST_FIRST((head))) != NULL) \
+ LIST_FIRST((head))->field.le_prev = &LIST_NEXT((elm), field);\
+ LIST_FIRST((head)) = (elm); \
+ (elm)->field.le_prev = &LIST_FIRST((head)); \
+} while (0)
+
+#define LIST_NEXT(elm, field) ((elm)->field.le_next)
+
+#define LIST_REMOVE(elm, field) do { \
+ if (LIST_NEXT((elm), field) != NULL) \
+ LIST_NEXT((elm), field)->field.le_prev = \
+ (elm)->field.le_prev; \
+ *(elm)->field.le_prev = LIST_NEXT((elm), field); \
+} while (0)
+
+/*
+ * Tail queue declarations.
+ */
+#define TAILQ_HEAD(name, type) \
+struct name { \
+ struct type *tqh_first; /* first element */ \
+ struct type **tqh_last; /* addr of last next element */ \
+}
+
+#define TAILQ_HEAD_INITIALIZER(head) \
+ { NULL, &(head).tqh_first }
+
+#define TAILQ_ENTRY(type) \
+struct { \
+ struct type *tqe_next; /* next element */ \
+ struct type **tqe_prev; /* address of previous next element */ \
+}
+
+/*
+ * Tail queue functions.
+ */
+#define TAILQ_EMPTY(head) ((head)->tqh_first == NULL)
+
+#define TAILQ_FIRST(head) ((head)->tqh_first)
+
+#define TAILQ_FOREACH(var, head, field) \
+ for ((var) = TAILQ_FIRST((head)); \
+ (var); \
+ (var) = TAILQ_NEXT((var), field))
+
+#define TAILQ_FOREACH_REVERSE(var, head, headname, field) \
+ for ((var) = TAILQ_LAST((head), headname); \
+ (var); \
+ (var) = TAILQ_PREV((var), headname, field))
+
+#define TAILQ_INIT(head) do { \
+ TAILQ_FIRST((head)) = NULL; \
+ (head)->tqh_last = &TAILQ_FIRST((head)); \
+} while (0)
+
+#define TAILQ_INSERT_AFTER(head, listelm, elm, field) do { \
+ if ((TAILQ_NEXT((elm), field) = TAILQ_NEXT((listelm), field)) != NULL)\
+ TAILQ_NEXT((elm), field)->field.tqe_prev = \
+ &TAILQ_NEXT((elm), field); \
+ else \
+ (head)->tqh_last = &TAILQ_NEXT((elm), field); \
+ TAILQ_NEXT((listelm), field) = (elm); \
+ (elm)->field.tqe_prev = &TAILQ_NEXT((listelm), field); \
+} while (0)
+
+#define TAILQ_INSERT_BEFORE(listelm, elm, field) do { \
+ (elm)->field.tqe_prev = (listelm)->field.tqe_prev; \
+ TAILQ_NEXT((elm), field) = (listelm); \
+ *(listelm)->field.tqe_prev = (elm); \
+ (listelm)->field.tqe_prev = &TAILQ_NEXT((elm), field); \
+} while (0)
+
+#define TAILQ_INSERT_HEAD(head, elm, field) do { \
+ if ((TAILQ_NEXT((elm), field) = TAILQ_FIRST((head))) != NULL) \
+ TAILQ_FIRST((head))->field.tqe_prev = \
+ &TAILQ_NEXT((elm), field); \
+ else \
+ (head)->tqh_last = &TAILQ_NEXT((elm), field); \
+ TAILQ_FIRST((head)) = (elm); \
+ (elm)->field.tqe_prev = &TAILQ_FIRST((head)); \
+} while (0)
+
+#define TAILQ_INSERT_TAIL(head, elm, field) do { \
+ TAILQ_NEXT((elm), field) = NULL; \
+ (elm)->field.tqe_prev = (head)->tqh_last; \
+ *(head)->tqh_last = (elm); \
+ (head)->tqh_last = &TAILQ_NEXT((elm), field); \
+} while (0)
+
+#define TAILQ_LAST(head, headname) \
+ (*(((struct headname *)((head)->tqh_last))->tqh_last))
+
+#define TAILQ_NEXT(elm, field) ((elm)->field.tqe_next)
+
+#define TAILQ_PREV(elm, headname, field) \
+ (*(((struct headname *)((elm)->field.tqe_prev))->tqh_last))
+
+#define TAILQ_REMOVE(head, elm, field) do { \
+ if ((TAILQ_NEXT((elm), field)) != NULL) \
+ TAILQ_NEXT((elm), field)->field.tqe_prev = \
+ (elm)->field.tqe_prev; \
+ else \
+ (head)->tqh_last = (elm)->field.tqe_prev; \
+ *(elm)->field.tqe_prev = TAILQ_NEXT((elm), field); \
+} while (0)
+
+
+#ifdef _KERNEL
+
+/*
+ * XXX insque() and remque() are an old way of handling certain queues.
+ * They bogusly assumes that all queue heads look alike.
+ */
+
+struct quehead {
+ struct quehead *qh_link;
+ struct quehead *qh_rlink;
+};
+
+#ifdef __GNUC__
+
+static __inline void
+insque(void *a, void *b)
+{
+ struct quehead *element = (struct quehead *)a,
+ *head = (struct quehead *)b;
+
+ element->qh_link = head->qh_link;
+ element->qh_rlink = head;
+ head->qh_link = element;
+ element->qh_link->qh_rlink = element;
+}
+
+static __inline void
+remque(void *a)
+{
+ struct quehead *element = (struct quehead *)a;
+
+ element->qh_link->qh_rlink = element->qh_rlink;
+ element->qh_rlink->qh_link = element->qh_link;
+ element->qh_rlink = 0;
+}
+
+#else /* !__GNUC__ */
+
+void insque __P((void *a, void *b));
+void remque __P((void *a));
+
+#endif /* __GNUC__ */
+
+#endif /* _KERNEL */
+
+#endif /* !_SYS_QUEUE_H_ */
--- isakmpd-20041012.orig/sysdep/common/pcap.h
+++ isakmpd-20041012/sysdep/common/pcap.h
@@ -55,8 +55,13 @@
u_int32_t linktype; /* data link type (DLT_*) */
};
+struct pcap_timeval {
+ int32_t tv_sec; /* seconds */
+ int32_t tv_usec; /* microseconds */
+};
+
struct pcap_pkthdr {
- struct timeval ts; /* time stamp */
+ struct pcap_timeval ts; /* time stamp */
u_int32_t caplen; /* length of portion present */
u_int32_t len; /* length this packet (off wire) */
};
--- isakmpd-20041012.orig/sysdep/common/libsysdep/arc4random.c
+++ isakmpd-20041012/sysdep/common/libsysdep/arc4random.c
@@ -78,7 +78,7 @@
static void
arc4_stir(struct arc4_stream *as)
{
- int fd;
+ int fd, i;
struct {
struct timeval tv;
u_int8_t rnd[128 - sizeof(struct timeval)];
--- isakmpd-20041012.orig/x509v3.cnf
+++ isakmpd-20041012/x509v3.cnf
@@ -0,0 +1,26 @@
+# default settings
+CERTPATHLEN = 1
+CERTUSAGE = digitalSignature,keyCertSign
+CERTIP = 0.0.0.0
+CERTFQDN = nohost.nodomain
+
+# This section should be referenced when building an x509v3 CA
+# Certificate.
+# The default path length and the key usage can be overriden
+# modified by setting the CERTPATHLEN and CERTUSAGE environment
+# variables.
+[x509v3_CA]
+basicConstraints=critical,CA:true,pathlen:$ENV::CERTPATHLEN
+keyUsage=$ENV::CERTUSAGE
+
+# This section should be referenced to add an IP Address
+# as an alternate subject name, needed by isakmpd
+# The address must be provided in the CERTIP environment variable
+[x509v3_IPAddr]
+subjectAltName=IP:$ENV::CERTIP
+
+# This section should be referenced to add a FQDN hostname
+# as an alternate subject name, needed by isakmpd
+# The address must be provided in the CERTFQDN environment variable
+[x509v3_FQDN]
+subjectAltName=DNS:$ENV::CERTFQDN