[src/trunk]: src upgrade to KAME racoon as of 2002/4/26.
details: https://anonhg.NetBSD.org/src/rev/1b78177df2f2
branches: trunk
changeset: 526131:1b78177df2f2
user: itojun <itojun%NetBSD.org@localhost>
date: Fri Apr 26 02:25:13 2002 +0000
description:
upgrade to KAME racoon as of 2002/4/26.
file descriptor leak fix.
null encryption algorithm key length fix (should use 0).
a couple of null-pointer dereference fixes.
set port # to 500 in ID payload (possible interop issue - spec is unclear).
correctly match address pair on informational exchange
diffstat:
crypto/dist/kame/racoon/backupsa.c | 14 +-
crypto/dist/kame/racoon/cfparse.y | 315 +-------------------
crypto/dist/kame/racoon/cftoken.l | 43 +--
crypto/dist/kame/racoon/crypto_openssl.c | 166 ++++++----
crypto/dist/kame/racoon/getcertsbyname.c | 4 +-
crypto/dist/kame/racoon/grabmyaddr.c | 35 ++-
crypto/dist/kame/racoon/ipsec_doi.c | 42 +-
crypto/dist/kame/racoon/isakmp.c | 268 +++++++----------
crypto/dist/kame/racoon/isakmp_inf.c | 29 +-
crypto/dist/kame/racoon/isakmp_quick.c | 157 ++++++---
crypto/dist/kame/racoon/main.c | 23 +-
crypto/dist/kame/racoon/missing/crypto/sha2/sha2.c | 6 +-
crypto/dist/kame/racoon/oakley.c | 72 ++--
crypto/dist/kame/racoon/plog.c | 39 +-
crypto/dist/kame/racoon/racoon.8 | 10 +-
crypto/dist/kame/racoon/racoon.conf.5 | 57 ++-
crypto/dist/kame/racoon/samples/racoon.conf.sample | 4 +-
usr.sbin/racoon/Makefile.inc | 4 +-
18 files changed, 532 insertions(+), 756 deletions(-)
diffs (truncated from 2522 to 300 lines):
diff -r dcbbf201f487 -r 1b78177df2f2 crypto/dist/kame/racoon/backupsa.c
--- a/crypto/dist/kame/racoon/backupsa.c Fri Apr 26 02:16:38 2002 +0000
+++ b/crypto/dist/kame/racoon/backupsa.c Fri Apr 26 02:25:13 2002 +0000
@@ -1,4 +1,4 @@
-/* $KAME: backupsa.c,v 1.12 2001/08/20 06:46:28 itojun Exp $ */
+/* $KAME: backupsa.c,v 1.16 2001/12/31 20:13:40 thorpej Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -31,6 +31,7 @@
#include <sys/types.h>
#include <sys/param.h>
+#include <sys/socket.h>
#include <stdlib.h>
#include <stdio.h>
@@ -342,13 +343,11 @@
/*
* There is a possibility that an abnormal system down will happen
- * again. Any old SA will not be installed because racoon checks
- * the lifetime and compare with current time.
+ * again before new negotiation will be started. so racoon clears
+ * the backup file here. it's ok that old SAs are remained in the
+ * file. any old SA will not be installed because racoon checks the
+ * lifetime and compare with current time.
*/
-#if 0
- /* clean the file if SA installation succeed. */
- backupsa_clean();
-#endif
return 0;
}
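Review bot: The rewritten comment states that "racoon clears the backup file here", but this hunk removes the only clearing call (the `#if 0` `backupsa_clean()`), leaves a bare `return 0;`, and the very next sentence says it is fine for old SAs to remain in the file — so the sentence appears to say the opposite of what the code now does. Presumably the intent is that racoon deliberately keeps the file so a second crash before the next negotiation can still be recovered from; if so the text should read `* again before new negotiation will be started, so racoon does not clear` / `* the backup file here. it's ok that old SAs remain in the`. If the clearing actually happens earlier in this function (its start is outside the hunk), the comment should point to that spot instead, because as written a reader will look here for it.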
@@ -369,6 +368,7 @@
lcconf->pathinfo[LC_PATHTYPE_BACKUPSA]);
return -1;
}
+ fclose(fp);
return 0;
}
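Review bot: The added `fclose(fp);` closes the descriptor leak but discards fclose's return value, which is the point where a buffered write to the backup file would surface an error; the function's opening and any writes are outside this hunk, so I cannot tell whether the stream is write-mode here. If it is, the call should be `if (fclose(fp) == EOF) return -1;` with the same logging as the open-failure path above, so a failed flush is not reported as success. If the stream is only opened to truncate and nothing is written, a one-line comment saying so would justify ignoring the result.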
diff -r dcbbf201f487 -r 1b78177df2f2 crypto/dist/kame/racoon/cfparse.y
--- a/crypto/dist/kame/racoon/cfparse.y Fri Apr 26 02:16:38 2002 +0000
+++ b/crypto/dist/kame/racoon/cfparse.y Fri Apr 26 02:25:13 2002 +0000
@@ -1,4 +1,4 @@
-/* $KAME: cfparse.y,v 1.107 2001/08/16 20:24:59 sakane Exp $ */
+/* $KAME: cfparse.y,v 1.112 2002/02/21 14:47:38 sakane Exp $ */
%{
#include <sys/types.h>
@@ -85,7 +85,6 @@
OAKLEY_ATTR_GRP_DESC_MODP1536,
};
-static struct policyindex *cur_spidx;
static struct remoteconf *cur_rmconf;
static int tmpalgtype[MAXALGCLASS];
static struct sainfo *cur_sainfo;
@@ -113,7 +112,6 @@
%union {
unsigned long num;
vchar_t *val;
- struct policyindex *spidx;
struct remoteconf *rmconf;
struct sockaddr *saddr;
struct sainfoalg *alg;
@@ -136,22 +134,18 @@
%token RETRY_PHASE1 RETRY_PHASE2
/* algorithm */
%token ALGORITHM_CLASS ALGORITHMTYPE STRENGTHTYPE
- /* policy */
-%token POLICY DIRTYPE ACTION
-%token PLADDRTYPE PROPOSAL WHICHSIDE
-%token PROTOCOL SECLEVEL SECLEVELTYPE SECMODE SECMODETYPE
/* sainfo */
%token SAINFO
/* remote */
%token REMOTE ANONYMOUS
%token EXCHANGE_MODE EXCHANGETYPE DOI DOITYPE SITUATION SITUATIONTYPE
%token CERTIFICATE_TYPE CERTTYPE PEERS_CERTFILE VERIFY_CERT SEND_CERT SEND_CR
-%token IDENTIFIERTYPE MY_IDENTIFIER PEERS_IDENTIFIER
+%token IDENTIFIERTYPE MY_IDENTIFIER PEERS_IDENTIFIER VERIFY_IDENTIFIER
%token DNSSEC CERT_X509
%token NONCE_SIZE DH_GROUP KEEPALIVE PASSIVE INITIAL_CONTACT
%token PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL
%token GENERATE_POLICY SUPPORT_MIP6
-%token POST_COMMAND
+%token PROPOSAL
%token EXEC_PATH EXEC_COMMAND EXEC_SUCCESS EXEC_FAILURE
%token GSSAPI_ID
%token COMPLEX_BUNDLE
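Review bot: The new `VERIFY_IDENTIFIER` token is declared here, but the grammar rule that consumes it, the field it sets and its default value are all outside the 300-line excerpt, so the security-relevant question — whether peer identifier verification is on or off when the directive is absent — cannot be checked from this page. Since the diffstat shows racoon.conf.5 also changed, the manual page should state the default explicitly; an off-by-default verification is the setting most likely to be left unchanged in deployed configs. A one-line comment next to the token, e.g. `/* verify_identifier: reject phase 1 when the peer's ID payload mismatches peers_identifier */`, would help readers of the grammar find the behaviour it gates. This is inferred from the token name only; confirm against the rule in the untruncated diff.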
@@ -169,15 +163,13 @@
%type <num> PATHTYPE IDENTIFIERTYPE LOGLEV
%type <num> ALGORITHM_CLASS dh_group_num
%type <num> ALGORITHMTYPE STRENGTHTYPE
-%type <num> PREFIX prefix PORT port ike_port DIRTYPE ACTION PLADDRTYPE WHICHSIDE
-%type <num> ul_proto UL_PROTO secproto
-%type <num> SECLEVELTYPE SECMODETYPE
+%type <num> PREFIX prefix PORT port ike_port
+%type <num> ul_proto UL_PROTO
%type <num> EXCHANGETYPE DOITYPE SITUATIONTYPE
%type <num> CERTTYPE CERT_X509 PROPOSAL_CHECK_LEVEL
%type <num> unittype_time unittype_byte
%type <val> QUOTEDSTRING HEXSTRING ADDRSTRING sainfo_id
%type <val> identifierstring
-%type <spidx> policy_index
%type <saddr> remote_index ike_addrinfo_port
%type <alg> algorithm
@@ -195,7 +187,6 @@
| padding_statement
| listen_statement
| timer_statement
- | policy_statement
| sainfo_statement
| remote_statement
| special_statement
@@ -396,263 +387,6 @@
EOS
;
- /* policy */
-policy_statement
- : POLICY policy_index
- {
- /*XXX to be deleted*/
- cur_spidx = $2;
- }
- policy_specswrap
- ;
-policy_specswrap
- : EOS
- {
- /*
- if (cur_spidx->action == IPSEC_POLICY_IPSEC) {
- yyerror("must define policy for IPsec");
- return -1;
- }
- */
- }
- | BOC
- {
- /*
- if (cur_spidx->action != IPSEC_POLICY_IPSEC) {
- yyerror("must not define policy for no IPsec");
- return -1;
- }
-
- cur_spidx->policy = newipsp();
- if (cur_spidx->policy == NULL) {
- yyerror("failed to allocate ipsec policy");
- return -1;
- }
- cur_spidx->policy->spidx = cur_spidx;
- */
- }
- policy_specs EOC
- {
- /*
- if (set_ipsec_proposal(cur_spidx, prhead) != 0)
- return -1;
- */
-
- /* DH group settting if PFS is required. */
- /*
- if (cur_spidx->policy->pfs_group != 0
- && oakley_setdhgroup(cur_spidx->policy->pfs_group,
- &cur_spidx->policy->pfsgrp) == -1) {
- yyerror("failed to set DH value.\n");
- return -1;
- }
-
-#if 0
- ipsecdoi_printsa(cur_spidx->policy->proposal);
-#endif
- insspidx(cur_spidx);
-
- cleanprhead();
- */
- }
- ;
-policy_index
- : ADDRSTRING prefix port
- ADDRSTRING prefix port ul_proto DIRTYPE ACTION
- {
- /*
- $$ = parse_spidx($1->v, $2, $3, $4->v, $5, $6, $7, $8);
- $$->action = $9;
- vfree($1);
- vfree($4);
- */
- }
- ;
-prefix
- : /* nothing */ { $$ = ~0; }
- | PREFIX { $$ = $1; }
- ;
-port
- : /* nothing */ { $$ = IPSEC_PORT_ANY; }
- | PORT { $$ = $1; }
- | PORTANY { $$ = IPSEC_PORT_ANY; }
- ;
-ul_proto
- : NUMBER { $$ = $1; }
- | UL_PROTO { $$ = $1; }
- | ANY { $$ = IPSEC_ULPROTO_ANY; }
- ;
-policy_specs
- : /* nothing */
- | policy_specs policy_spec
- ;
-policy_spec
- : PFS_GROUP dh_group_num
- {
- /*
- cur_spidx->policy->pfs_group = $2;
- */
- }
- EOS
- | PROPOSAL
- {
- /*
- struct proposalspec *prspec;
-
- prspec = newprspec();
- if (prspec == NULL)
- return -1;
- prspec->lifetime = ipsecdoi_get_defaultlifetime();
- insprspec(prspec, &prhead);
- */
- }
- BOC ipsecproposal_specs EOC
- ;
-ipsecproposal_specs
- : /* nothing */
- | ipsecproposal_specs ipsecproposal_spec
- ;
-ipsecproposal_spec
- : LIFETIME LIFETYPE_TIME NUMBER unittype_time
- {
- prhead->lifetime = $3 * $4;
- }
- EOS
- | LIFETIME LIFETYPE_BYTE NUMBER unittype_byte
- {
-#if 1
- yyerror("byte lifetime support is deprecated");
- return -1;
-#else
- prhead->lifebyte = fix_lifebyte($3 * $4);
- if (prhead->lifebyte == 0)
- return -1;
-#endif
- }
- EOS
- | PROTOCOL secproto
- {
- struct secprotospec *spspec;
-
- spspec = newspspec();
- if (spspec == NULL)
- return -1;
- insspspec(spspec, &prhead);
-
- prhead->spspec->proto_id = ipproto2doi($2);
- }
- BOC secproto_specs EOC
- ;
-secproto
- : UL_PROTO {
- switch ($1) {
- case IPPROTO_ESP:
- case IPPROTO_AH:
- case IPPROTO_IPCOMP:
- break;
- default:
- yyerror("It's not security protocol");
- return -1;
- }
- $$ = $1;
- }
- ;
-secproto_specs
- : /* nothing */
- | secproto_specs secproto_spec
- ;
-secproto_spec
- : SECLEVEL SECLEVELTYPE { prhead->spspec->ipsec_level = $2; } EOS
- | SECMODE secmode EOS
- | STRENGTH
- {
- yyerror("strength directive is obsoleted.");
- } STRENGTHTYPE EOS
- | ALGORITHM_CLASS ALGORITHMTYPE keylength
- {
- int doi;
- int defklen;
-