Source-Changes-HG archive
[src/trunk]: src/crypto/dist/ipsec-tools proposal_check fixes:
details: https://anonhg.NetBSD.org/src/rev/0a1a3c9f811a
branches: trunk
changeset: 580821:0a1a3c9f811a
user: manu <manu%NetBSD.org@localhost>
date: Tue May 10 09:23:36 2005 +0000
description:
proposal_check fixes:
- fix claim behavior in phase 1
- also check lifebyte
diffstat:
crypto/dist/ipsec-tools/ChangeLog | 5 ++
crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c | 54 +++++++++++++++++--------
crypto/dist/ipsec-tools/src/racoon/proposal.c | 7 ++-
3 files changed, 48 insertions(+), 18 deletions(-)
diffs (148 lines):
diff -r 14382ff35985 -r 0a1a3c9f811a crypto/dist/ipsec-tools/ChangeLog
--- a/crypto/dist/ipsec-tools/ChangeLog Tue May 10 06:49:10 2005 +0000
+++ b/crypto/dist/ipsec-tools/ChangeLog Tue May 10 09:23:36 2005 +0000
@@ -1,3 +1,8 @@
+2005-05-10 Emmanuel Dreyfus <manu%netbsd.org@localhost>
+
+ * src/racoon/ipsec_doi.c: check for lifebyte in proposals
+ * src/racoon/ipsec_doi.c: fix a bug in proposal_check claim for phase 1
+
2005-05-07 Emmanuel Dreyfus <manu%netbsd.org@localhost>
* src/racoon/{admin.c|isakmp.c|isakmp_inf.c}: factor various
diff -r 14382ff35985 -r 0a1a3c9f811a crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c
--- a/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c Tue May 10 06:49:10 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c Tue May 10 09:23:36 2005 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec_doi.c,v 1.3 2005/04/27 05:19:50 manu Exp $ */
+/* $NetBSD: ipsec_doi.c,v 1.4 2005/05/10 09:23:36 manu Exp $ */
/* Id: ipsec_doi.c,v 1.26.2.1 2005/02/17 13:19:18 vanhu Exp */
@@ -221,13 +221,14 @@
if (pair[i] == NULL)
continue;
for (s = pair[i]; s; s = s->next) {
- prophlen = sizeof(struct isakmp_pl_p)
- + s->prop->spi_size;
+ prophlen =
+ sizeof(struct isakmp_pl_p) + s->prop->spi_size;
+
/* compare proposal and select one */
for (p = s; p; p = p->tnext) {
- sa = get_ph1approvalx(p, iph1->rmconf->proposal,
- &tsa, iph1->rmconf->pcheck_level);
- if (sa != NULL)
+ if ((sa = get_ph1approvalx(p,
+ iph1->rmconf->proposal, &tsa,
+ iph1->rmconf->pcheck_level)) != NULL)
goto found;
}
}
@@ -388,27 +389,46 @@
tsap->authmethod == authmethod &&
tsap->hashtype == s->hashtype &&
tsap->dh_group == s->dh_group &&
- tsap->encklen == s->encklen)
- switch(check_level){
+ tsap->encklen == s->encklen) {
+ switch(check_level) {
case PROP_CHECK_OBEY:
- if (s->rmconf && s->rmconf->remote->sa_family != AF_UNSPEC)
- s->lifetime=tsap->lifetime;
+ s->lifetime = tsap->lifetime;
+ s->lifebyte = tsap->lifebyte;
+ goto found;
+ break;
+
+ case PROP_CHECK_STRICT:
+ if ((tsap->lifetime > s->lifetime) ||
+ (tsap->lifebyte > s->lifebyte))
+ continue;
+
+ s->lifetime = tsap->lifetime;
+ s->lifebyte = tsap->lifebyte;
goto found;
break;
- case PROP_CHECK_STRICT:
+
case PROP_CHECK_CLAIM:
- if (tsap->lifetime > s->lifetime)
- continue ;
- if (s->rmconf && s->rmconf->remote->sa_family != AF_UNSPEC)
- s->lifetime=tsap->lifetime;
+ if (tsap->lifetime < s->lifetime)
+ s->lifetime = tsap->lifetime;
+ if (tsap->lifebyte < s->lifebyte)
+ s->lifebyte = tsap->lifebyte;
goto found;
break;
+
case PROP_CHECK_EXACT:
- if (tsap->lifetime != s->lifetime)
- continue ;
+ if ((tsap->lifetime != s->lifetime) ||
+ (tsap->lifebyte != s->lifebyte))
+ continue;
goto found;
break;
+
+ default:
+ plog(LLV_ERROR, LOCATION, NULL,
+ "Unexpected proposal_check value\n");
+ continue;
+ break;
}
+ }
}
found:
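Review bot: The `PROP_CHECK_OBEY`, `PROP_CHECK_STRICT` and `PROP_CHECK_CLAIM` branches now copy the peer-supplied `tsap->lifetime` and `tsap->lifebyte` into `s` unconditionally, where the old code did so only behind `if (s->rmconf && s->rmconf->remote->sa_family != AF_UNSPEC)`. The loop that declares `s` is outside this hunk, but if `s` walks the configured list the caller passes as `iph1->rmconf->proposal`, a value accepted from one peer is stored in the remote configuration and becomes the baseline for later negotiations, which matters most when one anonymous remote section serves many peers. Either keep the guard or record the accepted values in the per-negotiation result instead of `s`, and say at the assignment which object is being modified and why that is safe. Separately, the new `lifebyte` comparisons treat 0 as an ordinary small value. If 0 is how an absent lifebyte attribute is represented (not visible here), `strict` and `claim` would accept a proposal with no byte limit and clear the local one, so an explicit zero case such as `if (tsap->lifebyte == 0 && s->lifebyte != 0) continue;` should be considered.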
diff -r 14382ff35985 -r 0a1a3c9f811a crypto/dist/ipsec-tools/src/racoon/proposal.c
--- a/crypto/dist/ipsec-tools/src/racoon/proposal.c Tue May 10 06:49:10 2005 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/proposal.c Tue May 10 09:23:36 2005 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: proposal.c,v 1.1.1.2 2005/02/23 14:54:25 manu Exp $ */
+/* $NetBSD: proposal.c,v 1.2 2005/05/10 09:23:36 manu Exp $ */
/* Id: proposal.c,v 1.13 2004/09/13 14:09:19 ludvigm Exp */
@@ -222,6 +222,7 @@
newpp->lifebyte = pp1->lifebyte;
newpp->pfs_group = pp1->pfs_group;
break;
+
case PROP_CHECK_STRICT:
if (pp1->lifetime > pp2->lifetime) {
plog(LLV_ERROR, LOCATION, NULL,
@@ -250,6 +251,7 @@
}
newpp->pfs_group = pp1->pfs_group;
break;
+
case PROP_CHECK_CLAIM:
/* lifetime */
if (pp1->lifetime <= pp2->lifetime) {
@@ -276,6 +278,7 @@
goto prop_pfs_check;
break;
+
case PROP_CHECK_EXACT:
if (pp1->lifetime != pp2->lifetime) {
plog(LLV_ERROR, LOCATION, NULL,
@@ -284,6 +287,7 @@
(int)pp2->lifetime, (int)pp1->lifetime);
goto err;
}
+
if (pp1->lifebyte != pp2->lifebyte) {
plog(LLV_ERROR, LOCATION, NULL,
"lifebyte mismatched: "
@@ -302,6 +306,7 @@
newpp->lifebyte = pp1->lifebyte;
newpp->pfs_group = pp1->pfs_group;
break;
+
default:
plog(LLV_ERROR, LOCATION, NULL,
"invalid pcheck_level why?.\n");