

[src/trunk]: src/crypto/dist/ipsec-tools/src/racoon From Tomas Mraz: Fix gssa...



details:   https://anonhg.NetBSD.org/src/rev/bb3a912814f5
branches:  trunk
changeset: 747502:bb3a912814f5
user:      tteras <tteras%NetBSD.org@localhost>
date:      Fri Sep 18 10:31:11 2009 +0000

description:
From Tomas Mraz: Fix gssapi error checking.

diffstat:

 crypto/dist/ipsec-tools/src/racoon/isakmp_agg.c   |  114 +++++++++++----------
 crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c |   83 ++++++++-------
 2 files changed, 107 insertions(+), 90 deletions(-)

diffs (truncated from 603 to 300 lines):

diff -r d2ab78612e72 -r bb3a912814f5 crypto/dist/ipsec-tools/src/racoon/isakmp_agg.c
--- a/crypto/dist/ipsec-tools/src/racoon/isakmp_agg.c   Fri Sep 18 09:24:58 2009 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/isakmp_agg.c   Fri Sep 18 10:31:11 2009 +0000
@@ -1,11 +1,11 @@
-/*     $NetBSD: isakmp_agg.c,v 1.15 2009/03/12 10:57:26 tteras Exp $   */
+/*     $NetBSD: isakmp_agg.c,v 1.16 2009/09/18 10:31:11 tteras Exp $   */
 
 /* Id: isakmp_agg.c,v 1.28 2006/04/06 16:46:08 manubsd Exp */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -17,7 +17,7 @@
  * 3. Neither the name of the project nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -186,10 +186,10 @@
        case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I:
        case OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I:
                if ((vid_xauth = set_vendorid(VENDORID_XAUTH)) == NULL)
-                       plog(LLV_ERROR, LOCATION, NULL, 
+                       plog(LLV_ERROR, LOCATION, NULL,
                             "Xauth vendor ID generation failed\n");
                if ((vid_unity = set_vendorid(VENDORID_UNITY)) == NULL)
-                       plog(LLV_ERROR, LOCATION, NULL, 
+                       plog(LLV_ERROR, LOCATION, NULL,
                             "Unity vendor ID generation failed\n");
                break;
        default:
@@ -206,7 +206,7 @@
                if (vid_frag == NULL)
                        plog(LLV_ERROR, LOCATION, NULL,
                            "Frag vendorID construction failed\n");
-       }               
+       }
 #endif
 
        plog(LLV_DEBUG, LOCATION, NULL, "authmethod is %s\n",
@@ -230,7 +230,11 @@
 
 #ifdef HAVE_GSSAPI
        if (iph1->rmconf->proposal->authmethod == OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB) {
-               gssapi_get_token_to_send(iph1, &gsstoken);
+               if (gssapi_get_token_to_send(iph1, &gsstoken) < 0) {
+                       plog(LLV_ERROR, LOCATION, NULL,
+                            "Failed to get gssapi token.\n");
+                       goto end;
+               }
                plist = isakmp_plist_append(plist, gsstoken, ISAKMP_NPTYPE_GSS);
        }
 #endif
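Review bot: The new error message in the `gssapi_get_token_to_send` guard logs no peer address, so when a GSSAPI negotiation fails the operator cannot tell from the log which remote it concerned; other plog calls in this file pass `iph1->remote` as the address argument (the NAT-T version log in a later hunk does), and this one should too: `plog(LLV_ERROR, LOCATION, iph1->remote, "Failed to get gssapi token.\n");`. The same applies to the identical check added in the responder path just after the `/* create GSS payload */` comment further down. The `goto end` relies on the function's cleanup label releasing whatever has already been appended to `plist` and any `gsstoken` left non-NULL by the failed call; that label is outside the hunk, so it is worth confirming there that a partially filled token is freed rather than leaked. The enclosing function starts and ends outside this hunk.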
@@ -243,19 +247,19 @@
                plist = isakmp_plist_append(plist, vid_frag, ISAKMP_NPTYPE_VID);
 #endif
 #ifdef ENABLE_NATT
-       /* 
-        * set VID payload for NAT-T if NAT-T 
-        * support allowed in the config file 
+       /*
+        * set VID payload for NAT-T if NAT-T
+        * support allowed in the config file
         */
-       if (iph1->rmconf->nat_traversal) 
+       if (iph1->rmconf->nat_traversal)
                plist = isakmp_plist_append_natt_vids(plist, vid_natt);
 #endif
 #ifdef ENABLE_HYBRID
        if (vid_xauth)
-               plist = isakmp_plist_append(plist, 
+               plist = isakmp_plist_append(plist,
                    vid_xauth, ISAKMP_NPTYPE_VID);
        if (vid_unity)
-               plist = isakmp_plist_append(plist, 
+               plist = isakmp_plist_append(plist,
                    vid_unity, ISAKMP_NPTYPE_VID);
 #endif
 #ifdef ENABLE_DPD
@@ -484,7 +488,7 @@
        if (NATT_AVAILABLE(iph1)) {
                struct natd_payload *natd = NULL;
                int natd_verified;
-               
+
                plog(LLV_INFO, LOCATION, iph1->remote,
                     "Selected NAT-T version: %s\n",
                     vid_string_by_id(iph1->natt_options->version));
@@ -492,9 +496,9 @@
                /* set both bits first so that we can clear them
                   upon verifying hashes */
                iph1->natt_flags |= NAT_DETECTED;
-                        
+
                while ((natd = TAILQ_FIRST(&natd_tree)) != NULL) {
-                       /* this function will clear appropriate bits bits 
+                       /* this function will clear appropriate bits bits
                           from iph1->natt_flags */
                        natd_verified = natt_compare_addr_hash (iph1,
                                natd->payload, natd->seq);
@@ -502,7 +506,7 @@
                        plog (LLV_INFO, LOCATION, NULL, "NAT-D payload #%d %s\n",
                                natd->seq - 1,
                                natd_verified ? "verified" : "doesn't match");
-                       
+
                        vfree (natd->payload);
 
                        TAILQ_REMOVE(&natd_tree, natd, chain);
@@ -510,7 +514,7 @@
                }
 
                plog (LLV_INFO, LOCATION, NULL, "NAT %s %s%s\n",
-                     iph1->natt_flags & NAT_DETECTED ? 
+                     iph1->natt_flags & NAT_DETECTED ?
                                "detected:" : "not detected",
                      iph1->natt_flags & NAT_DETECTED_ME ? "ME " : "",
                      iph1->natt_flags & NAT_DETECTED_PEER ? "PEER" : "");
@@ -626,9 +630,9 @@
        case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I:
        case OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I:
        case OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I:
-#endif  
+#endif
                /* set HASH payload */
-               plist = isakmp_plist_append(plist, 
+               plist = isakmp_plist_append(plist,
                    iph1->hash, ISAKMP_NPTYPE_HASH);
                break;
 
@@ -677,7 +681,7 @@
                        goto end;
                }
 
-               plist = isakmp_plist_append(plist, 
+               plist = isakmp_plist_append(plist,
                    gsshash, ISAKMP_NPTYPE_HASH);
                break;
 #endif
@@ -688,26 +692,26 @@
        if (NATT_AVAILABLE(iph1)) {
                vchar_t *natd[2] = { NULL, NULL };
 
-               plog(LLV_INFO, LOCATION, 
+               plog(LLV_INFO, LOCATION,
                    NULL, "Adding remote and local NAT-D payloads.\n");
 
                if ((natd[0] = natt_hash_addr (iph1, iph1->remote)) == NULL) {
                        plog(LLV_ERROR, LOCATION, NULL,
-                           "NAT-D hashing failed for %s\n", 
+                           "NAT-D hashing failed for %s\n",
                            saddr2str(iph1->remote));
                        goto end;
                }
 
                if ((natd[1] = natt_hash_addr (iph1, iph1->local)) == NULL) {
                        plog(LLV_ERROR, LOCATION, NULL,
-                           "NAT-D hashing failed for %s\n", 
+                           "NAT-D hashing failed for %s\n",
                            saddr2str(iph1->local));
                        goto end;
                }
 
-               plist = isakmp_plist_append(plist, 
+               plist = isakmp_plist_append(plist,
                    natd[0], iph1->natt_options->payload_nat_d);
-               plist = isakmp_plist_append(plist, 
+               plist = isakmp_plist_append(plist,
                    natd[1], iph1->natt_options->payload_nat_d);
        }
 #endif
@@ -1035,23 +1039,23 @@
        case OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R:
 #endif
                /* set SA payload to reply */
-               plist = isakmp_plist_append(plist, 
+               plist = isakmp_plist_append(plist,
                    iph1->sa_ret, ISAKMP_NPTYPE_SA);
 
                /* create isakmp KE payload */
-               plist = isakmp_plist_append(plist, 
+               plist = isakmp_plist_append(plist,
                    iph1->dhpub, ISAKMP_NPTYPE_KE);
 
                /* create isakmp NONCE payload */
-               plist = isakmp_plist_append(plist, 
+               plist = isakmp_plist_append(plist,
                    iph1->nonce, ISAKMP_NPTYPE_NONCE);
 
                /* create isakmp ID payload */
-               plist = isakmp_plist_append(plist, 
+               plist = isakmp_plist_append(plist,
                    iph1->id, ISAKMP_NPTYPE_ID);
 
                /* create isakmp HASH payload */
-               plist = isakmp_plist_append(plist, 
+               plist = isakmp_plist_append(plist,
                    iph1->hash, ISAKMP_NPTYPE_HASH);
 
                /* create isakmp CR payload if needed */
@@ -1078,19 +1082,19 @@
                        need_cert = 1;
 
                /* set SA payload to reply */
-               plist = isakmp_plist_append(plist, 
+               plist = isakmp_plist_append(plist,
                    iph1->sa_ret, ISAKMP_NPTYPE_SA);
 
                /* create isakmp KE payload */
-               plist = isakmp_plist_append(plist, 
+               plist = isakmp_plist_append(plist,
                    iph1->dhpub, ISAKMP_NPTYPE_KE);
 
                /* create isakmp NONCE payload */
-               plist = isakmp_plist_append(plist, 
+               plist = isakmp_plist_append(plist,
                    iph1->nonce, ISAKMP_NPTYPE_NONCE);
 
                /* add ID payload */
-               plist = isakmp_plist_append(plist, 
+               plist = isakmp_plist_append(plist,
                    iph1->id, ISAKMP_NPTYPE_ID);
 
                /* add CERT payload if there */
@@ -1122,9 +1126,9 @@
                                plog(LLV_ERROR, LOCATION, NULL,
                                        "failed to wrap hash\n");
                                /*
-                                * This is probably due to the GSS 
-                                * roundtrips not being finished yet. 
-                                * Return this error in the hope that 
+                                * This is probably due to the GSS
+                                * roundtrips not being finished yet.
+                                * Return this error in the hope that
                                 * a fallback to main mode will be done.
                                 */
                                isakmp_info_send_n1(iph1,
@@ -1141,28 +1145,32 @@
                                free_gss_sa = 1;
 
                        /* set SA payload to reply */
-                       plist = isakmp_plist_append(plist, 
+                       plist = isakmp_plist_append(plist,
                            gss_sa, ISAKMP_NPTYPE_SA);
 
                        /* create isakmp KE payload */
-                       plist = isakmp_plist_append(plist, 
+                       plist = isakmp_plist_append(plist,
                            iph1->dhpub, ISAKMP_NPTYPE_KE);
 
                        /* create isakmp NONCE payload */
-                       plist = isakmp_plist_append(plist, 
+                       plist = isakmp_plist_append(plist,
                            iph1->nonce, ISAKMP_NPTYPE_NONCE);
 
                        /* create isakmp ID payload */
-                       plist = isakmp_plist_append(plist, 
+                       plist = isakmp_plist_append(plist,
                            iph1->id, ISAKMP_NPTYPE_ID);
 
                        /* create GSS payload */
-                       gssapi_get_token_to_send(iph1, &gsstoken);
-                       plist = isakmp_plist_append(plist, 
+                       if (gssapi_get_token_to_send(iph1, &gsstoken) < 0) {
+                               plog(LLV_ERROR, LOCATION, NULL,
+                                   "Failed to get gssapi token.\n");
+                               goto end;
+                       }
+                       plist = isakmp_plist_append(plist,
                            gsstoken, ISAKMP_NPTYPE_GSS);
 
                        /* create isakmp HASH payload */
-                       plist = isakmp_plist_append(plist, 
+                       plist = isakmp_plist_append(plist,
                            gsshash, ISAKMP_NPTYPE_HASH);
 
                        /* append vendor id, if needed */
@@ -1178,7 +1186,7 @@
                            "Cannot create Xauth vendor ID\n");
                        goto end;
                }
-               plist = isakmp_plist_append(plist, 
+               plist = isakmp_plist_append(plist,
                    xauth_vid, ISAKMP_NPTYPE_VID);
        }
 
@@ -1188,7 +1196,7 @@
                            "Cannot create Unity vendor ID\n");
                        goto end;
                }
-               plist = isakmp_plist_append(plist, 
+               plist = isakmp_plist_append(plist,


