-/* $OpenBSD: connection.c,v 1.40 2018/01/04 14:21:00 mpi Exp $ */
+/* $OpenBSD: connection.c,v 1.41 2018/01/15 09:54:48 mpi Exp $ */
/* $EOM: connection.c,v 1.28 2000/11/23 12:21:18 niklas Exp $ */
/*
* Passive connections normally include: all "active" connections that
* are not flagged "Active-Only", plus all connections listed in
* the 'Passive-Connections' list.
- */
+ */
TAILQ_INIT(&connections);
TAILQ_INIT(&connections_passive);
-/* $OpenBSD: crypto.c,v 1.34 2018/01/04 14:21:00 mpi Exp $ */
+/* $OpenBSD: crypto.c,v 1.35 2018/01/15 09:54:48 mpi Exp $ */
/* $EOM: crypto.c,v 1.32 2000/03/07 20:08:51 niklas Exp $ */
/*
/*
* XXX There is controversy about the correctness of updating the IV
* like this.
- */
+ */
memcpy(ks->liv, buf + len - ks->xf->blocksize, ks->xf->blocksize);
ks->xf->decrypt(ks, buf, len);
LOG_DBG_BUF((LOG_CRYPTO, 70, "crypto_decrypt: after decryption", buf,
-/* $OpenBSD: dnssec.c,v 1.26 2018/01/04 14:21:00 mpi Exp $ */
+/* $OpenBSD: dnssec.c,v 1.27 2018/01/15 09:54:48 mpi Exp $ */
/*
* Copyright (c) 2001 Håkan Olsson. All rights reserved.
* Find a key with the wanted algorithm, if any.
* XXX If there are several keys present, we currently only find the
* first.
- */
+ */
for (i = 0; i < rr->rri_nrdatas && key_rr.datalen == 0; i++) {
key_rr.flags = ntohs((u_int16_t) * rr->rri_rdatas[i].rdi_data);
key_rr.protocol = *(rr->rri_rdatas[i].rdi_data + 2);
-/* $OpenBSD: exchange.c,v 1.141 2018/01/04 14:21:00 mpi Exp $ */
+/* $OpenBSD: exchange.c,v 1.142 2018/01/15 09:54:48 mpi Exp $ */
/* $EOM: exchange.c,v 1.143 2000/12/04 00:02:25 angelos Exp $ */
/*
* 16 at a time, and then masking, should do. Doing it this way means
* we can validate cookies very fast thus delimiting the effects of
* "Denial of service"-attacks using packet flooding.
- */
+ */
for (i = 0; i < ISAKMP_HDR_COOKIES_LEN; i += 2) {
cp = msg + ISAKMP_HDR_COOKIES_OFF + i;
/* Doing it this way avoids alignment problems. */
/*
* We want the exchange zeroed for exchange_free to be able to find
* out what fields have been filled-in.
- */
+ */
exchange = calloc(1, sizeof *exchange);
if (!exchange) {
log_error("exchange_create: calloc (1, %lu) failed",
/*
* Do not create SA's for informational exchanges.
* XXX How to handle new group mode?
- */
+ */
if (exchange->type != ISAKMP_EXCH_INFO &&
exchange->type != ISAKMP_EXCH_TRANSACTION) {
/* XXX Number of SAs should come from the args structure. */
/*
* Unless this is an informational exchange, look up our policy for
* this peer.
- */
+ */
type = GET_ISAKMP_HDR_EXCH_TYPE(msg->iov[0].iov_base);
if (type != ISAKMP_EXCH_INFO) {
/*
*
* XXX The decision should really be based on if a SA was installed
* successfully.
- */
+ */
for (sa = TAILQ_FIRST(&exchange->sa_list); sa;
sa = TAILQ_NEXT(sa, next)) {
/* Move over the name to the SA. */
* ISAKMP SA structure for future initialization of phase 2 exchanges'
* keystates. Also save the Phase 1 ID and authentication
* information.
- */
+ */
if (exchange->phase == 1 && msg->isakmp_sa) {
msg->isakmp_sa->keystate = exchange->keystate;
exchange->keystate = 0;
* it can hurt us if we have short lifetimes on the SAs and we try
* to call exchange_report, where the SA list will be walked and
* references to freed SAs can occur.
- */
+ */
while (TAILQ_FIRST(&exchange->sa_list)) {
sa = TAILQ_FIRST(&exchange->sa_list);
* Note: A 'return -1' breaks X509-auth interop in the responder case
* with some IPsec clients that send CERTREQs early (such as
* the SSH Sentinel).
- */
+ */
if (!id)
return 0;
/*
* First of all, never try to establish anything if another exchange
* of the same kind is running.
- */
+ */
exchange = exchange_lookup_by_name(name, phase);
if (exchange) {
LOG_DBG((LOG_EXCHANGE, 40,
-/* $OpenBSD: exchange.h,v 1.36 2018/01/04 14:21:00 mpi Exp $ */
+/* $OpenBSD: exchange.h,v 1.37 2018/01/15 09:54:48 mpi Exp $ */
/* $EOM: exchange.h,v 1.28 2000/09/28 12:54:28 niklas Exp $ */
/*
* has been run to its end, successfully. The 2nd argument is true
* if the finalization hook is called due to the exchange not running
* to its end normally.
- */
+ */
void (*finalize)(struct exchange *, void *, int);
void *finalize_arg;
/*
* The event that will occur when it has taken too long time to try to
* run the exchange and which will trigger auto-destruction.
- */
+ */
struct event *death;
/*
* Both initiator and responder cookies.
* XXX For code clarity we might split this into two fields.
- */
+ */
u_int8_t cookies[ISAKMP_HDR_COOKIES_LEN];
/* The message ID signifying phase 2 exchanges. */
/*
* A "program counter" into the script that validate message contents
* for this exchange.
- */
+ */
int16_t *exch_pc;
/* The last message received, used for checking for duplicates. */
/*
* If some message is queued up for sending, we want to be able to
* remove it from the queue, when the exchange is deleted.
- */
+ */
struct message *in_transit;
/*
* Initiator's & responder's nonces respectively, with lengths.
* XXX Should this be in the DOI-specific parts instead?
- */
+ */
u_int8_t *nonce_i;
size_t nonce_i_len;
u_int8_t *nonce_r;
* we don't pass it to the kernel, to avoid revealing such information
* to processes (processes either already know it, or have no business
* knowing it).
- */
+ */
int recv_certtype, recv_keytype;
void *recv_cert; /* Certificate received from peer,
* native format */
-/* $OpenBSD: ike_aggressive.c,v 1.12 2018/01/04 14:21:00 mpi Exp $ */
+/* $OpenBSD: ike_aggressive.c,v 1.13 2018/01/15 09:54:48 mpi Exp $ */
/* $EOM: ike_aggressive.c,v 1.4 2000/01/31 22:33:45 niklas Exp $ */
/*
* INITIAL-CONTACT in phase 1, thus contradicting what we learned
* above. I will bring this up in the IPsec list. For now we don't
* do INITIAL-CONTACT at all when using aggressive mode.
- */
+ */
return 0;
}
-/* $OpenBSD: ike_auth.c,v 1.115 2018/01/04 14:21:00 mpi Exp $ */
+/* $OpenBSD: ike_auth.c,v 1.116 2018/01/15 09:54:48 mpi Exp $ */
/* $EOM: ike_auth.c,v 1.59 2000/11/21 00:21:31 angelos Exp $ */
/*
* case in Aggressive mode), try to find the preshared key in the
* section of the initiator's Phase 1 ID. This allows us to do
* mobile user support with preshared keys.
- */
+ */
if (!exchange->initiator && exchange->id_i) {
switch (exchange->id_i[0]) {
case IPSEC_ID_IPV4_ADDR:
/*
* Get the pre-shared key for our peer. This will work even if the key
* has been passed to us through a mechanism like PFKEYv2.
- */
+ */
key = ike_auth_get_key(IKE_AUTH_PRE_SHARED, exchange->name,
(char *)buf, &keylen);
free(buf);
* XXX Assume we should use the same kind of certification as the
* remote... moreover, just use the first CERT payload to decide what
* to use.
- */
+ */
p = payload_first(msg, ISAKMP_PAYLOAD_CERT);
if (!p)
handler = cert_get(ISAKMP_CERTENC_KEYNOTE);
/*
* We need the policy session initialized now, so we can add
* credentials etc.
- */
+ */
exchange->policy_id = kn_init();
if (exchange->policy_id == -1) {
log_print("rsa_sig_decode_hash: failed to initialize policy "
* Walk over potential CERT payloads in this message.
* XXX I believe this is the wrong spot for this. CERTs can appear
* anytime.
- */
+ */
TAILQ_FOREACH(p, &msg->payload[ISAKMP_PAYLOAD_CERT], link) {
p->flags |= PL_MARK;
-/* $OpenBSD: ike_main_mode.c,v 1.18 2018/01/04 14:21:00 mpi Exp $ */
+/* $OpenBSD: ike_main_mode.c,v 1.19 2018/01/15 09:54:48 mpi Exp $ */
/* $EOM: ike_main_mode.c,v 1.77 1999/04/25 22:12:34 niklas Exp $ */
/*
/*
* Calculate DH values & key material in parallel with the message
* going on a roundtrip over the wire.
- */
+ */
message_register_post_send(msg,
(void (*)(struct message *))ike_phase_1_post_exchange_KE_NONCE);
-/* $OpenBSD: ike_quick_mode.c,v 1.113 2018/01/04 14:21:00 mpi Exp $ */
+/* $OpenBSD: ike_quick_mode.c,v 1.114 2018/01/15 09:54:48 mpi Exp $ */
/* $EOM: ike_quick_mode.c,v 1.139 2001/01/26 10:43:17 niklas Exp $ */
/*
* Add the authorizer (who is requesting the SA/ID);
* this may be a public or a secret key, depending on
* what mode of authentication we used in Phase 1.
- */
+ */
for (i = 0; i < nprinc; i++) {
LOG_DBG((LOG_POLICY, 40, "check_policy: "
"adding authorizer [%s]", principal[i]));
* XXX Currently, check_policy() is only called from
* message_negotiate_sa(), and so this log message reflects this.
* Change to something better?
- */
+ */
if (result == 0)
log_print("check_policy: negotiated SA failed policy check");
* Given that we have only 2 return values from policy (true/false)
* we can just return the query result directly (no pre-processing
* needed).
- */
+ */
return result;
}
* Add the payloads. As this is a SA, we need to recompute the
* lengths of the payloads containing others. We also need to
* reset these payload's "next payload type" field.
- */
+ */
if (message_add_payload(msg, ISAKMP_PAYLOAD_SA, sa_buf, sa_len, 1))
goto bail_out;
SET_ISAKMP_GEN_LENGTH(sa_buf, sa_len + proposals_len);
/*
* Save SA payload body in ie->sa_i_b, length ie->sa_i_b_len.
- */
+ */
ie->sa_i_b = message_copy(msg, ISAKMP_GEN_SZ, &ie->sa_i_b_len);
if (!ie->sa_i_b)
goto bail_out;
/*
* Generate a nonce, and add it to the message.
* XXX I want a better way to specify the nonce's size.
- */
+ */
if (exchange_gen_nonce(msg, 16))
return -1;
* transform should be given.
*
* XXX Currently we only support negotiating one SA per quick mode run.
- */
+ */
if (TAILQ_NEXT(sa_p, link)) {
log_print("initiator_recv_HASH_SA_NONCE: "
"multiple SA payloads in quick mode not supported yet");
/*
* Loop over all SA negotiations and do both an in- and an outgoing SA
* per protocol.
- */
+ */
for (sa = TAILQ_FIRST(&exchange->sa_list); sa;
sa = TAILQ_NEXT(sa, next)) {
for (proto = TAILQ_FIRST(&sa->protos); proto;
/*
* Check the payload's integrity.
* XXX Share with ipsec_fill_in_hash?
- */
+ */
LOG_DBG_BUF((LOG_NEGOTIATION, 90, "responder_recv_HASH_SA_NONCE: "
"SKEYID_a", isa->skeyid_a, isa->skeyid_len));
prf = prf_alloc(isa->prf_type, isa->hash, isa->skeyid_a,
/*
* Try to find and set the connection name on the exchange.
- */
+ */
/*
* Check for accepted identities as well as lookup the connection
*
* When not using policies make sure the peer proposes sane IDs.
* Otherwise this is done by KeyNote.
- */
+ */
name = connection_passive_lookup_by_ids(ie->id_ci, ie->id_cr);
if (name) {
exchange->name = strdup(name);
-/* $OpenBSD: init.c,v 1.42 2018/01/04 14:21:00 mpi Exp $ */
+/* $OpenBSD: init.c,v 1.43 2018/01/15 09:54:48 mpi Exp $ */
/* $EOM: init.c,v 1.25 2000/03/30 14:27:24 ho Exp $ */
/*
* User-initiated SIGHUP's maybe "authorizes" a wait until
* next connection-check.
* XXX This means we discard exchange->last_msg, is this really ok?
- */
+ */
/* Reread config file. */
conf_reinit();
/*
* Rescan interfaces (call reinit() in all transports).
- */
+ */
transport_reinit();
/*
* XXX "These" (non-existent) reinitializations should not be done.
* cookie_reinit ();
* ui_reinit ();
- */
+ */
sa_reinit();
}
-/* $OpenBSD: ipsec.c,v 1.149 2018/01/04 14:21:00 mpi Exp $ */
+/* $OpenBSD: ipsec.c,v 1.150 2018/01/15 09:54:48 mpi Exp $ */
/* $EOM: ipsec.c,v 1.143 2000/12/11 23:57:42 niklas Exp $ */
/*
* For phase 2 when no SA yet is setup we need to hash the IV used by
* the ISAKMP SA concatenated with the message ID, and use that as an
* IV for further cryptographic operations.
- */
+ */
if (!msg->isakmp_sa->keystate) {
log_print("ipsec_get_keystate: no keystate in ISAKMP SA %p",
msg->isakmp_sa);
/*
* XXX So far we don't accept any proposals for exchanges we don't
* support.
- */
+ */
if (payload_first(msg, ISAKMP_PAYLOAD_SA)) {
message_drop(msg, ISAKMP_NOTIFY_NO_PROPOSAL_CHOSEN, 0, 1, 0);
return -1;
/*
* If no pseudo-random function was negotiated, it's HMAC.
* XXX As PRF_HMAC currently is zero, this is a no-op.
- */
+ */
if (!ie->prf_type)
ie->prf_type = PRF_HMAC;
}
/*
* XXX There are better algorithms for already mostly-sorted data like
* this, but only qsort is standard. I will someday do this inline.
- */
+ */
qsort(contacts, contact_cnt, sizeof *contacts, addr_cmp);
return 0;
}
* XXX Real ugly way of making the offsets correct. Be aware that id
* now will point before the actual buffer and cannot be dereferenced
* without an offset larger than or equal to ISAKM_GEN_SZ.
- */
+ */
id -= ISAKMP_GEN_SZ;
/* This is the actual length of the ID data field. */
* Conservative allocation.
* XXX I think the ASN1 DN case can be thought through to give a better
* estimate.
- */
+ */
size = MAXIMUM(sizeof "ipv6/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff",
sizeof "asn1_dn/" + id_len);
buf = malloc(size);
-/* $OpenBSD: isakmp_cfg.c,v 1.40 2018/01/04 14:21:00 mpi Exp $ */
+/* $OpenBSD: isakmp_cfg.c,v 1.41 2018/01/15 09:54:48 mpi Exp $ */
/*
* Copyright (c) 2001 Niklas Hallqvist. All rights reserved.
/*
* Use the bitstring built previously to collect the right
* parameters for attrp.
- */
+ */
for (bit = 0; bit < CFG_ATTR_BIT_MAX; bit++)
if (bit_test(attrbits, bit)) {
attr = attrp + off;
-/* $OpenBSD: isakmpd.c,v 1.106 2018/01/04 14:21:00 mpi Exp $ */
+/* $OpenBSD: isakmpd.c,v 1.107 2018/01/15 09:54:48 mpi Exp $ */
/* $EOM: isakmpd.c,v 1.54 2000/10/05 09:28:22 niklas Exp $ */
/*
/*
* Do a clean daemon shutdown on TERM/INT. These signals must be
* initialized before monitor_init(). INT is only used with '-d'.
- */
+ */
signal(SIGTERM, daemon_shutdown_now);
if (debug == 1) /* i.e '-dd' will skip this. */
signal(SIGINT, daemon_shutdown_now);
-/* $OpenBSD: log.c,v 1.63 2018/01/04 14:21:00 mpi Exp $ */
+/* $OpenBSD: log.c,v 1.64 2018/01/15 09:54:48 mpi Exp $ */
/* $EOM: log.c,v 1.30 2000/09/29 08:19:23 niklas Exp $ */
/*
/*
* If we are not debugging this class, or the level is too low, just
* return.
- */
+ */
if (cls >= 0 && (log_level[cls] == 0 || level > log_level[cls]))
return;
va_start(ap, fmt);
/*
* If we are not debugging this class, or the level is too low, just
* return.
- */
+ */
if (cls >= 0 && (log_level[cls] == 0 || level > log_level[cls]))
return;
-/* $OpenBSD: message.h,v 1.28 2018/01/04 14:21:00 mpi Exp $ */
+/* $OpenBSD: message.h,v 1.29 2018/01/15 09:54:48 mpi Exp $ */
/* $EOM: message.h,v 1.51 2000/10/10 12:36:39 provos Exp $ */
/*
/*
* A pointer to the parent payload, used for proposal and transform
* payloads.
- */
+ */
struct payload *context;
/* Payload flags described below. */
/*
* This is the transport the message either arrived on or will be sent
* to.
- */
+ */
struct transport *transport;
/*
* This is the ISAKMP SA protecting this message.
* XXX Needs to be redone to some keystate pointer or something.
- */
+ */
struct sa *isakmp_sa;
/* This is the exchange where this message appears. */
* will be one payload, after encryption segment 0 will be the
* unencrypted header, and segment 1 will be the encrypted payloads,
* all of them.
- */
+ */
struct iovec *iov;
/* The segment count. */
/*
* Extra baggage needed to travel with the message. Used transiently
* in context sensitive ways.
- */
+ */
void *extra;
/*
* Hooks for stuff needed to be done after the message has gone out to
* the wire.
- */
+ */
TAILQ_HEAD(post_send_head, post_send) post_send;
};
-/* $OpenBSD: monitor.c,v 1.75 2018/01/04 14:21:00 mpi Exp $ */
+/* $OpenBSD: monitor.c,v 1.76 2018/01/15 09:54:48 mpi Exp $ */
/*
* Copyright (c) 2003 Håkan Olsson. All rights reserved.
* We only permit paths starting with
* /etc/isakmpd/ (read only)
* /var/run/ (rw)
- */
+ */
if (realpath(path, new_path) == NULL ||
realpath("/var/run", var_run) == NULL) {
-/* $OpenBSD: policy.c,v 1.98 2018/01/04 14:21:00 mpi Exp $ */
+/* $OpenBSD: policy.c,v 1.99 2018/01/15 09:54:48 mpi Exp $ */
/* $EOM: policy.c,v 1.49 2000/10/24 13:33:39 niklas Exp $ */
/*
/*
* If dirty is set, this is the first request for an attribute, so
* populate our value cache.
- */
+ */
if (dirty) {
ie = policy_exchange->data;
-/* $OpenBSD: sa.h,v 1.53 2018/01/04 14:21:00 mpi Exp $ */
+/* $OpenBSD: sa.h,v 1.54 2018/01/15 09:54:48 mpi Exp $ */
/* $EOM: sa.h,v 1.58 2000/10/10 12:39:01 provos Exp $ */
/*
/*
* The chosen transform, only valid while the incoming SA payload that
* held it is available for duplicate testing.
- */
+ */
struct payload *chosen;
/* The chosen transform's ID. */
/*
* When several SA's are being negotiated in one message we connect
* them through this link.
- */
+ */
TAILQ_ENTRY(sa) next;
/*
/*
* The key used to authenticate phase 1, in printable format, used
* only by KeyNote.
- */
+ */
char *keynote_key;
/*
* Certificates or other information from Phase 1; these are copied
* from the exchange, so look at exchange.h for an explanation of
* their use.
- */
+ */
int recv_certtype, recv_keytype;
/* Certificate received from peer, native format. */
void *recv_cert;
/*
* Certificates or other information we used to authenticate to the
* peer, Phase 1.
- */
+ */
int sent_certtype;
/* Certificate (to be) sent to peer, native format. */
void *sent_cert;
-/* $OpenBSD: sysdep.c,v 1.37 2018/01/04 14:21:00 mpi Exp $ */
+/* $OpenBSD: sysdep.c,v 1.38 2018/01/15 09:54:48 mpi Exp $ */
/* $EOM: sysdep.c,v 1.9 2000/12/04 04:46:35 angelos Exp $ */
/*
/*
* Need to bypass system security policy, so I can send and
* receive key management datagrams in the clear.
- */
+ */
level = IPSEC_LEVEL_BYPASS;
if (monitor_setsockopt(fd, optsw[sw].ip_proto, optsw[sw].auth_level,
(char *) &level, sizeof level) == -1) {
-/* $OpenBSD: transport.h,v 1.21 2018/01/04 14:21:00 mpi Exp $ */
+/* $OpenBSD: transport.h,v 1.22 2018/01/15 09:54:48 mpi Exp $ */
/* $EOM: transport.h,v 1.16 2000/07/17 18:57:59 provos Exp $ */
/*
/*
* Read a message from the transport's incoming pipe and start
* handling it.
- */
+ */
void (*handle_message) (struct transport *);
/* Send a message through the outgoing pipe. */
/*
* Fill out a sockaddr structure with the transport's destination end's
* address info.
- */
+ */
void (*get_dst) (struct transport *, struct sockaddr **);
/*
* Fill out a sockaddr structure with the transport's source end's
* address info.
- */
+ */
void (*get_src) (struct transport *, struct sockaddr **);
/*
* Return a string with decoded src and dst information
- */
+ */
char *(*decode_ids) (struct transport *);
/*
* Prioritized send queue. Messages in this queue will be transmitted
* before the normal sendq, they will also all be transmitted prior
* to a daemon shutdown. Currently only used for DELETE notifications.
- */
+ */
struct msg_head prio_sendq;
/* Flags describing the transport. */
projects / openbsd / commitdiff